diff --git a/CreuSAT/src/assignments.rs b/CreuSAT/src/assignments.rs
index d8438d10..1c94ff54 100644
--- a/CreuSAT/src/assignments.rs
+++ b/CreuSAT/src/assignments.rs
@@ -17,8 +17,8 @@ impl Index for Assignments {
type Output = AssignedState;
#[inline]
#[cfg_attr(feature = "trust_assignments", trusted)]
- #[requires(@ix < (@self).len())]
- #[ensures((@self)[@ix] == *result)]
+ #[requires(i@x < self@.len())]
+ #[ensures(self@[i@x] == *result)]
fn index(&self, ix: usize) -> &AssignedState {
#[cfg(not(creusot))]
unsafe {
@@ -32,10 +32,10 @@ impl Index for Assignments {
impl IndexMut for Assignments {
#[inline]
#[cfg_attr(feature = "trust_assignments", trusted)]
- #[requires(@ix < (@self).len())]
- #[ensures((@*self)[@ix] == *result)]
- #[ensures((@^self)[@ix] == ^result)]
- #[ensures(forall 0 <= i && i != @ix && i < (@self).len() ==> (@self)[i] == (@^self)[i])]
+ #[requires(i@x < self@.len())]
+ #[ensures((@*self)[i@x] == *result)]
+ #[ensures((@^self)[i@x] == ^result)]
+ #[ensures(forall 0 <= i && i != i@x && i < self@.len() ==> self@[i] == (@^self)[i])]
#[ensures((@^self).len() == (@*self).len())]
fn index_mut(&mut self, ix: usize) -> &mut AssignedState {
#[cfg(not(creusot))]
@@ -51,7 +51,7 @@ impl Assignments {
// Ok
#[inline(always)]
#[cfg_attr(feature = "trust_assignments", trusted)]
- #[ensures(@result == (@self).len())]
+ #[ensures(result@ == self@.len())]
pub fn len(&self) -> usize {
self.0.len()
}
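Review bot: The rewritten precondition `#[requires(i@x < self@.len())]` no longer names the parameter `ix`; the postfix `@` was inserted after the first character instead of after the identifier, so the intended lines are `#[requires(ix@ < self@.len())]` and `#[ensures(self@[ix@] == *result)]`. The same mangling is on every `@ix` in the `IndexMut` hunk below. This matters more than a typo here: the body under `#[cfg(not(creusot))]` opens an `unsafe` block (its contents are outside the hunk), and with `trust_assignments` the contract is assumed rather than proved, so the text of this precondition is all that callers are checked against. Worth re-running Creusot on this file before merging rather than trusting the mechanical rewrite.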
@@ -62,12 +62,12 @@ impl Assignments {
#[requires(lit.invariant(@_f.num_vars))]
#[requires(_f.invariant())]
#[requires(trail_invariant(@_t, *_f))]
- #[requires(unset((@self)[lit.index_logic()]))]
- #[requires(long_are_post_unit_inner(@_t, *_f, @self))]
+ #[requires(unset(self@[lit.index_logic()]))]
+ #[requires(long_are_post_unit_inner(@_t, *_f, self@))]
#[ensures(long_are_post_unit_inner(@_t, *_f, @^self))]
#[ensures(!unset((@^self)[lit.index_logic()]))]
- #[ensures((@^self).len() == (@self).len())]
- #[ensures((forall 0 <= j && j < (@self).len()
+ #[ensures((@^self).len() == self@.len())]
+ #[ensures((forall 0 <= j && j < self@.len()
&& j != lit.index_logic() ==> (@*self)[j] == (@^self)[j]))]
#[ensures(lit.sat(^self))]
pub fn set_assignment(&mut self, lit: Lit, _f: &Formula, _t: &Vec) {
diff --git a/CreuSAT/src/clause.rs b/CreuSAT/src/clause.rs
index 3c89cf89..0add6a01 100644
--- a/CreuSAT/src/clause.rs
+++ b/CreuSAT/src/clause.rs
@@ -19,8 +19,8 @@ impl Index for Clause {
type Output = Lit;
#[inline]
#[cfg_attr(feature = "trust_clause", trusted)]
- #[requires(@ix < (@self).len())]
- #[ensures((@self)[@ix] == *result)]
+ #[requires(i@x < self@.len())]
+ #[ensures(self@[i@x] == *result)]
fn index(&self, ix: usize) -> &Lit {
#[cfg(not(creusot))]
unsafe {
@@ -34,10 +34,10 @@ impl Index for Clause {
impl IndexMut for Clause {
#[inline]
#[cfg_attr(feature = "trust_clause", trusted)]
- #[requires(@ix < (@self).len())]
- #[ensures((@*self)[@ix] == *result)]
- #[ensures((@^self)[@ix] == ^result)]
- #[ensures(forall 0 <= i && i != @ix && i < (@self).len() ==> (@self)[i] == (@^self)[i])]
+ #[requires(i@x < self@.len())]
+ #[ensures((@*self)[i@x] == *result)]
+ #[ensures((@^self)[i@x] == ^result)]
+ #[ensures(forall 0 <= i && i != i@x && i < self@.len() ==> self@[i] == (@^self)[i])]
#[ensures((@^self).len() == (@*self).len())]
fn index_mut(&mut self, ix: usize) -> &mut Lit {
#[cfg(not(creusot))]
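Review bot: The contract on `set_assignment` now mixes both spellings in one attribute set: `self@` on the rewritten lines sits next to the untouched `@_t`, `@_f.num_vars` and `(@^self)` on the context lines, e.g. `#[requires(long_are_post_unit_inner(@_t, *_f, self@))]`. Whether the target Creusot version still accepts the prefix form is not visible here; if it does not, these unchanged lines are where the file stops parsing, and if it does, the half-migrated state makes the next sweep harder to review. The conversion should be done per expression rather than per token, e.g. `#[ensures(long_are_post_unit_inner(_t@, *_f, (^self)@))]`. The function body is outside the hunk.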
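Review bot: `i@x` in `#[requires(i@x < self@.len())]` is not the parameter `ix`; the intended postfix form is `ix@ < self@.len()` and `self@[ix@] == *result`. As in assignments.rs, this precondition is what the `unsafe` block under `#[cfg(not(creusot))]` relies on, and the function is `trusted` under `trust_clause`, so the contract text is the only thing a caller is checked against. The `unsafe` body is outside the hunk.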
@@ -54,7 +54,7 @@ impl Clause {
#[ensures(result == self.invariant(@n))]
pub fn check_clause_invariant(&self, n: usize) -> bool {
let mut i: usize = 0;
- #[invariant(inv, forall 0 <= j && j < @i ==> (@self)[j].invariant(@n))]
+ #[invariant(inv, forall 0 <= j && j < i@ ==> self@[j].invariant(@n))]
while i < self.len() {
if !self[i].check_lit_invariant(n) {
return false;
@@ -72,12 +72,12 @@ impl Clause {
pub fn no_duplicates(&self) -> bool {
let mut i: usize = 0;
#[invariant(no_dups,
- forall 0 <= j && j < @i &&
- 0 <= k && k < j ==> (@self)[j].index_logic() != (@self)[k].index_logic())]
+ forall 0 <= j && j < i@ &&
+ 0 <= k && k < j ==> self@[j].index_logic() != self@[k].index_logic())]
while i < self.len() {
let lit1 = self[i];
let mut j: usize = 0;
- #[invariant(inv, forall 0 <= k && k < @j ==> lit1.index_logic() != (@self)[k].index_logic())]
+ #[invariant(inv, forall 0 <= k && k < @j ==> lit1.index_logic() != self@[k].index_logic())]
while j < i {
let lit2 = self[j];
if lit1.index() == lit2.index() {
@@ -92,7 +92,7 @@ impl Clause {

#[inline(always)]
#[cfg_attr(feature = "trust_clause", trusted)]
- #[ensures(@result == (@self).len())]
+ #[ensures(result@ == self@.len())]
pub fn len(&self) -> usize {
self.lits.len()
}
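Review bot: Within `no_duplicates` the outer invariant was converted (`j < i@`) but the inner one a few lines later still reads `#[invariant(inv, forall 0 <= k && k < @j ==> ...)]` with the prefix form on `@j`; the rewrite evidently only handled `@i`, and `@j`, `@k` and `@n` in the surrounding hunks were skipped. Suggest `#[invariant(inv, forall 0 <= k && k < j@ ==> lit1.index_logic() != self@[k].index_logic())]` and a grep for the remaining `@` followed by an identifier across the crate before the proofs are re-run.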
@@ -108,14 +108,14 @@ impl Clause {
#[inline(always)]
#[cfg_attr(feature = "trust_clause", trusted)]
#[maintains((mut self).invariant(@_f.num_vars))]
- #[requires((@self).len() > 0)]
- #[requires(@idx < (@self).len())]
+ #[requires(self@.len() > 0)]
+ #[requires(i@dx < self@.len())]
#[ensures(forall 0 <= i && i < (@(^self)).len() ==>
- (exists 0 <= j && j < (@self).len() && (@(^self))[i] == (@self)[j]))]
- #[ensures((@(^self))[(@^self).len() - 1] == (@self)[@idx])]
- #[ensures((@(^self)).len() == (@self).len())]
- #[ensures(forall 0 <= j && j < (@self).len()
- ==> (@self)[j].lit_in(^self))]
+ (exists 0 <= j && j < self@.len() && (@(^self))[i] == self@[j]))]
+ #[ensures((@(^self))[(@^self).len() - 1] == self@[i@dx])]
+ #[ensures((@(^self)).len() == self@.len())]
+ #[ensures(forall 0 <= j && j < self@.len()
+ ==> self@[j].lit_in(^self))]
fn move_to_end(&mut self, idx: usize, _f: &Formula) {
let end = self.len() - 1;
self.lits.swap(idx, end);
@@ -125,14 +125,14 @@ impl Clause {
#[inline(always)]
#[cfg_attr(feature = "trust_clause", trusted)]
#[maintains((mut self).invariant(@_f.num_vars))]
- #[requires((@self).len() > 0)]
- #[requires(@idx < (@self).len())]
+ #[requires(self@.len() > 0)]
+ #[requires(i@dx < self@.len())]
#[ensures(forall 0 <= i && i < (@(^self)).len() ==>
- exists 0 <= j && j < (@self).len() && (@(^self))[i] == (@self)[j])]
- #[ensures((@(^self)).len() + 1 == (@self).len())]
- #[ensures(!(@self)[@idx].lit_in(^self))]
- #[ensures(forall 0 <= j && j < (@self).len()
- && j != @idx ==> (@self)[j].lit_in(^self))]
+ exists 0 <= j && j < self@.len() && (@(^self))[i] == self@[j])]
+ #[ensures((@(^self)).len() + 1 == self@.len())]
+ #[ensures(!self@[i@dx].lit_in(^self))]
+ #[ensures(forall 0 <= j && j < self@.len()
+ && j != i@dx ==> self@[j].lit_in(^self))]
pub fn remove_from_clause(&mut self, idx: usize, _f: &Formula) {
self.move_to_end(idx, _f);
self.lits.pop();
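Review bot: `i@dx` in `#[requires(i@dx < self@.len())]` and `self@[i@dx]` does not refer to the parameter `idx`; the `@` landed after the first character, the same pattern as `i@x` in the `Index` impls. The intended lines are `#[requires(idx@ < self@.len())]` and `#[ensures((@(^self))[(@^self).len() - 1] == self@[idx@])]`, and `remove_from_clause` in the next hunk has the same three occurrences. The precondition is what makes the `self.lits.swap(idx, end)` call in-bounds, and both functions are `trusted` under `trust_clause`, so whether a malformed contract is rejected at all depends on whether pearlite in trusted items is still type-checked — worth confirming rather than assuming.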
@@ -140,14 +140,14 @@ impl Clause {

// This is an ugly runtime check
#[cfg_attr(feature = "trust_clause", trusted)]
- #[requires(invariant_internal(@self, @_f.num_vars))]
+ #[requires(invariant_internal(self@, @_f.num_vars))]
#[requires(a.invariant(*_f))]
- #[requires((@self).len() > 1)]
+ #[requires(self@.len() > 1)]
#[ensures(result ==> self.unit(*a))]
- #[ensures(result ==> (@self)[0].unset(*a))]
+ #[ensures(result ==> self@[0].unset(*a))]
pub fn unit_and_unset(&self, a: &Assignments, _f: &Formula) -> bool {
let mut i: usize = 1;
- #[invariant(unsat, forall 1 <= j && j < @i ==> (@self)[j].unsat(*a))]
+ #[invariant(unsat, forall 1 <= j && j < i@ ==> self@[j].unsat(*a))]
while i < self.len() {
if !self[i].lit_unsat(a) {
return false;
@@ -159,11 +159,11 @@ impl Clause {

// ONLY VALID FOR CLAUSES NOT IN THE FORMULA
#[cfg_attr(feature = "trust_clause", trusted)]
- #[requires((@self).len() > @j)]
- #[requires((@self).len() > @k)]
+ #[requires(self@.len() > @j)]
+ #[requires(self@.len() > @k)]
#[maintains((mut self).invariant(@_f.num_vars))]
#[maintains((mut self).equisat_extension(*_f))]
- #[ensures((@self).len() == (@(^self)).len())]
+ #[ensures(self@.len() == (@(^self)).len())]
pub fn swap_lits_in_clause(&mut self, _f: &Formula, j: usize, k: usize) {
let old_c: Ghost<&mut Clause> = ghost! { self };
self.lits.swap(j, k);
@@ -177,7 +177,7 @@ impl Clause {
pub fn calc_lbd(&self, _f: &Formula, s: &mut Solver, t: &Trail) -> usize {
let mut i: usize = 0;
let mut lbd: usize = 0;
- #[invariant(lbd_bound, @lbd <= @i)]
+ #[invariant(lbd_bound, @lbd <= i@)]
while i < self.len() {
let level = t.lit_to_level[self[i].index()];
if level < s.perm_diff.len() && // TODO: Add this as an invariant to Solver
diff --git a/CreuSAT/src/conflict_analysis.rs b/CreuSAT/src/conflict_analysis.rs
index c9bedd95..b48e37b1 100644
--- a/CreuSAT/src/conflict_analysis.rs
+++ b/CreuSAT/src/conflict_analysis.rs
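Review bot: The `swap_lits_in_clause` preconditions `#[requires(self@.len() > @j)]` and `#[requires(self@.len() > @k)]` now have one operand in each syntax; `@j` and `@k` were skipped by the rewrite while `(@self)` on the same line was converted. The bounds that justify `self.lits.swap(j, k)` should read `self@.len() > j@` and `self@.len() > k@`. The `calc_lbd` invariant in the next hunk, `@lbd <= i@`, is the same half-conversion inside a single expression.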
@@ -19,9 +19,9 @@ pub enum Conflict {
#[inline(always)]
#[cfg_attr(feature = "trust_conflict", trusted)]
#[requires(vars_in_range_inner(@c, (@seen).len()))]
-#[requires(@idx < (@seen).len())]
-#[requires((@seen)[@idx] == idx_in_logic(@idx, @c))]
-#[ensures(result == (exists 0 <= i && i < (@c).len() && (@c)[i].index_logic() == @idx))]
+#[requires(i@dx < (@seen).len())]
+#[requires((@seen)[i@dx] == idx_in_logic(i@dx, @c))]
+#[ensures(result == (exists 0 <= i && i < (@c).len() && (@c)[i].index_logic() == i@dx))]
fn idx_in(c: &Vec, idx: usize, seen: &Vec) -> bool {
seen[idx]
}
@@ -29,13 +29,13 @@ fn idx_in(c: &Vec, idx: usize, seen: &Vec) -> bool {
#[cfg_attr(feature = "trust_conflict", trusted)]
#[requires(_f.invariant())]
#[requires(trail.invariant(*_f))]
-#[requires(@idx < @_f.num_vars)]
+#[requires(i@dx < @_f.num_vars)]
#[requires(o.in_formula(*_f))]
#[requires(@c_idx < (@c).len()
- && (@c)[@c_idx].index_logic() == @idx
+ && (@c)[@c_idx].index_logic() == i@dx
&& (@o)[0].is_opp((@c)[@c_idx])
)]
-#[requires(c.same_idx_same_polarity_except(*o, @idx))]
+#[requires(c.same_idx_same_polarity_except(*o, i@dx))]
// New post unit -> abstract away
#[requires(forall 1 <= j && j < (@o).len() ==> (@o)[j].unsat_inner(@trail.assignments))]
#[requires((@o)[0].sat_inner(@trail.assignments))]
@@ -78,9 +78,9 @@ fn resolve(
let mut i: usize = 1;
#[invariant(inv, c.invariant(@_f.num_vars))]
#[invariant(all_unsat, c.unsat(trail.assignments))] // TODO: Should be stated with regards to seq
- #[invariant(i_bound, 1 <= @i && @i <= (@o).len())]
+ #[invariant(i_bound, 1 <= i@ && i@ <= (@o).len())]
#[invariant(not_in, !(@old_c)[@c_idx].lit_in(*c) && !(@o)[0].lit_in(*c))]
- #[invariant(all_in, forall 1 <= j && j < @i ==> (@o)[j].lit_in(*c))]
+ #[invariant(all_in, forall 1 <= j && j < i@ ==> (@o)[j].lit_in(*c))]
#[invariant(all_in2, forall 0 <= j && j < (@old_c).len() && j != @c_idx ==> (@old_c)[j].lit_in(*c))]
#[invariant(from_c_or_o, (forall 0 <= j && j < (@c).len() ==>
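Review bot: `#[requires(i@dx < (@seen).len())]` and `idx_in_logic(i@dx, @c)` should refer to `idx@`; `i@dx` is not the parameter `idx`. This precondition is exactly what makes the `seen[idx]` index in the body provable, so the garbled term turns a one-line trusted-or-proved lemma into one whose stated bound is not the one the body needs. The same `i@dx` recurs three times in the `resolve` contract in the next hunk, where it sits beside the still-prefix `@_f.num_vars` and `@c_idx`.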
@@ -104,9 +104,9 @@ fn resolve(
if trail.lit_to_level[o[i].index()] >= trail.decision_level() {
*path_c += 1;
}
- proof_assert!(@c == (@old_c3).push((@o)[@i]));
+ proof_assert!(@c == (@old_c3).push((@o)[i@]));
proof_assert!((@c).len() == (@old_c3).len() + 1);
- proof_assert!((@o)[@i].lit_in(*c));
+ proof_assert!((@o)[i@].lit_in(*c));
}
proof_assert!(forall 0 <= j && j < (@old_c3).len() ==>
@@ -120,7 +120,7 @@ fn resolve(
#[cfg_attr(feature = "trust_conflict", trusted)]
#[requires(trail.invariant(*_f))]
#[requires(c.unsat(trail.assignments))]
-#[requires(@i <= (@trail.trail).len())]
+#[requires(i@ <= (@trail.trail).len())]
#[requires((@seen).len() == @_f.num_vars)]
#[ensures(match result { Some(r) => @r < (@c).len()
@@ -133,13 +133,13 @@ fn resolve(
})]
fn choose_literal(c: &Clause, trail: &Trail, i: &mut usize, _f: &Formula, seen: &Vec) -> Option {
let old_i: Ghost<&mut usize> = ghost! {i};
- #[invariant(i_bound, 0 <= @i && @i <= (@trail.trail).len())]
+ #[invariant(i_bound, 0 <= i@ && i@ <= (@trail.trail).len())]
#[invariant(proph_i, ^i == ^old_i.inner())]
while *i > 0 {
*i -= 1;
if seen[trail.trail[*i].lit.index()] {
let mut k: usize = 0;
- #[invariant(i_bound2, 0 <= @i && @i < (@trail.trail).len())]
+ #[invariant(i_bound2, 0 <= i@ && i@ < (@trail.trail).len())]
#[invariant(k_bound, 0 <= @k && @k <= (@c).len())]
#[invariant(proph_i2, ^i == ^old_i.inner())]
while k < c.len() {
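Review bot: In `choose_literal` the `i` parameter is `&mut usize`, so `#[requires(i@ <= (@trail.trail).len())]` and the loop invariant `0 <= i@ && i@ <= (@trail.trail).len()` are now taking the model of a mutable borrow rather than of the `usize` it points to; the original `@i` had the same ambiguity, but this is the moment to make it explicit as `(*i)@`. The neighbouring `k_bound` invariant, `0 <= @k && @k <= (@c).len()`, was left in the prefix form on the very next line, so this loop header mixes both syntaxes. `choose_literal`'s body continues past the hunk.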
@@ -155,36 +155,36 @@ fn choose_literal(c: &Clause, trail: &Trail, i: &mut usize, _f: &Formula, seen:

#[cfg_attr(feature = "trust_conflict", trusted)]
#[requires(f.invariant())]
-#[requires(@f.num_vars < @usize::MAX)]
+#[requires(f.num_vars@ < usize::MAX@)]
#[requires(trail.invariant(*f))]
-#[requires(@cref < (@f.clauses).len())]
-#[requires((@f.clauses)[@cref].unsat(trail.assignments))]
+#[requires(@cref < f.clauses@.len())]
+#[requires(f.clauses@[@cref].unsat(trail.assignments))]
#[ensures(match result {
Conflict::Ground => f.not_satisfiable(),
Conflict::Unit(clause) => {
- clause.invariant(@f.num_vars)
+ clause.invariant(f.num_vars@)
&& (@clause).len() == 1
- && vars_in_range_inner(@clause, @f.num_vars)
+ && vars_in_range_inner(@clause, f.num_vars@)
&& no_duplicate_indexes_inner(@clause)
&& equisat_extension_inner(clause, @f)
},
Conflict::Learned(s_idx, clause) => {
- clause.invariant(@f.num_vars)
+ clause.invariant(f.num_vars@)
&& (@clause).len() > 1
- && vars_in_range_inner(@clause, @f.num_vars)
+ && vars_in_range_inner(@clause, f.num_vars@)
&& no_duplicate_indexes_inner(@clause)
&& equisat_extension_inner(clause, @f)
&& @s_idx < (@clause).len()
},
Conflict::Restart(clause) => {
- clause.invariant(@f.num_vars)
+ clause.invariant(f.num_vars@)
&& (@clause).len() > 1
- && vars_in_range_inner(@clause, @f.num_vars)
+ && vars_in_range_inner(@clause, f.num_vars@)
&& no_duplicate_indexes_inner(@clause)
&& equisat_extension_inner(clause, @f)
},
})]
-#[maintains((mut d).invariant(@f.num_vars))]
+#[maintains((mut d).invariant(f.num_vars@))]
pub fn analyze_conflict(f: &Formula, trail: &Trail, cref: usize, d: &mut Decisions) -> Conflict {
let decisionlevel = trail.decision_level();
let mut to_bump = Vec::new();
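Review bot: The `analyze_conflict` contract is converted by token rather than by expression: `f.num_vars@` and `f.clauses@` are postfix on the changed lines while `@cref`, `@clause`, `@s_idx` and every `equisat_extension_inner(clause, @f)` on the context lines keep the prefix form, producing `#[requires(@cref < f.clauses@.len())]` with both styles on one line. If the target Creusot still parses prefix `@` this is merely inconsistent; if it does not, the unconverted context lines are where the build breaks, and they are easy to miss in review because they carry no `-`/`+`. `f.clauses@[@cref]` is also the `Unit`/`Learned`/`Restart` soundness contract for every learned clause, so it deserves a proof run, not just a compile. The function body continues past the hunk.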
@@ -196,10 +196,10 @@ pub fn analyze_conflict(f: &Formula, trail: &Trail, cref: usize, d: &mut Decisio
let mut j: usize = 0;
#[invariant(seen_is_clause, forall 0 <= idx && idx < (@seen).len() ==>
((@seen)[idx] == (exists 0 <= i && i < @j && (@clause)[i].index_logic() == idx)))]
- #[invariant(seen_len, (@seen).len() == @f.num_vars)]
+ #[invariant(seen_len, (@seen).len() == f.num_vars@)]
#[invariant(path_c_less, @path_c <= @j)]
#[invariant(j_is_len, @j <= (@clause).len())] // This is needed to establish the loop invariant for the next loop
- #[invariant(elems_less, elems_less_than(@to_bump, @f.num_vars))]
+ #[invariant(elems_less, elems_less_than(@to_bump, f.num_vars@))]
while j < clause.len() {
seen[clause[j].index()] = true;
to_bump.push(clause[j].index());
@@ -209,15 +209,15 @@ pub fn analyze_conflict(f: &Formula, trail: &Trail, cref: usize, d: &mut Decisio
j += 1;
}
let mut clause = clause;
- #[invariant(seen_len, (@seen).len() == @f.num_vars)]
+ #[invariant(seen_len, (@seen).len() == f.num_vars@)]
#[invariant(seen_is_clause, forall 0 <= idx && idx < (@seen).len() ==>
((@seen)[idx] == idx_in_logic(idx, @clause)))]
- #[invariant(clause_vars, clause.invariant(@f.num_vars))]
+ #[invariant(clause_vars, clause.invariant(f.num_vars@))]
#[invariant(clause_equi, equisat_extension_inner(clause, @f))]
#[invariant(clause_unsat, clause.unsat(trail.assignments))]
- #[invariant(i_bound, 0 <= @i && @i <= (@trail.trail).len())]
+ #[invariant(i_bound, 0 <= i@ && i@ <= (@trail.trail).len())]
#[invariant(path_c_less, @path_c <= (@clause).len())]
- #[invariant(elems_less, elems_less_than(@to_bump, @f.num_vars))]
+ #[invariant(elems_less, elems_less_than(@to_bump, f.num_vars@))]
while path_c > break_cond {
let c_idx = match choose_literal(&clause, trail, &mut i, f, &seen) {
Some(c_idx) => c_idx,
@@ -229,7 +229,7 @@ pub fn analyze_conflict(f: &Formula, trail: &Trail, cref: usize, d: &mut Decisio
_ => break,
};
let idx = trail.trail[i].lit.index();
- proof_assert!(clause.same_idx_same_polarity_except(*ante, @idx));
+ proof_assert!(clause.same_idx_same_polarity_except(*ante, i@dx));
resolve(f, &mut clause, ante, idx, c_idx, &trail, &mut seen, &mut path_c, &mut to_bump);
}
//let clause = clause;
@@ -261,8 +261,8 @@ pub fn analyze_conflict(f: &Formula, trail: &Trail, cref: usize, d: &mut Decisio
#[cfg_attr(all(feature = "trust_conflict", not(feature = "problem_child")), trusted)]
#[requires(f.invariant())]
#[requires(trail.invariant(*f))]
-#[requires(@cref < (@f.clauses).len())]
-#[requires((@f.clauses)[@cref].unsat(trail.assignments))]
+#[requires(@cref < f.clauses@.len())]
+#[requires(f.clauses@[@cref].unsat(trail.assignments))]
#[ensures(result ==> f.not_satisfiable())]
pub fn resolve_empty_clause(f: &Formula, trail: &Trail, cref: usize) -> bool {
let decisionlevel = trail.decision_level();
@@ -273,7 +273,7 @@ pub fn resolve_empty_clause(f: &Formula, trail: &Trail, cref: usize) -> bool {
let mut j: usize = 0;
#[invariant(seen_is_clause, forall 0 <= idx && idx < (@seen).len() ==>
((@seen)[idx] == (exists 0 <= i && i < @j && (@clause)[i].index_logic() == idx)))]
- #[invariant(seen_len, (@seen).len() == @f.num_vars)]
+ #[invariant(seen_len, (@seen).len() == f.num_vars@)]
#[invariant(j_is_len, @j <= (@clause).len())] // This is needed to establish the loop invariant for the next loop
while j < clause.len() {
diff --git a/CreuSAT/src/decision.rs b/CreuSAT/src/decision.rs
index 91deb38e..a230974e 100644
--- a/CreuSAT/src/decision.rs
+++ b/CreuSAT/src/decision.rs
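Review bot: `proof_assert!(clause.same_idx_same_polarity_except(*ante, i@dx));` should mention `idx@`, the local bound on the line above (`let idx = trail.trail[i].lit.index();`), not `i@dx`. Because `i` is also in scope here, depending on how pearlite tokenises the term this is either a parse error or a reference to `i@` followed by an unknown `dx`, so the failure may surface as a confusing message rather than an obvious one. The `resolve` call on the next line passes the runtime `idx` and is unaffected; the enclosing loop starts and ends outside the hunk.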
@@ -16,9 +16,9 @@ pub struct Node {

//const INVALID: usize = usize::MAX;
impl ::std::default::Default for Node {
- #[ensures(@result.next == @usize::MAX)]
- #[ensures(@result.prev == @usize::MAX)]
- #[ensures(@result.ts == 0)]
+ #[ensures(result@.next == usize::MAX@)]
+ #[ensures(result@.prev == usize::MAX@)]
+ #[ensures(result@.ts == 0)]
fn default() -> Self {
Node { next: usize::MAX, prev: usize::MAX, ts: 0 }
}
@@ -27,7 +27,7 @@ impl ::std::default::Default for Node {
impl creusot_contracts::Default for Node {
#[predicate]
fn is_default(self) -> bool {
- pearlite! { @self.next == @usize::MAX && @self.prev == @usize::MAX && @self.ts == 0 }
+ pearlite! { self@.next == usize::MAX@ && self@.prev == usize::MAX@ && self@.ts == 0 }
}
}
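Review bot: `@result.next` → `result@.next` changes what `@` applies to. In the old prefix form `@` took the whole postfix expression — which is why this same diff writes `(@self).len()` with parentheses wherever the model of `self` itself is meant — so `@result.next == @usize::MAX` compared the `Int` model of the `usize` field with the `Int` model of `usize::MAX`. `result@.next` instead asks for a model of the `Node` and projects `.next` from it, which presumably only type-checks if `Node` has a shallow model exposing that field; nothing in the hunk shows one. The faithful rewrite is `#[ensures(result.next@ == usize::MAX@)]` (and likewise `prev`, `ts`), and the `pearlite!` block in the next hunk wants `self.next@`, `self.prev@`, `self.ts@` for the same reason.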
@@ -42,21 +42,21 @@ impl Decisions {
// It is possible to sacrifice some readability for a tad faster proofs here(by adding assertions).
#[cfg_attr(feature = "trust_decision", trusted)]
#[requires(f.invariant())]
- #[requires(0 < @f.num_vars && @f.num_vars < @usize::MAX/2)]
- #[requires((@lit_order).len() == @f.num_vars &&
+ #[requires(0 < f.num_vars@ && f.num_vars@ < usize::MAX@/2)]
+ #[requires((@lit_order).len() == f.num_vars@ &&
forall 0 <= i && i < (@lit_order).len() ==>
- @(@lit_order)[i] < @f.num_vars)]
- #[ensures(result.invariant(@f.num_vars))]
+ @(@lit_order)[i] < f.num_vars@)]
+ #[ensures(result.invariant(f.num_vars@))]
pub fn make_linked_list(f: &Formula, lit_order: Vec) -> Decisions {
let INVALID: usize = usize::MAX;
let mut linked_list: Vec = vec::from_elem(Node::default(), f.num_vars);
let mut i: usize = 0;
let mut head: usize = 0;
- #[invariant(len_ok, (@linked_list).len() == @f.num_vars)]
- #[invariant(head_ok, @head < @f.num_vars)]
- #[invariant(inv, forall 0 <= j && j < @f.num_vars ==>
- ((@(@linked_list)[j].next == @usize::MAX || @(@linked_list)[j].next < @f.num_vars)
- && (@(@linked_list)[j].prev == @usize::MAX || @(@linked_list)[j].prev < @f.num_vars)))]
+ #[invariant(len_ok, (@linked_list).len() == f.num_vars@)]
+ #[invariant(head_ok, @head < f.num_vars@)]
+ #[invariant(inv, forall 0 <= j && j < f.num_vars@ ==>
+ ((@(@linked_list)[j].next == usize::MAX@ || @(@linked_list)[j].next < f.num_vars@)
+ && (@(@linked_list)[j].prev == usize::MAX@ || @(@linked_list)[j].prev < f.num_vars@)))]
while i < f.num_vars {
let j = lit_order[i];
if i == 0 {
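Review bot: The `inv` loop invariant is the clearest example of the token-level rewrite: `@(@linked_list)[j].next == usize::MAX@` has the nested prefix forms `@(@linked_list)` untouched while only the `usize::MAX` literal was converted, and `@head < f.num_vars@` and `@(@lit_order)[i] < f.num_vars@` on the lines above are the same shape. The readable postfix spelling is `linked_list@[j].next@ == usize::MAX@ || linked_list@[j].next@ < f.num_vars@` (and `head@ < f.num_vars@`, `lit_order@[i]@ < f.num_vars@`). Since this invariant is what later justifies indexing `linked_list` by `next`/`prev`, it is worth getting right in one pass rather than leaving a second migration for it.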
@@ -82,21 +82,21 @@ impl Decisions {

#[cfg_attr(feature = "trust_decision", trusted)]
#[requires(f.invariant())]
- #[requires(0 < @f.num_vars && @f.num_vars < @usize::MAX/2)]
- #[ensures(result.invariant(@f.num_vars))]
+ #[requires(0 < f.num_vars@ && f.num_vars@ < usize::MAX@/2)]
+ #[ensures(result.invariant(f.num_vars@))]
pub fn new(f: &Formula) -> Decisions {
let mut lit_order: Vec = vec::from_elem(0, f.num_vars);
let mut counts: Vec = vec::from_elem(0, f.num_vars);
let mut counts_with_index: Vec<(usize, usize)> = vec::from_elem((0, 0), f.num_vars);
let mut i: usize = 0;
- #[invariant(i_bound, @i <= (@f.clauses).len())]
- #[invariant(counts_len1, (@counts).len() == @f.num_vars)]
+ #[invariant(i_bound, i@ <= f.clauses@.len())]
+ #[invariant(counts_len1, (@counts).len() == f.num_vars@)]
while i < f.clauses.len() {
let curr_clause = &f[i];
let mut j: usize = 0;
- #[invariant(i_bound2, @i <= (@f.clauses).len())]
+ #[invariant(i_bound2, i@ <= f.clauses@.len())]
#[invariant(j_bound, @j <= (@curr_clause).len())]
- #[invariant(counts_len, (@counts).len() == @f.num_vars)]
+ #[invariant(counts_len, (@counts).len() == f.num_vars@)]
while j < curr_clause.len() {
// Okay this is obviously provable, a vector cannot be longer than usize, and we don't allow duplicates, so we will
// never overflow, even if every clause contains a literal,
@@ -108,22 +108,22 @@ impl Decisions {
i += 1;
}
i = 0;
- #[invariant(i_bound, @i <= @f.num_vars)]
- #[invariant(counts_with_idx_len, (@counts_with_index).len() == @f.num_vars)]
- #[invariant(second_ok, forall 0 <= j && j < @f.num_vars ==>
- @(@counts_with_index)[j].1 < @f.num_vars)]
+ #[invariant(i_bound, i@ <= f.num_vars@)]
+ #[invariant(counts_with_idx_len, (@counts_with_index).len() == f.num_vars@)]
+ #[invariant(second_ok, forall 0 <= j && j < f.num_vars@ ==>
+ @(@counts_with_index)[j].1 < f.num_vars@)]
while i < f.num_vars {
counts_with_index[i] = (counts[i], i);
i += 1;
}
sort_reverse(&mut counts_with_index);
proof_assert!(forall 0 <= j && j < (@counts_with_index).len() ==>
- @(@counts_with_index)[j].1 < @f.num_vars);
+ @(@counts_with_index)[j].1 < f.num_vars@);
i = 0;
- #[invariant(i_bound, 0 <= @i && @i <= @f.num_vars)]
- #[invariant(lit_order_len, (@lit_order).len() == @f.num_vars)]
- #[invariant(second_ok, forall 0 <= j && j < @f.num_vars ==>
- @(@lit_order)[j] < @f.num_vars)]
+ #[invariant(i_bound, 0 <= i@ && i@ <= f.num_vars@)]
+ #[invariant(lit_order_len, (@lit_order).len() == f.num_vars@)]
+ #[invariant(second_ok, forall 0 <= j && j < f.num_vars@ ==>
+ @(@lit_order)[j] < f.num_vars@)]
while i < f.num_vars {
lit_order[i] = counts_with_index[i].1;
i += 1;
@@ -133,20 +133,20 @@ impl Decisions {

#[cfg_attr(feature = "trust_decision", trusted)]
#[maintains((mut self).invariant(@_f.num_vars))]
- #[requires((@self.linked_list).len() < @usize::MAX)]
- #[ensures(@(^self).timestamp == (@self.linked_list).len() + 1)]
- #[ensures((@(^self).linked_list).len() == (@self.linked_list).len())]
+ #[requires((self@.linked_list).len() < usize::MAX@)]
+ #[ensures(@(^self).timestamp == (self@.linked_list).len() + 1)]
+ #[ensures((@(^self).linked_list).len() == (self@.linked_list).len())]
fn rescore(&mut self, _f: &Formula) {
let INVALID: usize = usize::MAX;
let old_self: Ghost<&mut Decisions> = ghost! { self };
let mut curr_score = self.linked_list.len();
let mut i: usize = 0;
let mut curr = self.start;
- #[invariant(curr_ok, curr == usize::MAX || @curr < (@self.linked_list).len())]
+ #[invariant(curr_ok, curr == usize::MAX || @curr < (self@.linked_list).len())]
#[invariant(proph, ^old_self.inner() == ^self)]
- #[invariant(unch, forall 0 <= j && j < (@self.linked_list).len() ==>
- ((@self.linked_list)[j].next == (@old_self.linked_list)[j].next
- && (@self.linked_list)[j].prev == (@old_self.linked_list)[j].prev)
+ #[invariant(unch, forall 0 <= j && j < (self@.linked_list).len() ==>
+ ((self@.linked_list)[j].next == (@old_self.linked_list)[j].next
+ && (self@.linked_list)[j].prev == (@old_self.linked_list)[j].prev)
)]
#[invariant(inv, self.invariant(@_f.num_vars))]
while curr != INVALID {
@@ -162,8 +162,8 @@ impl Decisions {
}

#[cfg_attr(feature = "trust_decision", trusted)]
- #[requires(@_f.num_vars < @usize::MAX)]
- #[requires(@tomove < (@self.linked_list).len())]
+ #[requires(@_f.num_vars < usize::MAX@)]
+ #[requires(@tomove < (self@.linked_list).len())]
#[maintains((mut self).invariant(@_f.num_vars))]
fn move_to_front(&mut self, tomove: usize, _f: &Formula) {
let INVALID: usize = usize::MAX;
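Review bot: `(self@.linked_list).len()` is not the same term as the original `(@self.linked_list).len()`: the parentheses in the old form were there because prefix `@` applied to `self.linked_list` as a whole (the sequence model of the `Vec`), whereas `self@.linked_list` takes a model of `Decisions` and projects a field from it. The faithful spelling is `self.linked_list@.len()`, after which the parentheses are redundant, e.g. `#[requires(self.linked_list@.len() < usize::MAX@)]`. The `unch` invariant now also compares `(self@.linked_list)[j].next` against the untouched `(@old_self.linked_list)[j].next`, so the two sides of one `==` are written in different syntaxes, and `move_to_front` in the next hunk has the same `@tomove < (self@.linked_list).len()`. This precondition is what bounds the `linked_list[...]` indexing in the body, which continues outside the hunk.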
@@ -181,7 +181,7 @@ impl Decisions {
} else {
self.timestamp += 1;
}
- proof_assert!(@self.start < (@_f.num_vars));
+ proof_assert!(self@.start < (@_f.num_vars));
self.linked_list[self.start].prev = tomove;
self.start = tomove;
if prev != INVALID {
@@ -201,10 +201,10 @@ impl Decisions {
}

#[cfg_attr(feature = "trust_decision", trusted)]
- #[requires(elems_less_than(@v, @f.num_vars))]
- #[requires(@f.num_vars < @usize::MAX)]
+ #[requires(elems_less_than(@v, f.num_vars@))]
+ #[requires(f.num_vars@ < usize::MAX@)]
#[requires(f.invariant())]
- #[maintains((mut self).invariant(@f.num_vars))]
+ #[maintains((mut self).invariant(f.num_vars@))]
pub fn increment_and_move(&mut self, f: &Formula, v: Vec) {
let mut counts_with_index: Vec<(usize, usize)> = vec![(0, 0); v.len()];
let old_self: Ghost<&mut Decisions> = ghost! { self };
@@ -212,8 +212,8 @@ impl Decisions {
#[invariant(unch, old_self.inner() == self)]
#[invariant(proph, ^old_self.inner() == ^self)]
#[invariant(len_same, (@v).len() == (@counts_with_index).len())]
- #[invariant(all_less, forall 0 <= j && j < @i ==>
- @(@counts_with_index)[j].1 < (@self.linked_list).len())]
+ #[invariant(all_less, forall 0 <= j && j < i@ ==>
+ @(@counts_with_index)[j].1 < (self@.linked_list).len())]
while i < v.len() {
counts_with_index[i] = (self.linked_list[v[i]].ts, v[i]);
i += 1;
@@ -225,7 +225,7 @@ impl Decisions {
//counts_with_index.sort_by_key(|k| k.0);
i = 0;
#[invariant(proph, ^old_self.inner() == ^self)]
- #[invariant(inv, self.invariant(@f.num_vars))]
+ #[invariant(inv, self.invariant(f.num_vars@))]
#[invariant(len_same, (@v).len() == (@counts_with_index).len())]
while i < counts_with_index.len() {
self.move_to_front(counts_with_index[i].1, f);
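Review bot: `proof_assert!(self@.start < (@_f.num_vars));` moved the `@` from the `usize` field onto the receiver; the original `@self.start` was the `Int` model of `self.start`, which is what the `self.linked_list[self.start]` index on the next line needs bounded, so the matching new form is `proof_assert!(self.start@ < _f.num_vars@);`. The right-hand side was left in the old syntax on the same line, which is the clearest sign the conversion was a textual `@self` → `self@` substitution rather than an expression-level one. `move_to_front`'s body starts and ends outside the hunk.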
@@ -237,13 +237,13 @@ impl Decisions {
#[maintains((mut self).invariant(@_f.num_vars))]
#[requires(a.invariant(*_f))]
#[ensures(match result {
- Some(k) => @k < (@a).len() && unset((@a)[@k]),
+ Some(k) => @k < (a@).len() && unset((a@)[@k]),
None => a.complete(),
})]
pub fn get_next(&mut self, a: &Assignments, _f: &Formula) -> Option {
let INVALID: usize = usize::MAX;
let mut curr = self.search;
- #[invariant(inv, curr == usize::MAX || @curr < (@a).len())]
+ #[invariant(inv, curr == usize::MAX || @curr < (a@).len())]
while curr != INVALID {
if a[curr] >= 2 {
self.search = self.linked_list[curr].next;
@@ -254,7 +254,7 @@ impl Decisions {
// Strictly speaking this is an unecessary runtime check, but it only gets run at most once and it
// greatly simplifies the proof.
let mut i: usize = 0;
- #[invariant(prev, forall 0 <= j && j < @i ==> !unset((@a)[j]))]
+ #[invariant(prev, forall 0 <= j && j < i@ ==> !unset((a@)[j]))]
while i < a.len() {
if a[i] >= 2 {
return Some(i);
diff --git a/CreuSAT/src/formula.rs b/CreuSAT/src/formula.rs
index c1fffc94..f9b9968a 100644
--- a/CreuSAT/src/formula.rs
+++ b/CreuSAT/src/formula.rs
@@ -25,8 +25,8 @@ impl Index for Formula {
type Output = Clause;
#[inline]
#[cfg_attr(feature = "trust_formula", trusted)]
- #[requires(@ix < (@self).0.len())]
- #[ensures((@self).0[@ix] == *result)]
+ #[requires(i@x < self@.0.len())]
+ #[ensures(self@.0[i@x] == *result)]
fn index(&self, ix: usize) -> &Clause {
#[cfg(not(creusot))]
unsafe {
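Review bot: `(a@).len()` and `(a@)[@k]` keep parentheses that only made sense around the prefix form; postfix `@` binds tightly, so `a@.len()` and `a@[k@]` read as intended, and `@k` on the same line is still unconverted. Suggest `Some(k) => k@ < a@.len() && unset(a@[k@]),` and `@curr < a@.len()` → `curr@ < a@.len()` in the loop invariant below. The postcondition is the bound callers rely on before indexing the assignment with the returned `k`, so it should not be left in a state that needs a second pass.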
@@ -40,10 +40,10 @@ impl Index for Formula {
impl IndexMut for Formula {
#[inline]
#[cfg_attr(feature = "trust_formula", trusted)]
- #[requires(@ix < (@self).0.len())]
- #[ensures((@*self).0[@ix] == *result)]
- #[ensures((@^self).0[@ix] == ^result)]
- #[ensures(forall 0 <= i && i != @ix && i < (@self).0.len() ==> (@self).0[i] == (@^self).0[i])]
+ #[requires(i@x < self@.0.len())]
+ #[ensures((@*self).0[i@x] == *result)]
+ #[ensures((@^self).0[i@x] == ^result)]
+ #[ensures(forall 0 <= i && i != i@x && i < self@.0.len() ==> self@.0[i] == (@^self).0[i])]
#[ensures((@^self).0.len() == (@*self).0.len())]
fn index_mut(&mut self, ix: usize) -> &mut Clause {
#[cfg(not(creusot))]
@@ -58,9 +58,9 @@ impl IndexMut for Formula {
impl Formula {
#[cfg_attr(feature = "trust_formula", trusted)]
#[ensures(match result {
- SatResult::Sat(assn) => { formula_sat_inner(@self, @assn) },
+ SatResult::Sat(assn) => { formula_sat_inner(self@, a@ssn) },
SatResult::Unsat => { self.not_satisfiable() },
- SatResult::Unknown => { self.invariant() && 0 < @self.num_vars && @self.num_vars < @usize::MAX/2 },
+ SatResult::Unknown => { self.invariant() && 0 < self@.num_vars && self@.num_vars < usize::MAX@/2 },
SatResult::Err => { true },
})]
pub fn check_formula_invariant(&self) -> SatResult {
@@ -74,8 +74,8 @@ impl Formula {
return SatResult::Err; // We have no vars but more than 0 clauses -> error.
}
let mut i: usize = 0;
- #[invariant(inv, forall 0 <= j && j < @i ==> (@self.clauses)[j].invariant(@self.num_vars))]
- #[invariant(clause_len, forall 0 <= j && j < @i ==> (@(@self.clauses)[j]).len() > 0)]
+ #[invariant(inv, forall 0 <= j && j < i@ ==> (self@.clauses)[j].invariant(self@.num_vars))]
+ #[invariant(clause_len, forall 0 <= j && j < i@ ==> (@(self@.clauses)[j]).len() > 0)]
while i < self.clauses.len() {
if !self.clauses[i].check_clause_invariant(self.num_vars) {
return SatResult::Err;
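Review bot: Two separate problems on the `Sat` and `Unknown` arms of `check_formula_invariant`. `formula_sat_inner(self@, a@ssn)` mangles the bound variable `assn` (the postfix form is `assn@`), and `0 < self@.num_vars && self@.num_vars < usize::MAX@/2` moved the `@` from the `usize` field onto `self`, whose model in this same file is indexed as a tuple (`self@.0.len()` in the `Index` impls above), so `.num_vars` is unlikely to resolve on it. The faithful arms are `formula_sat_inner(self@, assn@)` and `0 < self.num_vars@ && self.num_vars@ < usize::MAX@/2`. This postcondition is the entry-point check that establishes `self.invariant()` for everything downstream, and the same `self@.num_vars` / `(self@.clauses)` pattern recurs in every `Formula` hunk below.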
@@ -91,12 +91,12 @@ impl Formula {
#[cfg_attr(feature = "trust_formula", trusted)]
#[requires(self.invariant())]
#[requires(a.invariant(*self))]
- #[requires(@idx < (@self.clauses).len())]
- #[ensures(result == (@self.clauses)[@idx].sat(*a))]
+ #[requires(i@dx < (self@.clauses).len())]
+ #[ensures(result == (self@.clauses)[i@dx].sat(*a))]
pub fn is_clause_sat(&self, idx: usize, a: &Assignments) -> bool {
let clause = &self.clauses[idx];
let mut i: usize = 0;
- #[invariant(previous_not_sat, forall 0 <= j && j < @i ==> !(@clause)[j].sat(*a))]
+ #[invariant(previous_not_sat, forall 0 <= j && j < i@ ==> !(@clause)[j].sat(*a))]
while i < clause.len() {
if clause[i].lit_sat(a) {
return true;
@@ -111,16 +111,16 @@ impl Formula {
#[maintains(_t.invariant(mut self))]
#[maintains((mut watches).invariant(mut self))]
#[requires((@clause).len() >= 2)]
- #[requires(@self.num_vars < @usize::MAX/2)]
- //#[requires(vars_in_range_inner(@clause, @self.num_vars))]
+ #[requires(self@.num_vars < usize::MAX@/2)]
+ //#[requires(vars_in_range_inner(@clause, self@.num_vars))]
//#[requires(no_duplicate_indexes_inner(@clause))]
- #[requires(clause.invariant(@self.num_vars))]
- #[requires(equisat_extension_inner(clause, @self))]
- #[ensures(@self.num_vars == @(^self).num_vars)]
+ #[requires(clause.invariant(self@.num_vars))]
+ #[requires(equisat_extension_inner(clause, self@))]
+ #[ensures(self@.num_vars == @(^self).num_vars)]
#[ensures(self.equisat(^self))]
- #[ensures(@result == (@self.clauses).len())]
- #[ensures((@(^self).clauses)[@result] == clause)]
- #[ensures((@self.clauses).len() + 1 == (@(^self).clauses).len())]
+ #[ensures(result@ == (self@.clauses).len())]
+ #[ensures((@(^self).clauses)[result@] == clause)]
+ #[ensures((self@.clauses).len() + 1 == (@(^self).clauses).len())]
pub fn add_clause(&mut self, clause: Clause, watches: &mut Watches, _t: &Trail) -> usize {
let old_self: Ghost<&mut Formula> = ghost! { self };
let cref = self.clauses.len();
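Review bot: `#[ensures(self@.num_vars == @(^self).num_vars)]` is now asymmetric: the left side projects a field from the model of `self`, the right side is the model of the `num_vars` field of the final value — which is also what the original `@self.num_vars` meant. The consistent postfix spelling is `self.num_vars@ == (^self).num_vars@`, and the same applies to `self@.num_vars < usize::MAX@/2`, `clause.invariant(self@.num_vars)` and `(self@.clauses).len()` in this contract (`self.clauses@.len()`). The commented-out `//#[requires(vars_in_range_inner(...))]` line was rewritten as well, so the script did not distinguish live contracts from dead ones. `add_clause`'s body continues outside the hunk.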
@@ -145,14 +145,14 @@ impl Formula {
#[maintains(_t.invariant(mut self))]
#[maintains((mut watches).invariant(mut self))]
#[requires((@clause).len() >= 2)]
- #[requires(@self.num_vars < @usize::MAX/2)]
- #[requires(clause.invariant(@self.num_vars))]
- #[requires(equisat_extension_inner(clause, @self))]
- #[ensures(@self.num_vars == @(^self).num_vars)]
+ #[requires(self@.num_vars < usize::MAX@/2)]
+ #[requires(clause.invariant(self@.num_vars))]
+ #[requires(equisat_extension_inner(clause, self@))]
+ #[ensures(self@.num_vars == @(^self).num_vars)]
#[ensures(self.equisat(^self))]
- #[ensures(@result == (@self.clauses).len())]
- #[ensures((@(^self).clauses)[@result] == clause)]
- #[ensures((@self.clauses).len() + 1 == (@(^self).clauses).len())]
+ #[ensures(result@ == (self@.clauses).len())]
+ #[ensures((@(^self).clauses)[result@] == clause)]
+ #[ensures((self@.clauses).len() + 1 == (@(^self).clauses).len())]
pub fn add_unwatched_clause(&mut self, clause: Clause, watches: &mut Watches, _t: &Trail) -> usize {
let old_self: Ghost<&mut Formula> = ghost! { self };
let cref = self.clauses.len();
@@ -164,19 +164,19 @@ impl Formula {
#[maintains((mut self).invariant())]
#[maintains(_t.invariant(mut self))]
#[requires((@clause).len() == 1)]
- #[requires(clause.invariant(@self.num_vars))]
- #[requires(@self.num_vars < @usize::MAX/2)]
- #[requires(vars_in_range_inner(@clause, @self.num_vars))]
+ #[requires(clause.invariant(self@.num_vars))]
+ #[requires(self@.num_vars < usize::MAX@/2)]
+ #[requires(vars_in_range_inner(@clause, self@.num_vars))]
#[requires(no_duplicate_indexes_inner(@clause))]
- #[requires(equisat_extension_inner(clause, @self))]
- #[ensures(@self.num_vars == @(^self).num_vars)]
+ #[requires(equisat_extension_inner(clause, self@))]
+ #[ensures(self@.num_vars == @(^self).num_vars)]
//#[ensures(self.equisat_compatible(^self))]
- #[ensures(forall 0 <= i && i < (@self.clauses).len() ==>
- (@self.clauses)[i] == (@(^self).clauses)[i])] // This or equisat_compatible is needed for the watch invariant.
+ #[ensures(forall 0 <= i && i < (self@.clauses).len() ==>
+ (self@.clauses)[i] == (@(^self).clauses)[i])] // This or equisat_compatible is needed for the watch invariant.
#[ensures(self.equisat(^self))] // Added/changed
- #[ensures(@result == (@self.clauses).len())]
- #[ensures((@(@(^self).clauses)[@result]).len() == 1)]
- #[ensures((@self.clauses).len() + 1 == (@(^self).clauses).len())]
+ #[ensures(result@ == (self@.clauses).len())]
+ #[ensures((@(@(^self).clauses)[result@]).len() == 1)]
+ #[ensures((self@.clauses).len() + 1 == (@(^self).clauses).len())]
pub fn add_unit(&mut self, clause: Clause, _t: &Trail) -> usize {
let old_self: Ghost<&mut Formula> = ghost! { self };
let cref = self.clauses.len();
@@ -190,7 +190,7 @@ impl Formula {
 #[ensures(result == self.sat(*a))]
 pub fn is_sat(&self, a: &Assignments) -> bool {
 let mut i: usize = 0;
- #[invariant(prev, forall 0 <= k && k < @i ==> (@self.clauses)[k].sat(*a))]
+ #[invariant(prev, forall 0 <= k && k < i@ ==> (self@.clauses)[k].sat(*a))]
 while i < self.clauses.len() {
 if !self.is_clause_sat(i, a) {
 return false;
@@ -204,9 +204,9 @@ impl Formula {
 #[maintains((mut watches).invariant(mut self))]
 #[maintains((mut self).invariant())]
 #[maintains((*t).invariant(mut self))]
- #[requires(@self.num_vars < @usize::MAX/2)]
- #[requires((@(@self.clauses)[@cref]).len() > 1)]
- #[requires(@cref < (@self.clauses).len())]
+ #[requires(self@.num_vars < usize::MAX@/2)]
+ #[requires((@(self@.clauses)[@cref]).len() > 1)]
+ #[requires(@cref < (self@.clauses).len())]
 #[ensures(self.equisat(^self))]
 #[ensures(self.num_vars == (^self).num_vars)]
 fn delete_clause(&mut self, cref: usize, watches: &mut Watches, t: &Trail) {
@@ -214,8 +214,8 @@ impl Formula {
 watches.unwatch(self, t, cref, self.clauses[cref][0]);
 watches.unwatch(self, t, cref, self.clauses[cref][1]);
 self.clauses[cref].deleted = true;
- proof_assert!(forall 0 <= i && i < (@(@self.clauses)[@cref]).len() ==>
- (@(@self.clauses)[@cref])[i] == (@(@old_f.clauses)[@cref])[i]);
+ proof_assert!(forall 0 <= i && i < (@(self@.clauses)[@cref]).len() ==>
+ (@(self@.clauses)[@cref])[i] == (@(@old_f.clauses)[@cref])[i]);
 proof_assert!(old_f.equisat(*self)); // This assertion helps with the invariant, which otherwise takes a long time.
 proof_assert!(^self == ^old_f.inner());
 }
@@ -226,7 +226,7 @@ impl Formula {
 #[maintains((mut watches).invariant(mut self))]
 #[maintains((*t).invariant(mut self))]
 #[requires(t.invariant(*self))]
- #[requires(@self.num_vars < @usize::MAX/2)]
+ #[requires(self@.num_vars < usize::MAX@/2)]
 #[ensures(self.num_vars == (^self).num_vars)]
 #[ensures(self.equisat(^self))]
 pub fn delete_clauses(&mut self, watches: &mut Watches, t: &Trail) {
@@ -239,7 +239,7 @@ impl Formula {
 #[invariant(f_inv, self.invariant())]
 #[invariant(proph_w, ^watches == ^old_w.inner())]
 #[invariant(proph_f, ^self == ^old_f.inner())]
- #[invariant(num_vars_unch, @self.num_vars == @old_f.num_vars)]
+ #[invariant(num_vars_unch, self@.num_vars == @old_f.num_vars)]
 #[invariant(equi, self.equisat(*old_f.inner()))]
 while i < self.clauses.len() {
 if !self.clauses[i].deleted {
@@ -258,7 +258,7 @@ impl Formula {
 #[maintains((mut self).invariant())]
 #[maintains((mut watches).invariant(mut self))]
 //#[maintains((*t).invariant(mut self))]
- #[requires(@self.num_vars < @usize::MAX/2)]
+ #[requires(self@.num_vars < usize::MAX@/2)]
 #[requires(t.invariant(*self))]
 #[ensures(t.invariant(^self))]
 #[ensures(self.num_vars == (^self).num_vars)]
@@ -276,7 +276,7 @@ impl Formula {
 #[requires(self.invariant())]
 #[requires(t.invariant(*self))]
 #[ensures(t.invariant(^self))]
- #[requires(@self.num_vars < @usize::MAX/2)]
+ #[requires(self@.num_vars < usize::MAX@/2)]
 #[ensures(self.num_vars == (^self).num_vars)]
 #[ensures(self.equisat(^self))]
 pub fn reduceDB(&mut self, watches: &mut Watches, t: &Trail, s: &mut Solver) {
@@ -297,7 +297,7 @@ impl Formula {
 #[invariant(f_inv, self.invariant())]
 #[invariant(proph_w, ^watches == ^old_w.inner())]
 #[invariant(proph_f, ^self == ^old_f.inner())]
- #[invariant(num_vars_unch, @self.num_vars == @old_f.num_vars)]
+ #[invariant(num_vars_unch, self@.num_vars == @old_f.num_vars)]
 #[invariant(equi, self.equisat(*old_f.inner()))]
 while i < self.clauses.len() {
 if !self.clauses[i].deleted {
diff --git a/CreuSAT/src/lit.rs b/CreuSAT/src/lit.rs
index b820fc8b..08766fbb 100644
--- a/CreuSAT/src/lit.rs
+++ b/CreuSAT/src/lit.rs
@@ -38,7 +38,7 @@ impl DeepModel for Lit {
 impl Lit {
 #[inline(always)]
 #[cfg_attr(feature = "trust_lit", trusted)]
- #[ensures(@result == self.index_logic())]
+ #[ensures(result@ == self.index_logic())]
 pub fn index(self) -> usize {
 self.idx
 }
@@ -59,7 +59,7 @@ impl Lit {
 #[inline(always)]
 #[cfg_attr(feature = "trust_lit", trusted)]
- #[requires(self.invariant((@a).len()))]
+ #[requires(self.invariant((a@).len()))]
 #[ensures(result == self.sat(*a))]
 pub fn lit_sat(self, a: &Assignments) -> bool {
 match self.is_positive() {
@@ -70,7 +70,7 @@ impl Lit {
 #[inline(always)]
 #[cfg_attr(feature = "trust_lit", trusted)]
- #[requires(self.invariant((@a).len()))]
+ #[requires(self.invariant((a@).len()))]
 #[ensures(result == self.unsat(*a))]
 pub fn lit_unsat(self, a: &Assignments) -> bool {
 match self.is_positive() {
@@ -81,7 +81,7 @@ impl Lit {
 #[inline(always)]
 #[cfg_attr(feature = "trust_lit", trusted)]
- #[requires(self.invariant((@a).len()))]
+ #[requires(self.invariant((a@).len()))]
 #[ensures(result == self.unset(*a))]
 pub fn lit_unset(self, a: &Assignments) -> bool {
 a[self.index()] >= 2
@@ -89,7 +89,7 @@ impl Lit {
 #[inline(always)]
 #[cfg_attr(feature = "trust_lit", trusted)]
- #[requires(self.invariant((@a).len()))]
+ #[requires(self.invariant((a@).len()))]
 #[ensures(result == !self.unset(*a))]
 pub fn lit_set(self, a: &Assignments) -> bool {
 a[self.index()] < 2
@@ -97,25 +97,25 @@ impl Lit {
 // Gets the index of the literal in the representation used for the watchlist
 #[cfg_attr(feature = "trust_lit", trusted)]
- #[requires(self.index_logic() < @usize::MAX/2)]
- #[ensures(@result == self.to_watchidx_logic())]
- #[ensures(@result == self.index_logic() * 2 + if self.is_positive_logic() { 0 } else { 1 })]
+ #[requires(self.index_logic() < usize::MAX@/2)]
+ #[ensures(result@ == self.to_watchidx_logic())]
+ #[ensures(result@ == self.index_logic() * 2 + if self.is_positive_logic() { 0 } else { 1 })]
 pub fn to_watchidx(self) -> usize {
 self.index() * 2 + if self.is_positive() { 0 } else { 1 }
 }
 // Gets the index of the literal of the opposite polarity(-self) in the representation used for the watchlist
 #[cfg_attr(feature = "trust_lit", trusted)]
- #[requires(self.index_logic() < @usize::MAX/2)]
- #[ensures(@result == self.to_neg_watchidx_logic())]
- #[ensures(@result == self.index_logic() * 2 + if self.is_positive_logic() { 1 } else { 0 })]
+ #[requires(self.index_logic() < usize::MAX@/2)]
+ #[ensures(result@ == self.to_neg_watchidx_logic())]
+ #[ensures(result@ == self.index_logic() * 2 + if self.is_positive_logic() { 1 } else { 0 })]
 pub fn to_neg_watchidx(self) -> usize {
 self.index() * 2 + if self.is_positive() { 1 } else { 0 }
 }
 #[cfg_attr(feature = "trust_lit", trusted)]
- #[requires(@idx < (@assignments).len())]
- #[ensures(result.index_logic() == @idx)]
- #[ensures(result.is_positive_logic() == (@(@assignments)[@idx] == 1))]
+ #[requires(i@dx < (a@ssignments).len())]
+ #[ensures(result.index_logic() == i@dx)]
+ #[ensures(result.is_positive_logic() == (@(a@ssignments)[i@dx] == 1))]
 pub fn phase_saved(idx: usize, assignments: &Assignments) -> Lit {
 Lit { idx: idx, polarity: if assignments[idx] == 1 { true } else { false } }
 }
diff --git a/CreuSAT/src/logic/logic.rs b/CreuSAT/src/logic/logic.rs
index 8cc03af9..e2dcfd98 100644
--- a/CreuSAT/src/logic/logic.rs
+++ b/CreuSAT/src/logic/logic.rs
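Review bot: In the `phase_saved` contract the postfix operator landed inside the identifiers: `i@dx` and `a@ssignments` are not the parameter names, so these three attributes no longer refer to `idx` and `assignments` at all. The intended lines are `#[requires(idx@ < assignments@.len())]`, `#[ensures(result.index_logic() == idx@)]` and `#[ensures(result.is_positive_logic() == (assignments@[idx@]@ == 1))]` (the element model may stay as `@(...)` if the prefix form is still preferred there). The same slip produced `a@ssn` for `@assn` in the solver.rs `SatResult::Sat(assn)` postcondition; both read as a search-and-replace that inserted `@` after the first character rather than after the whole token, so the remainder of the commit is worth scanning for an `@` embedded inside an identifier.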
@@ -29,8 +29,8 @@ pub fn unset(v: AssignedState) -> bool {
 #[cfg_attr(feature = "trust_logic_logic", trusted)]
 #[logic]
-#[ensures(b ==> @result == 1)]
-#[ensures(!b ==> @result == 0)]
+#[ensures(b ==> result@ == 1)]
+#[ensures(!b ==> result@ == 0)]
 pub fn bool_to_assignedstate(b: bool) -> AssignedState {
 if b {
 1u8
diff --git a/CreuSAT/src/logic/logic_assignments.rs b/CreuSAT/src/logic/logic_assignments.rs
index 6da95ec3..e046ad64 100644
--- a/CreuSAT/src/logic/logic_assignments.rs
+++ b/CreuSAT/src/logic/logic_assignments.rs
@@ -45,15 +45,15 @@ impl Assignments {
 #[predicate]
 pub fn invariant(self, f: Formula) -> bool {
 pearlite! {
- @f.num_vars == (@self).len()
- && forall 0 <= i && i < (@self).len() ==> @(@self)[i] <= 3
+ f.num_vars@ == self@.len()
+ && forall 0 <= i && i < self@.len() ==> @self@[i] <= 3
 }
 }
 #[predicate]
 pub fn complete(self) -> bool {
 pearlite! {
- forall 0 <= i && i < (@self).len() ==> !unset((@self)[i])
+ forall 0 <= i && i < self@.len() ==> !unset(self@[i])
 }
 }
 }
diff --git a/CreuSAT/src/logic/logic_clause.rs b/CreuSAT/src/logic/logic_clause.rs
index 74492ab5..4899b9f4 100644
--- a/CreuSAT/src/logic/logic_clause.rs
+++ b/CreuSAT/src/logic/logic_clause.rs
@@ -55,8 +55,8 @@ impl Clause {
 #[predicate]
 pub fn post_unit_inner(self, a: Seq) -> bool {
 pearlite! {
- exists 0 <= i && i < (@self).len() && (@self)[i].sat_inner(a)
- && forall 0 <= j && j < (@self).len() && j != i ==> (@self)[j].unsat_inner(a)
+ exists 0 <= i && i < self@.len() && self@[i].sat_inner(a)
+ && forall 0 <= j && j < self@.len() && j != i ==> self@[j].unsat_inner(a)
 }
 }
@@ -64,20 +64,20 @@ impl Clause {
 #[predicate]
 pub fn no_unset_inner(self, a: Seq) -> bool {
 pearlite! {
- forall 0 <= j && j < (@self).len() ==> !(@self)[j].unset_inner(a)
+ forall 0 <= j && j < self@.len() ==> !self@[j].unset_inner(a)
 }
 }
 #[predicate]
 pub fn post_unit(self, a: Assignments) -> bool {
- pearlite! { self.post_unit_inner(@a) }
+ pearlite! { self.post_unit_inner(a@) }
 }
 #[predicate]
 pub fn eq_assn_inner(self, a: Seq, a2: Seq) -> bool {
 pearlite! {
- forall 0 <= i && i < (@self).len() ==>
- a[(@self)[i].index_logic()] == a2[(@self)[i].index_logic()]
+ forall 0 <= i && i < self@.len() ==>
+ a[self@[i].index_logic()] == a2[self@[i].index_logic()]
 }
 }
 }
@@ -91,10 +91,10 @@ impl Clause {
 #[predicate]
 pub fn same_idx_same_polarity_except(self, other: Clause, exception: Int) -> bool {
 pearlite! {
- forall 0 <= i && i < (@self).len() && 0 <= j && j < (@other).len() ==>
- (((@self)[i].index_logic() != exception &&
- (@self)[i].index_logic() == (@other)[j].index_logic())) ==>
- (@self)[i].is_positive_logic() == (@other)[j].is_positive_logic()
+ forall 0 <= i && i < self@.len() && 0 <= j && j < (@other).len() ==>
+ ((self@[i].index_logic() != exception &&
+ self@[i].index_logic() == (@other)[j].index_logic())) ==>
+ self@[i].is_positive_logic() == (@other)[j].is_positive_logic()
 }
 }
@@ -103,8 +103,8 @@ impl Clause {
 pearlite! {
 (forall 0 <= i && i < (@c ).len() && i != m ==> (@c )[i].lit_in(self)) &&
 (forall 0 <= i && i < (@c2).len() && i != k ==> (@c2 )[i].lit_in(self)) &&
- (forall 0 <= i && i < (@self).len() ==> ((@self)[i].lit_in(c)
- || (@self)[i].lit_in(c2))) &&
+ (forall 0 <= i && i < self@.len() ==> (self@[i].lit_in(c)
+ || self@[i].lit_in(c2))) &&
 !(@c)[m].lit_in(self) && !(@c2)[k].lit_in(self) && (@c2)[k].is_opp((@c)[m])
 }
 }
@@ -113,8 +113,8 @@ impl Clause {
 #[predicate]
 pub fn in_formula(self, f: Formula) -> bool {
 pearlite! {
- exists 0 <= i && i < (@f.clauses).len() &&
- (@f.clauses)[i] == self
+ exists 0 <= i && i < f.clauses@.len() &&
+ f.clauses@[i] == self
 }
 }
@@ -130,42 +130,42 @@ impl Clause {
 pearlite! {
 self.vars_in_range(a.len()) &&
 !self.sat_inner(a) &&
- exists 0 <= i && i < (@self).len() &&
- (@self)[i].unset_inner(a) &&
- (forall 0 <= j && j < (@self).len() && j != i ==>
- !(@self)[j].unset_inner(a))
+ exists 0 <= i && i < self@.len() &&
+ self@[i].unset_inner(a) &&
+ (forall 0 <= j && j < self@.len() && j != i ==>
+ !self@[j].unset_inner(a))
 }
 }
 #[predicate]
 pub fn unit(self, a: Assignments) -> bool {
- pearlite! { self.unit_inner(@a) }
+ pearlite! { self.unit_inner(a@) }
 }
 #[predicate]
 pub fn unsat_inner(self, a: Seq) -> bool {
 pearlite! {
- forall 0 <= i && i < (@self).len() ==>
- (@self)[i].unsat_inner(a)
+ forall 0 <= i && i < self@.len() ==>
+ self@[i].unsat_inner(a)
 }
 }
 #[predicate]
 pub fn unsat(self, a: Assignments) -> bool {
- pearlite! { self.unsat_inner(@a) }
+ pearlite! { self.unsat_inner(a@) }
 }
 #[predicate]
 pub fn sat_inner(self, a: Seq) -> bool {
 pearlite! {
- exists 0 <= i && i < (@self).len() &&
- (@self)[i].sat_inner(a)
+ exists 0 <= i && i < self@.len() &&
+ self@[i].sat_inner(a)
 }
 }
 #[predicate]
 pub fn sat(self, a: Assignments) -> bool {
 pearlite! {
- self.sat_inner(@a)
+ self.sat_inner(a@)
 }
 }
@@ -176,38 +176,38 @@ impl Clause {
 #[predicate]
 pub fn vars_in_range(self, n: Int) -> bool {
- pearlite! { vars_in_range_inner(@self, n) }
+ pearlite! { vars_in_range_inner(self@, n) }
 }
 #[predicate]
 pub fn no_duplicate_indexes(self) -> bool {
- pearlite! { no_duplicate_indexes_inner(@self) }
+ pearlite! { no_duplicate_indexes_innerself@ }
 }
 #[predicate]
 pub fn search_idx_in_range(self) -> bool {
- pearlite! { 2 <= @self.search && @self.search <= (@self).len() }
+ pearlite! { 2 <= self@.search && self@.search <= self@.len() }
 }
 #[predicate]
 pub fn invariant(self, n: Int) -> bool {
- pearlite! { invariant_internal(@self, n) }
+ pearlite! { invariant_internal(self@, n) }
 }
 #[predicate]
 pub fn clause_is_seen(self, seen: Vec) -> bool {
 pearlite! {
 forall 0 <= idx && idx < (@seen).len() ==>
- ((@seen)[idx] == idx_in_logic(idx, @self))
+ ((@seen)[idx] == idx_in_logic(idx, self@))
 }
 }
 #[predicate]
 pub fn equals(self, o: Clause) -> bool {
 pearlite! {
- (@self).len() == (@o).len()
- && forall 0 <= j && j < (@self).len() ==>
- (@self)[j] == (@o)[j]
+ self@.len() == (@o).len()
+ && forall 0 <= j && j < self@.len() ==>
+ self@[j] == (@o)[j]
 }
 }
 }
diff --git a/CreuSAT/src/logic/logic_decision.rs b/CreuSAT/src/logic/logic_decision.rs
index 426a8970..fa62a4fa 100644
--- a/CreuSAT/src/logic/logic_decision.rs
+++ b/CreuSAT/src/logic/logic_decision.rs
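Review bot: `no_duplicate_indexes_innerself@` dropped the call parentheses when `(@self)` was rewritten, so `no_duplicate_indexes` now names an undefined identifier instead of calling `no_duplicate_indexes_inner`; it should read `pearlite! { no_duplicate_indexes_inner(self@) }`, matching `vars_in_range_inner(self@, n)` two methods above. The same loss appears in the logic_formula.rs hunk further down, where `Formula::invariant` became `pearlite! { formula_invariantself@ }` and should be `pearlite! { formula_invariant(self@) }`. `invariant` is what most `#[requires]`/`#[maintains]` clauses in this commit rest on, so neither file can verify until these two lines are restored.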
@@ -8,12 +8,12 @@ impl Decisions {
 #[predicate]
 pub fn invariant(self, n: Int) -> bool {
 pearlite! {
- (@self.linked_list).len() == n
- && (@self.search < (@self.linked_list).len() || @self.search == @usize::MAX)
- && @self.start < (@self.linked_list).len()
- && forall 0 <= i && i < (@self.linked_list).len() ==>
- ((@(@self.linked_list)[i].next == @usize::MAX || @(@self.linked_list)[i].next < n)
- && (@(@self.linked_list)[i].prev == @usize::MAX || @(@self.linked_list)[i].prev < n))
+ (self@.linked_list).len() == n
+ && (self@.search < (self@.linked_list).len() || self@.search == usize::MAX@)
+ && self@.start < (self@.linked_list).len()
+ && forall 0 <= i && i < (self@.linked_list).len() ==>
+ ((@(self@.linked_list)[i].next == usize::MAX@ || @(self@.linked_list)[i].next < n)
+ && (@(self@.linked_list)[i].prev == usize::MAX@ || @(self@.linked_list)[i].prev < n))
 }
 }
 }
diff --git a/CreuSAT/src/logic/logic_formula.rs b/CreuSAT/src/logic/logic_formula.rs
index e19cdc0e..28767763 100644
--- a/CreuSAT/src/logic/logic_formula.rs
+++ b/CreuSAT/src/logic/logic_formula.rs
@@ -52,7 +52,7 @@ impl Formula {
 #[predicate]
 pub fn eventually_sat_complete(self) -> bool {
 pearlite! {
- exists> a2.len() == @self.num_vars && complete_inner(a2) && self.sat_inner(a2)
+ exists> a2.len() == self@.num_vars && complete_inner(a2) && self.sat_inner(a2)
 }
 }
@@ -65,17 +65,17 @@ impl Formula {
 #[cfg_attr(feature = "trust_formula_logic", trusted)]
 #[ensures(result == self.invariant_mirror())] // Removing this makes a bunch of seemingly unrelated things fail
 pub fn invariant(self) -> bool {
- pearlite! { formula_invariant(@self) }
+ pearlite! { formula_invariantself@ }
 }
 #[predicate]
 fn invariant_mirror(self) -> bool {
 pearlite! {
- (forall 0 <= i && i < (@self.clauses).len() ==>
- (@self.clauses)[i].invariant(@self.num_vars))
+ (forall 0 <= i && i < (self@.clauses).len() ==>
+ (self@.clauses)[i].invariant(self@.num_vars))
 &&
- (forall 0 <= i && i < (@self.clauses).len() ==>
- (@(@self.clauses)[i]).len() >= 1)
+ (forall 0 <= i && i < (self@.clauses).len() ==>
+ (@(self@.clauses)[i]).len() >= 1)
 }
 }
@@ -83,46 +83,46 @@ impl Formula {
 #[predicate]
 fn eventually_sat_inner(self, a: Seq) -> bool {
 pearlite! {
- exists> a2.len() == @self.num_vars && compatible_inner(a, a2) && self.sat_inner(a2)
+ exists> a2.len() == self@.num_vars && compatible_inner(a, a2) && self.sat_inner(a2)
 }
 }
 #[predicate]
 fn eventually_sat_complete_inner(self, a: Seq) -> bool {
 pearlite! {
- exists> a2.len() == @self.num_vars && compatible_complete_inner(a, a2) && self.sat_inner(a2)
+ exists> a2.len() == self@.num_vars && compatible_complete_inner(a, a2) && self.sat_inner(a2)
 }
 }
 #[predicate]
 fn eventually_sat(self, a: Assignments) -> bool {
- pearlite! { self.eventually_sat_inner(@a)}
+ pearlite! { self.eventually_sat_inner(a@)}
 }
 #[predicate]
 pub fn sat_inner(self, a: Seq) -> bool {
 pearlite! {
- forall 0 <= i && i < (@self.clauses).len() ==>
- (@self.clauses)[i].sat_inner(a)
+ forall 0 <= i && i < (self@.clauses).len() ==>
+ (self@.clauses)[i].sat_inner(a)
 }
 }
 #[predicate]
 pub fn sat(self, a: Assignments) -> bool {
- pearlite! { formula_sat_inner(@self, @a) }
+ pearlite! { formula_sat_inner(self@, a@) }
 }
 #[predicate]
 fn unsat_inner(self, a: Seq) -> bool {
 pearlite! {
- exists 0 <= i && i < (@self.clauses).len() &&
- (@self.clauses)[i].unsat_inner(a)
+ exists 0 <= i && i < (self@.clauses).len() &&
+ (self@.clauses)[i].unsat_inner(a)
 }
 }
 #[predicate]
 pub fn unsat(self, a: Assignments) -> bool {
- pearlite! { self.unsat_inner(@a) }
+ pearlite! { self.unsat_inner(a@) }
 }
 #[predicate]
diff --git a/CreuSAT/src/logic/logic_lit.rs b/CreuSAT/src/logic/logic_lit.rs
index 39a8912c..3faf339d 100644
--- a/CreuSAT/src/logic/logic_lit.rs
+++ b/CreuSAT/src/logic/logic_lit.rs
@@ -19,7 +19,7 @@ impl Lit {
 #[logic]
 #[why3::attr = "inline:trivial"]
 pub fn index_logic(self) -> Int {
- pearlite! { @self.idx }
+ pearlite! { self@.idx }
 }
 #[logic]
@@ -77,8 +77,8 @@ impl Lit {
 pub fn sat_inner(self, a: Seq) -> bool {
 pearlite! {
 match self.is_positive_logic() {
- true => (@a[self.index_logic()] == 1),
- false => (@a[self.index_logic()] == 0),
+ true => (a@[self.index_logic()] == 1),
+ false => (a@[self.index_logic()] == 0),
 }
 }
 }
@@ -87,8 +87,8 @@ impl Lit {
 pub fn unsat_inner(self, a: Seq) -> bool {
 pearlite! {
 match self.is_positive_logic() {
- true => (@a[self.index_logic()] == 0),
- false => (@a[self.index_logic()] == 1),
+ true => (a@[self.index_logic()] == 0),
+ false => (a@[self.index_logic()] == 1),
 }
 }
 }
@@ -100,17 +100,17 @@ impl Lit {
 #[predicate]
 pub fn sat(self, a: Assignments) -> bool {
- pearlite! { self.sat_inner(@a) }
+ pearlite! { self.sat_inner(a@) }
 }
 #[predicate]
 pub fn unset(self, a: Assignments) -> bool {
- pearlite! { self.unset_inner(@a) }
+ pearlite! { self.unset_inner(a@) }
 }
 #[predicate]
 pub fn unsat(self, a: Assignments) -> bool {
- pearlite! { self.unsat_inner(@a) }
+ pearlite! { self.unsat_inner(a@) }
 }
 #[predicate]
diff --git a/CreuSAT/src/logic/logic_trail.rs b/CreuSAT/src/logic/logic_trail.rs
index c521b228..3e037620 100644
--- a/CreuSAT/src/logic/logic_trail.rs
+++ b/CreuSAT/src/logic/logic_trail.rs
@@ -13,11 +13,11 @@ impl Reason {
 pearlite! {
 match self {
 Reason::Long(cref) =>
- (0 <= @cref && @cref < (@f.clauses).len())
- && (@(@f.clauses)[@cref]).len() > 1,
+ (0 <= @cref && @cref < f.clauses@.len())
+ && (@f.clauses@[@cref]).len() > 1,
 Reason::Unit(cref) =>
- (0 <= @cref && @cref < (@f.clauses).len())
- && (@(@f.clauses)[@cref]).len() == 1,
+ (0 <= @cref && @cref < f.clauses@.len())
+ && (@f.clauses@[@cref]).len() == 1,
 _ => true
 }
 }
@@ -29,15 +29,15 @@ impl Reason {
 pearlite! {
 match self {
 Reason::Long(cref) =>
- (0 <= @cref && @cref < (@f.clauses).len())
- && (@(@f.clauses)[@cref]).len() > 1
- && (forall 1 <= i && i < (@(@f.clauses)[@cref]).len() ==>
- (@(@f.clauses)[@cref])[i].unsat_inner(@a))
- && (@(@f.clauses)[@cref])[0].sat_inner(@a),
+ (0 <= @cref && @cref < f.clauses@.len())
+ && (@f.clauses@[@cref]).len() > 1
+ && (forall 1 <= i && i < (@f.clauses@[@cref]).len() ==>
+ (@f.clauses@[@cref])[i].unsat_inner(a@))
+ && (@f.clauses@[@cref])[0].sat_inner(a@),
 Reason::Unit(cref) =>
- (0 <= @cref && @cref < (@f.clauses).len())
- && (@(@f.clauses)[@cref]).len() == 1
- && (@(@f.clauses)[@cref])[0].sat_inner(@a),
+ (0 <= @cref && @cref < f.clauses@.len())
+ && (@f.clauses@[@cref]).len() == 1
+ && (@f.clauses@[@cref])[0].sat_inner(a@),
 _ => true
 }
 }
@@ -52,15 +52,15 @@ impl Trail {
 pub fn invariant(self, f: Formula) -> bool {
 pearlite! {
 self.assignments.invariant(f)
- && trail_invariant(@self.trail, f)
- && (@self.lit_to_level).len() == @f.num_vars
- && lit_not_in_less_inner(@self.trail, f)
- && lit_is_unique_inner(@self.trail)
- && long_are_post_unit_inner(@self.trail, f, @self.assignments)
- && trail_entries_are_assigned_inner(@self.trail, @self.assignments)
- && sorted(@self.decisions)
- && unit_are_sat(@self.trail, f, self.assignments)
- && (forall 0 <= i && i < (@self.decisions).len() ==> @(@self.decisions)[i] <= (@self.trail).len())
+ && trail_invariant(self@.trail, f)
+ && (self@.lit_to_level).len() == f.num_vars@
+ && lit_not_in_less_inner(self@.trail, f)
+ && lit_is_unique_inner(self@.trail)
+ && long_are_post_unit_inner(self@.trail, f, self@.assignments)
+ && trail_entries_are_assigned_inner(self@.trail, self@.assignments)
+ && sorted(self@.decisions)
+ && unit_are_sat(self@.trail, f, self.assignments)
+ && (forall 0 <= i && i < (self@.decisions).len() ==> @(self@.decisions)[i] <= (self@.trail).len())
 }
 }
@@ -69,14 +69,14 @@ impl Trail {
 pub fn invariant_no_decision(self, f: Formula) -> bool {
 pearlite! {
 self.assignments.invariant(f)
- && trail_invariant(@self.trail, f)
- && (@self.lit_to_level).len() == @f.num_vars
- && lit_not_in_less_inner(@self.trail, f)
- && lit_is_unique_inner(@self.trail)
- && long_are_post_unit_inner(@self.trail, f, @self.assignments)
- && trail_entries_are_assigned_inner(@self.trail, @self.assignments)
- && sorted(@self.decisions)
- && unit_are_sat(@self.trail, f, self.assignments)
+ && trail_invariant(self@.trail, f)
+ && (self@.lit_to_level).len() == f.num_vars@
+ && lit_not_in_less_inner(self@.trail, f)
+ && lit_is_unique_inner(self@.trail)
+ && long_are_post_unit_inner(self@.trail, f, self@.assignments)
+ && trail_entries_are_assigned_inner(self@.trail, self@.assignments)
+ && sorted(self@.decisions)
+ && unit_are_sat(self@.trail, f, self.assignments)
 }
 }
 }
@@ -87,7 +87,7 @@ pub fn lit_not_in_less_inner(t: Seq, f: Formula) -> bool {
 forall 0 <= i && i < t.len() ==>
 forall 0 <= j && j < i ==>
 match t[j].reason {
- Reason::Long(cref) => !(t)[i].lit.lit_idx_in((@f.clauses)[@cref]),
+ Reason::Long(cref) => !(t)[i].lit.lit_idx_in(f.clauses@[@cref]),
 _ => true,
 }
 }
@@ -97,7 +97,7 @@ pub fn lit_not_in_less_inner(t: Seq, f: Formula) -> bool {
 pub fn trail_invariant(trail: Seq, f: Formula) -> bool {
 pearlite! {
 forall 0 <= i && i < trail.len() ==>
- (trail[i].lit.invariant(@f.num_vars)
+ (trail[i].lit.invariant(f.num_vars@)
 && trail[i].reason.invariant(f))
 }
 }
@@ -112,7 +112,7 @@ fn trail_entries_are_assigned_inner(t: Seq, a: Seq) -> bool
 #[predicate]
 pub fn clause_post_with_regards_to(c: Clause, a: Assignments, j: Int) -> bool {
- pearlite! { clause_post_with_regards_to_inner(c, @a, j) }
+ pearlite! { clause_post_with_regards_to_inner(c, a@, j) }
 }
 #[predicate]
@@ -126,7 +126,7 @@ pub fn clause_post_with_regards_to_inner(c: Clause, a: Seq, j: In
 #[predicate]
 pub fn clause_post_with_regards_to_lit(c: Clause, a: Assignments, lit: Lit) -> bool {
- pearlite! { clause_post_with_regards_to_inner(c, @a, @lit.idx) }
+ pearlite! { clause_post_with_regards_to_inner(c, a@, @lit.idx) }
 }
 #[predicate]
@@ -143,7 +143,7 @@ pub fn long_are_post_unit(trail: Trail, f: Formula) -> bool {
 pearlite! {
 forall 0 <= j && j < (@trail.trail).len() ==>
 match (@trail.trail)[j].reason {
- Reason::Long(k) => { clause_post_with_regards_to((@f.clauses)[@k], trail.assignments, (@trail.trail)[j].lit.index_logic()) },
+ Reason::Long(k) => { clause_post_with_regards_to(f.clauses@[@k], trail.assignments, (@trail.trail)[j].lit.index_logic()) },
 _ => true,
 }
 }
@@ -154,7 +154,7 @@ pub fn long_are_post_unit_inner(trail: Seq, f: Formula, a: Seq
 0 <= j && j < trail.len() ==>
 match trail[j].reason {
- Reason::Long(k) => { clause_post_with_regards_to_inner((@f.clauses)[@k], a, (trail)[j].lit.index_logic()) },
+ Reason::Long(k) => { clause_post_with_regards_to_inner(f.clauses@[@k], a, (trail)[j].lit.index_logic()) },
 _ => true,
 }
 }
@@ -166,8 +166,8 @@ fn unit_are_sat(trail: Seq, f: Formula, a: Assignments) -> bool {
 forall 0 <= j && j < trail.len() ==>
 match trail[j].reason {
 Reason::Unit(k) => {
- trail[j].lit == (@(@f.clauses)[@k])[0]
- && (@(@f.clauses)[@k])[0].sat(a) },
+ trail[j].lit == (@f.clauses@[@k])[0]
+ && (@f.clauses@[@k])[0].sat(a) },
 _ => true,
 }
 }
@@ -180,11 +180,11 @@ fn unit_are_sat(trail: Seq, f: Formula, a: Assignments) -> bool {
 #[requires(f.invariant())]
 #[requires(trail_invariant(v, f))]
 #[requires(crefs_in_range(v, f))]
-#[requires(lit.invariant(@f.num_vars))]
-#[requires(unset((@a)[lit.index_logic()]))]
-#[requires(long_are_post_unit_inner(v, f, @a))]
-#[ensures(long_are_post_unit_inner(v, f, (@a).set(lit.index_logic(), 1u8)))]
-#[ensures(long_are_post_unit_inner(v, f, (@a).set(lit.index_logic(), 0u8)))]
+#[requires(lit.invariant(f.num_vars@))]
+#[requires(unset((a@)[lit.index_logic()]))]
+#[requires(long_are_post_unit_inner(v, f, a@))]
+#[ensures(long_are_post_unit_inner(v, f, (a@).set(lit.index_logic(), 1u8)))]
+#[ensures(long_are_post_unit_inner(v, f, (a@).set(lit.index_logic(), 0u8)))]
 pub fn lemma_assign_maintains_long_are_post_unit(v: Seq, f: Formula, a: Assignments, lit: Lit) {}
 */
@@ -193,7 +193,7 @@ pub fn lemma_assign_maintains_long_are_post_unit(v: Seq, f: Formula, a: As
 #[requires(f.invariant())]
 #[requires(t.invariant(f))]
 #[requires(unset((@t.assignments)[step.lit.index_logic()]))]
-#[requires(step.lit.invariant(@f.num_vars))]
+#[requires(step.lit.invariant(f.num_vars@))]
 //#[requires(step.reason.invariant(f))]
 #[requires(lit_not_in_less_inner(@t.trail, f))]
 #[ensures(lit_not_in_less_inner((@t.trail).push(step), f))]
diff --git a/CreuSAT/src/logic/logic_watches.rs b/CreuSAT/src/logic/logic_watches.rs
index f19b96bb..acc5a297 100644
--- a/CreuSAT/src/logic/logic_watches.rs
+++ b/CreuSAT/src/logic/logic_watches.rs
@@ -13,10 +13,10 @@ pub fn watches_invariant_internal(w: Seq>, n: Int, f: Formula) -> b
 2 * n == w.len() &&
 forall 0 <= i && i < w.len() ==>
 forall 0 <= j && j < (@w[i]).len() ==>
- ((@(@w[i])[j].cref < (@f.clauses).len()
- && (@(@f.clauses)[@(@w[i])[j].cref]).len() > 1)
- && (@w[i])[j].blocker.index_logic() < @f.num_vars)
- //&& (@f.clauses)[@(@w[i])[j].cref].search_idx_in_range()
+ ((@(@w[i])[j].cref < f.clauses@.len()
+ && (@f.clauses@[@(@w[i])[j].cref]).len() > 1)
+ && (@w[i])[j].blocker.index_logic() < f.num_vars@)
+ //&& f.clauses@[@(@w[i])[j].cref].search_idx_in_range()
 }
 }
@@ -25,9 +25,9 @@ pub fn watches_invariant_internal(w: Seq>, n: Int, f: Formula) -> b
 pub fn watch_valid(w: Seq, f: Formula) -> bool {
 pearlite! {
 forall 0 <= j && j < w.len() ==>
- @w[j].cref < (@f.clauses).len() // all clauses are valid
- && (@(@f.clauses)[@w[j].cref]).len() > 1 // the clauses have at least two litearls
- && w[j].blocker.index_logic() < @f.num_vars // something about blocking lits
+ @w[j].cref < f.clauses@.len() // all clauses are valid
+ && (@f.clauses@[@w[j].cref]).len() > 1 // the clauses have at least two litearls
+ && w[j].blocker.index_logic() < f.num_vars@ // something about blocking lits
 }
 }
@@ -35,7 +35,7 @@ pub fn watch_valid(w: Seq, f: Formula) -> bool {
 pub fn watcher_crefs_in_range(w: Seq, f: Formula) -> bool {
 pearlite! {
 forall 0 <= j && j < w.len() ==>
- @w[j].cref < (@f.clauses).len()
+ @w[j].cref < f.clauses@.len()
 }
 }
@@ -57,16 +57,16 @@ pub fn lemma_pop_watch_maintains_watcher_invariant(w: Seq, f: Formula)
 #[logic]
 #[cfg_attr(feature = "trust_watches_logic", trusted)]
 #[requires(watcher_crefs_in_range(w, f))]
-#[requires(@o.cref < (@f.clauses).len())]
+#[requires(@o.cref < f.clauses@.len())]
 #[ensures(watcher_crefs_in_range(w.push(o), f))]
 pub fn lemma_push_maintains_watcher_invariant(w: Seq, f: Formula, o: Watcher) {}
 impl Watches {
 #[predicate]
- //#[ensures(result == watches_invariant_internal(@self.watches, n))]
+ //#[ensures(result == watches_invariant_internal(self@.watches, n))]
 pub fn invariant(self, f: Formula) -> bool {
 pearlite! {
- watches_invariant_internal(@self.watches, @f.num_vars, f)
+ watches_invariant_internal(self@.watches, f.num_vars@, f)
 }
 }
 }
diff --git a/CreuSAT/src/solver.rs b/CreuSAT/src/solver.rs
index e0d48a23..d3f61f64 100644
--- a/CreuSAT/src/solver.rs
+++ b/CreuSAT/src/solver.rs
@@ -30,11 +30,11 @@ pub enum ConflictResult {
 #[requires(f.invariant())]
 #[requires(trail.invariant(*f))]
 #[requires(equisat_extension_inner(*clause, @f))]
-#[requires(clause.invariant(@f.num_vars))]
+#[requires(clause.invariant(f.num_vars@))]
 #[requires((@clause).len() > 1)]
-#[requires(vars_in_range_inner(@clause, @f.num_vars))]
+#[requires(vars_in_range_inner(@clause, f.num_vars@))]
 #[requires(no_duplicate_indexes_inner(@clause))]
-#[ensures(@result.0 < (@clause).len())]
+#[ensures(result@.0 < (@clause).len())]
 pub fn get_asserting_level(clause: &Clause, trail: &Trail, f: &Formula) -> (usize, usize) {
 let mut max_i: usize = 1;
 let mut max_level = trail.lit_to_level[clause[1].index()];
@@ -104,13 +104,13 @@ impl Solver {
 #[maintains((mut f).invariant())]
 #[maintains((mut t).invariant(mut f))]
 #[maintains((mut w).invariant(mut f))]
- #[maintains((mut d).invariant(@f.num_vars))]
- #[requires(@f.num_vars < @usize::MAX/2)]
- #[requires(clause.invariant(@f.num_vars))]
+ #[maintains((mut d).invariant(f.num_vars@))]
+ #[requires(f.num_vars@ < usize::MAX@/2)]
+ #[requires(clause.invariant(f.num_vars@))]
 #[requires(equisat_extension_inner(clause, @f))]
 #[requires((@clause).len() > 1)]
 #[requires(@s_idx < (@clause).len())]
- #[ensures(@f.num_vars == @(^f).num_vars)]
+ #[ensures(f.num_vars@ == @(^f).num_vars)]
 #[ensures(f.equisat(^f))]
 fn handle_long_clause(
 &mut self, f: &mut Formula, t: &mut Trail, w: &mut Watches, d: &mut Decisions, mut clause: Clause, s_idx: usize,
@@ -133,7 +133,7 @@ impl Solver {
 // TODO:
 // These two have to be ensured by analysis + backtrack
- //proof_assert!((@f.clauses)[@cref].unit(t.assignments));
+ //proof_assert!(f.clauses@[@cref].unit(t.assignments));
 //proof_assert!(unset((@t.assignments)[@step.lit.idx]));
 if f[cref].unit_and_unset(&t.assignments, f) {
 t.enq_assignment(step, f);
@@ -147,11 +147,11 @@ impl Solver {
 #[maintains((mut f).invariant())]
 #[maintains((mut t).invariant(mut f))]
 #[maintains((mut w).invariant(mut f))]
- #[maintains((mut d).invariant(@f.num_vars))]
- #[requires(@f.num_vars < @usize::MAX/2)]
- #[requires(@cref < (@f.clauses).len())]
- #[requires((@f.clauses)[@cref].unsat(t.assignments))]
- #[ensures(@f.num_vars == @(^f).num_vars)]
+ #[maintains((mut d).invariant(f.num_vars@))]
+ #[requires(f.num_vars@ < usize::MAX@/2)]
+ #[requires(@cref < f.clauses@.len())]
+ #[requires(f.clauses@[@cref].unsat(t.assignments))]
+ #[ensures(f.num_vars@ == @(^f).num_vars)]
 #[ensures(f.equisat(^f))]
 #[ensures(match result {
 Some(false) => { (^f).not_satisfiable() },
@@ -194,9 +194,9 @@ impl Solver {
 #[maintains((mut f).invariant())]
 #[maintains((mut w).invariant(mut f))]
 #[maintains((mut t).invariant(mut f))]
- #[maintains((mut d).invariant(@f.num_vars))]
- #[requires(@f.num_vars < @usize::MAX/2)]
- #[ensures(@f.num_vars == @(^f).num_vars)]
+ #[maintains((mut d).invariant(f.num_vars@))]
+ #[requires(f.num_vars@ < usize::MAX@/2)]
+ #[ensures(f.num_vars@ == @(^f).num_vars)]
 #[ensures(f.equisat(^f))]
 #[ensures(match result {
 ConflictResult::Ground => { (^f).not_satisfiable() },
@@ -217,14 +217,14 @@ impl Solver {
 #[maintains((mut f).invariant())]
 #[maintains((mut t).invariant(mut f))]
 #[maintains((mut w).invariant(mut f))]
- #[maintains((mut d).invariant(@f.num_vars))]
- #[requires(@f.num_vars < @usize::MAX/2)]
+ #[maintains((mut d).invariant(f.num_vars@))]
+ #[requires(f.num_vars@ < usize::MAX@/2)]
 #[ensures(match result {
 Some(false) => { (^f).not_satisfiable() },
 Some(true) => { true },
 None => { true },
 })]
- #[ensures(@f.num_vars == @(^f).num_vars)]
+ #[ensures(f.num_vars@ == @(^f).num_vars)]
 #[ensures(f.equisat(^f))]
 fn unit_prop_loop(&mut self, f: &mut Formula, d: &mut Decisions, t: &mut Trail, w: &mut Watches) -> Option {
 let old_f: Ghost<&mut Formula> = ghost! { f };
@@ -234,9 +234,9 @@ impl Solver {
 #[invariant(maintains_f, f.invariant())]
 #[invariant(maintains_t, t.invariant(*f))]
 #[invariant(maintains_w, w.invariant(*f))]
- #[invariant(maintains_d, d.invariant(@f.num_vars))]
+ #[invariant(maintains_d, d.invariant(f.num_vars@))]
 #[invariant(equi, old_f.inner().equisat(*f))]
- #[invariant(num_vars, @f.num_vars == @old_f.num_vars)]
+ #[invariant(num_vars, f.num_vars@ == @old_f.num_vars)]
 #[invariant(prophf, ^f == ^old_f.inner())]
 #[invariant(propht, ^t == ^old_t.inner())]
 #[invariant(prophw, ^w == ^old_w.inner())]
@@ -261,10 +261,10 @@ impl Solver { #[maintains((mut f).invariant())] #[maintains((mut trail).invariant(mut f))] #[maintains((mut w).invariant(mut f))] - #[maintains((mut d).invariant(@f.num_vars))] - #[requires(d.invariant(@f.num_vars))] - #[requires(@f.num_vars < @usize::MAX/2)] - #[ensures(@f.num_vars == @(^f).num_vars)] + #[maintains((mut d).invariant(f.num_vars@))] + #[requires(d.invariant(f.num_vars@))] + #[requires(f.num_vars@ < usize::MAX@/2)] + #[ensures(f.num_vars@ == @(^f).num_vars)] #[ensures(f.equisat(^f))] #[ensures(match result { SatResult::Sat(_) => { (^f).sat((^trail).assignments) @@ -309,7 +309,7 @@ impl Solver { // OK #[cfg_attr(feature = "trust_solver", trusted)] - #[requires(@formula.num_vars < @usize::MAX/2)] + #[requires(@formula.num_vars < usize::MAX@/2)] #[requires(formula.invariant())] #[requires(decisions.invariant(@formula.num_vars))] #[requires(trail.invariant(*formula))] @@ -348,7 +348,7 @@ impl Solver { #[cfg_attr(feature = "trust_solver", trusted)] #[ensures(match result { - SatResult::Sat(assn) => { formula_sat_inner(@(^formula), @assn) && formula.equisat(^formula) }, + SatResult::Sat(assn) => { formula_sat_inner(@(^formula), a@ssn) && formula.equisat(^formula) }, SatResult::Unsat => { (^formula).not_satisfiable() && formula.equisat(^formula) }, _ => { true }, })] diff --git a/CreuSAT/src/trail.rs b/CreuSAT/src/trail.rs index f1e335cd..3ad9638a 100644 --- a/CreuSAT/src/trail.rs +++ b/CreuSAT/src/trail.rs @@ -31,7 +31,7 @@ impl Trail { // OK #[cfg_attr(feature = "trust_trail", trusted)] #[inline(always)] - #[ensures(@result == (@self.decisions).len())] + #[ensures(result@ == (self@.decisions).len())] pub fn decision_level(&self) -> usize { self.decisions.len() } 
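Review bot: The top-level postcondition of the solver entry point (the hunk at line 348 of solver.rs) has a malformed term: `formula_sat_inner(@(^formula), a@ssn)` places the model operator inside the identifier `assn`, so it parses as neither the old nor the new syntax. It should read `formula_sat_inner((^formula)@, assn@)`, or keep `@(^formula)` only if the prefix form is still accepted. This is the `SatResult::Sat` correctness guarantee and the function is `trusted` under `trust_solver`; if attributes are not parsed for trusted items this typo becomes a silently wrong assumed contract rather than an error, so one build with that feature off is advisable. The neighbouring hunk at line 309 likewise leaves `@formula.num_vars` in the prefix form next to `usize::MAX@`. The function signature and body are outside the hunk.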
@@ -53,12 +53,12 @@ impl Trail { #[cfg_attr(all(feature = "trust_trail", not(feature = "problem_child")), trusted)] #[inline(always)] #[requires(f.invariant())] - #[requires(@f.num_vars > 0)] + #[requires(f.num_vars@ > 0)] #[maintains((mut self).invariant_no_decision(*f))] - #[requires(long_are_post_unit_inner(@self.trail, *f, @self.assignments))] + #[requires(long_are_post_unit_inner(self@.trail, *f, self@.assignments))] #[ensures(long_are_post_unit_inner((@(^self).trail), *f, (@(^self).assignments)))] - #[ensures(@result < @f.num_vars)] - //#[ensures((@self.trail).len() == (@(^self).trail).len() + 1)] // added + #[ensures(result@ < f.num_vars@)] + //#[ensures((self@.trail).len() == (@(^self).trail).len() + 1)] // added fn backstep(&mut self, f: &Formula) -> usize { let old_t: Ghost<&mut Trail> = ghost! { self }; //proof_assert!(self == @old_t); 
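Review bot: The rewritten precondition of `backstep`, `#[requires(long_are_post_unit_inner(self@.trail, *f, self@.assignments))]`, applies `@` to `self` and then projects `.trail`, whereas the original `@self.trail` modelled the field. Unless `Trail` has a model type exposing `trail` and `assignments` fields, the intended term is `self.trail@` / `self.assignments@`, i.e. `#[requires(long_are_post_unit_inner(self.trail@, *f, self.assignments@))]`. The matching ensures clause on the same hunk still uses `(@(^self).trail)`, so the pre- and postcondition are no longer written in parallel form; the same `self@.field` rewrite appears in the `decision_level` ensures and throughout the rest of trail.rs. The function body continues beyond the hunk.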
@@ -68,27 +68,27 @@ impl Trail { // TODO: Wrap in abstraction self.assignments[step.lit.index()] += 2; - proof_assert!(@self.trail == pop(@old_t.trail)); + proof_assert!(self@.trail == pop(@old_t.trail)); proof_assert!(^old_t.inner() == ^self); self.lit_to_level[step.lit.index()] = usize::MAX; - proof_assert!(long_are_post_unit_inner(@self.trail, *f, @self.assignments)); + proof_assert!(long_are_post_unit_inner(self@.trail, *f, self@.assignments)); return step.lit.index(); } None => { // Could add a req on trail len and prove that this doesn't happen, but // not sure if it really is needed. - proof_assert!(long_are_post_unit_inner(@self.trail, *f, @self.assignments)&& true); + proof_assert!(long_are_post_unit_inner(self@.trail, *f, self@.assignments)&& true); } } proof_assert!(self.assignments.invariant(*f)); - // proof_assert!(trail_invariant(@self.trail, *f)); - // proof_assert!(lit_to_level_invariant(@self.lit_to_level, *f)); - //proof_assert!(decisions_invariant(@self.decisions, @self.trail)); + // proof_assert!(trail_invariant(self@.trail, *f)); + // proof_assert!(lit_to_level_invariant(self@.lit_to_level, *f)); + //proof_assert!(decisions_invariant(self@.decisions, self@.trail)); //proof_assert!(self.lit_not_in_less(*f)); //proof_assert!(self.lit_is_unique()); - proof_assert!(long_are_post_unit_inner(@self.trail, *f, @self.assignments)); + proof_assert!(long_are_post_unit_inner(self@.trail, *f, self@.assignments)); //proof_assert!(self.trail_entries_are_assigned()); return 0; } 
@@ -97,8 +97,8 @@ impl Trail { #[inline(always)] #[requires(f.invariant())] #[maintains((mut self).invariant(*f))] - #[maintains((mut d).invariant(@f.num_vars))] - #[requires(long_are_post_unit_inner(@self.trail, *f, @self.assignments))] + #[maintains((mut d).invariant(f.num_vars@))] + #[requires(long_are_post_unit_inner(self@.trail, *f, self@.assignments))] #[ensures(long_are_post_unit_inner((@(^self).trail), *f, (@(^self).assignments)))] pub fn backtrack_safe(&mut self, level: usize, f: &Formula, d: &mut Decisions) { if level < self.decision_level() { @@ -107,12 +107,12 @@ impl Trail { } #[cfg_attr(feature = "trust_trail", trusted)] - #[requires((@self.decisions).len() > @level)] + #[requires((self@.decisions).len() > @level)] #[requires(f.invariant())] #[maintains((mut self).invariant(*f))] - #[maintains((mut d).invariant(@f.num_vars))] - //#[requires((@self.trail).len() > 0)] // removed - #[requires(long_are_post_unit_inner(@self.trail, *f, @self.assignments))] + #[maintains((mut d).invariant(f.num_vars@))] + //#[requires((self@.trail).len() > 0)] // removed + #[requires(long_are_post_unit_inner(self@.trail, *f, self@.assignments))] #[ensures(long_are_post_unit_inner((@(^self).trail), *f, (@(^self).assignments)))] // Backtracks to the start of level pub fn backtrack_to(&mut self, level: usize, f: &Formula, d: &mut Decisions) { 
@@ -123,19 +123,19 @@ impl Trail { let mut i: usize = 0; let mut curr = d.search; let mut timestamp = if curr != usize::MAX { d.linked_list[curr].ts } else { 0 }; // revisit this later - #[invariant(i_less2, @i <= (@old_t.trail).len())] + #[invariant(i_less2, i@ <= (@old_t.trail).len())] #[invariant(i_less, i <= how_many)] - #[invariant(post_unit, long_are_post_unit_inner(@self.trail, *f, @self.assignments))] + #[invariant(post_unit, long_are_post_unit_inner(self@.trail, *f, self@.assignments))] #[invariant(inv, self.invariant_no_decision(*f))] - #[invariant(d_inv, d.invariant(@f.num_vars))] - //#[invariant(len_is, (@self.trail).len() == (@old_t.trail).len() - @i)] // we don't care anymore + #[invariant(d_inv, d.invariant(f.num_vars@))] + //#[invariant(len_is, (self@.trail).len() == (@old_t.trail).len() - i@)] // we don't care anymore #[invariant(proph, ^old_t.inner() == ^self)] #[invariant(proph_d, ^old_d.inner() == ^d)] - #[invariant(curr_less, @curr < (@d.linked_list).len() || @curr == @usize::MAX)] + #[invariant(curr_less, @curr < (@d.linked_list).len() || @curr == usize::MAX@)] // Hmm maybe change invariant while i < how_many { let idx = self.backstep(f); - proof_assert!(@idx < @f.num_vars); + proof_assert!(i@dx < f.num_vars@); let curr_timestamp = d.linked_list[idx].ts; if curr_timestamp > timestamp { timestamp = curr_timestamp; 
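Review bot: The proof assertion inside the backtrack loop is malformed: `proof_assert!(i@dx < f.num_vars@)` splits the identifier `idx`, so the term cannot be parsed; it should be `proof_assert!(idx@ < f.num_vars@)`. This assertion restates `backstep`'s postcondition immediately before `d.linked_list[idx]` is indexed, presumably to help the prover connect that bound to `d.invariant`, so it should be repaired rather than deleted to get the file compiling. The `i_less2` invariant on the same hunk still carries the prefix form in `(@old_t.trail).len()`, which needs `old_t.trail@.len()` if only one syntax is accepted. The loop body continues past the hunk.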
@@ -145,38 +145,38 @@ impl Trail { } d.search = curr; - #[invariant(post_unit, long_are_post_unit_inner(@self.trail, *f, @self.assignments))] + #[invariant(post_unit, long_are_post_unit_inner(self@.trail, *f, self@.assignments))] #[invariant(inv, self.invariant_no_decision(*f))] #[invariant(proph, ^old_t.inner() == ^self)] while self.decisions.len() > level { let old_t2: Ghost<&mut Trail> = ghost! { self }; - proof_assert!(sorted(@self.decisions)); - proof_assert!((@self.decisions).len() > 0); - proof_assert!(lemma_pop_maintains_sorted(@self.decisions); true); + proof_assert!(sorted(self@.decisions)); + proof_assert!((self@.decisions).len() > 0); + proof_assert!(lemma_pop_maintains_sorted(self@.decisions); true); match self.decisions.pop() { Some(_) => { - proof_assert!(@self.decisions == pop(@old_t2.decisions)); + proof_assert!(self@.decisions == pop(@old_t2.decisions)); proof_assert!((^old_t2.inner()) == ^self); } None => { unreachable!(); } } - proof_assert!(sorted(@self.decisions)); + proof_assert!(sorted(self@.decisions)); } // This is a noop, and should be proven away. - #[invariant(post_unit, long_are_post_unit_inner(@self.trail, *f, @self.assignments))] + #[invariant(post_unit, long_are_post_unit_inner(self@.trail, *f, self@.assignments))] #[invariant(inv, self.invariant_no_decision(*f))] #[invariant(proph, ^old_t.inner() == ^self)] while self.decisions.len() > 0 && self.decisions[self.decisions.len() - 1] > self.trail.len() { let old_t3: Ghost<&mut Trail> = ghost! 
{ self }; - proof_assert!(sorted(@self.decisions)); - proof_assert!((@self.decisions).len() > 0); - proof_assert!(lemma_pop_maintains_sorted(@self.decisions); true); - //proof_assert!((@self.decisions) == (@(@old_trail).decisions)); + proof_assert!(sorted(self@.decisions)); + proof_assert!((self@.decisions).len() > 0); + proof_assert!(lemma_pop_maintains_sorted(self@.decisions); true); + //proof_assert!((self@.decisions) == (@(@old_trail).decisions)); match self.decisions.pop() { Some(_) => { - proof_assert!((@self.decisions) == pop(@old_t3.decisions)); + proof_assert!((self@.decisions) == pop(@old_t3.decisions)); proof_assert!((^old_t3.inner()) == ^self); } None => { @@ -184,19 +184,19 @@ impl Trail { } } proof_assert!(lemma_pop_maintains_sorted(@old_t3.decisions); true); - proof_assert!(sorted(@self.decisions)); + proof_assert!(sorted(self@.decisions)); } proof_assert!( - (@self.decisions).len() == 0 || - @(@self.decisions)[(@self.decisions).len()-1] <= (@self.trail).len() + (self@.decisions).len() == 0 || + @(self@.decisions)[(self@.decisions).len()-1] <= (self@.trail).len() ); - // proof_assert!(decisions_invariant(@self.decisions, @self.trail)); + // proof_assert!(decisions_invariant(self@.decisions, self@.trail)); proof_assert!(self.assignments.invariant(*f)); - // proof_assert!(trail_invariant(@self.trail, *f)); - // proof_assert!(lit_to_level_invariant(@self.lit_to_level, *f)); + // proof_assert!(trail_invariant(self@.trail, *f)); + // proof_assert!(lit_to_level_invariant(self@.lit_to_level, *f)); //proof_assert!(self.lit_not_in_less(*f)); //proof_assert!(self.lit_is_unique()); - proof_assert!(long_are_post_unit_inner(@self.trail, *f, @self.assignments)); + proof_assert!(long_are_post_unit_inner(self@.trail, *f, self@.assignments)); //proof_assert!(self.trail_entries_are_assigned()); self.curr_i = level; 
@@ -223,17 +223,17 @@ impl Trail { _ => true, })] #[requires(!step.lit.idx_in_trail(self.trail))] - #[requires(unset((@self.assignments)[step.lit.index_logic()]))] // Should not be needed anymore - #[requires(long_are_post_unit_inner(@self.trail, *_f, @self.assignments))] - #[ensures((forall 0 <= j && j < (@self.assignments).len() && - j != step.lit.index_logic() ==> (@self.assignments)[j] == (@(^self).assignments)[j]))] + #[requires(unset((self@.assignments)[step.lit.index_logic()]))] // Should not be needed anymore + #[requires(long_are_post_unit_inner(self@.trail, *_f, self@.assignments))] + #[ensures((forall 0 <= j && j < (self@.assignments).len() && + j != step.lit.index_logic() ==> (self@.assignments)[j] == (@(^self).assignments)[j]))] #[ensures(step.lit.sat((^self).assignments))] #[ensures(long_are_post_unit_inner((@(^self).trail), *_f, (@(^self).assignments)))] #[ensures(match step.reason { Reason::Long(k) => clause_post_with_regards_to_lit((@_f.clauses)[@k], (^self).assignments, step.lit), _ => true })] - #[ensures((@(^self).trail).len() == 1 + (@self.trail).len())] + #[ensures((@(^self).trail).len() == 1 + (self@.trail).len())] #[ensures((^self).decisions == self.decisions)] // added pub fn enq_assignment(&mut self, step: Step, _f: &Formula) { self.lit_to_level[step.lit.index()] = self.decision_level(); 
@@ -248,20 +248,20 @@ impl Trail { //proof_assert!(self.lit_is_unique()); //proof_assert!(self.lit_not_in_less(*_f)); - proof_assert!(long_are_post_unit_inner(@self.trail, *_f, @self.assignments)); + proof_assert!(long_are_post_unit_inner(self@.trail, *_f, self@.assignments)); } #[cfg_attr(feature = "trust_trail", trusted)] #[requires(_f.invariant())] #[maintains((mut self).invariant(*_f))] - #[requires(@idx < @_f.num_vars)] - #[requires(unset((@self.assignments)[@idx]))] - #[ensures((forall 0 <= j && j < (@self.assignments).len() && - j != @idx ==> (@self.assignments)[j] == (@(^self).assignments)[j]))] - #[ensures(@(@(^self).assignments)[@idx] == 1 || @(@(^self).assignments)[@idx] == 0)] // Is this needed? - #[requires(long_are_post_unit_inner(@self.trail, *_f, @self.assignments))] + #[requires(i@dx < @_f.num_vars)] + #[requires(unset((self@.assignments)[i@dx]))] + #[ensures((forall 0 <= j && j < (self@.assignments).len() && + j != i@dx ==> (self@.assignments)[j] == (@(^self).assignments)[j]))] + #[ensures(@(@(^self).assignments)[i@dx] == 1 || @(@(^self).assignments)[i@dx] == 0)] // Is this needed? + #[requires(long_are_post_unit_inner(self@.trail, *_f, self@.assignments))] #[ensures(long_are_post_unit_inner((@(^self).trail), *_f, (@(^self).assignments)))] - #[ensures((@(^self).trail).len() == 1 + (@self.trail).len())] + #[ensures((@(^self).trail).len() == 1 + (self@.trail).len())] pub fn enq_decision(&mut self, idx: usize, _f: &Formula) { let trail_len = self.trail.len(); self.decisions.push(trail_len); 
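Review bot: The precondition on `enq_decision` is malformed: `#[requires(i@dx < @_f.num_vars)]` has the model operator inside the identifier, and the same `i@dx` token recurs in the `unset`, `forall` and assignment-value clauses of this contract; the intended spelling is `idx@`, e.g. `#[requires(idx@ < _f.num_vars@)]`. The ensures clause states that the body writes `assignments[idx]`, so this bound is the one callers must discharge before that write; a contract that fails to parse, or that is never checked under `trust_trail`, removes the guard on that index. Note also that `@_f.num_vars` was left in the prefix form in the same expression. The function body continues past the hunk.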
@@ -278,17 +278,17 @@ impl Trail { // Okay so I should really just prove the backtracking mechanism, this is not nice #[cfg_attr(feature = "trust_trail", trusted)] #[maintains((mut self).invariant(*f))] - #[maintains((mut d).invariant(@f.num_vars))] + #[maintains((mut d).invariant(f.num_vars@))] #[requires(f.invariant())] - #[requires(@cref < (@f.clauses).len())] - #[requires((@(@f.clauses)[@cref]).len() == 1)] - #[requires((@f.clauses)[@cref].invariant(@f.num_vars))] + #[requires(@cref < f.clauses@.len())] + #[requires((@f.clauses@[@cref]).len() == 1)] + #[requires(f.clauses@[@cref].invariant(f.num_vars@))] // unsure which of these is wanted - //#[ensures(@f.clauses)[@cref].sat((^self).assignments))] + //#[ensuresf.clauses@[@cref].sat((^self).assignments))] #[ensures(match result { Err(_) => true, - Ok(_) => (@(@f.clauses)[@cref])[0].sat((^self).assignments)})] - #[requires(long_are_post_unit_inner(@self.trail, *f, @self.assignments))] + Ok(_) => (@f.clauses@[@cref])[0].sat((^self).assignments)})] + #[requires(long_are_post_unit_inner(self@.trail, *f, self@.assignments))] #[ensures(long_are_post_unit_inner((@(^self).trail), *f, (@(^self).assignments)))] pub fn learn_unit(&mut self, cref: usize, f: &Formula, d: &mut Decisions) -> Result<(), ()> { if self.decision_level() > 0 { @@ -305,7 +305,7 @@ impl Trail { #[cfg_attr(feature = "trust_trail", trusted)] #[maintains((mut self).invariant(*f))] - #[maintains((mut d).invariant(@f.num_vars))] + #[maintains((mut d).invariant(f.num_vars@))] #[requires(f.invariant())] #[ensures(match result { Some(true) => f.not_satisfiable(), @@ -318,7 +318,7 @@ impl Trail { #[invariant(self_inv, self.invariant(*f))] #[invariant(proph, ^old_self.inner() == ^self)] #[invariant(proph_d, ^old_d.inner() == ^d)] - #[invariant(d_inv, d.invariant(@f.num_vars))] + #[invariant(d_inv, d.invariant(f.num_vars@))] while i < f.clauses.len() { let clause = &f[i]; if clause.len() == 1 { 
diff --git a/CreuSAT/src/unit_prop.rs b/CreuSAT/src/unit_prop.rs index 82a2e51d..d1d15c67 100644 --- a/CreuSAT/src/unit_prop.rs +++ b/CreuSAT/src/unit_prop.rs @@ -16,17 +16,17 @@ use crate::logic::{ #[maintains((mut f).invariant())] #[maintains(trail.invariant(mut f))] #[maintains((mut watches).invariant(mut f))] -#[requires(@f.num_vars < @usize::MAX/2)] -#[requires(lit.index_logic() < @f.num_vars)] -#[requires(!(@(@f.clauses)[@cref])[0].sat_inner(@trail.assignments))] -#[requires(@cref < (@f.clauses).len())] -#[requires(2 <= @k && @k < (@(@f.clauses)[@cref]).len())] +#[requires(f.num_vars@ < usize::MAX@/2)] +#[requires(lit.index_logic() < f.num_vars@)] +#[requires(!(@f.clauses@[@cref])[0].sat_inner(@trail.assignments))] +#[requires(@cref < f.clauses@.len())] +#[requires(2 <= @k && @k < (@f.clauses@[@cref]).len())] #[requires((@(@watches.watches)[lit.to_watchidx_logic()]).len() > @j)] -#[ensures(@f.num_vars == @(^f).num_vars)] +#[ensures(f.num_vars@ == @(^f).num_vars)] #[ensures(f.equisat(^f))] -#[ensures((@f.clauses).len() == (@(^f).clauses).len())] +#[ensures(f.clauses@.len() == (@(^f).clauses).len())] #[ensures(!result ==> (@(@(^f).clauses)[@cref])[@k].unsat(trail.assignments) && ^f == *f && *watches == ^watches)] -#[ensures((@(@(^f).clauses)[@cref]).len() == (@(@f.clauses)[@cref]).len())] +#[ensures((@(@(^f).clauses)[@cref]).len() == (@f.clauses@[@cref]).len())] fn check_and_move_watch( f: &mut Formula, trail: &Trail, watches: &mut Watches, cref: usize, j: usize, k: usize, lit: Lit, ) -> bool { 
@@ -55,25 +55,25 @@ fn check_and_move_watch( #[maintains((mut f).invariant())] #[maintains((*trail).invariant(mut f))] // <- #[maintains((*watches).invariant(mut f))] -#[requires((@(@f.clauses)[@cref]).len() >= 2)] -#[requires(@cref < (@f.clauses).len())] -#[requires((@(@f.clauses)[@cref]).len() > @j)] -#[requires((@(@f.clauses)[@cref]).len() > @k)] -#[requires(!(@(@f.clauses)[@cref])[0].sat_inner(@trail.assignments))] -#[ensures(((@(@(^f).clauses)[@cref]).exchange(@(@f.clauses)[@cref], @j, @k)))] -#[ensures(@f.num_vars == @(^f).num_vars)] -#[ensures((@f.clauses).len() == (@(^f).clauses).len())] -//#[ensures((@(@f.clauses)[@cref]).len() == (@(@(^f).clauses)[@cref]).len())] +#[requires((@f.clauses@[@cref]).len() >= 2)] +#[requires(@cref < f.clauses@.len())] +#[requires((@f.clauses@[@cref]).len() > @j)] +#[requires((@f.clauses@[@cref]).len() > @k)] +#[requires(!(@f.clauses@[@cref])[0].sat_inner(@trail.assignments))] +#[ensures(((@(@(^f).clauses)[@cref]).exchange(@f.clauses@[@cref], @j, @k)))] +#[ensures(f.num_vars@ == @(^f).num_vars)] +#[ensures(f.clauses@.len() == (@(^f).clauses).len())] +//#[ensures((@f.clauses@[@cref]).len() == (@(@(^f).clauses)[@cref]).len())] #[ensures(f.equisat(^f))] // <- fn swap(f: &mut Formula, trail: &Trail, watches: &Watches, cref: usize, j: usize, k: usize) { let old_f: Ghost<&mut Formula> = ghost! 
{ f }; f.clauses[cref].lits.swap(j, k); - proof_assert!(vars_in_range_inner(@(@f.clauses)[@cref], @f.num_vars)); - proof_assert!(no_duplicate_indexes_inner(@(@f.clauses)[@cref])); + proof_assert!(vars_in_range_inner(@f.clauses@[@cref], f.num_vars@)); + proof_assert!(no_duplicate_indexes_inner(@f.clauses@[@cref])); - proof_assert!(forall> a2.len() == @f.num_vars && complete_inner(a2) && (@old_f.clauses)[@cref].sat_inner(a2) ==> (@f.clauses)[@cref].sat_inner(a2)); + proof_assert!(forall> a2.len() == f.num_vars@ && complete_inner(a2) && (@old_f.clauses)[@cref].sat_inner(a2) ==> f.clauses@[@cref].sat_inner(a2)); proof_assert!(eventually_sat_complete(@old_f) ==> eventually_sat_complete(@f)); proof_assert!(^f == ^old_f.inner()); } 
@@ -83,17 +83,17 @@ fn swap(f: &mut Formula, trail: &Trail, watches: &Watches, cref: usize, j: usize #[maintains((mut f).invariant())] #[maintains((trail).invariant(mut f))] #[maintains((mut watches).invariant(mut f))] -#[requires(@f.num_vars < @usize::MAX/2)] +#[requires(f.num_vars@ < usize::MAX@/2)] #[requires(lit.to_watchidx_logic() < (@watches.watches).len())] #[requires((@(@watches.watches)[lit.to_watchidx_logic()]).len() > @j)] -#[requires(lit.index_logic() < @f.num_vars)] -#[requires(@cref < (@f.clauses).len())] -#[requires((@(@f.clauses)[@cref]).len() >= 2)] -#[requires(!(@(@f.clauses)[@cref])[0].sat_inner(@trail.assignments))] -#[ensures(!result ==> forall 2 <= m && m < (@(@f.clauses)[@cref]).len() ==> (@(@f.clauses)[@cref])[m].unsat(trail.assignments))] -#[ensures(!result ==> (@(@f.clauses)[@cref]) == (@(@(^f).clauses)[@cref]))] -#[ensures(@f.num_vars == @(^f).num_vars)] -#[ensures((@f.clauses).len() == (@(^f).clauses).len())] +#[requires(lit.index_logic() < f.num_vars@)] +#[requires(@cref < f.clauses@.len())] +#[requires((@f.clauses@[@cref]).len() >= 2)] +#[requires(!(@f.clauses@[@cref])[0].sat_inner(@trail.assignments))] +#[ensures(!result ==> forall 2 <= m && m < (@f.clauses@[@cref]).len() ==> (@f.clauses@[@cref])[m].unsat(trail.assignments))] +#[ensures(!result ==> (@f.clauses@[@cref]) == (@(@(^f).clauses)[@cref]))] +#[ensures(f.num_vars@ == @(^f).num_vars)] +#[ensures(f.clauses@.len() == (@(^f).clauses).len())] #[ensures(f.equisat(^f))] fn exists_new_watchable_lit( f: &mut Formula, trail: &Trail, watches: &mut Watches, cref: usize, j: usize, lit: Lit, 
@@ -106,14 +106,14 @@ fn exists_new_watchable_lit( #[invariant(search, @search >= 2)] #[invariant(f_unchanged, f == *old_f)] #[invariant(w_unchanged, watches == *old_w)] - #[invariant(uns, forall @init_search <= m && m < @search ==> (@(@f.clauses)[@cref])[m].unsat(trail.assignments))] + #[invariant(uns, forall i@nit_search <= m && m < @search ==> (@f.clauses@[@cref])[m].unsat(trail.assignments))] // Here to help the trail invariant - #[invariant(first_not_sat, !(@(@f.clauses)[@cref])[0].sat_inner(@trail.assignments))] + #[invariant(first_not_sat, !(@f.clauses@[@cref])[0].sat_inner(@trail.assignments))] while search < clause_len { if check_and_move_watch(f, trail, watches, cref, j, search, lit) { let old_f2: Ghost<&mut Formula> = ghost! { f }; f.clauses[cref].search = search; - proof_assert!(forall 0 <= j && j < (@f.clauses).len() ==> @(@f.clauses)[j] == @(@(old_f2.inner()).clauses)[j]); + proof_assert!(forall 0 <= j && j < f.clauses@.len() ==> @f.clauses@[j] == @(@(old_f2.inner()).clauses)[j]); proof_assert!(old_f2.inner().equisat(*f)); //proof_assert!(crefs_in_range(@trail.trail, *f)); // I am here to help the trail invariant pass return true; 
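Review bot: The loop invariant `uns` in `exists_new_watchable_lit` is malformed: `forall i@nit_search <= m && m < @search ==> ...` splits the identifier `init_search` (the quantifier binder also appears to have been lost in rendering), and `@search` in the same clause is still prefix. It should read `forall<m: Int> init_search@ <= m && m < search@ ==> (f.clauses@[cref@]@)[m].unsat(trail.assignments)`, adjusting the binder to whatever the file uses. The second search loop in the following hunk carries the identical `i@nit_search` token in its own `uns` invariant. These invariants are what establish the function's `!result ==> forall 2 <= m ... unsat` postcondition, so they must parse for that guarantee to be proved. The loop and enclosing function extend beyond the hunk.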
@@ -124,15 +124,15 @@ fn exists_new_watchable_lit( #[invariant(search_bound, 2 <= @search && @search <= @clause_len)] #[invariant(f_unchanged, f == *old_f)] #[invariant(w_unchanged, watches == *old_w)] - #[invariant(uns, forall @init_search <= m && m < @clause_len ==> ((@(@f.clauses)[@cref])[m]).unsat(trail.assignments))] - #[invariant(uns2, forall 2 <= m && m < @search ==> ((@(@f.clauses)[@cref])[m]).unsat(trail.assignments))] + #[invariant(uns, forall i@nit_search <= m && m < @clause_len ==> ((@f.clauses@[@cref])[m]).unsat(trail.assignments))] + #[invariant(uns2, forall 2 <= m && m < @search ==> ((@f.clauses@[@cref])[m]).unsat(trail.assignments))] // Here to help the trail invariant - #[invariant(first_not_sat, !(@(@f.clauses)[@cref])[0].sat_inner(@trail.assignments))] + #[invariant(first_not_sat, !(@f.clauses@[@cref])[0].sat_inner(@trail.assignments))] while search < init_search { if check_and_move_watch(f, trail, watches, cref, j, search, lit) { let old_f2: Ghost<&mut Formula> = ghost! { f }; f.clauses[cref].search = search; - proof_assert!(forall 0 <= j && j < (@f.clauses).len() ==> @(@f.clauses)[j] == @(@(old_f2.inner()).clauses)[j]); + proof_assert!(forall 0 <= j && j < f.clauses@.len() ==> @f.clauses@[j] == @(@(old_f2.inner()).clauses)[j]); proof_assert!(old_f2.inner().equisat(*f)); //proof_assert!(crefs_in_range(@trail.trail, *f)); // I am here to help the trail invariant pass return true; 
@@ -148,17 +148,17 @@ fn exists_new_watchable_lit( #[maintains((mut watches).invariant(mut f))] #[requires(lit.to_watchidx_logic() < (@watches.watches).len())] #[requires((@(@watches.watches)[lit.to_watchidx_logic()]).len() > @j)] -#[requires(@f.num_vars < @usize::MAX/2)] -#[requires(lit.index_logic() < @f.num_vars)] -#[requires(@cref < (@f.clauses).len())] -#[requires((@(@f.clauses)[@cref]).len() >= 2)] +#[requires(f.num_vars@ < usize::MAX@/2)] +#[requires(lit.index_logic() < f.num_vars@)] +#[requires(@cref < f.clauses@.len())] +#[requires((@f.clauses@[@cref]).len() >= 2)] #[ensures((^trail).decisions == trail.decisions)] // added #[ensures(match result { Ok(true) => true, Ok(false) => (@(^trail).trail).len() == (@trail.trail).len(), Err(n) => @n < (@(^f).clauses).len() && (^f).unsat((^trail).assignments) && (@(^f).clauses)[@n].unsat((^trail).assignments), })] -#[ensures(@f.num_vars == @(^f).num_vars)] +#[ensures(f.num_vars@ == @(^f).num_vars)] #[ensures(f.equisat(^f))] fn propagate_lit_with_regard_to_clause( f: &mut Formula, trail: &mut Trail, watches: &mut Watches, cref: usize, lit: Lit, j: usize, @@ -169,7 +169,7 @@ fn propagate_lit_with_regard_to_clause( if first_lit.lit_sat(&trail.assignments) { // We know blocker cannot be first, as then we would not be here proof_assert!(^watches == ^old_w.inner()); - proof_assert!(first_lit.index_logic() < @f.num_vars); + proof_assert!(first_lit.index_logic() < f.num_vars@); watches.watches[lit.to_watchidx()][j].blocker = first_lit; return Ok(true); } @@ -177,7 +177,7 @@ fn propagate_lit_with_regard_to_clause( if second_lit.lit_sat(&trail.assignments) { // We know blocker cannot be second, as then we would not be here proof_assert!(^watches == ^old_w.inner()); - proof_assert!(second_lit.index_logic() < @f.num_vars); + proof_assert!(second_lit.index_logic() < f.num_vars@); watches.watches[lit.to_watchidx()][j].blocker = second_lit; return Ok(true); } 
@@ -186,7 +186,7 @@ fn propagate_lit_with_regard_to_clause( return Ok(false); // Watches have been updated -> don't increase j } // If we have gotten here, the clause is either all false or unit - proof_assert!((@f.clauses)[@cref].unsat(trail.assignments) || ((@(@f.clauses)[@cref])[0]).unset(trail.assignments) || ((@(@f.clauses)[@cref])[1]).unset(trail.assignments)); + proof_assert!(f.clauses@[@cref].unsat(trail.assignments) || ((@f.clauses@[@cref])[0]).unset(trail.assignments) || ((@f.clauses@[@cref])[1]).unset(trail.assignments)); if first_lit.lit_unset(&trail.assignments) { //if f.clauses[cref].rest[0].lit_unset(&trail.assignments) { // zzTODOzz: Prove the runtime-check @@ -194,8 +194,8 @@ fn propagate_lit_with_regard_to_clause( return Ok(true); } proof_assert!(trail.invariant(*f)); - proof_assert!(!(@f.clauses)[@cref].unsat(trail.assignments)); - proof_assert!((@f.clauses)[@cref].unit(trail.assignments)); + proof_assert!(!f.clauses@[@cref].unsat(trail.assignments)); + proof_assert!(f.clauses@[@cref].unit(trail.assignments)); let step = Step { lit: first_lit, //lit: f.clauses[cref].rest[0], 
@@ -204,19 +204,19 @@ fn propagate_lit_with_regard_to_clause( }; trail.enq_assignment(step, f); - proof_assert!(((@f.clauses)[@cref]).post_unit(trail.assignments) && true); - proof_assert!(clause_post_with_regards_to_lit(((@f.clauses)[@cref]), trail.assignments, first_lit)); + proof_assert!((f.clauses@[@cref]).post_unit(trail.assignments) && true); + proof_assert!(clause_post_with_regards_to_lit((f.clauses@[@cref]), trail.assignments, first_lit)); return Ok(true); } else if second_lit.lit_unset(&trail.assignments) { let step = Step { lit: second_lit, decision_level: trail.decision_level(), reason: Reason::Long(cref) }; let old_c: Ghost = ghost! { f.clauses[cref] }; - proof_assert!((@(@f.clauses)[@cref])[1].unset(trail.assignments)); + proof_assert!((@f.clauses@[@cref])[1].unset(trail.assignments)); swap(f, trail, watches, cref, 0, 1); - proof_assert!((@(@f.clauses)[@cref]).exchange(@old_c, 0, 1)); - proof_assert!((@(@f.clauses)[@cref])[0].unset(trail.assignments)); + proof_assert!((@f.clauses@[@cref]).exchange(@old_c, 0, 1)); + proof_assert!((@f.clauses@[@cref])[0].unset(trail.assignments)); trail.enq_assignment(step, f); - proof_assert!(((@f.clauses)[@cref]).post_unit(trail.assignments)); - proof_assert!(clause_post_with_regards_to_lit(((@f.clauses)[@cref]), trail.assignments, second_lit)); + proof_assert!((f.clauses@[@cref]).post_unit(trail.assignments)); + proof_assert!(clause_post_with_regards_to_lit((f.clauses@[@cref]), trail.assignments, second_lit)); return Ok(true); } else { return Err(cref); 
@@ -227,18 +227,18 @@ fn propagate_lit_with_regard_to_clause( #[maintains((mut f).invariant())] #[maintains((mut trail).invariant(mut f))] #[maintains((mut watches).invariant(mut f))] -#[requires(@f.num_vars < @usize::MAX/2)] -#[requires(lit.index_logic() < @f.num_vars)] +#[requires(f.num_vars@ < usize::MAX@/2)] +#[requires(lit.index_logic() < f.num_vars@)] #[ensures(match result { Ok(()) => true,// !(^f).unsat(^a), Err(n) => @n < (@(^f).clauses).len() && (^f).unsat((^trail).assignments) && (@(^f).clauses)[@n].unsat((^trail).assignments), })] -#[ensures(@f.num_vars == @(^f).num_vars)] +#[ensures(f.num_vars@ == @(^f).num_vars)] #[ensures(f.equisat(^f))] fn propagate_literal(f: &mut Formula, trail: &mut Trail, watches: &mut Watches, lit: Lit) -> Result<(), usize> { let mut j = 0; let watchidx = lit.to_watchidx(); - proof_assert!((@watches.watches).len() == 2 * @f.num_vars); + proof_assert!((@watches.watches).len() == 2 * f.num_vars@); proof_assert!((@watches.watches).len() > @watchidx); let old_trail: Ghost<&mut Trail> = ghost! { trail }; let old_f: Ghost<&mut Formula> = ghost! { f }; @@ -249,7 +249,7 @@ fn propagate_literal(f: &mut Formula, trail: &mut Trail, watches: &mut Watches, #[invariant(f_equi, old_f.equisat(*f))] #[invariant(f_inv, f.invariant())] #[invariant(dec_unch, (@trail.decisions) == (@old_trail.decisions))] - #[invariant(nvars_unch, @f.num_vars == @old_f.num_vars)] + #[invariant(nvars_unch, f.num_vars@ == @old_f.num_vars)] #[invariant(proph_t, ^trail == ^old_trail.inner())] #[invariant(proph_f, ^f == ^old_f.inner())] #[invariant(proph_w, ^watches == ^old_w.inner())] 
@@ -277,12 +277,12 @@ fn propagate_literal(f: &mut Formula, trail: &mut Trail, watches: &mut Watches, #[maintains((mut f).invariant())] #[maintains((mut trail).invariant(mut f))] #[maintains((mut watches).invariant(mut f))] -#[requires(@f.num_vars < @usize::MAX/2)] +#[requires(f.num_vars@ < usize::MAX@/2)] #[ensures(match result { Ok(()) => true, // !(^f).unsat(^a), Err(n) => @n < (@(^f).clauses).len() && (^f).unsat((^trail).assignments) && (@(^f).clauses)[@n].unsat((^trail).assignments), })] -#[ensures(@f.num_vars == @(^f).num_vars)] +#[ensures(f.num_vars@ == @(^f).num_vars)] #[ensures(f.equisat(^f))] pub fn unit_propagate(f: &mut Formula, trail: &mut Trail, watches: &mut Watches) -> Result<(), usize> { let mut i = trail.curr_i; @@ -294,7 +294,7 @@ pub fn unit_propagate(f: &mut Formula, trail: &mut Trail, watches: &mut Watches) #[invariant(watch_len, (@watches.watches).len() == (@old_w.watches).len())] #[invariant(watch_inv, watches.invariant(*f))] #[invariant(f_equi, old_f.equisat(*f))] - #[invariant(nvars_unch, @f.num_vars == @old_f.num_vars)] + #[invariant(nvars_unch, f.num_vars@ == @old_f.num_vars)] #[invariant(proph_t, ^trail == ^old_trail.inner())] #[invariant(proph_f, ^f == ^old_f.inner())] #[invariant(proph_w, ^watches == ^old_w.inner())] diff --git a/CreuSAT/src/util.rs b/CreuSAT/src/util.rs index fff42acb..47e00564 100644 --- a/CreuSAT/src/util.rs +++ b/CreuSAT/src/util.rs 
@@ -13,15 +13,15 @@ pub fn sort_reverse(v: &mut Vec<(usize, usize)>) { let old_v: Ghost<&mut Vec<(usize, usize)>> = ghost! { v }; #[invariant(proph_const, ^v == ^old_v.inner())] #[invariant(permutation, (@v).permutation_of(@*old_v.inner()))] - #[invariant(i_bound, @i <= (@v).len())] - #[invariant(sorted, sorted_range_rev(@v, 0, @i))] - #[invariant(partition, partition_rev(@v, @i))] + #[invariant(i_bound, i@ <= (@v).len())] + #[invariant(sorted, sorted_range_rev(@v, 0, i@))] + #[invariant(partition, partition_rev(@v, i@))] while i < v.len() { let mut max = i; let mut j = i + 1; - #[invariant(max_is_max, forall @i <= k && k < @j ==> (@v)[@max].0 >= (@v)[k].0)] - #[invariant(j_bound, @i <= @j && @j <= (@v).len())] - #[invariant(max_bound, @i <= @max && @max < @j)] + #[invariant(max_is_max, forall i@ <= k && k < @j ==> (@v)[@max].0 >= (@v)[k].0)] + #[invariant(j_bound, i@ <= @j && @j <= (@v).len())] + #[invariant(max_bound, i@ <= @max && @max < @j)] while j < v.len() { if v[j].0 > v[max].0 { max = j; 
@@ -62,15 +62,15 @@ pub fn sort(v: &mut Vec<(usize, usize)>) { let old_v: Ghost<&mut Vec<(usize, usize)>> = ghost! { v }; #[invariant(proph_const, ^v == ^old_v.inner())] #[invariant(permutation, (@v).permutation_of(@*old_v.inner()))] - #[invariant(i_bound, @i <= (@v).len())] - #[invariant(sorted, sorted_range_tuple_zeroth(@v, 0, @i))] - #[invariant(partition, partition(@v, @i))] + #[invariant(i_bound, i@ <= (@v).len())] + #[invariant(sorted, sorted_range_tuple_zeroth(@v, 0, i@))] + #[invariant(partition, partition(@v, i@))] while i < v.len() { let mut max = i; let mut j = i + 1; - #[invariant(max_is_max, forall @i <= k && k < @j ==> (@v)[@max].0 <= (@v)[k].0)] - #[invariant(j_bound, @i <= @j && @j <= (@v).len())] - #[invariant(max_bound, @i <= @max && @max < @j)] + #[invariant(max_is_max, forall i@ <= k && k < @j ==> (@v)[@max].0 <= (@v)[k].0)] + #[invariant(j_bound, i@ <= @j && @j <= (@v).len())] + #[invariant(max_bound, i@ <= @max && @max < @j)] while j < v.len() { if v[j].0 < v[max].0 { max = j; @@ -92,10 +92,10 @@ fn min_log(a: Int, b: Int) -> Int { } #[cfg_attr(feature = "trust_util", trusted)] -#[ensures(@result == min_log(@a, @b))] -#[ensures(@a <= @b ==> @result == @a)] -#[ensures(@b < @a ==> @result == @b)] -#[ensures(@result <= @b && @result <= @a)] +#[ensures(result@ == min_log(a@, @b))] +#[ensures(a@ <= @b ==> result@ == a@)] +#[ensures(@b < a@ ==> result@ == @b)] +#[ensures(result@ <= @b && result@ <= a@)] pub fn min(a: usize, b: usize) -> usize { if a <= b { a @@ -114,7 +114,7 @@ fn max_log(a: Int, b: Int) -> Int { } #[cfg_attr(feature = "trust_util", trusted)] -#[ensures(@result == max_log(@a, @b))] +#[ensures(result@ == max_log(a@, @b))] pub fn max(a: usize, b: usize) -> usize { if a >= b { a diff --git a/CreuSAT/src/watches.rs b/CreuSAT/src/watches.rs index 544cb035..520fbf72 100644 --- a/CreuSAT/src/watches.rs +++ b/CreuSAT/src/watches.rs 
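Review bot: The `min` and `max` contracts were migrated on one operand only: `#[ensures(result@ == min_log(a@, @b))]`, `#[ensures(@b < a@ ==> result@ == @b)]` and `#[ensures(result@ == max_log(a@, @b))]` mix postfix and prefix `@` within single expressions. Both functions are `trusted` under `trust_util`, so whatever these ensures say is assumed by every caller rather than proved; they should be completed as `min_log(a@, b@)`, `b@ < a@ ==> result@ == b@` and `max_log(a@, b@)` so the assumed contract is at least well-formed and symmetric in `a` and `b`. The `sort` invariants on the same line show the same partial rewrite, e.g. `i@ <= @j && @j <= (@v).len()`.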
@@ -25,13 +25,13 @@ pub struct Watches { // #10 and #19 just take some time, but check out on Mac #[cfg_attr(all(feature = "trust_watches", not(feature = "problem_child")), trusted)] #[maintains((mut watches).invariant(*f))] -#[requires(@f.num_vars < @usize::MAX/2)] -#[requires(lit.index_logic() < @f.num_vars)] +#[requires(f.num_vars@ < usize::MAX@/2)] +#[requires(lit.index_logic() < f.num_vars@)] #[requires(f.invariant())] #[requires(trail.invariant(*f))] -#[requires(@cref < (@f.clauses).len())] -#[requires(0 <= @k && @k < (@(@f.clauses)[@cref]).len())] // Changed -#[requires((@(@f.clauses)[@cref]).len() >= 2)] // This was > 2 before ? +#[requires(@cref < f.clauses@.len())] +#[requires(0 <= @k && @k < (@f.clauses@[@cref]).len())] // Changed +#[requires((@f.clauses@[@cref]).len() >= 2)] // This was > 2 before ? #[requires((@(@watches.watches)[lit.to_watchidx_logic()]).len() > @j)] pub fn update_watch(f: &Formula, trail: &Trail, watches: &mut Watches, cref: usize, j: usize, k: usize, lit: Lit) { let watchidx = lit.to_watchidx(); @@ -49,7 +49,7 @@ pub fn update_watch(f: &Formula, trail: &Trail, watches: &mut Watches, cref: usi proof_assert!(watches.invariant(*f)); proof_assert!(curr_lit.to_neg_watchidx_logic() < (@watches.watches).len()); proof_assert!(watcher_crefs_in_range(@(@watches.watches)[curr_lit.to_neg_watchidx_logic()], *f)); - proof_assert!(@w.cref < (@f.clauses).len()); + proof_assert!(@w.cref < f.clauses@.len()); proof_assert!(lemma_push_maintains_watcher_invariant(@(@watches.watches)[curr_lit.to_neg_watchidx_logic()], *f, w); true); let watch_lit = curr_lit.to_neg_watchidx(); 
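Review bot: The new `#[requires((@f.clauses@[@cref]).len() >= 2)]` wraps a postfix `@` inside a prefix `@` within one expression — `f.clauses@` was converted but the outer model operator and `@cref`/`@k`/`@j` were not — so it reads as `@(f.clauses@[@cref])` and will have to be touched again when the prefix form goes away. The two bound checks would be clearer as `#[requires(0 <= k@ && k@ < f.clauses@[cref@]@.len())]` and `#[requires(f.clauses@[cref@]@.len() >= 2)]`, with `cref@ < f.clauses@.len()` above them. The trailing `// Changed` and `// This was > 2 before ?` notes are carried onto the new lines unchanged; if the `>= 2` bound is settled, they should be dropped or turned into a statement of why `>= 2` is the right bound. `update_watch` continues past the end of the hunk.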
@@ -72,8 +72,8 @@ impl Watches {
 pub fn new(f: &Formula) -> Watches {
 let mut i: usize = 0;
 let mut watches = Vec::new();
- #[invariant(i_less, @i <= @f.num_vars)]
- #[invariant(maintains_inv, watches_invariant_internal(@watches, @i, *f))]
+ #[invariant(i_less, i@ <= f.num_vars@)]
+ #[invariant(maintains_inv, watches_invariant_internal(@watches, i@, *f))]
 while i < f.num_vars {
 watches.push(Vec::new());
 watches.push(Vec::new());
@@ -89,10 +89,10 @@ impl Watches {
 #[cfg_attr(feature = "trust_watches", trusted)]
 #[maintains((mut self).invariant(*_f))]
 #[requires(@cref < (@_f.clauses).len())]
- #[requires(lit.index_logic() < @usize::MAX/2)]
- #[requires(lit.to_neg_watchidx_logic() < (@self.watches).len())]
+ #[requires(lit.index_logic() < usize::MAX@/2)]
+ #[requires(lit.to_neg_watchidx_logic() < (self@.watches).len())]
 #[requires((@(@_f.clauses)[@cref]).len() > 1)]
- #[ensures((@self.watches).len() == (@(^self).watches).len())]
+ #[ensures((self@.watches).len() == (@(^self).watches).len())]
 pub fn add_watcher(&mut self, lit: Lit, cref: usize, _f: &Formula) {
 self.watches[lit.to_neg_watchidx()].push(Watcher { cref });
 }
@@ -101,11 +101,11 @@ impl Watches {
 #[cfg_attr(feature = "trust_watches", trusted)]
 #[maintains((mut self).invariant(*_f))]
 #[requires(@cref < (@_f.clauses).len())]
- #[requires(lit.index_logic() < @usize::MAX/2)]
+ #[requires(lit.index_logic() < usize::MAX@/2)]
 #[requires(blocker.index_logic() < @_f.num_vars)]
- #[requires(lit.to_neg_watchidx_logic() < (@self.watches).len())]
+ #[requires(lit.to_neg_watchidx_logic() < (self@.watches).len())]
 #[requires((@(@_f.clauses)[@cref]).len() > 1)]
- #[ensures((@self.watches).len() == (@(^self).watches).len())]
+ #[ensures((self@.watches).len() == (@(^self).watches).len())]
 pub fn add_watcher(&mut self, lit: Lit, cref: usize, _f: &Formula, blocker: Lit) {
 self.watches[lit.to_neg_watchidx()].push(Watcher { cref, blocker });
 }
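Review bot: `(@self.watches).len()` was rewritten as `(self@.watches).len()` in both `add_watcher` variants, which moves the model operator from the field onto the receiver: the old parentheses existed because prefix `@` applied to the whole `self.watches`, and the rest of this commit converts such field models to `x.field@` (`f.num_vars@`, `f.clauses@`), so `self@.watches` means `(self@).watches` and will only typecheck if `Watches` itself has a model with a `watches` field, which nothing in this hunk shows. The new `#[ensures((self@.watches).len() == (@(^self).watches).len())]` even mixes the two readings on one line, comparing a model of `self` against a model of the final value's field. Suggested lines: `#[requires(lit.to_neg_watchidx_logic() < self.watches@.len())]` and `#[ensures(self.watches@.len() == (^self).watches@.len())]`.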
@@ -113,11 +113,11 @@ impl Watches {
 // OK
 #[cfg_attr(feature = "trust_watches", trusted)]
 #[maintains((mut self).invariant(*_f))]
- #[requires(new_lit.index_logic() < @usize::MAX/2)]
- #[requires(new_lit.to_neg_watchidx_logic() < (@self.watches).len())]
- #[requires(@old_idx < (@self.watches).len())]
- #[requires(@old_pos < (@(@self.watches)[@old_idx]).len())]
- #[ensures((@(@(^self).watches)[@old_idx]).len() == ((@(@self.watches)[@old_idx]).len()))]
+ #[requires(new_lit.index_logic() < usize::MAX@/2)]
+ #[requires(new_lit.to_neg_watchidx_logic() < (self@.watches).len())]
+ #[requires(@old_idx < (self@.watches).len())]
+ #[requires(@old_pos < (@(self@.watches)[@old_idx]).len())]
+ #[ensures((@(@(^self).watches)[@old_idx]).len() == ((@(self@.watches)[@old_idx]).len()))]
 pub fn move_to_end(&mut self, old_idx: usize, old_pos: usize, new_lit: Lit, _f: &Formula) {
 let end = self.watches[old_idx].len() - 1;
 self.watches[old_idx].swap(old_pos, end);
@@ -127,13 +127,13 @@ impl Watches {
 // OK
 #[cfg_attr(feature = "trust_watches", trusted)]
 #[maintains((mut self).invariant(*f))]
- #[requires(@f.num_vars < @usize::MAX/2)]
+ #[requires(f.num_vars@ < usize::MAX@/2)]
 #[requires(f.invariant())]
 pub fn init_watches(&mut self, f: &Formula) {
 let old_w: Ghost<&mut Watches> = ghost! { self };
 let mut i = 0;
 #[invariant(watch_inv, self.invariant(*f))]
- #[invariant(same_len, (@self.watches).len() == 2 * @f.num_vars)]
+ #[invariant(same_len, (self@.watches).len() == 2 * f.num_vars@)]
 #[invariant(proph, ^self == ^old_w.inner())]
 while i < f.clauses.len() {
 let clause = &f[i];
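Review bot: `move_to_end` and `init_watches` receive the same `self@.watches` rewrite of what was `@self.watches`, which retargets the model operator from the `watches` field to `self`; `(@(self@.watches)[@old_idx])` is now a prefix model wrapped around a field projection of a model of `self`, and the `same_len` invariant `(self@.watches).len() == 2 * f.num_vars@` has the same shape. Unless `Watches` has a model with a `watches` field somewhere outside this hunk, these should be `self.watches@`: `#[requires(old_idx@ < self.watches@.len())]`, `#[requires(old_pos@ < self.watches@[old_idx@]@.len())]` and `#[ensures((^self).watches@[old_idx@]@.len() == self.watches@[old_idx@]@.len())]`, with the `same_len` invariant in `init_watches` converted the same way. Both function bodies continue below the hunk.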
@@ -150,12 +150,12 @@ impl Watches { // This is just the first half of update_watch. #[cfg_attr(all(feature = "trust_watches", not(feature = "problem_child")), trusted)] #[maintains((mut self).invariant(*f))] - #[requires(@f.num_vars < @usize::MAX/2)] - #[requires(lit.index_logic() < @f.num_vars)] + #[requires(f.num_vars@ < usize::MAX@/2)] + #[requires(lit.index_logic() < f.num_vars@)] #[requires(f.invariant())] #[requires(trail.invariant(*f))] - #[requires(@cref < (@f.clauses).len())] - #[requires((@(@f.clauses)[@cref]).len() >= 2)] + #[requires(@cref < f.clauses@.len())] + #[requires((@f.clauses@[@cref]).len() >= 2)] pub fn unwatch(&mut self, f: &Formula, trail: &Trail, cref: usize, lit: Lit) { let watchidx = lit.to_neg_watchidx(); let mut i: usize = 0; diff --git a/NewDB/src/clause_allocator.rs b/NewDB/src/clause_allocator.rs index 55a6f060..b9fc725a 100644 --- a/NewDB/src/clause_allocator.rs +++ b/NewDB/src/clause_allocator.rs @@ -39,8 +39,8 @@ pub(crate) struct ClauseAllocator { impl ClauseAllocator { #[logic] - //#[ensures(forall 0 <= i && i < (@self.buffer).len() ==> (@self.buffer)[i] == (@result.buffer)[i])] - //#[ensures(@result.num_vars == @self.num_vars)] + //#[ensures(forall 0 <= i && i < (self@.buffer).len() ==> (self@.buffer)[i] == (result@.buffer)[i])] + //#[ensures(result@.num_vars == self@.num_vars)] pub(crate) fn push(self, lit: Lit) -> Self { self } 
@@ -132,9 +132,9 @@ impl ClauseAllocator { self@[cref@ + HEADER_LEN@ + i] == lits@[i])] #[invariant(forall 0 <= i && i < self@.len() - old_self@.len() ==> self@[cref@ + HEADER_LEN@ + i].var_in_range(self.num_vars@))] - //#[invariant(extended2, forall 0 <= i && i < (produced).len() ==> (@self)[@cref + HEADER_LEN@ + i] == *(produced)[i])] - //#[invariant(extended, forall 0 <= i && i < (produced).len() ==> (@self)[@cref + HEADER_LEN@ + i] == (@lits)[i] - // && (@self)[@cref + HEADER_LEN@ + i].var_in_range(@self.num_vars))] + //#[invariant(extended2, forall 0 <= i && i < (produced).len() ==> self@[@cref + HEADER_LEN@ + i] == *(produced)[i])] + //#[invariant(extended, forall 0 <= i && i < (produced).len() ==> self@[@cref + HEADER_LEN@ + i] == (@lits)[i] + // && self@[@cref + HEADER_LEN@ + i].var_in_range(self@.num_vars))] for lit in lits { self.buffer.push(*lit); } diff --git a/NewDB/src/clause_manager.rs b/NewDB/src/clause_manager.rs index 06c7f7cb..dc5afa86 100644 --- a/NewDB/src/clause_manager.rs +++ b/NewDB/src/clause_manager.rs @@ -61,7 +61,7 @@ impl ClauseManager { #[requires(lits@.len() > 0)] #[requires(self.clause_allocator@.len() + lits@.len() + HEADER_LEN@ <= u32::MAX@)] // TODO: May have to move this to a runtime check #[requires(Formula::from(self.original_clauses@, self.clause_allocator, self.clause_allocator.num_vars@).implies(seq_to_fset(lits@)))] - //#[requires((@self).len() + (@lits).len() + @HEADER_LEN <= @u32::MAX)] // TODO: May have to move this to a runtime check + //#[requires(self@.len() + (@lits).len() + @HEADER_LEN <= @u32::MAX)] // TODO: May have to move this to a runtime check #[requires(clause_invariant_seq(lits@, self.clause_allocator.num_vars@))] pub(crate) fn learn_clause(&mut self, lits: &[Lit]) -> CRef { let old_self: Ghost<&mut ClauseManager> = ghost!(self); diff --git a/NewDB/src/formula.rs b/NewDB/src/formula.rs index 6c1767c2..cc25d4ee 100644 --- a/NewDB/src/formula.rs +++ b/NewDB/src/formula.rs 
@@ -15,10 +15,10 @@ pub(crate) struct Formula { #[logic] #[variant(just.len() - ix)] #[requires(ix >= 0)] -#[requires(forall 0 <= i && i < just.len() ==> @just[i] < (@self.assignments).len())] -#[ensures(forall result.contains(a) ==> exists 0 <= i && i < (@self.assignments).len() && a == (@self.assignments)[i].term_value())] -#[ensures(forall result.contains(a) ==> exists ix <= i && i < just.len() && a == (@self.assignments)[@just[i]].term_value())] -#[ensures(forall ix <= i && i < just.len() ==> result.contains((@self.assignments)[@just[i]].term_value()))] +#[requires(forall 0 <= i && i < just.len() ==> @just[i] < (self@.assignments).len())] +#[ensures(forall result.contains(a) ==> exists 0 <= i && i < (self@.assignments).len() && a == (self@.assignments)[i].term_value())] +#[ensures(forall result.contains(a) ==> exists ix <= i && i < just.len() && a == (self@.assignments)[@just[i]].term_value())] +#[ensures(forall ix <= i && i < just.len() ==> result.contains((self@.assignments)[@just[i]].term_value()))] pub fn abs_just_inner(self, just: Seq, ix: Int) -> FSet<(theory::Term, theory::Value)> { if ix < just.len() { let set = self.abs_just_inner(just, ix + 1); diff --git a/Robinson/src/assignments.rs b/Robinson/src/assignments.rs index 3fe7b228..d3c6082a 100644 --- a/Robinson/src/assignments.rs +++ b/Robinson/src/assignments.rs @@ -43,7 +43,7 @@ pub fn compatible_complete_inner(a: Seq, a2: Seq) #[predicate] pub fn assignments_invariant(a: Seq, f: Formula) -> bool { - pearlite! { @f.num_vars == a.len() } + pearlite! { f.num_vars@ == a.len() } } // Predicates 
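Review bot: `abs_just_inner`'s contract now reads `(self@.assignments).len()` and `(self@.assignments)[i]` where it had `(@self.assignments)`, so the model operator has moved from the `assignments` field onto `self` — the same `@self.<field>` to `self@.<field>` slip as in watches.rs — while `@just[i]` on the same lines stays in the prefix form. If the type of `self` here (presumably `Formula`, whose fields are outside the hunk) has no model of its own this will not typecheck, and if it does the meaning changes; the intended spelling is `self.assignments@.len()` and `self.assignments@[just[i]@].term_value()`. The body of `abs_just_inner` continues below the hunk.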
@@ -51,19 +51,19 @@ impl Assignments { #[predicate] pub fn invariant(self, f: Formula) -> bool { pearlite! { - @f.num_vars == (@self).len() && @self.1 <= @f.num_vars + f.num_vars@ == self@.len() && self.1@ <= f.num_vars@ } } #[predicate] pub fn compatible(self, a2: Assignments) -> bool { - pearlite! { compatible_inner(@self, @a2) } + pearlite! { compatible_inner(self@, a2@) } } #[predicate] pub fn complete(self) -> bool { pearlite! { - forall 0 <= i && i < (@self).len() ==> !unset((@self)[i]) + forall 0 <= i && i < self@.len() ==> !unset(self@[i]) } } @@ -75,15 +75,15 @@ impl Assignments { impl Assignments { #[cfg_attr(feature = "trust_assignments", trusted)] - #[ensures(forall 0 <= i && i < (@self).len() ==> (@self)[i] == (@result)[i])] - #[ensures((@self).len() == (@result).len())] - #[ensures(@result.1 == @self.1)] + #[ensures(forall 0 <= i && i < self@.len() ==> self@[i] == result@[i])] + #[ensures(self@.len() == result@.len())] + #[ensures(result.1@ == self.1@)] pub fn clone(&self) -> Self { let mut out = Vec::new(); let mut i: usize = 0; - #[invariant(loop_invariant, @i <= (@self).len())] - #[invariant(equality, forall 0 <= j && j < @i ==> (@out)[j] == (@self)[j])] - #[invariant(len, (@out).len() == @i)] + #[invariant(i@ <= self@.len())] + #[invariant(forall 0 <= j && j < i@ ==> out@[j] == self@[j])] + #[invariant(out@.len() == i@)] while i < self.0.len() { out.push(self.0[i]); i += 1; @@ -94,7 +94,7 @@ impl Assignments { #[cfg_attr(feature = "trust_assignments", trusted)] #[requires(f.invariant())] #[ensures(result.invariant(*f))] - #[ensures(forall 0 <= i && i < (@result).len() ==> unset((@result)[i]))] + #[ensures(forall 0 <= i && i < result@.len() ==> unset(result@[i]))] pub fn new(f: &Formula) -> Self { Assignments(vec::from_elem(2u8, f.num_vars), 0) } 
@@ -102,12 +102,12 @@ impl Assignments { #[cfg_attr(feature = "trust_assignments", trusted)] #[maintains((mut self).invariant(*_f))] #[requires(!self.complete())] - #[requires(d.invariant((@self).len()))] - #[ensures(@result < (@self).len() && unset((@self)[@result]))] - #[ensures(@self == @^self)] + #[requires(d.invariant(self@.len()))] + #[ensures(result@ < self@.len() && unset(self@[result@]))] + #[ensures(self@ == (^self)@)] pub fn find_unassigned(&mut self, d: &Decisions, _f: &Formula) -> usize { let mut i: usize = self.1; - #[invariant(i_bound, @i <= (@d.lit_order).len())] + #[invariant(i@ <= d.lit_order@.len())] while i < d.lit_order.len() { let curr = self.0[d.lit_order[i]]; if curr >= 2 { @@ -119,7 +119,7 @@ impl Assignments { // Strictly speaking this is an unecessary runtime check, but it only gets run at most once and it // greatly simplifies the proof. i = 0; - #[invariant(prev, forall 0 <= j && j < @i ==> !unset((@self)[j]))] + #[invariant(forall 0 <= j && j < i@ ==> !unset(self@[j]))] while i < self.0.len() { if self.0[i] >= 2 { return i; 
@@ -132,20 +132,20 @@ impl Assignments { #[cfg_attr(feature = "trust_assignments", trusted)] #[maintains((mut self).invariant(*f))] #[requires(f.invariant())] - #[requires(0 <= @i && @i < (@f.clauses).len())] + #[requires(0 <= i@ && i@ < f.clauses@.len())] #[ensures((*self).compatible(^self))] #[ensures(f.eventually_sat_complete(*self) == f.eventually_sat_complete(^self))] /* - #[ensures((result == ClauseState::Unit) ==> (@f.clauses)[@i].unit(*self) && !(self).complete())] - #[ensures((result == ClauseState::Sat) ==> (@f.clauses)[@i].sat(^self) && @self == @^self)] - #[ensures((result == ClauseState::Unsat) ==> (@f.clauses)[@i].unsat(^self) && @self == @^self)] - #[ensures((result == ClauseState::Unknown) ==> @self == @^self && !(^self).complete())] + #[ensures((result == ClauseState::Unit) ==> f.clauses@[i@].unit(*self) && !(self).complete())] + #[ensures((result == ClauseState::Sat) ==> f.clauses@[i@].sat(^self) && self@ == @^self)] + #[ensures((result == ClauseState::Unsat) ==> f.clauses@[i@].unsat(^self) && self@ == @^self)] + #[ensures((result == ClauseState::Unknown) ==> self@ == @^self && !(^self).complete())] */ #[ensures(match result { - ClauseState::Unit => (@f.clauses)[@i].unit(*self) && !self.complete(), - ClauseState::Sat => (@f.clauses)[@i].sat(^self) && @self == @^self, - ClauseState::Unsat => (@f.clauses)[@i].unsat(^self) && @self == @^self, - ClauseState::Unknown => @self == @^self && !(^self).complete(), + ClauseState::Unit => f.clauses@[i@].unit(*self) && !self.complete(), + ClauseState::Sat => f.clauses@[i@].sat(^self) && self@ == (^self)@, + ClauseState::Unsat => f.clauses@[i@].unsat(^self) && self@ == (^self)@, + ClauseState::Unknown => self@ == (^self)@ && !(^self).complete(), })] #[ensures((self).complete() ==> *self == ^self && ((result == ClauseState::Unsat) || (result == ClauseState::Sat)))] pub fn unit_prop_once(&mut self, i: usize, f: &Formula) -> ClauseState { 
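Review bot: The commented-out `#[ensures(...)]` block above the live `match result` contract was edited rather than removed, and it is now internally inconsistent: its lines read `self@ == @^self` while the live postconditions directly below were converted to `self@ == (^self)@`. Dead annotations that have to be kept in step with a syntax migration cost review time and prove nothing; since the `match` form fully replaces the four commented `ensures`, I would delete the `/* ... */` block here instead of half-converting it. `unit_prop_once` is declared at the end of this hunk and its body lies below.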
@@ -158,15 +158,15 @@ impl Assignments { // rare and we on average have to traverse n/2 lits to find the unit lit. If I make formula // mutable, then I can swap to index 0 and skip the call to clause.get_unit() let lit = clause.get_unit(self, f); - proof_assert!(lemma_unit_wrong_polarity_unsat_formula(*clause, *f, @self, lit.index_logic(), bool_to_assignedstate(lit.polarity)); true); - proof_assert!(lemma_unit_forces(*f, @self, lit.index_logic(), bool_to_assignedstate(lit.polarity)); true); + proof_assert!(lemma_unit_wrong_polarity_unsat_formula(*clause, *f, self@, lit.index_logic(), bool_to_assignedstate(lit.polarity)); true); + proof_assert!(lemma_unit_forces(*f, self@, lit.index_logic(), bool_to_assignedstate(lit.polarity)); true); if lit.polarity { self.0[lit.index()] = 1; } else { self.0[lit.index()] = 0; } - proof_assert!(lemma_extension_sat_base_sat(*f, @_old_a.inner(), lit.index_logic(), bool_to_assignedstate(lit.polarity)); true); - proof_assert!(lemma_extensions_unsat_base_unsat(@_old_a.inner(), lit.index_logic(), *f); true); + proof_assert!(lemma_extension_sat_base_sat(*f, _old_a.inner()@, lit.index_logic(), bool_to_assignedstate(lit.polarity)); true); + proof_assert!(lemma_extensions_unsat_base_unsat(_old_a.inner()@, lit.index_logic(), *f); true); proof_assert!(^self == ^_old_a.inner()); return ClauseState::Unit; } 
@@ -191,21 +191,21 @@ impl Assignments { let _old_a: Ghost<&mut Assignments> = ghost!(self); let mut i: usize = 0; let mut out = ClauseState::Sat; - #[invariant(assignment_invariant, self.invariant(*f))] - #[invariant(proph, ^self == ^_old_a.inner())] - #[invariant(maintains_compat, _old_a.compatible(*self))] - #[invariant(maintains_sat, f.eventually_sat_complete(*_old_a.inner()) == f.eventually_sat_complete(*self))] - #[invariant(out_not_unsat, !(out == ClauseState::Unsat))] - #[invariant(inv,_old_a.complete() ==> - *_old_a.inner() == *self && forall 0 <= j && j < @i ==> - !(@f.clauses)[j].unknown(*self) && !(@f.clauses)[j].unit(*self) && (@f.clauses)[j].sat(*self) + #[invariant(self.invariant(*f))] + #[invariant(^self == ^_old_a.inner())] + #[invariant(_old_a.compatible(*self))] + #[invariant(f.eventually_sat_complete(*_old_a.inner()) == f.eventually_sat_complete(*self))] + #[invariant(!(out == ClauseState::Unsat))] + #[invariant(_old_a.complete() ==> + *_old_a.inner() == *self && forall 0 <= j && j < i@ ==> + !f.clauses@[j].unknown(*self) && !f.clauses@[j].unit(*self) && f.clauses@[j].sat(*self) )] - #[invariant(inv2, - out == ClauseState::Sat ==> forall 0 <= j && j < @i ==> - !(@f.clauses)[j].unsat(*self) && !(@f.clauses)[j].unknown(*self) && !(@f.clauses)[j].unit(*self) && (@f.clauses)[j].sat(*self) + #[invariant( + out == ClauseState::Sat ==> forall 0 <= j && j < i@ ==> + !f.clauses@[j].unsat(*self) && !f.clauses@[j].unknown(*self) && !f.clauses@[j].unit(*self) && f.clauses@[j].sat(*self) )] - #[invariant(inv3, out == ClauseState::Unit ==> !_old_a.complete())] - #[invariant(inv4, out == ClauseState::Unknown ==> !self.complete())] + #[invariant(out == ClauseState::Unit ==> !_old_a.complete())] + #[invariant(out == ClauseState::Unknown ==> !self.complete())] while i < f.clauses.len() { match self.unit_prop_once(i, f) { ClauseState::Sat => {} 
@@ -237,10 +237,10 @@ impl Assignments { #[ensures(result == None ==> !(^self).complete())] pub fn do_unit_propagation(&mut self, f: &Formula) -> Option { let _old_a: Ghost<&mut Assignments> = ghost!(self); - #[invariant(assignments_invariant, self.invariant(*f))] - #[invariant(proph, ^self == ^_old_a.inner())] - #[invariant(maintains_compat, _old_a.compatible(*self))] - #[invariant(maintains_sat, f.eventually_sat_complete(*_old_a.inner()) ==> f.eventually_sat_complete(*self))] + #[invariant(self.invariant(*f))] + #[invariant(^self == ^_old_a.inner())] + #[invariant(_old_a.compatible(*self))] + #[invariant(f.eventually_sat_complete(*_old_a.inner()) ==> f.eventually_sat_complete(*self))] loop { match self.unit_propagate(f) { ClauseState::Sat => { diff --git a/Robinson/src/clause.rs b/Robinson/src/clause.rs index 72191ada..ac5f6318 100644 --- a/Robinson/src/clause.rs +++ b/Robinson/src/clause.rs @@ -25,8 +25,8 @@ impl Clause { #[predicate] pub fn in_formula(self, f: Formula) -> bool { pearlite! { - exists 0 <= i && i < (@f.clauses).len() && - (@f.clauses)[i] == self + exists 0 <= i && i < f.clauses@.len() && + f.clauses@[i] == self } } 
@@ -35,39 +35,39 @@ impl Clause { pearlite! { self.vars_in_range(a.len()) && !self.sat_inner(a) - && exists 0 <= i && i < (@self).len() && (@self)[i].unset_inner(a) - && (forall 0 <= j && j < (@self).len() && j != i ==> !(@self)[j].unset_inner(a)) + && exists 0 <= i && i < self@.len() && self@[i].unset_inner(a) + && (forall 0 <= j && j < self@.len() && j != i ==> !self@[j].unset_inner(a)) } } #[predicate] pub fn unit(self, a: Assignments) -> bool { - pearlite! { self.unit_inner(@a) } + pearlite! { self.unit_inner(a@) } } #[predicate] pub fn unsat_inner(self, a: Seq) -> bool { pearlite! { - forall 0 <= i && i < (@self).len() ==> - (@self)[i].unsat_inner(a) + forall 0 <= i && i < self@.len() ==> + self@[i].unsat_inner(a) } } #[predicate] pub fn unsat(self, a: Assignments) -> bool { - pearlite! { self.unsat_inner(@a) } + pearlite! { self.unsat_inner(a@) } } #[predicate] pub fn sat_inner(self, a: Seq) -> bool { pearlite! { - exists 0 <= i && i < (@self).len() && - (@self)[i].sat_inner(a) + exists 0 <= i && i < self@.len() && + self@[i].sat_inner(a) } } #[predicate] pub fn sat(self, a: Assignments) -> bool { - pearlite! { self.sat_inner(@a) } + pearlite! { self.sat_inner(a@) } } #[predicate] @@ -78,16 +78,16 @@ impl Clause { #[predicate] pub fn vars_in_range(self, n: Int) -> bool { pearlite! { - forall 0 <= i && i < (@self).len() ==> - (@self)[i].invariant(n) + forall 0 <= i && i < self@.len() ==> + self@[i].invariant(n) } } #[predicate] pub fn no_duplicate_indexes(self) -> bool { pearlite! { - forall 0 <= j && j < (@self).len() && - 0 <= k && k < j ==> !((@self)[k].index_logic() == (@self)[j].index_logic()) + forall 0 <= j && j < self@.len() && + 0 <= k && k < j ==> !(self@[k].index_logic() == self@[j].index_logic()) } } 
@@ -111,7 +111,7 @@ impl Clause { } #[cfg_attr(feature = "trust_clause", trusted)] - #[requires(self.invariant((@a).len()))] + #[requires(self.invariant((a@).len()))] #[requires(_f.invariant())] #[requires(a.invariant(*_f))] #[ensures((result == ClauseState::Sat) ==> self.sat(*a))] @@ -122,16 +122,16 @@ impl Clause { let mut i: usize = 0; let mut _k: usize = 0; // _k is the "ghost" index of the unset literal let mut unassigned: usize = 0; - #[invariant(loop_invariant, 0 <= @i && @i <= (@self.rest).len())] - #[invariant(unass, @unassigned <= 1)] - #[invariant(k_is_unass, (@unassigned == 0 || (@self)[@_k].unset(*a)))] - #[invariant(kk, @unassigned > 0 ==> (@self)[@_k].unset(*a))] - #[invariant(not_sat, forall 0 <= j && j < @i ==> - ((@self)[j].unsat(*a) || ((@self)[j].unset(*a) && @unassigned >= 1)))] - #[invariant(k_in_bounds, @unassigned == 0 || 0 <= @_k && @_k < (@self).len())] - #[invariant(k_only, @unassigned == 1 ==> - (forall 0 <= j && j < @i && j != @_k ==> !(@self)[j].unset(*a)))] - #[invariant(k_unset, @unassigned == 0 ==> @_k == 0)] + #[invariant(0 <= i@ && i@ <= (self.rest@).len())] + #[invariant(unassigned@ <= 1)] + #[invariant((unassigned@ == 0 || self@[_k@].unset(*a)))] + #[invariant(unassigned@ > 0 ==> self@[_k@].unset(*a))] + #[invariant(forall 0 <= j && j < i@ ==> + (self@[j].unsat(*a) || (self@[j].unset(*a) && unassigned@ >= 1)))] + #[invariant(unassigned@ == 0 || 0 <= _k@ && _k@ < self@.len())] + #[invariant(unassigned@ == 1 ==> + (forall 0 <= j && j < i@ && j != _k@ ==> !self@[j].unset(*a)))] + #[invariant(unassigned@ == 0 ==> _k@ == 0)] while i < self.rest.len() { let lit = self.rest[i]; if lit.lit_sat(a) { 
@@ -157,12 +157,12 @@ impl Clause { #[requires(self.unit(*a))] #[requires(_f.invariant())] #[requires(a.invariant(*_f))] - #[ensures(exists 0 <= j && j < (@self).len() && (@self)[j] == result)] - #[ensures(result.index_logic() < (@a).len())] - #[ensures(unset((@a)[result.index_logic()]))] + #[ensures(exists 0 <= j && j < self@.len() && self@[j] == result)] + #[ensures(result.index_logic() < (a@).len())] + #[ensures(unset((a@)[result.index_logic()]))] pub fn get_unit(&self, a: &Assignments, _f: &Formula) -> Lit { let mut i: usize = 0; - #[invariant(not_unset, forall 0 <= j && j < @i ==> !(@self)[j].unset(*a))] + #[invariant(forall 0 <= j && j < i@ ==> !self@[j].unset(*a))] while i < self.rest.len() { let lit = self.rest[i]; if lit.lit_unset(a) { @@ -174,13 +174,13 @@ impl Clause { } #[cfg_attr(feature = "trust_clause", trusted)] - #[requires(self.vars_in_range(@usize::MAX))] - #[ensures(self.invariant(@result))] + #[requires(self.vars_in_range(usize::MAX@))] + #[ensures(self.invariant(result@))] pub fn check_clause_invariant(&self, n: usize) -> usize { let mut i: usize = 0; let mut new_n = n; - #[invariant(inv, forall 0 <= j && j < @i ==> (@self)[j].invariant(@new_n))] - #[invariant(new_n_inv, @new_n >= @n)] + #[invariant(forall 0 <= j && j < i@ ==> self@[j].invariant(new_n@))] + #[invariant(new_n@ >= n@)] while i < self.len() { if !self.rest[i].check_lit_invariant(new_n) { new_n = self.rest[i].idx + 1; 
@@ -199,13 +199,13 @@ impl Clause { #[ensures(result == self.no_duplicate_indexes())] pub fn no_duplicates(&self) -> bool { let mut i: usize = 0; - #[invariant(no_dups, - forall 0 <= j && j < @i && - 0 <= k && k < j ==> (@self)[j].idx != (@self)[k].idx)] + #[invariant( + forall 0 <= j && j < i@ && + 0 <= k && k < j ==> self@[j].idx != self@[k].idx)] while i < self.rest.len() { let lit1 = self.rest[i]; let mut j: usize = 0; - #[invariant(inv, forall 0 <= k && k < @j ==> lit1.idx != (@self)[k].idx)] + #[invariant(forall 0 <= k && k < j@ ==> lit1.idx != self@[k].idx)] while j < i { let lit2 = self.rest[j]; if lit1.idx == lit2.idx { @@ -220,7 +220,7 @@ impl Clause { #[inline(always)] #[cfg_attr(feature = "trust_clause", trusted)] - #[ensures(@result == (@self).len())] + #[ensures(result@ == self@.len())] pub fn len(&self) -> usize { self.rest.len() } diff --git a/Robinson/src/decision.rs b/Robinson/src/decision.rs index ef00c99d..7de14a94 100644 --- a/Robinson/src/decision.rs +++ b/Robinson/src/decision.rs @@ -12,9 +12,9 @@ impl Decisions { #[predicate] pub fn invariant(self, n: Int) -> bool { pearlite! { - (@self.lit_order).len() == n - && forall 0 <= i && i < (@self.lit_order).len() ==> - @(@self.lit_order)[i] < n + self.lit_order@.len() == n + && forall 0 <= i && i < self.lit_order@.len() ==> + self.lit_order@[i]@ < n } } } 
@@ -22,17 +22,17 @@ impl Decisions { impl Decisions { #[cfg_attr(feature = "trust_decision", trusted)] #[requires(f.invariant())] - #[ensures(result.invariant(@f.num_vars))] + #[ensures(result.invariant(f.num_vars@))] pub fn new(f: &Formula) -> Decisions { let mut lit_order: Vec = vec::from_elem(0, f.num_vars); let mut counts: Vec = vec::from_elem(0, f.num_vars); let mut counts_with_index: Vec<(usize, usize)> = vec::from_elem((0, 0), f.num_vars); let mut i: usize = 0; - #[invariant(counts_len1, (@counts).len() == @f.num_vars)] + #[invariant(counts@.len() == f.num_vars@)] while i < f.clauses.len() { let curr_clause = &f.clauses[i]; let mut j: usize = 0; - #[invariant(counts_len, (@counts).len() == @f.num_vars)] + #[invariant(counts@.len() == f.num_vars@)] while j < curr_clause.rest.len() { // Okay this is obviously provable, a vector cannot be longer than usize, and we don't allow duplicates, so we will // never overflow, even if every clause contains a literal, @@ -46,17 +46,17 @@ impl Decisions { i += 1; } i = 0; - #[invariant(counts_with_idx_len, (@counts_with_index).len() == @f.num_vars)] - #[invariant(second_ok, forall 0 <= j && j < @f.num_vars ==> - @(@counts_with_index)[j].1 < @f.num_vars)] + #[invariant(counts_with_index@.len() == f.num_vars@)] + #[invariant(forall 0 <= j && j < f.num_vars@ ==> + counts_with_index@[j].1@ < f.num_vars@)] while i < f.num_vars { counts_with_index[i] = (counts[i], i); i += 1; } sort_reverse(&mut counts_with_index); i = 0; - #[invariant(lit_order_len, (@lit_order).len() == @f.num_vars)] - #[invariant(second_ok, forall 0 <= j && j < @f.num_vars ==> @(@lit_order)[j] < @f.num_vars)] + #[invariant(lit_order@.len() == f.num_vars@)] + #[invariant(forall 0 <= j && j < f.num_vars@ ==> lit_order@[j]@ < f.num_vars@)] while i < f.num_vars { lit_order[i] = counts_with_index[i].1; i += 1; diff --git a/Robinson/src/formula.rs b/Robinson/src/formula.rs index d009c638..3bc47935 100644 --- a/Robinson/src/formula.rs +++ b/Robinson/src/formula.rs 
@@ -35,15 +35,15 @@ impl Formula { #[predicate] pub fn invariant(self) -> bool { pearlite! { - forall 0 <= i && i < (@self.clauses).len() ==> - (@self.clauses)[i].invariant(@self.num_vars) + forall 0 <= i && i < (self.clauses@).len() ==> + (self.clauses@)[i].invariant(self.num_vars@) } } #[predicate] pub fn eventually_sat_inner(self, a: Seq) -> bool { pearlite! { - exists> a2.len() == @self.num_vars && compatible_inner(a, a2) && self.sat_inner(a2) + exists> a2.len() == self.num_vars@ && compatible_inner(a, a2) && self.sat_inner(a2) } } 
@@ -55,68 +55,68 @@ impl Formula { #[predicate] pub fn eventually_sat_complete_no_ass(self) -> bool { pearlite! { - exists> a2.len() == @self.num_vars && complete_inner(a2) && self.sat_inner(a2) + exists> a2.len() == self.num_vars@ && complete_inner(a2) && self.sat_inner(a2) } } #[predicate] pub fn eventually_sat_complete_inner(self, a: Seq) -> bool { pearlite! { - exists> a2.len() == @self.num_vars && compatible_complete_inner(a, a2) && self.sat_inner(a2) + exists> a2.len() == self.num_vars@ && compatible_complete_inner(a, a2) && self.sat_inner(a2) } } #[predicate] pub fn eventually_sat_complete(self, a: Assignments) -> bool { - pearlite! { self.eventually_sat_complete_inner(@a) } + pearlite! { self.eventually_sat_complete_inner(a@) } } #[predicate] pub fn eventually_sat(self, a: Assignments) -> bool { - pearlite! { self.eventually_sat_inner(@a) } + pearlite! { self.eventually_sat_inner(a@) } } #[predicate] pub fn sat_inner(self, a: Seq) -> bool { pearlite! { - forall 0 <= i && i < (@self.clauses).len() ==> - (@self.clauses)[i].sat_inner(a) + forall 0 <= i && i < self.clauses@.len() ==> + self.clauses@[i].sat_inner(a) } } #[predicate] pub fn sat(self, a: Assignments) -> bool { - pearlite! { self.sat_inner(@a) } + pearlite! { self.sat_inner(a@) } } #[predicate] pub fn unsat_inner(self, a: Seq) -> bool { pearlite! { - exists 0 <= i && i < (@(self.clauses)).len() && - (@(self.clauses))[i].unsat_inner(a) + exists 0 <= i && i < self.clauses@.len() && + self.clauses@[i].unsat_inner(a) } } #[predicate] pub fn unsat(self, a: Assignments) -> bool { - pearlite! { self.unsat_inner(@a) } + pearlite! { self.unsat_inner(a@) } } #[predicate] pub fn contains_empty_clause(self) -> bool { pearlite! 
{ - exists 0 <= i && i < (@self.clauses).len() && - (@(@self.clauses)[i]).len() == 0 + exists 0 <= i && i < self.clauses@.len() && + self.clauses@[i]@.len() == 0 } } } impl Formula { #[cfg_attr(feature = "trust_formula", trusted)] - #[requires(forall 0 <= i && i < (@self.clauses).len() ==> - (@self.clauses)[i].vars_in_range(@usize::MAX))] + #[requires(forall 0 <= i && i < self.clauses@.len() ==> + self.clauses@[i].vars_in_range(usize::MAX@))] #[ensures(match result { - SatResult::Sat(assn) => { (^self).eventually_sat_no_ass() && formula_sat_inner(@self, @assn) }, + SatResult::Sat(assn) => { (^self).eventually_sat_no_ass() && formula_sat_inner(self@, assn@) }, SatResult::Unsat => { (^self).contains_empty_clause() && !self.eventually_sat_complete_no_ass() }, SatResult::Unknown => { (^self).invariant() }, })] @@ -125,17 +125,17 @@ impl Formula { if self.clauses.len() == 0 { let a = Vec::new(); // These just help the proof along. - proof_assert!(self.sat_inner(@a)); + proof_assert!(self.sat_inner(a@)); proof_assert!(self.eventually_sat_no_ass()); return SatResult::Sat(a); } let old_self: Ghost<&mut Formula> = ghost!(self); let mut i: usize = 0; - #[invariant(inv, forall 0 <= j && j < @i ==> (@self.clauses)[j].invariant(@self.num_vars))] - #[invariant(inv, forall 0 <= j && j < @i ==> (@(@self.clauses)[j]).len() > 0)] - #[invariant(unch, (@self).0 == (@old_self.inner()).0)] - #[invariant(unch, self.clauses == old_self.clauses)] - #[invariant(proph, ^self == ^old_self.inner())] + #[invariant(forall 0 <= j && j < i@ ==> self.clauses@[j].invariant(self.num_vars@))] + #[invariant(forall 0 <= j && j < i@ ==> self.clauses@[j]@.len() > 0)] + #[invariant(self@.0 == old_self.inner()@.0)] + #[invariant(self.clauses == old_self.clauses)] + #[invariant(^self == ^old_self.inner())] while i < self.clauses.len() { if self.clauses[i].len() == 0 { return SatResult::Unsat; diff --git a/Robinson/src/lit.rs b/Robinson/src/lit.rs index 84bd8b61..df4e57cd 100644 --- a/Robinson/src/lit.rs 
+++ b/Robinson/src/lit.rs @@ -18,7 +18,7 @@ impl Lit { #[logic] #[why3::attr = "inline:trivial"] pub fn index_logic(self) -> Int { - pearlite! { @self.idx } + pearlite! { self.idx@ } } } @@ -27,21 +27,21 @@ impl Lit { #[predicate] pub fn lit_in(self, c: Clause) -> bool { pearlite! { - exists 0 <= i && i < (@c).len() && (@c)[i] == self + exists 0 <= i && i < c@.len() && c@[i] == self } } #[predicate] pub fn invariant(self, n: Int) -> bool { - pearlite! { @self.idx < n } + pearlite! { self.idx@ < n } } #[predicate] pub fn sat_inner(self, a: Seq) -> bool { pearlite! { match self.polarity { - true => (@a[@self.idx] == 1), - false => (@a[@self.idx] == 0), + true => (a[self.idx@]@ == 1), + false => (a[self.idx@]@ == 0), } } } @@ -50,8 +50,8 @@ impl Lit { pub fn unsat_inner(self, a: Seq) -> bool { pearlite! { match self.polarity { - true => (@a[@self.idx] == 0), - false => (@a[@self.idx] == 1), + true => (a[self.idx@]@ == 0), + false => (a[self.idx@]@ == 1), } } } @@ -59,38 +59,38 @@ impl Lit { #[predicate] pub fn unset_inner(self, a: Seq) -> bool { pearlite! { - @(a)[@self.idx] >= 2 + a[self.idx@]@ >= 2 } } #[predicate] pub fn sat(self, a: Assignments) -> bool { pearlite! { - self.sat_inner(@a) + self.sat_inner(a@) } } #[predicate] pub fn unset(self, a: Assignments) -> bool { - pearlite! { self.unset_inner(@a) } + pearlite! { self.unset_inner(a@) } } #[predicate] pub fn unsat(self, a: Assignments) -> bool { - pearlite! { self.unsat_inner(@a) } + pearlite! { self.unsat_inner(a@) } } } impl Lit { #[inline(always)] #[cfg_attr(feature = "trust_lit", trusted)] - #[ensures(@result == self.index_logic())] + #[ensures(result@ == self.index_logic())] pub fn index(self) -> usize { self.idx } #[inline] - #[requires(self.invariant((@a).len()))] + #[requires(self.invariant(a@.len()))] #[ensures(result == self.sat(*a))] pub fn lit_sat(self, a: &Assignments) -> bool { match self.polarity { 
@@ -101,7 +101,7 @@ impl Lit { #[allow(unused)] // Not used, but OK to have. #[inline] - #[requires(self.invariant((@a).len()))] + #[requires(self.invariant(a@.len()))] #[ensures(result == self.unsat(*a))] pub fn lit_unsat(self, a: &Assignments) -> bool { match self.polarity { @@ -111,7 +111,7 @@ impl Lit { } #[inline] - #[requires(self.invariant((@a).len()))] + #[requires(self.invariant(a@.len()))] #[ensures(result == self.unset(*a))] pub fn lit_unset(self, a: &Assignments) -> bool { a.0[self.idx] >= 2 @@ -119,8 +119,8 @@ impl Lit { #[inline(always)] //#[cfg_attr(feature = "trust_lit", trusted)] - #[ensures(result == self.invariant(@n))] - #[ensures(result == (@self.idx < @n))] + #[ensures(result == self.invariant(n@))] + #[ensures(result == (self.idx@ < n@))] pub fn check_lit_invariant(&self, n: usize) -> bool { self.idx < n } diff --git a/Robinson/src/logic.rs b/Robinson/src/logic.rs index 59719cce..3638a251 100644 --- a/Robinson/src/logic.rs +++ b/Robinson/src/logic.rs @@ -4,8 +4,8 @@ use creusot_contracts::*; use crate::{assignments::*, clause::*, formula::*}; #[logic] -#[ensures(b ==> @result == 1)] -#[ensures(!b ==> @result == 0)] +#[ensures(b ==> result@ == 1)] +#[ensures(!b ==> result@ == 0)] pub fn bool_to_assignedstate(b: bool) -> AssignedState { if b { 1u8 @@ -17,9 +17,9 @@ pub fn bool_to_assignedstate(b: bool) -> AssignedState { #[logic] fn flip_v(v: AssignedState) -> AssignedState { pearlite! { - if @v == 0 { + if v@ == 0 { 1u8 - } else if @v == 1 { + } else if v@ == 1 { 0u8 } else { v @@ -40,7 +40,7 @@ fn neg() -> AssignedState { #[predicate] pub fn unset(v: AssignedState) -> bool { pearlite! { - if @v >= 2 { + if v@ >= 2 { true } else { false @@ -50,7 +50,7 @@ pub fn unset(v: AssignedState) -> bool { #[logic] #[requires(f.invariant())] -#[requires(@f.num_vars == a.len())] +#[requires(f.num_vars@ == a.len())] #[requires(0 <= ix && ix < a.len() && unset(a[ix]))] #[requires(!unset(v))] #[requires(f.eventually_sat_complete_inner(a))] 
@@ -60,14 +60,14 @@ pub fn lemma_unit_forces(f: Formula, a: Seq, ix: Int, v: Assigned #[logic] #[requires(f.invariant())] -#[requires(@f.num_vars == a.len())] +#[requires(f.num_vars@ == a.len())] #[requires(0 <= ix && ix < a.len() && unset(a[ix]))] #[requires(!unset(v))] #[requires(c.unit_inner(a))] #[requires(c.in_formula(f))] #[requires(c.invariant(a.len()))] -#[requires(exists 0 <= j && j < (@c).len() && (@c)[j].index_logic() == ix && bool_to_assignedstate(((@c)[j].polarity)) == v)] -#[requires(forall 0 <= j && j < (@c).len() && !((@c)[j].index_logic() == ix) ==> (@c)[j].unsat_inner(a))] +#[requires(exists 0 <= j && j < c@.len() && c@[j].index_logic() == ix && bool_to_assignedstate((c@[j].polarity)) == v)] +#[requires(forall 0 <= j && j < c@.len() && !(c@[j].index_logic() == ix) ==> c@[j].unsat_inner(a))] #[ensures(!f.eventually_sat_complete_inner(a.set(ix, flip_v(v))))] #[ensures(f.unsat_inner(a.set(ix, flip_v(v))))] pub fn lemma_unit_wrong_polarity_unsat_formula( diff --git a/Robinson/src/solver.rs b/Robinson/src/solver.rs index 943e9598..2f9adf2d 100644 --- a/Robinson/src/solver.rs +++ b/Robinson/src/solver.rs @@ -11,7 +11,7 @@ pub enum SatResult { #[requires(f.invariant())] #[requires(a.invariant(*f))] -#[requires(d.invariant(@f.num_vars))] +#[requires(d.invariant(f.num_vars@))] #[ensures(result == true ==> f.eventually_sat(a))] #[ensures(result == false ==> !f.eventually_sat_complete(a))] fn inner(f: &Formula, mut a: Assignments, d: &Decisions) -> bool { 
@@ -34,11 +34,11 @@ fn inner(f: &Formula, mut a: Assignments, d: &Decisions) -> bool { } #[cfg_attr(feature = "trust_solver", trusted)] -#[requires(forall 0 <= i && i < (@formula.clauses).len() ==> - (@formula.clauses)[i].vars_in_range(@usize::MAX))] +#[requires(forall 0 <= i && i < formula.clauses@.len() ==> + formula.clauses@[i].vars_in_range(usize::MAX@))] #[ensures(match result { SatResult::Sat(_assn) => { (^formula).eventually_sat_no_ass() - //&& formula.sat_inner(@assn) // TODO on returning satisfying assignment + //&& formula.sat_inner(assn@) // TODO on returning satisfying assignment }, SatResult::Unsat => { !(^formula).eventually_sat_complete_no_ass() }, _ => { false }, // We are complete diff --git a/Robinson/src/util.rs b/Robinson/src/util.rs index 6913ae8a..ee72b48b 100644 --- a/Robinson/src/util.rs +++ b/Robinson/src/util.rs 
@@ -20,21 +20,21 @@ fn partition_rev(v: Seq<(usize, usize)>, i: Int) -> bool { // Selection sort with larger elements first. Based on the one in Creusot repo by Xavier and me. #[cfg_attr(feature = "trust_util", trusted)] -#[ensures(sorted_rev(@^v))] -#[ensures((@^v).permutation_of(@v))] +#[ensures(sorted_rev((^v)@))] +#[ensures((^v)@.permutation_of(v@))] pub fn sort_reverse(v: &mut Vec<(usize, usize)>) { let mut i: usize = 0; let _old_v: Ghost<&mut Vec<(usize, usize)>> = ghost!(v); - #[invariant(proph_const, ^v == ^_old_v.inner())] - #[invariant(permutation, (@v).permutation_of(@_old_v.inner()))] - #[invariant(sorted, sorted_range_rev(@v, 0, @i))] - #[invariant(partition, partition_rev(@v, @i))] + #[invariant(^v == ^_old_v.inner())] + #[invariant(v@.permutation_of(_old_v.inner()@))] + #[invariant(sorted_range_rev(v@, 0, i@))] + #[invariant(partition_rev(v@, i@))] while i < v.len() { let mut max = i; let mut j = i + 1; - #[invariant(max_is_max, forall @i <= k && k < @j ==> (@v)[@max].0 >= (@v)[k].0)] - #[invariant(j_bound, @i <= @j && @j <= (@v).len())] - #[invariant(max_bound, @i <= @max && @max < @j)] + #[invariant(forall i@ <= k && k < j@ ==> v@[max@].0 >= v@[k].0)] + #[invariant(i@ <= j@ && j@ <= v@.len())] + #[invariant(i@ <= max@ && max@ < j@)] while j < v.len() { if v[j].0 > v[max].0 { max = j; diff --git a/Scratch/src/assignments.rs b/Scratch/src/assignments.rs index 4a9984ba..7d1aca60 100644 --- a/Scratch/src/assignments.rs +++ b/Scratch/src/assignments.rs @@ -47,15 +47,15 @@ impl Assignments { #[predicate] pub fn invariant(self, f: Formula) -> bool { pearlite! { - @f.num_vars == (@self).len() - && forall 0 <= i && i < (@self).len() ==> @(@self)[i] <= 3 + f.num_vars@ == self@.len() + && forall 0 <= i && i < self@.len() ==> @self@[i] <= 3 } } #[predicate] pub fn complete(self) -> bool { pearlite! { - forall 0 <= i && i < (@self).len() ==> !unset((@self)[i]) + forall 0 <= i && i < self@.len() ==> !unset(self@[i]) } } } 
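Review bot: The rewritten `invariant` in the Scratch/src/assignments.rs hunk keeps a leading `@` on the element model, `@self@[i] <= 3`, mixing the old prefix form with the new postfix one; the integer model of the element is `self@[i]@ <= 3`, the form the Robinson/src/lit.rs hunks on L85 already use (`a[self.idx@]@`). The same half-conversion of field accesses recurs in the Scratch hunks on L92–L95 — `self@.search`, `self@.num_vars`, `(self@.clauses).len()`, `(@(self@.clauses)[i]).len()`, `self@.idx` and `a@[...]` — where the old `@self.x` applied to the field (the old code had to write `(@self).len()` to apply it to `self` itself), so those should read `self.search@`, `self.num_vars@`, `self.clauses@.len()`, `self.clauses@[i]@.len()`, `self.idx@` and `a[...]@`, matching the Robinson and CreuSAT conversions in this same commit. Because these are Pearlite annotations, rustc will not flag the mismatch; only a Creusot run will.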
diff --git a/Scratch/src/clause.rs b/Scratch/src/clause.rs index 1bd08070..c81b7845 100644 --- a/Scratch/src/clause.rs +++ b/Scratch/src/clause.rs @@ -59,8 +59,8 @@ impl Clause { #[predicate] pub fn post_unit_inner(self, a: Seq) -> bool { pearlite! { - exists 0 <= i && i < (@self).len() && (@self)[i].sat_inner(a) - && forall 0 <= j && j < (@self).len() && j != i ==> (@self)[j].unsat_inner(a) + exists 0 <= i && i < self@.len() && self@[i].sat_inner(a) + && forall 0 <= j && j < self@.len() && j != i ==> self@[j].unsat_inner(a) } } @@ -68,20 +68,20 @@ impl Clause { #[predicate] pub fn no_unset_inner(self, a: Seq) -> bool { pearlite! { - forall 0 <= j && j < (@self).len() ==> !(@self)[j].unset_inner(a) + forall 0 <= j && j < self@.len() ==> !self@[j].unset_inner(a) } } #[predicate] pub fn post_unit(self, a: Assignments) -> bool { - pearlite! { self.post_unit_inner(@a) } + pearlite! { self.post_unit_inner(a@) } } #[predicate] pub fn eq_assn_inner(self, a: Seq, a2: Seq) -> bool { pearlite! { - forall 0 <= i && i < (@self).len() ==> - a[(@self)[i].index_logic()] == a2[(@self)[i].index_logic()] + forall 0 <= i && i < self@.len() ==> + a[self@[i].index_logic()] == a2[self@[i].index_logic()] } } } @@ -95,10 +95,10 @@ impl Clause { #[predicate] pub fn same_idx_same_polarity_except(self, other: Clause, exception: Int) -> bool { pearlite! { - forall 0 <= i && i < (@self).len() && 0 <= j && j < (@other).len() ==> - (((@self)[i].index_logic() != exception && - (@self)[i].index_logic() == (@other)[j].index_logic())) ==> - (@self)[i].is_positive_logic() == (@other)[j].is_positive_logic() + forall 0 <= i && i < self@.len() && 0 <= j && j < (@other).len() ==> + ((self@[i].index_logic() != exception && + self@[i].index_logic() == (@other)[j].index_logic())) ==> + self@[i].is_positive_logic() == (@other)[j].is_positive_logic() } } 
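Review bot: The new lines of `same_idx_same_polarity_except` in the Scratch/src/clause.rs hunk convert only the `self` occurrences and leave `(@other).len()` and `(@other)[j]` in the old prefix form on the same line as `self@[i]`; the same partial conversion is in the L91 hunks (`(@c)`, `(@c2)`) and the L92 hunk (`(@seen)`, `(@o)`). If the targeted Creusot version accepts both spellings this is only inconsistent, but the mix makes a deliberate leftover indistinguishable from a missed one, so `other@.len()`, `other@[j]`, `c@[m]`, `seen@[idx]` and `o@[j]` should be converted in the same pass.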
@@ -107,8 +107,8 @@ impl Clause { pearlite! { (forall 0 <= i && i < (@c ).len() && i != m ==> (@c )[i].lit_in(self)) && (forall 0 <= i && i < (@c2).len() && i != k ==> (@c2 )[i].lit_in(self)) && - (forall 0 <= i && i < (@self).len() ==> ((@self)[i].lit_in(c) - || (@self)[i].lit_in(c2))) && + (forall 0 <= i && i < self@.len() ==> (self@[i].lit_in(c) + || self@[i].lit_in(c2))) && !(@c)[m].lit_in(self) && !(@c2)[k].lit_in(self) && (@c2)[k].is_opp((@c)[m]) } @@ -117,8 +117,8 @@ impl Clause { #[predicate] pub fn in_formula(self, f: Formula) -> bool { pearlite! { - exists 0 <= i && i < (@f.clauses).len() && - (@f.clauses)[i] == self + exists 0 <= i && i < f.clauses@.len() && + f.clauses@[i] == self } } @@ -134,42 +134,42 @@ impl Clause { pearlite! { self.vars_in_range(a.len()) && !self.sat_inner(a) && - exists 0 <= i && i < (@self).len() && - (@self)[i].unset_inner(a) && - (forall 0 <= j && j < (@self).len() && j != i ==> - !(@self)[j].unset_inner(a)) + exists 0 <= i && i < self@.len() && + self@[i].unset_inner(a) && + (forall 0 <= j && j < self@.len() && j != i ==> + !self@[j].unset_inner(a)) } } #[predicate] pub fn unit(self, a: Assignments) -> bool { - pearlite! { self.unit_inner(@a) } + pearlite! { self.unit_inner(a@) } } #[predicate] pub fn unsat_inner(self, a: Seq) -> bool { pearlite! { - forall 0 <= i && i < (@self).len() ==> - (@self)[i].unsat_inner(a) + forall 0 <= i && i < self@.len() ==> + self@[i].unsat_inner(a) } } #[predicate] pub fn unsat(self, a: Assignments) -> bool { - pearlite! { self.unsat_inner(@a) } + pearlite! { self.unsat_inner(a@) } } #[predicate] pub fn sat_inner(self, a: Seq) -> bool { pearlite! { - exists 0 <= i && i < (@self).len() && - (@self)[i].sat_inner(a) + exists 0 <= i && i < self@.len() && + self@[i].sat_inner(a) } } #[predicate] pub fn sat(self, a: Assignments) -> bool { pearlite! { - self.sat_inner(@a) + self.sat_inner(a@) } } 
@@ -180,38 +180,38 @@ impl Clause { #[predicate] pub fn vars_in_range(self, n: Int) -> bool { - pearlite! { vars_in_range_inner(@self, n) } + pearlite! { vars_in_range_inner(self@, n) } } #[predicate] pub fn no_duplicate_indexes(self) -> bool { - pearlite! { no_duplicate_indexes_inner(@self) } + pearlite! { no_duplicate_indexes_innerself@ } } #[predicate] pub fn search_idx_in_range(self) -> bool { - pearlite! { 2 <= @self.search && @self.search <= (@self).len() } + pearlite! { 2 <= self@.search && self@.search <= self@.len() } } #[predicate] pub fn invariant(self, n: Int) -> bool { - pearlite! { invariant_internal(@self, n) } + pearlite! { invariant_internal(self@, n) } } #[predicate] pub fn clause_is_seen(self, seen: Vec) -> bool { pearlite! { forall 0 <= idx && idx < (@seen).len() ==> - ((@seen)[idx] == idx_in_logic(idx, @self)) + ((@seen)[idx] == idx_in_logic(idx, self@)) } } #[predicate] pub fn equals(self, o: Clause) -> bool { pearlite! { - (@self).len() == (@o).len() - && forall 0 <= j && j < (@self).len() ==> - (@self)[j] == (@o)[j] + self@.len() == (@o).len() + && forall 0 <= j && j < self@.len() ==> + self@[j] == (@o)[j] } } } diff --git a/Scratch/src/formula.rs b/Scratch/src/formula.rs index bbe60572..0232e16e 100644 --- a/Scratch/src/formula.rs +++ b/Scratch/src/formula.rs @@ -56,7 +56,7 @@ impl Formula { #[predicate] pub fn eventually_sat_complete(self) -> bool { pearlite! { - exists> a2.len() == @self.num_vars && complete_inner(a2) && self.sat_inner(a2) + exists> a2.len() == self@.num_vars && complete_inner(a2) && self.sat_inner(a2) } } 
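Review bot: `pearlite! { no_duplicate_indexes_innerself@ }` in the Scratch/src/clause.rs hunk has lost the call parentheses, so the predicate body is no longer a call to `no_duplicate_indexes_inner`; it should read `pearlite! { no_duplicate_indexes_inner(self@) }`. The same slip appears in the Scratch/src/formula.rs hunk on L93, where `pearlite! { formula_invariantself@ }` should be `pearlite! { formula_invariant(self@) }`. Presumably the rewrite that turned `(@x)` into `x@` also consumed the surrounding call parentheses when the whole argument list was exactly `@self`; the two-argument calls in the same hunk (`vars_in_range_inner(self@, n)`, `invariant_internal(self@, n)`) came through intact.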
@@ -69,17 +69,17 @@ impl Formula { #[cfg_attr(feature = "trust_formula_logic", trusted)] #[ensures(result == self.invariant_mirror())] // Removing this makes a bunch of seemingly unrelated things fail pub fn invariant(self) -> bool { - pearlite! { formula_invariant(@self) } + pearlite! { formula_invariantself@ } } #[predicate] fn invariant_mirror(self) -> bool { pearlite! { - (forall 0 <= i && i < (@self.clauses).len() ==> - (@self.clauses)[i].invariant(@self.num_vars)) + (forall 0 <= i && i < (self@.clauses).len() ==> + (self@.clauses)[i].invariant(self@.num_vars)) && - (forall 0 <= i && i < (@self.clauses).len() ==> - (@(@self.clauses)[i]).len() >= 1) + (forall 0 <= i && i < (self@.clauses).len() ==> + (@(self@.clauses)[i]).len() >= 1) } } 
@@ -87,46 +87,46 @@ impl Formula { #[predicate] fn eventually_sat_inner(self, a: Seq) -> bool { pearlite! { - exists> a2.len() == @self.num_vars && compatible_inner(a, a2) && self.sat_inner(a2) + exists> a2.len() == self@.num_vars && compatible_inner(a, a2) && self.sat_inner(a2) } } #[predicate] fn eventually_sat_complete_inner(self, a: Seq) -> bool { pearlite! { - exists> a2.len() == @self.num_vars && compatible_complete_inner(a, a2) && self.sat_inner(a2) + exists> a2.len() == self@.num_vars && compatible_complete_inner(a, a2) && self.sat_inner(a2) } } #[predicate] fn eventually_sat(self, a: Assignments) -> bool { - pearlite! { self.eventually_sat_inner(@a)} + pearlite! { self.eventually_sat_inner(a@)} } #[predicate] pub fn sat_inner(self, a: Seq) -> bool { pearlite! { - forall 0 <= i && i < (@self.clauses).len() ==> - (@self.clauses)[i].sat_inner(a) + forall 0 <= i && i < (self@.clauses).len() ==> + (self@.clauses)[i].sat_inner(a) } } #[predicate] pub fn sat(self, a: Assignments) -> bool { - pearlite! { formula_sat_inner(@self, @a) } + pearlite! { formula_sat_inner(self@, a@) } } #[predicate] fn unsat_inner(self, a: Seq) -> bool { pearlite! { - exists 0 <= i && i < (@self.clauses).len() && - (@self.clauses)[i].unsat_inner(a) + exists 0 <= i && i < (self@.clauses).len() && + (self@.clauses)[i].unsat_inner(a) } } #[predicate] pub fn unsat(self, a: Assignments) -> bool { - pearlite! { self.unsat_inner(@a) } + pearlite! { self.unsat_inner(a@) } } #[predicate] diff --git a/Scratch/src/lit.rs b/Scratch/src/lit.rs index 3c239ddf..6576875b 100644 --- a/Scratch/src/lit.rs +++ b/Scratch/src/lit.rs @@ -48,7 +48,7 @@ impl Lit { #[logic] #[why3::attr = "inline:trivial"] pub fn index_logic(self) -> Int { - pearlite! { @self.idx } + pearlite! { self@.idx } } #[logic] 
@@ -106,8 +106,8 @@ impl Lit { pub fn sat_inner(self, a: Seq) -> bool { pearlite! { match self.is_positive_logic() { - true => (@a[self.index_logic()] == 1), - false => (@a[self.index_logic()] == 0), + true => (a@[self.index_logic()] == 1), + false => (a@[self.index_logic()] == 0), } } } @@ -116,8 +116,8 @@ impl Lit { pub fn unsat_inner(self, a: Seq) -> bool { pearlite! { match self.is_positive_logic() { - true => (@a[self.index_logic()] == 0), - false => (@a[self.index_logic()] == 1), + true => (a@[self.index_logic()] == 0), + false => (a@[self.index_logic()] == 1), } } } @@ -129,17 +129,17 @@ impl Lit { #[predicate] pub fn sat(self, a: Assignments) -> bool { - pearlite! { self.sat_inner(@a) } + pearlite! { self.sat_inner(a@) } } #[predicate] pub fn unset(self, a: Assignments) -> bool { - pearlite! { self.unset_inner(@a) } + pearlite! { self.unset_inner(a@) } } #[predicate] pub fn unsat(self, a: Assignments) -> bool { - pearlite! { self.unsat_inner(@a) } + pearlite! { self.unsat_inner(a@) } } /* diff --git a/Scratch/src/logic.rs b/Scratch/src/logic.rs index 5bb2279e..2b6267bb 100644 --- a/Scratch/src/logic.rs +++ b/Scratch/src/logic.rs @@ -27,8 +27,8 @@ pub fn unset(v: AssignedState) -> bool { #[cfg_attr(feature = "trust_logic_logic", trusted)] #[logic] -#[ensures(b ==> @result == 1)] -#[ensures(!b ==> @result == 0)] +#[ensures(b ==> result@ == 1)] +#[ensures(!b ==> result@ == 0)] pub fn bool_to_assignedstate(b: bool) -> AssignedState { if b { 1u8 diff --git a/Scratch/src/scratch.rs b/Scratch/src/scratch.rs index 440995a6..b7b3ca12 100644 --- a/Scratch/src/scratch.rs +++ b/Scratch/src/scratch.rs 
@@ -13,7 +13,7 @@ use crate::{assignments::*, clause::*, formula::*, lit::*}; #[requires(f.invariant())] #[requires(t.invariant(f))] #[requires(unset((@t.assignments)[step.lit.index_logic()]))] -#[requires(step.lit.invariant(@f.num_vars))] +#[requires(step.lit.invariant(f.num_vars@))] //#[requires(step.reason.invariant(f))] #[requires(lit_not_in_less_inner(@t.trail, f))] #[ensures(lit_not_in_less_inner((@t.trail).push(step), f))] @@ -31,14 +31,14 @@ pub fn lemma_clause_permuted_maintains_sat(c: Clause, a: Assignments) {} pub fn lemma_clause_permuted_maintains_unsat(c: Clause, a: Assignments) {} #[maintains((mut f).invariant())] -#[requires((@(@f.clauses)[@cref]).len() >= 2)] -#[requires(@cref < (@f.clauses).len())] -#[requires((@(@f.clauses)[@cref]).len() > @j)] -#[requires((@(@f.clauses)[@cref]).len() > @k)] -#[requires(!(@(@f.clauses)[@cref])[0].sat_inner(@assignments))] -#[ensures(((@(@(^f).clauses)[@cref]).exchange(@(@f.clauses)[@cref], @j, @k)))] -#[ensures(@f.num_vars == @(^f).num_vars)] -#[ensures((@f.clauses).len() == (@(^f).clauses).len())] +#[requires((@f.clauses@[@cref]).len() >= 2)] +#[requires(@cref < f.clauses@.len())] +#[requires((@f.clauses@[@cref]).len() > @j)] +#[requires((@f.clauses@[@cref]).len() > @k)] +#[requires(!(@f.clauses@[@cref])[0].sat_inner(a@ssignments))] +#[ensures(((@(@(^f).clauses)[@cref]).exchange(@f.clauses@[@cref], @j, @k)))] +#[ensures(f.num_vars@ == @(^f).num_vars)] +#[ensures(f.clauses@.len() == (@(^f).clauses).len())] #[ensures(f.equisat(^f))] // This one is hard (both ways equisat) fn swap(f: &mut Formula, cref: usize, j: usize, k: usize, assignments: Assignments) { let old_f: Ghost<&mut Formula> = ghost! { f }; diff --git a/mlcfgs/NewDB.mlcfg b/mlcfgs/NewDB.mlcfg index 37ec5c89..afcf6ad9 100644 --- a/mlcfgs/NewDB.mlcfg +++ b/mlcfgs/NewDB.mlcfg 
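Review bot: `sat_inner(a@ssignments)` in the `swap` contract in the Scratch/src/scratch.rs hunk has the `@` inserted inside the identifier rather than appended, so the precondition no longer names the `assignments` parameter; it should read `#[requires(!f.clauses@[cref@]@[0].sat_inner(assignments@))]`. The rest of that contract is only partly converted — `@cref`, `@j`, `@k`, `(@(^f).clauses)` and `@(^f).num_vars` are still prefix form beside the new `f.clauses@`, and `(@f.clauses@[@cref])` applies both forms to one expression — so the eight `requires`/`ensures` lines on `swap` should be converted together, for example `#[requires(cref@ < f.clauses@.len())]` and `#[ensures(f.num_vars@ == (^f).num_vars@)]`. The body of `swap` continues outside the hunk.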
@@ -316,7 +316,7 @@ module CreusotContracts_Logic_Fset_Impl0_Contains type t use set.Fset predicate contains [@inline:trivial] (self : Fset.fset t) (e : t) = - [#"../NewDB/src/cref_manager.rs" 10 8 11 4] Fset.mem e self + [#"../NewDB/src/cref_manager.rs" 10 16 11 12] Fset.mem e self val contains [@inline:trivial] (self : Fset.fset t) (e : t) : bool ensures { result = contains self e } @@ -695,7 +695,7 @@ module CreusotContracts_Logic_Fset_Impl0_Insert type t use set.Fset function insert [@inline:trivial] (self : Fset.fset t) (e : t) : Fset.fset t = - [#"../NewDB/src/cref_manager.rs" 24 2 25 1] Fset.add e self + [#"../NewDB/src/cref_manager.rs" 24 10 25 9] Fset.add e self val insert [@inline:trivial] (self : Fset.fset t) (e : t) : Fset.fset t ensures { result = insert self e } @@ -1094,7 +1094,7 @@ module CreusotContracts_Logic_Ops_Impl0_IndexLogic type self = s, type ShallowModelTy0.shallowModelTy = Seq.seq t function index_logic [@inline:trivial] (self : s) (ix : int) : t = - [#"../NewDB/src/formula.rs" 60 7 60 30] Seq.get (ShallowModel0.shallow_model self) ix + [#"../NewDB/src/formula.rs" 60 15 60 38] Seq.get (ShallowModel0.shallow_model self) ix val index_logic [@inline:trivial] (self : s) (ix : int) : t ensures { result = index_logic self ix } diff --git a/mlcfgs/Robinson.mlcfg b/mlcfgs/Robinson.mlcfg index cb360031..47dbe05a 100644 --- a/mlcfgs/Robinson.mlcfg +++ b/mlcfgs/Robinson.mlcfg @@ -57,12 +57,12 @@ module Robinson_Assignments_Assignments_Type | C_Assignments _ a -> a end end -module Core_Num_Impl12_Max_Stub +module Core_Num_Impl11_Max_Stub use prelude.Int use prelude.UIntSize val constant mAX' : usize end -module Core_Num_Impl12_Max +module Core_Num_Impl11_Max use prelude.Int use prelude.UIntSize let constant mAX' : usize = [@vc:do_not_keep_trace] [@vc:sp] 
@@ -75,7 +75,7 @@ module CreusotContracts_Std1_Vec_Impl0_ShallowModel_Stub use prelude.UIntSize use prelude.Int use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type - clone Core_Num_Impl12_Max_Stub as Max0 + clone Core_Num_Impl11_Max_Stub as Max0 function shallow_model (self : Alloc_Vec_Vec_Type.t_vec t a) : Seq.seq t end module CreusotContracts_Std1_Vec_Impl0_ShallowModel_Interface @@ -85,7 +85,7 @@ module CreusotContracts_Std1_Vec_Impl0_ShallowModel_Interface use prelude.UIntSize use prelude.Int use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type - clone Core_Num_Impl12_Max_Stub as Max0 + clone Core_Num_Impl11_Max_Stub as Max0 function shallow_model (self : Alloc_Vec_Vec_Type.t_vec t a) : Seq.seq t axiom shallow_model_spec : forall self : Alloc_Vec_Vec_Type.t_vec t a . Seq.length (shallow_model self) <= UIntSize.to_int Max0.mAX' end @@ -96,7 +96,7 @@ module CreusotContracts_Std1_Vec_Impl0_ShallowModel use prelude.UIntSize use prelude.Int use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type - clone Core_Num_Impl12_Max_Stub as Max0 + clone Core_Num_Impl11_Max_Stub as Max0 function shallow_model (self : Alloc_Vec_Vec_Type.t_vec t a) : Seq.seq t val shallow_model (self : Alloc_Vec_Vec_Type.t_vec t a) : Seq.seq t ensures { result = shallow_model self } @@ -125,7 +125,7 @@ module Robinson_Assignments_Impl0_ShallowModel use prelude.UInt8 use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type - clone Core_Num_Impl12_Max_Stub as Max0 + clone Core_Num_Impl11_Max_Stub as Max0 clone CreusotContracts_Std1_Vec_Impl0_ShallowModel_Stub as ShallowModel0 with type t = uint8, type a = Alloc_Alloc_Global_Type.t_global, 
@@ -334,7 +334,7 @@ module Robinson_Assignments_Impl1_Invariant predicate invariant' [#"../Robinson/src/assignments.rs" 52 4 52 46] (self : Robinson_Assignments_Assignments_Type.t_assignments) (f : Robinson_Formula_Formula_Type.t_formula) = - [#"../Robinson/src/assignments.rs" 54 12 54 66] UIntSize.to_int (Robinson_Formula_Formula_Type.formula_num_vars f) = Seq.length (ShallowModel0.shallow_model self) /\ UIntSize.to_int (Robinson_Assignments_Assignments_Type.assignments_1 self) <= UIntSize.to_int (Robinson_Formula_Formula_Type.formula_num_vars f) + [#"../Robinson/src/assignments.rs" 54 12 54 64] UIntSize.to_int (Robinson_Formula_Formula_Type.formula_num_vars f) = Seq.length (ShallowModel0.shallow_model self) /\ UIntSize.to_int (Robinson_Assignments_Assignments_Type.assignments_1 self) <= UIntSize.to_int (Robinson_Formula_Formula_Type.formula_num_vars f) val invariant' [#"../Robinson/src/assignments.rs" 52 4 52 46] (self : Robinson_Assignments_Assignments_Type.t_assignments) (f : Robinson_Formula_Formula_Type.t_formula) : bool ensures { result = invariant' self f } 
@@ -459,11 +459,88 @@ module CreusotContracts_Model_Impl1_ShallowModel val shallow_model (self : t) : ShallowModelTy0.shallowModelTy ensures { result = shallow_model self } +end +module CreusotContracts_Logic_Ops_Impl0_IndexLogic_Stub + type t + type s + use prelude.Int + function index_logic [@inline:trivial] (self : s) (ix : int) : t +end +module CreusotContracts_Logic_Ops_Impl0_IndexLogic_Interface + type t + type s + use prelude.Int + function index_logic [@inline:trivial] (self : s) (ix : int) : t +end +module CreusotContracts_Logic_Ops_Impl0_IndexLogic + type t + type s + use prelude.Int + use seq.Seq + use seq.Seq + clone CreusotContracts_Model_ShallowModel_ShallowModel_Stub as ShallowModel0 with + type self = s, + type ShallowModelTy0.shallowModelTy = Seq.seq t + function index_logic [@inline:trivial] (self : s) (ix : int) : t = + [#"../Robinson/src/clause.rs" 193 9 195 11] Seq.get (ShallowModel0.shallow_model self) ix + val index_logic [@inline:trivial] (self : s) (ix : int) : t + ensures { result = index_logic self ix } + +end +module CreusotContracts_Resolve_Resolve_Resolve_Stub + type self + predicate resolve (self : self) +end +module CreusotContracts_Resolve_Resolve_Resolve_Interface + type self + predicate resolve (self : self) +end +module CreusotContracts_Resolve_Resolve_Resolve + type self + predicate resolve (self : self) + val resolve (self : self) : bool + ensures { result = resolve self } + +end +module CreusotContracts_Std1_Vec_Impl10_Resolve_Stub + type t + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type + predicate resolve (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) +end +module CreusotContracts_Std1_Vec_Impl10_Resolve_Interface + type t + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type + predicate resolve (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) +end +module 
CreusotContracts_Std1_Vec_Impl10_Resolve + type t + use prelude.Int + use seq.Seq + clone Core_Num_Impl11_Max_Stub as Max0 + clone CreusotContracts_Resolve_Resolve_Resolve_Stub as Resolve0 with + type self = t + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type + clone CreusotContracts_Logic_Ops_Impl0_IndexLogic_Stub as IndexLogic0 with + type t = t, + type s = Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) + clone CreusotContracts_Std1_Vec_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = t, + type a = Alloc_Alloc_Global_Type.t_global, + val Max0.mAX' = Max0.mAX', + axiom . + predicate resolve (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = + forall i : int . 0 <= i /\ i < Seq.length (ShallowModel0.shallow_model self) -> Resolve0.resolve (IndexLogic0.index_logic self i) + val resolve (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : bool + ensures { result = resolve self } + end module Alloc_Vec_Impl0_New_Interface type t use seq.Seq - clone Core_Num_Impl12_Max_Stub as Max0 + clone Core_Num_Impl11_Max_Stub as Max0 use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type clone CreusotContracts_Std1_Vec_Impl0_ShallowModel_Stub as ShallowModel0 with 
@@ -553,27 +630,26 @@ module CreusotContracts_Std1_Slice_SliceIndex_HasValue ensures { result = has_value self seq out } end -module Alloc_Vec_Impl15_Index_Interface +module Alloc_Vec_Impl13_Index_Interface type t type i type a use prelude.Borrow use prelude.Slice - use prelude.Seq use seq.Seq use seq.Seq clone Core_Slice_Index_SliceIndex_Output_Type as Output0 with type self = i, - type t = seq t + type t = slice t use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type clone CreusotContracts_Std1_Slice_SliceIndex_HasValue_Stub as HasValue0 with type self = i, - type t = seq t, + type t = slice t, type ShallowModelTy0.shallowModelTy = Seq.seq t, type Output0.output = Output0.output clone CreusotContracts_Std1_Slice_SliceIndex_InBounds_Stub as InBounds0 with type self = i, - type t = seq t, + type t = slice t, type ShallowModelTy0.shallowModelTy = Seq.seq t clone CreusotContracts_Model_Impl1_ShallowModel_Stub as ShallowModel0 with type t = Alloc_Vec_Vec_Type.t_vec t a, @@ -617,7 +693,7 @@ module Alloc_Vec_Impl1_Push_Interface use prelude.Borrow use seq.Seq use seq.Seq - clone Core_Num_Impl12_Max_Stub as Max0 + clone Core_Num_Impl11_Max_Stub as Max0 use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type clone CreusotContracts_Model_Impl3_ShallowModel_Stub as ShallowModel1 with type t = Alloc_Vec_Vec_Type.t_vec t a, 
@@ -630,53 +706,6 @@ module Alloc_Vec_Impl1_Push_Interface val push (self : borrowed (Alloc_Vec_Vec_Type.t_vec t a)) (value : t) : () ensures { ShallowModel0.shallow_model ( ^ self) = Seq.snoc (ShallowModel1.shallow_model self) value } -end -module CreusotContracts_Resolve_Resolve_Resolve_Stub - type self - predicate resolve (self : self) -end -module CreusotContracts_Resolve_Resolve_Resolve_Interface - type self - predicate resolve (self : self) -end -module CreusotContracts_Resolve_Resolve_Resolve - type self - predicate resolve (self : self) - val resolve (self : self) : bool - ensures { result = resolve self } - -end -module CreusotContracts_Std1_Vec_Impl10_Resolve_Stub - type t - use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type - use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type - predicate resolve (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) -end -module CreusotContracts_Std1_Vec_Impl10_Resolve_Interface - type t - use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type - use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type - predicate resolve (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) -end -module CreusotContracts_Std1_Vec_Impl10_Resolve - type t - use prelude.Int - use seq.Seq - clone Core_Num_Impl12_Max_Stub as Max0 - clone CreusotContracts_Resolve_Resolve_Resolve_Stub as Resolve0 with - type self = t - use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type - use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type - clone CreusotContracts_Std1_Vec_Impl0_ShallowModel_Stub as ShallowModel0 with - type t = t, - type a = Alloc_Alloc_Global_Type.t_global, - val Max0.mAX' = Max0.mAX', - axiom . - predicate resolve (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) = - forall i : int . 
0 <= i /\ i < Seq.length (ShallowModel0.shallow_model self) -> Resolve0.resolve (Seq.get (ShallowModel0.shallow_model self) i) - val resolve (self : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global)) : bool - ensures { result = resolve self } - end module CreusotContracts_Std1_Slice_Impl5_InBounds_Stub type t @@ -757,8 +786,8 @@ module Robinson_Assignments_Impl2_Clone_Interface type t = Robinson_Assignments_Assignments_Type.t_assignments, type ShallowModelTy0.shallowModelTy = Seq.seq uint8 val clone' [#"../Robinson/src/assignments.rs" 81 4 81 31] (self : Robinson_Assignments_Assignments_Type.t_assignments) : Robinson_Assignments_Assignments_Type.t_assignments - ensures { [#"../Robinson/src/assignments.rs" 78 4 78 89] forall i : int . 0 <= i /\ i < Seq.length (ShallowModel0.shallow_model self) -> Seq.get (ShallowModel0.shallow_model self) i = Seq.get (ShallowModel1.shallow_model result) i } - ensures { [#"../Robinson/src/assignments.rs" 79 14 79 46] Seq.length (ShallowModel0.shallow_model self) = Seq.length (ShallowModel1.shallow_model result) } + ensures { [#"../Robinson/src/assignments.rs" 78 4 78 83] forall i : int . 0 <= i /\ i < Seq.length (ShallowModel0.shallow_model self) -> Seq.get (ShallowModel0.shallow_model self) i = Seq.get (ShallowModel1.shallow_model result) i } + ensures { [#"../Robinson/src/assignments.rs" 79 14 79 42] Seq.length (ShallowModel0.shallow_model self) = Seq.length (ShallowModel1.shallow_model result) } ensures { [#"../Robinson/src/assignments.rs" 80 14 80 34] UIntSize.to_int (Robinson_Assignments_Assignments_Type.assignments_1 result) = UIntSize.to_int (Robinson_Assignments_Assignments_Type.assignments_1 self) } end 
@@ -770,15 +799,19 @@ module Robinson_Assignments_Impl2_Clone use seq.Seq clone CreusotContracts_Resolve_Impl2_Resolve as Resolve1 with type t = uint8 + use seq.Seq use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type - clone Core_Num_Impl12_Max as Max0 + clone Core_Num_Impl11_Max as Max0 use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type clone CreusotContracts_Std1_Vec_Impl0_ShallowModel as ShallowModel2 with type t = uint8, type a = Alloc_Alloc_Global_Type.t_global, val Max0.mAX' = Max0.mAX', axiom . - use seq.Seq + clone CreusotContracts_Logic_Ops_Impl0_IndexLogic as IndexLogic0 with + type t = uint8, + type s = Alloc_Vec_Vec_Type.t_vec uint8 (Alloc_Alloc_Global_Type.t_global), + function ShallowModel0.shallow_model = ShallowModel2.shallow_model clone CreusotContracts_Model_Impl3_ShallowModel as ShallowModel4 with type t = Alloc_Vec_Vec_Type.t_vec uint8 (Alloc_Alloc_Global_Type.t_global), type ShallowModelTy0.shallowModelTy = Seq.seq uint8, @@ -794,6 +827,7 @@ module Robinson_Assignments_Impl2_Clone clone CreusotContracts_Std1_Vec_Impl10_Resolve as Resolve0 with type t = uint8, function ShallowModel0.shallow_model = ShallowModel2.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, predicate Resolve0.resolve = Resolve1.resolve, val Max0.mAX' = Max0.mAX' clone Alloc_Vec_Impl1_Push_Interface as Push0 with @@ -802,7 +836,7 @@ module Robinson_Assignments_Impl2_Clone function ShallowModel0.shallow_model = ShallowModel2.shallow_model, function ShallowModel1.shallow_model = ShallowModel4.shallow_model, val Max0.mAX' = Max0.mAX' - clone Alloc_Vec_Impl15_Index_Interface as Index0 with + clone Alloc_Vec_Impl13_Index_Interface as Index0 with type t = uint8, type i = usize, type a = Alloc_Alloc_Global_Type.t_global, 
@@ -827,8 +861,8 @@ module Robinson_Assignments_Impl2_Clone type ShallowModelTy0.shallowModelTy = Seq.seq uint8, function ShallowModel0.shallow_model = ShallowModel1.shallow_model let rec cfg clone' [#"../Robinson/src/assignments.rs" 81 4 81 31] [@cfg:stackify] [@cfg:subregion_analysis] (self : Robinson_Assignments_Assignments_Type.t_assignments) : Robinson_Assignments_Assignments_Type.t_assignments - ensures { [#"../Robinson/src/assignments.rs" 78 4 78 89] forall i : int . 0 <= i /\ i < Seq.length (ShallowModel0.shallow_model self) -> Seq.get (ShallowModel0.shallow_model self) i = Seq.get (ShallowModel1.shallow_model result) i } - ensures { [#"../Robinson/src/assignments.rs" 79 14 79 46] Seq.length (ShallowModel0.shallow_model self) = Seq.length (ShallowModel1.shallow_model result) } + ensures { [#"../Robinson/src/assignments.rs" 78 4 78 83] forall i : int . 0 <= i /\ i < Seq.length (ShallowModel0.shallow_model self) -> Seq.get (ShallowModel0.shallow_model self) i = Seq.get (ShallowModel1.shallow_model result) i } + ensures { [#"../Robinson/src/assignments.rs" 79 14 79 42] Seq.length (ShallowModel0.shallow_model self) = Seq.length (ShallowModel1.shallow_model result) } ensures { [#"../Robinson/src/assignments.rs" 80 14 80 34] UIntSize.to_int (Robinson_Assignments_Assignments_Type.assignments_1 result) = UIntSize.to_int (Robinson_Assignments_Assignments_Type.assignments_1 self) } = [@vc:do_not_keep_trace] [@vc:sp] 
@@ -872,9 +906,9 @@ module Robinson_Assignments_Impl2_Clone goto BB4 } BB4 { - invariant loop_invariant { [#"../Robinson/src/assignments.rs" 84 36 84 55] UIntSize.to_int i_6 <= Seq.length (ShallowModel0.shallow_model self_1) }; - invariant equality { [#"../Robinson/src/assignments.rs" 84 8 84 57] forall j : int . 0 <= j /\ j < UIntSize.to_int i_6 -> Seq.get (ShallowModel2.shallow_model out_5) j = Seq.get (ShallowModel0.shallow_model self_1) j }; - invariant len { [#"../Robinson/src/assignments.rs" 86 25 86 43] Seq.length (ShallowModel2.shallow_model out_5) = UIntSize.to_int i_6 }; + invariant { [#"../Robinson/src/assignments.rs" 84 20 84 37] UIntSize.to_int i_6 <= Seq.length (ShallowModel0.shallow_model self_1) }; + invariant { [#"../Robinson/src/assignments.rs" 84 8 84 39] forall j : int . 0 <= j /\ j < UIntSize.to_int i_6 -> Seq.get (ShallowModel2.shallow_model out_5) j = Seq.get (ShallowModel0.shallow_model self_1) j }; + invariant { [#"../Robinson/src/assignments.rs" 86 20 86 36] Seq.length (ShallowModel2.shallow_model out_5) = UIntSize.to_int i_6 }; _13 <- i_6; _15 <- Robinson_Assignments_Assignments_Type.assignments_0 self_1; _14 <- ([#"../Robinson/src/assignments.rs" 87 18 87 30] Len0.len _15); @@ -941,7 +975,7 @@ module Robinson_Clause_Impl0_ShallowModel use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type use Robinson_Lit_Lit_Type as Robinson_Lit_Lit_Type use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type - clone Core_Num_Impl12_Max_Stub as Max0 + clone Core_Num_Impl11_Max_Stub as Max0 clone CreusotContracts_Std1_Vec_Impl0_ShallowModel_Stub as ShallowModel0 with type t = Robinson_Lit_Lit_Type.t_lit, type a = Alloc_Alloc_Global_Type.t_global, 
@@ -1039,7 +1073,7 @@ module Robinson_Formula_Impl1_Invariant use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type use Robinson_Clause_Clause_Type as Robinson_Clause_Clause_Type use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type - clone Core_Num_Impl12_Max_Stub as Max0 + clone Core_Num_Impl11_Max_Stub as Max0 clone Robinson_Clause_Impl1_Invariant_Stub as Invariant0 clone CreusotContracts_Std1_Vec_Impl0_ShallowModel_Stub as ShallowModel0 with type t = Robinson_Clause_Clause_Type.t_clause, @@ -1058,9 +1092,12 @@ module Alloc_Vec_FromElem_Interface use seq.Seq use prelude.UIntSize use prelude.Int - clone Core_Num_Impl12_Max_Stub as Max0 + clone Core_Num_Impl11_Max_Stub as Max0 use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type + clone CreusotContracts_Logic_Ops_Impl0_IndexLogic_Stub as IndexLogic0 with + type t = t, + type s = Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) clone CreusotContracts_Std1_Vec_Impl0_ShallowModel_Stub as ShallowModel0 with type t = t, type a = Alloc_Alloc_Global_Type.t_global, @@ -1068,7 +1105,7 @@ module Alloc_Vec_FromElem_Interface axiom . val from_elem (elem : t) (n : usize) : Alloc_Vec_Vec_Type.t_vec t (Alloc_Alloc_Global_Type.t_global) ensures { Seq.length (ShallowModel0.shallow_model result) = UIntSize.to_int n } - ensures { forall i : int . 0 <= i /\ i < UIntSize.to_int n -> Seq.get (ShallowModel0.shallow_model result) i = elem } + ensures { forall i : int . 0 <= i /\ i < UIntSize.to_int n -> IndexLogic0.index_logic result i = elem } end module Robinson_Assignments_Impl2_New_Interface 
@@ -1084,7 +1121,7 @@ module Robinson_Assignments_Impl2_New_Interface val new [#"../Robinson/src/assignments.rs" 98 4 98 35] (f : Robinson_Formula_Formula_Type.t_formula) : Robinson_Assignments_Assignments_Type.t_assignments requires {[#"../Robinson/src/assignments.rs" 95 15 95 28] Invariant0.invariant' f} ensures { [#"../Robinson/src/assignments.rs" 96 14 96 34] Invariant1.invariant' result f } - ensures { [#"../Robinson/src/assignments.rs" 97 4 97 84] forall i : int . 0 <= i /\ i < Seq.length (ShallowModel0.shallow_model result) -> Unset0.unset (Seq.get (ShallowModel0.shallow_model result) i) } + ensures { [#"../Robinson/src/assignments.rs" 97 4 97 80] forall i : int . 0 <= i /\ i < Seq.length (ShallowModel0.shallow_model result) -> Unset0.unset (Seq.get (ShallowModel0.shallow_model result) i) } end module Robinson_Assignments_Impl2_New @@ -1096,7 +1133,7 @@ module Robinson_Assignments_Impl2_New use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type use Robinson_Lit_Lit_Type as Robinson_Lit_Lit_Type use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type - clone Core_Num_Impl12_Max as Max0 + clone Core_Num_Impl11_Max as Max0 clone CreusotContracts_Std1_Vec_Impl0_ShallowModel as ShallowModel4 with type t = Robinson_Lit_Lit_Type.t_lit, type a = Alloc_Alloc_Global_Type.t_global, @@ -1107,6 +1144,7 @@ module Robinson_Assignments_Impl2_New clone Robinson_Clause_Impl0_ShallowModel as ShallowModel3 with function ShallowModel0.shallow_model = ShallowModel4.shallow_model, val Max0.mAX' = Max0.mAX' + use seq.Seq clone Robinson_Clause_Impl1_VarsInRange as VarsInRange0 with function ShallowModel0.shallow_model = ShallowModel3.shallow_model, predicate Invariant0.invariant' = Invariant3.invariant' 
@@ -1115,6 +1153,10 @@ module Robinson_Assignments_Impl2_New type a = Alloc_Alloc_Global_Type.t_global, val Max0.mAX' = Max0.mAX', axiom . + clone CreusotContracts_Logic_Ops_Impl0_IndexLogic as IndexLogic0 with + type t = uint8, + type s = Alloc_Vec_Vec_Type.t_vec uint8 (Alloc_Alloc_Global_Type.t_global), + function ShallowModel0.shallow_model = ShallowModel2.shallow_model clone Robinson_Clause_Impl1_Invariant as Invariant2 with predicate VarsInRange0.vars_in_range = VarsInRange0.vars_in_range clone CreusotContracts_Std1_Vec_Impl0_ShallowModel as ShallowModel1 with @@ -1125,6 +1167,7 @@ module Robinson_Assignments_Impl2_New clone Alloc_Vec_FromElem_Interface as FromElem0 with type t = uint8, function ShallowModel0.shallow_model = ShallowModel2.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, val Max0.mAX' = Max0.mAX' clone Robinson_Logic_Unset as Unset0 use Robinson_Assignments_Assignments_Type as Robinson_Assignments_Assignments_Type @@ -1141,7 +1184,7 @@ module Robinson_Assignments_Impl2_New let rec cfg new [#"../Robinson/src/assignments.rs" 98 4 98 35] [@cfg:stackify] [@cfg:subregion_analysis] (f : Robinson_Formula_Formula_Type.t_formula) : Robinson_Assignments_Assignments_Type.t_assignments requires {[#"../Robinson/src/assignments.rs" 95 15 95 28] Invariant0.invariant' f} ensures { [#"../Robinson/src/assignments.rs" 96 14 96 34] Invariant1.invariant' result f } - ensures { [#"../Robinson/src/assignments.rs" 97 4 97 84] forall i : int . 0 <= i /\ i < Seq.length (ShallowModel0.shallow_model result) -> Unset0.unset (Seq.get (ShallowModel0.shallow_model result) i) } + ensures { [#"../Robinson/src/assignments.rs" 97 4 97 80] forall i : int . 0 <= i /\ i < Seq.length (ShallowModel0.shallow_model result) -> Unset0.unset (Seq.get (ShallowModel0.shallow_model result) i) } = [@vc:do_not_keep_trace] [@vc:sp] var _0 : Robinson_Assignments_Assignments_Type.t_assignments; 
@@ -1199,7 +1242,7 @@ module Robinson_Decision_Impl0_Invariant use prelude.UIntSize use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type - clone Core_Num_Impl12_Max_Stub as Max0 + clone Core_Num_Impl11_Max_Stub as Max0 clone CreusotContracts_Std1_Vec_Impl0_ShallowModel_Stub as ShallowModel0 with type t = usize, type a = Alloc_Alloc_Global_Type.t_global, 
@@ -1254,10 +1297,10 @@ module Robinson_Assignments_Impl2_FindUnassigned_Interface val find_unassigned [#"../Robinson/src/assignments.rs" 108 4 108 75] (self : borrowed (Robinson_Assignments_Assignments_Type.t_assignments)) (d : Robinson_Decision_Decisions_Type.t_decisions) (_f : Robinson_Formula_Formula_Type.t_formula) : usize requires {[#"../Robinson/src/assignments.rs" 103 4 103 43] Invariant0.invariant' ( * self) _f} requires {[#"../Robinson/src/assignments.rs" 104 15 104 31] not Complete0.complete ( * self)} - requires {[#"../Robinson/src/assignments.rs" 105 15 105 41] Invariant1.invariant' d (Seq.length (ShallowModel0.shallow_model self))} + requires {[#"../Robinson/src/assignments.rs" 105 15 105 39] Invariant1.invariant' d (Seq.length (ShallowModel0.shallow_model self))} ensures { [#"../Robinson/src/assignments.rs" 103 4 103 43] Invariant0.invariant' ( ^ self) _f } - ensures { [#"../Robinson/src/assignments.rs" 106 14 106 64] UIntSize.to_int result < Seq.length (ShallowModel0.shallow_model self) /\ Unset0.unset (Seq.get (ShallowModel0.shallow_model self) (UIntSize.to_int result)) } - ensures { [#"../Robinson/src/assignments.rs" 107 14 107 29] ShallowModel0.shallow_model self = ShallowModel1.shallow_model ( ^ self) } + ensures { [#"../Robinson/src/assignments.rs" 106 14 106 60] UIntSize.to_int result < Seq.length (ShallowModel0.shallow_model self) /\ Unset0.unset (Seq.get (ShallowModel0.shallow_model self) (UIntSize.to_int result)) } + ensures { [#"../Robinson/src/assignments.rs" 107 14 107 31] ShallowModel0.shallow_model self = ShallowModel1.shallow_model ( ^ self) } end module Robinson_Assignments_Impl2_FindUnassigned 
@@ -1271,7 +1314,7 @@ module Robinson_Assignments_Impl2_FindUnassigned clone CreusotContracts_Std1_Slice_Impl5_InBounds as InBounds1 with type t = uint8 use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type - clone Core_Num_Impl12_Max as Max0 + clone Core_Num_Impl11_Max as Max0 use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type clone CreusotContracts_Std1_Vec_Impl0_ShallowModel as ShallowModel3 with type t = uint8, @@ -1303,7 +1346,7 @@ module Robinson_Assignments_Impl2_FindUnassigned use Robinson_Assignments_Assignments_Type as Robinson_Assignments_Assignments_Type clone CreusotContracts_Resolve_Impl1_Resolve as Resolve0 with type t = Robinson_Assignments_Assignments_Type.t_assignments - clone Alloc_Vec_Impl15_Index_Interface as Index1 with + clone Alloc_Vec_Impl13_Index_Interface as Index1 with type t = uint8, type i = usize, type a = Alloc_Alloc_Global_Type.t_global, @@ -1311,7 +1354,7 @@ module Robinson_Assignments_Impl2_FindUnassigned predicate InBounds0.in_bounds = InBounds1.in_bounds, predicate HasValue0.has_value = HasValue1.has_value, type Output0.output = uint8 - clone Alloc_Vec_Impl15_Index_Interface as Index0 with + clone Alloc_Vec_Impl13_Index_Interface as Index0 with type t = usize, type i = usize, type a = Alloc_Alloc_Global_Type.t_global, 
@@ -1344,10 +1387,10 @@ module Robinson_Assignments_Impl2_FindUnassigned let rec cfg find_unassigned [#"../Robinson/src/assignments.rs" 108 4 108 75] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (Robinson_Assignments_Assignments_Type.t_assignments)) (d : Robinson_Decision_Decisions_Type.t_decisions) (_f : Robinson_Formula_Formula_Type.t_formula) : usize requires {[#"../Robinson/src/assignments.rs" 103 4 103 43] Invariant0.invariant' ( * self) _f} requires {[#"../Robinson/src/assignments.rs" 104 15 104 31] not Complete0.complete ( * self)} - requires {[#"../Robinson/src/assignments.rs" 105 15 105 41] Invariant1.invariant' d (Seq.length (ShallowModel0.shallow_model self))} + requires {[#"../Robinson/src/assignments.rs" 105 15 105 39] Invariant1.invariant' d (Seq.length (ShallowModel0.shallow_model self))} ensures { [#"../Robinson/src/assignments.rs" 103 4 103 43] Invariant0.invariant' ( ^ self) _f } - ensures { [#"../Robinson/src/assignments.rs" 106 14 106 64] UIntSize.to_int result < Seq.length (ShallowModel0.shallow_model self) /\ Unset0.unset (Seq.get (ShallowModel0.shallow_model self) (UIntSize.to_int result)) } - ensures { [#"../Robinson/src/assignments.rs" 107 14 107 29] ShallowModel0.shallow_model self = ShallowModel1.shallow_model ( ^ self) } + ensures { [#"../Robinson/src/assignments.rs" 106 14 106 60] UIntSize.to_int result < Seq.length (ShallowModel0.shallow_model self) /\ Unset0.unset (Seq.get (ShallowModel0.shallow_model self) (UIntSize.to_int result)) } + ensures { [#"../Robinson/src/assignments.rs" 107 14 107 31] ShallowModel0.shallow_model self = ShallowModel1.shallow_model ( ^ self) } = [@vc:do_not_keep_trace] [@vc:sp] var _0 : usize; 
@@ -1407,7 +1450,7 @@ module Robinson_Assignments_Impl2_FindUnassigned goto BB1 } BB1 { - invariant i_bound { [#"../Robinson/src/assignments.rs" 110 29 110 55] UIntSize.to_int i_11 <= Seq.length (ShallowModel2.shallow_model (Robinson_Decision_Decisions_Type.decisions_lit_order d_2)) }; + invariant { [#"../Robinson/src/assignments.rs" 110 20 110 44] UIntSize.to_int i_11 <= Seq.length (ShallowModel2.shallow_model (Robinson_Decision_Decisions_Type.decisions_lit_order d_2)) }; _16 <- i_11; _18 <- Robinson_Decision_Decisions_Type.decisions_lit_order d_2; _17 <- ([#"../Robinson/src/assignments.rs" 111 18 111 35] Len0.len _18); @@ -1466,7 +1509,7 @@ module Robinson_Assignments_Impl2_FindUnassigned goto BB10 } BB10 { - invariant prev { [#"../Robinson/src/assignments.rs" 122 8 122 82] forall j : int . 0 <= j /\ j < UIntSize.to_int i_11 -> not Unset0.unset (Seq.get (ShallowModel0.shallow_model self_1) j) }; + invariant { [#"../Robinson/src/assignments.rs" 122 8 122 74] forall j : int . 0 <= j /\ j < UIntSize.to_int i_11 -> not Unset0.unset (Seq.get (ShallowModel0.shallow_model self_1) j) }; _40 <- i_11; _42 <- Robinson_Assignments_Assignments_Type.assignments_0 ( * self_1); _41 <- ([#"../Robinson/src/assignments.rs" 123 18 123 30] Len1.len _42); @@ -1599,7 +1642,7 @@ module Robinson_Formula_Impl1_SatInner use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type use Robinson_Clause_Clause_Type as Robinson_Clause_Clause_Type use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type - clone Core_Num_Impl12_Max_Stub as Max0 + clone Core_Num_Impl11_Max_Stub as Max0 clone Robinson_Clause_Impl1_SatInner_Stub as SatInner0 clone CreusotContracts_Std1_Vec_Impl0_ShallowModel_Stub as ShallowModel0 with type t = Robinson_Clause_Clause_Type.t_clause, 
@@ -1702,7 +1745,7 @@ module Robinson_Lit_Impl1_UnsetInner use Robinson_Lit_Lit_Type as Robinson_Lit_Lit_Type predicate unset_inner [#"../Robinson/src/lit.rs" 60 4 60 59] (self : Robinson_Lit_Lit_Type.t_lit) (a : Seq.seq uint8) = - [#"../Robinson/src/lit.rs" 62 12 62 32] UInt8.to_int (Seq.get a (UIntSize.to_int (Robinson_Lit_Lit_Type.lit_idx self))) >= 2 + [#"../Robinson/src/lit.rs" 62 12 62 30] UInt8.to_int (Seq.get a (UIntSize.to_int (Robinson_Lit_Lit_Type.lit_idx self))) >= 2 val unset_inner [#"../Robinson/src/lit.rs" 60 4 60 59] (self : Robinson_Lit_Lit_Type.t_lit) (a : Seq.seq uint8) : bool ensures { result = unset_inner self a } 
@@ -1879,1603 +1922,1602 @@ module Robinson_Clause_Impl1_Unsat ensures { result = unsat self a } end -module Robinson_Lit_Impl1_Sat_Stub - use Robinson_Assignments_Assignments_Type as Robinson_Assignments_Assignments_Type +module Robinson_Lit_Impl0_IndexLogic_Stub + use prelude.Int use Robinson_Lit_Lit_Type as Robinson_Lit_Lit_Type - predicate sat [#"../Robinson/src/lit.rs" 67 4 67 44] (self : Robinson_Lit_Lit_Type.t_lit) (a : Robinson_Assignments_Assignments_Type.t_assignments) + function index_logic [@inline:trivial] [#"../Robinson/src/lit.rs" 20 4 20 35] (self : Robinson_Lit_Lit_Type.t_lit) : int end -module Robinson_Lit_Impl1_Sat_Interface - use Robinson_Assignments_Assignments_Type as Robinson_Assignments_Assignments_Type +module Robinson_Lit_Impl0_IndexLogic_Interface + use prelude.Int use Robinson_Lit_Lit_Type as Robinson_Lit_Lit_Type - predicate sat [#"../Robinson/src/lit.rs" 67 4 67 44] (self : Robinson_Lit_Lit_Type.t_lit) (a : Robinson_Assignments_Assignments_Type.t_assignments) + function index_logic [@inline:trivial] [#"../Robinson/src/lit.rs" 20 4 20 35] (self : Robinson_Lit_Lit_Type.t_lit) : int end -module Robinson_Lit_Impl1_Sat +module Robinson_Lit_Impl0_IndexLogic + use prelude.Int + use prelude.UIntSize use Robinson_Lit_Lit_Type as Robinson_Lit_Lit_Type - clone Robinson_Lit_Impl1_SatInner_Stub as SatInner0 - use Robinson_Assignments_Assignments_Type as Robinson_Assignments_Assignments_Type - clone Robinson_Assignments_Impl0_ShallowModel_Stub as ShallowModel0 - predicate sat [#"../Robinson/src/lit.rs" 67 4 67 44] (self : Robinson_Lit_Lit_Type.t_lit) (a : Robinson_Assignments_Assignments_Type.t_assignments) + function index_logic [@inline:trivial] [#"../Robinson/src/lit.rs" 20 4 20 35] (self : Robinson_Lit_Lit_Type.t_lit) : int = - [#"../Robinson/src/lit.rs" 69 12 69 30] SatInner0.sat_inner self (ShallowModel0.shallow_model a) - val sat [#"../Robinson/src/lit.rs" 67 4 67 44] (self : Robinson_Lit_Lit_Type.t_lit) (a : 
Robinson_Assignments_Assignments_Type.t_assignments) : bool - ensures { result = sat self a } + [#"../Robinson/src/lit.rs" 21 8 21 31] UIntSize.to_int (Robinson_Lit_Lit_Type.lit_idx self) + val index_logic [@inline:trivial] [#"../Robinson/src/lit.rs" 20 4 20 35] (self : Robinson_Lit_Lit_Type.t_lit) : int + ensures { result = index_logic self } end -module Robinson_Lit_Impl2_LitSat_Interface - use seq.Seq - use prelude.Borrow +module Robinson_Logic_BoolToAssignedstate_Stub + use prelude.UInt8 use prelude.Int + function bool_to_assignedstate [#"../Robinson/src/logic.rs" 9 0 9 54] (b : bool) : uint8 +end +module Robinson_Logic_BoolToAssignedstate_Interface use prelude.UInt8 - use seq.Seq - use Robinson_Assignments_Assignments_Type as Robinson_Assignments_Assignments_Type - use Robinson_Lit_Lit_Type as Robinson_Lit_Lit_Type - clone Robinson_Lit_Impl1_Sat_Stub as Sat0 - clone Robinson_Lit_Impl1_Invariant_Stub as Invariant0 - clone CreusotContracts_Model_Impl1_ShallowModel_Stub as ShallowModel0 with - type t = Robinson_Assignments_Assignments_Type.t_assignments, - type ShallowModelTy0.shallowModelTy = Seq.seq uint8 - val lit_sat [#"../Robinson/src/lit.rs" 95 4 95 49] (self : Robinson_Lit_Lit_Type.t_lit) (a : Robinson_Assignments_Assignments_Type.t_assignments) : bool - requires {[#"../Robinson/src/lit.rs" 93 15 93 41] Invariant0.invariant' self (Seq.length (ShallowModel0.shallow_model a))} - ensures { [#"../Robinson/src/lit.rs" 94 14 94 36] result = Sat0.sat self a } - + use prelude.Int + function bool_to_assignedstate [#"../Robinson/src/logic.rs" 9 0 9 54] (b : bool) : uint8 + axiom bool_to_assignedstate_spec : forall b : bool . 
([#"../Robinson/src/logic.rs" 8 0 8 31] not b -> UInt8.to_int (bool_to_assignedstate b) = 0) && ([#"../Robinson/src/logic.rs" 7 0 7 30] b -> UInt8.to_int (bool_to_assignedstate b) = 1) end -module Robinson_Lit_Impl2_LitSat - use prelude.Borrow +module Robinson_Logic_BoolToAssignedstate + use prelude.UInt8 use prelude.Int + function bool_to_assignedstate [#"../Robinson/src/logic.rs" 9 0 9 54] (b : bool) : uint8 = + [#"../Robinson/src/logic.rs" 6 0 6 8] if b then (1 : uint8) else (0 : uint8) + val bool_to_assignedstate [#"../Robinson/src/logic.rs" 9 0 9 54] (b : bool) : uint8 + ensures { result = bool_to_assignedstate b } + + axiom bool_to_assignedstate_spec : forall b : bool . ([#"../Robinson/src/logic.rs" 8 0 8 31] not b -> UInt8.to_int (bool_to_assignedstate b) = 0) && ([#"../Robinson/src/logic.rs" 7 0 7 30] b -> UInt8.to_int (bool_to_assignedstate b) = 1) +end +module Robinson_Logic_BoolToAssignedstate_Impl use prelude.UInt8 - use prelude.UIntSize + use prelude.Int + let rec ghost function bool_to_assignedstate [#"../Robinson/src/logic.rs" 9 0 9 54] (b : bool) : uint8 + ensures { [#"../Robinson/src/logic.rs" 7 0 7 30] b -> UInt8.to_int result = 1 } + ensures { [#"../Robinson/src/logic.rs" 8 0 8 31] not b -> UInt8.to_int result = 0 } + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../Robinson/src/logic.rs" 6 0 6 8] if b then (1 : uint8) else (0 : uint8) +end +module Robinson_Clause_Impl1_InFormula_Stub + use Robinson_Formula_Formula_Type as Robinson_Formula_Formula_Type + use Robinson_Clause_Clause_Type as Robinson_Clause_Clause_Type + predicate in_formula [#"../Robinson/src/clause.rs" 26 4 26 47] (self : Robinson_Clause_Clause_Type.t_clause) (f : Robinson_Formula_Formula_Type.t_formula) + +end +module Robinson_Clause_Impl1_InFormula_Interface + use Robinson_Formula_Formula_Type as Robinson_Formula_Formula_Type + use Robinson_Clause_Clause_Type as Robinson_Clause_Clause_Type + predicate in_formula [#"../Robinson/src/clause.rs" 26 4 26 47] (self : 
Robinson_Clause_Clause_Type.t_clause) (f : Robinson_Formula_Formula_Type.t_formula) + +end +module Robinson_Clause_Impl1_InFormula + use prelude.Int use seq.Seq - clone Core_Num_Impl12_Max as Max0 - use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type - clone CreusotContracts_Std1_Vec_Impl0_ShallowModel as ShallowModel3 with - type t = uint8, + use Robinson_Clause_Clause_Type as Robinson_Clause_Clause_Type + use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type + clone Core_Num_Impl11_Max_Stub as Max0 + clone CreusotContracts_Std1_Vec_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = Robinson_Clause_Clause_Type.t_clause, type a = Alloc_Alloc_Global_Type.t_global, val Max0.mAX' = Max0.mAX', axiom . - clone CreusotContracts_Std1_Slice_Impl5_HasValue as HasValue0 with - type t = uint8 - clone CreusotContracts_Std1_Slice_Impl5_InBounds as InBounds0 with - type t = uint8 - use seq.Seq - clone CreusotContracts_Model_Impl1_ShallowModel as ShallowModel2 with - type t = Alloc_Vec_Vec_Type.t_vec uint8 (Alloc_Alloc_Global_Type.t_global), - type ShallowModelTy0.shallowModelTy = Seq.seq uint8, - function ShallowModel0.shallow_model = ShallowModel3.shallow_model - use Robinson_Lit_Lit_Type as Robinson_Lit_Lit_Type - clone Robinson_Lit_Impl1_SatInner as SatInner0 - use Robinson_Assignments_Assignments_Type as Robinson_Assignments_Assignments_Type - clone Robinson_Assignments_Impl0_ShallowModel as ShallowModel1 with - function ShallowModel0.shallow_model = ShallowModel3.shallow_model, - val Max0.mAX' = Max0.mAX' - clone Alloc_Vec_Impl15_Index_Interface as Index0 with - type t = uint8, - type i = usize, - type a = Alloc_Alloc_Global_Type.t_global, - function ShallowModel0.shallow_model = ShallowModel2.shallow_model, - predicate InBounds0.in_bounds = InBounds0.in_bounds, - predicate HasValue0.has_value = HasValue0.has_value, - type Output0.output = uint8 - clone Robinson_Lit_Impl1_Sat as Sat0 with - function ShallowModel0.shallow_model = 
ShallowModel1.shallow_model, - predicate SatInner0.sat_inner = SatInner0.sat_inner - clone Robinson_Lit_Impl1_Invariant as Invariant0 - clone CreusotContracts_Model_Impl1_ShallowModel as ShallowModel0 with - type t = Robinson_Assignments_Assignments_Type.t_assignments, - type ShallowModelTy0.shallowModelTy = Seq.seq uint8, - function ShallowModel0.shallow_model = ShallowModel1.shallow_model - let rec cfg lit_sat [#"../Robinson/src/lit.rs" 95 4 95 49] [@cfg:stackify] [@cfg:subregion_analysis] (self : Robinson_Lit_Lit_Type.t_lit) (a : Robinson_Assignments_Assignments_Type.t_assignments) : bool - requires {[#"../Robinson/src/lit.rs" 93 15 93 41] Invariant0.invariant' self (Seq.length (ShallowModel0.shallow_model a))} - ensures { [#"../Robinson/src/lit.rs" 94 14 94 36] result = Sat0.sat self a } + use Robinson_Formula_Formula_Type as Robinson_Formula_Formula_Type + predicate in_formula [#"../Robinson/src/clause.rs" 26 4 26 47] (self : Robinson_Clause_Clause_Type.t_clause) (f : Robinson_Formula_Formula_Type.t_formula) - = [@vc:do_not_keep_trace] [@vc:sp] - var _0 : bool; - var self_1 : Robinson_Lit_Lit_Type.t_lit; - var a_2 : Robinson_Assignments_Assignments_Type.t_assignments; - var _5 : uint8; - var _6 : uint8; - var _7 : Alloc_Vec_Vec_Type.t_vec uint8 (Alloc_Alloc_Global_Type.t_global); - var _8 : usize; - var _9 : uint8; - var _10 : uint8; - var _11 : Alloc_Vec_Vec_Type.t_vec uint8 (Alloc_Alloc_Global_Type.t_global); - var _12 : usize; - { - self_1 <- self; - a_2 <- a; - goto BB0 - } - BB0 { - switch (Robinson_Lit_Lit_Type.lit_polarity self_1) - | False -> goto BB1 - | True -> goto BB2 - end - } - BB1 { - _11 <- Robinson_Assignments_Assignments_Type.assignments_0 a_2; - _12 <- Robinson_Lit_Lit_Type.lit_idx self_1; - _10 <- ([#"../Robinson/src/lit.rs" 98 22 98 35] Index0.index _11 _12); - goto BB4 - } - BB2 { - _7 <- Robinson_Assignments_Assignments_Type.assignments_0 a_2; - _8 <- Robinson_Lit_Lit_Type.lit_idx self_1; - _6 <- ([#"../Robinson/src/lit.rs" 97 21 97 34] 
Index0.index _7 _8); - goto BB3 - } - BB3 { - _5 <- _6; - _0 <- ([#"../Robinson/src/lit.rs" 97 20 97 40] _5 = ([#"../Robinson/src/lit.rs" 97 38 97 39] (1 : uint8))); - goto BB5 - } - BB4 { - _9 <- _10; - _0 <- ([#"../Robinson/src/lit.rs" 98 21 98 41] _9 = ([#"../Robinson/src/lit.rs" 98 39 98 40] (0 : uint8))); - goto BB5 - } - BB5 { - return _0 - } - -end -module Robinson_Lit_Impl1_Unset_Stub - use Robinson_Assignments_Assignments_Type as Robinson_Assignments_Assignments_Type - use Robinson_Lit_Lit_Type as Robinson_Lit_Lit_Type - predicate unset [#"../Robinson/src/lit.rs" 74 4 74 46] (self : Robinson_Lit_Lit_Type.t_lit) (a : Robinson_Assignments_Assignments_Type.t_assignments) + = + [#"../Robinson/src/clause.rs" 27 8 30 9] exists i : int . 0 <= i /\ i < Seq.length (ShallowModel0.shallow_model (Robinson_Formula_Formula_Type.formula_clauses f)) /\ Seq.get (ShallowModel0.shallow_model (Robinson_Formula_Formula_Type.formula_clauses f)) i = self + val in_formula [#"../Robinson/src/clause.rs" 26 4 26 47] (self : Robinson_Clause_Clause_Type.t_clause) (f : Robinson_Formula_Formula_Type.t_formula) : bool + ensures { result = in_formula self f } end -module Robinson_Lit_Impl1_Unset_Interface - use Robinson_Assignments_Assignments_Type as Robinson_Assignments_Assignments_Type - use Robinson_Lit_Lit_Type as Robinson_Lit_Lit_Type - predicate unset [#"../Robinson/src/lit.rs" 74 4 74 46] (self : Robinson_Lit_Lit_Type.t_lit) (a : Robinson_Assignments_Assignments_Type.t_assignments) - +module Robinson_Logic_FlipV_Stub + use prelude.Int + use prelude.UInt8 + function flip_v [#"../Robinson/src/logic.rs" 18 0 18 44] (v : uint8) : uint8 end -module Robinson_Lit_Impl1_Unset - use Robinson_Lit_Lit_Type as Robinson_Lit_Lit_Type - clone Robinson_Lit_Impl1_UnsetInner_Stub as UnsetInner0 - use Robinson_Assignments_Assignments_Type as Robinson_Assignments_Assignments_Type - clone Robinson_Assignments_Impl0_ShallowModel_Stub as ShallowModel0 - predicate unset [#"../Robinson/src/lit.rs" 74 4 74 
46] (self : Robinson_Lit_Lit_Type.t_lit) (a : Robinson_Assignments_Assignments_Type.t_assignments) +module Robinson_Logic_FlipV_Interface + use prelude.Int + use prelude.UInt8 + function flip_v [#"../Robinson/src/logic.rs" 18 0 18 44] (v : uint8) : uint8 +end +module Robinson_Logic_FlipV + use prelude.Int + use prelude.UInt8 + function flip_v [#"../Robinson/src/logic.rs" 18 0 18 44] (v : uint8) : uint8 = + [#"../Robinson/src/logic.rs" 19 4 27 5] if UInt8.to_int v = 0 then + (1 : uint8) + else + if UInt8.to_int v = 1 then (0 : uint8) else v - = - [#"../Robinson/src/lit.rs" 75 20 75 40] UnsetInner0.unset_inner self (ShallowModel0.shallow_model a) - val unset [#"../Robinson/src/lit.rs" 74 4 74 46] (self : Robinson_Lit_Lit_Type.t_lit) (a : Robinson_Assignments_Assignments_Type.t_assignments) : bool - ensures { result = unset self a } + val flip_v [#"../Robinson/src/logic.rs" 18 0 18 44] (v : uint8) : uint8 + ensures { result = flip_v v } end -module Robinson_Lit_Impl2_LitUnset_Interface +module Robinson_Formula_Impl1_UnsatInner_Stub use seq.Seq - use prelude.Borrow use prelude.Int use prelude.UInt8 - use seq.Seq - use Robinson_Assignments_Assignments_Type as Robinson_Assignments_Assignments_Type - use Robinson_Lit_Lit_Type as Robinson_Lit_Lit_Type - clone Robinson_Lit_Impl1_Unset_Stub as Unset0 - clone Robinson_Lit_Impl1_Invariant_Stub as Invariant0 - clone CreusotContracts_Model_Impl1_ShallowModel_Stub as ShallowModel0 with - type t = Robinson_Assignments_Assignments_Type.t_assignments, - type ShallowModelTy0.shallowModelTy = Seq.seq uint8 - val lit_unset [#"../Robinson/src/lit.rs" 116 4 116 51] (self : Robinson_Lit_Lit_Type.t_lit) (a : Robinson_Assignments_Assignments_Type.t_assignments) : bool - requires {[#"../Robinson/src/lit.rs" 114 15 114 41] Invariant0.invariant' self (Seq.length (ShallowModel0.shallow_model a))} - ensures { [#"../Robinson/src/lit.rs" 115 14 115 38] result = Unset0.unset self a } + use Robinson_Formula_Formula_Type as 
Robinson_Formula_Formula_Type + predicate unsat_inner [#"../Robinson/src/formula.rs" 93 4 93 59] (self : Robinson_Formula_Formula_Type.t_formula) (a : Seq.seq uint8) end -module Robinson_Lit_Impl2_LitUnset - use prelude.Borrow +module Robinson_Formula_Impl1_UnsatInner_Interface + use seq.Seq use prelude.Int use prelude.UInt8 - use prelude.UIntSize + use Robinson_Formula_Formula_Type as Robinson_Formula_Formula_Type + predicate unsat_inner [#"../Robinson/src/formula.rs" 93 4 93 59] (self : Robinson_Formula_Formula_Type.t_formula) (a : Seq.seq uint8) + +end +module Robinson_Formula_Impl1_UnsatInner use seq.Seq - clone Core_Num_Impl12_Max as Max0 - use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type + use prelude.Int + use prelude.UInt8 use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type - clone CreusotContracts_Std1_Vec_Impl0_ShallowModel as ShallowModel3 with - type t = uint8, + use Robinson_Clause_Clause_Type as Robinson_Clause_Clause_Type + use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type + clone Core_Num_Impl11_Max_Stub as Max0 + clone Robinson_Clause_Impl1_UnsatInner_Stub as UnsatInner0 + clone CreusotContracts_Std1_Vec_Impl0_ShallowModel_Stub as ShallowModel0 with + type t = Robinson_Clause_Clause_Type.t_clause, type a = Alloc_Alloc_Global_Type.t_global, val Max0.mAX' = Max0.mAX', axiom . 
- clone CreusotContracts_Std1_Slice_Impl5_HasValue as HasValue0 with - type t = uint8 - clone CreusotContracts_Std1_Slice_Impl5_InBounds as InBounds0 with - type t = uint8 - use seq.Seq - clone CreusotContracts_Model_Impl1_ShallowModel as ShallowModel2 with - type t = Alloc_Vec_Vec_Type.t_vec uint8 (Alloc_Alloc_Global_Type.t_global), - type ShallowModelTy0.shallowModelTy = Seq.seq uint8, - function ShallowModel0.shallow_model = ShallowModel3.shallow_model - use Robinson_Lit_Lit_Type as Robinson_Lit_Lit_Type - clone Robinson_Lit_Impl1_UnsetInner as UnsetInner0 - use Robinson_Assignments_Assignments_Type as Robinson_Assignments_Assignments_Type - clone Robinson_Assignments_Impl0_ShallowModel as ShallowModel1 with - function ShallowModel0.shallow_model = ShallowModel3.shallow_model, - val Max0.mAX' = Max0.mAX' - clone Alloc_Vec_Impl15_Index_Interface as Index0 with - type t = uint8, - type i = usize, - type a = Alloc_Alloc_Global_Type.t_global, - function ShallowModel0.shallow_model = ShallowModel2.shallow_model, - predicate InBounds0.in_bounds = InBounds0.in_bounds, - predicate HasValue0.has_value = HasValue0.has_value, - type Output0.output = uint8 - clone Robinson_Lit_Impl1_Unset as Unset0 with - function ShallowModel0.shallow_model = ShallowModel1.shallow_model, - predicate UnsetInner0.unset_inner = UnsetInner0.unset_inner - clone Robinson_Lit_Impl1_Invariant as Invariant0 - clone CreusotContracts_Model_Impl1_ShallowModel as ShallowModel0 with - type t = Robinson_Assignments_Assignments_Type.t_assignments, - type ShallowModelTy0.shallowModelTy = Seq.seq uint8, - function ShallowModel0.shallow_model = ShallowModel1.shallow_model - let rec cfg lit_unset [#"../Robinson/src/lit.rs" 116 4 116 51] [@cfg:stackify] [@cfg:subregion_analysis] (self : Robinson_Lit_Lit_Type.t_lit) (a : Robinson_Assignments_Assignments_Type.t_assignments) : bool - requires {[#"../Robinson/src/lit.rs" 114 15 114 41] Invariant0.invariant' self (Seq.length (ShallowModel0.shallow_model a))} - 
ensures { [#"../Robinson/src/lit.rs" 115 14 115 38] result = Unset0.unset self a } - - = [@vc:do_not_keep_trace] [@vc:sp] - var _0 : bool; - var self_1 : Robinson_Lit_Lit_Type.t_lit; - var a_2 : Robinson_Assignments_Assignments_Type.t_assignments; - var _5 : uint8; - var _6 : uint8; - var _7 : Alloc_Vec_Vec_Type.t_vec uint8 (Alloc_Alloc_Global_Type.t_global); - var _8 : usize; - { - self_1 <- self; - a_2 <- a; - goto BB0 - } - BB0 { - _7 <- Robinson_Assignments_Assignments_Type.assignments_0 a_2; - _8 <- Robinson_Lit_Lit_Type.lit_idx self_1; - _6 <- ([#"../Robinson/src/lit.rs" 117 8 117 21] Index0.index _7 _8); - goto BB1 - } - BB1 { - _5 <- _6; - _0 <- ([#"../Robinson/src/lit.rs" 117 8 117 26] _5 >= ([#"../Robinson/src/lit.rs" 117 25 117 26] (2 : uint8))); - return _0 - } - -end -module Robinson_Lit_Impl1_Unsat_Stub - use Robinson_Assignments_Assignments_Type as Robinson_Assignments_Assignments_Type - use Robinson_Lit_Lit_Type as Robinson_Lit_Lit_Type - predicate unsat [#"../Robinson/src/lit.rs" 79 4 79 46] (self : Robinson_Lit_Lit_Type.t_lit) (a : Robinson_Assignments_Assignments_Type.t_assignments) - -end -module Robinson_Lit_Impl1_Unsat_Interface - use Robinson_Assignments_Assignments_Type as Robinson_Assignments_Assignments_Type - use Robinson_Lit_Lit_Type as Robinson_Lit_Lit_Type - predicate unsat [#"../Robinson/src/lit.rs" 79 4 79 46] (self : Robinson_Lit_Lit_Type.t_lit) (a : Robinson_Assignments_Assignments_Type.t_assignments) - -end -module Robinson_Lit_Impl1_Unsat - use Robinson_Lit_Lit_Type as Robinson_Lit_Lit_Type - clone Robinson_Lit_Impl1_UnsatInner_Stub as UnsatInner0 - use Robinson_Assignments_Assignments_Type as Robinson_Assignments_Assignments_Type - clone Robinson_Assignments_Impl0_ShallowModel_Stub as ShallowModel0 - predicate unsat [#"../Robinson/src/lit.rs" 79 4 79 46] (self : Robinson_Lit_Lit_Type.t_lit) (a : Robinson_Assignments_Assignments_Type.t_assignments) + use Robinson_Formula_Formula_Type as Robinson_Formula_Formula_Type + predicate 
unsat_inner [#"../Robinson/src/formula.rs" 93 4 93 59] (self : Robinson_Formula_Formula_Type.t_formula) (a : Seq.seq uint8) = - [#"../Robinson/src/lit.rs" 80 20 80 40] UnsatInner0.unsat_inner self (ShallowModel0.shallow_model a) - val unsat [#"../Robinson/src/lit.rs" 79 4 79 46] (self : Robinson_Lit_Lit_Type.t_lit) (a : Robinson_Assignments_Assignments_Type.t_assignments) : bool - ensures { result = unsat self a } + [#"../Robinson/src/formula.rs" 94 8 97 9] exists i : int . 0 <= i /\ i < Seq.length (ShallowModel0.shallow_model (Robinson_Formula_Formula_Type.formula_clauses self)) /\ UnsatInner0.unsat_inner (Seq.get (ShallowModel0.shallow_model (Robinson_Formula_Formula_Type.formula_clauses self)) i) a + val unsat_inner [#"../Robinson/src/formula.rs" 93 4 93 59] (self : Robinson_Formula_Formula_Type.t_formula) (a : Seq.seq uint8) : bool + ensures { result = unsat_inner self a } end -module Robinson_Clause_Impl2_CheckIfUnit_Interface +module Robinson_Logic_LemmaUnitWrongPolarityUnsatFormula_Stub + use prelude.UIntSize use seq.Seq - use prelude.Borrow use prelude.Int use prelude.UInt8 - use seq.Seq - use Robinson_Formula_Formula_Type as Robinson_Formula_Formula_Type - use Robinson_Assignments_Assignments_Type as Robinson_Assignments_Assignments_Type use Robinson_Clause_Clause_Type as Robinson_Clause_Clause_Type - clone Robinson_Assignments_Impl1_Complete_Stub as Complete0 - clone Robinson_Clause_Impl1_Unit_Stub as Unit0 - clone Robinson_Clause_Impl1_Unsat_Stub as Unsat0 - clone Robinson_Clause_Impl1_Sat_Stub as Sat0 - use Robinson_Clause_ClauseState_Type as Robinson_Clause_ClauseState_Type - clone Robinson_Assignments_Impl1_Invariant_Stub as Invariant2 - clone Robinson_Formula_Impl1_Invariant_Stub as Invariant1 - clone Robinson_Clause_Impl1_Invariant_Stub as Invariant0 - clone CreusotContracts_Model_Impl1_ShallowModel_Stub as ShallowModel0 with - type t = Robinson_Assignments_Assignments_Type.t_assignments, - type ShallowModelTy0.shallowModelTy = Seq.seq uint8 - val 
check_if_unit [#"../Robinson/src/clause.rs" 121 4 121 77] (self : Robinson_Clause_Clause_Type.t_clause) (a : Robinson_Assignments_Assignments_Type.t_assignments) (_f : Robinson_Formula_Formula_Type.t_formula) : Robinson_Clause_ClauseState_Type.t_clausestate - requires {[#"../Robinson/src/clause.rs" 114 15 114 41] Invariant0.invariant' self (Seq.length (ShallowModel0.shallow_model a))} - requires {[#"../Robinson/src/clause.rs" 115 15 115 29] Invariant1.invariant' _f} - requires {[#"../Robinson/src/clause.rs" 116 15 116 31] Invariant2.invariant' a _f} - ensures { [#"../Robinson/src/clause.rs" 117 4 117 65] result = Robinson_Clause_ClauseState_Type.C_Sat -> Sat0.sat self a } - ensures { [#"../Robinson/src/clause.rs" 118 4 118 67] result = Robinson_Clause_ClauseState_Type.C_Unsat -> Unsat0.unsat self a } - ensures { [#"../Robinson/src/clause.rs" 119 4 119 83] result = Robinson_Clause_ClauseState_Type.C_Unit -> Unit0.unit self a /\ not Complete0.complete a } - ensures { [#"../Robinson/src/clause.rs" 120 4 120 66] result = Robinson_Clause_ClauseState_Type.C_Unknown -> not Complete0.complete a } + use Robinson_Formula_Formula_Type as Robinson_Formula_Formula_Type + clone Robinson_Formula_Impl1_UnsatInner_Stub as UnsatInner1 + clone Robinson_Formula_Impl1_EventuallySatCompleteInner_Stub as EventuallySatCompleteInner0 + clone Robinson_Logic_FlipV_Stub as FlipV0 + use Robinson_Lit_Lit_Type as Robinson_Lit_Lit_Type + clone Robinson_Lit_Impl1_UnsatInner_Stub as UnsatInner0 + clone Robinson_Logic_BoolToAssignedstate_Stub as BoolToAssignedstate0 with + axiom . 
+ clone Robinson_Lit_Impl0_IndexLogic_Stub as IndexLogic0 + clone Robinson_Clause_Impl0_ShallowModel_Stub as ShallowModel0 + clone Robinson_Clause_Impl1_Invariant_Stub as Invariant1 + clone Robinson_Clause_Impl1_InFormula_Stub as InFormula0 + clone Robinson_Clause_Impl1_UnitInner_Stub as UnitInner0 + clone Robinson_Logic_Unset_Stub as Unset0 + clone Robinson_Formula_Impl1_Invariant_Stub as Invariant0 + function lemma_unit_wrong_polarity_unsat_formula [#"../Robinson/src/logic.rs" 73 0 75 1] (c : Robinson_Clause_Clause_Type.t_clause) (f : Robinson_Formula_Formula_Type.t_formula) (a : Seq.seq uint8) (ix : int) (v : uint8) : () end -module Robinson_Clause_Impl2_CheckIfUnit - use prelude.Borrow - use prelude.Int +module Robinson_Logic_LemmaUnitWrongPolarityUnsatFormula_Interface use prelude.UIntSize use seq.Seq + use prelude.Int use prelude.UInt8 + use Robinson_Clause_Clause_Type as Robinson_Clause_Clause_Type + use Robinson_Formula_Formula_Type as Robinson_Formula_Formula_Type + clone Robinson_Formula_Impl1_UnsatInner_Stub as UnsatInner1 + clone Robinson_Formula_Impl1_EventuallySatCompleteInner_Stub as EventuallySatCompleteInner0 + clone Robinson_Logic_FlipV_Stub as FlipV0 use Robinson_Lit_Lit_Type as Robinson_Lit_Lit_Type - clone Robinson_Lit_Impl1_SatInner as SatInner1 - use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type - use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type - clone Core_Num_Impl12_Max as Max0 - clone CreusotContracts_Std1_Vec_Impl0_ShallowModel as ShallowModel7 with - type t = uint8, - type a = Alloc_Alloc_Global_Type.t_global, - val Max0.mAX' = Max0.mAX', - axiom . - use Robinson_Assignments_Assignments_Type as Robinson_Assignments_Assignments_Type - clone Robinson_Assignments_Impl0_ShallowModel as ShallowModel3 with - function ShallowModel0.shallow_model = ShallowModel7.shallow_model, + clone Robinson_Lit_Impl1_UnsatInner_Stub as UnsatInner0 + clone Robinson_Logic_BoolToAssignedstate_Stub as BoolToAssignedstate0 with + axiom . 
+ clone Robinson_Lit_Impl0_IndexLogic_Stub as IndexLogic0 + clone Robinson_Clause_Impl0_ShallowModel_Stub as ShallowModel0 + clone Robinson_Clause_Impl1_Invariant_Stub as Invariant1 + clone Robinson_Clause_Impl1_InFormula_Stub as InFormula0 + clone Robinson_Clause_Impl1_UnitInner_Stub as UnitInner0 + clone Robinson_Logic_Unset_Stub as Unset0 + clone Robinson_Formula_Impl1_Invariant_Stub as Invariant0 + function lemma_unit_wrong_polarity_unsat_formula [#"../Robinson/src/logic.rs" 73 0 75 1] (c : Robinson_Clause_Clause_Type.t_clause) (f : Robinson_Formula_Formula_Type.t_formula) (a : Seq.seq uint8) (ix : int) (v : uint8) : () + + axiom lemma_unit_wrong_polarity_unsat_formula_spec : forall c : Robinson_Clause_Clause_Type.t_clause, f : Robinson_Formula_Formula_Type.t_formula, a : Seq.seq uint8, ix : int, v : uint8 . ([#"../Robinson/src/logic.rs" 62 11 62 24] Invariant0.invariant' f) -> ([#"../Robinson/src/logic.rs" 63 11 63 33] UIntSize.to_int (Robinson_Formula_Formula_Type.formula_num_vars f) = Seq.length a) -> ([#"../Robinson/src/logic.rs" 64 11 64 50] 0 <= ix /\ ix < Seq.length a /\ Unset0.unset (Seq.get a ix)) -> ([#"../Robinson/src/logic.rs" 65 11 65 20] not Unset0.unset v) -> ([#"../Robinson/src/logic.rs" 66 11 66 26] UnitInner0.unit_inner c a) -> ([#"../Robinson/src/logic.rs" 67 11 67 26] InFormula0.in_formula c f) -> ([#"../Robinson/src/logic.rs" 68 11 68 31] Invariant1.invariant' c (Seq.length a)) -> ([#"../Robinson/src/logic.rs" 69 0 69 127] exists j : int . 0 <= j /\ j < Seq.length (ShallowModel0.shallow_model c) /\ IndexLogic0.index_logic (Seq.get (ShallowModel0.shallow_model c) j) = ix /\ BoolToAssignedstate0.bool_to_assignedstate (Robinson_Lit_Lit_Type.lit_polarity (Seq.get (ShallowModel0.shallow_model c) j)) = v) -> ([#"../Robinson/src/logic.rs" 70 0 70 107] forall j : int . 
0 <= j /\ j < Seq.length (ShallowModel0.shallow_model c) /\ not IndexLogic0.index_logic (Seq.get (ShallowModel0.shallow_model c) j) = ix -> UnsatInner0.unsat_inner (Seq.get (ShallowModel0.shallow_model c) j) a) -> ([#"../Robinson/src/logic.rs" 72 10 72 45] UnsatInner1.unsat_inner f (Seq.set a ix (FlipV0.flip_v v))) && ([#"../Robinson/src/logic.rs" 71 10 71 64] not EventuallySatCompleteInner0.eventually_sat_complete_inner f (Seq.set a ix (FlipV0.flip_v v))) +end +module Robinson_Logic_LemmaUnitWrongPolarityUnsatFormula + use prelude.UIntSize + use seq.Seq + use prelude.Int + use prelude.UInt8 + use Robinson_Clause_Clause_Type as Robinson_Clause_Clause_Type + use Robinson_Formula_Formula_Type as Robinson_Formula_Formula_Type + clone Robinson_Formula_Impl1_UnsatInner_Stub as UnsatInner1 + clone Robinson_Formula_Impl1_EventuallySatCompleteInner_Stub as EventuallySatCompleteInner0 + clone Robinson_Logic_FlipV_Stub as FlipV0 + use Robinson_Lit_Lit_Type as Robinson_Lit_Lit_Type + clone Robinson_Lit_Impl1_UnsatInner_Stub as UnsatInner0 + clone Robinson_Logic_BoolToAssignedstate_Stub as BoolToAssignedstate0 with + axiom . 
+ clone Robinson_Lit_Impl0_IndexLogic_Stub as IndexLogic0 + clone Robinson_Clause_Impl0_ShallowModel_Stub as ShallowModel0 + clone Robinson_Clause_Impl1_Invariant_Stub as Invariant1 + clone Robinson_Clause_Impl1_InFormula_Stub as InFormula0 + clone Robinson_Clause_Impl1_UnitInner_Stub as UnitInner0 + clone Robinson_Logic_Unset_Stub as Unset0 + clone Robinson_Formula_Impl1_Invariant_Stub as Invariant0 + function lemma_unit_wrong_polarity_unsat_formula [#"../Robinson/src/logic.rs" 73 0 75 1] (c : Robinson_Clause_Clause_Type.t_clause) (f : Robinson_Formula_Formula_Type.t_formula) (a : Seq.seq uint8) (ix : int) (v : uint8) : () + + = + [#"../Robinson/src/logic.rs" 61 0 61 8] () + val lemma_unit_wrong_polarity_unsat_formula [#"../Robinson/src/logic.rs" 73 0 75 1] (c : Robinson_Clause_Clause_Type.t_clause) (f : Robinson_Formula_Formula_Type.t_formula) (a : Seq.seq uint8) (ix : int) (v : uint8) : () + requires {[#"../Robinson/src/logic.rs" 62 11 62 24] Invariant0.invariant' f} + requires {[#"../Robinson/src/logic.rs" 63 11 63 33] UIntSize.to_int (Robinson_Formula_Formula_Type.formula_num_vars f) = Seq.length a} + requires {[#"../Robinson/src/logic.rs" 64 11 64 50] 0 <= ix /\ ix < Seq.length a /\ Unset0.unset (Seq.get a ix)} + requires {[#"../Robinson/src/logic.rs" 65 11 65 20] not Unset0.unset v} + requires {[#"../Robinson/src/logic.rs" 66 11 66 26] UnitInner0.unit_inner c a} + requires {[#"../Robinson/src/logic.rs" 67 11 67 26] InFormula0.in_formula c f} + requires {[#"../Robinson/src/logic.rs" 68 11 68 31] Invariant1.invariant' c (Seq.length a)} + requires {[#"../Robinson/src/logic.rs" 69 0 69 127] exists j : int . 0 <= j /\ j < Seq.length (ShallowModel0.shallow_model c) /\ IndexLogic0.index_logic (Seq.get (ShallowModel0.shallow_model c) j) = ix /\ BoolToAssignedstate0.bool_to_assignedstate (Robinson_Lit_Lit_Type.lit_polarity (Seq.get (ShallowModel0.shallow_model c) j)) = v} + requires {[#"../Robinson/src/logic.rs" 70 0 70 107] forall j : int . 
0 <= j /\ j < Seq.length (ShallowModel0.shallow_model c) /\ not IndexLogic0.index_logic (Seq.get (ShallowModel0.shallow_model c) j) = ix -> UnsatInner0.unsat_inner (Seq.get (ShallowModel0.shallow_model c) j) a} + ensures { result = lemma_unit_wrong_polarity_unsat_formula c f a ix v } + + axiom lemma_unit_wrong_polarity_unsat_formula_spec : forall c : Robinson_Clause_Clause_Type.t_clause, f : Robinson_Formula_Formula_Type.t_formula, a : Seq.seq uint8, ix : int, v : uint8 . ([#"../Robinson/src/logic.rs" 62 11 62 24] Invariant0.invariant' f) -> ([#"../Robinson/src/logic.rs" 63 11 63 33] UIntSize.to_int (Robinson_Formula_Formula_Type.formula_num_vars f) = Seq.length a) -> ([#"../Robinson/src/logic.rs" 64 11 64 50] 0 <= ix /\ ix < Seq.length a /\ Unset0.unset (Seq.get a ix)) -> ([#"../Robinson/src/logic.rs" 65 11 65 20] not Unset0.unset v) -> ([#"../Robinson/src/logic.rs" 66 11 66 26] UnitInner0.unit_inner c a) -> ([#"../Robinson/src/logic.rs" 67 11 67 26] InFormula0.in_formula c f) -> ([#"../Robinson/src/logic.rs" 68 11 68 31] Invariant1.invariant' c (Seq.length a)) -> ([#"../Robinson/src/logic.rs" 69 0 69 127] exists j : int . 0 <= j /\ j < Seq.length (ShallowModel0.shallow_model c) /\ IndexLogic0.index_logic (Seq.get (ShallowModel0.shallow_model c) j) = ix /\ BoolToAssignedstate0.bool_to_assignedstate (Robinson_Lit_Lit_Type.lit_polarity (Seq.get (ShallowModel0.shallow_model c) j)) = v) -> ([#"../Robinson/src/logic.rs" 70 0 70 107] forall j : int . 
0 <= j /\ j < Seq.length (ShallowModel0.shallow_model c) /\ not IndexLogic0.index_logic (Seq.get (ShallowModel0.shallow_model c) j) = ix -> UnsatInner0.unsat_inner (Seq.get (ShallowModel0.shallow_model c) j) a) -> ([#"../Robinson/src/logic.rs" 72 10 72 45] UnsatInner1.unsat_inner f (Seq.set a ix (FlipV0.flip_v v))) && ([#"../Robinson/src/logic.rs" 71 10 71 64] not EventuallySatCompleteInner0.eventually_sat_complete_inner f (Seq.set a ix (FlipV0.flip_v v))) +end +module Robinson_Logic_LemmaUnitWrongPolarityUnsatFormula_Impl + use prelude.UIntSize + use seq.Seq + use prelude.Int + use prelude.UInt8 + clone Robinson_Logic_Unset as Unset0 + clone Robinson_Assignments_CompleteInner as CompleteInner0 with + predicate Unset0.unset = Unset0.unset + clone Robinson_Assignments_CompatibleInner as CompatibleInner0 with + predicate Unset0.unset = Unset0.unset + use Robinson_Lit_Lit_Type as Robinson_Lit_Lit_Type + clone Robinson_Lit_Impl1_SatInner as SatInner2 + clone Robinson_Lit_Impl1_Invariant as Invariant2 + clone Robinson_Lit_Impl1_UnsatInner as UnsatInner0 + use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type + clone Core_Num_Impl11_Max as Max0 + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + clone CreusotContracts_Std1_Vec_Impl0_ShallowModel as ShallowModel2 with + type t = Robinson_Lit_Lit_Type.t_lit, + type a = Alloc_Alloc_Global_Type.t_global, + val Max0.mAX' = Max0.mAX', + axiom . 
+ use Robinson_Clause_Clause_Type as Robinson_Clause_Clause_Type + clone Robinson_Clause_Impl0_ShallowModel as ShallowModel0 with + function ShallowModel0.shallow_model = ShallowModel2.shallow_model, val Max0.mAX' = Max0.mAX' - clone Robinson_Lit_Impl1_Sat as Sat1 with - function ShallowModel0.shallow_model = ShallowModel3.shallow_model, - predicate SatInner0.sat_inner = SatInner1.sat_inner - clone Robinson_Lit_Impl1_Invariant as Invariant3 - clone CreusotContracts_Std1_Slice_Impl5_HasValue as HasValue0 with - type t = Robinson_Lit_Lit_Type.t_lit - clone CreusotContracts_Std1_Slice_Impl5_InBounds as InBounds0 with - type t = Robinson_Lit_Lit_Type.t_lit + clone Robinson_Clause_Impl1_UnsatInner as UnsatInner2 with + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner + clone Robinson_Clause_Impl1_SatInner as SatInner0 with + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + predicate SatInner0.sat_inner = SatInner2.sat_inner clone CreusotContracts_Std1_Vec_Impl0_ShallowModel as ShallowModel1 with - type t = Robinson_Lit_Lit_Type.t_lit, + type t = Robinson_Clause_Clause_Type.t_clause, type a = Alloc_Alloc_Global_Type.t_global, val Max0.mAX' = Max0.mAX', axiom . 
- use seq.Seq - clone CreusotContracts_Model_Impl1_ShallowModel as ShallowModel6 with - type t = Alloc_Vec_Vec_Type.t_vec (Robinson_Lit_Lit_Type.t_lit) (Alloc_Alloc_Global_Type.t_global), - type ShallowModelTy0.shallowModelTy = Seq.seq (Robinson_Lit_Lit_Type.t_lit), - function ShallowModel0.shallow_model = ShallowModel1.shallow_model - clone Robinson_Lit_Impl1_UnsatInner as UnsatInner1 + use Robinson_Formula_Formula_Type as Robinson_Formula_Formula_Type + clone Robinson_Formula_Impl1_SatInner as SatInner1 with + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + predicate SatInner0.sat_inner = SatInner0.sat_inner, + val Max0.mAX' = Max0.mAX' + clone Robinson_Assignments_CompatibleCompleteInner as CompatibleCompleteInner0 with + predicate CompatibleInner0.compatible_inner = CompatibleInner0.compatible_inner, + predicate CompleteInner0.complete_inner = CompleteInner0.complete_inner clone Robinson_Lit_Impl1_UnsetInner as UnsetInner0 - use Robinson_Clause_Clause_Type as Robinson_Clause_Clause_Type - clone Robinson_Clause_Impl0_ShallowModel as ShallowModel5 with + clone Robinson_Clause_Impl1_VarsInRange as VarsInRange0 with + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + predicate Invariant0.invariant' = Invariant2.invariant' + clone Robinson_Formula_Impl1_UnsatInner as UnsatInner1 with function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + predicate UnsatInner0.unsat_inner = UnsatInner2.unsat_inner, val Max0.mAX' = Max0.mAX' - clone Robinson_Logic_Unset as Unset1 - clone Robinson_Clause_Impl1_SatInner as SatInner0 with - function ShallowModel0.shallow_model = ShallowModel5.shallow_model, + clone Robinson_Formula_Impl1_EventuallySatCompleteInner as EventuallySatCompleteInner0 with + predicate CompatibleCompleteInner0.compatible_complete_inner = CompatibleCompleteInner0.compatible_complete_inner, predicate SatInner0.sat_inner = SatInner1.sat_inner - clone Robinson_Clause_Impl1_VarsInRange as VarsInRange0 with - 
function ShallowModel0.shallow_model = ShallowModel5.shallow_model, - predicate Invariant0.invariant' = Invariant3.invariant' + clone Robinson_Logic_FlipV as FlipV0 + clone Robinson_Logic_BoolToAssignedstate as BoolToAssignedstate0 with + axiom . + clone Robinson_Lit_Impl0_IndexLogic as IndexLogic0 + clone Robinson_Clause_Impl1_Invariant as Invariant1 with + predicate VarsInRange0.vars_in_range = VarsInRange0.vars_in_range + clone Robinson_Clause_Impl1_InFormula as InFormula0 with + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + val Max0.mAX' = Max0.mAX' clone Robinson_Clause_Impl1_UnitInner as UnitInner0 with predicate VarsInRange0.vars_in_range = VarsInRange0.vars_in_range, predicate SatInner0.sat_inner = SatInner0.sat_inner, - function ShallowModel0.shallow_model = ShallowModel5.shallow_model, + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, predicate UnsetInner0.unset_inner = UnsetInner0.unset_inner - clone Robinson_Clause_Impl1_UnsatInner as UnsatInner0 with - function ShallowModel0.shallow_model = ShallowModel5.shallow_model, - predicate UnsatInner0.unsat_inner = UnsatInner1.unsat_inner - clone CreusotContracts_Std1_Vec_Impl0_ShallowModel as ShallowModel4 with - type t = Robinson_Clause_Clause_Type.t_clause, + clone Robinson_Formula_Impl1_Invariant as Invariant0 with + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + predicate Invariant0.invariant' = Invariant1.invariant', + val Max0.mAX' = Max0.mAX' + let rec ghost function lemma_unit_wrong_polarity_unsat_formula [#"../Robinson/src/logic.rs" 73 0 75 1] (c : Robinson_Clause_Clause_Type.t_clause) (f : Robinson_Formula_Formula_Type.t_formula) (a : Seq.seq uint8) (ix : int) (v : uint8) : () + requires {[#"../Robinson/src/logic.rs" 62 11 62 24] Invariant0.invariant' f} + requires {[#"../Robinson/src/logic.rs" 63 11 63 33] UIntSize.to_int (Robinson_Formula_Formula_Type.formula_num_vars f) = Seq.length a} + requires {[#"../Robinson/src/logic.rs" 64 11 
64 50] 0 <= ix /\ ix < Seq.length a /\ Unset0.unset (Seq.get a ix)} + requires {[#"../Robinson/src/logic.rs" 65 11 65 20] not Unset0.unset v} + requires {[#"../Robinson/src/logic.rs" 66 11 66 26] UnitInner0.unit_inner c a} + requires {[#"../Robinson/src/logic.rs" 67 11 67 26] InFormula0.in_formula c f} + requires {[#"../Robinson/src/logic.rs" 68 11 68 31] Invariant1.invariant' c (Seq.length a)} + requires {[#"../Robinson/src/logic.rs" 69 0 69 127] exists j : int . 0 <= j /\ j < Seq.length (ShallowModel0.shallow_model c) /\ IndexLogic0.index_logic (Seq.get (ShallowModel0.shallow_model c) j) = ix /\ BoolToAssignedstate0.bool_to_assignedstate (Robinson_Lit_Lit_Type.lit_polarity (Seq.get (ShallowModel0.shallow_model c) j)) = v} + requires {[#"../Robinson/src/logic.rs" 70 0 70 107] forall j : int . 0 <= j /\ j < Seq.length (ShallowModel0.shallow_model c) /\ not IndexLogic0.index_logic (Seq.get (ShallowModel0.shallow_model c) j) = ix -> UnsatInner0.unsat_inner (Seq.get (ShallowModel0.shallow_model c) j) a} + ensures { [#"../Robinson/src/logic.rs" 71 10 71 64] not EventuallySatCompleteInner0.eventually_sat_complete_inner f (Seq.set a ix (FlipV0.flip_v v)) } + ensures { [#"../Robinson/src/logic.rs" 72 10 72 45] UnsatInner1.unsat_inner f (Seq.set a ix (FlipV0.flip_v v)) } + + = [@vc:do_not_keep_trace] [@vc:sp] + [#"../Robinson/src/logic.rs" 61 0 61 8] () +end +module Robinson_Logic_LemmaUnitForces_Stub + use prelude.UIntSize + use seq.Seq + use prelude.Int + use prelude.UInt8 + clone Robinson_Logic_FlipV_Stub as FlipV0 + use Robinson_Formula_Formula_Type as Robinson_Formula_Formula_Type + clone Robinson_Formula_Impl1_EventuallySatCompleteInner_Stub as EventuallySatCompleteInner0 + clone Robinson_Logic_Unset_Stub as Unset0 + clone Robinson_Formula_Impl1_Invariant_Stub as Invariant0 + function lemma_unit_forces [#"../Robinson/src/logic.rs" 59 0 59 86] (f : Robinson_Formula_Formula_Type.t_formula) (a : Seq.seq uint8) (ix : int) (v : uint8) : () + +end +module 
Robinson_Logic_LemmaUnitForces_Interface + use prelude.UIntSize + use seq.Seq + use prelude.Int + use prelude.UInt8 + clone Robinson_Logic_FlipV_Stub as FlipV0 + use Robinson_Formula_Formula_Type as Robinson_Formula_Formula_Type + clone Robinson_Formula_Impl1_EventuallySatCompleteInner_Stub as EventuallySatCompleteInner0 + clone Robinson_Logic_Unset_Stub as Unset0 + clone Robinson_Formula_Impl1_Invariant_Stub as Invariant0 + function lemma_unit_forces [#"../Robinson/src/logic.rs" 59 0 59 86] (f : Robinson_Formula_Formula_Type.t_formula) (a : Seq.seq uint8) (ix : int) (v : uint8) : () + + axiom lemma_unit_forces_spec : forall f : Robinson_Formula_Formula_Type.t_formula, a : Seq.seq uint8, ix : int, v : uint8 . ([#"../Robinson/src/logic.rs" 52 11 52 24] Invariant0.invariant' f) -> ([#"../Robinson/src/logic.rs" 53 11 53 33] UIntSize.to_int (Robinson_Formula_Formula_Type.formula_num_vars f) = Seq.length a) -> ([#"../Robinson/src/logic.rs" 54 11 54 50] 0 <= ix /\ ix < Seq.length a /\ Unset0.unset (Seq.get a ix)) -> ([#"../Robinson/src/logic.rs" 55 11 55 20] not Unset0.unset v) -> ([#"../Robinson/src/logic.rs" 56 11 56 45] EventuallySatCompleteInner0.eventually_sat_complete_inner f a) -> ([#"../Robinson/src/logic.rs" 57 11 57 65] not EventuallySatCompleteInner0.eventually_sat_complete_inner f (Seq.set a ix (FlipV0.flip_v v))) -> ([#"../Robinson/src/logic.rs" 58 10 58 55] EventuallySatCompleteInner0.eventually_sat_complete_inner f (Seq.set a ix v)) +end +module Robinson_Logic_LemmaUnitForces + use prelude.UIntSize + use seq.Seq + use prelude.Int + use prelude.UInt8 + clone Robinson_Logic_FlipV_Stub as FlipV0 + use Robinson_Formula_Formula_Type as Robinson_Formula_Formula_Type + clone Robinson_Formula_Impl1_EventuallySatCompleteInner_Stub as EventuallySatCompleteInner0 + clone Robinson_Logic_Unset_Stub as Unset0 + clone Robinson_Formula_Impl1_Invariant_Stub as Invariant0 + function lemma_unit_forces [#"../Robinson/src/logic.rs" 59 0 59 86] (f : 
Robinson_Formula_Formula_Type.t_formula) (a : Seq.seq uint8) (ix : int) (v : uint8) : () + + = + [#"../Robinson/src/logic.rs" 51 0 51 8] () + val lemma_unit_forces [#"../Robinson/src/logic.rs" 59 0 59 86] (f : Robinson_Formula_Formula_Type.t_formula) (a : Seq.seq uint8) (ix : int) (v : uint8) : () + requires {[#"../Robinson/src/logic.rs" 52 11 52 24] Invariant0.invariant' f} + requires {[#"../Robinson/src/logic.rs" 53 11 53 33] UIntSize.to_int (Robinson_Formula_Formula_Type.formula_num_vars f) = Seq.length a} + requires {[#"../Robinson/src/logic.rs" 54 11 54 50] 0 <= ix /\ ix < Seq.length a /\ Unset0.unset (Seq.get a ix)} + requires {[#"../Robinson/src/logic.rs" 55 11 55 20] not Unset0.unset v} + requires {[#"../Robinson/src/logic.rs" 56 11 56 45] EventuallySatCompleteInner0.eventually_sat_complete_inner f a} + requires {[#"../Robinson/src/logic.rs" 57 11 57 65] not EventuallySatCompleteInner0.eventually_sat_complete_inner f (Seq.set a ix (FlipV0.flip_v v))} + ensures { result = lemma_unit_forces f a ix v } + + axiom lemma_unit_forces_spec : forall f : Robinson_Formula_Formula_Type.t_formula, a : Seq.seq uint8, ix : int, v : uint8 . 
([#"../Robinson/src/logic.rs" 52 11 52 24] Invariant0.invariant' f) -> ([#"../Robinson/src/logic.rs" 53 11 53 33] UIntSize.to_int (Robinson_Formula_Formula_Type.formula_num_vars f) = Seq.length a) -> ([#"../Robinson/src/logic.rs" 54 11 54 50] 0 <= ix /\ ix < Seq.length a /\ Unset0.unset (Seq.get a ix)) -> ([#"../Robinson/src/logic.rs" 55 11 55 20] not Unset0.unset v) -> ([#"../Robinson/src/logic.rs" 56 11 56 45] EventuallySatCompleteInner0.eventually_sat_complete_inner f a) -> ([#"../Robinson/src/logic.rs" 57 11 57 65] not EventuallySatCompleteInner0.eventually_sat_complete_inner f (Seq.set a ix (FlipV0.flip_v v))) -> ([#"../Robinson/src/logic.rs" 58 10 58 55] EventuallySatCompleteInner0.eventually_sat_complete_inner f (Seq.set a ix v)) +end +module Robinson_Logic_LemmaUnitForces_Impl + use prelude.UIntSize + use seq.Seq + use prelude.Int + use prelude.UInt8 + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use Robinson_Lit_Lit_Type as Robinson_Lit_Lit_Type + use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type + clone Core_Num_Impl11_Max as Max0 + clone CreusotContracts_Std1_Vec_Impl0_ShallowModel as ShallowModel2 with + type t = Robinson_Lit_Lit_Type.t_lit, type a = Alloc_Alloc_Global_Type.t_global, val Max0.mAX' = Max0.mAX', axiom . 
- clone Robinson_Lit_Impl1_Unset as Unset0 with - function ShallowModel0.shallow_model = ShallowModel3.shallow_model, - predicate UnsetInner0.unset_inner = UnsetInner0.unset_inner - clone CreusotContracts_Model_Impl1_ShallowModel as ShallowModel0 with - type t = Robinson_Assignments_Assignments_Type.t_assignments, - type ShallowModelTy0.shallowModelTy = Seq.seq uint8, - function ShallowModel0.shallow_model = ShallowModel3.shallow_model - clone Robinson_Lit_Impl2_LitUnset_Interface as LitUnset0 with - function ShallowModel0.shallow_model = ShallowModel0.shallow_model, - predicate Invariant0.invariant' = Invariant3.invariant', + clone Robinson_Lit_Impl1_SatInner as SatInner2 + clone Robinson_Lit_Impl1_Invariant as Invariant2 + use Robinson_Clause_Clause_Type as Robinson_Clause_Clause_Type + clone Robinson_Clause_Impl0_ShallowModel as ShallowModel1 with + function ShallowModel0.shallow_model = ShallowModel2.shallow_model, + val Max0.mAX' = Max0.mAX' + clone Robinson_Clause_Impl1_SatInner as SatInner1 with + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + predicate SatInner0.sat_inner = SatInner2.sat_inner + clone Robinson_Logic_Unset as Unset0 + clone Robinson_Assignments_CompleteInner as CompleteInner0 with predicate Unset0.unset = Unset0.unset - clone Robinson_Lit_Impl2_LitSat_Interface as LitSat0 with - function ShallowModel0.shallow_model = ShallowModel0.shallow_model, - predicate Invariant0.invariant' = Invariant3.invariant', - predicate Sat0.sat = Sat1.sat - clone Alloc_Vec_Impl15_Index_Interface as Index0 with - type t = Robinson_Lit_Lit_Type.t_lit, - type i = usize, + clone Robinson_Assignments_CompatibleInner as CompatibleInner0 with + predicate Unset0.unset = Unset0.unset + clone Robinson_Clause_Impl1_VarsInRange as VarsInRange0 with + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + predicate Invariant0.invariant' = Invariant2.invariant' + clone CreusotContracts_Std1_Vec_Impl0_ShallowModel as ShallowModel0 with + 
type t = Robinson_Clause_Clause_Type.t_clause, type a = Alloc_Alloc_Global_Type.t_global, - function ShallowModel0.shallow_model = ShallowModel6.shallow_model, - predicate InBounds0.in_bounds = InBounds0.in_bounds, - predicate HasValue0.has_value = HasValue0.has_value, - type Output0.output = Robinson_Lit_Lit_Type.t_lit - clone Alloc_Vec_Impl1_Len_Interface as Len0 with - type t = Robinson_Lit_Lit_Type.t_lit, - type a = Alloc_Alloc_Global_Type.t_global, - function ShallowModel0.shallow_model = ShallowModel6.shallow_model - clone Robinson_Lit_Impl1_Unsat as Unsat1 with - function ShallowModel0.shallow_model = ShallowModel3.shallow_model, - predicate UnsatInner0.unsat_inner = UnsatInner1.unsat_inner - clone CreusotContracts_Model_Impl1_ShallowModel as ShallowModel2 with - type t = Robinson_Clause_Clause_Type.t_clause, - type ShallowModelTy0.shallowModelTy = Seq.seq (Robinson_Lit_Lit_Type.t_lit), - function ShallowModel0.shallow_model = ShallowModel5.shallow_model - clone Robinson_Assignments_Impl1_Complete as Complete0 with - function ShallowModel0.shallow_model = ShallowModel3.shallow_model, - predicate Unset0.unset = Unset1.unset - clone Robinson_Clause_Impl1_Unit as Unit0 with - function ShallowModel0.shallow_model = ShallowModel3.shallow_model, - predicate UnitInner0.unit_inner = UnitInner0.unit_inner - clone Robinson_Clause_Impl1_Unsat as Unsat0 with - function ShallowModel0.shallow_model = ShallowModel3.shallow_model, - predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner - clone Robinson_Clause_Impl1_Sat as Sat0 with - function ShallowModel0.shallow_model = ShallowModel3.shallow_model, - predicate SatInner0.sat_inner = SatInner0.sat_inner + val Max0.mAX' = Max0.mAX', + axiom . 
use Robinson_Formula_Formula_Type as Robinson_Formula_Formula_Type - clone Robinson_Assignments_Impl1_Invariant as Invariant2 with - function ShallowModel0.shallow_model = ShallowModel3.shallow_model - clone Robinson_Clause_Impl1_Invariant as Invariant0 with + clone Robinson_Formula_Impl1_SatInner as SatInner0 with + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + predicate SatInner0.sat_inner = SatInner1.sat_inner, + val Max0.mAX' = Max0.mAX' + clone Robinson_Assignments_CompatibleCompleteInner as CompatibleCompleteInner0 with + predicate CompatibleInner0.compatible_inner = CompatibleInner0.compatible_inner, + predicate CompleteInner0.complete_inner = CompleteInner0.complete_inner + clone Robinson_Clause_Impl1_Invariant as Invariant1 with predicate VarsInRange0.vars_in_range = VarsInRange0.vars_in_range - clone Robinson_Formula_Impl1_Invariant as Invariant1 with - function ShallowModel0.shallow_model = ShallowModel4.shallow_model, - predicate Invariant0.invariant' = Invariant0.invariant', + clone Robinson_Logic_FlipV as FlipV0 + clone Robinson_Formula_Impl1_EventuallySatCompleteInner as EventuallySatCompleteInner0 with + predicate CompatibleCompleteInner0.compatible_complete_inner = CompatibleCompleteInner0.compatible_complete_inner, + predicate SatInner0.sat_inner = SatInner0.sat_inner + clone Robinson_Formula_Impl1_Invariant as Invariant0 with + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + predicate Invariant0.invariant' = Invariant1.invariant', val Max0.mAX' = Max0.mAX' - use Robinson_Clause_ClauseState_Type as Robinson_Clause_ClauseState_Type - let rec cfg check_if_unit [#"../Robinson/src/clause.rs" 121 4 121 77] [@cfg:stackify] [@cfg:subregion_analysis] (self : Robinson_Clause_Clause_Type.t_clause) (a : Robinson_Assignments_Assignments_Type.t_assignments) (_f : Robinson_Formula_Formula_Type.t_formula) : Robinson_Clause_ClauseState_Type.t_clausestate - requires {[#"../Robinson/src/clause.rs" 114 15 114 41] 
Invariant0.invariant' self (Seq.length (ShallowModel0.shallow_model a))} - requires {[#"../Robinson/src/clause.rs" 115 15 115 29] Invariant1.invariant' _f} - requires {[#"../Robinson/src/clause.rs" 116 15 116 31] Invariant2.invariant' a _f} - ensures { [#"../Robinson/src/clause.rs" 117 4 117 65] result = Robinson_Clause_ClauseState_Type.C_Sat -> Sat0.sat self a } - ensures { [#"../Robinson/src/clause.rs" 118 4 118 67] result = Robinson_Clause_ClauseState_Type.C_Unsat -> Unsat0.unsat self a } - ensures { [#"../Robinson/src/clause.rs" 119 4 119 83] result = Robinson_Clause_ClauseState_Type.C_Unit -> Unit0.unit self a /\ not Complete0.complete a } - ensures { [#"../Robinson/src/clause.rs" 120 4 120 66] result = Robinson_Clause_ClauseState_Type.C_Unknown -> not Complete0.complete a } + let rec ghost function lemma_unit_forces [#"../Robinson/src/logic.rs" 59 0 59 86] (f : Robinson_Formula_Formula_Type.t_formula) (a : Seq.seq uint8) (ix : int) (v : uint8) : () + requires {[#"../Robinson/src/logic.rs" 52 11 52 24] Invariant0.invariant' f} + requires {[#"../Robinson/src/logic.rs" 53 11 53 33] UIntSize.to_int (Robinson_Formula_Formula_Type.formula_num_vars f) = Seq.length a} + requires {[#"../Robinson/src/logic.rs" 54 11 54 50] 0 <= ix /\ ix < Seq.length a /\ Unset0.unset (Seq.get a ix)} + requires {[#"../Robinson/src/logic.rs" 55 11 55 20] not Unset0.unset v} + requires {[#"../Robinson/src/logic.rs" 56 11 56 45] EventuallySatCompleteInner0.eventually_sat_complete_inner f a} + requires {[#"../Robinson/src/logic.rs" 57 11 57 65] not EventuallySatCompleteInner0.eventually_sat_complete_inner f (Seq.set a ix (FlipV0.flip_v v))} + ensures { [#"../Robinson/src/logic.rs" 58 10 58 55] EventuallySatCompleteInner0.eventually_sat_complete_inner f (Seq.set a ix v) } = [@vc:do_not_keep_trace] [@vc:sp] - var _0 : Robinson_Clause_ClauseState_Type.t_clausestate; - var self_1 : Robinson_Clause_Clause_Type.t_clause; - var a_2 : Robinson_Assignments_Assignments_Type.t_assignments; - var _f_3 
: Robinson_Formula_Formula_Type.t_formula; - var i_11 : usize; - var _k_12 : usize; - var unassigned_13 : usize; - var _14 : (); - var _23 : (); - var _24 : bool; - var _25 : usize; - var _26 : usize; - var _27 : Alloc_Vec_Vec_Type.t_vec (Robinson_Lit_Lit_Type.t_lit) (Alloc_Alloc_Global_Type.t_global); - var lit_28 : Robinson_Lit_Lit_Type.t_lit; - var _29 : Robinson_Lit_Lit_Type.t_lit; - var _30 : Alloc_Vec_Vec_Type.t_vec (Robinson_Lit_Lit_Type.t_lit) (Alloc_Alloc_Global_Type.t_global); - var _31 : usize; - var _32 : (); - var _33 : bool; - var _34 : Robinson_Lit_Lit_Type.t_lit; - var _35 : Robinson_Assignments_Assignments_Type.t_assignments; - var _36 : (); - var _37 : bool; - var _38 : Robinson_Lit_Lit_Type.t_lit; - var _39 : Robinson_Assignments_Assignments_Type.t_assignments; - var _40 : (); - var _41 : bool; - var _42 : usize; - var _43 : (); - var _44 : usize; - var _45 : (); - var _46 : (); - var _47 : (); - var _48 : bool; - var _49 : usize; - { - self_1 <- self; - a_2 <- a; - _f_3 <- _f; - goto BB0 - } - BB0 { - i_11 <- ([#"../Robinson/src/clause.rs" 122 27 122 28] (0 : usize)); - _k_12 <- ([#"../Robinson/src/clause.rs" 123 28 123 29] (0 : usize)); - unassigned_13 <- ([#"../Robinson/src/clause.rs" 124 36 124 37] (0 : usize)); - goto BB1 - } - BB1 { - invariant loop_invariant { [#"../Robinson/src/clause.rs" 125 36 125 71] 0 <= UIntSize.to_int i_11 /\ UIntSize.to_int i_11 <= Seq.length (ShallowModel1.shallow_model (Robinson_Clause_Clause_Type.clause_rest self_1)) }; - invariant unass { [#"../Robinson/src/clause.rs" 126 27 126 43] UIntSize.to_int unassigned_13 <= 1 }; - invariant k_is_unass { [#"../Robinson/src/clause.rs" 127 32 127 76] UIntSize.to_int unassigned_13 = 0 \/ Unset0.unset (Seq.get (ShallowModel2.shallow_model self_1) (UIntSize.to_int _k_12)) a_2 }; - invariant kk { [#"../Robinson/src/clause.rs" 125 8 125 73] UIntSize.to_int unassigned_13 > 0 -> Unset0.unset (Seq.get (ShallowModel2.shallow_model self_1) (UIntSize.to_int _k_12)) a_2 }; - invariant 
not_sat { [#"../Robinson/src/clause.rs" 125 8 125 73] forall j : int . 0 <= j /\ j < UIntSize.to_int i_11 -> Unsat1.unsat (Seq.get (ShallowModel2.shallow_model self_1) j) a_2 \/ Unset0.unset (Seq.get (ShallowModel2.shallow_model self_1) j) a_2 /\ UIntSize.to_int unassigned_13 >= 1 }; - invariant k_in_bounds { [#"../Robinson/src/clause.rs" 131 33 131 84] UIntSize.to_int unassigned_13 = 0 \/ 0 <= UIntSize.to_int _k_12 /\ UIntSize.to_int _k_12 < Seq.length (ShallowModel2.shallow_model self_1) }; - invariant k_only { [#"../Robinson/src/clause.rs" 125 8 125 73] UIntSize.to_int unassigned_13 = 1 -> (forall j : int . 0 <= j /\ j < UIntSize.to_int i_11 /\ j <> UIntSize.to_int _k_12 -> not Unset0.unset (Seq.get (ShallowModel2.shallow_model self_1) j) a_2) }; - invariant k_unset { [#"../Robinson/src/clause.rs" 125 8 125 73] UIntSize.to_int unassigned_13 = 0 -> UIntSize.to_int _k_12 = 0 }; - _25 <- i_11; - _27 <- Robinson_Clause_Clause_Type.clause_rest self_1; - _26 <- ([#"../Robinson/src/clause.rs" 135 18 135 33] Len0.len _27); - goto BB2 - } - BB2 { - _24 <- ([#"../Robinson/src/clause.rs" 135 14 135 33] _25 < _26); - switch (_24) - | False -> goto BB14 - | True -> goto BB3 - end - } - BB3 { - _30 <- Robinson_Clause_Clause_Type.clause_rest self_1; - _31 <- i_11; - _29 <- ([#"../Robinson/src/clause.rs" 136 22 136 34] Index0.index _30 _31); - goto BB4 - } - BB4 { - lit_28 <- _29; - _34 <- lit_28; - _35 <- a_2; - _33 <- ([#"../Robinson/src/clause.rs" 137 15 137 29] LitSat0.lit_sat _34 _35); - goto BB5 - } - BB5 { - switch (_33) - | False -> goto BB7 - | True -> goto BB6 - end - } - BB6 { - _0 <- Robinson_Clause_ClauseState_Type.C_Sat; - goto BB18 - } - BB7 { - _38 <- lit_28; - _39 <- a_2; - _37 <- ([#"../Robinson/src/clause.rs" 139 22 139 38] LitUnset0.lit_unset _38 _39); - goto BB8 - } - BB8 { - switch (_37) - | False -> goto BB12 - | True -> goto BB9 - end - } - BB9 { - _42 <- unassigned_13; - _41 <- ([#"../Robinson/src/clause.rs" 141 19 141 33] _42 > 
([#"../Robinson/src/clause.rs" 141 32 141 33] (0 : usize))); - switch (_41) - | False -> goto BB11 - | True -> goto BB10 - end - } - BB10 { - _0 <- Robinson_Clause_ClauseState_Type.C_Unknown; - goto BB18 - } - BB11 { - _40 <- (); - _44 <- i_11; - _k_12 <- _44; - _44 <- any usize; - unassigned_13 <- ([#"../Robinson/src/clause.rs" 145 16 145 31] unassigned_13 + ([#"../Robinson/src/clause.rs" 145 30 145 31] (1 : usize))); - _32 <- (); - goto BB13 - } - BB12 { - _32 <- (); - goto BB13 - } - BB13 { - i_11 <- ([#"../Robinson/src/clause.rs" 147 12 147 18] i_11 + ([#"../Robinson/src/clause.rs" 147 17 147 18] (1 : usize))); - _23 <- (); - goto BB1 - } - BB14 { - _14 <- (); - _49 <- unassigned_13; - _48 <- ([#"../Robinson/src/clause.rs" 149 11 149 26] _49 = ([#"../Robinson/src/clause.rs" 149 25 149 26] (1 : usize))); - switch (_48) - | False -> goto BB16 - | True -> goto BB15 - end - } - BB15 { - _0 <- Robinson_Clause_ClauseState_Type.C_Unit; - goto BB17 - } - BB16 { - _0 <- Robinson_Clause_ClauseState_Type.C_Unsat; - goto BB17 - } - BB17 { - goto BB19 - } - BB18 { - goto BB19 - } - BB19 { - return _0 - } - -end -module Robinson_Lit_Impl0_IndexLogic_Stub - use prelude.Int - use Robinson_Lit_Lit_Type as Robinson_Lit_Lit_Type - function index_logic [@inline:trivial] [#"../Robinson/src/lit.rs" 20 4 20 35] (self : Robinson_Lit_Lit_Type.t_lit) : int - + [#"../Robinson/src/logic.rs" 51 0 51 8] () end -module Robinson_Lit_Impl0_IndexLogic_Interface +module Robinson_Logic_LemmaExtensionSatBaseSat_Stub use prelude.Int - use Robinson_Lit_Lit_Type as Robinson_Lit_Lit_Type - function index_logic [@inline:trivial] [#"../Robinson/src/lit.rs" 20 4 20 35] (self : Robinson_Lit_Lit_Type.t_lit) : int + use seq.Seq + use prelude.UInt8 + use Robinson_Formula_Formula_Type as Robinson_Formula_Formula_Type + clone Robinson_Formula_Impl1_EventuallySatCompleteInner_Stub as EventuallySatCompleteInner0 + clone Robinson_Logic_Unset_Stub as Unset0 + function lemma_extension_sat_base_sat 
[#"../Robinson/src/logic.rs" 82 0 82 97] (f : Robinson_Formula_Formula_Type.t_formula) (a : Seq.seq uint8) (ix : int) (v : uint8) : () end -module Robinson_Lit_Impl0_IndexLogic +module Robinson_Logic_LemmaExtensionSatBaseSat_Interface use prelude.Int - use prelude.UIntSize - use Robinson_Lit_Lit_Type as Robinson_Lit_Lit_Type - function index_logic [@inline:trivial] [#"../Robinson/src/lit.rs" 20 4 20 35] (self : Robinson_Lit_Lit_Type.t_lit) : int - - = - [#"../Robinson/src/lit.rs" 21 8 21 31] UIntSize.to_int (Robinson_Lit_Lit_Type.lit_idx self) - val index_logic [@inline:trivial] [#"../Robinson/src/lit.rs" 20 4 20 35] (self : Robinson_Lit_Lit_Type.t_lit) : int - ensures { result = index_logic self } + use seq.Seq + use prelude.UInt8 + use Robinson_Formula_Formula_Type as Robinson_Formula_Formula_Type + clone Robinson_Formula_Impl1_EventuallySatCompleteInner_Stub as EventuallySatCompleteInner0 + clone Robinson_Logic_Unset_Stub as Unset0 + function lemma_extension_sat_base_sat [#"../Robinson/src/logic.rs" 82 0 82 97] (f : Robinson_Formula_Formula_Type.t_formula) (a : Seq.seq uint8) (ix : int) (v : uint8) : () + axiom lemma_extension_sat_base_sat_spec : forall f : Robinson_Formula_Formula_Type.t_formula, a : Seq.seq uint8, ix : int, v : uint8 . 
([#"../Robinson/src/logic.rs" 79 11 79 50] 0 <= ix /\ ix < Seq.length a /\ Unset0.unset (Seq.get a ix)) -> ([#"../Robinson/src/logic.rs" 80 11 80 56] EventuallySatCompleteInner0.eventually_sat_complete_inner f (Seq.set a ix v)) -> ([#"../Robinson/src/logic.rs" 81 10 81 44] EventuallySatCompleteInner0.eventually_sat_complete_inner f a) end -module Robinson_Clause_Impl2_GetUnit_Interface +module Robinson_Logic_LemmaExtensionSatBaseSat use prelude.Int use seq.Seq - use prelude.Borrow use prelude.UInt8 - use seq.Seq - use Robinson_Lit_Lit_Type as Robinson_Lit_Lit_Type use Robinson_Formula_Formula_Type as Robinson_Formula_Formula_Type - use Robinson_Assignments_Assignments_Type as Robinson_Assignments_Assignments_Type - use Robinson_Clause_Clause_Type as Robinson_Clause_Clause_Type + clone Robinson_Formula_Impl1_EventuallySatCompleteInner_Stub as EventuallySatCompleteInner0 clone Robinson_Logic_Unset_Stub as Unset0 - clone CreusotContracts_Model_Impl1_ShallowModel_Stub as ShallowModel1 with - type t = Robinson_Assignments_Assignments_Type.t_assignments, - type ShallowModelTy0.shallowModelTy = Seq.seq uint8 - clone Robinson_Lit_Impl0_IndexLogic_Stub as IndexLogic0 - clone CreusotContracts_Model_Impl1_ShallowModel_Stub as ShallowModel0 with - type t = Robinson_Clause_Clause_Type.t_clause, - type ShallowModelTy0.shallowModelTy = Seq.seq (Robinson_Lit_Lit_Type.t_lit) - clone Robinson_Assignments_Impl1_Invariant_Stub as Invariant1 - clone Robinson_Formula_Impl1_Invariant_Stub as Invariant0 - clone Robinson_Clause_Impl1_Unit_Stub as Unit0 - val get_unit [#"../Robinson/src/clause.rs" 163 4 163 64] (self : Robinson_Clause_Clause_Type.t_clause) (a : Robinson_Assignments_Assignments_Type.t_assignments) (_f : Robinson_Formula_Formula_Type.t_formula) : Robinson_Lit_Lit_Type.t_lit - requires {[#"../Robinson/src/clause.rs" 157 15 157 28] Unit0.unit self a} - requires {[#"../Robinson/src/clause.rs" 158 15 158 29] Invariant0.invariant' _f} - requires {[#"../Robinson/src/clause.rs" 159 
15 159 31] Invariant1.invariant' a _f} - ensures { [#"../Robinson/src/clause.rs" 160 4 160 82] exists j : int . 0 <= j /\ j < Seq.length (ShallowModel0.shallow_model self) /\ Seq.get (ShallowModel0.shallow_model self) j = result } - ensures { [#"../Robinson/src/clause.rs" 161 14 161 47] IndexLogic0.index_logic result < Seq.length (ShallowModel1.shallow_model a) } - ensures { [#"../Robinson/src/clause.rs" 162 14 162 47] Unset0.unset (Seq.get (ShallowModel1.shallow_model a) (IndexLogic0.index_logic result)) } + function lemma_extension_sat_base_sat [#"../Robinson/src/logic.rs" 82 0 82 97] (f : Robinson_Formula_Formula_Type.t_formula) (a : Seq.seq uint8) (ix : int) (v : uint8) : () + + = + [#"../Robinson/src/logic.rs" 78 0 78 8] () + val lemma_extension_sat_base_sat [#"../Robinson/src/logic.rs" 82 0 82 97] (f : Robinson_Formula_Formula_Type.t_formula) (a : Seq.seq uint8) (ix : int) (v : uint8) : () + requires {[#"../Robinson/src/logic.rs" 79 11 79 50] 0 <= ix /\ ix < Seq.length a /\ Unset0.unset (Seq.get a ix)} + requires {[#"../Robinson/src/logic.rs" 80 11 80 56] EventuallySatCompleteInner0.eventually_sat_complete_inner f (Seq.set a ix v)} + ensures { result = lemma_extension_sat_base_sat f a ix v } + axiom lemma_extension_sat_base_sat_spec : forall f : Robinson_Formula_Formula_Type.t_formula, a : Seq.seq uint8, ix : int, v : uint8 . 
([#"../Robinson/src/logic.rs" 79 11 79 50] 0 <= ix /\ ix < Seq.length a /\ Unset0.unset (Seq.get a ix)) -> ([#"../Robinson/src/logic.rs" 80 11 80 56] EventuallySatCompleteInner0.eventually_sat_complete_inner f (Seq.set a ix v)) -> ([#"../Robinson/src/logic.rs" 81 10 81 44] EventuallySatCompleteInner0.eventually_sat_complete_inner f a) end -module Robinson_Clause_Impl2_GetUnit - use prelude.Borrow +module Robinson_Logic_LemmaExtensionSatBaseSat_Impl use prelude.Int - use prelude.UIntSize use seq.Seq use prelude.UInt8 + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type use Robinson_Lit_Lit_Type as Robinson_Lit_Lit_Type - clone Robinson_Lit_Impl1_SatInner as SatInner1 use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type - clone Core_Num_Impl12_Max as Max0 - use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type - clone CreusotContracts_Std1_Vec_Impl0_ShallowModel as ShallowModel7 with + clone Core_Num_Impl11_Max as Max0 + clone CreusotContracts_Std1_Vec_Impl0_ShallowModel as ShallowModel2 with type t = Robinson_Lit_Lit_Type.t_lit, type a = Alloc_Alloc_Global_Type.t_global, val Max0.mAX' = Max0.mAX', axiom . 
+ clone Robinson_Lit_Impl1_SatInner as SatInner2 use Robinson_Clause_Clause_Type as Robinson_Clause_Clause_Type - clone Robinson_Clause_Impl0_ShallowModel as ShallowModel4 with - function ShallowModel0.shallow_model = ShallowModel7.shallow_model, + clone Robinson_Clause_Impl0_ShallowModel as ShallowModel1 with + function ShallowModel0.shallow_model = ShallowModel2.shallow_model, val Max0.mAX' = Max0.mAX' - clone Robinson_Clause_Impl1_SatInner as SatInner0 with - function ShallowModel0.shallow_model = ShallowModel4.shallow_model, - predicate SatInner0.sat_inner = SatInner1.sat_inner - clone Robinson_Lit_Impl1_Invariant as Invariant3 - clone Robinson_Clause_Impl1_VarsInRange as VarsInRange0 with - function ShallowModel0.shallow_model = ShallowModel4.shallow_model, - predicate Invariant0.invariant' = Invariant3.invariant' - clone CreusotContracts_Std1_Vec_Impl0_ShallowModel as ShallowModel6 with - type t = uint8, - type a = Alloc_Alloc_Global_Type.t_global, - val Max0.mAX' = Max0.mAX', - axiom . 
- clone CreusotContracts_Std1_Slice_Impl5_HasValue as HasValue0 with - type t = Robinson_Lit_Lit_Type.t_lit - clone CreusotContracts_Std1_Slice_Impl5_InBounds as InBounds0 with - type t = Robinson_Lit_Lit_Type.t_lit - use seq.Seq - clone CreusotContracts_Model_Impl1_ShallowModel as ShallowModel5 with - type t = Alloc_Vec_Vec_Type.t_vec (Robinson_Lit_Lit_Type.t_lit) (Alloc_Alloc_Global_Type.t_global), - type ShallowModelTy0.shallowModelTy = Seq.seq (Robinson_Lit_Lit_Type.t_lit), - function ShallowModel0.shallow_model = ShallowModel7.shallow_model - clone Robinson_Lit_Impl1_UnsetInner as UnsetInner0 - clone Robinson_Clause_Impl1_Invariant as Invariant2 with - predicate VarsInRange0.vars_in_range = VarsInRange0.vars_in_range - clone CreusotContracts_Std1_Vec_Impl0_ShallowModel as ShallowModel3 with + clone Robinson_Clause_Impl1_SatInner as SatInner1 with + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + predicate SatInner0.sat_inner = SatInner2.sat_inner + clone CreusotContracts_Std1_Vec_Impl0_ShallowModel as ShallowModel0 with type t = Robinson_Clause_Clause_Type.t_clause, type a = Alloc_Alloc_Global_Type.t_global, val Max0.mAX' = Max0.mAX', axiom . 
- clone Robinson_Clause_Impl1_UnitInner as UnitInner0 with - predicate VarsInRange0.vars_in_range = VarsInRange0.vars_in_range, - predicate SatInner0.sat_inner = SatInner0.sat_inner, - function ShallowModel0.shallow_model = ShallowModel4.shallow_model, - predicate UnsetInner0.unset_inner = UnsetInner0.unset_inner - use Robinson_Assignments_Assignments_Type as Robinson_Assignments_Assignments_Type - clone Robinson_Assignments_Impl0_ShallowModel as ShallowModel2 with - function ShallowModel0.shallow_model = ShallowModel6.shallow_model, - val Max0.mAX' = Max0.mAX' - clone Robinson_Lit_Impl1_Unset as Unset1 with - function ShallowModel0.shallow_model = ShallowModel2.shallow_model, - predicate UnsetInner0.unset_inner = UnsetInner0.unset_inner - clone CreusotContracts_Model_Impl1_ShallowModel as ShallowModel1 with - type t = Robinson_Assignments_Assignments_Type.t_assignments, - type ShallowModelTy0.shallowModelTy = Seq.seq uint8, - function ShallowModel0.shallow_model = ShallowModel2.shallow_model - clone Robinson_Lit_Impl2_LitUnset_Interface as LitUnset0 with - function ShallowModel0.shallow_model = ShallowModel1.shallow_model, - predicate Invariant0.invariant' = Invariant3.invariant', - predicate Unset0.unset = Unset1.unset - clone Alloc_Vec_Impl15_Index_Interface as Index0 with - type t = Robinson_Lit_Lit_Type.t_lit, - type i = usize, - type a = Alloc_Alloc_Global_Type.t_global, - function ShallowModel0.shallow_model = ShallowModel5.shallow_model, - predicate InBounds0.in_bounds = InBounds0.in_bounds, - predicate HasValue0.has_value = HasValue0.has_value, - type Output0.output = Robinson_Lit_Lit_Type.t_lit - clone Alloc_Vec_Impl1_Len_Interface as Len0 with - type t = Robinson_Lit_Lit_Type.t_lit, - type a = Alloc_Alloc_Global_Type.t_global, - function ShallowModel0.shallow_model = ShallowModel5.shallow_model clone Robinson_Logic_Unset as Unset0 - clone Robinson_Lit_Impl0_IndexLogic as IndexLogic0 - clone CreusotContracts_Model_Impl1_ShallowModel as ShallowModel0 with 
- type t = Robinson_Clause_Clause_Type.t_clause, - type ShallowModelTy0.shallowModelTy = Seq.seq (Robinson_Lit_Lit_Type.t_lit), - function ShallowModel0.shallow_model = ShallowModel4.shallow_model + clone Robinson_Assignments_CompleteInner as CompleteInner0 with + predicate Unset0.unset = Unset0.unset + clone Robinson_Assignments_CompatibleInner as CompatibleInner0 with + predicate Unset0.unset = Unset0.unset use Robinson_Formula_Formula_Type as Robinson_Formula_Formula_Type - clone Robinson_Assignments_Impl1_Invariant as Invariant1 with - function ShallowModel0.shallow_model = ShallowModel2.shallow_model - clone Robinson_Formula_Impl1_Invariant as Invariant0 with - function ShallowModel0.shallow_model = ShallowModel3.shallow_model, - predicate Invariant0.invariant' = Invariant2.invariant', + clone Robinson_Formula_Impl1_SatInner as SatInner0 with + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + predicate SatInner0.sat_inner = SatInner1.sat_inner, val Max0.mAX' = Max0.mAX' - clone Robinson_Clause_Impl1_Unit as Unit0 with - function ShallowModel0.shallow_model = ShallowModel2.shallow_model, - predicate UnitInner0.unit_inner = UnitInner0.unit_inner - let rec cfg get_unit [#"../Robinson/src/clause.rs" 163 4 163 64] [@cfg:stackify] [@cfg:subregion_analysis] (self : Robinson_Clause_Clause_Type.t_clause) (a : Robinson_Assignments_Assignments_Type.t_assignments) (_f : Robinson_Formula_Formula_Type.t_formula) : Robinson_Lit_Lit_Type.t_lit - requires {[#"../Robinson/src/clause.rs" 157 15 157 28] Unit0.unit self a} - requires {[#"../Robinson/src/clause.rs" 158 15 158 29] Invariant0.invariant' _f} - requires {[#"../Robinson/src/clause.rs" 159 15 159 31] Invariant1.invariant' a _f} - ensures { [#"../Robinson/src/clause.rs" 160 4 160 82] exists j : int . 
0 <= j /\ j < Seq.length (ShallowModel0.shallow_model self) /\ Seq.get (ShallowModel0.shallow_model self) j = result } - ensures { [#"../Robinson/src/clause.rs" 161 14 161 47] IndexLogic0.index_logic result < Seq.length (ShallowModel1.shallow_model a) } - ensures { [#"../Robinson/src/clause.rs" 162 14 162 47] Unset0.unset (Seq.get (ShallowModel1.shallow_model a) (IndexLogic0.index_logic result)) } + clone Robinson_Assignments_CompatibleCompleteInner as CompatibleCompleteInner0 with + predicate CompatibleInner0.compatible_inner = CompatibleInner0.compatible_inner, + predicate CompleteInner0.complete_inner = CompleteInner0.complete_inner + clone Robinson_Formula_Impl1_EventuallySatCompleteInner as EventuallySatCompleteInner0 with + predicate CompatibleCompleteInner0.compatible_complete_inner = CompatibleCompleteInner0.compatible_complete_inner, + predicate SatInner0.sat_inner = SatInner0.sat_inner + let rec ghost function lemma_extension_sat_base_sat [#"../Robinson/src/logic.rs" 82 0 82 97] (f : Robinson_Formula_Formula_Type.t_formula) (a : Seq.seq uint8) (ix : int) (v : uint8) : () + requires {[#"../Robinson/src/logic.rs" 79 11 79 50] 0 <= ix /\ ix < Seq.length a /\ Unset0.unset (Seq.get a ix)} + requires {[#"../Robinson/src/logic.rs" 80 11 80 56] EventuallySatCompleteInner0.eventually_sat_complete_inner f (Seq.set a ix v)} + ensures { [#"../Robinson/src/logic.rs" 81 10 81 44] EventuallySatCompleteInner0.eventually_sat_complete_inner f a } = [@vc:do_not_keep_trace] [@vc:sp] - var _0 : Robinson_Lit_Lit_Type.t_lit; - var self_1 : Robinson_Clause_Clause_Type.t_clause; - var a_2 : Robinson_Assignments_Assignments_Type.t_assignments; - var _f_3 : Robinson_Formula_Formula_Type.t_formula; - var _4 : (); - var i_11 : usize; - var _12 : (); - var _14 : (); - var _15 : bool; - var _16 : usize; - var _17 : usize; - var _18 : Alloc_Vec_Vec_Type.t_vec (Robinson_Lit_Lit_Type.t_lit) (Alloc_Alloc_Global_Type.t_global); - var lit_19 : Robinson_Lit_Lit_Type.t_lit; - var _20 : 
Robinson_Lit_Lit_Type.t_lit; - var _21 : Alloc_Vec_Vec_Type.t_vec (Robinson_Lit_Lit_Type.t_lit) (Alloc_Alloc_Global_Type.t_global); - var _22 : usize; - var _23 : (); - var _24 : bool; - var _25 : Robinson_Lit_Lit_Type.t_lit; - var _26 : Robinson_Assignments_Assignments_Type.t_assignments; - var _27 : (); - var _28 : (); - var _29 : (); - var _30 : (); - var _31 : (); - { - self_1 <- self; - a_2 <- a; - _f_3 <- _f; - goto BB0 - } - BB0 { - i_11 <- ([#"../Robinson/src/clause.rs" 164 27 164 28] (0 : usize)); - goto BB1 - } - BB1 { - invariant not_unset { [#"../Robinson/src/clause.rs" 165 8 165 90] forall j : int . 0 <= j /\ j < UIntSize.to_int i_11 -> not Unset1.unset (Seq.get (ShallowModel0.shallow_model self_1) j) a_2 }; - _16 <- i_11; - _18 <- Robinson_Clause_Clause_Type.clause_rest self_1; - _17 <- ([#"../Robinson/src/clause.rs" 166 18 166 33] Len0.len _18); - goto BB2 - } - BB2 { - _15 <- ([#"../Robinson/src/clause.rs" 166 14 166 33] _16 < _17); - switch (_15) - | False -> goto BB8 - | True -> goto BB3 - end - } - BB3 { - _21 <- Robinson_Clause_Clause_Type.clause_rest self_1; - _22 <- i_11; - _20 <- ([#"../Robinson/src/clause.rs" 167 22 167 34] Index0.index _21 _22); - goto BB4 - } - BB4 { - lit_19 <- _20; - _25 <- lit_19; - _26 <- a_2; - _24 <- ([#"../Robinson/src/clause.rs" 168 15 168 31] LitUnset0.lit_unset _25 _26); - goto BB5 - } - BB5 { - switch (_24) - | False -> goto BB7 - | True -> goto BB6 - end - } - BB6 { - _0 <- lit_19; - return _0 - } - BB7 { - _23 <- (); - i_11 <- ([#"../Robinson/src/clause.rs" 171 12 171 18] i_11 + ([#"../Robinson/src/clause.rs" 171 17 171 18] (1 : usize))); - _14 <- (); - goto BB1 - } - BB8 { - _12 <- (); - absurd - } - + [#"../Robinson/src/logic.rs" 78 0 78 8] () end -module Robinson_Lit_Impl2_Index_Interface - use prelude.UIntSize +module Robinson_Logic_Neg_Stub use prelude.Int - use Robinson_Lit_Lit_Type as Robinson_Lit_Lit_Type - clone Robinson_Lit_Impl0_IndexLogic_Stub as IndexLogic0 - val index [#"../Robinson/src/lit.rs" 
88 4 88 31] (self : Robinson_Lit_Lit_Type.t_lit) : usize - ensures { [#"../Robinson/src/lit.rs" 87 14 87 43] UIntSize.to_int result = IndexLogic0.index_logic self } - + use prelude.UInt8 + function neg [#"../Robinson/src/logic.rs" 36 0 36 25] (_1' : ()) : uint8 end -module Robinson_Lit_Impl2_Index +module Robinson_Logic_Neg_Interface use prelude.Int - use prelude.UIntSize - use Robinson_Lit_Lit_Type as Robinson_Lit_Lit_Type - clone Robinson_Lit_Impl0_IndexLogic as IndexLogic0 - let rec cfg index [#"../Robinson/src/lit.rs" 88 4 88 31] [@cfg:stackify] [@cfg:subregion_analysis] (self : Robinson_Lit_Lit_Type.t_lit) : usize - ensures { [#"../Robinson/src/lit.rs" 87 14 87 43] UIntSize.to_int result = IndexLogic0.index_logic self } - - = [@vc:do_not_keep_trace] [@vc:sp] - var _0 : usize; - var self_1 : Robinson_Lit_Lit_Type.t_lit; - { - self_1 <- self; - goto BB0 - } - BB0 { - _0 <- Robinson_Lit_Lit_Type.lit_idx self_1; - return _0 - } - + use prelude.UInt8 + function neg [#"../Robinson/src/logic.rs" 36 0 36 25] (_1' : ()) : uint8 end -module CreusotContracts_Std1_Slice_SliceIndex_ResolveElswhere_Stub - type self - type t - clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with - type self = t - predicate resolve_elswhere (self : self) (old' : ShallowModelTy0.shallowModelTy) (fin : ShallowModelTy0.shallowModelTy) - -end -module CreusotContracts_Std1_Slice_SliceIndex_ResolveElswhere_Interface - type self - type t - clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with - type self = t - predicate resolve_elswhere (self : self) (old' : ShallowModelTy0.shallowModelTy) (fin : ShallowModelTy0.shallowModelTy) - -end -module CreusotContracts_Std1_Slice_SliceIndex_ResolveElswhere - type self - type t - clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with - type self = t - predicate resolve_elswhere (self : self) (old' : ShallowModelTy0.shallowModelTy) (fin : 
ShallowModelTy0.shallowModelTy) - - val resolve_elswhere (self : self) (old' : ShallowModelTy0.shallowModelTy) (fin : ShallowModelTy0.shallowModelTy) : bool - ensures { result = resolve_elswhere self old' fin } - -end -module Alloc_Vec_Impl16_IndexMut_Interface - type t - type i - type a - use prelude.Borrow - use seq.Seq - use prelude.Slice - use prelude.Seq - clone Core_Num_Impl12_Max_Stub as Max0 - use seq.Seq - clone Core_Slice_Index_SliceIndex_Output_Type as Output0 with - type self = i, - type t = seq t - use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type - clone CreusotContracts_Std1_Slice_SliceIndex_ResolveElswhere_Stub as ResolveElswhere0 with - type self = i, - type t = seq t, - type ShallowModelTy0.shallowModelTy = Seq.seq t - clone CreusotContracts_Std1_Vec_Impl0_ShallowModel_Stub as ShallowModel1 with - type t = t, - type a = a, - val Max0.mAX' = Max0.mAX', - axiom . - clone CreusotContracts_Std1_Slice_SliceIndex_HasValue_Stub as HasValue0 with - type self = i, - type t = seq t, - type ShallowModelTy0.shallowModelTy = Seq.seq t, - type Output0.output = Output0.output - clone CreusotContracts_Std1_Slice_SliceIndex_InBounds_Stub as InBounds0 with - type self = i, - type t = seq t, - type ShallowModelTy0.shallowModelTy = Seq.seq t - clone CreusotContracts_Model_Impl3_ShallowModel_Stub as ShallowModel0 with - type t = Alloc_Vec_Vec_Type.t_vec t a, - type ShallowModelTy0.shallowModelTy = Seq.seq t - val index_mut (self : borrowed (Alloc_Vec_Vec_Type.t_vec t a)) (index : i) : borrowed Output0.output - requires {InBounds0.in_bounds index (ShallowModel0.shallow_model self)} - ensures { HasValue0.has_value index (ShallowModel0.shallow_model self) ( * result) } - ensures { HasValue0.has_value index (ShallowModel1.shallow_model ( ^ self)) ( ^ result) } - ensures { ResolveElswhere0.resolve_elswhere index (ShallowModel0.shallow_model self) (ShallowModel1.shallow_model ( ^ self)) } - ensures { Seq.length (ShallowModel1.shallow_model ( ^ self)) = Seq.length 
(ShallowModel0.shallow_model self) } - -end -module Robinson_Logic_BoolToAssignedstate_Stub - use prelude.UInt8 - use prelude.Int - function bool_to_assignedstate [#"../Robinson/src/logic.rs" 9 0 9 54] (b : bool) : uint8 -end -module Robinson_Logic_BoolToAssignedstate_Interface - use prelude.UInt8 - use prelude.Int - function bool_to_assignedstate [#"../Robinson/src/logic.rs" 9 0 9 54] (b : bool) : uint8 - axiom bool_to_assignedstate_spec : forall b : bool . ([#"../Robinson/src/logic.rs" 8 0 8 31] not b -> UInt8.to_int (bool_to_assignedstate b) = 0) && ([#"../Robinson/src/logic.rs" 7 0 7 30] b -> UInt8.to_int (bool_to_assignedstate b) = 1) -end -module Robinson_Logic_BoolToAssignedstate - use prelude.UInt8 +module Robinson_Logic_Neg use prelude.Int - function bool_to_assignedstate [#"../Robinson/src/logic.rs" 9 0 9 54] (b : bool) : uint8 = - [#"../Robinson/src/logic.rs" 6 0 6 8] if b then (1 : uint8) else (0 : uint8) - val bool_to_assignedstate [#"../Robinson/src/logic.rs" 9 0 9 54] (b : bool) : uint8 - ensures { result = bool_to_assignedstate b } - - axiom bool_to_assignedstate_spec : forall b : bool . 
([#"../Robinson/src/logic.rs" 8 0 8 31] not b -> UInt8.to_int (bool_to_assignedstate b) = 0) && ([#"../Robinson/src/logic.rs" 7 0 7 30] b -> UInt8.to_int (bool_to_assignedstate b) = 1) -end -module Robinson_Logic_BoolToAssignedstate_Impl use prelude.UInt8 - use prelude.Int - let rec ghost function bool_to_assignedstate [#"../Robinson/src/logic.rs" 9 0 9 54] (b : bool) : uint8 - ensures { [#"../Robinson/src/logic.rs" 7 0 7 30] b -> UInt8.to_int result = 1 } - ensures { [#"../Robinson/src/logic.rs" 8 0 8 31] not b -> UInt8.to_int result = 0 } - - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../Robinson/src/logic.rs" 6 0 6 8] if b then (1 : uint8) else (0 : uint8) -end -module Robinson_Clause_Impl1_InFormula_Stub - use Robinson_Formula_Formula_Type as Robinson_Formula_Formula_Type - use Robinson_Clause_Clause_Type as Robinson_Clause_Clause_Type - predicate in_formula [#"../Robinson/src/clause.rs" 26 4 26 47] (self : Robinson_Clause_Clause_Type.t_clause) (f : Robinson_Formula_Formula_Type.t_formula) - -end -module Robinson_Clause_Impl1_InFormula_Interface - use Robinson_Formula_Formula_Type as Robinson_Formula_Formula_Type - use Robinson_Clause_Clause_Type as Robinson_Clause_Clause_Type - predicate in_formula [#"../Robinson/src/clause.rs" 26 4 26 47] (self : Robinson_Clause_Clause_Type.t_clause) (f : Robinson_Formula_Formula_Type.t_formula) - -end -module Robinson_Clause_Impl1_InFormula - use prelude.Int - use seq.Seq - use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type - use Robinson_Clause_Clause_Type as Robinson_Clause_Clause_Type - use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type - clone Core_Num_Impl12_Max_Stub as Max0 - clone CreusotContracts_Std1_Vec_Impl0_ShallowModel_Stub as ShallowModel0 with - type t = Robinson_Clause_Clause_Type.t_clause, - type a = Alloc_Alloc_Global_Type.t_global, - val Max0.mAX' = Max0.mAX', - axiom . 
- use Robinson_Formula_Formula_Type as Robinson_Formula_Formula_Type - predicate in_formula [#"../Robinson/src/clause.rs" 26 4 26 47] (self : Robinson_Clause_Clause_Type.t_clause) (f : Robinson_Formula_Formula_Type.t_formula) - - = - [#"../Robinson/src/clause.rs" 27 8 30 9] exists i : int . 0 <= i /\ i < Seq.length (ShallowModel0.shallow_model (Robinson_Formula_Formula_Type.formula_clauses f)) /\ Seq.get (ShallowModel0.shallow_model (Robinson_Formula_Formula_Type.formula_clauses f)) i = self - val in_formula [#"../Robinson/src/clause.rs" 26 4 26 47] (self : Robinson_Clause_Clause_Type.t_clause) (f : Robinson_Formula_Formula_Type.t_formula) : bool - ensures { result = in_formula self f } + function neg [#"../Robinson/src/logic.rs" 36 0 36 25] (_1' : ()) : uint8 = + [#"../Robinson/src/logic.rs" 37 4 37 7] (0 : uint8) + val neg [#"../Robinson/src/logic.rs" 36 0 36 25] (_1' : ()) : uint8 + ensures { result = neg _1' } end -module Robinson_Logic_FlipV_Stub +module Robinson_Logic_Pos_Stub use prelude.Int use prelude.UInt8 - function flip_v [#"../Robinson/src/logic.rs" 18 0 18 44] (v : uint8) : uint8 + function pos [#"../Robinson/src/logic.rs" 31 0 31 25] (_1' : ()) : uint8 end -module Robinson_Logic_FlipV_Interface +module Robinson_Logic_Pos_Interface use prelude.Int use prelude.UInt8 - function flip_v [#"../Robinson/src/logic.rs" 18 0 18 44] (v : uint8) : uint8 + function pos [#"../Robinson/src/logic.rs" 31 0 31 25] (_1' : ()) : uint8 end -module Robinson_Logic_FlipV +module Robinson_Logic_Pos use prelude.Int use prelude.UInt8 - function flip_v [#"../Robinson/src/logic.rs" 18 0 18 44] (v : uint8) : uint8 = - [#"../Robinson/src/logic.rs" 19 4 27 5] if UInt8.to_int v = 0 then - (1 : uint8) - else - if UInt8.to_int v = 1 then (0 : uint8) else v - - val flip_v [#"../Robinson/src/logic.rs" 18 0 18 44] (v : uint8) : uint8 - ensures { result = flip_v v } + function pos [#"../Robinson/src/logic.rs" 31 0 31 25] (_1' : ()) : uint8 = + [#"../Robinson/src/logic.rs" 32 4 32 7] (1 : 
uint8) + val pos [#"../Robinson/src/logic.rs" 31 0 31 25] (_1' : ()) : uint8 + ensures { result = pos _1' } end -module Robinson_Formula_Impl1_UnsatInner_Stub - use seq.Seq +module Robinson_Logic_LemmaExtensionsUnsatBaseUnsat_Stub use prelude.Int - use prelude.UInt8 - use Robinson_Formula_Formula_Type as Robinson_Formula_Formula_Type - predicate unsat_inner [#"../Robinson/src/formula.rs" 93 4 93 59] (self : Robinson_Formula_Formula_Type.t_formula) (a : Seq.seq uint8) - -end -module Robinson_Formula_Impl1_UnsatInner_Interface use seq.Seq - use prelude.Int use prelude.UInt8 use Robinson_Formula_Formula_Type as Robinson_Formula_Formula_Type - predicate unsat_inner [#"../Robinson/src/formula.rs" 93 4 93 59] (self : Robinson_Formula_Formula_Type.t_formula) (a : Seq.seq uint8) + clone Robinson_Logic_Pos_Stub as Pos0 + clone Robinson_Formula_Impl1_EventuallySatCompleteInner_Stub as EventuallySatCompleteInner0 + clone Robinson_Logic_Neg_Stub as Neg0 + clone Robinson_Logic_Unset_Stub as Unset0 + function lemma_extensions_unsat_base_unsat [#"../Robinson/src/logic.rs" 89 0 89 84] (a : Seq.seq uint8) (ix : int) (f : Robinson_Formula_Formula_Type.t_formula) : () end -module Robinson_Formula_Impl1_UnsatInner - use seq.Seq +module Robinson_Logic_LemmaExtensionsUnsatBaseUnsat_Interface use prelude.Int - use prelude.UInt8 - use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type - use Robinson_Clause_Clause_Type as Robinson_Clause_Clause_Type - use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type - clone Core_Num_Impl12_Max_Stub as Max0 - clone Robinson_Clause_Impl1_UnsatInner_Stub as UnsatInner0 - clone CreusotContracts_Std1_Vec_Impl0_ShallowModel_Stub as ShallowModel0 with - type t = Robinson_Clause_Clause_Type.t_clause, - type a = Alloc_Alloc_Global_Type.t_global, - val Max0.mAX' = Max0.mAX', - axiom . 
- use Robinson_Formula_Formula_Type as Robinson_Formula_Formula_Type - predicate unsat_inner [#"../Robinson/src/formula.rs" 93 4 93 59] (self : Robinson_Formula_Formula_Type.t_formula) (a : Seq.seq uint8) - - = - [#"../Robinson/src/formula.rs" 94 8 97 9] exists i : int . 0 <= i /\ i < Seq.length (ShallowModel0.shallow_model (Robinson_Formula_Formula_Type.formula_clauses self)) /\ UnsatInner0.unsat_inner (Seq.get (ShallowModel0.shallow_model (Robinson_Formula_Formula_Type.formula_clauses self)) i) a - val unsat_inner [#"../Robinson/src/formula.rs" 93 4 93 59] (self : Robinson_Formula_Formula_Type.t_formula) (a : Seq.seq uint8) : bool - ensures { result = unsat_inner self a } - -end -module Robinson_Logic_LemmaUnitWrongPolarityUnsatFormula_Stub - use prelude.UIntSize use seq.Seq - use prelude.Int use prelude.UInt8 - use Robinson_Clause_Clause_Type as Robinson_Clause_Clause_Type use Robinson_Formula_Formula_Type as Robinson_Formula_Formula_Type - clone Robinson_Formula_Impl1_UnsatInner_Stub as UnsatInner1 + clone Robinson_Logic_Pos_Stub as Pos0 clone Robinson_Formula_Impl1_EventuallySatCompleteInner_Stub as EventuallySatCompleteInner0 - clone Robinson_Logic_FlipV_Stub as FlipV0 - use Robinson_Lit_Lit_Type as Robinson_Lit_Lit_Type - clone Robinson_Lit_Impl1_UnsatInner_Stub as UnsatInner0 - clone Robinson_Logic_BoolToAssignedstate_Stub as BoolToAssignedstate0 with - axiom . 
- clone Robinson_Lit_Impl0_IndexLogic_Stub as IndexLogic0 - clone Robinson_Clause_Impl0_ShallowModel_Stub as ShallowModel0 - clone Robinson_Clause_Impl1_Invariant_Stub as Invariant1 - clone Robinson_Clause_Impl1_InFormula_Stub as InFormula0 - clone Robinson_Clause_Impl1_UnitInner_Stub as UnitInner0 + clone Robinson_Logic_Neg_Stub as Neg0 clone Robinson_Logic_Unset_Stub as Unset0 - clone Robinson_Formula_Impl1_Invariant_Stub as Invariant0 - function lemma_unit_wrong_polarity_unsat_formula [#"../Robinson/src/logic.rs" 73 0 75 1] (c : Robinson_Clause_Clause_Type.t_clause) (f : Robinson_Formula_Formula_Type.t_formula) (a : Seq.seq uint8) (ix : int) (v : uint8) : () + function lemma_extensions_unsat_base_unsat [#"../Robinson/src/logic.rs" 89 0 89 84] (a : Seq.seq uint8) (ix : int) (f : Robinson_Formula_Formula_Type.t_formula) : () + axiom lemma_extensions_unsat_base_unsat_spec : forall a : Seq.seq uint8, ix : int, f : Robinson_Formula_Formula_Type.t_formula . ([#"../Robinson/src/logic.rs" 85 11 85 50] 0 <= ix /\ ix < Seq.length a /\ Unset0.unset (Seq.get a ix)) -> ([#"../Robinson/src/logic.rs" 86 11 86 61] not EventuallySatCompleteInner0.eventually_sat_complete_inner f (Seq.set a ix (Neg0.neg ()))) -> ([#"../Robinson/src/logic.rs" 87 11 87 61] not EventuallySatCompleteInner0.eventually_sat_complete_inner f (Seq.set a ix (Pos0.pos ()))) -> ([#"../Robinson/src/logic.rs" 88 10 88 45] not EventuallySatCompleteInner0.eventually_sat_complete_inner f a) end -module Robinson_Logic_LemmaUnitWrongPolarityUnsatFormula_Interface - use prelude.UIntSize - use seq.Seq +module Robinson_Logic_LemmaExtensionsUnsatBaseUnsat use prelude.Int + use seq.Seq use prelude.UInt8 - use Robinson_Clause_Clause_Type as Robinson_Clause_Clause_Type use Robinson_Formula_Formula_Type as Robinson_Formula_Formula_Type - clone Robinson_Formula_Impl1_UnsatInner_Stub as UnsatInner1 + clone Robinson_Logic_Pos_Stub as Pos0 clone Robinson_Formula_Impl1_EventuallySatCompleteInner_Stub as 
EventuallySatCompleteInner0 - clone Robinson_Logic_FlipV_Stub as FlipV0 - use Robinson_Lit_Lit_Type as Robinson_Lit_Lit_Type - clone Robinson_Lit_Impl1_UnsatInner_Stub as UnsatInner0 - clone Robinson_Logic_BoolToAssignedstate_Stub as BoolToAssignedstate0 with - axiom . - clone Robinson_Lit_Impl0_IndexLogic_Stub as IndexLogic0 - clone Robinson_Clause_Impl0_ShallowModel_Stub as ShallowModel0 - clone Robinson_Clause_Impl1_Invariant_Stub as Invariant1 - clone Robinson_Clause_Impl1_InFormula_Stub as InFormula0 - clone Robinson_Clause_Impl1_UnitInner_Stub as UnitInner0 + clone Robinson_Logic_Neg_Stub as Neg0 clone Robinson_Logic_Unset_Stub as Unset0 - clone Robinson_Formula_Impl1_Invariant_Stub as Invariant0 - function lemma_unit_wrong_polarity_unsat_formula [#"../Robinson/src/logic.rs" 73 0 75 1] (c : Robinson_Clause_Clause_Type.t_clause) (f : Robinson_Formula_Formula_Type.t_formula) (a : Seq.seq uint8) (ix : int) (v : uint8) : () + function lemma_extensions_unsat_base_unsat [#"../Robinson/src/logic.rs" 89 0 89 84] (a : Seq.seq uint8) (ix : int) (f : Robinson_Formula_Formula_Type.t_formula) : () - axiom lemma_unit_wrong_polarity_unsat_formula_spec : forall c : Robinson_Clause_Clause_Type.t_clause, f : Robinson_Formula_Formula_Type.t_formula, a : Seq.seq uint8, ix : int, v : uint8 . ([#"../Robinson/src/logic.rs" 62 11 62 24] Invariant0.invariant' f) -> ([#"../Robinson/src/logic.rs" 63 11 63 33] UIntSize.to_int (Robinson_Formula_Formula_Type.formula_num_vars f) = Seq.length a) -> ([#"../Robinson/src/logic.rs" 64 11 64 50] 0 <= ix /\ ix < Seq.length a /\ Unset0.unset (Seq.get a ix)) -> ([#"../Robinson/src/logic.rs" 65 11 65 20] not Unset0.unset v) -> ([#"../Robinson/src/logic.rs" 66 11 66 26] UnitInner0.unit_inner c a) -> ([#"../Robinson/src/logic.rs" 67 11 67 26] InFormula0.in_formula c f) -> ([#"../Robinson/src/logic.rs" 68 11 68 31] Invariant1.invariant' c (Seq.length a)) -> ([#"../Robinson/src/logic.rs" 69 0 69 133] exists j : int . 
0 <= j /\ j < Seq.length (ShallowModel0.shallow_model c) /\ IndexLogic0.index_logic (Seq.get (ShallowModel0.shallow_model c) j) = ix /\ BoolToAssignedstate0.bool_to_assignedstate (Robinson_Lit_Lit_Type.lit_polarity (Seq.get (ShallowModel0.shallow_model c) j)) = v) -> ([#"../Robinson/src/logic.rs" 70 0 70 113] forall j : int . 0 <= j /\ j < Seq.length (ShallowModel0.shallow_model c) /\ not IndexLogic0.index_logic (Seq.get (ShallowModel0.shallow_model c) j) = ix -> UnsatInner0.unsat_inner (Seq.get (ShallowModel0.shallow_model c) j) a) -> ([#"../Robinson/src/logic.rs" 72 10 72 45] UnsatInner1.unsat_inner f (Seq.set a ix (FlipV0.flip_v v))) && ([#"../Robinson/src/logic.rs" 71 10 71 64] not EventuallySatCompleteInner0.eventually_sat_complete_inner f (Seq.set a ix (FlipV0.flip_v v))) + = + [#"../Robinson/src/logic.rs" 84 0 84 8] () + val lemma_extensions_unsat_base_unsat [#"../Robinson/src/logic.rs" 89 0 89 84] (a : Seq.seq uint8) (ix : int) (f : Robinson_Formula_Formula_Type.t_formula) : () + requires {[#"../Robinson/src/logic.rs" 85 11 85 50] 0 <= ix /\ ix < Seq.length a /\ Unset0.unset (Seq.get a ix)} + requires {[#"../Robinson/src/logic.rs" 86 11 86 61] not EventuallySatCompleteInner0.eventually_sat_complete_inner f (Seq.set a ix (Neg0.neg ()))} + requires {[#"../Robinson/src/logic.rs" 87 11 87 61] not EventuallySatCompleteInner0.eventually_sat_complete_inner f (Seq.set a ix (Pos0.pos ()))} + ensures { result = lemma_extensions_unsat_base_unsat a ix f } + + axiom lemma_extensions_unsat_base_unsat_spec : forall a : Seq.seq uint8, ix : int, f : Robinson_Formula_Formula_Type.t_formula . 
([#"../Robinson/src/logic.rs" 85 11 85 50] 0 <= ix /\ ix < Seq.length a /\ Unset0.unset (Seq.get a ix)) -> ([#"../Robinson/src/logic.rs" 86 11 86 61] not EventuallySatCompleteInner0.eventually_sat_complete_inner f (Seq.set a ix (Neg0.neg ()))) -> ([#"../Robinson/src/logic.rs" 87 11 87 61] not EventuallySatCompleteInner0.eventually_sat_complete_inner f (Seq.set a ix (Pos0.pos ()))) -> ([#"../Robinson/src/logic.rs" 88 10 88 45] not EventuallySatCompleteInner0.eventually_sat_complete_inner f a) end -module Robinson_Logic_LemmaUnitWrongPolarityUnsatFormula - use prelude.UIntSize - use seq.Seq +module Robinson_Logic_LemmaExtensionsUnsatBaseUnsat_Impl use prelude.Int + use seq.Seq use prelude.UInt8 - use Robinson_Clause_Clause_Type as Robinson_Clause_Clause_Type - use Robinson_Formula_Formula_Type as Robinson_Formula_Formula_Type - clone Robinson_Formula_Impl1_UnsatInner_Stub as UnsatInner1 - clone Robinson_Formula_Impl1_EventuallySatCompleteInner_Stub as EventuallySatCompleteInner0 - clone Robinson_Logic_FlipV_Stub as FlipV0 + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type use Robinson_Lit_Lit_Type as Robinson_Lit_Lit_Type - clone Robinson_Lit_Impl1_UnsatInner_Stub as UnsatInner0 - clone Robinson_Logic_BoolToAssignedstate_Stub as BoolToAssignedstate0 with + use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type + clone Core_Num_Impl11_Max as Max0 + clone CreusotContracts_Std1_Vec_Impl0_ShallowModel as ShallowModel2 with + type t = Robinson_Lit_Lit_Type.t_lit, + type a = Alloc_Alloc_Global_Type.t_global, + val Max0.mAX' = Max0.mAX', axiom . 
- clone Robinson_Lit_Impl0_IndexLogic_Stub as IndexLogic0 - clone Robinson_Clause_Impl0_ShallowModel_Stub as ShallowModel0 - clone Robinson_Clause_Impl1_Invariant_Stub as Invariant1 - clone Robinson_Clause_Impl1_InFormula_Stub as InFormula0 - clone Robinson_Clause_Impl1_UnitInner_Stub as UnitInner0 - clone Robinson_Logic_Unset_Stub as Unset0 - clone Robinson_Formula_Impl1_Invariant_Stub as Invariant0 - function lemma_unit_wrong_polarity_unsat_formula [#"../Robinson/src/logic.rs" 73 0 75 1] (c : Robinson_Clause_Clause_Type.t_clause) (f : Robinson_Formula_Formula_Type.t_formula) (a : Seq.seq uint8) (ix : int) (v : uint8) : () - - = - [#"../Robinson/src/logic.rs" 61 0 61 8] () - val lemma_unit_wrong_polarity_unsat_formula [#"../Robinson/src/logic.rs" 73 0 75 1] (c : Robinson_Clause_Clause_Type.t_clause) (f : Robinson_Formula_Formula_Type.t_formula) (a : Seq.seq uint8) (ix : int) (v : uint8) : () - requires {[#"../Robinson/src/logic.rs" 62 11 62 24] Invariant0.invariant' f} - requires {[#"../Robinson/src/logic.rs" 63 11 63 33] UIntSize.to_int (Robinson_Formula_Formula_Type.formula_num_vars f) = Seq.length a} - requires {[#"../Robinson/src/logic.rs" 64 11 64 50] 0 <= ix /\ ix < Seq.length a /\ Unset0.unset (Seq.get a ix)} - requires {[#"../Robinson/src/logic.rs" 65 11 65 20] not Unset0.unset v} - requires {[#"../Robinson/src/logic.rs" 66 11 66 26] UnitInner0.unit_inner c a} - requires {[#"../Robinson/src/logic.rs" 67 11 67 26] InFormula0.in_formula c f} - requires {[#"../Robinson/src/logic.rs" 68 11 68 31] Invariant1.invariant' c (Seq.length a)} - requires {[#"../Robinson/src/logic.rs" 69 0 69 133] exists j : int . 0 <= j /\ j < Seq.length (ShallowModel0.shallow_model c) /\ IndexLogic0.index_logic (Seq.get (ShallowModel0.shallow_model c) j) = ix /\ BoolToAssignedstate0.bool_to_assignedstate (Robinson_Lit_Lit_Type.lit_polarity (Seq.get (ShallowModel0.shallow_model c) j)) = v} - requires {[#"../Robinson/src/logic.rs" 70 0 70 113] forall j : int . 
0 <= j /\ j < Seq.length (ShallowModel0.shallow_model c) /\ not IndexLogic0.index_logic (Seq.get (ShallowModel0.shallow_model c) j) = ix -> UnsatInner0.unsat_inner (Seq.get (ShallowModel0.shallow_model c) j) a} - ensures { result = lemma_unit_wrong_polarity_unsat_formula c f a ix v } - - axiom lemma_unit_wrong_polarity_unsat_formula_spec : forall c : Robinson_Clause_Clause_Type.t_clause, f : Robinson_Formula_Formula_Type.t_formula, a : Seq.seq uint8, ix : int, v : uint8 . ([#"../Robinson/src/logic.rs" 62 11 62 24] Invariant0.invariant' f) -> ([#"../Robinson/src/logic.rs" 63 11 63 33] UIntSize.to_int (Robinson_Formula_Formula_Type.formula_num_vars f) = Seq.length a) -> ([#"../Robinson/src/logic.rs" 64 11 64 50] 0 <= ix /\ ix < Seq.length a /\ Unset0.unset (Seq.get a ix)) -> ([#"../Robinson/src/logic.rs" 65 11 65 20] not Unset0.unset v) -> ([#"../Robinson/src/logic.rs" 66 11 66 26] UnitInner0.unit_inner c a) -> ([#"../Robinson/src/logic.rs" 67 11 67 26] InFormula0.in_formula c f) -> ([#"../Robinson/src/logic.rs" 68 11 68 31] Invariant1.invariant' c (Seq.length a)) -> ([#"../Robinson/src/logic.rs" 69 0 69 133] exists j : int . 0 <= j /\ j < Seq.length (ShallowModel0.shallow_model c) /\ IndexLogic0.index_logic (Seq.get (ShallowModel0.shallow_model c) j) = ix /\ BoolToAssignedstate0.bool_to_assignedstate (Robinson_Lit_Lit_Type.lit_polarity (Seq.get (ShallowModel0.shallow_model c) j)) = v) -> ([#"../Robinson/src/logic.rs" 70 0 70 113] forall j : int . 
0 <= j /\ j < Seq.length (ShallowModel0.shallow_model c) /\ not IndexLogic0.index_logic (Seq.get (ShallowModel0.shallow_model c) j) = ix -> UnsatInner0.unsat_inner (Seq.get (ShallowModel0.shallow_model c) j) a) -> ([#"../Robinson/src/logic.rs" 72 10 72 45] UnsatInner1.unsat_inner f (Seq.set a ix (FlipV0.flip_v v))) && ([#"../Robinson/src/logic.rs" 71 10 71 64] not EventuallySatCompleteInner0.eventually_sat_complete_inner f (Seq.set a ix (FlipV0.flip_v v))) -end -module Robinson_Logic_LemmaUnitWrongPolarityUnsatFormula_Impl - use prelude.UIntSize - use seq.Seq - use prelude.Int - use prelude.UInt8 - clone Robinson_Logic_Unset as Unset0 - clone Robinson_Assignments_CompleteInner as CompleteInner0 with - predicate Unset0.unset = Unset0.unset - clone Robinson_Assignments_CompatibleInner as CompatibleInner0 with - predicate Unset0.unset = Unset0.unset - use Robinson_Lit_Lit_Type as Robinson_Lit_Lit_Type clone Robinson_Lit_Impl1_SatInner as SatInner2 - clone Robinson_Lit_Impl1_Invariant as Invariant2 - clone Robinson_Lit_Impl1_UnsatInner as UnsatInner0 - use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type - clone Core_Num_Impl12_Max as Max0 - use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type - clone CreusotContracts_Std1_Vec_Impl0_ShallowModel as ShallowModel2 with - type t = Robinson_Lit_Lit_Type.t_lit, - type a = Alloc_Alloc_Global_Type.t_global, - val Max0.mAX' = Max0.mAX', - axiom . 
use Robinson_Clause_Clause_Type as Robinson_Clause_Clause_Type - clone Robinson_Clause_Impl0_ShallowModel as ShallowModel0 with + clone Robinson_Clause_Impl0_ShallowModel as ShallowModel1 with function ShallowModel0.shallow_model = ShallowModel2.shallow_model, val Max0.mAX' = Max0.mAX' - clone Robinson_Clause_Impl1_UnsatInner as UnsatInner2 with - function ShallowModel0.shallow_model = ShallowModel0.shallow_model, - predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner - clone Robinson_Clause_Impl1_SatInner as SatInner0 with - function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + clone Robinson_Clause_Impl1_SatInner as SatInner1 with + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, predicate SatInner0.sat_inner = SatInner2.sat_inner - clone CreusotContracts_Std1_Vec_Impl0_ShallowModel as ShallowModel1 with + clone CreusotContracts_Std1_Vec_Impl0_ShallowModel as ShallowModel0 with type t = Robinson_Clause_Clause_Type.t_clause, type a = Alloc_Alloc_Global_Type.t_global, val Max0.mAX' = Max0.mAX', axiom . 
+ clone Robinson_Logic_Unset as Unset0 + clone Robinson_Assignments_CompleteInner as CompleteInner0 with + predicate Unset0.unset = Unset0.unset + clone Robinson_Assignments_CompatibleInner as CompatibleInner0 with + predicate Unset0.unset = Unset0.unset use Robinson_Formula_Formula_Type as Robinson_Formula_Formula_Type - clone Robinson_Formula_Impl1_SatInner as SatInner1 with - function ShallowModel0.shallow_model = ShallowModel1.shallow_model, - predicate SatInner0.sat_inner = SatInner0.sat_inner, + clone Robinson_Formula_Impl1_SatInner as SatInner0 with + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + predicate SatInner0.sat_inner = SatInner1.sat_inner, val Max0.mAX' = Max0.mAX' clone Robinson_Assignments_CompatibleCompleteInner as CompatibleCompleteInner0 with predicate CompatibleInner0.compatible_inner = CompatibleInner0.compatible_inner, predicate CompleteInner0.complete_inner = CompleteInner0.complete_inner - clone Robinson_Lit_Impl1_UnsetInner as UnsetInner0 - clone Robinson_Clause_Impl1_VarsInRange as VarsInRange0 with - function ShallowModel0.shallow_model = ShallowModel0.shallow_model, - predicate Invariant0.invariant' = Invariant2.invariant' - clone Robinson_Formula_Impl1_UnsatInner as UnsatInner1 with - function ShallowModel0.shallow_model = ShallowModel1.shallow_model, - predicate UnsatInner0.unsat_inner = UnsatInner2.unsat_inner, - val Max0.mAX' = Max0.mAX' + clone Robinson_Logic_Pos as Pos0 clone Robinson_Formula_Impl1_EventuallySatCompleteInner as EventuallySatCompleteInner0 with predicate CompatibleCompleteInner0.compatible_complete_inner = CompatibleCompleteInner0.compatible_complete_inner, - predicate SatInner0.sat_inner = SatInner1.sat_inner - clone Robinson_Logic_FlipV as FlipV0 - clone Robinson_Logic_BoolToAssignedstate as BoolToAssignedstate0 with - axiom . 
- clone Robinson_Lit_Impl0_IndexLogic as IndexLogic0 - clone Robinson_Clause_Impl1_Invariant as Invariant1 with - predicate VarsInRange0.vars_in_range = VarsInRange0.vars_in_range - clone Robinson_Clause_Impl1_InFormula as InFormula0 with - function ShallowModel0.shallow_model = ShallowModel1.shallow_model, - val Max0.mAX' = Max0.mAX' - clone Robinson_Clause_Impl1_UnitInner as UnitInner0 with - predicate VarsInRange0.vars_in_range = VarsInRange0.vars_in_range, - predicate SatInner0.sat_inner = SatInner0.sat_inner, - function ShallowModel0.shallow_model = ShallowModel0.shallow_model, - predicate UnsetInner0.unset_inner = UnsetInner0.unset_inner - clone Robinson_Formula_Impl1_Invariant as Invariant0 with - function ShallowModel0.shallow_model = ShallowModel1.shallow_model, - predicate Invariant0.invariant' = Invariant1.invariant', - val Max0.mAX' = Max0.mAX' - let rec ghost function lemma_unit_wrong_polarity_unsat_formula [#"../Robinson/src/logic.rs" 73 0 75 1] (c : Robinson_Clause_Clause_Type.t_clause) (f : Robinson_Formula_Formula_Type.t_formula) (a : Seq.seq uint8) (ix : int) (v : uint8) : () - requires {[#"../Robinson/src/logic.rs" 62 11 62 24] Invariant0.invariant' f} - requires {[#"../Robinson/src/logic.rs" 63 11 63 33] UIntSize.to_int (Robinson_Formula_Formula_Type.formula_num_vars f) = Seq.length a} - requires {[#"../Robinson/src/logic.rs" 64 11 64 50] 0 <= ix /\ ix < Seq.length a /\ Unset0.unset (Seq.get a ix)} - requires {[#"../Robinson/src/logic.rs" 65 11 65 20] not Unset0.unset v} - requires {[#"../Robinson/src/logic.rs" 66 11 66 26] UnitInner0.unit_inner c a} - requires {[#"../Robinson/src/logic.rs" 67 11 67 26] InFormula0.in_formula c f} - requires {[#"../Robinson/src/logic.rs" 68 11 68 31] Invariant1.invariant' c (Seq.length a)} - requires {[#"../Robinson/src/logic.rs" 69 0 69 133] exists j : int . 
0 <= j /\ j < Seq.length (ShallowModel0.shallow_model c) /\ IndexLogic0.index_logic (Seq.get (ShallowModel0.shallow_model c) j) = ix /\ BoolToAssignedstate0.bool_to_assignedstate (Robinson_Lit_Lit_Type.lit_polarity (Seq.get (ShallowModel0.shallow_model c) j)) = v} - requires {[#"../Robinson/src/logic.rs" 70 0 70 113] forall j : int . 0 <= j /\ j < Seq.length (ShallowModel0.shallow_model c) /\ not IndexLogic0.index_logic (Seq.get (ShallowModel0.shallow_model c) j) = ix -> UnsatInner0.unsat_inner (Seq.get (ShallowModel0.shallow_model c) j) a} - ensures { [#"../Robinson/src/logic.rs" 71 10 71 64] not EventuallySatCompleteInner0.eventually_sat_complete_inner f (Seq.set a ix (FlipV0.flip_v v)) } - ensures { [#"../Robinson/src/logic.rs" 72 10 72 45] UnsatInner1.unsat_inner f (Seq.set a ix (FlipV0.flip_v v)) } + predicate SatInner0.sat_inner = SatInner0.sat_inner + clone Robinson_Logic_Neg as Neg0 + let rec ghost function lemma_extensions_unsat_base_unsat [#"../Robinson/src/logic.rs" 89 0 89 84] (a : Seq.seq uint8) (ix : int) (f : Robinson_Formula_Formula_Type.t_formula) : () + requires {[#"../Robinson/src/logic.rs" 85 11 85 50] 0 <= ix /\ ix < Seq.length a /\ Unset0.unset (Seq.get a ix)} + requires {[#"../Robinson/src/logic.rs" 86 11 86 61] not EventuallySatCompleteInner0.eventually_sat_complete_inner f (Seq.set a ix (Neg0.neg ()))} + requires {[#"../Robinson/src/logic.rs" 87 11 87 61] not EventuallySatCompleteInner0.eventually_sat_complete_inner f (Seq.set a ix (Pos0.pos ()))} + ensures { [#"../Robinson/src/logic.rs" 88 10 88 45] not EventuallySatCompleteInner0.eventually_sat_complete_inner f a } = [@vc:do_not_keep_trace] [@vc:sp] - [#"../Robinson/src/logic.rs" 61 0 61 8] () + [#"../Robinson/src/logic.rs" 84 0 84 8] () end -module Robinson_Logic_LemmaUnitForces_Stub - use prelude.UIntSize - use seq.Seq - use prelude.Int - use prelude.UInt8 - clone Robinson_Logic_FlipV_Stub as FlipV0 - use Robinson_Formula_Formula_Type as Robinson_Formula_Formula_Type - clone 
Robinson_Formula_Impl1_EventuallySatCompleteInner_Stub as EventuallySatCompleteInner0 - clone Robinson_Logic_Unset_Stub as Unset0 - clone Robinson_Formula_Impl1_Invariant_Stub as Invariant0 - function lemma_unit_forces [#"../Robinson/src/logic.rs" 59 0 59 86] (f : Robinson_Formula_Formula_Type.t_formula) (a : Seq.seq uint8) (ix : int) (v : uint8) : () +module Robinson_Lit_Impl1_Unset_Stub + use Robinson_Assignments_Assignments_Type as Robinson_Assignments_Assignments_Type + use Robinson_Lit_Lit_Type as Robinson_Lit_Lit_Type + predicate unset [#"../Robinson/src/lit.rs" 74 4 74 46] (self : Robinson_Lit_Lit_Type.t_lit) (a : Robinson_Assignments_Assignments_Type.t_assignments) end -module Robinson_Logic_LemmaUnitForces_Interface - use prelude.UIntSize - use seq.Seq - use prelude.Int - use prelude.UInt8 - clone Robinson_Logic_FlipV_Stub as FlipV0 - use Robinson_Formula_Formula_Type as Robinson_Formula_Formula_Type - clone Robinson_Formula_Impl1_EventuallySatCompleteInner_Stub as EventuallySatCompleteInner0 - clone Robinson_Logic_Unset_Stub as Unset0 - clone Robinson_Formula_Impl1_Invariant_Stub as Invariant0 - function lemma_unit_forces [#"../Robinson/src/logic.rs" 59 0 59 86] (f : Robinson_Formula_Formula_Type.t_formula) (a : Seq.seq uint8) (ix : int) (v : uint8) : () +module Robinson_Lit_Impl1_Unset_Interface + use Robinson_Assignments_Assignments_Type as Robinson_Assignments_Assignments_Type + use Robinson_Lit_Lit_Type as Robinson_Lit_Lit_Type + predicate unset [#"../Robinson/src/lit.rs" 74 4 74 46] (self : Robinson_Lit_Lit_Type.t_lit) (a : Robinson_Assignments_Assignments_Type.t_assignments) - axiom lemma_unit_forces_spec : forall f : Robinson_Formula_Formula_Type.t_formula, a : Seq.seq uint8, ix : int, v : uint8 . 
([#"../Robinson/src/logic.rs" 52 11 52 24] Invariant0.invariant' f) -> ([#"../Robinson/src/logic.rs" 53 11 53 33] UIntSize.to_int (Robinson_Formula_Formula_Type.formula_num_vars f) = Seq.length a) -> ([#"../Robinson/src/logic.rs" 54 11 54 50] 0 <= ix /\ ix < Seq.length a /\ Unset0.unset (Seq.get a ix)) -> ([#"../Robinson/src/logic.rs" 55 11 55 20] not Unset0.unset v) -> ([#"../Robinson/src/logic.rs" 56 11 56 45] EventuallySatCompleteInner0.eventually_sat_complete_inner f a) -> ([#"../Robinson/src/logic.rs" 57 11 57 65] not EventuallySatCompleteInner0.eventually_sat_complete_inner f (Seq.set a ix (FlipV0.flip_v v))) -> ([#"../Robinson/src/logic.rs" 58 10 58 55] EventuallySatCompleteInner0.eventually_sat_complete_inner f (Seq.set a ix v)) end -module Robinson_Logic_LemmaUnitForces - use prelude.UIntSize - use seq.Seq - use prelude.Int - use prelude.UInt8 - clone Robinson_Logic_FlipV_Stub as FlipV0 - use Robinson_Formula_Formula_Type as Robinson_Formula_Formula_Type - clone Robinson_Formula_Impl1_EventuallySatCompleteInner_Stub as EventuallySatCompleteInner0 - clone Robinson_Logic_Unset_Stub as Unset0 - clone Robinson_Formula_Impl1_Invariant_Stub as Invariant0 - function lemma_unit_forces [#"../Robinson/src/logic.rs" 59 0 59 86] (f : Robinson_Formula_Formula_Type.t_formula) (a : Seq.seq uint8) (ix : int) (v : uint8) : () +module Robinson_Lit_Impl1_Unset + use Robinson_Lit_Lit_Type as Robinson_Lit_Lit_Type + clone Robinson_Lit_Impl1_UnsetInner_Stub as UnsetInner0 + use Robinson_Assignments_Assignments_Type as Robinson_Assignments_Assignments_Type + clone Robinson_Assignments_Impl0_ShallowModel_Stub as ShallowModel0 + predicate unset [#"../Robinson/src/lit.rs" 74 4 74 46] (self : Robinson_Lit_Lit_Type.t_lit) (a : Robinson_Assignments_Assignments_Type.t_assignments) = - [#"../Robinson/src/logic.rs" 51 0 51 8] () - val lemma_unit_forces [#"../Robinson/src/logic.rs" 59 0 59 86] (f : Robinson_Formula_Formula_Type.t_formula) (a : Seq.seq uint8) (ix : int) (v : uint8) : () - 
requires {[#"../Robinson/src/logic.rs" 52 11 52 24] Invariant0.invariant' f} - requires {[#"../Robinson/src/logic.rs" 53 11 53 33] UIntSize.to_int (Robinson_Formula_Formula_Type.formula_num_vars f) = Seq.length a} - requires {[#"../Robinson/src/logic.rs" 54 11 54 50] 0 <= ix /\ ix < Seq.length a /\ Unset0.unset (Seq.get a ix)} - requires {[#"../Robinson/src/logic.rs" 55 11 55 20] not Unset0.unset v} - requires {[#"../Robinson/src/logic.rs" 56 11 56 45] EventuallySatCompleteInner0.eventually_sat_complete_inner f a} - requires {[#"../Robinson/src/logic.rs" 57 11 57 65] not EventuallySatCompleteInner0.eventually_sat_complete_inner f (Seq.set a ix (FlipV0.flip_v v))} - ensures { result = lemma_unit_forces f a ix v } + [#"../Robinson/src/lit.rs" 75 20 75 40] UnsetInner0.unset_inner self (ShallowModel0.shallow_model a) + val unset [#"../Robinson/src/lit.rs" 74 4 74 46] (self : Robinson_Lit_Lit_Type.t_lit) (a : Robinson_Assignments_Assignments_Type.t_assignments) : bool + ensures { result = unset self a } - axiom lemma_unit_forces_spec : forall f : Robinson_Formula_Formula_Type.t_formula, a : Seq.seq uint8, ix : int, v : uint8 . 
([#"../Robinson/src/logic.rs" 52 11 52 24] Invariant0.invariant' f) -> ([#"../Robinson/src/logic.rs" 53 11 53 33] UIntSize.to_int (Robinson_Formula_Formula_Type.formula_num_vars f) = Seq.length a) -> ([#"../Robinson/src/logic.rs" 54 11 54 50] 0 <= ix /\ ix < Seq.length a /\ Unset0.unset (Seq.get a ix)) -> ([#"../Robinson/src/logic.rs" 55 11 55 20] not Unset0.unset v) -> ([#"../Robinson/src/logic.rs" 56 11 56 45] EventuallySatCompleteInner0.eventually_sat_complete_inner f a) -> ([#"../Robinson/src/logic.rs" 57 11 57 65] not EventuallySatCompleteInner0.eventually_sat_complete_inner f (Seq.set a ix (FlipV0.flip_v v))) -> ([#"../Robinson/src/logic.rs" 58 10 58 55] EventuallySatCompleteInner0.eventually_sat_complete_inner f (Seq.set a ix v)) end -module Robinson_Logic_LemmaUnitForces_Impl - use prelude.UIntSize +module Robinson_Lit_Impl1_Unsat_Stub + use Robinson_Assignments_Assignments_Type as Robinson_Assignments_Assignments_Type + use Robinson_Lit_Lit_Type as Robinson_Lit_Lit_Type + predicate unsat [#"../Robinson/src/lit.rs" 79 4 79 46] (self : Robinson_Lit_Lit_Type.t_lit) (a : Robinson_Assignments_Assignments_Type.t_assignments) + +end +module Robinson_Lit_Impl1_Unsat_Interface + use Robinson_Assignments_Assignments_Type as Robinson_Assignments_Assignments_Type + use Robinson_Lit_Lit_Type as Robinson_Lit_Lit_Type + predicate unsat [#"../Robinson/src/lit.rs" 79 4 79 46] (self : Robinson_Lit_Lit_Type.t_lit) (a : Robinson_Assignments_Assignments_Type.t_assignments) + +end +module Robinson_Lit_Impl1_Unsat + use Robinson_Lit_Lit_Type as Robinson_Lit_Lit_Type + clone Robinson_Lit_Impl1_UnsatInner_Stub as UnsatInner0 + use Robinson_Assignments_Assignments_Type as Robinson_Assignments_Assignments_Type + clone Robinson_Assignments_Impl0_ShallowModel_Stub as ShallowModel0 + predicate unsat [#"../Robinson/src/lit.rs" 79 4 79 46] (self : Robinson_Lit_Lit_Type.t_lit) (a : Robinson_Assignments_Assignments_Type.t_assignments) + + = + [#"../Robinson/src/lit.rs" 80 20 80 40] 
UnsatInner0.unsat_inner self (ShallowModel0.shallow_model a) + val unsat [#"../Robinson/src/lit.rs" 79 4 79 46] (self : Robinson_Lit_Lit_Type.t_lit) (a : Robinson_Assignments_Assignments_Type.t_assignments) : bool + ensures { result = unsat self a } + +end +module Robinson_Lit_Impl1_Sat_Stub + use Robinson_Assignments_Assignments_Type as Robinson_Assignments_Assignments_Type + use Robinson_Lit_Lit_Type as Robinson_Lit_Lit_Type + predicate sat [#"../Robinson/src/lit.rs" 67 4 67 44] (self : Robinson_Lit_Lit_Type.t_lit) (a : Robinson_Assignments_Assignments_Type.t_assignments) + +end +module Robinson_Lit_Impl1_Sat_Interface + use Robinson_Assignments_Assignments_Type as Robinson_Assignments_Assignments_Type + use Robinson_Lit_Lit_Type as Robinson_Lit_Lit_Type + predicate sat [#"../Robinson/src/lit.rs" 67 4 67 44] (self : Robinson_Lit_Lit_Type.t_lit) (a : Robinson_Assignments_Assignments_Type.t_assignments) + +end +module Robinson_Lit_Impl1_Sat + use Robinson_Lit_Lit_Type as Robinson_Lit_Lit_Type + clone Robinson_Lit_Impl1_SatInner_Stub as SatInner0 + use Robinson_Assignments_Assignments_Type as Robinson_Assignments_Assignments_Type + clone Robinson_Assignments_Impl0_ShallowModel_Stub as ShallowModel0 + predicate sat [#"../Robinson/src/lit.rs" 67 4 67 44] (self : Robinson_Lit_Lit_Type.t_lit) (a : Robinson_Assignments_Assignments_Type.t_assignments) + + = + [#"../Robinson/src/lit.rs" 69 12 69 30] SatInner0.sat_inner self (ShallowModel0.shallow_model a) + val sat [#"../Robinson/src/lit.rs" 67 4 67 44] (self : Robinson_Lit_Lit_Type.t_lit) (a : Robinson_Assignments_Assignments_Type.t_assignments) : bool + ensures { result = sat self a } + +end +module Robinson_Lit_Impl2_LitSat_Interface use seq.Seq + use prelude.Borrow use prelude.Int use prelude.UInt8 - use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use seq.Seq + use Robinson_Assignments_Assignments_Type as Robinson_Assignments_Assignments_Type use Robinson_Lit_Lit_Type as Robinson_Lit_Lit_Type + clone 
Robinson_Lit_Impl1_Sat_Stub as Sat0 + clone Robinson_Lit_Impl1_Invariant_Stub as Invariant0 + clone CreusotContracts_Model_Impl1_ShallowModel_Stub as ShallowModel0 with + type t = Robinson_Assignments_Assignments_Type.t_assignments, + type ShallowModelTy0.shallowModelTy = Seq.seq uint8 + val lit_sat [#"../Robinson/src/lit.rs" 95 4 95 49] (self : Robinson_Lit_Lit_Type.t_lit) (a : Robinson_Assignments_Assignments_Type.t_assignments) : bool + requires {[#"../Robinson/src/lit.rs" 93 15 93 39] Invariant0.invariant' self (Seq.length (ShallowModel0.shallow_model a))} + ensures { [#"../Robinson/src/lit.rs" 94 14 94 36] result = Sat0.sat self a } + +end +module Robinson_Lit_Impl2_LitSat + use prelude.Borrow + use prelude.Int + use prelude.UInt8 + use prelude.UIntSize + use seq.Seq + clone Core_Num_Impl11_Max as Max0 use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type - clone Core_Num_Impl12_Max as Max0 - clone CreusotContracts_Std1_Vec_Impl0_ShallowModel as ShallowModel2 with - type t = Robinson_Lit_Lit_Type.t_lit, + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + clone CreusotContracts_Std1_Vec_Impl0_ShallowModel as ShallowModel3 with + type t = uint8, type a = Alloc_Alloc_Global_Type.t_global, val Max0.mAX' = Max0.mAX', axiom . 
- clone Robinson_Lit_Impl1_SatInner as SatInner2 - clone Robinson_Lit_Impl1_Invariant as Invariant2 - use Robinson_Clause_Clause_Type as Robinson_Clause_Clause_Type - clone Robinson_Clause_Impl0_ShallowModel as ShallowModel1 with - function ShallowModel0.shallow_model = ShallowModel2.shallow_model, - val Max0.mAX' = Max0.mAX' - clone Robinson_Clause_Impl1_SatInner as SatInner1 with - function ShallowModel0.shallow_model = ShallowModel1.shallow_model, - predicate SatInner0.sat_inner = SatInner2.sat_inner - clone Robinson_Logic_Unset as Unset0 - clone Robinson_Assignments_CompleteInner as CompleteInner0 with - predicate Unset0.unset = Unset0.unset - clone Robinson_Assignments_CompatibleInner as CompatibleInner0 with - predicate Unset0.unset = Unset0.unset - clone Robinson_Clause_Impl1_VarsInRange as VarsInRange0 with + clone CreusotContracts_Std1_Slice_Impl5_HasValue as HasValue0 with + type t = uint8 + clone CreusotContracts_Std1_Slice_Impl5_InBounds as InBounds0 with + type t = uint8 + use seq.Seq + clone CreusotContracts_Model_Impl1_ShallowModel as ShallowModel2 with + type t = Alloc_Vec_Vec_Type.t_vec uint8 (Alloc_Alloc_Global_Type.t_global), + type ShallowModelTy0.shallowModelTy = Seq.seq uint8, + function ShallowModel0.shallow_model = ShallowModel3.shallow_model + use Robinson_Lit_Lit_Type as Robinson_Lit_Lit_Type + clone Robinson_Lit_Impl1_SatInner as SatInner0 + use Robinson_Assignments_Assignments_Type as Robinson_Assignments_Assignments_Type + clone Robinson_Assignments_Impl0_ShallowModel as ShallowModel1 with + function ShallowModel0.shallow_model = ShallowModel3.shallow_model, + val Max0.mAX' = Max0.mAX' + clone Alloc_Vec_Impl13_Index_Interface as Index0 with + type t = uint8, + type i = usize, + type a = Alloc_Alloc_Global_Type.t_global, + function ShallowModel0.shallow_model = ShallowModel2.shallow_model, + predicate InBounds0.in_bounds = InBounds0.in_bounds, + predicate HasValue0.has_value = HasValue0.has_value, + type Output0.output = uint8 + clone 
Robinson_Lit_Impl1_Sat as Sat0 with function ShallowModel0.shallow_model = ShallowModel1.shallow_model, - predicate Invariant0.invariant' = Invariant2.invariant' - clone CreusotContracts_Std1_Vec_Impl0_ShallowModel as ShallowModel0 with - type t = Robinson_Clause_Clause_Type.t_clause, + predicate SatInner0.sat_inner = SatInner0.sat_inner + clone Robinson_Lit_Impl1_Invariant as Invariant0 + clone CreusotContracts_Model_Impl1_ShallowModel as ShallowModel0 with + type t = Robinson_Assignments_Assignments_Type.t_assignments, + type ShallowModelTy0.shallowModelTy = Seq.seq uint8, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model + let rec cfg lit_sat [#"../Robinson/src/lit.rs" 95 4 95 49] [@cfg:stackify] [@cfg:subregion_analysis] (self : Robinson_Lit_Lit_Type.t_lit) (a : Robinson_Assignments_Assignments_Type.t_assignments) : bool + requires {[#"../Robinson/src/lit.rs" 93 15 93 39] Invariant0.invariant' self (Seq.length (ShallowModel0.shallow_model a))} + ensures { [#"../Robinson/src/lit.rs" 94 14 94 36] result = Sat0.sat self a } + + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : bool; + var self_1 : Robinson_Lit_Lit_Type.t_lit; + var a_2 : Robinson_Assignments_Assignments_Type.t_assignments; + var _5 : uint8; + var _6 : uint8; + var _7 : Alloc_Vec_Vec_Type.t_vec uint8 (Alloc_Alloc_Global_Type.t_global); + var _8 : usize; + var _9 : uint8; + var _10 : uint8; + var _11 : Alloc_Vec_Vec_Type.t_vec uint8 (Alloc_Alloc_Global_Type.t_global); + var _12 : usize; + { + self_1 <- self; + a_2 <- a; + goto BB0 + } + BB0 { + switch (Robinson_Lit_Lit_Type.lit_polarity self_1) + | False -> goto BB1 + | True -> goto BB2 + end + } + BB1 { + _11 <- Robinson_Assignments_Assignments_Type.assignments_0 a_2; + _12 <- Robinson_Lit_Lit_Type.lit_idx self_1; + _10 <- ([#"../Robinson/src/lit.rs" 98 22 98 35] Index0.index _11 _12); + goto BB4 + } + BB2 { + _7 <- Robinson_Assignments_Assignments_Type.assignments_0 a_2; + _8 <- Robinson_Lit_Lit_Type.lit_idx self_1; + _6 <- 
([#"../Robinson/src/lit.rs" 97 21 97 34] Index0.index _7 _8); + goto BB3 + } + BB3 { + _5 <- _6; + _0 <- ([#"../Robinson/src/lit.rs" 97 20 97 40] _5 = ([#"../Robinson/src/lit.rs" 97 38 97 39] (1 : uint8))); + goto BB5 + } + BB4 { + _9 <- _10; + _0 <- ([#"../Robinson/src/lit.rs" 98 21 98 41] _9 = ([#"../Robinson/src/lit.rs" 98 39 98 40] (0 : uint8))); + goto BB5 + } + BB5 { + return _0 + } + +end +module Robinson_Lit_Impl2_LitUnset_Interface + use seq.Seq + use prelude.Borrow + use prelude.Int + use prelude.UInt8 + use seq.Seq + use Robinson_Assignments_Assignments_Type as Robinson_Assignments_Assignments_Type + use Robinson_Lit_Lit_Type as Robinson_Lit_Lit_Type + clone Robinson_Lit_Impl1_Unset_Stub as Unset0 + clone Robinson_Lit_Impl1_Invariant_Stub as Invariant0 + clone CreusotContracts_Model_Impl1_ShallowModel_Stub as ShallowModel0 with + type t = Robinson_Assignments_Assignments_Type.t_assignments, + type ShallowModelTy0.shallowModelTy = Seq.seq uint8 + val lit_unset [#"../Robinson/src/lit.rs" 116 4 116 51] (self : Robinson_Lit_Lit_Type.t_lit) (a : Robinson_Assignments_Assignments_Type.t_assignments) : bool + requires {[#"../Robinson/src/lit.rs" 114 15 114 39] Invariant0.invariant' self (Seq.length (ShallowModel0.shallow_model a))} + ensures { [#"../Robinson/src/lit.rs" 115 14 115 38] result = Unset0.unset self a } + +end +module Robinson_Lit_Impl2_LitUnset + use prelude.Borrow + use prelude.Int + use prelude.UInt8 + use prelude.UIntSize + use seq.Seq + clone Core_Num_Impl11_Max as Max0 + use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + clone CreusotContracts_Std1_Vec_Impl0_ShallowModel as ShallowModel3 with + type t = uint8, type a = Alloc_Alloc_Global_Type.t_global, val Max0.mAX' = Max0.mAX', axiom . 
- use Robinson_Formula_Formula_Type as Robinson_Formula_Formula_Type - clone Robinson_Formula_Impl1_SatInner as SatInner0 with - function ShallowModel0.shallow_model = ShallowModel0.shallow_model, - predicate SatInner0.sat_inner = SatInner1.sat_inner, - val Max0.mAX' = Max0.mAX' - clone Robinson_Assignments_CompatibleCompleteInner as CompatibleCompleteInner0 with - predicate CompatibleInner0.compatible_inner = CompatibleInner0.compatible_inner, - predicate CompleteInner0.complete_inner = CompleteInner0.complete_inner - clone Robinson_Clause_Impl1_Invariant as Invariant1 with - predicate VarsInRange0.vars_in_range = VarsInRange0.vars_in_range - clone Robinson_Logic_FlipV as FlipV0 - clone Robinson_Formula_Impl1_EventuallySatCompleteInner as EventuallySatCompleteInner0 with - predicate CompatibleCompleteInner0.compatible_complete_inner = CompatibleCompleteInner0.compatible_complete_inner, - predicate SatInner0.sat_inner = SatInner0.sat_inner - clone Robinson_Formula_Impl1_Invariant as Invariant0 with - function ShallowModel0.shallow_model = ShallowModel0.shallow_model, - predicate Invariant0.invariant' = Invariant1.invariant', + clone CreusotContracts_Std1_Slice_Impl5_HasValue as HasValue0 with + type t = uint8 + clone CreusotContracts_Std1_Slice_Impl5_InBounds as InBounds0 with + type t = uint8 + use seq.Seq + clone CreusotContracts_Model_Impl1_ShallowModel as ShallowModel2 with + type t = Alloc_Vec_Vec_Type.t_vec uint8 (Alloc_Alloc_Global_Type.t_global), + type ShallowModelTy0.shallowModelTy = Seq.seq uint8, + function ShallowModel0.shallow_model = ShallowModel3.shallow_model + use Robinson_Lit_Lit_Type as Robinson_Lit_Lit_Type + clone Robinson_Lit_Impl1_UnsetInner as UnsetInner0 + use Robinson_Assignments_Assignments_Type as Robinson_Assignments_Assignments_Type + clone Robinson_Assignments_Impl0_ShallowModel as ShallowModel1 with + function ShallowModel0.shallow_model = ShallowModel3.shallow_model, val Max0.mAX' = Max0.mAX' - let rec ghost function 
lemma_unit_forces [#"../Robinson/src/logic.rs" 59 0 59 86] (f : Robinson_Formula_Formula_Type.t_formula) (a : Seq.seq uint8) (ix : int) (v : uint8) : () - requires {[#"../Robinson/src/logic.rs" 52 11 52 24] Invariant0.invariant' f} - requires {[#"../Robinson/src/logic.rs" 53 11 53 33] UIntSize.to_int (Robinson_Formula_Formula_Type.formula_num_vars f) = Seq.length a} - requires {[#"../Robinson/src/logic.rs" 54 11 54 50] 0 <= ix /\ ix < Seq.length a /\ Unset0.unset (Seq.get a ix)} - requires {[#"../Robinson/src/logic.rs" 55 11 55 20] not Unset0.unset v} - requires {[#"../Robinson/src/logic.rs" 56 11 56 45] EventuallySatCompleteInner0.eventually_sat_complete_inner f a} - requires {[#"../Robinson/src/logic.rs" 57 11 57 65] not EventuallySatCompleteInner0.eventually_sat_complete_inner f (Seq.set a ix (FlipV0.flip_v v))} - ensures { [#"../Robinson/src/logic.rs" 58 10 58 55] EventuallySatCompleteInner0.eventually_sat_complete_inner f (Seq.set a ix v) } + clone Alloc_Vec_Impl13_Index_Interface as Index0 with + type t = uint8, + type i = usize, + type a = Alloc_Alloc_Global_Type.t_global, + function ShallowModel0.shallow_model = ShallowModel2.shallow_model, + predicate InBounds0.in_bounds = InBounds0.in_bounds, + predicate HasValue0.has_value = HasValue0.has_value, + type Output0.output = uint8 + clone Robinson_Lit_Impl1_Unset as Unset0 with + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + predicate UnsetInner0.unset_inner = UnsetInner0.unset_inner + clone Robinson_Lit_Impl1_Invariant as Invariant0 + clone CreusotContracts_Model_Impl1_ShallowModel as ShallowModel0 with + type t = Robinson_Assignments_Assignments_Type.t_assignments, + type ShallowModelTy0.shallowModelTy = Seq.seq uint8, + function ShallowModel0.shallow_model = ShallowModel1.shallow_model + let rec cfg lit_unset [#"../Robinson/src/lit.rs" 116 4 116 51] [@cfg:stackify] [@cfg:subregion_analysis] (self : Robinson_Lit_Lit_Type.t_lit) (a : Robinson_Assignments_Assignments_Type.t_assignments) 
: bool + requires {[#"../Robinson/src/lit.rs" 114 15 114 39] Invariant0.invariant' self (Seq.length (ShallowModel0.shallow_model a))} + ensures { [#"../Robinson/src/lit.rs" 115 14 115 38] result = Unset0.unset self a } = [@vc:do_not_keep_trace] [@vc:sp] - [#"../Robinson/src/logic.rs" 51 0 51 8] () + var _0 : bool; + var self_1 : Robinson_Lit_Lit_Type.t_lit; + var a_2 : Robinson_Assignments_Assignments_Type.t_assignments; + var _5 : uint8; + var _6 : uint8; + var _7 : Alloc_Vec_Vec_Type.t_vec uint8 (Alloc_Alloc_Global_Type.t_global); + var _8 : usize; + { + self_1 <- self; + a_2 <- a; + goto BB0 + } + BB0 { + _7 <- Robinson_Assignments_Assignments_Type.assignments_0 a_2; + _8 <- Robinson_Lit_Lit_Type.lit_idx self_1; + _6 <- ([#"../Robinson/src/lit.rs" 117 8 117 21] Index0.index _7 _8); + goto BB1 + } + BB1 { + _5 <- _6; + _0 <- ([#"../Robinson/src/lit.rs" 117 8 117 26] _5 >= ([#"../Robinson/src/lit.rs" 117 25 117 26] (2 : uint8))); + return _0 + } + end -module Robinson_Logic_LemmaExtensionSatBaseSat_Stub +module Robinson_Clause_Impl2_CheckIfUnit_Interface + use seq.Seq + use prelude.Borrow use prelude.Int + use prelude.UInt8 + use seq.Seq + use Robinson_Formula_Formula_Type as Robinson_Formula_Formula_Type + use Robinson_Assignments_Assignments_Type as Robinson_Assignments_Assignments_Type + use Robinson_Clause_Clause_Type as Robinson_Clause_Clause_Type + clone Robinson_Assignments_Impl1_Complete_Stub as Complete0 + clone Robinson_Clause_Impl1_Unit_Stub as Unit0 + clone Robinson_Clause_Impl1_Unsat_Stub as Unsat0 + clone Robinson_Clause_Impl1_Sat_Stub as Sat0 + use Robinson_Clause_ClauseState_Type as Robinson_Clause_ClauseState_Type + clone Robinson_Assignments_Impl1_Invariant_Stub as Invariant2 + clone Robinson_Formula_Impl1_Invariant_Stub as Invariant1 + clone Robinson_Clause_Impl1_Invariant_Stub as Invariant0 + clone CreusotContracts_Model_Impl1_ShallowModel_Stub as ShallowModel0 with + type t = Robinson_Assignments_Assignments_Type.t_assignments, + type 
ShallowModelTy0.shallowModelTy = Seq.seq uint8 + val check_if_unit [#"../Robinson/src/clause.rs" 121 4 121 77] (self : Robinson_Clause_Clause_Type.t_clause) (a : Robinson_Assignments_Assignments_Type.t_assignments) (_f : Robinson_Formula_Formula_Type.t_formula) : Robinson_Clause_ClauseState_Type.t_clausestate + requires {[#"../Robinson/src/clause.rs" 114 15 114 41] Invariant0.invariant' self (Seq.length (ShallowModel0.shallow_model a))} + requires {[#"../Robinson/src/clause.rs" 115 15 115 29] Invariant1.invariant' _f} + requires {[#"../Robinson/src/clause.rs" 116 15 116 31] Invariant2.invariant' a _f} + ensures { [#"../Robinson/src/clause.rs" 117 4 117 65] result = Robinson_Clause_ClauseState_Type.C_Sat -> Sat0.sat self a } + ensures { [#"../Robinson/src/clause.rs" 118 4 118 67] result = Robinson_Clause_ClauseState_Type.C_Unsat -> Unsat0.unsat self a } + ensures { [#"../Robinson/src/clause.rs" 119 4 119 83] result = Robinson_Clause_ClauseState_Type.C_Unit -> Unit0.unit self a /\ not Complete0.complete a } + ensures { [#"../Robinson/src/clause.rs" 120 4 120 66] result = Robinson_Clause_ClauseState_Type.C_Unknown -> not Complete0.complete a } + +end +module Robinson_Clause_Impl2_CheckIfUnit + use prelude.Borrow + use prelude.Int + use prelude.UIntSize use seq.Seq use prelude.UInt8 + use Robinson_Lit_Lit_Type as Robinson_Lit_Lit_Type + clone Robinson_Lit_Impl1_SatInner as SatInner1 + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type + clone Core_Num_Impl11_Max as Max0 + clone CreusotContracts_Std1_Vec_Impl0_ShallowModel as ShallowModel7 with + type t = uint8, + type a = Alloc_Alloc_Global_Type.t_global, + val Max0.mAX' = Max0.mAX', + axiom . 
+ use Robinson_Assignments_Assignments_Type as Robinson_Assignments_Assignments_Type + clone Robinson_Assignments_Impl0_ShallowModel as ShallowModel3 with + function ShallowModel0.shallow_model = ShallowModel7.shallow_model, + val Max0.mAX' = Max0.mAX' + clone Robinson_Lit_Impl1_Sat as Sat1 with + function ShallowModel0.shallow_model = ShallowModel3.shallow_model, + predicate SatInner0.sat_inner = SatInner1.sat_inner + clone Robinson_Lit_Impl1_Invariant as Invariant3 + clone CreusotContracts_Std1_Slice_Impl5_HasValue as HasValue0 with + type t = Robinson_Lit_Lit_Type.t_lit + clone CreusotContracts_Std1_Slice_Impl5_InBounds as InBounds0 with + type t = Robinson_Lit_Lit_Type.t_lit + clone CreusotContracts_Std1_Vec_Impl0_ShallowModel as ShallowModel1 with + type t = Robinson_Lit_Lit_Type.t_lit, + type a = Alloc_Alloc_Global_Type.t_global, + val Max0.mAX' = Max0.mAX', + axiom . + use seq.Seq + clone CreusotContracts_Model_Impl1_ShallowModel as ShallowModel6 with + type t = Alloc_Vec_Vec_Type.t_vec (Robinson_Lit_Lit_Type.t_lit) (Alloc_Alloc_Global_Type.t_global), + type ShallowModelTy0.shallowModelTy = Seq.seq (Robinson_Lit_Lit_Type.t_lit), + function ShallowModel0.shallow_model = ShallowModel1.shallow_model + clone Robinson_Lit_Impl1_UnsatInner as UnsatInner1 + clone Robinson_Lit_Impl1_UnsetInner as UnsetInner0 + use Robinson_Clause_Clause_Type as Robinson_Clause_Clause_Type + clone Robinson_Clause_Impl0_ShallowModel as ShallowModel5 with + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + val Max0.mAX' = Max0.mAX' + clone Robinson_Logic_Unset as Unset1 + clone Robinson_Clause_Impl1_SatInner as SatInner0 with + function ShallowModel0.shallow_model = ShallowModel5.shallow_model, + predicate SatInner0.sat_inner = SatInner1.sat_inner + clone Robinson_Clause_Impl1_VarsInRange as VarsInRange0 with + function ShallowModel0.shallow_model = ShallowModel5.shallow_model, + predicate Invariant0.invariant' = Invariant3.invariant' + clone 
Robinson_Clause_Impl1_UnitInner as UnitInner0 with + predicate VarsInRange0.vars_in_range = VarsInRange0.vars_in_range, + predicate SatInner0.sat_inner = SatInner0.sat_inner, + function ShallowModel0.shallow_model = ShallowModel5.shallow_model, + predicate UnsetInner0.unset_inner = UnsetInner0.unset_inner + clone Robinson_Clause_Impl1_UnsatInner as UnsatInner0 with + function ShallowModel0.shallow_model = ShallowModel5.shallow_model, + predicate UnsatInner0.unsat_inner = UnsatInner1.unsat_inner + clone CreusotContracts_Std1_Vec_Impl0_ShallowModel as ShallowModel4 with + type t = Robinson_Clause_Clause_Type.t_clause, + type a = Alloc_Alloc_Global_Type.t_global, + val Max0.mAX' = Max0.mAX', + axiom . + clone Robinson_Lit_Impl1_Unset as Unset0 with + function ShallowModel0.shallow_model = ShallowModel3.shallow_model, + predicate UnsetInner0.unset_inner = UnsetInner0.unset_inner + clone CreusotContracts_Model_Impl1_ShallowModel as ShallowModel0 with + type t = Robinson_Assignments_Assignments_Type.t_assignments, + type ShallowModelTy0.shallowModelTy = Seq.seq uint8, + function ShallowModel0.shallow_model = ShallowModel3.shallow_model + clone Robinson_Lit_Impl2_LitUnset_Interface as LitUnset0 with + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + predicate Invariant0.invariant' = Invariant3.invariant', + predicate Unset0.unset = Unset0.unset + clone Robinson_Lit_Impl2_LitSat_Interface as LitSat0 with + function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + predicate Invariant0.invariant' = Invariant3.invariant', + predicate Sat0.sat = Sat1.sat + clone Alloc_Vec_Impl13_Index_Interface as Index0 with + type t = Robinson_Lit_Lit_Type.t_lit, + type i = usize, + type a = Alloc_Alloc_Global_Type.t_global, + function ShallowModel0.shallow_model = ShallowModel6.shallow_model, + predicate InBounds0.in_bounds = InBounds0.in_bounds, + predicate HasValue0.has_value = HasValue0.has_value, + type Output0.output = Robinson_Lit_Lit_Type.t_lit + 
clone Alloc_Vec_Impl1_Len_Interface as Len0 with + type t = Robinson_Lit_Lit_Type.t_lit, + type a = Alloc_Alloc_Global_Type.t_global, + function ShallowModel0.shallow_model = ShallowModel6.shallow_model + clone Robinson_Lit_Impl1_Unsat as Unsat1 with + function ShallowModel0.shallow_model = ShallowModel3.shallow_model, + predicate UnsatInner0.unsat_inner = UnsatInner1.unsat_inner + clone CreusotContracts_Model_Impl1_ShallowModel as ShallowModel2 with + type t = Robinson_Clause_Clause_Type.t_clause, + type ShallowModelTy0.shallowModelTy = Seq.seq (Robinson_Lit_Lit_Type.t_lit), + function ShallowModel0.shallow_model = ShallowModel5.shallow_model + clone Robinson_Assignments_Impl1_Complete as Complete0 with + function ShallowModel0.shallow_model = ShallowModel3.shallow_model, + predicate Unset0.unset = Unset1.unset + clone Robinson_Clause_Impl1_Unit as Unit0 with + function ShallowModel0.shallow_model = ShallowModel3.shallow_model, + predicate UnitInner0.unit_inner = UnitInner0.unit_inner + clone Robinson_Clause_Impl1_Unsat as Unsat0 with + function ShallowModel0.shallow_model = ShallowModel3.shallow_model, + predicate UnsatInner0.unsat_inner = UnsatInner0.unsat_inner + clone Robinson_Clause_Impl1_Sat as Sat0 with + function ShallowModel0.shallow_model = ShallowModel3.shallow_model, + predicate SatInner0.sat_inner = SatInner0.sat_inner use Robinson_Formula_Formula_Type as Robinson_Formula_Formula_Type - clone Robinson_Formula_Impl1_EventuallySatCompleteInner_Stub as EventuallySatCompleteInner0 - clone Robinson_Logic_Unset_Stub as Unset0 - function lemma_extension_sat_base_sat [#"../Robinson/src/logic.rs" 82 0 82 97] (f : Robinson_Formula_Formula_Type.t_formula) (a : Seq.seq uint8) (ix : int) (v : uint8) : () + clone Robinson_Assignments_Impl1_Invariant as Invariant2 with + function ShallowModel0.shallow_model = ShallowModel3.shallow_model + clone Robinson_Clause_Impl1_Invariant as Invariant0 with + predicate VarsInRange0.vars_in_range = VarsInRange0.vars_in_range + 
clone Robinson_Formula_Impl1_Invariant as Invariant1 with + function ShallowModel0.shallow_model = ShallowModel4.shallow_model, + predicate Invariant0.invariant' = Invariant0.invariant', + val Max0.mAX' = Max0.mAX' + use Robinson_Clause_ClauseState_Type as Robinson_Clause_ClauseState_Type + let rec cfg check_if_unit [#"../Robinson/src/clause.rs" 121 4 121 77] [@cfg:stackify] [@cfg:subregion_analysis] (self : Robinson_Clause_Clause_Type.t_clause) (a : Robinson_Assignments_Assignments_Type.t_assignments) (_f : Robinson_Formula_Formula_Type.t_formula) : Robinson_Clause_ClauseState_Type.t_clausestate + requires {[#"../Robinson/src/clause.rs" 114 15 114 41] Invariant0.invariant' self (Seq.length (ShallowModel0.shallow_model a))} + requires {[#"../Robinson/src/clause.rs" 115 15 115 29] Invariant1.invariant' _f} + requires {[#"../Robinson/src/clause.rs" 116 15 116 31] Invariant2.invariant' a _f} + ensures { [#"../Robinson/src/clause.rs" 117 4 117 65] result = Robinson_Clause_ClauseState_Type.C_Sat -> Sat0.sat self a } + ensures { [#"../Robinson/src/clause.rs" 118 4 118 67] result = Robinson_Clause_ClauseState_Type.C_Unsat -> Unsat0.unsat self a } + ensures { [#"../Robinson/src/clause.rs" 119 4 119 83] result = Robinson_Clause_ClauseState_Type.C_Unit -> Unit0.unit self a /\ not Complete0.complete a } + ensures { [#"../Robinson/src/clause.rs" 120 4 120 66] result = Robinson_Clause_ClauseState_Type.C_Unknown -> not Complete0.complete a } + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : Robinson_Clause_ClauseState_Type.t_clausestate; + var self_1 : Robinson_Clause_Clause_Type.t_clause; + var a_2 : Robinson_Assignments_Assignments_Type.t_assignments; + var _f_3 : Robinson_Formula_Formula_Type.t_formula; + var i_11 : usize; + var _k_12 : usize; + var unassigned_13 : usize; + var _14 : (); + var _23 : (); + var _24 : bool; + var _25 : usize; + var _26 : usize; + var _27 : Alloc_Vec_Vec_Type.t_vec (Robinson_Lit_Lit_Type.t_lit) (Alloc_Alloc_Global_Type.t_global); + var lit_28 : 
Robinson_Lit_Lit_Type.t_lit; + var _29 : Robinson_Lit_Lit_Type.t_lit; + var _30 : Alloc_Vec_Vec_Type.t_vec (Robinson_Lit_Lit_Type.t_lit) (Alloc_Alloc_Global_Type.t_global); + var _31 : usize; + var _32 : (); + var _33 : bool; + var _34 : Robinson_Lit_Lit_Type.t_lit; + var _35 : Robinson_Assignments_Assignments_Type.t_assignments; + var _36 : (); + var _37 : bool; + var _38 : Robinson_Lit_Lit_Type.t_lit; + var _39 : Robinson_Assignments_Assignments_Type.t_assignments; + var _40 : (); + var _41 : bool; + var _42 : usize; + var _43 : (); + var _44 : usize; + var _45 : (); + var _46 : (); + var _47 : (); + var _48 : bool; + var _49 : usize; + { + self_1 <- self; + a_2 <- a; + _f_3 <- _f; + goto BB0 + } + BB0 { + i_11 <- ([#"../Robinson/src/clause.rs" 122 27 122 28] (0 : usize)); + _k_12 <- ([#"../Robinson/src/clause.rs" 123 28 123 29] (0 : usize)); + unassigned_13 <- ([#"../Robinson/src/clause.rs" 124 36 124 37] (0 : usize)); + goto BB1 + } + BB1 { + invariant { [#"../Robinson/src/clause.rs" 125 20 125 55] 0 <= UIntSize.to_int i_11 /\ UIntSize.to_int i_11 <= Seq.length (ShallowModel1.shallow_model (Robinson_Clause_Clause_Type.clause_rest self_1)) }; + invariant { [#"../Robinson/src/clause.rs" 126 20 126 36] UIntSize.to_int unassigned_13 <= 1 }; + invariant { [#"../Robinson/src/clause.rs" 125 8 125 57] UIntSize.to_int unassigned_13 = 0 \/ Unset0.unset (Seq.get (ShallowModel2.shallow_model self_1) (UIntSize.to_int _k_12)) a_2 }; + invariant { [#"../Robinson/src/clause.rs" 125 8 125 57] UIntSize.to_int unassigned_13 > 0 -> Unset0.unset (Seq.get (ShallowModel2.shallow_model self_1) (UIntSize.to_int _k_12)) a_2 }; + invariant { [#"../Robinson/src/clause.rs" 125 8 125 57] forall j : int . 
0 <= j /\ j < UIntSize.to_int i_11 -> Unsat1.unsat (Seq.get (ShallowModel2.shallow_model self_1) j) a_2 \/ Unset0.unset (Seq.get (ShallowModel2.shallow_model self_1) j) a_2 /\ UIntSize.to_int unassigned_13 >= 1 }; + invariant { [#"../Robinson/src/clause.rs" 131 20 131 69] UIntSize.to_int unassigned_13 = 0 \/ 0 <= UIntSize.to_int _k_12 /\ UIntSize.to_int _k_12 < Seq.length (ShallowModel2.shallow_model self_1) }; + invariant { [#"../Robinson/src/clause.rs" 125 8 125 57] UIntSize.to_int unassigned_13 = 1 -> (forall j : int . 0 <= j /\ j < UIntSize.to_int i_11 /\ j <> UIntSize.to_int _k_12 -> not Unset0.unset (Seq.get (ShallowModel2.shallow_model self_1) j) a_2) }; + invariant { [#"../Robinson/src/clause.rs" 125 8 125 57] UIntSize.to_int unassigned_13 = 0 -> UIntSize.to_int _k_12 = 0 }; + _25 <- i_11; + _27 <- Robinson_Clause_Clause_Type.clause_rest self_1; + _26 <- ([#"../Robinson/src/clause.rs" 135 18 135 33] Len0.len _27); + goto BB2 + } + BB2 { + _24 <- ([#"../Robinson/src/clause.rs" 135 14 135 33] _25 < _26); + switch (_24) + | False -> goto BB14 + | True -> goto BB3 + end + } + BB3 { + _30 <- Robinson_Clause_Clause_Type.clause_rest self_1; + _31 <- i_11; + _29 <- ([#"../Robinson/src/clause.rs" 136 22 136 34] Index0.index _30 _31); + goto BB4 + } + BB4 { + lit_28 <- _29; + _34 <- lit_28; + _35 <- a_2; + _33 <- ([#"../Robinson/src/clause.rs" 137 15 137 29] LitSat0.lit_sat _34 _35); + goto BB5 + } + BB5 { + switch (_33) + | False -> goto BB7 + | True -> goto BB6 + end + } + BB6 { + _0 <- Robinson_Clause_ClauseState_Type.C_Sat; + goto BB18 + } + BB7 { + _38 <- lit_28; + _39 <- a_2; + _37 <- ([#"../Robinson/src/clause.rs" 139 22 139 38] LitUnset0.lit_unset _38 _39); + goto BB8 + } + BB8 { + switch (_37) + | False -> goto BB12 + | True -> goto BB9 + end + } + BB9 { + _42 <- unassigned_13; + _41 <- ([#"../Robinson/src/clause.rs" 141 19 141 33] _42 > ([#"../Robinson/src/clause.rs" 141 32 141 33] (0 : usize))); + switch (_41) + | False -> goto BB11 + | True -> goto BB10 + 
end + } + BB10 { + _0 <- Robinson_Clause_ClauseState_Type.C_Unknown; + goto BB18 + } + BB11 { + _40 <- (); + _44 <- i_11; + _k_12 <- _44; + _44 <- any usize; + unassigned_13 <- ([#"../Robinson/src/clause.rs" 145 16 145 31] unassigned_13 + ([#"../Robinson/src/clause.rs" 145 30 145 31] (1 : usize))); + _32 <- (); + goto BB13 + } + BB12 { + _32 <- (); + goto BB13 + } + BB13 { + i_11 <- ([#"../Robinson/src/clause.rs" 147 12 147 18] i_11 + ([#"../Robinson/src/clause.rs" 147 17 147 18] (1 : usize))); + _23 <- (); + goto BB1 + } + BB14 { + _14 <- (); + _49 <- unassigned_13; + _48 <- ([#"../Robinson/src/clause.rs" 149 11 149 26] _49 = ([#"../Robinson/src/clause.rs" 149 25 149 26] (1 : usize))); + switch (_48) + | False -> goto BB16 + | True -> goto BB15 + end + } + BB15 { + _0 <- Robinson_Clause_ClauseState_Type.C_Unit; + goto BB17 + } + BB16 { + _0 <- Robinson_Clause_ClauseState_Type.C_Unsat; + goto BB17 + } + BB17 { + goto BB19 + } + BB18 { + goto BB19 + } + BB19 { + return _0 + } + end -module Robinson_Logic_LemmaExtensionSatBaseSat_Interface +module Robinson_Clause_Impl2_GetUnit_Interface use prelude.Int use seq.Seq + use prelude.Borrow use prelude.UInt8 - use Robinson_Formula_Formula_Type as Robinson_Formula_Formula_Type - clone Robinson_Formula_Impl1_EventuallySatCompleteInner_Stub as EventuallySatCompleteInner0 - clone Robinson_Logic_Unset_Stub as Unset0 - function lemma_extension_sat_base_sat [#"../Robinson/src/logic.rs" 82 0 82 97] (f : Robinson_Formula_Formula_Type.t_formula) (a : Seq.seq uint8) (ix : int) (v : uint8) : () - - axiom lemma_extension_sat_base_sat_spec : forall f : Robinson_Formula_Formula_Type.t_formula, a : Seq.seq uint8, ix : int, v : uint8 . 
([#"../Robinson/src/logic.rs" 79 11 79 50] 0 <= ix /\ ix < Seq.length a /\ Unset0.unset (Seq.get a ix)) -> ([#"../Robinson/src/logic.rs" 80 11 80 56] EventuallySatCompleteInner0.eventually_sat_complete_inner f (Seq.set a ix v)) -> ([#"../Robinson/src/logic.rs" 81 10 81 44] EventuallySatCompleteInner0.eventually_sat_complete_inner f a) -end -module Robinson_Logic_LemmaExtensionSatBaseSat - use prelude.Int use seq.Seq - use prelude.UInt8 + use Robinson_Lit_Lit_Type as Robinson_Lit_Lit_Type use Robinson_Formula_Formula_Type as Robinson_Formula_Formula_Type - clone Robinson_Formula_Impl1_EventuallySatCompleteInner_Stub as EventuallySatCompleteInner0 + use Robinson_Assignments_Assignments_Type as Robinson_Assignments_Assignments_Type + use Robinson_Clause_Clause_Type as Robinson_Clause_Clause_Type clone Robinson_Logic_Unset_Stub as Unset0 - function lemma_extension_sat_base_sat [#"../Robinson/src/logic.rs" 82 0 82 97] (f : Robinson_Formula_Formula_Type.t_formula) (a : Seq.seq uint8) (ix : int) (v : uint8) : () - - = - [#"../Robinson/src/logic.rs" 78 0 78 8] () - val lemma_extension_sat_base_sat [#"../Robinson/src/logic.rs" 82 0 82 97] (f : Robinson_Formula_Formula_Type.t_formula) (a : Seq.seq uint8) (ix : int) (v : uint8) : () - requires {[#"../Robinson/src/logic.rs" 79 11 79 50] 0 <= ix /\ ix < Seq.length a /\ Unset0.unset (Seq.get a ix)} - requires {[#"../Robinson/src/logic.rs" 80 11 80 56] EventuallySatCompleteInner0.eventually_sat_complete_inner f (Seq.set a ix v)} - ensures { result = lemma_extension_sat_base_sat f a ix v } + clone CreusotContracts_Model_Impl1_ShallowModel_Stub as ShallowModel1 with + type t = Robinson_Assignments_Assignments_Type.t_assignments, + type ShallowModelTy0.shallowModelTy = Seq.seq uint8 + clone Robinson_Lit_Impl0_IndexLogic_Stub as IndexLogic0 + clone CreusotContracts_Model_Impl1_ShallowModel_Stub as ShallowModel0 with + type t = Robinson_Clause_Clause_Type.t_clause, + type ShallowModelTy0.shallowModelTy = Seq.seq 
(Robinson_Lit_Lit_Type.t_lit) + clone Robinson_Assignments_Impl1_Invariant_Stub as Invariant1 + clone Robinson_Formula_Impl1_Invariant_Stub as Invariant0 + clone Robinson_Clause_Impl1_Unit_Stub as Unit0 + val get_unit [#"../Robinson/src/clause.rs" 163 4 163 64] (self : Robinson_Clause_Clause_Type.t_clause) (a : Robinson_Assignments_Assignments_Type.t_assignments) (_f : Robinson_Formula_Formula_Type.t_formula) : Robinson_Lit_Lit_Type.t_lit + requires {[#"../Robinson/src/clause.rs" 157 15 157 28] Unit0.unit self a} + requires {[#"../Robinson/src/clause.rs" 158 15 158 29] Invariant0.invariant' _f} + requires {[#"../Robinson/src/clause.rs" 159 15 159 31] Invariant1.invariant' a _f} + ensures { [#"../Robinson/src/clause.rs" 160 4 160 78] exists j : int . 0 <= j /\ j < Seq.length (ShallowModel0.shallow_model self) /\ Seq.get (ShallowModel0.shallow_model self) j = result } + ensures { [#"../Robinson/src/clause.rs" 161 14 161 47] IndexLogic0.index_logic result < Seq.length (ShallowModel1.shallow_model a) } + ensures { [#"../Robinson/src/clause.rs" 162 14 162 47] Unset0.unset (Seq.get (ShallowModel1.shallow_model a) (IndexLogic0.index_logic result)) } - axiom lemma_extension_sat_base_sat_spec : forall f : Robinson_Formula_Formula_Type.t_formula, a : Seq.seq uint8, ix : int, v : uint8 . 
([#"../Robinson/src/logic.rs" 79 11 79 50] 0 <= ix /\ ix < Seq.length a /\ Unset0.unset (Seq.get a ix)) -> ([#"../Robinson/src/logic.rs" 80 11 80 56] EventuallySatCompleteInner0.eventually_sat_complete_inner f (Seq.set a ix v)) -> ([#"../Robinson/src/logic.rs" 81 10 81 44] EventuallySatCompleteInner0.eventually_sat_complete_inner f a) end -module Robinson_Logic_LemmaExtensionSatBaseSat_Impl +module Robinson_Clause_Impl2_GetUnit + use prelude.Borrow use prelude.Int + use prelude.UIntSize use seq.Seq use prelude.UInt8 - use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type use Robinson_Lit_Lit_Type as Robinson_Lit_Lit_Type + clone Robinson_Lit_Impl1_SatInner as SatInner1 use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type - clone Core_Num_Impl12_Max as Max0 - clone CreusotContracts_Std1_Vec_Impl0_ShallowModel as ShallowModel2 with + clone Core_Num_Impl11_Max as Max0 + use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type + clone CreusotContracts_Std1_Vec_Impl0_ShallowModel as ShallowModel7 with type t = Robinson_Lit_Lit_Type.t_lit, type a = Alloc_Alloc_Global_Type.t_global, val Max0.mAX' = Max0.mAX', axiom . 
- clone Robinson_Lit_Impl1_SatInner as SatInner2 use Robinson_Clause_Clause_Type as Robinson_Clause_Clause_Type - clone Robinson_Clause_Impl0_ShallowModel as ShallowModel1 with - function ShallowModel0.shallow_model = ShallowModel2.shallow_model, + clone Robinson_Clause_Impl0_ShallowModel as ShallowModel4 with + function ShallowModel0.shallow_model = ShallowModel7.shallow_model, val Max0.mAX' = Max0.mAX' - clone Robinson_Clause_Impl1_SatInner as SatInner1 with - function ShallowModel0.shallow_model = ShallowModel1.shallow_model, - predicate SatInner0.sat_inner = SatInner2.sat_inner - clone CreusotContracts_Std1_Vec_Impl0_ShallowModel as ShallowModel0 with + clone Robinson_Clause_Impl1_SatInner as SatInner0 with + function ShallowModel0.shallow_model = ShallowModel4.shallow_model, + predicate SatInner0.sat_inner = SatInner1.sat_inner + clone Robinson_Lit_Impl1_Invariant as Invariant3 + clone Robinson_Clause_Impl1_VarsInRange as VarsInRange0 with + function ShallowModel0.shallow_model = ShallowModel4.shallow_model, + predicate Invariant0.invariant' = Invariant3.invariant' + clone CreusotContracts_Std1_Vec_Impl0_ShallowModel as ShallowModel6 with + type t = uint8, + type a = Alloc_Alloc_Global_Type.t_global, + val Max0.mAX' = Max0.mAX', + axiom . 
+ clone CreusotContracts_Std1_Slice_Impl5_HasValue as HasValue0 with + type t = Robinson_Lit_Lit_Type.t_lit + clone CreusotContracts_Std1_Slice_Impl5_InBounds as InBounds0 with + type t = Robinson_Lit_Lit_Type.t_lit + use seq.Seq + clone CreusotContracts_Model_Impl1_ShallowModel as ShallowModel5 with + type t = Alloc_Vec_Vec_Type.t_vec (Robinson_Lit_Lit_Type.t_lit) (Alloc_Alloc_Global_Type.t_global), + type ShallowModelTy0.shallowModelTy = Seq.seq (Robinson_Lit_Lit_Type.t_lit), + function ShallowModel0.shallow_model = ShallowModel7.shallow_model + clone Robinson_Lit_Impl1_UnsetInner as UnsetInner0 + clone Robinson_Clause_Impl1_Invariant as Invariant2 with + predicate VarsInRange0.vars_in_range = VarsInRange0.vars_in_range + clone CreusotContracts_Std1_Vec_Impl0_ShallowModel as ShallowModel3 with type t = Robinson_Clause_Clause_Type.t_clause, type a = Alloc_Alloc_Global_Type.t_global, val Max0.mAX' = Max0.mAX', axiom . + clone Robinson_Clause_Impl1_UnitInner as UnitInner0 with + predicate VarsInRange0.vars_in_range = VarsInRange0.vars_in_range, + predicate SatInner0.sat_inner = SatInner0.sat_inner, + function ShallowModel0.shallow_model = ShallowModel4.shallow_model, + predicate UnsetInner0.unset_inner = UnsetInner0.unset_inner + use Robinson_Assignments_Assignments_Type as Robinson_Assignments_Assignments_Type + clone Robinson_Assignments_Impl0_ShallowModel as ShallowModel2 with + function ShallowModel0.shallow_model = ShallowModel6.shallow_model, + val Max0.mAX' = Max0.mAX' + clone Robinson_Lit_Impl1_Unset as Unset1 with + function ShallowModel0.shallow_model = ShallowModel2.shallow_model, + predicate UnsetInner0.unset_inner = UnsetInner0.unset_inner + clone CreusotContracts_Model_Impl1_ShallowModel as ShallowModel1 with + type t = Robinson_Assignments_Assignments_Type.t_assignments, + type ShallowModelTy0.shallowModelTy = Seq.seq uint8, + function ShallowModel0.shallow_model = ShallowModel2.shallow_model + clone Robinson_Lit_Impl2_LitUnset_Interface as LitUnset0 
with + function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + predicate Invariant0.invariant' = Invariant3.invariant', + predicate Unset0.unset = Unset1.unset + clone Alloc_Vec_Impl13_Index_Interface as Index0 with + type t = Robinson_Lit_Lit_Type.t_lit, + type i = usize, + type a = Alloc_Alloc_Global_Type.t_global, + function ShallowModel0.shallow_model = ShallowModel5.shallow_model, + predicate InBounds0.in_bounds = InBounds0.in_bounds, + predicate HasValue0.has_value = HasValue0.has_value, + type Output0.output = Robinson_Lit_Lit_Type.t_lit + clone Alloc_Vec_Impl1_Len_Interface as Len0 with + type t = Robinson_Lit_Lit_Type.t_lit, + type a = Alloc_Alloc_Global_Type.t_global, + function ShallowModel0.shallow_model = ShallowModel5.shallow_model clone Robinson_Logic_Unset as Unset0 - clone Robinson_Assignments_CompleteInner as CompleteInner0 with - predicate Unset0.unset = Unset0.unset - clone Robinson_Assignments_CompatibleInner as CompatibleInner0 with - predicate Unset0.unset = Unset0.unset + clone Robinson_Lit_Impl0_IndexLogic as IndexLogic0 + clone CreusotContracts_Model_Impl1_ShallowModel as ShallowModel0 with + type t = Robinson_Clause_Clause_Type.t_clause, + type ShallowModelTy0.shallowModelTy = Seq.seq (Robinson_Lit_Lit_Type.t_lit), + function ShallowModel0.shallow_model = ShallowModel4.shallow_model use Robinson_Formula_Formula_Type as Robinson_Formula_Formula_Type - clone Robinson_Formula_Impl1_SatInner as SatInner0 with - function ShallowModel0.shallow_model = ShallowModel0.shallow_model, - predicate SatInner0.sat_inner = SatInner1.sat_inner, + clone Robinson_Assignments_Impl1_Invariant as Invariant1 with + function ShallowModel0.shallow_model = ShallowModel2.shallow_model + clone Robinson_Formula_Impl1_Invariant as Invariant0 with + function ShallowModel0.shallow_model = ShallowModel3.shallow_model, + predicate Invariant0.invariant' = Invariant2.invariant', val Max0.mAX' = Max0.mAX' - clone Robinson_Assignments_CompatibleCompleteInner as 
CompatibleCompleteInner0 with - predicate CompatibleInner0.compatible_inner = CompatibleInner0.compatible_inner, - predicate CompleteInner0.complete_inner = CompleteInner0.complete_inner - clone Robinson_Formula_Impl1_EventuallySatCompleteInner as EventuallySatCompleteInner0 with - predicate CompatibleCompleteInner0.compatible_complete_inner = CompatibleCompleteInner0.compatible_complete_inner, - predicate SatInner0.sat_inner = SatInner0.sat_inner - let rec ghost function lemma_extension_sat_base_sat [#"../Robinson/src/logic.rs" 82 0 82 97] (f : Robinson_Formula_Formula_Type.t_formula) (a : Seq.seq uint8) (ix : int) (v : uint8) : () - requires {[#"../Robinson/src/logic.rs" 79 11 79 50] 0 <= ix /\ ix < Seq.length a /\ Unset0.unset (Seq.get a ix)} - requires {[#"../Robinson/src/logic.rs" 80 11 80 56] EventuallySatCompleteInner0.eventually_sat_complete_inner f (Seq.set a ix v)} - ensures { [#"../Robinson/src/logic.rs" 81 10 81 44] EventuallySatCompleteInner0.eventually_sat_complete_inner f a } + clone Robinson_Clause_Impl1_Unit as Unit0 with + function ShallowModel0.shallow_model = ShallowModel2.shallow_model, + predicate UnitInner0.unit_inner = UnitInner0.unit_inner + let rec cfg get_unit [#"../Robinson/src/clause.rs" 163 4 163 64] [@cfg:stackify] [@cfg:subregion_analysis] (self : Robinson_Clause_Clause_Type.t_clause) (a : Robinson_Assignments_Assignments_Type.t_assignments) (_f : Robinson_Formula_Formula_Type.t_formula) : Robinson_Lit_Lit_Type.t_lit + requires {[#"../Robinson/src/clause.rs" 157 15 157 28] Unit0.unit self a} + requires {[#"../Robinson/src/clause.rs" 158 15 158 29] Invariant0.invariant' _f} + requires {[#"../Robinson/src/clause.rs" 159 15 159 31] Invariant1.invariant' a _f} + ensures { [#"../Robinson/src/clause.rs" 160 4 160 78] exists j : int . 
0 <= j /\ j < Seq.length (ShallowModel0.shallow_model self) /\ Seq.get (ShallowModel0.shallow_model self) j = result } + ensures { [#"../Robinson/src/clause.rs" 161 14 161 47] IndexLogic0.index_logic result < Seq.length (ShallowModel1.shallow_model a) } + ensures { [#"../Robinson/src/clause.rs" 162 14 162 47] Unset0.unset (Seq.get (ShallowModel1.shallow_model a) (IndexLogic0.index_logic result)) } = [@vc:do_not_keep_trace] [@vc:sp] - [#"../Robinson/src/logic.rs" 78 0 78 8] () -end -module Robinson_Logic_Neg_Stub - use prelude.Int - use prelude.UInt8 - function neg [#"../Robinson/src/logic.rs" 36 0 36 25] (_1' : ()) : uint8 -end -module Robinson_Logic_Neg_Interface - use prelude.Int - use prelude.UInt8 - function neg [#"../Robinson/src/logic.rs" 36 0 36 25] (_1' : ()) : uint8 + var _0 : Robinson_Lit_Lit_Type.t_lit; + var self_1 : Robinson_Clause_Clause_Type.t_clause; + var a_2 : Robinson_Assignments_Assignments_Type.t_assignments; + var _f_3 : Robinson_Formula_Formula_Type.t_formula; + var _4 : (); + var i_11 : usize; + var _12 : (); + var _14 : (); + var _15 : bool; + var _16 : usize; + var _17 : usize; + var _18 : Alloc_Vec_Vec_Type.t_vec (Robinson_Lit_Lit_Type.t_lit) (Alloc_Alloc_Global_Type.t_global); + var lit_19 : Robinson_Lit_Lit_Type.t_lit; + var _20 : Robinson_Lit_Lit_Type.t_lit; + var _21 : Alloc_Vec_Vec_Type.t_vec (Robinson_Lit_Lit_Type.t_lit) (Alloc_Alloc_Global_Type.t_global); + var _22 : usize; + var _23 : (); + var _24 : bool; + var _25 : Robinson_Lit_Lit_Type.t_lit; + var _26 : Robinson_Assignments_Assignments_Type.t_assignments; + var _27 : (); + var _28 : (); + var _29 : (); + var _30 : (); + var _31 : (); + { + self_1 <- self; + a_2 <- a; + _f_3 <- _f; + goto BB0 + } + BB0 { + i_11 <- ([#"../Robinson/src/clause.rs" 164 27 164 28] (0 : usize)); + goto BB1 + } + BB1 { + invariant { [#"../Robinson/src/clause.rs" 165 8 165 77] forall j : int . 
0 <= j /\ j < UIntSize.to_int i_11 -> not Unset1.unset (Seq.get (ShallowModel0.shallow_model self_1) j) a_2 }; + _16 <- i_11; + _18 <- Robinson_Clause_Clause_Type.clause_rest self_1; + _17 <- ([#"../Robinson/src/clause.rs" 166 18 166 33] Len0.len _18); + goto BB2 + } + BB2 { + _15 <- ([#"../Robinson/src/clause.rs" 166 14 166 33] _16 < _17); + switch (_15) + | False -> goto BB8 + | True -> goto BB3 + end + } + BB3 { + _21 <- Robinson_Clause_Clause_Type.clause_rest self_1; + _22 <- i_11; + _20 <- ([#"../Robinson/src/clause.rs" 167 22 167 34] Index0.index _21 _22); + goto BB4 + } + BB4 { + lit_19 <- _20; + _25 <- lit_19; + _26 <- a_2; + _24 <- ([#"../Robinson/src/clause.rs" 168 15 168 31] LitUnset0.lit_unset _25 _26); + goto BB5 + } + BB5 { + switch (_24) + | False -> goto BB7 + | True -> goto BB6 + end + } + BB6 { + _0 <- lit_19; + return _0 + } + BB7 { + _23 <- (); + i_11 <- ([#"../Robinson/src/clause.rs" 171 12 171 18] i_11 + ([#"../Robinson/src/clause.rs" 171 17 171 18] (1 : usize))); + _14 <- (); + goto BB1 + } + BB8 { + _12 <- (); + absurd + } + end -module Robinson_Logic_Neg +module Robinson_Lit_Impl2_Index_Interface + use prelude.UIntSize use prelude.Int - use prelude.UInt8 - function neg [#"../Robinson/src/logic.rs" 36 0 36 25] (_1' : ()) : uint8 = - [#"../Robinson/src/logic.rs" 37 4 37 7] (0 : uint8) - val neg [#"../Robinson/src/logic.rs" 36 0 36 25] (_1' : ()) : uint8 - ensures { result = neg _1' } + use Robinson_Lit_Lit_Type as Robinson_Lit_Lit_Type + clone Robinson_Lit_Impl0_IndexLogic_Stub as IndexLogic0 + val index [#"../Robinson/src/lit.rs" 88 4 88 31] (self : Robinson_Lit_Lit_Type.t_lit) : usize + ensures { [#"../Robinson/src/lit.rs" 87 14 87 43] UIntSize.to_int result = IndexLogic0.index_logic self } end -module Robinson_Logic_Pos_Stub - use prelude.Int - use prelude.UInt8 - function pos [#"../Robinson/src/logic.rs" 31 0 31 25] (_1' : ()) : uint8 -end -module Robinson_Logic_Pos_Interface - use prelude.Int - use prelude.UInt8 - function pos 
[#"../Robinson/src/logic.rs" 31 0 31 25] (_1' : ()) : uint8 -end -module Robinson_Logic_Pos +module Robinson_Lit_Impl2_Index use prelude.Int - use prelude.UInt8 - function pos [#"../Robinson/src/logic.rs" 31 0 31 25] (_1' : ()) : uint8 = - [#"../Robinson/src/logic.rs" 32 4 32 7] (1 : uint8) - val pos [#"../Robinson/src/logic.rs" 31 0 31 25] (_1' : ()) : uint8 - ensures { result = pos _1' } + use prelude.UIntSize + use Robinson_Lit_Lit_Type as Robinson_Lit_Lit_Type + clone Robinson_Lit_Impl0_IndexLogic as IndexLogic0 + let rec cfg index [#"../Robinson/src/lit.rs" 88 4 88 31] [@cfg:stackify] [@cfg:subregion_analysis] (self : Robinson_Lit_Lit_Type.t_lit) : usize + ensures { [#"../Robinson/src/lit.rs" 87 14 87 43] UIntSize.to_int result = IndexLogic0.index_logic self } + = [@vc:do_not_keep_trace] [@vc:sp] + var _0 : usize; + var self_1 : Robinson_Lit_Lit_Type.t_lit; + { + self_1 <- self; + goto BB0 + } + BB0 { + _0 <- Robinson_Lit_Lit_Type.lit_idx self_1; + return _0 + } + end -module Robinson_Logic_LemmaExtensionsUnsatBaseUnsat_Stub - use prelude.Int - use seq.Seq - use prelude.UInt8 - use Robinson_Formula_Formula_Type as Robinson_Formula_Formula_Type - clone Robinson_Logic_Pos_Stub as Pos0 - clone Robinson_Formula_Impl1_EventuallySatCompleteInner_Stub as EventuallySatCompleteInner0 - clone Robinson_Logic_Neg_Stub as Neg0 - clone Robinson_Logic_Unset_Stub as Unset0 - function lemma_extensions_unsat_base_unsat [#"../Robinson/src/logic.rs" 89 0 89 84] (a : Seq.seq uint8) (ix : int) (f : Robinson_Formula_Formula_Type.t_formula) : () +module CreusotContracts_Std1_Slice_SliceIndex_ResolveElswhere_Stub + type self + type t + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + predicate resolve_elswhere (self : self) (old' : ShallowModelTy0.shallowModelTy) (fin : ShallowModelTy0.shallowModelTy) end -module Robinson_Logic_LemmaExtensionsUnsatBaseUnsat_Interface - use prelude.Int - use seq.Seq - use prelude.UInt8 - use 
Robinson_Formula_Formula_Type as Robinson_Formula_Formula_Type - clone Robinson_Logic_Pos_Stub as Pos0 - clone Robinson_Formula_Impl1_EventuallySatCompleteInner_Stub as EventuallySatCompleteInner0 - clone Robinson_Logic_Neg_Stub as Neg0 - clone Robinson_Logic_Unset_Stub as Unset0 - function lemma_extensions_unsat_base_unsat [#"../Robinson/src/logic.rs" 89 0 89 84] (a : Seq.seq uint8) (ix : int) (f : Robinson_Formula_Formula_Type.t_formula) : () +module CreusotContracts_Std1_Slice_SliceIndex_ResolveElswhere_Interface + type self + type t + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + predicate resolve_elswhere (self : self) (old' : ShallowModelTy0.shallowModelTy) (fin : ShallowModelTy0.shallowModelTy) - axiom lemma_extensions_unsat_base_unsat_spec : forall a : Seq.seq uint8, ix : int, f : Robinson_Formula_Formula_Type.t_formula . ([#"../Robinson/src/logic.rs" 85 11 85 50] 0 <= ix /\ ix < Seq.length a /\ Unset0.unset (Seq.get a ix)) -> ([#"../Robinson/src/logic.rs" 86 11 86 61] not EventuallySatCompleteInner0.eventually_sat_complete_inner f (Seq.set a ix (Neg0.neg ()))) -> ([#"../Robinson/src/logic.rs" 87 11 87 61] not EventuallySatCompleteInner0.eventually_sat_complete_inner f (Seq.set a ix (Pos0.pos ()))) -> ([#"../Robinson/src/logic.rs" 88 10 88 45] not EventuallySatCompleteInner0.eventually_sat_complete_inner f a) end -module Robinson_Logic_LemmaExtensionsUnsatBaseUnsat - use prelude.Int - use seq.Seq - use prelude.UInt8 - use Robinson_Formula_Formula_Type as Robinson_Formula_Formula_Type - clone Robinson_Logic_Pos_Stub as Pos0 - clone Robinson_Formula_Impl1_EventuallySatCompleteInner_Stub as EventuallySatCompleteInner0 - clone Robinson_Logic_Neg_Stub as Neg0 - clone Robinson_Logic_Unset_Stub as Unset0 - function lemma_extensions_unsat_base_unsat [#"../Robinson/src/logic.rs" 89 0 89 84] (a : Seq.seq uint8) (ix : int) (f : Robinson_Formula_Formula_Type.t_formula) : () +module 
CreusotContracts_Std1_Slice_SliceIndex_ResolveElswhere + type self + type t + clone CreusotContracts_Model_ShallowModel_ShallowModelTy_Type as ShallowModelTy0 with + type self = t + predicate resolve_elswhere (self : self) (old' : ShallowModelTy0.shallowModelTy) (fin : ShallowModelTy0.shallowModelTy) - = - [#"../Robinson/src/logic.rs" 84 0 84 8] () - val lemma_extensions_unsat_base_unsat [#"../Robinson/src/logic.rs" 89 0 89 84] (a : Seq.seq uint8) (ix : int) (f : Robinson_Formula_Formula_Type.t_formula) : () - requires {[#"../Robinson/src/logic.rs" 85 11 85 50] 0 <= ix /\ ix < Seq.length a /\ Unset0.unset (Seq.get a ix)} - requires {[#"../Robinson/src/logic.rs" 86 11 86 61] not EventuallySatCompleteInner0.eventually_sat_complete_inner f (Seq.set a ix (Neg0.neg ()))} - requires {[#"../Robinson/src/logic.rs" 87 11 87 61] not EventuallySatCompleteInner0.eventually_sat_complete_inner f (Seq.set a ix (Pos0.pos ()))} - ensures { result = lemma_extensions_unsat_base_unsat a ix f } + val resolve_elswhere (self : self) (old' : ShallowModelTy0.shallowModelTy) (fin : ShallowModelTy0.shallowModelTy) : bool + ensures { result = resolve_elswhere self old' fin } - axiom lemma_extensions_unsat_base_unsat_spec : forall a : Seq.seq uint8, ix : int, f : Robinson_Formula_Formula_Type.t_formula . 
([#"../Robinson/src/logic.rs" 85 11 85 50] 0 <= ix /\ ix < Seq.length a /\ Unset0.unset (Seq.get a ix)) -> ([#"../Robinson/src/logic.rs" 86 11 86 61] not EventuallySatCompleteInner0.eventually_sat_complete_inner f (Seq.set a ix (Neg0.neg ()))) -> ([#"../Robinson/src/logic.rs" 87 11 87 61] not EventuallySatCompleteInner0.eventually_sat_complete_inner f (Seq.set a ix (Pos0.pos ()))) -> ([#"../Robinson/src/logic.rs" 88 10 88 45] not EventuallySatCompleteInner0.eventually_sat_complete_inner f a) end -module Robinson_Logic_LemmaExtensionsUnsatBaseUnsat_Impl - use prelude.Int +module Alloc_Vec_Impl14_IndexMut_Interface + type t + type i + type a + use prelude.Borrow use seq.Seq - use prelude.UInt8 - use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type - use Robinson_Lit_Lit_Type as Robinson_Lit_Lit_Type + use prelude.Slice + clone Core_Num_Impl11_Max_Stub as Max0 + use seq.Seq + clone Core_Slice_Index_SliceIndex_Output_Type as Output0 with + type self = i, + type t = slice t use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type - clone Core_Num_Impl12_Max as Max0 - clone CreusotContracts_Std1_Vec_Impl0_ShallowModel as ShallowModel2 with - type t = Robinson_Lit_Lit_Type.t_lit, - type a = Alloc_Alloc_Global_Type.t_global, - val Max0.mAX' = Max0.mAX', - axiom . 
- clone Robinson_Lit_Impl1_SatInner as SatInner2 - use Robinson_Clause_Clause_Type as Robinson_Clause_Clause_Type - clone Robinson_Clause_Impl0_ShallowModel as ShallowModel1 with - function ShallowModel0.shallow_model = ShallowModel2.shallow_model, - val Max0.mAX' = Max0.mAX' - clone Robinson_Clause_Impl1_SatInner as SatInner1 with - function ShallowModel0.shallow_model = ShallowModel1.shallow_model, - predicate SatInner0.sat_inner = SatInner2.sat_inner - clone CreusotContracts_Std1_Vec_Impl0_ShallowModel as ShallowModel0 with - type t = Robinson_Clause_Clause_Type.t_clause, - type a = Alloc_Alloc_Global_Type.t_global, + clone CreusotContracts_Std1_Slice_SliceIndex_ResolveElswhere_Stub as ResolveElswhere0 with + type self = i, + type t = slice t, + type ShallowModelTy0.shallowModelTy = Seq.seq t + clone CreusotContracts_Std1_Vec_Impl0_ShallowModel_Stub as ShallowModel1 with + type t = t, + type a = a, val Max0.mAX' = Max0.mAX', axiom . - clone Robinson_Logic_Unset as Unset0 - clone Robinson_Assignments_CompleteInner as CompleteInner0 with - predicate Unset0.unset = Unset0.unset - clone Robinson_Assignments_CompatibleInner as CompatibleInner0 with - predicate Unset0.unset = Unset0.unset - use Robinson_Formula_Formula_Type as Robinson_Formula_Formula_Type - clone Robinson_Formula_Impl1_SatInner as SatInner0 with - function ShallowModel0.shallow_model = ShallowModel0.shallow_model, - predicate SatInner0.sat_inner = SatInner1.sat_inner, - val Max0.mAX' = Max0.mAX' - clone Robinson_Assignments_CompatibleCompleteInner as CompatibleCompleteInner0 with - predicate CompatibleInner0.compatible_inner = CompatibleInner0.compatible_inner, - predicate CompleteInner0.complete_inner = CompleteInner0.complete_inner - clone Robinson_Logic_Pos as Pos0 - clone Robinson_Formula_Impl1_EventuallySatCompleteInner as EventuallySatCompleteInner0 with - predicate CompatibleCompleteInner0.compatible_complete_inner = CompatibleCompleteInner0.compatible_complete_inner, - predicate 
SatInner0.sat_inner = SatInner0.sat_inner - clone Robinson_Logic_Neg as Neg0 - let rec ghost function lemma_extensions_unsat_base_unsat [#"../Robinson/src/logic.rs" 89 0 89 84] (a : Seq.seq uint8) (ix : int) (f : Robinson_Formula_Formula_Type.t_formula) : () - requires {[#"../Robinson/src/logic.rs" 85 11 85 50] 0 <= ix /\ ix < Seq.length a /\ Unset0.unset (Seq.get a ix)} - requires {[#"../Robinson/src/logic.rs" 86 11 86 61] not EventuallySatCompleteInner0.eventually_sat_complete_inner f (Seq.set a ix (Neg0.neg ()))} - requires {[#"../Robinson/src/logic.rs" 87 11 87 61] not EventuallySatCompleteInner0.eventually_sat_complete_inner f (Seq.set a ix (Pos0.pos ()))} - ensures { [#"../Robinson/src/logic.rs" 88 10 88 45] not EventuallySatCompleteInner0.eventually_sat_complete_inner f a } + clone CreusotContracts_Std1_Slice_SliceIndex_HasValue_Stub as HasValue0 with + type self = i, + type t = slice t, + type ShallowModelTy0.shallowModelTy = Seq.seq t, + type Output0.output = Output0.output + clone CreusotContracts_Std1_Slice_SliceIndex_InBounds_Stub as InBounds0 with + type self = i, + type t = slice t, + type ShallowModelTy0.shallowModelTy = Seq.seq t + clone CreusotContracts_Model_Impl3_ShallowModel_Stub as ShallowModel0 with + type t = Alloc_Vec_Vec_Type.t_vec t a, + type ShallowModelTy0.shallowModelTy = Seq.seq t + val index_mut (self : borrowed (Alloc_Vec_Vec_Type.t_vec t a)) (index : i) : borrowed Output0.output + requires {InBounds0.in_bounds index (ShallowModel0.shallow_model self)} + ensures { HasValue0.has_value index (ShallowModel0.shallow_model self) ( * result) } + ensures { HasValue0.has_value index (ShallowModel1.shallow_model ( ^ self)) ( ^ result) } + ensures { ResolveElswhere0.resolve_elswhere index (ShallowModel0.shallow_model self) (ShallowModel1.shallow_model ( ^ self)) } + ensures { Seq.length (ShallowModel1.shallow_model ( ^ self)) = Seq.length (ShallowModel0.shallow_model self) } - = [@vc:do_not_keep_trace] [@vc:sp] - [#"../Robinson/src/logic.rs" 
84 0 84 8] () end module CreusotContracts_Std1_Slice_Impl5_ResolveElswhere_Stub type t @@ -3512,7 +3554,7 @@ module Robinson_Assignments_Impl2_UnitPropOnce_Interface use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type use Robinson_Clause_Clause_Type as Robinson_Clause_Clause_Type use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type - clone Core_Num_Impl12_Max_Stub as Max0 + clone Core_Num_Impl11_Max_Stub as Max0 use Robinson_Assignments_Assignments_Type as Robinson_Assignments_Assignments_Type clone Robinson_Clause_Impl1_Unsat_Stub as Unsat0 clone Robinson_Assignments_Impl0_ShallowModel_Stub as ShallowModel2 @@ -3536,7 +3578,7 @@ module Robinson_Assignments_Impl2_UnitPropOnce_Interface val unit_prop_once [#"../Robinson/src/assignments.rs" 151 4 151 74] (self : borrowed (Robinson_Assignments_Assignments_Type.t_assignments)) (i : usize) (f : Robinson_Formula_Formula_Type.t_formula) : Robinson_Clause_ClauseState_Type.t_clausestate requires {[#"../Robinson/src/assignments.rs" 133 4 133 42] Invariant0.invariant' ( * self) f} requires {[#"../Robinson/src/assignments.rs" 134 15 134 28] Invariant1.invariant' f} - requires {[#"../Robinson/src/assignments.rs" 135 15 135 49] 0 <= UIntSize.to_int i /\ UIntSize.to_int i < Seq.length (ShallowModel0.shallow_model (Robinson_Formula_Formula_Type.formula_clauses f))} + requires {[#"../Robinson/src/assignments.rs" 135 15 135 47] 0 <= UIntSize.to_int i /\ UIntSize.to_int i < Seq.length (ShallowModel0.shallow_model (Robinson_Formula_Formula_Type.formula_clauses f))} ensures { [#"../Robinson/src/assignments.rs" 133 4 133 42] Invariant0.invariant' ( ^ self) f } ensures { [#"../Robinson/src/assignments.rs" 136 14 136 39] Compatible0.compatible ( * self) ( ^ self) } ensures { [#"../Robinson/src/assignments.rs" 137 14 137 82] EventuallySatComplete0.eventually_sat_complete f ( * self) = EventuallySatComplete0.eventually_sat_complete f ( ^ self) } 
@@ -3564,7 +3606,7 @@ module Robinson_Assignments_Impl2_UnitPropOnce clone Robinson_Lit_Impl1_Invariant as Invariant3 use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type - clone Core_Num_Impl12_Max as Max0 + clone Core_Num_Impl11_Max as Max0 clone CreusotContracts_Std1_Vec_Impl0_ShallowModel as ShallowModel9 with type t = Robinson_Lit_Lit_Type.t_lit, type a = Alloc_Alloc_Global_Type.t_global, @@ -3669,7 +3711,7 @@ module Robinson_Assignments_Impl2_UnitPropOnce axiom . clone CreusotContracts_Resolve_Impl1_Resolve as Resolve1 with type t = uint8 - clone Alloc_Vec_Impl16_IndexMut_Interface as IndexMut0 with + clone Alloc_Vec_Impl14_IndexMut_Interface as IndexMut0 with type t = uint8, type i = usize, type a = Alloc_Alloc_Global_Type.t_global, @@ -3743,7 +3785,7 @@ module Robinson_Assignments_Impl2_UnitPropOnce predicate Unsat0.unsat = Unsat0.unsat, predicate Unit0.unit = Unit0.unit, predicate Complete0.complete = Complete0.complete - clone Alloc_Vec_Impl15_Index_Interface as Index0 with + clone Alloc_Vec_Impl13_Index_Interface as Index0 with type t = Robinson_Clause_Clause_Type.t_clause, type i = usize, type a = Alloc_Alloc_Global_Type.t_global, 
@@ -3764,7 +3806,7 @@ module Robinson_Assignments_Impl2_UnitPropOnce let rec cfg unit_prop_once [#"../Robinson/src/assignments.rs" 151 4 151 74] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (Robinson_Assignments_Assignments_Type.t_assignments)) (i : usize) (f : Robinson_Formula_Formula_Type.t_formula) : Robinson_Clause_ClauseState_Type.t_clausestate requires {[#"../Robinson/src/assignments.rs" 133 4 133 42] Invariant0.invariant' ( * self) f} requires {[#"../Robinson/src/assignments.rs" 134 15 134 28] Invariant1.invariant' f} - requires {[#"../Robinson/src/assignments.rs" 135 15 135 49] 0 <= UIntSize.to_int i /\ UIntSize.to_int i < Seq.length (ShallowModel0.shallow_model (Robinson_Formula_Formula_Type.formula_clauses f))} + requires {[#"../Robinson/src/assignments.rs" 135 15 135 47] 0 <= UIntSize.to_int i /\ UIntSize.to_int i < Seq.length (ShallowModel0.shallow_model (Robinson_Formula_Formula_Type.formula_clauses f))} ensures { [#"../Robinson/src/assignments.rs" 133 4 133 42] Invariant0.invariant' ( ^ self) f } ensures { [#"../Robinson/src/assignments.rs" 136 14 136 39] Compatible0.compatible ( * self) ( ^ self) } ensures { [#"../Robinson/src/assignments.rs" 137 14 137 82] EventuallySatComplete0.eventually_sat_complete f ( * self) = EventuallySatComplete0.eventually_sat_complete f ( ^ self) } @@ -4035,7 +4077,7 @@ module Robinson_Assignments_Impl2_UnitPropagate use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type use Robinson_Lit_Lit_Type as Robinson_Lit_Lit_Type use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type - clone Core_Num_Impl12_Max as Max0 + clone Core_Num_Impl11_Max as Max0 clone CreusotContracts_Std1_Vec_Impl0_ShallowModel as ShallowModel6 with type t = Robinson_Lit_Lit_Type.t_lit, type a = Alloc_Alloc_Global_Type.t_global, 
@@ -4219,15 +4261,15 @@ module Robinson_Assignments_Impl2_UnitPropagate goto BB2 } BB2 { - invariant assignment_invariant { [#"../Robinson/src/assignments.rs" 194 42 194 60] Invariant1.invariant' ( * self_1) f_2 }; - invariant proph { [#"../Robinson/src/assignments.rs" 195 27 195 51] ^ self_1 = ^ Ghost.inner _old_a_11 }; - invariant maintains_compat { [#"../Robinson/src/assignments.rs" 196 38 196 62] Compatible0.compatible ( * Ghost.inner _old_a_11) ( * self_1) }; - invariant maintains_sat { [#"../Robinson/src/assignments.rs" 197 35 197 113] EventuallySatComplete0.eventually_sat_complete f_2 ( * Ghost.inner _old_a_11) = EventuallySatComplete0.eventually_sat_complete f_2 ( * self_1) }; - invariant out_not_unsat { [#"../Robinson/src/assignments.rs" 198 35 198 63] not out_15 = Robinson_Clause_ClauseState_Type.C_Unsat }; - invariant inv { [#"../Robinson/src/assignments.rs" 194 8 194 62] Complete0.complete ( * Ghost.inner _old_a_11) -> * Ghost.inner _old_a_11 = * self_1 /\ (forall j : int . 0 <= j /\ j < UIntSize.to_int i_14 -> not Unknown0.unknown (Seq.get (ShallowModel0.shallow_model (Robinson_Formula_Formula_Type.formula_clauses f_2)) j) ( * self_1) /\ not Unit0.unit (Seq.get (ShallowModel0.shallow_model (Robinson_Formula_Formula_Type.formula_clauses f_2)) j) ( * self_1) /\ Sat1.sat (Seq.get (ShallowModel0.shallow_model (Robinson_Formula_Formula_Type.formula_clauses f_2)) j) ( * self_1)) }; - invariant inv2 { [#"../Robinson/src/assignments.rs" 194 8 194 62] out_15 = Robinson_Clause_ClauseState_Type.C_Sat -> (forall j : int . 
0 <= j /\ j < UIntSize.to_int i_14 -> not Unsat1.unsat (Seq.get (ShallowModel0.shallow_model (Robinson_Formula_Formula_Type.formula_clauses f_2)) j) ( * self_1) /\ not Unknown0.unknown (Seq.get (ShallowModel0.shallow_model (Robinson_Formula_Formula_Type.formula_clauses f_2)) j) ( * self_1) /\ not Unit0.unit (Seq.get (ShallowModel0.shallow_model (Robinson_Formula_Formula_Type.formula_clauses f_2)) j) ( * self_1) /\ Sat1.sat (Seq.get (ShallowModel0.shallow_model (Robinson_Formula_Formula_Type.formula_clauses f_2)) j) ( * self_1)) }; - invariant inv3 { [#"../Robinson/src/assignments.rs" 194 8 194 62] out_15 = Robinson_Clause_ClauseState_Type.C_Unit -> not Complete0.complete ( * Ghost.inner _old_a_11) }; - invariant inv4 { [#"../Robinson/src/assignments.rs" 194 8 194 62] out_15 = Robinson_Clause_ClauseState_Type.C_Unknown -> not Complete0.complete ( * self_1) }; + invariant { [#"../Robinson/src/assignments.rs" 194 20 194 38] Invariant1.invariant' ( * self_1) f_2 }; + invariant { [#"../Robinson/src/assignments.rs" 195 20 195 44] ^ self_1 = ^ Ghost.inner _old_a_11 }; + invariant { [#"../Robinson/src/assignments.rs" 196 20 196 44] Compatible0.compatible ( * Ghost.inner _old_a_11) ( * self_1) }; + invariant { [#"../Robinson/src/assignments.rs" 197 20 197 98] EventuallySatComplete0.eventually_sat_complete f_2 ( * Ghost.inner _old_a_11) = EventuallySatComplete0.eventually_sat_complete f_2 ( * self_1) }; + invariant { [#"../Robinson/src/assignments.rs" 198 20 198 48] not out_15 = Robinson_Clause_ClauseState_Type.C_Unsat }; + invariant { [#"../Robinson/src/assignments.rs" 194 8 194 40] Complete0.complete ( * Ghost.inner _old_a_11) -> * Ghost.inner _old_a_11 = * self_1 /\ (forall j : int . 
0 <= j /\ j < UIntSize.to_int i_14 -> not Unknown0.unknown (Seq.get (ShallowModel0.shallow_model (Robinson_Formula_Formula_Type.formula_clauses f_2)) j) ( * self_1) /\ not Unit0.unit (Seq.get (ShallowModel0.shallow_model (Robinson_Formula_Formula_Type.formula_clauses f_2)) j) ( * self_1) /\ Sat1.sat (Seq.get (ShallowModel0.shallow_model (Robinson_Formula_Formula_Type.formula_clauses f_2)) j) ( * self_1)) }; + invariant { [#"../Robinson/src/assignments.rs" 194 8 194 40] out_15 = Robinson_Clause_ClauseState_Type.C_Sat -> (forall j : int . 0 <= j /\ j < UIntSize.to_int i_14 -> not Unsat1.unsat (Seq.get (ShallowModel0.shallow_model (Robinson_Formula_Formula_Type.formula_clauses f_2)) j) ( * self_1) /\ not Unknown0.unknown (Seq.get (ShallowModel0.shallow_model (Robinson_Formula_Formula_Type.formula_clauses f_2)) j) ( * self_1) /\ not Unit0.unit (Seq.get (ShallowModel0.shallow_model (Robinson_Formula_Formula_Type.formula_clauses f_2)) j) ( * self_1) /\ Sat1.sat (Seq.get (ShallowModel0.shallow_model (Robinson_Formula_Formula_Type.formula_clauses f_2)) j) ( * self_1)) }; + invariant { [#"../Robinson/src/assignments.rs" 194 8 194 40] out_15 = Robinson_Clause_ClauseState_Type.C_Unit -> not Complete0.complete ( * Ghost.inner _old_a_11) }; + invariant { [#"../Robinson/src/assignments.rs" 194 8 194 40] out_15 = Robinson_Clause_ClauseState_Type.C_Unknown -> not Complete0.complete ( * self_1) }; _28 <- i_14; _30 <- Robinson_Formula_Formula_Type.formula_clauses f_2; _29 <- ([#"../Robinson/src/assignments.rs" 209 18 209 33] Len0.len _30); @@ -4353,7 +4395,7 @@ module Robinson_Assignments_Impl2_DoUnitPropagation use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type use Robinson_Lit_Lit_Type as Robinson_Lit_Lit_Type use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type - clone Core_Num_Impl12_Max as Max0 + clone Core_Num_Impl11_Max as Max0 clone CreusotContracts_Std1_Vec_Impl0_ShallowModel as ShallowModel4 with type t = Robinson_Lit_Lit_Type.t_lit, type a = Alloc_Alloc_Global_Type.t_global, 
@@ -4483,10 +4525,10 @@ module Robinson_Assignments_Impl2_DoUnitPropagation goto BB2 } BB2 { - invariant assignments_invariant { [#"../Robinson/src/assignments.rs" 240 43 240 61] Invariant1.invariant' ( * self_1) f_2 }; - invariant proph { [#"../Robinson/src/assignments.rs" 241 27 241 51] ^ self_1 = ^ Ghost.inner _old_a_11 }; - invariant maintains_compat { [#"../Robinson/src/assignments.rs" 242 38 242 62] Compatible0.compatible ( * Ghost.inner _old_a_11) ( * self_1) }; - invariant maintains_sat { [#"../Robinson/src/assignments.rs" 240 8 240 63] EventuallySatComplete0.eventually_sat_complete f_2 ( * Ghost.inner _old_a_11) -> EventuallySatComplete0.eventually_sat_complete f_2 ( * self_1) }; + invariant { [#"../Robinson/src/assignments.rs" 240 20 240 38] Invariant1.invariant' ( * self_1) f_2 }; + invariant { [#"../Robinson/src/assignments.rs" 241 20 241 44] ^ self_1 = ^ Ghost.inner _old_a_11 }; + invariant { [#"../Robinson/src/assignments.rs" 242 20 242 44] Compatible0.compatible ( * Ghost.inner _old_a_11) ( * self_1) }; + invariant { [#"../Robinson/src/assignments.rs" 240 8 240 40] EventuallySatComplete0.eventually_sat_complete f_2 ( * Ghost.inner _old_a_11) -> EventuallySatComplete0.eventually_sat_complete f_2 ( * self_1) }; _21 <- borrow_mut ( * self_1); self_1 <- { self_1 with current = ( ^ _21) }; _22 <- f_2; @@ -4560,8 +4602,9 @@ module Robinson_Clause_Impl2_ClauseFromVec_Interface end module Robinson_Clause_Impl2_ClauseFromVec - clone Core_Num_Impl12_Max as Max0 use Robinson_Lit_Lit_Type as Robinson_Lit_Lit_Type + use seq.Seq + clone Core_Num_Impl11_Max as Max0 clone CreusotContracts_Resolve_Impl2_Resolve as Resolve1 with type t = Robinson_Lit_Lit_Type.t_lit use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type 
@@ -4571,9 +4614,14 @@ module Robinson_Clause_Impl2_ClauseFromVec type a = Alloc_Alloc_Global_Type.t_global, val Max0.mAX' = Max0.mAX', axiom . + clone CreusotContracts_Logic_Ops_Impl0_IndexLogic as IndexLogic0 with + type t = Robinson_Lit_Lit_Type.t_lit, + type s = Alloc_Vec_Vec_Type.t_vec (Robinson_Lit_Lit_Type.t_lit) (Alloc_Alloc_Global_Type.t_global), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model clone CreusotContracts_Std1_Vec_Impl10_Resolve as Resolve0 with type t = Robinson_Lit_Lit_Type.t_lit, function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, predicate Resolve0.resolve = Resolve1.resolve, val Max0.mAX' = Max0.mAX' use Robinson_Clause_Clause_Type as Robinson_Clause_Clause_Type @@ -4625,7 +4673,7 @@ module Robinson_Clause_Impl2_Len_Interface type t = Robinson_Clause_Clause_Type.t_clause, type ShallowModelTy0.shallowModelTy = Seq.seq (Robinson_Lit_Lit_Type.t_lit) val len [#"../Robinson/src/clause.rs" 224 4 224 30] (self : Robinson_Clause_Clause_Type.t_clause) : usize - ensures { [#"../Robinson/src/clause.rs" 223 14 223 38] UIntSize.to_int result = Seq.length (ShallowModel0.shallow_model self) } + ensures { [#"../Robinson/src/clause.rs" 223 14 223 36] UIntSize.to_int result = Seq.length (ShallowModel0.shallow_model self) } end module Robinson_Clause_Impl2_Len @@ -4633,7 +4681,7 @@ module Robinson_Clause_Impl2_Len use prelude.UIntSize use prelude.Borrow use seq.Seq - clone Core_Num_Impl12_Max as Max0 + clone Core_Num_Impl11_Max as Max0 use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type use Robinson_Lit_Lit_Type as Robinson_Lit_Lit_Type 
@@ -4660,7 +4708,7 @@ module Robinson_Clause_Impl2_Len type ShallowModelTy0.shallowModelTy = Seq.seq (Robinson_Lit_Lit_Type.t_lit), function ShallowModel0.shallow_model = ShallowModel1.shallow_model let rec cfg len [#"../Robinson/src/clause.rs" 224 4 224 30] [@cfg:stackify] [@cfg:subregion_analysis] (self : Robinson_Clause_Clause_Type.t_clause) : usize - ensures { [#"../Robinson/src/clause.rs" 223 14 223 38] UIntSize.to_int result = Seq.length (ShallowModel0.shallow_model self) } + ensures { [#"../Robinson/src/clause.rs" 223 14 223 36] UIntSize.to_int result = Seq.length (ShallowModel0.shallow_model self) } = [@vc:do_not_keep_trace] [@vc:sp] var _0 : usize; @@ -4738,7 +4786,7 @@ module Robinson_Clause_Impl2_CheckClauseInvariant use prelude.UIntSize use prelude.Borrow use seq.Seq - clone Core_Num_Impl12_Max as Max1 + clone Core_Num_Impl11_Max as Max1 use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type use Robinson_Lit_Lit_Type as Robinson_Lit_Lit_Type @@ -4763,7 +4811,7 @@ module Robinson_Clause_Impl2_CheckClauseInvariant clone Robinson_Lit_Impl1_Invariant as Invariant1 clone Robinson_Lit_Impl2_CheckLitInvariant_Interface as CheckLitInvariant0 with predicate Invariant0.invariant' = Invariant1.invariant' - clone Alloc_Vec_Impl15_Index_Interface as Index0 with + clone Alloc_Vec_Impl13_Index_Interface as Index0 with type t = Robinson_Lit_Lit_Type.t_lit, type i = usize, type a = Alloc_Alloc_Global_Type.t_global, 
@@ -4825,8 +4873,8 @@ module Robinson_Clause_Impl2_CheckClauseInvariant goto BB1 } BB1 { - invariant inv { [#"../Robinson/src/clause.rs" 182 8 182 91] forall j : int . 0 <= j /\ j < UIntSize.to_int i_5 -> Invariant1.invariant' (Seq.get (ShallowModel0.shallow_model self_1) j) (UIntSize.to_int new_n_6) }; - invariant new_n_inv { [#"../Robinson/src/clause.rs" 183 31 183 43] UIntSize.to_int new_n_6 >= UIntSize.to_int n_2 }; + invariant { [#"../Robinson/src/clause.rs" 182 8 182 84] forall j : int . 0 <= j /\ j < UIntSize.to_int i_5 -> Invariant1.invariant' (Seq.get (ShallowModel0.shallow_model self_1) j) (UIntSize.to_int new_n_6) }; + invariant { [#"../Robinson/src/clause.rs" 183 20 183 32] UIntSize.to_int new_n_6 >= UIntSize.to_int n_2 }; _12 <- i_5; _14 <- self_1; _13 <- ([#"../Robinson/src/clause.rs" 184 18 184 28] Len0.len _14); @@ -4899,7 +4947,7 @@ module Robinson_Clause_Impl2_NoDuplicates use prelude.Int use prelude.UIntSize use seq.Seq - clone Core_Num_Impl12_Max as Max0 + clone Core_Num_Impl11_Max as Max0 use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type use Robinson_Lit_Lit_Type as Robinson_Lit_Lit_Type @@ -4922,7 +4970,7 @@ module Robinson_Clause_Impl2_NoDuplicates clone Robinson_Clause_Impl0_ShallowModel as ShallowModel1 with function ShallowModel0.shallow_model = ShallowModel3.shallow_model, val Max0.mAX' = Max0.mAX' - clone Alloc_Vec_Impl15_Index_Interface as Index0 with + clone Alloc_Vec_Impl13_Index_Interface as Index0 with type t = Robinson_Lit_Lit_Type.t_lit, type i = usize, type a = Alloc_Alloc_Global_Type.t_global, 
@@ -4988,7 +5036,7 @@ module Robinson_Clause_Impl2_NoDuplicates goto BB1 } BB1 { - invariant no_dups { [#"../Robinson/src/clause.rs" 202 8 204 67] forall k : int . forall j : int . 0 <= j /\ j < UIntSize.to_int i_4 /\ 0 <= k /\ k < j -> Robinson_Lit_Lit_Type.lit_idx (Seq.get (ShallowModel0.shallow_model self_1) j) <> Robinson_Lit_Lit_Type.lit_idx (Seq.get (ShallowModel0.shallow_model self_1) k) }; + invariant { [#"../Robinson/src/clause.rs" 202 8 204 63] forall k : int . forall j : int . 0 <= j /\ j < UIntSize.to_int i_4 /\ 0 <= k /\ k < j -> Robinson_Lit_Lit_Type.lit_idx (Seq.get (ShallowModel0.shallow_model self_1) j) <> Robinson_Lit_Lit_Type.lit_idx (Seq.get (ShallowModel0.shallow_model self_1) k) }; _9 <- i_4; _11 <- Robinson_Clause_Clause_Type.clause_rest self_1; _10 <- ([#"../Robinson/src/clause.rs" 205 18 205 33] Len0.len _11); @@ -5013,7 +5061,7 @@ module Robinson_Clause_Impl2_NoDuplicates goto BB5 } BB5 { - invariant inv { [#"../Robinson/src/clause.rs" 208 12 208 93] forall k : int . 0 <= k /\ k < UIntSize.to_int j_16 -> Robinson_Lit_Lit_Type.lit_idx lit1_12 <> Robinson_Lit_Lit_Type.lit_idx (Seq.get (ShallowModel0.shallow_model self_1) k) }; + invariant { [#"../Robinson/src/clause.rs" 208 12 208 86] forall k : int . 0 <= k /\ k < UIntSize.to_int j_16 -> Robinson_Lit_Lit_Type.lit_idx lit1_12 <> Robinson_Lit_Lit_Type.lit_idx (Seq.get (ShallowModel0.shallow_model self_1) k) }; _20 <- j_16; _21 <- i_4; _19 <- ([#"../Robinson/src/clause.rs" 209 18 209 23] _20 < _21); 
@@ -5124,10 +5172,32 @@ module CreusotContracts_Logic_Seq_Impl0_PermutationOf use seq.Seq use seq.Permut predicate permutation_of (self : Seq.seq t) (o : Seq.seq t) = - [#"../Robinson/src/lit.rs" 19 27 20 19] Permut.permut self o 0 (Seq.length self) + [#"../Robinson/src/lit.rs" 44 44 47 1] Permut.permut self o 0 (Seq.length self) val permutation_of (self : Seq.seq t) (o : Seq.seq t) : bool ensures { result = permutation_of self o } +end +module Robinson_Util_PartitionRev_Stub + use seq.Seq + use prelude.Int + use prelude.UIntSize + predicate partition_rev [#"../Robinson/src/util.rs" 17 0 17 56] (v : Seq.seq (usize, usize)) (i : int) +end +module Robinson_Util_PartitionRev_Interface + use seq.Seq + use prelude.Int + use prelude.UIntSize + predicate partition_rev [#"../Robinson/src/util.rs" 17 0 17 56] (v : Seq.seq (usize, usize)) (i : int) +end +module Robinson_Util_PartitionRev + use seq.Seq + use prelude.Int + use prelude.UIntSize + predicate partition_rev [#"../Robinson/src/util.rs" 17 0 17 56] (v : Seq.seq (usize, usize)) (i : int) = + [#"../Robinson/src/util.rs" 18 4 18 110] forall k2 : int . forall k1 : int . 0 <= k1 /\ k1 < i /\ i <= k2 /\ k2 < Seq.length v -> (let (a, _) = Seq.get v k1 in a) >= (let (a, _) = Seq.get v k2 in a) + val partition_rev [#"../Robinson/src/util.rs" 17 0 17 56] (v : Seq.seq (usize, usize)) (i : int) : bool + ensures { result = partition_rev v i } + end module CreusotContracts_Std1_Slice_Impl0_ShallowModel_Stub type t @@ -5135,9 +5205,8 @@ module CreusotContracts_Std1_Slice_Impl0_ShallowModel_Stub use prelude.UIntSize use prelude.Int use prelude.Slice - use prelude.Seq - clone Core_Num_Impl12_Max_Stub as Max0 - function shallow_model (self : seq t) : Seq.seq t + clone Core_Num_Impl11_Max_Stub as Max0 + function shallow_model (self : slice t) : Seq.seq t end module CreusotContracts_Std1_Slice_Impl0_ShallowModel_Interface type t 
@@ -5145,10 +5214,9 @@ module CreusotContracts_Std1_Slice_Impl0_ShallowModel_Interface use prelude.UIntSize use prelude.Int use prelude.Slice - use prelude.Seq - clone Core_Num_Impl12_Max_Stub as Max0 - function shallow_model (self : seq t) : Seq.seq t - axiom shallow_model_spec : forall self : seq t . shallow_model self = Slice.id self && Seq.length (shallow_model self) <= UIntSize.to_int Max0.mAX' + clone Core_Num_Impl11_Max_Stub as Max0 + function shallow_model (self : slice t) : Seq.seq t + axiom shallow_model_spec : forall self : slice t . shallow_model self = Slice.id self && Seq.length (shallow_model self) <= UIntSize.to_int Max0.mAX' end module CreusotContracts_Std1_Slice_Impl0_ShallowModel type t @@ -5156,22 +5224,20 @@ module CreusotContracts_Std1_Slice_Impl0_ShallowModel use prelude.UIntSize use prelude.Int use prelude.Slice - use prelude.Seq - clone Core_Num_Impl12_Max_Stub as Max0 - function shallow_model (self : seq t) : Seq.seq t - val shallow_model (self : seq t) : Seq.seq t + clone Core_Num_Impl11_Max_Stub as Max0 + function shallow_model (self : slice t) : Seq.seq t + val shallow_model (self : slice t) : Seq.seq t ensures { result = shallow_model self } - axiom shallow_model_spec : forall self : seq t . shallow_model self = Slice.id self && Seq.length (shallow_model self) <= UIntSize.to_int Max0.mAX' + axiom shallow_model_spec : forall self : slice t . shallow_model self = Slice.id self && Seq.length (shallow_model self) <= UIntSize.to_int Max0.mAX' end module Alloc_Vec_Impl10_DerefMut_Interface type t type a use prelude.Borrow use prelude.Slice - use prelude.Seq use seq.Seq - clone Core_Num_Impl12_Max_Stub as Max0 + clone Core_Num_Impl11_Max_Stub as Max0 use seq.Seq use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type clone CreusotContracts_Std1_Vec_Impl0_ShallowModel_Stub as ShallowModel3 with 
@@ -5187,9 +5253,9 @@ module Alloc_Vec_Impl10_DerefMut_Interface type t = Alloc_Vec_Vec_Type.t_vec t a, type ShallowModelTy0.shallowModelTy = Seq.seq t clone CreusotContracts_Model_Impl3_ShallowModel_Stub as ShallowModel0 with - type t = seq t, + type t = slice t, type ShallowModelTy0.shallowModelTy = Seq.seq t - val deref_mut (self : borrowed (Alloc_Vec_Vec_Type.t_vec t a)) : borrowed (seq t) + val deref_mut (self : borrowed (Alloc_Vec_Vec_Type.t_vec t a)) : borrowed (slice t) ensures { ShallowModel0.shallow_model result = ShallowModel1.shallow_model self } ensures { ShallowModel2.shallow_model ( ^ result) = ShallowModel3.shallow_model ( ^ self) } 
@@ -5202,43 +5268,20 @@ module Core_Slice_Impl0_Swap_Interface use prelude.Borrow use seq.Permut use prelude.Slice - use prelude.Seq - clone Core_Num_Impl12_Max_Stub as Max0 + clone Core_Num_Impl11_Max_Stub as Max0 use seq.Seq clone CreusotContracts_Std1_Slice_Impl0_ShallowModel_Stub as ShallowModel1 with type t = t, val Max0.mAX' = Max0.mAX', axiom . clone CreusotContracts_Model_Impl3_ShallowModel_Stub as ShallowModel0 with - type t = seq t, + type t = slice t, type ShallowModelTy0.shallowModelTy = Seq.seq t - val swap (self : borrowed (seq t)) (a : usize) (b : usize) : () + val swap (self : borrowed (slice t)) (a : usize) (b : usize) : () requires {UIntSize.to_int a < Seq.length (ShallowModel0.shallow_model self)} requires {UIntSize.to_int b < Seq.length (ShallowModel0.shallow_model self)} ensures { Permut.exchange (ShallowModel1.shallow_model ( ^ self)) (ShallowModel0.shallow_model self) (UIntSize.to_int a) (UIntSize.to_int b) } -end -module Robinson_Util_PartitionRev_Stub - use seq.Seq - use prelude.Int - use prelude.UIntSize - predicate partition_rev [#"../Robinson/src/util.rs" 17 0 17 56] (v : Seq.seq (usize, usize)) (i : int) -end -module Robinson_Util_PartitionRev_Interface - use seq.Seq - use prelude.Int - use prelude.UIntSize - predicate partition_rev [#"../Robinson/src/util.rs" 17 0 17 56] (v : Seq.seq (usize, usize)) (i : int) -end -module Robinson_Util_PartitionRev - use seq.Seq - use prelude.Int - use prelude.UIntSize - predicate partition_rev [#"../Robinson/src/util.rs" 17 0 17 56] (v : Seq.seq (usize, usize)) (i : int) = - [#"../Robinson/src/util.rs" 18 4 18 110] forall k2 : int . forall k1 : int . 0 <= k1 /\ k1 < i /\ i <= k2 /\ k2 < Seq.length v -> (let (a, _) = Seq.get v k1 in a) >= (let (a, _) = Seq.get v k2 in a) - val partition_rev [#"../Robinson/src/util.rs" 17 0 17 56] (v : Seq.seq (usize, usize)) (i : int) : bool - ensures { result = partition_rev v i } - end module Robinson_Util_SortReverse_Interface use prelude.Borrow 
@@ -5246,7 +5289,7 @@ module Robinson_Util_SortReverse_Interface use prelude.UIntSize use seq.Seq use seq.Seq - clone Core_Num_Impl12_Max_Stub as Max0 + clone Core_Num_Impl11_Max_Stub as Max0 use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type clone CreusotContracts_Logic_Seq_Impl0_PermutationOf_Stub as PermutationOf0 with @@ -5261,8 +5304,8 @@ module Robinson_Util_SortReverse_Interface val Max0.mAX' = Max0.mAX', axiom . val sort_reverse [#"../Robinson/src/util.rs" 25 0 25 48] (v : borrowed (Alloc_Vec_Vec_Type.t_vec (usize, usize) (Alloc_Alloc_Global_Type.t_global))) : () - ensures { [#"../Robinson/src/util.rs" 23 10 23 25] SortedRev0.sorted_rev (ShallowModel0.shallow_model ( ^ v)) } - ensures { [#"../Robinson/src/util.rs" 24 10 24 34] PermutationOf0.permutation_of (ShallowModel0.shallow_model ( ^ v)) (ShallowModel1.shallow_model v) } + ensures { [#"../Robinson/src/util.rs" 23 10 23 27] SortedRev0.sorted_rev (ShallowModel0.shallow_model ( ^ v)) } + ensures { [#"../Robinson/src/util.rs" 24 0 24 36] PermutationOf0.permutation_of (ShallowModel0.shallow_model ( ^ v)) (ShallowModel1.shallow_model v) } end module Robinson_Util_SortReverse @@ -5271,16 +5314,15 @@ module Robinson_Util_SortReverse use prelude.UIntSize use prelude.Ghost use prelude.Slice - use prelude.Seq use seq.Seq - clone Core_Num_Impl12_Max as Max0 + clone Core_Num_Impl11_Max as Max0 clone CreusotContracts_Std1_Slice_Impl0_ShallowModel as ShallowModel4 with type t = (usize, usize), val Max0.mAX' = Max0.mAX', axiom . use seq.Seq clone CreusotContracts_Model_Impl3_ShallowModel as ShallowModel3 with - type t = seq (usize, usize), + type t = slice (usize, usize), type ShallowModelTy0.shallowModelTy = Seq.seq (usize, usize), function ShallowModel0.shallow_model = ShallowModel4.shallow_model clone CreusotContracts_Std1_Slice_Impl5_HasValue as HasValue0 with 
@@ -5306,7 +5348,7 @@ module Robinson_Util_SortReverse function ShallowModel1.shallow_model = ShallowModel4.shallow_model, val Max0.mAX' = Max0.mAX' clone CreusotContracts_Resolve_Impl1_Resolve as Resolve0 with - type t = seq (usize, usize) + type t = slice (usize, usize) clone CreusotContracts_Model_Impl3_ShallowModel as ShallowModel1 with type t = Alloc_Vec_Vec_Type.t_vec (usize, usize) (Alloc_Alloc_Global_Type.t_global), type ShallowModelTy0.shallowModelTy = Seq.seq (usize, usize), @@ -5319,7 +5361,7 @@ module Robinson_Util_SortReverse function ShallowModel2.shallow_model = ShallowModel4.shallow_model, function ShallowModel3.shallow_model = ShallowModel0.shallow_model, val Max0.mAX' = Max0.mAX' - clone Alloc_Vec_Impl15_Index_Interface as Index0 with + clone Alloc_Vec_Impl13_Index_Interface as Index0 with type t = (usize, usize), type i = usize, type a = Alloc_Alloc_Global_Type.t_global, @@ -5338,8 +5380,8 @@ module Robinson_Util_SortReverse clone Robinson_Util_SortedRev as SortedRev0 with predicate SortedRangeRev0.sorted_range_rev = SortedRangeRev0.sorted_range_rev let rec cfg sort_reverse [#"../Robinson/src/util.rs" 25 0 25 48] [@cfg:stackify] [@cfg:subregion_analysis] (v : borrowed (Alloc_Vec_Vec_Type.t_vec (usize, usize) (Alloc_Alloc_Global_Type.t_global))) : () - ensures { [#"../Robinson/src/util.rs" 23 10 23 25] SortedRev0.sorted_rev (ShallowModel0.shallow_model ( ^ v)) } - ensures { [#"../Robinson/src/util.rs" 24 10 24 34] PermutationOf0.permutation_of (ShallowModel0.shallow_model ( ^ v)) (ShallowModel1.shallow_model v) } + ensures { [#"../Robinson/src/util.rs" 23 10 23 27] SortedRev0.sorted_rev (ShallowModel0.shallow_model ( ^ v)) } + ensures { [#"../Robinson/src/util.rs" 24 0 24 36] PermutationOf0.permutation_of (ShallowModel0.shallow_model ( ^ v)) (ShallowModel1.shallow_model v) } = [@vc:do_not_keep_trace] [@vc:sp] var _0 : (); 
@@ -5375,8 +5417,8 @@ module Robinson_Util_SortReverse var _40 : (); var _41 : (); var _42 : (); - var _43 : borrowed (seq (usize, usize)); - var _44 : borrowed (seq (usize, usize)); + var _43 : borrowed (slice (usize, usize)); + var _44 : borrowed (slice (usize, usize)); var _45 : borrowed (Alloc_Vec_Vec_Type.t_vec (usize, usize) (Alloc_Alloc_Global_Type.t_global)); var _46 : usize; var _47 : usize; @@ -5397,10 +5439,10 @@ module Robinson_Util_SortReverse goto BB2 } BB2 { - invariant proph_const { [#"../Robinson/src/util.rs" 28 29 28 50] ^ v_1 = ^ Ghost.inner _old_v_5 }; - invariant permutation { [#"../Robinson/src/util.rs" 29 29 29 65] PermutationOf0.permutation_of (ShallowModel1.shallow_model v_1) (ShallowModel1.shallow_model (Ghost.inner _old_v_5)) }; - invariant sorted { [#"../Robinson/src/util.rs" 30 24 30 51] SortedRangeRev0.sorted_range_rev (ShallowModel1.shallow_model v_1) 0 (UIntSize.to_int i_4) }; - invariant partition { [#"../Robinson/src/util.rs" 31 27 31 48] PartitionRev0.partition_rev (ShallowModel1.shallow_model v_1) (UIntSize.to_int i_4) }; + invariant { [#"../Robinson/src/util.rs" 28 16 28 37] ^ v_1 = ^ Ghost.inner _old_v_5 }; + invariant { [#"../Robinson/src/util.rs" 28 4 28 39] PermutationOf0.permutation_of (ShallowModel1.shallow_model v_1) (ShallowModel1.shallow_model (Ghost.inner _old_v_5)) }; + invariant { [#"../Robinson/src/util.rs" 30 16 30 43] SortedRangeRev0.sorted_range_rev (ShallowModel1.shallow_model v_1) 0 (UIntSize.to_int i_4) }; + invariant { [#"../Robinson/src/util.rs" 31 16 31 37] PartitionRev0.partition_rev (ShallowModel1.shallow_model v_1) (UIntSize.to_int i_4) }; _14 <- i_4; _16 <- * v_1; _15 <- ([#"../Robinson/src/util.rs" 32 14 32 21] Len0.len _16); 
@@ -5420,9 +5462,9 @@ module Robinson_Util_SortReverse goto BB5 } BB5 { - invariant max_is_max { [#"../Robinson/src/util.rs" 35 8 35 96] forall k : int . UIntSize.to_int i_4 <= k /\ k < UIntSize.to_int j_18 -> (let (a, _) = Seq.get (ShallowModel1.shallow_model v_1) (UIntSize.to_int max_17) in a) >= (let (a, _) = Seq.get (ShallowModel1.shallow_model v_1) k in a) }; - invariant j_bound { [#"../Robinson/src/util.rs" 36 29 36 57] UIntSize.to_int i_4 <= UIntSize.to_int j_18 /\ UIntSize.to_int j_18 <= Seq.length (ShallowModel1.shallow_model v_1) }; - invariant max_bound { [#"../Robinson/src/util.rs" 37 31 37 54] UIntSize.to_int i_4 <= UIntSize.to_int max_17 /\ UIntSize.to_int max_17 < UIntSize.to_int j_18 }; + invariant { [#"../Robinson/src/util.rs" 35 8 35 80] forall k : int . UIntSize.to_int i_4 <= k /\ k < UIntSize.to_int j_18 -> (let (a, _) = Seq.get (ShallowModel1.shallow_model v_1) (UIntSize.to_int max_17) in a) >= (let (a, _) = Seq.get (ShallowModel1.shallow_model v_1) k in a) }; + invariant { [#"../Robinson/src/util.rs" 36 20 36 46] UIntSize.to_int i_4 <= UIntSize.to_int j_18 /\ UIntSize.to_int j_18 <= Seq.length (ShallowModel1.shallow_model v_1) }; + invariant { [#"../Robinson/src/util.rs" 37 20 37 43] UIntSize.to_int i_4 <= UIntSize.to_int max_17 /\ UIntSize.to_int max_17 < UIntSize.to_int j_18 }; _25 <- j_18; _27 <- * v_1; _26 <- ([#"../Robinson/src/util.rs" 38 18 38 25] Len0.len _27); @@ -5543,7 +5585,7 @@ module Robinson_Decision_Impl1_New use Robinson_Lit_Lit_Type as Robinson_Lit_Lit_Type clone Robinson_Lit_Impl1_Invariant as Invariant3 use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type - clone Core_Num_Impl12_Max as Max0 + clone Core_Num_Impl11_Max as Max0 use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type clone CreusotContracts_Std1_Vec_Impl0_ShallowModel as ShallowModel9 with type t = Robinson_Lit_Lit_Type.t_lit, 
@@ -5629,14 +5671,23 @@ module Robinson_Decision_Impl1_New type t = Alloc_Vec_Vec_Type.t_vec (Robinson_Clause_Clause_Type.t_clause) (Alloc_Alloc_Global_Type.t_global), type ShallowModelTy0.shallowModelTy = Seq.seq (Robinson_Clause_Clause_Type.t_clause), function ShallowModel0.shallow_model = ShallowModel2.shallow_model + clone CreusotContracts_Logic_Ops_Impl0_IndexLogic as IndexLogic1 with + type t = (usize, usize), + type s = Alloc_Vec_Vec_Type.t_vec (usize, usize) (Alloc_Alloc_Global_Type.t_global), + function ShallowModel0.shallow_model = ShallowModel1.shallow_model + clone CreusotContracts_Logic_Ops_Impl0_IndexLogic as IndexLogic0 with + type t = usize, + type s = Alloc_Vec_Vec_Type.t_vec usize (Alloc_Alloc_Global_Type.t_global), + function ShallowModel0.shallow_model = ShallowModel0.shallow_model clone Robinson_Clause_Impl1_Invariant as Invariant2 with predicate VarsInRange0.vars_in_range = VarsInRange0.vars_in_range clone CreusotContracts_Std1_Vec_Impl10_Resolve as Resolve4 with type t = (usize, usize), function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function IndexLogic0.index_logic = IndexLogic1.index_logic, predicate Resolve0.resolve = Resolve6.resolve, val Max0.mAX' = Max0.mAX' - clone Alloc_Vec_Impl15_Index_Interface as Index3 with + clone Alloc_Vec_Impl13_Index_Interface as Index3 with type t = (usize, usize), type i = usize, type a = Alloc_Alloc_Global_Type.t_global, 
@@ -5655,11 +5706,12 @@ module Robinson_Decision_Impl1_New clone CreusotContracts_Std1_Vec_Impl10_Resolve as Resolve2 with type t = usize, function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, predicate Resolve0.resolve = Resolve5.resolve, val Max0.mAX' = Max0.mAX' clone CreusotContracts_Resolve_Impl1_Resolve as Resolve1 with type t = (usize, usize) - clone Alloc_Vec_Impl16_IndexMut_Interface as IndexMut1 with + clone Alloc_Vec_Impl14_IndexMut_Interface as IndexMut1 with type t = (usize, usize), type i = usize, type a = Alloc_Alloc_Global_Type.t_global, @@ -5672,7 +5724,7 @@ module Robinson_Decision_Impl1_New val Max0.mAX' = Max0.mAX' clone CreusotContracts_Resolve_Impl1_Resolve as Resolve0 with type t = usize - clone Alloc_Vec_Impl16_IndexMut_Interface as IndexMut0 with + clone Alloc_Vec_Impl14_IndexMut_Interface as IndexMut0 with type t = usize, type i = usize, type a = Alloc_Alloc_Global_Type.t_global, @@ -5683,7 +5735,7 @@ module Robinson_Decision_Impl1_New predicate ResolveElswhere0.resolve_elswhere = ResolveElswhere0.resolve_elswhere, type Output0.output = usize, val Max0.mAX' = Max0.mAX' - clone Alloc_Vec_Impl15_Index_Interface as Index2 with + clone Alloc_Vec_Impl13_Index_Interface as Index2 with type t = usize, type i = usize, type a = Alloc_Alloc_Global_Type.t_global, @@ -5691,7 +5743,7 @@ module Robinson_Decision_Impl1_New predicate InBounds0.in_bounds = InBounds2.in_bounds, predicate HasValue0.has_value = HasValue2.has_value, type Output0.output = usize - clone Alloc_Vec_Impl15_Index_Interface as Index1 with + clone Alloc_Vec_Impl13_Index_Interface as Index1 with type t = Robinson_Lit_Lit_Type.t_lit, type i = usize, type a = Alloc_Alloc_Global_Type.t_global, 
@@ -5703,7 +5755,7 @@ module Robinson_Decision_Impl1_New type t = Robinson_Lit_Lit_Type.t_lit, type a = Alloc_Alloc_Global_Type.t_global, function ShallowModel0.shallow_model = ShallowModel4.shallow_model - clone Alloc_Vec_Impl15_Index_Interface as Index0 with + clone Alloc_Vec_Impl13_Index_Interface as Index0 with type t = Robinson_Clause_Clause_Type.t_clause, type i = usize, type a = Alloc_Alloc_Global_Type.t_global, @@ -5718,10 +5770,12 @@ module Robinson_Decision_Impl1_New clone Alloc_Vec_FromElem_Interface as FromElem1 with type t = (usize, usize), function ShallowModel0.shallow_model = ShallowModel1.shallow_model, + function IndexLogic0.index_logic = IndexLogic1.index_logic, val Max0.mAX' = Max0.mAX' clone Alloc_Vec_FromElem_Interface as FromElem0 with type t = usize, function ShallowModel0.shallow_model = ShallowModel0.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, val Max0.mAX' = Max0.mAX' use Robinson_Decision_Decisions_Type as Robinson_Decision_Decisions_Type clone Robinson_Decision_Impl0_Invariant as Invariant1 with @@ -5845,7 +5899,7 @@ module Robinson_Decision_Impl1_New goto BB5 } BB5 { - invariant counts_len1 { [#"../Robinson/src/decision.rs" 31 33 31 63] Seq.length (ShallowModel0.shallow_model counts_6) = UIntSize.to_int (Robinson_Formula_Formula_Type.formula_num_vars f_1) }; + invariant { [#"../Robinson/src/decision.rs" 31 20 31 48] Seq.length (ShallowModel0.shallow_model counts_6) = UIntSize.to_int (Robinson_Formula_Formula_Type.formula_num_vars f_1) }; _16 <- i_11; _18 <- Robinson_Formula_Formula_Type.formula_clauses f_1; _17 <- ([#"../Robinson/src/decision.rs" 32 18 32 33] Len0.len _18); 
@@ -5873,7 +5927,7 @@ module Robinson_Decision_Impl1_New goto BB10 } BB10 { - invariant counts_len { [#"../Robinson/src/decision.rs" 35 36 35 66] Seq.length (ShallowModel0.shallow_model counts_6) = UIntSize.to_int (Robinson_Formula_Formula_Type.formula_num_vars f_1) }; + invariant { [#"../Robinson/src/decision.rs" 35 24 35 52] Seq.length (ShallowModel0.shallow_model counts_6) = UIntSize.to_int (Robinson_Formula_Formula_Type.formula_num_vars f_1) }; _27 <- j_23; _29 <- Robinson_Clause_Clause_Type.clause_rest curr_clause_19; _28 <- ([#"../Robinson/src/decision.rs" 36 22 36 44] Len1.len _29); @@ -5952,8 +6006,8 @@ module Robinson_Decision_Impl1_New goto BB24 } BB24 { - invariant counts_with_idx_len { [#"../Robinson/src/decision.rs" 49 41 49 82] Seq.length (ShallowModel1.shallow_model counts_with_index_8) = UIntSize.to_int (Robinson_Formula_Formula_Type.formula_num_vars f_1) }; - invariant second_ok { [#"../Robinson/src/decision.rs" 49 8 49 84] forall j : int . 0 <= j /\ j < UIntSize.to_int (Robinson_Formula_Formula_Type.formula_num_vars f_1) -> UIntSize.to_int (let (_, a) = Seq.get (ShallowModel1.shallow_model counts_with_index_8) j in a) < UIntSize.to_int (Robinson_Formula_Formula_Type.formula_num_vars f_1) }; + invariant { [#"../Robinson/src/decision.rs" 49 20 49 59] Seq.length (ShallowModel1.shallow_model counts_with_index_8) = UIntSize.to_int (Robinson_Formula_Formula_Type.formula_num_vars f_1) }; + invariant { [#"../Robinson/src/decision.rs" 49 8 49 61] forall j : int . 0 <= j /\ j < UIntSize.to_int (Robinson_Formula_Formula_Type.formula_num_vars f_1) -> UIntSize.to_int (let (_, a) = Seq.get (ShallowModel1.shallow_model counts_with_index_8) j in a) < UIntSize.to_int (Robinson_Formula_Formula_Type.formula_num_vars f_1) }; _55 <- i_11; _56 <- Robinson_Formula_Formula_Type.formula_num_vars f_1; _54 <- ([#"../Robinson/src/decision.rs" 52 14 52 28] _55 < _56); 
@@ -6006,8 +6060,8 @@ module Robinson_Decision_Impl1_New goto BB32 } BB32 { - invariant lit_order_len { [#"../Robinson/src/decision.rs" 58 35 58 68] Seq.length (ShallowModel0.shallow_model lit_order_4) = UIntSize.to_int (Robinson_Formula_Formula_Type.formula_num_vars f_1) }; - invariant second_ok { [#"../Robinson/src/decision.rs" 58 8 58 70] forall j : int . 0 <= j /\ j < UIntSize.to_int (Robinson_Formula_Formula_Type.formula_num_vars f_1) -> UIntSize.to_int (Seq.get (ShallowModel0.shallow_model lit_order_4) j) < UIntSize.to_int (Robinson_Formula_Formula_Type.formula_num_vars f_1) }; + invariant { [#"../Robinson/src/decision.rs" 58 20 58 51] Seq.length (ShallowModel0.shallow_model lit_order_4) = UIntSize.to_int (Robinson_Formula_Formula_Type.formula_num_vars f_1) }; + invariant { [#"../Robinson/src/decision.rs" 58 8 58 53] forall j : int . 0 <= j /\ j < UIntSize.to_int (Robinson_Formula_Formula_Type.formula_num_vars f_1) -> UIntSize.to_int (Seq.get (ShallowModel0.shallow_model lit_order_4) j) < UIntSize.to_int (Robinson_Formula_Formula_Type.formula_num_vars f_1) }; _75 <- i_11; _76 <- Robinson_Formula_Formula_Type.formula_num_vars f_1; _74 <- ([#"../Robinson/src/decision.rs" 60 14 60 28] _75 < _76); @@ -6084,7 +6138,7 @@ module Robinson_Formula_Impl0_ShallowModel use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type use Robinson_Clause_Clause_Type as Robinson_Clause_Clause_Type use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type - clone Core_Num_Impl12_Max_Stub as Max0 + clone Core_Num_Impl11_Max_Stub as Max0 clone CreusotContracts_Std1_Vec_Impl0_ShallowModel_Stub as ShallowModel0 with type t = Robinson_Clause_Clause_Type.t_clause, type a = Alloc_Alloc_Global_Type.t_global, 
@@ -6253,7 +6307,7 @@ module Robinson_Formula_Impl1_ContainsEmptyClause use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type use Robinson_Clause_Clause_Type as Robinson_Clause_Clause_Type use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type - clone Core_Num_Impl12_Max_Stub as Max0 + clone Core_Num_Impl11_Max_Stub as Max0 clone Robinson_Clause_Impl0_ShallowModel_Stub as ShallowModel1 clone CreusotContracts_Std1_Vec_Impl0_ShallowModel_Stub as ShallowModel0 with type t = Robinson_Clause_Clause_Type.t_clause, @@ -6294,7 +6348,7 @@ module Robinson_Formula_Impl2_CheckAndEstablishFormulaInvariant_Interface clone Robinson_Formula_Impl1_EventuallySatCompleteNoAss_Stub as EventuallySatCompleteNoAss0 clone Robinson_Formula_Impl1_ContainsEmptyClause_Stub as ContainsEmptyClause0 clone Robinson_Formula_FormulaSatInner_Stub as FormulaSatInner0 - clone Core_Num_Impl12_Max_Stub as Max0 + clone Core_Num_Impl11_Max_Stub as Max0 clone CreusotContracts_Std1_Vec_Impl0_ShallowModel_Stub as ShallowModel2 with type t = uint8, type a = Alloc_Alloc_Global_Type.t_global, 
@@ -6312,7 +6366,7 @@ module Robinson_Formula_Impl2_CheckAndEstablishFormulaInvariant_Interface val Max0.mAX' = Max0.mAX', axiom . val check_and_establish_formula_invariant [#"../Robinson/src/formula.rs" 124 4 124 72] (self : borrowed (Robinson_Formula_Formula_Type.t_formula)) : Robinson_Solver_SatResult_Type.t_satresult - requires {[#"../Robinson/src/formula.rs" 116 4 117 59] forall i : int . 0 <= i /\ i < Seq.length (ShallowModel0.shallow_model (Robinson_Formula_Formula_Type.formula_clauses ( * self))) -> VarsInRange0.vars_in_range (Seq.get (ShallowModel0.shallow_model (Robinson_Formula_Formula_Type.formula_clauses ( * self))) i) (UIntSize.to_int Max0.mAX')} + requires {[#"../Robinson/src/formula.rs" 116 4 117 57] forall i : int . 0 <= i /\ i < Seq.length (ShallowModel0.shallow_model (Robinson_Formula_Formula_Type.formula_clauses ( * self))) -> VarsInRange0.vars_in_range (Seq.get (ShallowModel0.shallow_model (Robinson_Formula_Formula_Type.formula_clauses ( * self))) i) (UIntSize.to_int Max0.mAX')} ensures { [#"../Robinson/src/formula.rs" 118 14 122 5] match (result) with | Robinson_Solver_SatResult_Type.C_Sat assn -> EventuallySatNoAss0.eventually_sat_no_ass ( ^ self) /\ FormulaSatInner0.formula_sat_inner (ShallowModel1.shallow_model self) (ShallowModel2.shallow_model assn) | Robinson_Solver_SatResult_Type.C_Unsat -> ContainsEmptyClause0.contains_empty_clause ( ^ self) /\ not EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass ( * self) 
@@ -6328,13 +6382,13 @@ module Robinson_Formula_Impl2_CheckAndEstablishFormulaInvariant use prelude.UInt8 use prelude.Ghost use seq.Seq + use seq.Seq clone Robinson_Logic_Unset as Unset0 use Robinson_Lit_Lit_Type as Robinson_Lit_Lit_Type clone Robinson_Lit_Impl1_SatInner as SatInner2 clone Core_Usize_Max as Max1 - use seq.Seq use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type - clone Core_Num_Impl12_Max as Max0 + clone Core_Num_Impl11_Max as Max0 use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type clone CreusotContracts_Std1_Vec_Impl0_ShallowModel as ShallowModel6 with type t = Robinson_Lit_Lit_Type.t_lit, @@ -6355,6 +6409,15 @@ module Robinson_Formula_Impl2_CheckAndEstablishFormulaInvariant type t = Robinson_Clause_Clause_Type.t_clause clone CreusotContracts_Resolve_Impl2_Resolve as Resolve2 with type t = uint8 + clone CreusotContracts_Std1_Vec_Impl0_ShallowModel as ShallowModel2 with + type t = uint8, + type a = Alloc_Alloc_Global_Type.t_global, + val Max0.mAX' = Max0.mAX', + axiom . + clone CreusotContracts_Logic_Ops_Impl0_IndexLogic as IndexLogic0 with + type t = uint8, + type s = Alloc_Vec_Vec_Type.t_vec uint8 (Alloc_Alloc_Global_Type.t_global), + function ShallowModel0.shallow_model = ShallowModel2.shallow_model clone CreusotContracts_Std1_Vec_Impl0_ShallowModel as ShallowModel0 with type t = Robinson_Clause_Clause_Type.t_clause, type a = Alloc_Alloc_Global_Type.t_global, @@ -6385,7 +6448,7 @@ module Robinson_Formula_Impl2_CheckAndEstablishFormulaInvariant predicate Invariant0.invariant' = Invariant1.invariant' clone Robinson_Clause_Impl2_Len_Interface as Len1 with function ShallowModel0.shallow_model = ShallowModel7.shallow_model - clone Alloc_Vec_Impl15_Index_Interface as Index0 with + clone Alloc_Vec_Impl13_Index_Interface as Index0 with type t = Robinson_Clause_Clause_Type.t_clause, type i = usize, type a = Alloc_Alloc_Global_Type.t_global, 
@@ -6393,14 +6456,10 @@ module Robinson_Formula_Impl2_CheckAndEstablishFormulaInvariant predicate InBounds0.in_bounds = InBounds0.in_bounds, predicate HasValue0.has_value = HasValue0.has_value, type Output0.output = Robinson_Clause_Clause_Type.t_clause - clone CreusotContracts_Std1_Vec_Impl0_ShallowModel as ShallowModel2 with - type t = uint8, - type a = Alloc_Alloc_Global_Type.t_global, - val Max0.mAX' = Max0.mAX', - axiom . clone CreusotContracts_Std1_Vec_Impl10_Resolve as Resolve1 with type t = uint8, function ShallowModel0.shallow_model = ShallowModel2.shallow_model, + function IndexLogic0.index_logic = IndexLogic0.index_logic, predicate Resolve0.resolve = Resolve2.resolve, val Max0.mAX' = Max0.mAX' clone Robinson_Formula_Impl1_SatInner as SatInner0 with 
@@ -6438,7 +6497,7 @@ module Robinson_Formula_Impl2_CheckAndEstablishFormulaInvariant predicate SatInner0.sat_inner = SatInner0.sat_inner use Robinson_Solver_SatResult_Type as Robinson_Solver_SatResult_Type let rec cfg check_and_establish_formula_invariant [#"../Robinson/src/formula.rs" 124 4 124 72] [@cfg:stackify] [@cfg:subregion_analysis] (self : borrowed (Robinson_Formula_Formula_Type.t_formula)) : Robinson_Solver_SatResult_Type.t_satresult - requires {[#"../Robinson/src/formula.rs" 116 4 117 59] forall i : int . 0 <= i /\ i < Seq.length (ShallowModel0.shallow_model (Robinson_Formula_Formula_Type.formula_clauses ( * self))) -> VarsInRange0.vars_in_range (Seq.get (ShallowModel0.shallow_model (Robinson_Formula_Formula_Type.formula_clauses ( * self))) i) (UIntSize.to_int Max0.mAX')} + requires {[#"../Robinson/src/formula.rs" 116 4 117 57] forall i : int . 0 <= i /\ i < Seq.length (ShallowModel0.shallow_model (Robinson_Formula_Formula_Type.formula_clauses ( * self))) -> VarsInRange0.vars_in_range (Seq.get (ShallowModel0.shallow_model (Robinson_Formula_Formula_Type.formula_clauses ( * self))) i) (UIntSize.to_int Max0.mAX')} ensures { [#"../Robinson/src/formula.rs" 118 14 122 5] match (result) with | Robinson_Solver_SatResult_Type.C_Sat assn -> EventuallySatNoAss0.eventually_sat_no_ass ( ^ self) /\ FormulaSatInner0.formula_sat_inner (ShallowModel1.shallow_model self) (ShallowModel2.shallow_model assn) | Robinson_Solver_SatResult_Type.C_Unsat -> ContainsEmptyClause0.contains_empty_clause ( ^ self) /\ not EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass ( * self) 
@@ -6539,11 +6598,11 @@ module Robinson_Formula_Impl2_CheckAndEstablishFormulaInvariant goto BB8 } BB8 { - invariant inv { [#"../Robinson/src/formula.rs" 134 8 134 107] forall j : int . 0 <= j /\ j < UIntSize.to_int i_20 -> Invariant1.invariant' (Seq.get (ShallowModel0.shallow_model (Robinson_Formula_Formula_Type.formula_clauses ( * self_1))) j) (UIntSize.to_int (Robinson_Formula_Formula_Type.formula_num_vars ( * self_1))) }; - invariant inv { [#"../Robinson/src/formula.rs" 134 8 134 107] forall j : int . 0 <= j /\ j < UIntSize.to_int i_20 -> Seq.length (ShallowModel3.shallow_model (Seq.get (ShallowModel0.shallow_model (Robinson_Formula_Formula_Type.formula_clauses ( * self_1))) j)) > 0 }; - invariant unch { [#"../Robinson/src/formula.rs" 136 26 136 60] (let (a, _) = ShallowModel1.shallow_model self_1 in a) = (let (a, _) = ShallowModel1.shallow_model (Ghost.inner old_self_17) in a) }; - invariant unch { [#"../Robinson/src/formula.rs" 137 26 137 58] Robinson_Formula_Formula_Type.formula_clauses ( * self_1) = Robinson_Formula_Formula_Type.formula_clauses ( * Ghost.inner old_self_17) }; - invariant proph { [#"../Robinson/src/formula.rs" 138 27 138 53] ^ self_1 = ^ Ghost.inner old_self_17 }; + invariant { [#"../Robinson/src/formula.rs" 134 8 134 100] forall j : int . 0 <= j /\ j < UIntSize.to_int i_20 -> Invariant1.invariant' (Seq.get (ShallowModel0.shallow_model (Robinson_Formula_Formula_Type.formula_clauses ( * self_1))) j) (UIntSize.to_int (Robinson_Formula_Formula_Type.formula_num_vars ( * self_1))) }; + invariant { [#"../Robinson/src/formula.rs" 134 8 134 100] forall j : int . 
0 <= j /\ j < UIntSize.to_int i_20 -> Seq.length (ShallowModel3.shallow_model (Seq.get (ShallowModel0.shallow_model (Robinson_Formula_Formula_Type.formula_clauses ( * self_1))) j)) > 0 }; + invariant { [#"../Robinson/src/formula.rs" 136 20 136 50] (let (a, _) = ShallowModel1.shallow_model self_1 in a) = (let (a, _) = ShallowModel1.shallow_model (Ghost.inner old_self_17) in a) }; + invariant { [#"../Robinson/src/formula.rs" 137 20 137 52] Robinson_Formula_Formula_Type.formula_clauses ( * self_1) = Robinson_Formula_Formula_Type.formula_clauses ( * Ghost.inner old_self_17) }; + invariant { [#"../Robinson/src/formula.rs" 138 20 138 46] ^ self_1 = ^ Ghost.inner old_self_17 }; _29 <- i_20; _31 <- Robinson_Formula_Formula_Type.formula_clauses ( * self_1); _30 <- ([#"../Robinson/src/formula.rs" 139 18 139 36] Len0.len _31); @@ -6639,13 +6698,13 @@ module Core_Clone_Impls_Impl5_Clone_Interface use prelude.Int use prelude.UIntSize val clone' (self : usize) : usize - ensures { [#"../Robinson/src/parser.rs" 36 33 43 98] result = self } + ensures { [#"../Robinson/src/parser.rs" 68 37 84 44] result = self } end module Core_Clone_Impls_Impl19_Clone_Interface use prelude.Borrow val clone' (self : bool) : bool - ensures { [#"../Robinson/src/parser.rs" 36 33 43 98] result = self } + ensures { [#"../Robinson/src/parser.rs" 68 37 84 44] result = self } end module Robinson_Lit_Impl3_Clone_Interface 
@@ -6732,7 +6791,7 @@ module Robinson_Lit_Impl2_LitUnsat_Interface type t = Robinson_Assignments_Assignments_Type.t_assignments, type ShallowModelTy0.shallowModelTy = Seq.seq uint8 val lit_unsat [#"../Robinson/src/lit.rs" 106 4 106 51] (self : Robinson_Lit_Lit_Type.t_lit) (a : Robinson_Assignments_Assignments_Type.t_assignments) : bool - requires {[#"../Robinson/src/lit.rs" 104 15 104 41] Invariant0.invariant' self (Seq.length (ShallowModel0.shallow_model a))} + requires {[#"../Robinson/src/lit.rs" 104 15 104 39] Invariant0.invariant' self (Seq.length (ShallowModel0.shallow_model a))} ensures { [#"../Robinson/src/lit.rs" 105 14 105 38] result = Unsat0.unsat self a } end @@ -6742,7 +6801,7 @@ module Robinson_Lit_Impl2_LitUnsat use prelude.UInt8 use prelude.UIntSize use seq.Seq - clone Core_Num_Impl12_Max as Max0 + clone Core_Num_Impl11_Max as Max0 use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type clone CreusotContracts_Std1_Vec_Impl0_ShallowModel as ShallowModel3 with @@ -6765,7 +6824,7 @@ module Robinson_Lit_Impl2_LitUnsat clone Robinson_Assignments_Impl0_ShallowModel as ShallowModel1 with function ShallowModel0.shallow_model = ShallowModel3.shallow_model, val Max0.mAX' = Max0.mAX' - clone Alloc_Vec_Impl15_Index_Interface as Index0 with + clone Alloc_Vec_Impl13_Index_Interface as Index0 with type t = uint8, type i = usize, type a = Alloc_Alloc_Global_Type.t_global, 
@@ -6782,7 +6841,7 @@ module Robinson_Lit_Impl2_LitUnsat type ShallowModelTy0.shallowModelTy = Seq.seq uint8, function ShallowModel0.shallow_model = ShallowModel1.shallow_model let rec cfg lit_unsat [#"../Robinson/src/lit.rs" 106 4 106 51] [@cfg:stackify] [@cfg:subregion_analysis] (self : Robinson_Lit_Lit_Type.t_lit) (a : Robinson_Assignments_Assignments_Type.t_assignments) : bool - requires {[#"../Robinson/src/lit.rs" 104 15 104 41] Invariant0.invariant' self (Seq.length (ShallowModel0.shallow_model a))} + requires {[#"../Robinson/src/lit.rs" 104 15 104 39] Invariant0.invariant' self (Seq.length (ShallowModel0.shallow_model a))} ensures { [#"../Robinson/src/lit.rs" 105 14 105 38] result = Unsat0.unsat self a } = [@vc:do_not_keep_trace] [@vc:sp] @@ -6866,7 +6925,7 @@ module Robinson_Solver_Inner clone Robinson_Lit_Impl1_SatInner as SatInner2 use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type - clone Core_Num_Impl12_Max as Max0 + clone Core_Num_Impl11_Max as Max0 clone CreusotContracts_Std1_Vec_Impl0_ShallowModel as ShallowModel8 with type t = Robinson_Lit_Lit_Type.t_lit, type a = Alloc_Alloc_Global_Type.t_global, @@ -6963,7 +7022,7 @@ module Robinson_Solver_Inner predicate VarsInRange0.vars_in_range = VarsInRange0.vars_in_range clone CreusotContracts_Resolve_Impl1_Resolve as Resolve0 with type t = uint8 - clone Alloc_Vec_Impl16_IndexMut_Interface as IndexMut0 with + clone Alloc_Vec_Impl14_IndexMut_Interface as IndexMut0 with type t = uint8, type i = usize, type a = Alloc_Alloc_Global_Type.t_global, 
@@ -7178,14 +7237,14 @@ module Robinson_Solver_Solver_Interface clone Robinson_Formula_Impl1_EventuallySatNoAss_Stub as EventuallySatNoAss0 use Robinson_Solver_SatResult_Type as Robinson_Solver_SatResult_Type clone Robinson_Clause_Impl1_VarsInRange_Stub as VarsInRange0 - clone Core_Num_Impl12_Max_Stub as Max0 + clone Core_Num_Impl11_Max_Stub as Max0 clone CreusotContracts_Std1_Vec_Impl0_ShallowModel_Stub as ShallowModel0 with type t = Robinson_Clause_Clause_Type.t_clause, type a = Alloc_Alloc_Global_Type.t_global, val Max0.mAX' = Max0.mAX', axiom . val solver [#"../Robinson/src/solver.rs" 47 0 47 49] (formula : borrowed (Robinson_Formula_Formula_Type.t_formula)) : Robinson_Solver_SatResult_Type.t_satresult - requires {[#"../Robinson/src/solver.rs" 37 0 38 58] forall i : int . 0 <= i /\ i < Seq.length (ShallowModel0.shallow_model (Robinson_Formula_Formula_Type.formula_clauses ( * formula))) -> VarsInRange0.vars_in_range (Seq.get (ShallowModel0.shallow_model (Robinson_Formula_Formula_Type.formula_clauses ( * formula))) i) (UIntSize.to_int Max0.mAX')} + requires {[#"../Robinson/src/solver.rs" 37 0 38 56] forall i : int . 0 <= i /\ i < Seq.length (ShallowModel0.shallow_model (Robinson_Formula_Formula_Type.formula_clauses ( * formula))) -> VarsInRange0.vars_in_range (Seq.get (ShallowModel0.shallow_model (Robinson_Formula_Formula_Type.formula_clauses ( * formula))) i) (UIntSize.to_int Max0.mAX')} ensures { [#"../Robinson/src/solver.rs" 39 10 45 1] match (result) with | Robinson_Solver_SatResult_Type.C_Sat _assn -> EventuallySatNoAss0.eventually_sat_no_ass ( ^ formula) | Robinson_Solver_SatResult_Type.C_Unsat -> not EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass ( ^ formula) 
@@ -7213,7 +7272,7 @@ module Robinson_Solver_Solver use Robinson_Lit_Lit_Type as Robinson_Lit_Lit_Type clone Robinson_Lit_Impl1_SatInner as SatInner2 use Alloc_Vec_Vec_Type as Alloc_Vec_Vec_Type - clone Core_Num_Impl12_Max as Max0 + clone Core_Num_Impl11_Max as Max0 use Alloc_Alloc_Global_Type as Alloc_Alloc_Global_Type use Robinson_Clause_Clause_Type as Robinson_Clause_Clause_Type clone CreusotContracts_Std1_Vec_Impl0_ShallowModel as ShallowModel5 with @@ -7330,7 +7389,7 @@ module Robinson_Solver_Solver predicate EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass = EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass, predicate Invariant0.invariant' = Invariant1.invariant' let rec cfg solver [#"../Robinson/src/solver.rs" 47 0 47 49] [@cfg:stackify] [@cfg:subregion_analysis] (formula : borrowed (Robinson_Formula_Formula_Type.t_formula)) : Robinson_Solver_SatResult_Type.t_satresult - requires {[#"../Robinson/src/solver.rs" 37 0 38 58] forall i : int . 0 <= i /\ i < Seq.length (ShallowModel0.shallow_model (Robinson_Formula_Formula_Type.formula_clauses ( * formula))) -> VarsInRange0.vars_in_range (Seq.get (ShallowModel0.shallow_model (Robinson_Formula_Formula_Type.formula_clauses ( * formula))) i) (UIntSize.to_int Max0.mAX')} + requires {[#"../Robinson/src/solver.rs" 37 0 38 56] forall i : int . 0 <= i /\ i < Seq.length (ShallowModel0.shallow_model (Robinson_Formula_Formula_Type.formula_clauses ( * formula))) -> VarsInRange0.vars_in_range (Seq.get (ShallowModel0.shallow_model (Robinson_Formula_Formula_Type.formula_clauses ( * formula))) i) (UIntSize.to_int Max0.mAX')} ensures { [#"../Robinson/src/solver.rs" 39 10 45 1] match (result) with | Robinson_Solver_SatResult_Type.C_Sat _assn -> EventuallySatNoAss0.eventually_sat_no_ass ( ^ formula) | Robinson_Solver_SatResult_Type.C_Unsat -> not EventuallySatCompleteNoAss0.eventually_sat_complete_no_ass ( ^ formula) 
diff --git a/mlcfgs/Robinson/why3session.xml b/mlcfgs/Robinson/why3session.xml index c137166c..ee4078eb 100644 --- a/mlcfgs/Robinson/why3session.xml +++ b/mlcfgs/Robinson/why3session.xml @@ -4,191 +4,190 @@ - - + - + - - - - - - - - - - - - - - - - - - - - - - - - - - + - + - + - + - + - + + + + + + + + + + + + + + + + + + + + + + + + + + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + @@ -197,152 +196,152 @@ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + @@ -353,12 +352,12 @@ - + - + @@ -371,7 +370,7 @@ - + @@ -382,12 +381,12 @@ - + - + @@ -400,12 +399,12 @@ - + - + diff --git a/mlcfgs/Robinson/why3shapes.gz b/mlcfgs/Robinson/why3shapes.gz index e908556c..1c80b5f0 100644 Binary files a/mlcfgs/Robinson/why3shapes.gz and b/mlcfgs/Robinson/why3shapes.gz differ