%% PVS Version 5.0 - Allegro CL Enterprise Edition 8.2 [64-bit Mac OS X (Intel)] (Nov 3, 2011 16:18) %% 8.2 [64-bit Mac OS X (Intel)] (Nov 3, 2011 16:18) $$$pvs-strategies (defstep s-rest () (then (skosimp) (expand "step") (assert) (hide-all-but ( 1 ) +) (branch (split) ((grind))) ) "help string" "skosimp, expand step, assert, hide, split, grind" ) (defstep replaceh (arg) (replace arg :hide? t) "help string" "replace arg :hide? t" ) (defstep s-ensures () (then (skosimp) (use ensures_leto) (assert) (hide 2) (expand "ensures") (expand "co") (expand "transient") (expand "<=" +) (expand "wp") (expand "cap") (expand "cup") (expand "neg") (expand "at") ) "help-string" "using ensures, and expanding; the argument is the responsible thread" ) $$$maxfinset.pvs maxfinset [ t: TYPE ]: THEORY BEGIN E: VAR finite_set[t] f: VAR [t -> nat] n: VAR nat x: VAR t maximum(f, E): RECURSIVE nat = IF empty?(E) THEN 0 ELSE LET xx = epsilon(E) IN max(f(xx), maximum(f, remove(xx, E))) ENDIF MEASURE card(E) maximum_prop: LEMMA maximum(f, E) <= n IFF FORALL x: E(x) IMPLIES f(x) <= n maximum_prop1: LEMMA E(x) IMPLIES f(x) <= maximum(f, E) arg_max: LEMMA nonempty?(E) IMPLIES EXISTS x: E(x) AND maximum(f, E) = f(x) END maxfinset $$$maxfinset.prf (maxfinset (maximum_TCC1 0 (maximum_TCC1-1 nil 3589618503 ("" (skosimp*) (("" (use epsilon_ax[t]) (("1" (use card_remove[t]) (("1" (split) (("1" (assert) nil nil) ("2" (hide - 3) (("2" (expand "empty?") (("2" (expand "member") (("2" (skosimp) (("2" (inst?) nil nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (hide - 3) (("2" (grind) nil nil)) nil)) nil)) nil) ((boolean nonempty-type-decl nil booleans nil) (bool nonempty-type-eq-decl nil booleans nil) (TRUE const-decl "bool" booleans nil) (epsilon_ax formula-decl nil epsilons nil) (t formal-type-decl nil maxfinset nil) (finite_set type-eq-decl nil finite_sets nil) (is_finite const-decl "bool" finite_sets nil) (set type-eq-decl nil sets nil) (pred type-eq-decl nil defined_types nil) (real_lt_is_strict_total_order name-judgement "(strict_total_order?[real])" real_props nil) (finite_remove application-judgement "finite_set" finite_sets nil) (int_minus_int_is_int application-judgement "int" integers nil) (empty? const-decl "bool" sets nil) (member const-decl "bool" sets nil) (card_remove formula-decl nil finite_sets nil)) nil)) (maximum_TCC2 0 (maximum_TCC2-1 nil 3589618503 ("" (existence-tcc) nil nil) ((boolean nonempty-type-decl nil booleans nil) (bool nonempty-type-eq-decl nil booleans nil) (NOT const-decl "[bool -> bool]" booleans nil) (t formal-type-decl nil maxfinset nil) (set type-eq-decl nil sets nil) (is_finite const-decl "bool" finite_sets nil) (finite_set type-eq-decl nil finite_sets nil) (injective? const-decl "bool" functions nil) (member const-decl "bool" sets nil) (empty? const-decl "bool" sets nil)) nil)) (maximum_prop 0 (maximum_prop-2 nil 3589619068 ("" (skolem!) (("" (case "forall E, n: card(E) <= n IMPLIES ( maximum(f!1, E) <= n!1 IFF (FORALL x: E(x) IMPLIES f!1(x) <= n!1))") (("1" (inst - E!1 "card(E!1)+ 1") (("1" (assert) nil nil)) nil) ("2" (hide 2) (("2" (induct n) (("1" (skosimp) (("1" (assert) (("1" (use empty_card[t]) (("1" (assert) (("1" (expand "maximum") (("1" (skosimp) (("1" (expand "empty?") (("1" (expand "member") (("1" (inst?) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (skosimp*) (("2" (case "card(E!2) <= j!1") (("1" (inst?) (("1" (assert) nil nil)) nil) ("2" (use empty_card[t]) (("2" (assert) (("2" (expand "empty?") (("2" (expand maximum +) (("2" (name-replace ep "epsilon(E!2)" nil) (("1" (use epsilon_ax[t]) (("1" (split) (("1" (inst - "remove(ep, E!2)") (("1" (use card_remove[t]) (("1" (assert) (("1" (name-replace mxr "maximum(f!1, remove(ep, E!2))" nil) (("1" (expand remove -5) (("1" (expand "member") (("1" (expand "max") (("1" (split) (("1" (flatten) (("1" (lift-if) (("1" (skosimp) (("1" (case "f!1(ep) <= n!1 AND mxr <= n!1") (("1" (flatten) (("1" (assert) (("1" (inst -9 x!1) (("1" (assert) nil nil)) nil)) nil)) nil) ("2" (hide-all-but (-1 1)) (("2" (grind) nil nil)) nil)) nil)) nil)) nil)) nil) ("2" (flatten) (("2" (split -7) (("1" (lift-if) (("1" (assert) (("1" (inst - ep) (("1" (assert) nil nil)) nil)) nil)) nil) ("2" (skosimp) (("2" (inst?) (("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (expand "member") (("2" (hide-all-but (1 2)) (("2" (skosimp) (("2" (inst?) nil nil)) nil)) nil)) nil)) nil) ("2" (expand "member") (("2" (hide-all-but (1 2)) (("2" (skosimp) (("2" (inst?) nil nil)) nil)) nil)) nil)) nil) ("2" (hide-all-but (1 2)) (("2" (skosimp) (("2" (expand "member") (("2" (inst?) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((maximum def-decl "nat" maxfinset nil) (IFF const-decl "[bool, bool -> bool]" booleans nil) (card const-decl "{n: nat | n = Card(S)}" finite_sets nil) (Card const-decl "nat" finite_sets nil) (= const-decl "[T, T -> boolean]" equalities nil) (<= const-decl "bool" reals nil) (IMPLIES const-decl "[bool, bool -> bool]" booleans nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (>= const-decl "bool" reals nil) (int nonempty-type-eq-decl nil integers nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (rational nonempty-type-from-decl nil rationals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (real nonempty-type-from-decl nil reals nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (number nonempty-type-decl nil numbers nil) (finite_set type-eq-decl nil finite_sets nil) (is_finite const-decl "bool" finite_sets nil) (set type-eq-decl nil sets nil) (bool nonempty-type-eq-decl nil booleans nil) (boolean nonempty-type-decl nil booleans nil) (t formal-type-decl nil maxfinset nil) (real_le_is_total_order name-judgement "(total_order?[real])" real_props nil) (numfield nonempty-type-eq-decl nil number_fields nil) (+ const-decl "[numfield, numfield -> numfield]" number_fields nil) (nnint_plus_posint_is_posint application-judgement "posint" integers nil) (pred type-eq-decl nil defined_types nil) (nat_induction formula-decl nil naturalnumbers nil) (member const-decl "bool" sets nil) (empty? const-decl "bool" sets nil) (empty_card formula-decl nil finite_sets nil) (epsilon_ax formula-decl nil epsilons nil) (finite_remove application-judgement "finite_set" finite_sets nil) (remove const-decl "set" sets nil) (nonneg_rat_max application-judgement "{s: nonneg_rat | s >= q AND s >= r}" real_defs nil) (nat_max application-judgement "{k: nat | i <= k AND j <= k}" real_defs nil) (int_minus_int_is_int application-judgement "int" integers nil) (posint_plus_nnint_is_posint application-judgement "posint" integers nil) (max const-decl "{p: real | p >= m AND p >= n}" real_defs nil) (real_lt_is_strict_total_order name-judgement "(strict_total_order?[real])" real_props nil) (AND const-decl "[bool, bool -> bool]" booleans nil) (card_remove formula-decl nil finite_sets nil) (epsilon const-decl "T" epsilons nil) (TRUE const-decl "bool" booleans nil)) nil) (maximum_prop-1 nil 3589618704 ("" (skolem!) (("" (case "forall E, n: card(E) < n IMPLIES ( maximum(f!1, E) <= n!1 IFF (FORALL x: E(x) IMPLIES f!1(x) <= n!1))") (("1" (inst - E!1 "card(E!1)+ 1") (("1" (assert) nil nil)) nil) ("2" (hide 2) (("2" (induct n) (("1" (skosimp) (("1" (assert) nil nil)) nil) ("2" (skosimp*) (("2" (postpone) nil nil)) nil)) nil)) nil)) nil)) nil) nil shostak)) (maximum_prop1 0 (maximum_prop1-1 nil 3589622403 ("" (skosimp) (("" (use maximum_prop (n "maximum(f!1, E!1)")) (("" (assert) (("" (inst?) (("" (assert) nil nil)) nil)) nil)) nil)) nil) ((maximum_prop formula-decl nil maxfinset nil) (number nonempty-type-decl nil numbers nil) (boolean nonempty-type-decl nil booleans nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (number_field nonempty-type-from-decl nil number_fields nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (real nonempty-type-from-decl nil reals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (rational nonempty-type-from-decl nil rationals nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (int nonempty-type-eq-decl nil integers nil) (bool nonempty-type-eq-decl nil booleans nil) (>= const-decl "bool" reals nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (t formal-type-decl nil maxfinset nil) (set type-eq-decl nil sets nil) (is_finite const-decl "bool" finite_sets nil) (finite_set type-eq-decl nil finite_sets nil) (maximum def-decl "nat" maxfinset nil) (real_le_is_total_order name-judgement "(total_order?[real])" real_props nil)) shostak)) (arg_max 0 (arg_max-1 nil 3589621787 ("" (skosimp) (("" (expand "nonempty?") (("" (expand "empty?") (("" (skosimp) (("" (expand "member") (("" (inst-cp + x!1) (("" (assert) (("" (lemma maximum_prop) (("" (inst - E!1 f!1 _) (("" (inst-cp - "maximum(f!1, E!1)") (("" (assert) (("" (inst-cp -2 x!1) (("" (assert) (("" (inst - "maximum(f!1, E!1)-1") (("" (assert) (("" (skosimp) (("" (inst - x!2) (("" (inst + x!2) (("" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((nonempty? const-decl "bool" sets nil) (t formal-type-decl nil maxfinset nil) (maximum_prop formula-decl nil maxfinset nil) (maximum def-decl "nat" maxfinset nil) (real_ge_is_total_order name-judgement "(total_order?[real])" real_props nil) (int_minus_int_is_int application-judgement "int" integers nil) (- const-decl "[numfield, numfield -> numfield]" number_fields nil) (numfield nonempty-type-eq-decl nil number_fields nil) (real_le_is_total_order name-judgement "(total_order?[real])" real_props nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (>= const-decl "bool" reals nil) (int nonempty-type-eq-decl nil integers nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (rational nonempty-type-from-decl nil rationals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (real nonempty-type-from-decl nil reals nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (number nonempty-type-decl nil numbers nil) (finite_set type-eq-decl nil finite_sets nil) (is_finite const-decl "bool" finite_sets nil) (set type-eq-decl nil sets nil) (bool nonempty-type-eq-decl nil booleans nil) (boolean nonempty-type-decl nil booleans nil) (member const-decl "bool" sets nil) (empty? const-decl "bool" sets nil)) shostak))) $$$ownpred.pvs % Wim H. Hesselink, October 2012 ownpred[t: TYPE]: THEORY % to avoid the function member % about predicates, relations, and mu-calculus BEGIN p, q, r, s: VAR pred[t] x, y: VAR t k, n: VAR nat pseq: VAR [nat -> pred[t]] rel: VAR pred[[t, t]] neg(p)(x): bool = NOT p(x) neg_involutive: LEMMA neg(neg(p)) = p cup(p, q)(x): bool = p(x) OR q (x) cap(p, q)(x): bool = p(x) AND q (x) bigcup(pseq)(x): bool = EXISTS k: pseq(k)(x) bigcup(n, pseq)(x): bool = EXISTS k: k < n AND pseq(k)(x) wp(rel)(q)(x): bool = FORALL y: rel(x, y) IMPLIES q(y) END ownpred $$$ownpred.prf (ownpred (neg_involutive 0 (neg_involutive-1 nil 3358782077 ("" (skolem!) (("" (apply-extensionality :hide? t) (("" (expand "neg") (("" (propax) nil nil)) nil)) nil)) nil) ((t formal-type-decl nil ownpred nil) (boolean nonempty-type-decl nil booleans nil) (neg const-decl "bool" ownpred nil) (pred type-eq-decl nil defined_types nil) (bool nonempty-type-eq-decl nil booleans nil)) shostak))) $$$bdUnity.pvs % Bounded Unity by Wim H. Hesselink, September-October 2013 bdUnity[ t: TYPE ]: THEORY BEGIN IMPORTING ownpred, maxfinset % used in run_round below p, q, pq, pa, pm: VAR pred[t] x, y: VAR t i, j, k, m, n: VAR nat xs, ys: VAR [nat -> t] pset: VAR pred[pred[t]] specification: TYPE = [# inv: pred[t], % the global invariant step: pred[[t, t]], % the step relation fwd: [nat -> pred[[t, t]]] % weak fairness relations #] s: VAR specification enabled(s)(k)(x): bool = EXISTS y: s`fwd(k)(x, y) good(s): bool = reflexive?(s`step) % AND (s`inv <= wp(s`step)(s`inv)) % AND (FORALL k: s`fwd(k) <= s`step) % all used in machine closed AND (FORALL x: s`inv(x) IMPLIES % locally finite(s) is_finite({k | enabled(s)(k)(x)}) ) % nuspec: (good) = (# inv := fullset, step := fullset, fwd := (LAMBDA i: emptyset) #) co(s)(p, q): bool = cap(p, s`inv) <= wp(s`step)(q) unless(s)(p, q): bool = cap(cap(p, neg(q)), s`inv) <= wp(s`step)(cup(p, q)) unless_co: LEMMA unless(s)(p, q) = co(s)(cap(p, neg(q)), cup(p, q)) co_unless: LEMMA pm = difference(q, p) AND p <= pa AND pa <= q IMPLIES co(s)(p, q) = unless(s)(pa, pm) stable(s)(p): bool = co(s)(p, p) cobar(s)(p, q): bool = EXISTS k: p <= enabled(s)(k) AND FORALL x, y: p(x) AND s`fwd(k)(x, y) IMPLIES q(y) transient(s)(p): bool = EXISTS k: cap(p, s`inv) <= enabled(s)(k) AND FORALL x, y: p(x) AND s`fwd(k)(x, y) AND s`inv(x) IMPLIES NOT p(y) ensuresA(s)(p, q): bool = co(s)(cap(p, neg(q)), cup(p, q)) AND cobar(s)(cap(cap(p, neg(q)), s`inv), q) ensures(s)(p, q): bool = co(s)(cap(p, neg(q)), cup(p, q)) AND transient(s)(cap(p, neg(q))) ensuresA_ensures: LEMMA good(s) IMPLIES ensuresA(s)(p, q) = ensures(s)(p, q) fw(s)(k)(x, y): bool = s`fwd(k)(x, y) OR NOT enabled(s)(k)(x) subset_ensures: LEMMA % cap(p, s`inv) <= q IMPLIES ensures(s)(p, q) stable_unless: LEMMA unless(s)(p, q) AND stable(s)(pq) IMPLIES unless(s)(cap(p, pq), q) stable_ensures: LEMMA % ensures(s)(p, q) AND stable(s)(pq) IMPLIES ensures(s)(cap(p, pq), q) % Formal semantics of bounded unity % An operational interpretation exec(s)(xs): bool = FORALL n: s`step(xs(n), xs(n+1)) AND s`inv(xs(n)) weakfair(s)(k)(xs): bool = FORALL n: EXISTS i: fw(s)(k)(xs(n+i), xs(n+i+1)) run(s)(xs): bool = exec(s)(xs) AND FORALL k: weakfair(s)(k)(xs) sched(n): nat = min({i | EXISTS k: k * k + i = n}) sched_schedules: LEMMA i <= j IMPLIES sched(j * j + i) = i choice(s, k, x): pred[t] = { y | s`fwd(k)(x, y)} chosen(s, k, x): t = IF empty?(choice(s, k, x)) THEN x ELSE epsilon(choice(s, k, x)) ENDIF runfrom(s, x)(n): RECURSIVE t = IF n = 0 THEN x ELSE chosen(s, sched(n - 1), runfrom(s, x)(n - 1)) ENDIF MEASURE n runfrom_run: LEMMA s`inv(x) AND good(s) IMPLIES run(s)(runfrom(s, x)) run_exists: LEMMA s`inv(x) AND good(s) IMPLIES EXISTS xs: run(s)(xs) AND xs(0) = x machine_closed: LEMMA exec(s)(xs) AND good(s) IMPLIES EXISTS ys: run(s)(ys) AND (FORALL i: i <= n IMPLIES ys(i) = xs(i)) drop(n)(xs)(i): t = xs(n + i) drop_run: LEMMA run(s)(xs) IMPLIES run(s)(drop(n)(xs)) round(s)(n, xs): bool = FORALL k: EXISTS i: i < n AND fw(s)(k)(xs(i), xs(i+1)) run_round: LEMMA % locally finite run(s)(xs) AND good(s) IMPLIES EXISTS n: round(s)(n, xs) rounds(s)(i)(n, xs): RECURSIVE bool = IF i = 0 THEN true ELSE EXISTS j: j <= n AND round(s)(j, xs) AND rounds(s)(i-1)(n-j, drop(j)(xs)) ENDIF MEASURE i run_rounds: LEMMA run(s)(xs) AND good(s) IMPLIES EXISTS n: rounds(s)(i)(n, xs) rounds_split: LEMMA rounds(s)(j+m)(n, xs) IMPLIES EXISTS i: i <= n AND rounds(s)(j)(i, xs) AND rounds(s)(m)(n-i, drop(i)(xs)) rounds_down: LEMMA i <= j AND rounds(s)(j)(n, xs) IMPLIES rounds(s)(i)(n, xs) rounds_furtheron: LEMMA rounds(s)(j)(n, drop(i)(xs)) IMPLIES rounds(s)(j)(n + i, xs) leto(s)(j, p, q): bool = % bounded leads-to FORALL xs: exec(s)(xs) AND p(xs(0)) IMPLIES FORALL n: rounds(s)(j)(n, xs) IMPLIES EXISTS i: i <= n AND q(xs(i)) leadsto(s)(p, q): bool = FORALL xs: run(s)(xs) AND p(xs(0)) IMPLIES EXISTS i: q(xs(i)) leto_leadsto: LEMMA leto(s)(j, p, q) AND good(s) IMPLIES leadsto(s)(p, q) % Fundamental rules for leto subset_leto: LEMMA % cap(p, s`inv) <= q IMPLIES leto(s)(j, p, q) ensures_leto: LEMMA % ensures(s)(p, q) IMPLIES leto(s)(1, p, q) leto_union: LEMMA (FORALL p: pset(p) IMPLIES leto(s)(n, p, q)) IMPLIES leto(s)(n, Union(pset), q) leto_transitive: LEMMA leto(s)(m, p, pq) AND leto(s)(n, pq, q) IMPLIES leto(s)(m + n, p, q) PSP_leto: LEMMA % leto(s)(n, p, q) AND unless(s)(pa, pm) IMPLIES leto(s)(n, cap(p, pa), cup(cap(q, pa), pm)) PSP0_leto: LEMMA % unless(s)(p, q) AND leto(s)(n, fullset, neg(pa)) AND p <= pa IMPLIES leto(s)(n, p, q) leto_completion: LEMMA (FORALL q: pset(q) IMPLIES leto(s)(n, p, q) AND unless(s)(q, pm) ) IMPLIES leto(s)(n, p, cup(Intersection(pset), pm)) % Derived rules stable_conjunction: LEMMA leto(s)(n, p, q) AND stable(s)(pa) IMPLIES leto(s) (n, cap(p, pa), cap(q, pa)) cup_leto: LEMMA leto(s)(m, p, q) AND leto(s)(m, pq, q) IMPLIES leto(s)(m, cup(p, pq), q) leto_transitive_2: LEMMA leto(s)(m, p, cup(pq, pa)) AND leto(s)(n, pq, cup(q, pa)) IMPLIES leto(s)(m + n, p, cup(q, pa)) leto_transitive_1: LEMMA leto(s)(m, p, cup(pq, q)) AND leto(s)(n, pq, q) IMPLIES leto(s)(m + n, p, q) leto_up: LEMMA % leto(s)(i, p, q) AND i <= j IMPLIES leto(s)(j, p, q) sub_leto: LEMMA cap(p, s`inv) <= pq AND leto(s)(n, pq, q) IMPLIES leto(s)(n, p, q) leto_sub: LEMMA cap(pq, s`inv) <= q AND leto(s)(n, p, pq) IMPLIES leto(s)(n, p, q) shunting_leto: LEMMA leto(s)(n, cap(p, neg(pq)), q) IMPLIES leto(s)(n, p, cup(q, pq)) leto_inv: LEMMA leto(s)(j, cap(p, s`inv), q) = leto(s)(j, p, q) %%%%%%%% Measure z: VAR int vf, svf: VAR [t -> int] vena: VAR [nat -> pred[t]] r: VAR posnat fac, del: VAR posnat % factor, delay delay, offset: VAR nat cov: VAR [nat -> pred[t]] we: VAR [posnat -> posnat] mwe: VAR posnat alt, exc: VAR pred[t] leq(z, vf)(x): bool = z <= vf(x) disgrowth(s, vf, we, cov): bool = (FORALL z, r: leto(s)(we(r), cap(leq(z, vf), cov(r)), leq(z + we(r), vf) )) distributed_progress: THEOREM % disgrowth(s, vf, we, cov) AND (FORALL r: we(r) <= mwe) AND (FORALL x: s`inv(x) IMPLIES EXISTS i: cov(i)(x)) IMPLIES leto(s)(n + mwe - 1, leq(z, vf), cup(leq(z + n, vf), cov(0))) proportional_progress: THEOREM (FORALL k, z: leto(s)(k + offset, leq(z, vf), cup(leq(z + k, vf), alt))) AND (FORALL x: s`inv(x) IMPLIES fac * svf(x) <= vf(x)) AND (FORALL x: s`inv(x) IMPLIES vf(x) <= fac * svf(x) + delay OR exc(x)) IMPLIES leto(s)(fac * i + delay + offset, leq(z, svf), cup(leq(z + i, svf), cup(alt, exc)) ) fwd_measure(vf, vena, s): bool = (FORALL x, y: s`step(x, y) AND s`inv(x) IMPLIES vf(x) <= vf(y)) % 1 AND (FORALL k: cap(vena(k), s`inv) <= enabled(s)(k)) % 2 AND (FORALL k, x, y: s`fwd(k)(x, y) AND vena(k)(x) AND s`inv(x) % 3 IMPLIES vf(x) < vf(y) ) AND (FORALL k, x, y: s`step(x, y) AND vena(k)(x) AND s`inv(x) % 4 IMPLIES vena(k)(y) OR vf(x) < vf(y) ) fwd_measure_ensures: LEMMA %% using %1, %4, %2, %3, using ensures fwd_measure(vf, vena, s) IMPLIES leto(s)(1, cap(leq(z, vf), vena(k)), leq(z + 1, vf)) none(vena, s)(x): bool = FORALL k: NOT vena(k)(x) fwd_measure_leadsto: LEMMA fwd_measure(vf, vena, s) IMPLIES leto(s)(1, leq(z, vf), cup(leq(z + 1, vf), none(vena, s))) fwd_measure_leadsto_more: LEMMA fwd_measure(vf, vena, s) IMPLIES leto(s)(n, leq(z, vf), cup(leq(z + n, vf), none(vena, s))) proportional(vf, svf, fac, del)(x): bool = fac * svf(x) <= vf(x) AND vf(x) < fac * svf(x) + del proportional_measure_leadsto: THEOREM fwd_measure(vf, vena, s) AND subset?(s`inv, proportional(vf, svf, fac, del)) AND fac * (i - 1) + del <= n IMPLIES leto(s)(n, leq(z, svf), cup(leq(z + i, svf), none(vena, s))) proportionA(vf, svf, fac)(x): bool = fac * svf(x) <= vf(x) proportionB(vf, svf, fac, del)(x): bool = vf(x) < fac * svf(x) + del proportional_measure_leadsto1: THEOREM fwd_measure(vf, vena, s) AND subset?(s`inv, proportionA(vf, svf, fac)) AND subset?(cap(s`inv, p), proportionB(vf, svf, fac, del)) AND fac * (i - 1) + del <= n IMPLIES leto(s)(n, leq(z, svf), cup(neg(p), cup(leq(z + i, svf), none(vena, s))) ) %%%% now the same for leadsto subset_leadsto: LEMMA % cap(p, s`inv) <= q IMPLIES leadsto(s)(p, q) ensures_leadsto: LEMMA % ensures(s)(p, q) IMPLIES leadsto(s)(p, q) leadsto_union: LEMMA (FORALL p: pset(p) IMPLIES leadsto(s)(p, q)) IMPLIES leadsto(s)(Union(pset), q) leadsto_transitive: LEMMA leadsto(s)(p, pq) AND leadsto(s)(pq, q) IMPLIES leadsto(s)(p, q) PSP_leadsto: LEMMA % leadsto(s)(p, q) AND unless(s)(pa, pm) IMPLIES leadsto(s)(cap(p, pa), cup(cap(q, pa), pm)) % leadsto_completion: LEMMA % This can be proved if pset is finite. % (FORALL q: pset(q) % IMPLIES leadsto(s)(n, p, q) AND unless(s)(q, pm) ) % IMPLIES leadsto(s)(n, p, cup(Intersection(pset), pm)) % Derived rules cup_leadsto: LEMMA % can be derived from leadsto_union leadsto(s)(p, q) AND leadsto(s)(pq, q) IMPLIES leadsto(s)(cup(p, pq), q) leadsto_transitive_2: LEMMA leadsto(s)(p, cup(pq, pa)) AND leadsto(s)(pq, cup(q, pa)) IMPLIES leadsto(s)(p, cup(q, pa)) leadsto_transitive_1: LEMMA leadsto(s)(p, cup(pq, q)) AND leadsto(s)(pq, q) IMPLIES leadsto(s)(p, q) sub_leadsto: LEMMA cap(p, s`inv) <= pq AND leadsto(s)(pq, q) IMPLIES leadsto(s)(p, q) leadsto_sub: LEMMA cap(pq, s`inv) <= q AND leadsto(s)(p, pq) IMPLIES leadsto(s)(p, q) shunting_leadsto: LEMMA leadsto(s)(cap(p, neg(pq)), q) IMPLIES leadsto(s)(p, cup(q, pq)) leadsto_inv: LEMMA leadsto(s)(cap(p, s`inv), q) = leadsto(s)(p, q) bounding_leadsto: LEMMA leadsto(s)(p, q) AND leto(s)(n, p, cup(q, pa)) AND stable(s)(pa) AND empty?(cap(q, pa)) AND good(s) IMPLIES leto(s)(n, p, q) END bdUnity $$$bdUnity.prf (bdUnity (nuspec_TCC1 0 (nuspec_TCC1-1 nil 3591000903 ("" (expand "good") (("" (split) (("1" (grind) nil nil) ("2" (grind) nil nil) ("3" (grind) nil nil) ("4" (skosimp) (("4" (expand "is_finite") (("4" (inst + 1 id) (("1" (grind) nil nil) ("2" (skosimp) (("2" (expand "id") (("2" (expand "fullset") (("2" (typepred x1!1) (("2" (expand "enabled") (("2" (expand "emptyset") (("2" (propax) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((fullset const-decl "set" sets nil) (reflexive? const-decl "bool" relations nil) (wp const-decl "bool" ownpred nil) (<= const-decl "bool" mucalculus nil) (emptyset const-decl "set" sets nil) (is_finite const-decl "bool" finite_sets nil) (injective? const-decl "bool" functions nil) (NOT const-decl "[bool -> bool]" booleans nil) (below type-eq-decl nil nat_types nil) (number nonempty-type-decl nil numbers nil) (boolean nonempty-type-decl nil booleans nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (number_field nonempty-type-from-decl nil number_fields nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (real nonempty-type-from-decl nil reals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (rational nonempty-type-from-decl nil rationals nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (int nonempty-type-eq-decl nil integers nil) (bool nonempty-type-eq-decl nil booleans nil) (>= const-decl "bool" reals nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (t formal-type-decl nil bdUnity nil) (pred type-eq-decl nil defined_types nil) (specification type-eq-decl nil bdUnity nil) (enabled const-decl "bool" bdUnity nil) (set type-eq-decl nil sets nil) (x!1 skolem-const-decl "t" bdUnity nil) (< const-decl "bool" reals nil) (bijective? const-decl "bool" functions nil) (id const-decl "(bijective?[T, T])" identity nil) (good const-decl "bool" bdUnity nil)) nil)) (unless_co 0 (unless_co-1 nil 3588931070 ("" (grind) nil nil) ((neg const-decl "bool" ownpred nil) (cap const-decl "bool" ownpred nil) (cup const-decl "bool" ownpred nil) (wp const-decl "bool" ownpred nil) (<= const-decl "bool" mucalculus nil) (unless const-decl "bool" bdUnity nil) (co const-decl "bool" bdUnity nil)) shostak)) (co_unless 0 (co_unless-1 nil 3590830368 ("" (skosimp) (("" (use unless_co) (("" (replace -1 :hide? t) (("" (case "cap(pa!1, neg(pm!1)) = p!1 AND cup(pa!1, pm!1) = q!1") (("1" (flatten) (("1" (assert) nil nil)) nil) ("2" (hide 2) (("2" (split) (("1" (apply-extensionality :hide? t) (("1" (iff) (("1" (grind) nil nil)) nil)) nil) ("2" (apply-extensionality :hide? t) (("2" (iff) (("2" (grind) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((unless_co formula-decl nil bdUnity nil) (specification type-eq-decl nil bdUnity nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (pred type-eq-decl nil defined_types nil) (bool nonempty-type-eq-decl nil booleans nil) (boolean nonempty-type-decl nil booleans nil) (t formal-type-decl nil bdUnity nil) (cup const-decl "bool" ownpred nil) (neg const-decl "bool" ownpred nil) (cap const-decl "bool" ownpred nil) (= const-decl "[T, T -> boolean]" equalities nil) (AND const-decl "[bool, bool -> bool]" booleans nil) (<= const-decl "bool" mucalculus nil) (member const-decl "bool" sets nil) (difference const-decl "set" sets nil)) shostak)) (ensuresA_ensures 0 (ensuresA_ensures-2 nil 3679320788 ("" (skosimp) (("" (iff) (("" (prop) (("1" (expand "ensuresA") (("1" (expand "ensures") (("1" (flatten) (("1" (assert) (("1" (expand "transient") (("1" (expand "cobar") (("1" (skosimp) (("1" (inst? +) (("1" (assert) (("1" (skosimp) (("1" (expand "cap") (("1" (inst?) (("1" (flatten) (("1" (assert) (("1" (expand "neg") (("1" (propax) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (expand "ensuresA") (("2" (expand "ensures") (("2" (flatten) (("2" (assert) (("2" (expand "cobar") (("2" (expand "transient") (("2" (skosimp) (("2" (inst? +) (("2" (assert) (("2" (skosimp) (("2" (inst?) (("2" (assert) (("2" (expand "cap") (("2" (flatten) (("2" (expand "neg") (("2" (assert) (("2" (hide -2) (("2" (expand "co") (("2" (expand "<=") (("2" (expand "wp") (("2" (expand "cap") (("2" (inst - x!1) (("2" (assert) (("2" (expand "cup") (("2" (inst - y!1) (("2" (assert) (("2" (expand "good") (("2" (flatten) (("2" (inst? -6) (("2" (expand "<=") (("2" (inst? -6) (("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((<= const-decl "bool" mucalculus nil) (good const-decl "bool" bdUnity nil) (cup const-decl "bool" ownpred nil) (wp const-decl "bool" ownpred nil) (co const-decl "bool" bdUnity nil) (ensuresA const-decl "bool" bdUnity nil) (transient const-decl "bool" bdUnity nil) (cap const-decl "bool" ownpred nil) (neg const-decl "bool" ownpred nil) (t formal-type-decl nil bdUnity nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (>= const-decl "bool" reals nil) (bool nonempty-type-eq-decl nil booleans nil) (int nonempty-type-eq-decl nil integers nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (rational nonempty-type-from-decl nil rationals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (real nonempty-type-from-decl nil reals nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (boolean nonempty-type-decl nil booleans nil) (number nonempty-type-decl nil numbers nil) (cobar const-decl "bool" bdUnity nil) (ensures const-decl "bool" bdUnity nil)) nil) (ensuresA_ensures-1 nil 3679319991 ("" (skolem!) (("" (iff) (("" (prop) (("1" (expand "ensuresA") (("1" (expand "ensures") (("1" (flatten) (("1" (assert) (("1" (expand "transient") (("1" (expand "cobar") (("1" (skosimp) (("1" (inst? +) (("1" (assert) (("1" (skosimp) (("1" (expand "cap") (("1" (inst?) (("1" (flatten) (("1" (assert) (("1" (expand "neg") (("1" (propax) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (expand "ensuresA") (("2" (expand "ensures") (("2" (flatten) (("2" (assert) (("2" (expand "cobar") (("2" (expand "transient") (("2" (skosimp) (("2" (inst? +) (("2" (assert) (("2" (skosimp) (("2" (inst?) (("2" (assert) (("2" (expand "cap") (("2" (flatten) (("2" (expand "neg") (("2" (assert) (("2" (hide -2) (("2" (expand "co") (("2" (expand "<=") (("2" (expand "wp") (("2" (expand "cap") (("2" (inst - x!1) (("2" (assert) (("2" (postpone) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) nil shostak)) (subset_ensures 0 (subset_ensures-1 nil 3679321705 ("" (expand "ensures") (("" (expand "co") (("" (expand "transient") (("" (expand "<=") (("" (expand "wp") (("" (expand "cap") (("" (skosimp*) (("" (split) (("1" (skosimp*) (("1" (expand "cup") (("1" (expand "neg") (("1" (inst - s!2) (("1" (assert) nil nil)) nil)) nil)) nil)) nil) ("2" (inst + 0) (("2" (expand "neg") (("2" (split) (("1" (skosimp) (("1" (inst - s!2) (("1" (assert) nil nil)) nil)) nil) ("2" (skosimp) (("2" (inst - x!1) (("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((co const-decl "bool" bdUnity nil) (<= const-decl "bool" mucalculus nil) (cap const-decl "bool" ownpred nil) (cup const-decl "bool" ownpred nil) (t formal-type-decl nil bdUnity nil) (neg const-decl "bool" ownpred nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (>= const-decl "bool" reals nil) (bool nonempty-type-eq-decl nil booleans nil) (int nonempty-type-eq-decl nil integers nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (rational nonempty-type-from-decl nil rationals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (real nonempty-type-from-decl nil reals nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (boolean nonempty-type-decl nil booleans nil) (number nonempty-type-decl nil numbers nil) (wp const-decl "bool" ownpred nil) (transient const-decl "bool" bdUnity nil) (ensures const-decl "bool" bdUnity nil)) shostak)) (stable_unless 0 (stable_unless-1 nil 3588931363 ("" (expand "unless") (("" (expand "<=") (("" (expand "wp") (("" (skosimp*) (("" (expand "cup") (("" (expand "cap") (("" (flatten) (("" (expand "neg") (("" (inst?) (("" (assert) (("" (inst - y!1) (("" (assert) (("" (expand "stable") (("" (expand "co") (("" (expand "wp") (("" (expand "<=") (("" (expand "cap") (("" (inst?) (("" (assert) (("" (inst - y!1) (("" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((<= const-decl "bool" mucalculus nil) (cap const-decl "bool" ownpred nil) (neg const-decl "bool" ownpred nil) (co const-decl "bool" bdUnity nil) (stable const-decl "bool" bdUnity nil) (t formal-type-decl nil bdUnity nil) (cup const-decl "bool" ownpred nil) (wp const-decl "bool" ownpred nil) (unless const-decl "bool" bdUnity nil)) shostak)) (stable_ensures 0 (stable_ensures-1 nil 3679322160 ("" (expand "ensures") (("" (skosimp) (("" (split) (("1" (lemma stable_unless) (("1" (inst?) (("1" (inst - q!1 s!1) (("1" (lemma unless_co) (("1" (assert) (("1" (inst-cp - p!1 q!1 s!1) (("1" (assert) (("1" (hide -2) (("1" (inst?) (("1" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (expand "transient") (("2" (skosimp) (("2" (inst? +) (("2" (split) (("1" (expand "<=") (("1" (expand "cap") (("1" (skosimp) (("1" (inst?) (("1" (assert) nil nil)) nil)) nil)) nil)) nil) ("2" (expand "cap") (("2" (skosimp) (("2" (inst?) (("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((transient const-decl "bool" bdUnity nil) (number nonempty-type-decl nil numbers nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (number_field nonempty-type-from-decl nil number_fields nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (real nonempty-type-from-decl nil reals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (rational nonempty-type-from-decl nil rationals nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (int nonempty-type-eq-decl nil integers nil) (>= const-decl "bool" reals nil) (<= const-decl "bool" mucalculus nil) (stable_unless formula-decl nil bdUnity nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (specification type-eq-decl nil bdUnity nil) (cap const-decl "bool" ownpred nil) (unless_co formula-decl nil bdUnity nil) (pred type-eq-decl nil defined_types nil) (bool nonempty-type-eq-decl nil booleans nil) (boolean nonempty-type-decl nil booleans nil) (t formal-type-decl nil bdUnity nil) (ensures const-decl "bool" bdUnity nil)) shostak)) (sched_TCC1 0 (sched_TCC1-1 nil 3624340822 ("" (expand "nonempty?") (("" (expand "empty?") (("" (expand "member") (("" (skosimp) (("" (inst?) (("" (inst + 0) (("" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil) ((empty? const-decl "bool" sets nil) (nnint_plus_nnint_is_nnint application-judgement "nonneg_int" integers nil) (even_times_int_is_even application-judgement "even_int" integers nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (>= const-decl "bool" reals nil) (bool nonempty-type-eq-decl nil booleans nil) (int nonempty-type-eq-decl nil integers nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (rational nonempty-type-from-decl nil rationals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (real nonempty-type-from-decl nil reals nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (boolean nonempty-type-decl nil booleans nil) (number nonempty-type-decl nil numbers nil) (member const-decl "bool" sets nil) (nonempty? const-decl "bool" sets nil) (mult_divides1 application-judgement "(divides(n))" divides nil) (nnint_times_nnint_is_nnint application-judgement "nonneg_int" integers nil)) nil)) (sched_schedules 0 (sched_schedules-1 nil 3624340824 ("" (skosimp) (("" (expand "sched") (("" (name-replace mn "min({i | EXISTS k: i + k * k = j!1 * j!1 + i!1})") (("1" (typepred mn) (("1" (skolem!) (("1" (inst - i!1) (("1" (split) (("1" (case "forall (x, y: nat): x <= y IMPLIES x*x <= y*y") (("1" (case "k!1 + 1 <= j!1") (("1" (assert) (("1" (inst?) (("1" (assert) nil nil)) nil)) nil) ("2" (case "j!1 + 1 <= k!1") (("1" (inst?) (("1" (assert) nil nil)) nil) ("2" (assert) nil nil)) nil)) nil) ("2" (hide - 2) (("2" (skosimp) (("2" (name dd "y!1-x!1") (("2" (case "y!1= dd + x!1") (("1" (replaceh -1) (("1" (assert) (("1" (case "dd >= 0") (("1" (hide -2 -3) (("1" (typepred x!1) (("1" (case "dd > 0") (("1" (assert) (("1" (case "x!1>0") (("1" (hide -3 -4) (("1" (lemma both_sides_times_pos_ge1) (("1" (case "dd * x!1 >= 0") (("1" (case "dd * dd >= 0") (("1" (assert) nil nil) ("2" (inst - dd dd 0) (("2" (assert) nil nil)) nil)) nil) ("2" (inst - x!1 dd 0) (("2" (assert) nil nil)) nil)) nil)) nil)) nil) ("2" (assert) nil nil)) nil)) nil) ("2" (assert) nil nil)) nil)) nil)) nil) ("2" (assert) nil nil)) nil)) nil)) nil) ("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil) ("2" (inst + j!1) (("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil) ("2" (expand "nonempty?") (("2" (expand "empty?") (("2" (expand "member") (("2" (inst - i!1) (("2" (inst + j!1) (("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((nnint_times_nnint_is_nnint application-judgement "nonneg_int" integers nil) (mult_divides1 application-judgement "(divides(n))" divides nil) (sched const-decl "nat" bdUnity nil) (member const-decl "bool" sets nil) (empty? const-decl "bool" sets nil) (NOT const-decl "[bool -> bool]" booleans nil) (real_le_is_total_order name-judgement "(total_order?[real])" real_props nil) (posint_plus_nnint_is_posint application-judgement "posint" integers nil) (nnint_plus_posint_is_posint application-judgement "posint" integers nil) (int_plus_int_is_int application-judgement "int" integers nil) (mult_divides2 application-judgement "(divides(m))" divides nil) (> const-decl "bool" reals nil) (both_sides_times_pos_ge1 formula-decl nil real_props nil) (even_times_int_is_even application-judgement "even_int" integers nil) (nonneg_real nonempty-type-eq-decl nil real_types nil) (posreal nonempty-type-eq-decl nil real_types nil) (real_gt_is_strict_total_order name-judgement "(strict_total_order?[real])" real_props nil) (real_ge_is_total_order name-judgement "(total_order?[real])" real_props nil) (minus_odd_is_odd application-judgement "odd_int" integers nil) (- const-decl "[numfield, numfield -> numfield]" number_fields nil) (int_minus_int_is_int application-judgement "int" integers nil) (* const-decl "[numfield, numfield -> numfield]" number_fields nil) (+ const-decl "[numfield, numfield -> numfield]" number_fields nil) (numfield nonempty-type-eq-decl nil number_fields nil) (min const-decl "{a | S(a) AND (FORALL x: S(x) IMPLIES a <= x)}" min_nat nil) (<= const-decl "bool" reals nil) (IMPLIES const-decl "[bool, bool -> bool]" booleans nil) (AND const-decl "[bool, bool -> bool]" booleans nil) (nonempty? const-decl "bool" sets nil) (set type-eq-decl nil sets nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (>= const-decl "bool" reals nil) (bool nonempty-type-eq-decl nil booleans nil) (int nonempty-type-eq-decl nil integers nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (rational nonempty-type-from-decl nil rationals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (real nonempty-type-from-decl nil reals nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (= const-decl "[T, T -> boolean]" equalities nil) (boolean nonempty-type-decl nil booleans nil) (number nonempty-type-decl nil numbers nil) (nnint_plus_nnint_is_nnint application-judgement "nonneg_int" integers nil)) shostak)) (chosen_TCC1 0 (chosen_TCC1-1 nil 3624344465 ("" (existence-tcc) nil nil) ((boolean nonempty-type-decl nil booleans nil) (bool nonempty-type-eq-decl nil booleans nil) (NOT const-decl "[bool -> bool]" booleans nil) (number nonempty-type-decl nil numbers nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (number_field nonempty-type-from-decl nil number_fields nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (real nonempty-type-from-decl nil reals nil) (>= const-decl "bool" reals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (rational nonempty-type-from-decl nil rationals nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (int nonempty-type-eq-decl nil integers nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (real_ge_is_total_order name-judgement "(total_order?[real])" real_props nil) (t formal-type-decl nil bdUnity nil) (choice const-decl "pred[t]" bdUnity nil) (member const-decl "bool" sets nil) (empty? const-decl "bool" sets nil)) nil)) (runfrom_TCC1 0 (runfrom_TCC1-1 nil 3624344465 ("" (subtype-tcc) nil nil) ((boolean nonempty-type-decl nil booleans nil) (bool nonempty-type-eq-decl nil booleans nil) (NOT const-decl "[bool -> bool]" booleans nil) (number nonempty-type-decl nil numbers nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (number_field nonempty-type-from-decl nil number_fields nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (real nonempty-type-from-decl nil reals nil) (>= const-decl "bool" reals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (rational nonempty-type-from-decl nil rationals nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (int nonempty-type-eq-decl nil integers nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (int_minus_int_is_int application-judgement "int" integers nil) (real_ge_is_total_order name-judgement "(total_order?[real])" real_props nil)) nil)) (runfrom_TCC2 0 (runfrom_TCC2-1 nil 3624344465 ("" (termination-tcc) nil nil) nil nil)) (runfrom_run 0 (runfrom_run-1 nil 3624344650 ("" (expand "run") (("" (skosimp) (("" (split) (("1" (expand "exec") (("1" (name-replace xss "runfrom(s!1, x!1)" nil) (("1" (case "FORALL n: s!1`step(xss(n), xss(1 + n))") (("1" (case "FORALL n: s!1`inv(xss(n))") (("1" (skolem!) (("1" (inst?) (("1" (inst?) (("1" (assert) nil nil)) nil)) nil)) nil) ("2" (hide 2) (("2" (induct n) (("1" (expand "xss") (("1" (expand "runfrom") (("1" (propax) nil nil)) nil)) nil) ("2" (skosimp) (("2" (inst?) (("2" (expand "good") (("2" (flatten) (("2" (expand "<=") (("2" (inst?) (("2" (assert) (("2" (expand "wp") (("2" (inst - "xss(1 + j!1)") (("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (hide 2) (("2" (skolem!) (("2" (name-replace xss1 "xss(1 + n!1)" nil) (("2" (expand xss -1) (("2" (expand runfrom -1) (("2" (replace -2) (("2" (expand "chosen") (("2" (lift-if) (("2" (assert) (("2" (split) (("1" (flatten) (("1" (expand "good") (("1" (flatten) (("1" (expand "reflexive?") (("1" (inst?) (("1" (assert) nil nil)) nil)) nil)) nil)) nil)) nil) ("2" (flatten) (("2" (use epsilon_ax[t]) (("2" (replace -2) (("2" (split) (("1" (hide -2) (("1" (expand "choice") (("1" (expand "good") (("1" (flatten) (("1" (inst?) (("1" (expand "<=") (("1" (hide -5) (("1" (inst?) (("1" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (expand "empty?") (("2" (expand "member") (("2" (hide - 3) (("2" (skosimp) (("2" (inst?) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (expand "weakfair") (("2" (skosimp*) (("2" (name jj "k!1+n!1+1") (("2" (name ii "jj * jj + k!1 - n!1") (("2" (case "ii >= 0") (("1" (use sched_schedules (i k!1 j jj)) (("1" (assert) (("1" (inst + ii) (("1" (name-replace yy "runfrom(s!1, x!1)(1 + ii + n!1)" nil) (("1" (expand runfrom -1) (("1" (case "jj * jj + k!1 = ii + n!1") (("1" (replaceh -1) (("1" (replaceh -2) (("1" (expand "fw") (("1" (flatten) (("1" (name-replace xx "runfrom(s!1, x!1)(ii + n!1)") (("1" (expand "chosen") (("1" (lift-if) (("1" (split) (("1" (flatten) (("1" (expand "empty?") (("1" (expand "member") (("1" (expand "choice") (("1" (expand "enabled") (("1" (skolem!) (("1" (inst?) nil nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (flatten) (("2" (use epsilon_ax[t]) (("2" (split) (("1" (replaceh -2) (("1" (expand "choice") (("1" (propax) nil nil)) nil)) nil) ("2" (hide - 3) (("2" (expand "empty?") (("2" (expand "member") (("2" (skolem!) (("2" (inst?) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (hide -3 -4 2) (("2" (expand "ii") (("2" (expand "jj") (("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((weakfair const-decl "bool" bdUnity nil) (posint nonempty-type-eq-decl nil integers nil) (> const-decl "bool" reals nil) (nonneg_int nonempty-type-eq-decl nil integers nil) (real_le_is_total_order name-judgement "(total_order?[real])" real_props nil) (nnint_plus_nnint_is_nnint application-judgement "nonneg_int" integers nil) (minus_odd_is_odd application-judgement "odd_int" integers nil) (mult_divides1 application-judgement "(divides(n))" divides nil) (posint_times_posint_is_posint application-judgement "posint" integers nil) (real_ge_is_total_order name-judgement "(total_order?[real])" real_props nil) (int_plus_int_is_int application-judgement "int" integers nil) (enabled const-decl "bool" bdUnity nil) (fw const-decl "bool" bdUnity nil) (sched_schedules formula-decl nil bdUnity nil) (ii skolem-const-decl "int" bdUnity nil) (even_times_int_is_even application-judgement "even_int" integers nil) (jj skolem-const-decl "posint" bdUnity nil) (mult_divides2 application-judgement "(divides(m))" divides nil) (nnint_times_nnint_is_nnint application-judgement "nonneg_int" integers nil) (* const-decl "[numfield, numfield -> numfield]" number_fields nil) (- const-decl "[numfield, numfield -> numfield]" number_fields nil) (exec const-decl "bool" bdUnity nil) (posint_plus_nnint_is_posint application-judgement "posint" integers nil) (numfield nonempty-type-eq-decl nil number_fields nil) (+ const-decl "[numfield, numfield -> numfield]" number_fields nil) (good const-decl "bool" bdUnity nil) (<= const-decl "bool" mucalculus nil) (nnint_plus_posint_is_posint application-judgement "posint" integers nil) (wp const-decl "bool" ownpred nil) (xss skolem-const-decl "[nat -> t]" bdUnity nil) (nat_induction formula-decl nil naturalnumbers nil) (reflexive? const-decl "bool" relations nil) (epsilon_ax formula-decl nil epsilons nil) (choice const-decl "pred[t]" bdUnity nil) (sched const-decl "nat" bdUnity nil) (member const-decl "bool" sets nil) (empty? const-decl "bool" sets nil) (chosen const-decl "t" bdUnity nil) (int_minus_int_is_int application-judgement "int" integers nil) (runfrom def-decl "t" bdUnity nil) (specification type-eq-decl nil bdUnity nil) (pred type-eq-decl nil defined_types nil) (= const-decl "[T, T -> boolean]" equalities nil) (t formal-type-decl nil bdUnity nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (>= const-decl "bool" reals nil) (bool nonempty-type-eq-decl nil booleans nil) (int nonempty-type-eq-decl nil integers nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (rational nonempty-type-from-decl nil rationals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (real nonempty-type-from-decl nil reals nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (boolean nonempty-type-decl nil booleans nil) (number nonempty-type-decl nil numbers nil) (run const-decl "bool" bdUnity nil)) shostak)) (run_exists 0 (run_exists-1 nil 3624347702 ("" (skosimp) (("" (use runfrom_run) (("" (assert) (("" (inst?) (("" (assert) (("" (expand "runfrom") (("" (propax) nil nil)) nil)) nil)) nil)) nil)) nil)) nil) ((runfrom_run formula-decl nil bdUnity nil) (specification type-eq-decl nil bdUnity nil) (pred type-eq-decl nil defined_types nil) (t formal-type-decl nil bdUnity nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (number nonempty-type-decl nil numbers nil) (boolean nonempty-type-decl nil booleans nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (number_field nonempty-type-from-decl nil number_fields nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (real nonempty-type-from-decl nil reals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (rational nonempty-type-from-decl nil rationals nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (int nonempty-type-eq-decl nil integers nil) (bool nonempty-type-eq-decl nil booleans nil) (>= const-decl "bool" reals nil) (runfrom def-decl "t" bdUnity nil)) shostak)) (machine_closed 0 (machine_closed-1 nil 3624347743 ("" (skosimp) (("" (name xx "xs!1(n!1)") (("" (use run_exists) (("" (assert) (("" (split) (("1" (skosimp) (("1" (name yys "lambda i: IF i <= n!1 THEN xs!1(i) ELSE xs!2(i - n!1) ENDIF") (("1" (inst + yys) (("1" (expand "run") (("1" (flatten) (("1" (split) (("1" (expand "exec") (("1" (skolem!) (("1" (case "n!2 < n!1") (("1" (expand "yys") (("1" (assert) (("1" (inst? -7) nil nil)) nil)) nil) ("2" (expand "yys") (("2" (assert) (("2" (inst -2 "n!2-n!1") (("2" (assert) (("2" (flatten) (("2" (assert) (("2" (lift-if) (("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (expand "weakfair") (("2" (skosimp*) (("2" (inst - k!1) (("2" (inst - n!2) (("2" (skolem!) (("2" (inst + "i!1+n!1") (("2" (expand "yys") (("2" (assert) (("2" (lift-if) (("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("3" (skosimp) (("3" (expand "yys") (("3" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (skosimp) (("2" (assert) nil nil)) nil)) nil)) nil) ("2" (expand "exec") (("2" (inst?) (("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((nat nonempty-type-eq-decl nil naturalnumbers nil) (>= const-decl "bool" reals nil) (bool nonempty-type-eq-decl nil booleans nil) (int nonempty-type-eq-decl nil integers nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (rational nonempty-type-from-decl nil rationals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (real nonempty-type-from-decl nil reals nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (number nonempty-type-decl nil numbers nil) (= const-decl "[T, T -> boolean]" equalities nil) (boolean nonempty-type-decl nil booleans nil) (t formal-type-decl nil bdUnity nil) (weakfair const-decl "bool" bdUnity nil) (+ const-decl "[numfield, numfield -> numfield]" number_fields nil) (nnint_plus_nnint_is_nnint application-judgement "nonneg_int" integers nil) (exec const-decl "bool" bdUnity nil) (< const-decl "bool" reals nil) (posint_plus_nnint_is_posint application-judgement "posint" integers nil) (real_le_is_total_order name-judgement "(total_order?[real])" real_props nil) (real_lt_is_strict_total_order name-judgement "(strict_total_order?[real])" real_props nil) (yys skolem-const-decl "[nat -> t]" bdUnity nil) (int_plus_int_is_int application-judgement "int" integers nil) (real_ge_is_total_order name-judgement "(total_order?[real])" real_props nil) (run const-decl "bool" bdUnity nil) (IMPLIES const-decl "[bool, bool -> bool]" booleans nil) (NOT const-decl "[bool -> bool]" booleans nil) (minus_odd_is_odd application-judgement "odd_int" integers nil) (int_minus_int_is_int application-judgement "int" integers nil) (IF const-decl "[boolean, T, T -> T]" if_def nil) (<= const-decl "bool" reals nil) (numfield nonempty-type-eq-decl nil number_fields nil) (- const-decl "[numfield, numfield -> numfield]" number_fields nil) (specification type-eq-decl nil bdUnity nil) (pred type-eq-decl nil defined_types nil) (run_exists formula-decl nil bdUnity nil)) shostak)) (drop_run 0 (drop_run-1 nil 3589011688 ("" (expand "run") (("" (skosimp) (("" (split) (("1" (expand "exec") (("1" (expand "drop") (("1" (skolem!) (("1" (inst?) (("1" (assert) nil nil)) nil)) nil)) nil)) nil) ("2" (skolem!) (("2" (inst?) (("2" (expand "weakfair") (("2" (skolem!) (("2" (expand "drop") (("2" (inst - "n!1+n!2") (("2" (skolem!) (("2" (inst?) (("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((weakfair const-decl "bool" bdUnity nil) (odd_minus_odd_is_even application-judgement "even_int" integers nil) (exec const-decl "bool" bdUnity nil) (+ const-decl "[numfield, numfield -> numfield]" number_fields nil) (numfield nonempty-type-eq-decl nil number_fields nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (>= const-decl "bool" reals nil) (bool nonempty-type-eq-decl nil booleans nil) (int nonempty-type-eq-decl nil integers nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (rational nonempty-type-from-decl nil rationals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (real nonempty-type-from-decl nil reals nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (boolean nonempty-type-decl nil booleans nil) (number nonempty-type-decl nil numbers nil) (int_minus_int_is_int application-judgement "int" integers nil) (nnint_plus_nnint_is_nnint application-judgement "nonneg_int" integers nil) (drop const-decl "t" bdUnity nil) (posint_plus_nnint_is_posint application-judgement "posint" integers nil) (run const-decl "bool" bdUnity nil)) shostak)) (run_round 0 (run_round-4 nil 3624353673 ("" (expand "run") (("" (expand "round") (("" (skosimp) (("" (expand "weakfair") (("" (expand "good") (("" (flatten) (("" (inst -6 "xs!1(0)") (("" (split) (("1" (name-replace ena "{k | enabled(s!1)(k)(xs!1(0))}" nil) (("1" (case "EXISTS n: FORALL k: ena(k) IMPLIES EXISTS i: i < n AND fw(s!1)(k)(xs!1(i), xs!1(1 + i))") (("1" (skosimp) (("1" (inst + "1+n!1") (("1" (skolem!) (("1" (inst? -) (("1" (split) (("1" (skosimp) (("1" (inst? +) (("1" (assert) nil nil)) nil)) nil) ("2" (inst + 0) (("2" (expand "ena") (("2" (expand "fw") (("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (hide -1 -3 2) (("2" (name ff "lambda k: min({i | fw(s!1)(k)(xs!1(i), xs!1(i+1))})") (("1" (name nn "maximum(ff, ena)") (("1" (use maximum_prop[nat]) (("1" (assert) (("1" (inst + "1+nn") (("1" (skosimp) (("1" (replace -2 :hide? t) (("1" (inst? -) (("1" (assert) (("1" (name-replace fk "ff(k!1)" nil) (("1" (inst + fk) (("1" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (propax) nil nil)) nil) ("2" (hide -1 2) (("2" (expand "nonempty?") (("2" (expand "empty?") (("2" (expand "member") (("2" (skosimp) (("2" (inst? -2) (("2" (inst -2 0) (("2" (skolem!) (("2" (assert) (("2" (inst?) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (expand "exec") (("2" (inst - 0) (("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((round const-decl "bool" bdUnity nil) (posint_plus_nnint_is_posint application-judgement "posint" integers nil) (weakfair const-decl "bool" bdUnity nil) (IMPLIES const-decl "[bool, bool -> bool]" booleans nil) (AND const-decl "[bool, bool -> bool]" booleans nil) (< const-decl "bool" reals nil) (fw const-decl "bool" bdUnity nil) (numfield nonempty-type-eq-decl nil number_fields nil) (+ const-decl "[numfield, numfield -> numfield]" number_fields nil) (ena skolem-const-decl "[nat -> bool]" bdUnity nil) (real_lt_is_strict_total_order name-judgement "(strict_total_order?[real])" real_props nil) (int_minus_int_is_int application-judgement "int" integers nil) (nnint_plus_posint_is_posint application-judgement "posint" integers nil) (<= const-decl "bool" reals nil) (set type-eq-decl nil sets nil) (nonempty? const-decl "bool" sets nil) (min const-decl "{a | S(a) AND (FORALL x: S(x) IMPLIES a <= x)}" min_nat nil) (maximum_prop formula-decl nil maxfinset nil) (real_le_is_total_order name-judgement "(total_order?[real])" real_props nil) (maximum def-decl "nat" maxfinset nil) (finite_set type-eq-decl nil finite_sets nil) (is_finite const-decl "bool" finite_sets nil) (member const-decl "bool" sets nil) (nnint_plus_nnint_is_nnint application-judgement "nonneg_int" integers nil) (empty? const-decl "bool" sets nil) (= const-decl "[T, T -> boolean]" equalities nil) (pred type-eq-decl nil defined_types nil) (specification type-eq-decl nil bdUnity nil) (enabled const-decl "bool" bdUnity nil) (odd_plus_even_is_odd application-judgement "odd_int" integers nil) (exec const-decl "bool" bdUnity nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (>= const-decl "bool" reals nil) (bool nonempty-type-eq-decl nil booleans nil) (int nonempty-type-eq-decl nil integers nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (rational nonempty-type-from-decl nil rationals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (real nonempty-type-from-decl nil reals nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (boolean nonempty-type-decl nil booleans nil) (number nonempty-type-decl nil numbers nil) (t formal-type-decl nil bdUnity nil) (good const-decl "bool" bdUnity nil) (run const-decl "bool" bdUnity nil)) nil) (run_round-3 nil 3624286690 ("" (expand "run") (("" (expand "round") (("" (skosimp) (("" (expand "weakfair") (("" (expand "locallyfinite") (("" (inst -3 "xs!1(0)") (("" (split) (("1" (name-replace ena "{k | enabled(s!1)(k)(xs!1(0))}" nil) (("1" (case "EXISTS n: FORALL k: ena(k) IMPLIES EXISTS i: i < n AND fw(s!1)(k)(xs!1(i), xs!1(1 + i))") (("1" (skosimp) (("1" (inst + "1+n!1") (("1" (skolem!) (("1" (inst? -) (("1" (split) (("1" (skosimp) (("1" (inst? +) (("1" (assert) nil nil)) nil)) nil) ("2" (inst + 0) (("2" (expand "ena") (("2" (expand "fw") (("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (hide -1 -3 2) (("2" (name ff "lambda k: min({i | fw(s!1)(k)(xs!1(i), xs!1(i+1))})") (("1" (name nn "maximum(ff, ena)") (("1" (use maximum_prop[nat]) (("1" (assert) (("1" (inst + "1+nn") (("1" (skosimp) (("1" (replace -2 :hide? t) (("1" (inst? -) (("1" (assert) (("1" (name-replace fk "ff(k!1)" nil) (("1" (inst + fk) (("1" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (propax) nil nil)) nil) ("2" (hide -1 2) (("2" (expand "nonempty?") (("2" (expand "empty?") (("2" (expand "member") (("2" (skosimp) (("2" (inst? -2) (("2" (inst -2 0) (("2" (skolem!) (("2" (assert) (("2" (inst?) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (expand "exec") (("2" (inst - 0) (("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((round const-decl "bool" bdUnity nil) (posint_plus_nnint_is_posint application-judgement "posint" integers nil) (weakfair const-decl "bool" bdUnity nil) (t formal-type-decl nil bdUnity nil) (number nonempty-type-decl nil numbers nil) (boolean nonempty-type-decl nil booleans nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (number_field nonempty-type-from-decl nil number_fields nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (real nonempty-type-from-decl nil reals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (rational nonempty-type-from-decl nil rationals nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (int nonempty-type-eq-decl nil integers nil) (bool nonempty-type-eq-decl nil booleans nil) (>= const-decl "bool" reals nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (exec const-decl "bool" bdUnity nil) (odd_plus_even_is_odd application-judgement "odd_int" integers nil) (enabled const-decl "bool" bdUnity nil) (specification type-eq-decl nil bdUnity nil) (pred type-eq-decl nil defined_types nil) (= const-decl "[T, T -> boolean]" equalities nil) (empty? const-decl "bool" sets nil) (nnint_plus_nnint_is_nnint application-judgement "nonneg_int" integers nil) (member const-decl "bool" sets nil) (is_finite const-decl "bool" finite_sets nil) (finite_set type-eq-decl nil finite_sets nil) (maximum def-decl "nat" maxfinset nil) (real_le_is_total_order name-judgement "(total_order?[real])" real_props nil) (maximum_prop formula-decl nil maxfinset nil) (min const-decl "{a | S(a) AND (FORALL x: S(x) IMPLIES a <= x)}" min_nat nil) (nonempty? const-decl "bool" sets nil) (set type-eq-decl nil sets nil) (<= const-decl "bool" reals nil) (nnint_plus_posint_is_posint application-judgement "posint" integers nil) (int_minus_int_is_int application-judgement "int" integers nil) (real_lt_is_strict_total_order name-judgement "(strict_total_order?[real])" real_props nil) (+ const-decl "[numfield, numfield -> numfield]" number_fields nil) (numfield nonempty-type-eq-decl nil number_fields nil) (fw const-decl "bool" bdUnity nil) (< const-decl "bool" reals nil) (AND const-decl "[bool, bool -> bool]" booleans nil) (IMPLIES const-decl "[bool, bool -> bool]" booleans nil) (run const-decl "bool" bdUnity nil)) nil) (run_round-2 nil 3589013264 ("" (expand "run") (("" (expand "round") (("" (skosimp) (("" (expand "weakfair") (("" (expand "locallyfinite") (("" (inst -3 "xs!1(0)") (("" (split) (("1" (name-replace ena "{k | NOT disabled(s!1)(k)(xs!1(0))}" nil) (("1" (case "EXISTS n: FORALL k: ena(k) IMPLIES EXISTS i: i < n AND fw(s!1)(k)(xs!1(i), xs!1(1 + i))") (("1" (skosimp) (("1" (inst + "1+n!1") (("1" (skolem!) (("1" (inst? -) (("1" (split) (("1" (skosimp) (("1" (inst? +) (("1" (assert) nil nil)) nil)) nil) ("2" (inst + 0) (("2" (expand "ena") (("2" (expand "fw") (("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (hide -1 -3 2) (("2" (name ff "lambda k: min({i | fw(s!1)(k)(xs!1(i), xs!1(i+1))})") (("1" (name nn "maximum(ff, ena)") (("1" (use maximum_prop[nat]) (("1" (assert) (("1" (inst + "1+nn") (("1" (skosimp) (("1" (replace -2 :hide? t) (("1" (inst? -) (("1" (assert) (("1" (name-replace fk "ff(k!1)" nil) (("1" (inst + fk) (("1" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (propax) nil nil)) nil) ("2" (hide -1 2) (("2" (expand "nonempty?") (("2" (expand "empty?") (("2" (expand "member") (("2" (skosimp) (("2" (inst? -2) (("2" (inst -2 0) (("2" (skolem!) (("2" (assert) (("2" (inst?) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (expand "exec") (("2" (inst - 0) (("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((round const-decl "bool" bdUnity nil) (posint_plus_nnint_is_posint application-judgement "posint" integers nil) (weakfair const-decl "bool" bdUnity nil) (t formal-type-decl nil bdUnity nil) (number nonempty-type-decl nil numbers nil) (boolean nonempty-type-decl nil booleans nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (number_field nonempty-type-from-decl nil number_fields nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (real nonempty-type-from-decl nil reals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (rational nonempty-type-from-decl nil rationals nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (int nonempty-type-eq-decl nil integers nil) (bool nonempty-type-eq-decl nil booleans nil) (>= const-decl "bool" reals nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (exec const-decl "bool" bdUnity nil) (odd_plus_even_is_odd application-judgement "odd_int" integers nil) (= const-decl "[T, T -> boolean]" equalities nil) (NOT const-decl "[bool -> bool]" booleans nil) (pred type-eq-decl nil defined_types nil) (specification type-eq-decl nil bdUnity nil) (empty? const-decl "bool" sets nil) (nnint_plus_nnint_is_nnint application-judgement "nonneg_int" integers nil) (member const-decl "bool" sets nil) (is_finite const-decl "bool" finite_sets nil) (finite_set type-eq-decl nil finite_sets nil) (maximum def-decl "nat" maxfinset nil) (real_le_is_total_order name-judgement "(total_order?[real])" real_props nil) (maximum_prop formula-decl nil maxfinset nil) (min const-decl "{a | S(a) AND (FORALL x: S(x) IMPLIES a <= x)}" min_nat nil) (nonempty? const-decl "bool" sets nil) (set type-eq-decl nil sets nil) (<= const-decl "bool" reals nil) (nnint_plus_posint_is_posint application-judgement "posint" integers nil) (int_minus_int_is_int application-judgement "int" integers nil) (real_lt_is_strict_total_order name-judgement "(strict_total_order?[real])" real_props nil) (+ const-decl "[numfield, numfield -> numfield]" number_fields nil) (numfield nonempty-type-eq-decl nil number_fields nil) (fw const-decl "bool" bdUnity nil) (< const-decl "bool" reals nil) (AND const-decl "[bool, bool -> bool]" booleans nil) (IMPLIES const-decl "[bool, bool -> bool]" booleans nil) (run const-decl "bool" bdUnity nil)) nil) (run_round-1 nil 3589012562 ("" (expand "run") (("" (expand "round") (("" (skosimp) (("" (expand "weakfair") (("" (expand "locallyfinite") (("" (inst -3 "xs!1(0)") (("" (split) (("1" (name-replace ena "{k | NOT disabled(s!1)(k)(xs!1(0))}" nil) (("1" (case "EXISTS n: FORALL k: ena(k) IMPLIES EXISTS i: i < n AND fw(s!1)(k)(xs!1(i), xs!1(1 + i))") (("1" (skosimp) (("1" (inst + n!1) (("1" (skolem!) (("1" (inst? -) (("1" (split) (("1" (propax) nil nil) ("2" (inst + 0) (("2" (expand "ena") (("2" (expand "fw") (("2" (assert) (("2" (postpone) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (postpone) nil nil)) nil)) nil) ("2" (postpone) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) nil shostak)) (rounds_TCC1 0 (rounds_TCC1-1 nil 3588952490 ("" (subtype-tcc) nil nil) ((boolean nonempty-type-decl nil booleans nil) (bool nonempty-type-eq-decl nil booleans nil) (NOT const-decl "[bool -> bool]" booleans nil) (number nonempty-type-decl nil numbers nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (number_field nonempty-type-from-decl nil number_fields nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (real nonempty-type-from-decl nil reals nil) (>= const-decl "bool" reals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (rational nonempty-type-from-decl nil rationals nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (int nonempty-type-eq-decl nil integers nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (real_ge_is_total_order name-judgement "(total_order?[real])" real_props nil) (real_le_is_total_order name-judgement "(total_order?[real])" real_props nil) (int_minus_int_is_int application-judgement "int" integers nil) (enabled const-decl "bool" bdUnity nil) (fw const-decl "bool" bdUnity nil) (round const-decl "bool" bdUnity nil)) nil)) (rounds_TCC2 0 (rounds_TCC2-1 nil 3588952490 ("" (termination-tcc) nil nil) ((enabled const-decl "bool" bdUnity nil) (fw const-decl "bool" bdUnity nil) (round const-decl "bool" bdUnity nil)) nil)) (rounds_TCC3 0 (rounds_TCC3-1 nil 3588952490 ("" (subtype-tcc) nil nil) ((boolean nonempty-type-decl nil booleans nil) (bool nonempty-type-eq-decl nil booleans nil) (NOT const-decl "[bool -> bool]" booleans nil) (number nonempty-type-decl nil numbers nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (number_field nonempty-type-from-decl nil number_fields nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (real nonempty-type-from-decl nil reals nil) (>= const-decl "bool" reals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (rational nonempty-type-from-decl nil rationals nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (int nonempty-type-eq-decl nil integers nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (real_ge_is_total_order name-judgement "(total_order?[real])" real_props nil) (real_le_is_total_order name-judgement "(total_order?[real])" real_props nil) (int_minus_int_is_int application-judgement "int" integers nil) (enabled const-decl "bool" bdUnity nil) (fw const-decl "bool" bdUnity nil) (round const-decl "bool" bdUnity nil) (minus_odd_is_odd application-judgement "odd_int" integers nil)) nil)) (run_rounds 0 (run_rounds-1 nil 3589016742 ("" (induct i) (("1" (expand "rounds") (("1" (propax) nil nil)) nil) ("2" (skosimp*) (("2" (expand rounds +) (("2" (use run_round) (("2" (assert) (("2" (skolem!) (("2" (inst - "s!1" "drop(n!1)(xs!1)") (("2" (assert) (("2" (split) (("1" (skolem!) (("1" (inst + "n!2+n!1" n!1) (("1" (assert) nil nil)) nil)) nil) ("2" (use drop_run) (("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((run_round formula-decl nil bdUnity nil) (drop_run formula-decl nil bdUnity nil) (real_le_is_total_order name-judgement "(total_order?[real])" real_props nil) (+ const-decl "[numfield, numfield -> numfield]" number_fields nil) (numfield nonempty-type-eq-decl nil number_fields nil) (nnint_plus_nnint_is_nnint application-judgement "nonneg_int" integers nil) (drop const-decl "t" bdUnity nil) (minus_odd_is_odd application-judgement "odd_int" integers nil) (nat_induction formula-decl nil naturalnumbers nil) (rounds def-decl "bool" bdUnity nil) (good const-decl "bool" bdUnity nil) (run const-decl "bool" bdUnity nil) (AND const-decl "[bool, bool -> bool]" booleans nil) (IMPLIES const-decl "[bool, bool -> bool]" booleans nil) (specification type-eq-decl nil bdUnity nil) (t formal-type-decl nil bdUnity nil) (pred type-eq-decl nil defined_types nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (>= const-decl "bool" reals nil) (bool nonempty-type-eq-decl nil booleans nil) (int nonempty-type-eq-decl nil integers nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (rational nonempty-type-from-decl nil rationals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (real nonempty-type-from-decl nil reals nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (boolean nonempty-type-decl nil booleans nil) (number nonempty-type-decl nil numbers nil)) shostak)) (rounds_split_TCC1 0 (rounds_split_TCC1-1 nil 3588952490 ("" (subtype-tcc) nil nil) ((boolean nonempty-type-decl nil booleans nil) (bool nonempty-type-eq-decl nil booleans nil) (NOT const-decl "[bool -> bool]" booleans nil) (number nonempty-type-decl nil numbers nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (number_field nonempty-type-from-decl nil number_fields nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (real nonempty-type-from-decl nil reals nil) (>= const-decl "bool" reals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (rational nonempty-type-from-decl nil rationals nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (int nonempty-type-eq-decl nil integers nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (real_ge_is_total_order name-judgement "(total_order?[real])" real_props nil) (nnint_plus_nnint_is_nnint application-judgement "nonneg_int" integers nil) (real_le_is_total_order name-judgement "(total_order?[real])" real_props nil) (int_minus_int_is_int application-judgement "int" integers nil) (minus_odd_is_odd application-judgement "odd_int" integers nil)) nil)) (rounds_split 0 (rounds_split-1 nil 3588952890 ("" (induct j) (("1" (skosimp) (("1" (inst + 0) (("1" (assert) (("1" (case "drop(0)(xs!1) = xs!1") (("1" (assert) (("1" (expand "rounds") (("1" (propax) nil nil)) nil)) nil) ("2" (hide - 2) (("2" (apply-extensionality :hide? t) (("2" (expand "drop") (("2" (propax) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (skosimp*) (("2" (expand rounds -2) (("2" (skosimp) (("2" (inst?) (("1" (assert) (("1" (skosimp) (("1" (inst + "i!1+j!2") (("1" (assert) (("1" (split) (("1" (expand rounds +) (("1" (inst?) (("1" (assert) nil nil)) nil)) nil) ("2" (case "drop(i!1)(drop(j!2)(xs!1)) = drop(i!1 + j!2)(xs!1)") (("1" (assert) nil nil) ("2" (hide - 2) (("2" (apply-extensionality :hide? t) (("2" (expand "drop") (("2" (propax) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (assert) nil nil)) nil)) nil)) nil)) nil) ("3" (hide 2) (("3" (skosimp*) (("3" (assert) nil nil)) nil)) nil)) nil) ((mult_divides2 application-judgement "(divides(m))" divides nil) (mult_divides1 application-judgement "(divides(n))" divides nil) (int_plus_int_is_int application-judgement "int" integers nil) (j!2 skolem-const-decl "nat" bdUnity nil) (n!1 skolem-const-decl "nat" bdUnity nil) (real_ge_is_total_order name-judgement "(total_order?[real])" real_props nil) (posint_plus_nnint_is_posint application-judgement "posint" integers nil) (real_le_is_total_order name-judgement "(total_order?[real])" real_props nil) (= const-decl "[T, T -> boolean]" equalities nil) (nat_induction formula-decl nil naturalnumbers nil) (drop const-decl "t" bdUnity nil) (number nonempty-type-decl nil numbers nil) (boolean nonempty-type-decl nil booleans nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (number_field nonempty-type-from-decl nil number_fields nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (real nonempty-type-from-decl nil reals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (rational nonempty-type-from-decl nil rationals nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (int nonempty-type-eq-decl nil integers nil) (bool nonempty-type-eq-decl nil booleans nil) (>= const-decl "bool" reals nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (t formal-type-decl nil bdUnity nil) (pred type-eq-decl nil defined_types nil) (specification type-eq-decl nil bdUnity nil) (IMPLIES const-decl "[bool, bool -> bool]" booleans nil) (rounds def-decl "bool" bdUnity nil) (numfield nonempty-type-eq-decl nil number_fields nil) (+ const-decl "[numfield, numfield -> numfield]" number_fields nil) (AND const-decl "[bool, bool -> bool]" booleans nil) (<= const-decl "bool" reals nil) (- const-decl "[numfield, numfield -> numfield]" number_fields nil) (nnint_plus_nnint_is_nnint application-judgement "nonneg_int" integers nil) (int_minus_int_is_int application-judgement "int" integers nil) (minus_odd_is_odd application-judgement "odd_int" integers nil)) shostak)) (rounds_down 0 (rounds_down-1 nil 3588997970 ("" (induct i) (("1" (expand "rounds") (("1" (propax) nil nil)) nil) ("2" (skosimp*) (("2" (expand rounds (-3 1)) (("2" (assert) (("2" (skosimp) (("2" (inst?) (("1" (assert) (("1" (inst?) (("1" (assert) nil nil)) nil)) nil) ("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil) ((nnint_plus_posint_is_posint application-judgement "posint" integers nil) (real_le_is_total_order name-judgement "(total_order?[real])" real_props nil) (real_ge_is_total_order name-judgement "(total_order?[real])" real_props nil) (int_minus_int_is_int application-judgement "int" integers nil) (numfield nonempty-type-eq-decl nil number_fields nil) (- const-decl "[numfield, numfield -> numfield]" number_fields nil) (n!1 skolem-const-decl "nat" bdUnity nil) (j!3 skolem-const-decl "nat" bdUnity nil) (drop const-decl "t" bdUnity nil) (posint_plus_nnint_is_posint application-judgement "posint" integers nil) (minus_odd_is_odd application-judgement "odd_int" integers nil) (nat_induction formula-decl nil naturalnumbers nil) (rounds def-decl "bool" bdUnity nil) (<= const-decl "bool" reals nil) (AND const-decl "[bool, bool -> bool]" booleans nil) (IMPLIES const-decl "[bool, bool -> bool]" booleans nil) (specification type-eq-decl nil bdUnity nil) (t formal-type-decl nil bdUnity nil) (pred type-eq-decl nil defined_types nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (>= const-decl "bool" reals nil) (bool nonempty-type-eq-decl nil booleans nil) (int nonempty-type-eq-decl nil integers nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (rational nonempty-type-from-decl nil rationals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (real nonempty-type-from-decl nil reals nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (boolean nonempty-type-decl nil booleans nil) (number nonempty-type-decl nil numbers nil)) shostak)) (rounds_furtheron 0 (rounds_furtheron-1 nil 3588998257 ("" (induct j) (("1" (expand "rounds") (("1" (propax) nil nil)) nil) ("2" (skosimp*) (("2" (expand rounds (-2 1)) (("2" (skosimp) (("2" (inst + "i!1+j!2") (("2" (assert) (("2" (case "drop(j!2)(drop(i!1)(xs!1)) = drop(i!1 + j!2)(xs!1)") (("1" (assert) (("1" (hide-all-but -4 -) (("1" (expand "round") (("1" (skolem!) (("1" (inst? -) (("1" (skosimp) (("1" (expand "drop") (("1" (inst?) (("1" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (hide - 2) (("2" (apply-extensionality :hide? t) (("2" (expand "drop") (("2" (propax) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((real_le_is_total_order name-judgement "(total_order?[real])" real_props nil) (round const-decl "bool" bdUnity nil) (real_lt_is_strict_total_order name-judgement "(strict_total_order?[real])" real_props nil) (posint_plus_nnint_is_posint application-judgement "posint" integers nil) (= const-decl "[T, T -> boolean]" equalities nil) (int_minus_int_is_int application-judgement "int" integers nil) (minus_odd_is_odd application-judgement "odd_int" integers nil) (nat_induction formula-decl nil naturalnumbers nil) (+ const-decl "[numfield, numfield -> numfield]" number_fields nil) (numfield nonempty-type-eq-decl nil number_fields nil) (drop const-decl "t" bdUnity nil) (rounds def-decl "bool" bdUnity nil) (IMPLIES const-decl "[bool, bool -> bool]" booleans nil) (specification type-eq-decl nil bdUnity nil) (t formal-type-decl nil bdUnity nil) (pred type-eq-decl nil defined_types nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (>= const-decl "bool" reals nil) (bool nonempty-type-eq-decl nil booleans nil) (int nonempty-type-eq-decl nil integers nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (rational nonempty-type-from-decl nil rationals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (real nonempty-type-from-decl nil reals nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (boolean nonempty-type-decl nil booleans nil) (number nonempty-type-decl nil numbers nil) (nnint_plus_nnint_is_nnint application-judgement "nonneg_int" integers nil)) shostak)) (leto_leadsto 0 (leto_leadsto-1 nil 3589011046 ("" (expand "leadsto") (("" (expand "leto") (("" (skosimp*) (("" (inst? -) (("" (assert) (("" (split) (("1" (use run_rounds) (("1" (assert) (("1" (skolem!) (("1" (inst?) (("1" (assert) (("1" (skosimp) (("1" (inst?) nil nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (expand "run") (("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((leto const-decl "bool" bdUnity nil) (number nonempty-type-decl nil numbers nil) (boolean nonempty-type-decl nil booleans nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (number_field nonempty-type-from-decl nil number_fields nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (real nonempty-type-from-decl nil reals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (rational nonempty-type-from-decl nil rationals nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (int nonempty-type-eq-decl nil integers nil) (bool nonempty-type-eq-decl nil booleans nil) (>= const-decl "bool" reals nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (t formal-type-decl nil bdUnity nil) (specification type-eq-decl nil bdUnity nil) (pred type-eq-decl nil defined_types nil) (run_rounds formula-decl nil bdUnity nil) (run const-decl "bool" bdUnity nil) (leadsto const-decl "bool" bdUnity nil)) shostak)) (subset_leto 0 (subset_leto-1 nil 3589000108 ("" (expand "leto") (("" (skosimp*) (("" (inst?) (("" (assert) (("" (expand "exec") (("" (inst?) (("" (flatten) (("" (expand "<=") (("" (expand "cap") (("" (inst?) (("" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((real_le_is_total_order name-judgement "(total_order?[real])" real_props nil) (<= const-decl "bool" mucalculus nil) (t formal-type-decl nil bdUnity nil) (posint_plus_nnint_is_posint application-judgement "posint" integers nil) (odd_plus_even_is_odd application-judgement "odd_int" integers nil) (cap const-decl "bool" ownpred nil) (exec const-decl "bool" bdUnity nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (>= const-decl "bool" reals nil) (bool nonempty-type-eq-decl nil booleans nil) (int nonempty-type-eq-decl nil integers nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (rational nonempty-type-from-decl nil rationals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (real nonempty-type-from-decl nil reals nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (boolean nonempty-type-decl nil booleans nil) (number nonempty-type-decl nil numbers nil) (leto const-decl "bool" bdUnity nil)) shostak)) (ensures_leto 0 (ensures_leto-1 nil 3679324615 ("" (expand "leto") (("" (expand "ensures") (("" (expand "co") (("" (expand "transient") (("" (expand "cap") (("" (skosimp*) (("" (expand "<=" -) (("" (expand "neg") (("" (expand "rounds") (("" (expand "rounds") (("" (expand "round") (("" (skosimp) (("" (inst? -7) (("" (expand "fw") (("" (expand "wp") (("" (expand "exec") (("" (case "forall n: n <= n!1 implies p!1(xs!1(n))") (("1" (skosimp) (("1" (split) (("1" (inst? -5) (("1" (inst? -6) (("1" (flatten) (("1" (assert) (("1" (inst-cp - i!1) (("1" (inst - "1+i!1") (("1" (assert) (("1" (inst-cp + i!1) (("1" (inst + "1+i!1") (("1" (assert) (("1" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (inst? -3) (("2" (inst? -5) (("2" (flatten) (("2" (inst?) (("2" (assert) (("2" (inst + i!1) (("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (induct n) (("1" (assert) nil nil) ("2" (skosimp) (("2" (assert) (("2" (inst?) (("2" (inst? -6) (("2" (flatten) (("2" (assert) (("2" (split) (("1" (inst?) (("1" (expand "cup") (("1" (inst + "1+j!2") (("1" (assert) nil nil)) nil)) nil)) nil) ("2" (inst + j!2) (("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((ensures const-decl "bool" bdUnity nil) (transient const-decl "bool" bdUnity nil) (neg const-decl "bool" ownpred nil) (fw const-decl "bool" bdUnity nil) (exec const-decl "bool" bdUnity nil) (nat_induction formula-decl nil naturalnumbers nil) (nnint_plus_posint_is_posint application-judgement "posint" integers nil) (cup const-decl "bool" ownpred nil) (posint_plus_nnint_is_posint application-judgement "posint" integers nil) (+ const-decl "[numfield, numfield -> numfield]" number_fields nil) (numfield nonempty-type-eq-decl nil number_fields nil) (real_le_is_total_order name-judgement "(total_order?[real])" real_props nil) (real_lt_is_strict_total_order name-judgement "(strict_total_order?[real])" real_props nil) (pred type-eq-decl nil defined_types nil) (t formal-type-decl nil bdUnity nil) (<= const-decl "bool" reals nil) (IMPLIES const-decl "[bool, bool -> bool]" booleans nil) (wp const-decl "bool" ownpred nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (>= const-decl "bool" reals nil) (bool nonempty-type-eq-decl nil booleans nil) (int nonempty-type-eq-decl nil integers nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (rational nonempty-type-from-decl nil rationals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (real nonempty-type-from-decl nil reals nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (boolean nonempty-type-decl nil booleans nil) (number nonempty-type-decl nil numbers nil) (round const-decl "bool" bdUnity nil) (rounds def-decl "bool" bdUnity nil) (minus_odd_is_odd application-judgement "odd_int" integers nil) (<= const-decl "bool" mucalculus nil) (cap const-decl "bool" ownpred nil) (co const-decl "bool" bdUnity nil) (leto const-decl "bool" bdUnity nil)) shostak)) (leto_union 0 (leto_union-1 nil 3589002235 ("" (expand "leto") (("" (skosimp*) (("" (expand "Union") (("" (skosimp) (("" (typepred a!1) (("" (inst? -) (("" (assert) (("" (inst?) (("" (assert) (("" (inst? -) (("" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((number nonempty-type-decl nil numbers nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (number_field nonempty-type-from-decl nil number_fields nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (real nonempty-type-from-decl nil reals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (rational nonempty-type-from-decl nil rationals nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (int nonempty-type-eq-decl nil integers nil) (>= const-decl "bool" reals nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (boolean nonempty-type-decl nil booleans nil) (bool nonempty-type-eq-decl nil booleans nil) (NOT const-decl "[bool -> bool]" booleans nil) (t formal-type-decl nil bdUnity nil) (pred type-eq-decl nil defined_types nil) (Union const-decl "set" sets nil) (leto const-decl "bool" bdUnity nil)) shostak)) (leto_transitive 0 (leto_transitive-2 nil 3624287781 ("" (expand "leto") (("" (skosimp*) (("" (use rounds_split (j m!1 m n!1)) (("" (assert) (("" (skosimp) (("" (inst? -) (("" (assert) (("" (inst? -) (("" (assert) (("" (skosimp) (("" (inst - "drop(i!2)(xs!1)") (("" (split) (("1" (inst - "n!2-i!2") (("1" (split) (("1" (skosimp) (("1" (expand "drop") (("1" (inst + "i!2+i!3") (("1" (assert) nil nil)) nil)) nil)) nil) ("2" (hide -2 -8 2) (("2" (use rounds_furtheron (n "n!2-i!1" i "i!1-i!2")) (("1" (assert) (("1" (case "drop(i!1 - i!2)(drop(i!2)(xs!1)) = drop(i!1)(xs!1)") (("1" (assert) nil nil) ("2" (hide - 2 3) (("2" (apply-extensionality :hide? t) (("2" (expand "drop") (("2" (propax) nil nil)) nil)) nil)) nil)) nil)) nil) ("2" (assert) nil nil)) nil)) nil)) nil) ("2" (assert) nil nil)) nil) ("2" (hide-all-but (-6 1)) (("2" (expand "exec") (("2" (expand "drop") (("2" (skolem!) (("2" (inst?) (("2" (ground) nil nil)) nil)) nil)) nil)) nil)) nil) ("3" (expand "drop") (("3" (propax) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((minus_odd_is_odd application-judgement "odd_int" integers nil) (nnint_plus_nnint_is_nnint application-judgement "nonneg_int" integers nil) (+ const-decl "[numfield, numfield -> numfield]" number_fields nil) (rounds_furtheron formula-decl nil bdUnity nil) (= const-decl "[T, T -> boolean]" equalities nil) (i!2 skolem-const-decl "nat" bdUnity nil) (n!2 skolem-const-decl "nat" bdUnity nil) (- const-decl "[numfield, numfield -> numfield]" number_fields nil) (numfield nonempty-type-eq-decl nil number_fields nil) (real_ge_is_total_order name-judgement "(total_order?[real])" real_props nil) (exec const-decl "bool" bdUnity nil) (posint_plus_nnint_is_posint application-judgement "posint" integers nil) (drop const-decl "t" bdUnity nil) (real_le_is_total_order name-judgement "(total_order?[real])" real_props nil) (int_minus_int_is_int application-judgement "int" integers nil) (t formal-type-decl nil bdUnity nil) (pred type-eq-decl nil defined_types nil) (specification type-eq-decl nil bdUnity nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (>= const-decl "bool" reals nil) (bool nonempty-type-eq-decl nil booleans nil) (int nonempty-type-eq-decl nil integers nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (rational nonempty-type-from-decl nil rationals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (real nonempty-type-from-decl nil reals nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (boolean nonempty-type-decl nil booleans nil) (number nonempty-type-decl nil numbers nil) (rounds_split formula-decl nil bdUnity nil) (leto const-decl "bool" bdUnity nil)) nil) (leto_transitive-1 nil 3589002397 ("" (expand "leto") (("" (skosimp*) (("" (use rounds_split (j n!1 m m!1)) (("" (assert) (("" (skosimp) (("" (inst? -) (("" (assert) (("" (inst? -) (("" (assert) (("" (skosimp) (("" (inst - "drop(i!2)(xs!1)") (("" (split) (("1" (inst - "n!2-i!2") (("1" (split) (("1" (skosimp) (("1" (expand "drop") (("1" (inst + "i!2+i!3") (("1" (assert) nil nil)) nil)) nil)) nil) ("2" (hide -2 -8 2) (("2" (use rounds_furtheron (n "n!2-i!1" i "i!1-i!2")) (("1" (assert) (("1" (case "drop(i!1 - i!2)(drop(i!2)(xs!1)) = drop(i!1)(xs!1)") (("1" (assert) nil nil) ("2" (hide - 2 3) (("2" (apply-extensionality :hide? t) (("2" (expand "drop") (("2" (propax) nil nil)) nil)) nil)) nil)) nil)) nil) ("2" (assert) nil nil)) nil)) nil)) nil) ("2" (assert) nil nil)) nil) ("2" (hide-all-but (-6 1)) (("2" (expand "exec") (("2" (expand "drop") (("2" (skolem!) (("2" (inst?) (("2" (ground) nil nil)) nil)) nil)) nil)) nil)) nil) ("3" (expand "drop") (("3" (propax) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((minus_odd_is_odd application-judgement "odd_int" integers nil) (nnint_plus_nnint_is_nnint application-judgement "nonneg_int" integers nil) (+ const-decl "[numfield, numfield -> numfield]" number_fields nil) (rounds_furtheron formula-decl nil bdUnity nil) (= const-decl "[T, T -> boolean]" equalities nil) (- const-decl "[numfield, numfield -> numfield]" number_fields nil) (numfield nonempty-type-eq-decl nil number_fields nil) (real_ge_is_total_order name-judgement "(total_order?[real])" real_props nil) (exec const-decl "bool" bdUnity nil) (posint_plus_nnint_is_posint application-judgement "posint" integers nil) (drop const-decl "t" bdUnity nil) (real_le_is_total_order name-judgement "(total_order?[real])" real_props nil) (int_minus_int_is_int application-judgement "int" integers nil) (t formal-type-decl nil bdUnity nil) (pred type-eq-decl nil defined_types nil) (specification type-eq-decl nil bdUnity nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (>= const-decl "bool" reals nil) (bool nonempty-type-eq-decl nil booleans nil) (int nonempty-type-eq-decl nil integers nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (rational nonempty-type-from-decl nil rationals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (real nonempty-type-from-decl nil reals nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (boolean nonempty-type-decl nil booleans nil) (number nonempty-type-decl nil numbers nil) (rounds_split formula-decl nil bdUnity nil) (leto const-decl "bool" bdUnity nil)) shostak)) (PSP_leto 0 (PSP_leto-1 nil 3616922384 ("" (expand "leto") (("" (skosimp*) (("" (inst?) (("" (assert) (("" (expand "cap") (("" (flatten) (("" (assert) (("" (expand "cup") (("" (inst?) (("" (assert) (("" (skosimp) (("" (case "forall n: n <= n!2 implies pa!1(xs!1(n))") (("1" (inst - i!1) (("1" (inst + i!1) (("1" (assert) nil nil)) nil)) nil) ("2" (induct n) (("1" (assert) nil nil) ("2" (skosimp) (("2" (assert) (("2" (expand "unless") (("2" (expand "<=" -5) (("2" (expand "cap") (("2" (expand "wp") (("2" (expand "neg") (("2" (expand "cup") (("2" (inst? -) (("2" (assert) (("2" (expand "exec") (("2" (inst? -) (("2" (flatten) (("2" (assert) (("2" (split) (("1" (inst - "xs!1(1 + j!1)") (("1" (assert) (("1" (inst?) (("1" (assert) nil nil)) nil)) nil)) nil) ("2" (inst + j!1) (("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((cup const-decl "bool" ownpred nil) (pred type-eq-decl nil defined_types nil) (<= const-decl "bool" reals nil) (IMPLIES const-decl "[bool, bool -> bool]" booleans nil) (real_le_is_total_order name-judgement "(total_order?[real])" real_props nil) (unless const-decl "bool" bdUnity nil) (neg const-decl "bool" ownpred nil) (exec const-decl "bool" bdUnity nil) (numfield nonempty-type-eq-decl nil number_fields nil) (+ const-decl "[numfield, numfield -> numfield]" number_fields nil) (posint_plus_nnint_is_posint application-judgement "posint" integers nil) (wp const-decl "bool" ownpred nil) (<= const-decl "bool" mucalculus nil) (nnint_plus_posint_is_posint application-judgement "posint" integers nil) (nat_induction formula-decl nil naturalnumbers nil) (cap const-decl "bool" ownpred nil) (t formal-type-decl nil bdUnity nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (>= const-decl "bool" reals nil) (bool nonempty-type-eq-decl nil booleans nil) (int nonempty-type-eq-decl nil integers nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (rational nonempty-type-from-decl nil rationals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (real nonempty-type-from-decl nil reals nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (boolean nonempty-type-decl nil booleans nil) (number nonempty-type-decl nil numbers nil) (leto const-decl "bool" bdUnity nil)) shostak)) (PSP0_leto 0 (PSP0_leto-2 nil 3679111200 ("" (skosimp) (("" (lemma PSP_leto) (("" (inst?) (("" (inst?) (("" (assert) (("" (case "cap(fullset, p!1) = p!1") (("1" (replaceh -1) (("1" (case "cup(cap(neg(pa!1), p!1), q!1) = q!1") (("1" (assert) nil nil) ("2" (hide -1 -2 2) (("2" (apply-extensionality :hide? t) (("2" (iff) (("2" (expand "cup") (("2" (prop) (("2" (expand "cap") (("2" (expand "neg") (("2" (flatten) (("2" (expand "<=") (("2" (inst?) (("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (hide -1 -2 2) (("2" (apply-extensionality :hide? t) (("2" (iff) (("2" (expand "cap") (("2" (prop) (("2" (expand "fullset") (("2" (propax) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((PSP_leto formula-decl nil bdUnity nil) (= const-decl "[T, T -> boolean]" equalities nil) (cap const-decl "bool" ownpred nil) (cup const-decl "bool" ownpred nil) (<= const-decl "bool" mucalculus nil) (specification type-eq-decl nil bdUnity nil) (neg const-decl "bool" ownpred nil) (fullset const-decl "set" sets nil) (set type-eq-decl nil sets nil) (pred type-eq-decl nil defined_types nil) (t formal-type-decl nil bdUnity nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (>= const-decl "bool" reals nil) (bool nonempty-type-eq-decl nil booleans nil) (int nonempty-type-eq-decl nil integers nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (rational nonempty-type-from-decl nil rationals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (real nonempty-type-from-decl nil reals nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (boolean nonempty-type-decl nil booleans nil) (number nonempty-type-decl nil numbers nil)) nil) (PSP0_leto-1 nil 3671098970 ("" (skosimp) (("" (lemma PSP_leto) (("" (inst?) (("" (inst?) (("" (assert) (("" (case "cap(pa!1, p!1) = p!1") (("1" (replaceh -1) (("1" (case "cup(cap(neg(pa!1), p!1), q!1) = q!1") (("1" (assert) nil nil) ("2" (hide -1 -2 2) (("2" (apply-extensionality :hide? t) (("2" (iff) (("2" (expand "cup") (("2" (prop) (("2" (expand "cap") (("2" (expand "neg") (("2" (flatten) (("2" (expand "<=") (("2" (inst?) (("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (hide -1 -2 2) (("2" (apply-extensionality :hide? t) (("2" (iff) (("2" (expand "cap") (("2" (prop) (("2" (expand "<=") (("2" (inst?) (("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((PSP_leto formula-decl nil bdUnity nil) (= const-decl "[T, T -> boolean]" equalities nil) (cap const-decl "bool" ownpred nil) (cup const-decl "bool" ownpred nil) (<= const-decl "bool" mucalculus nil) (specification type-eq-decl nil bdUnity nil) (neg const-decl "bool" ownpred nil) (pred type-eq-decl nil defined_types nil) (t formal-type-decl nil bdUnity nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (>= const-decl "bool" reals nil) (bool nonempty-type-eq-decl nil booleans nil) (int nonempty-type-eq-decl nil integers nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (rational nonempty-type-from-decl nil rationals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (real nonempty-type-from-decl nil reals nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (boolean nonempty-type-decl nil booleans nil) (number nonempty-type-decl nil numbers nil)) shostak)) (leto_completion 0 (leto_completion-1 nil 3616918278 ("" (expand "leto") (("" (skosimp*) (("" (case "FORALL q: pset!1(q) IMPLIES (EXISTS i: i <= n!2 AND q(xs!1(i))) AND unless(s!1)(q, pm!1)") (("1" (hide -2) (("1" (expand "cup") (("1" (case "EXISTS i: i <= n!2 AND pm!1(xs!1(i))") (("1" (skolem!) (("1" (flatten) (("1" (inst? +) (("1" (assert) nil nil)) nil)) nil)) nil) ("2" (inst 2 n!2) (("2" (assert) (("2" (flatten) (("2" (expand "Intersection") (("2" (skolem!) (("2" (inst - a!1) (("2" (assert) (("2" (flatten) (("2" (skosimp) (("2" (expand "unless") (("2" (expand "<=" -3) (("2" (expand "wp") (("2" (expand "cup") (("2" (expand "cap") (("2" (expand "neg") (("2" (expand "exec") (("2" (case "forall n: i!1+n <= n!2 IMPLIES a!1(xs!1(i!1+n))") (("1" (inst - "n!2-i!1") (("1" (assert) nil nil) ("2" (assert) nil nil)) nil) ("2" (induct n) (("1" (assert) nil nil) ("2" (skosimp) (("2" (assert) (("2" (inst? -) (("2" (inst? -6) (("2" (flatten) (("2" (assert) (("2" (split) (("1" (inst - "xs!1(1 + i!1 + j!1)") (("1" (assert) (("1" (inst? 2) (("1" (assert) nil nil)) nil)) nil)) nil) ("2" (inst + "i!1 + j!1") (("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (hide 2) (("2" (skosimp) (("2" (inst?) (("2" (assert) (("2" (flatten) (("2" (inst?) (("2" (assert) (("2" (inst? -2) (("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((real_le_is_total_order name-judgement "(total_order?[real])" real_props nil) (Intersection const-decl "set" sets nil) (wp const-decl "bool" ownpred nil) (cap const-decl "bool" ownpred nil) (exec const-decl "bool" bdUnity nil) (nat_induction formula-decl nil naturalnumbers nil) (posint_plus_nnint_is_posint application-judgement "posint" integers nil) (nnint_plus_posint_is_posint application-judgement "posint" integers nil) (minus_odd_is_odd application-judgement "odd_int" integers nil) (real_ge_is_total_order name-judgement "(total_order?[real])" real_props nil) (int_minus_int_is_int application-judgement "int" integers nil) (- const-decl "[numfield, numfield -> numfield]" number_fields nil) (n!2 skolem-const-decl "nat" bdUnity nil) (i!1 skolem-const-decl "nat" bdUnity nil) (int_plus_int_is_int application-judgement "int" integers nil) (+ const-decl "[numfield, numfield -> numfield]" number_fields nil) (numfield nonempty-type-eq-decl nil number_fields nil) (nnint_plus_nnint_is_nnint application-judgement "nonneg_int" integers nil) (neg const-decl "bool" ownpred nil) (<= const-decl "bool" mucalculus nil) (cup const-decl "bool" ownpred nil) (t formal-type-decl nil bdUnity nil) (boolean nonempty-type-decl nil booleans nil) (bool nonempty-type-eq-decl nil booleans nil) (pred type-eq-decl nil defined_types nil) (IMPLIES const-decl "[bool, bool -> bool]" booleans nil) (AND const-decl "[bool, bool -> bool]" booleans nil) (number nonempty-type-decl nil numbers nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (number_field nonempty-type-from-decl nil number_fields nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (real nonempty-type-from-decl nil reals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (rational nonempty-type-from-decl nil rationals nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (int nonempty-type-eq-decl nil integers nil) (>= const-decl "bool" reals nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (<= const-decl "bool" reals nil) (specification type-eq-decl nil bdUnity nil) (unless const-decl "bool" bdUnity nil) (leto const-decl "bool" bdUnity nil)) shostak)) (stable_conjunction 0 (stable_conjunction-2 nil 3624287101 ("" (skosimp) (("" (lemma PSP_leto) (("" (inst?) (("" (inst - pa!1 emptyset) (("" (assert) (("" (split) (("1" (case "cup(cap(q!1, pa!1), emptyset) =cap(q!1, pa!1)") (("1" (assert) nil nil) ("2" (hide - 2) (("2" (apply-extensionality :hide? t) (("2" (iff) (("2" (expand "cup") (("2" (expand "emptyset") (("2" (propax) nil nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (hide -1 2) (("2" (expand "unless") (("2" (expand "stable") (("2" (expand "co") (("2" (expand "<=") (("2" (expand "wp") (("2" (expand "cup") (("2" (expand "cap") (("2" (expand "neg") (("2" (expand "emptyset") (("2" (propax) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((PSP_leto formula-decl nil bdUnity nil) (emptyset const-decl "set" sets nil) (set type-eq-decl nil sets nil) (cap const-decl "bool" ownpred nil) (cup const-decl "bool" ownpred nil) (= const-decl "[T, T -> boolean]" equalities nil) (unless const-decl "bool" bdUnity nil) (co const-decl "bool" bdUnity nil) (wp const-decl "bool" ownpred nil) (neg const-decl "bool" ownpred nil) (<= const-decl "bool" mucalculus nil) (stable const-decl "bool" bdUnity nil) (finite_emptyset name-judgement "finite_set" finite_sets nil) (specification type-eq-decl nil bdUnity nil) (pred type-eq-decl nil defined_types nil) (t formal-type-decl nil bdUnity nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (>= const-decl "bool" reals nil) (bool nonempty-type-eq-decl nil booleans nil) (int nonempty-type-eq-decl nil integers nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (rational nonempty-type-from-decl nil rationals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (real nonempty-type-from-decl nil reals nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (boolean nonempty-type-decl nil booleans nil) (number nonempty-type-decl nil numbers nil)) nil) (stable_conjunction-1 nil 3617510892 ("" (skosimp) (("" (lemma PSP_leadold) (("" (inst?) (("" (inst - pa!1 emptyset) (("" (assert) (("" (split) (("1" (case "cup(cap(q!1, pa!1), emptyset) =cap(q!1, pa!1)") (("1" (assert) nil nil) ("2" (hide - 2) (("2" (apply-extensionality :hide? t) (("2" (iff) (("2" (expand "cup") (("2" (expand "emptyset") (("2" (propax) nil nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (hide -1 2) (("2" (expand "unless") (("2" (expand "stable") (("2" (expand "co") (("2" (expand "<=") (("2" (expand "wp") (("2" (expand "cup") (("2" (expand "cap") (("2" (expand "neg") (("2" (expand "emptyset") (("2" (propax) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((emptyset const-decl "set" sets nil) (set type-eq-decl nil sets nil) (cap const-decl "bool" ownpred nil) (cup const-decl "bool" ownpred nil) (= const-decl "[T, T -> boolean]" equalities nil) (unless const-decl "bool" bdUnity nil) (co const-decl "bool" bdUnity nil) (wp const-decl "bool" ownpred nil) (neg const-decl "bool" ownpred nil) (<= const-decl "bool" mucalculus nil) (stable const-decl "bool" bdUnity nil) (finite_emptyset name-judgement "finite_set" finite_sets nil) (specification type-eq-decl nil bdUnity nil) (pred type-eq-decl nil defined_types nil) (t formal-type-decl nil bdUnity nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (>= const-decl "bool" reals nil) (bool nonempty-type-eq-decl nil booleans nil) (int nonempty-type-eq-decl nil integers nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (rational nonempty-type-from-decl nil rationals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (real nonempty-type-from-decl nil reals nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (boolean nonempty-type-decl nil booleans nil) (number nonempty-type-decl nil numbers nil)) shostak)) (cup_leto 0 (cup_leto-1 nil 3624287140 ("" (skosimp) (("" (lemma leto_union) (("" (name ppset "{p:pred[t] | p = p!1 OR p = pq!1}") (("" (inst - m!1 ppset q!1 s!1) (("" (case "Union(ppset) = cup(p!1, pq!1)") (("1" (replaceh -1) (("1" (assert) (("1" (skosimp) (("1" (expand "ppset") (("1" (split) (("1" (assert) nil nil) ("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil) ("2" (hide - 2) (("2" (apply-extensionality :hide? t) (("2" (iff) (("2" (prop) (("1" (expand "Union") (("1" (expand "cup") (("1" (flatten) (("1" (skolem!) (("1" (typepred a!1) (("1" (expand "ppset") (("1" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (expand "Union") (("2" (expand "cup") (("2" (split) (("1" (inst?) (("1" (expand "ppset") (("1" (propax) nil nil)) nil)) nil) ("2" (inst?) (("2" (assert) (("2" (expand "ppset") (("2" (propax) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((leto_union formula-decl nil bdUnity nil) (number nonempty-type-decl nil numbers nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (number_field nonempty-type-from-decl nil number_fields nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (real nonempty-type-from-decl nil reals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (rational nonempty-type-from-decl nil rationals nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (int nonempty-type-eq-decl nil integers nil) (>= const-decl "bool" reals nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (specification type-eq-decl nil bdUnity nil) (p!1 skolem-const-decl "pred[t]" bdUnity nil) (pq!1 skolem-const-decl "pred[t]" bdUnity nil) (NOT const-decl "[bool -> bool]" booleans nil) (Union_surjective name-judgement "(surjective?[setofsets[T], set[T]])" sets_lemmas nil) (ppset skolem-const-decl "[pred[t] -> boolean]" bdUnity nil) (cup const-decl "bool" ownpred nil) (Union const-decl "set" sets nil) (setofsets type-eq-decl nil sets nil) (setof type-eq-decl nil defined_types nil) (set type-eq-decl nil sets nil) (t formal-type-decl nil bdUnity nil) (boolean nonempty-type-decl nil booleans nil) (bool nonempty-type-eq-decl nil booleans nil) (pred type-eq-decl nil defined_types nil) (= const-decl "[T, T -> boolean]" equalities nil) (OR const-decl "[bool, bool -> bool]" booleans nil)) shostak)) (leto_transitive_2 0 (leto_transitive_2-1 nil 3624287477 ("" (skosimp) (("" (lemma leto_transitive) (("" (inst - m!1 n!1 p!1 "cup(pq!1, pa!1)" "cup(q!1, pa!1)" s!1) (("" (assert) (("" (hide -1 2) (("" (use cup_leto) (("" (assert) (("" (hide - 2) (("" (use subset_leto) (("" (assert) (("" (hide 2) (("" (expand "<=") (("" (expand "cup") (("" (expand "cap") (("" (skosimp) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((leto_transitive formula-decl nil bdUnity nil) (nnint_plus_nnint_is_nnint application-judgement "nonneg_int" integers nil) (cup_leto formula-decl nil bdUnity nil) (<= const-decl "bool" mucalculus nil) (cap const-decl "bool" ownpred nil) (subset_leto formula-decl nil bdUnity nil) (specification type-eq-decl nil bdUnity nil) (cup const-decl "bool" ownpred nil) (pred type-eq-decl nil defined_types nil) (t formal-type-decl nil bdUnity nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (>= const-decl "bool" reals nil) (bool nonempty-type-eq-decl nil booleans nil) (int nonempty-type-eq-decl nil integers nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (rational nonempty-type-from-decl nil rationals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (real nonempty-type-from-decl nil reals nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (boolean nonempty-type-decl nil booleans nil) (number nonempty-type-decl nil numbers nil)) shostak)) (leto_transitive_1 0 (leto_transitive_1-1 nil 3624287959 ("" (skosimp) (("" (lemma leto_transitive_2) (("" (inst - m!1 n!1 p!1 q!1 pq!1 q!1 s!1) (("" (assert) (("" (case "cup(q!1, q!1)=q!1") (("1" (assert) nil nil) ("2" (hide - 2) (("2" (apply-extensionality :hide? t) (("2" (expand "cup") (("2" (iff) (("2" (prop) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((leto_transitive_2 formula-decl nil bdUnity nil) (nnint_plus_nnint_is_nnint application-judgement "nonneg_int" integers nil) (cup const-decl "bool" ownpred nil) (= const-decl "[T, T -> boolean]" equalities nil) (specification type-eq-decl nil bdUnity nil) (pred type-eq-decl nil defined_types nil) (t formal-type-decl nil bdUnity nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (>= const-decl "bool" reals nil) (bool nonempty-type-eq-decl nil booleans nil) (int nonempty-type-eq-decl nil integers nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (rational nonempty-type-from-decl nil rationals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (real nonempty-type-from-decl nil reals nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (boolean nonempty-type-decl nil booleans nil) (number nonempty-type-decl nil numbers nil)) shostak)) (leto_up 0 (leto_up-1 nil 3624288190 ("" (skosimp) (("" (lemma leto_transitive) (("" (inst - i!1 "j!1-i!1" p!1 q!1 q!1 s!1) (("1" (assert) (("1" (hide -1 2) (("1" (use subset_leto) (("1" (assert) (("1" (hide -1 2) (("1" (expand "<=") (("1" (expand "cap") (("1" (skosimp) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (assert) nil nil)) nil)) nil)) nil) ((leto_transitive formula-decl nil bdUnity nil) (real_le_is_total_order name-judgement "(total_order?[real])" real_props nil) (subset_leto formula-decl nil bdUnity nil) (cap const-decl "bool" ownpred nil) (<= const-decl "bool" mucalculus nil) (specification type-eq-decl nil bdUnity nil) (pred type-eq-decl nil defined_types nil) (t formal-type-decl nil bdUnity nil) (number nonempty-type-decl nil numbers nil) (boolean nonempty-type-decl nil booleans nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (number_field nonempty-type-from-decl nil number_fields nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (real nonempty-type-from-decl nil reals nil) (bool nonempty-type-eq-decl nil booleans nil) (>= const-decl "bool" reals nil) (numfield nonempty-type-eq-decl nil number_fields nil) (- const-decl "[numfield, numfield -> numfield]" number_fields nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (rational nonempty-type-from-decl nil rationals nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (int nonempty-type-eq-decl nil integers nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (j!1 skolem-const-decl "nat" bdUnity nil) (i!1 skolem-const-decl "nat" bdUnity nil) (int_minus_int_is_int application-judgement "int" integers nil) (real_ge_is_total_order name-judgement "(total_order?[real])" real_props nil) (minus_odd_is_odd application-judgement "odd_int" integers nil)) shostak)) (sub_leto 0 (sub_leto-1 nil 3624288385 ("" (skosimp) (("" (lemma leto_transitive) (("" (inst - 0 n!1 p!1 pq!1 q!1 s!1) (("" (assert) (("" (hide -2 2) (("" (use subset_leto) (("" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil) ((leto_transitive formula-decl nil bdUnity nil) (subset_leto formula-decl nil bdUnity nil) (specification type-eq-decl nil bdUnity nil) (pred type-eq-decl nil defined_types nil) (t formal-type-decl nil bdUnity nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (>= const-decl "bool" reals nil) (bool nonempty-type-eq-decl nil booleans nil) (int nonempty-type-eq-decl nil integers nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (rational nonempty-type-from-decl nil rationals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (real nonempty-type-from-decl nil reals nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (boolean nonempty-type-decl nil booleans nil) (number nonempty-type-decl nil numbers nil)) shostak)) (leto_sub 0 (leto_sub-1 nil 3624288461 ("" (skosimp) (("" (lemma leto_transitive) (("" (inst - n!1 0 p!1 pq!1 q!1 s!1) (("" (assert) (("" (hide -2 2) (("" (use subset_leto) (("" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil) ((leto_transitive formula-decl nil bdUnity nil) (subset_leto formula-decl nil bdUnity nil) (specification type-eq-decl nil bdUnity nil) (pred type-eq-decl nil defined_types nil) (t formal-type-decl nil bdUnity nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (>= const-decl "bool" reals nil) (bool nonempty-type-eq-decl nil booleans nil) (int nonempty-type-eq-decl nil integers nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (rational nonempty-type-from-decl nil rationals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (real nonempty-type-from-decl nil reals nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (boolean nonempty-type-decl nil booleans nil) (number nonempty-type-decl nil numbers nil)) shostak)) (shunting_leto 0 (shunting_leto-1 nil 3624288527 ("" (skosimp) (("" (lemma sub_leto) (("" (inst - n!1 p!1 "cup(cap(p!1, neg(pq!1)), pq!1)" "cup(q!1, pq!1)" s!1) (("" (assert) (("" (hide 2) (("" (split) (("1" (hide -) (("1" (expand "<=") (("1" (expand "cap") (("1" (expand "cup") (("1" (expand "neg") (("1" (skosimp) (("1" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (use cup_leto) (("2" (assert) (("2" (hide 2) (("2" (split) (("1" (lemma leto_sub) (("1" (inst - n!1 "cap(p!1, neg(pq!1))" q!1 "cup(q!1, pq!1)" s!1) (("1" (assert) (("1" (hide - 2) (("1" (expand "<=") (("1" (expand "cap") (("1" (expand "cup") (("1" (skosimp) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (hide -) (("2" (use subset_leto) (("2" (assert) (("2" (hide 2) (("2" (expand "<=") (("2" (expand "cap") (("2" (expand "cup") (("2" (skosimp) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((sub_leto formula-decl nil bdUnity nil) (<= const-decl "bool" mucalculus nil) (leto_sub formula-decl nil bdUnity nil) (subset_leto formula-decl nil bdUnity nil) (cup_leto formula-decl nil bdUnity nil) (specification type-eq-decl nil bdUnity nil) (neg const-decl "bool" ownpred nil) (cap const-decl "bool" ownpred nil) (cup const-decl "bool" ownpred nil) (pred type-eq-decl nil defined_types nil) (t formal-type-decl nil bdUnity nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (>= const-decl "bool" reals nil) (bool nonempty-type-eq-decl nil booleans nil) (int nonempty-type-eq-decl nil integers nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (rational nonempty-type-from-decl nil rationals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (real nonempty-type-from-decl nil reals nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (boolean nonempty-type-decl nil booleans nil) (number nonempty-type-decl nil numbers nil)) shostak)) (leto_inv 0 (leto_inv-1 nil 3624288950 ("" (skosimp) (("" (iff) (("" (lemma sub_leto) (("" (inst - j!1 _ _ q!1 s!1) (("" (prop) (("1" (inst - p!1 "cap(p!1, s!1`inv)") (("1" (assert) (("1" (hide - 1) (("1" (expand "<=") (("1" (skosimp) nil nil)) nil)) nil)) nil)) nil) ("2" (inst - "cap(p!1, s!1`inv)" p!1) (("2" (assert) (("2" (hide - 1) (("2" (expand "<=") (("2" (expand "cap") (("2" (skosimp) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((number nonempty-type-decl nil numbers nil) (boolean nonempty-type-decl nil booleans nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (number_field nonempty-type-from-decl nil number_fields nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (real nonempty-type-from-decl nil reals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (rational nonempty-type-from-decl nil rationals nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (int nonempty-type-eq-decl nil integers nil) (bool nonempty-type-eq-decl nil booleans nil) (>= const-decl "bool" reals nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (t formal-type-decl nil bdUnity nil) (pred type-eq-decl nil defined_types nil) (specification type-eq-decl nil bdUnity nil) (cap const-decl "bool" ownpred nil) (<= const-decl "bool" mucalculus nil) (sub_leto formula-decl nil bdUnity nil)) shostak)) (distributed_progress_TCC1 0 (distributed_progress_TCC1-1 nil 3670922272 ("" (subtype-tcc) nil nil) ((exec const-decl "bool" bdUnity nil) (leq const-decl "bool" bdUnity nil) (cap const-decl "bool" ownpred nil) (leto const-decl "bool" bdUnity nil) (disgrowth const-decl "bool" bdUnity nil) (posint_plus_nnint_is_posint application-judgement "posint" integers nil)) nil)) (distributed_progress 0 (distributed_progress-2 nil 3670927228 ("" (skosimp) (("" (case "FORALL n: FORALL z, k: k < n IMPLIES leto(s!1) (k + mwe!1 - 1, leq(z, vf!1), cup(leq(z + k, vf!1), cov!1(0)))") (("1" (inst - "n!1+1") (("1" (inst?) (("1" (assert) nil nil)) nil)) nil) ("2" (hide 2) (("2" (induct n) (("1" (skosimp) (("1" (assert) nil nil)) nil) ("2" (skosimp*) (("2" (case "k!1=j!1") (("1" (replaceh -1) (("1" (hide -2) (("1" (name ppset "{pp: pred[t] | EXISTS i: pp = cap(leq(z!2, vf!1), cov!1(i))}") (("1" (lemma sub_leto) (("1" (inst - "j!1 + mwe!1 - 1" "leq(z!2, vf!1)" "Union(ppset)" "cup(leq(z!2 + j!1, vf!1), cov!1(0))" s!1) (("1" (assert) (("1" (hide -1) (("1" (split) (("1" (hide-all-but (-4 1)) (("1" (expand "<=") (("1" (skosimp) (("1" (inst?) (("1" (expand "cap") (("1" (flatten) (("1" (assert) (("1" (skolem!) (("1" (expand "Union") (("1" (inst + "cap(leq(z!2, vf!1), cov!1(i!1))") (("1" (expand "cap") (("1" (propax) nil nil)) nil) ("2" (expand "ppset") (("2" (inst?) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (hide 2) (("2" (use leto_union) (("2" (assert) (("2" (hide 2) (("2" (skosimp) (("2" (expand "ppset") (("2" (skolem!) (("2" (replaceh -1) (("2" (case "i!1=0") (("1" (replaceh -1) (("1" (hide -) (("1" (use subset_leto) (("1" (assert) (("1" (hide 2) (("1" (expand "<=") (("1" (expand "cup") (("1" (expand "cap") (("1" (skosimp) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (case "j!1=0") (("1" (replaceh -1) (("1" (assert) (("1" (hide -) (("1" (use subset_leto) (("1" (assert) (("1" (hide 3) (("1" (expand "<=") (("1" (expand "cup") (("1" (expand "cap") (("1" (skosimp) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (expand "disgrowth") (("2" (inst -2 z!2 i!1) (("1" (name-replace pp0 "cap(leq(z!2, vf!1), cov!1(i!1))") (("1" (case "j!1 <= we!1(i!1)") (("1" (hide -2) (("1" (lemma leto_sub) (("1" (inst - "we!1(i!1)" pp0 _ "cup(leq(j!1 + z!2, vf!1), cov!1(0))" s!1) (("1" (inst?) (("1" (assert) (("1" (split) (("1" (hide -3) (("1" (lemma leto_up) (("1" (inst - "we!1(i!1)" "j!1 - 1 + mwe!1" _ _ s!1) (("1" (inst?) (("1" (assert) (("1" (inst? -3) (("1" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (hide -2 4) (("2" (expand "<=" +) (("2" (expand "cup") (("2" (expand "cap") (("2" (expand "leq") (("2" (skosimp) (("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (inst - "z!2 + we!1(i!1)" "j!1-we!1(i!1)") (("1" (assert) (("1" (name-replace pp1 "leq(we!1(i!1) + z!2, vf!1)") (("1" (name-replace pp2 "cup(leq(j!1 + z!2, vf!1), cov!1(0))") (("1" (lemma leto_transitive) (("1" (inst - "we!1(i!1)" "-1 - we!1(i!1) + j!1 + mwe!1" _ _ _ _) (("1" (inst?) (("1" (assert) (("1" (inst?) (("1" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (assert) nil nil)) nil)) nil)) nil) ("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (inst?) (("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((cup const-decl "bool" ownpred nil) (leq const-decl "bool" bdUnity nil) (posnat nonempty-type-eq-decl nil integers nil) (> const-decl "bool" reals nil) (nonneg_int nonempty-type-eq-decl nil integers nil) (+ const-decl "[numfield, numfield -> numfield]" number_fields nil) (- const-decl "[numfield, numfield -> numfield]" number_fields nil) (numfield nonempty-type-eq-decl nil number_fields nil) (leto const-decl "bool" bdUnity nil) (specification type-eq-decl nil bdUnity nil) (pred type-eq-decl nil defined_types nil) (t formal-type-decl nil bdUnity nil) (< const-decl "bool" reals nil) (IMPLIES const-decl "[bool, bool -> bool]" booleans nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (>= const-decl "bool" reals nil) (bool nonempty-type-eq-decl nil booleans nil) (int nonempty-type-eq-decl nil integers nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (rational nonempty-type-from-decl nil rationals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (real nonempty-type-from-decl nil reals nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (boolean nonempty-type-decl nil booleans nil) (number nonempty-type-decl nil numbers nil) (int_plus_int_is_int application-judgement "int" integers nil) (int_minus_int_is_int application-judgement "int" integers nil) (real_lt_is_strict_total_order name-judgement "(strict_total_order?[real])" real_props nil) (nnint_plus_posint_is_posint application-judgement "posint" integers nil) (nat_induction formula-decl nil naturalnumbers nil) (= const-decl "[T, T -> boolean]" equalities nil) (sub_leto formula-decl nil bdUnity nil) (Union_surjective name-judgement "(surjective?[setofsets[T], set[T]])" sets_lemmas nil) (<= const-decl "bool" mucalculus nil) (ppset skolem-const-decl "[pred[t] -> boolean]" bdUnity nil) (z!2 skolem-const-decl "int" bdUnity nil) (vf!1 skolem-const-decl "[t -> int]" bdUnity nil) (cov!1 skolem-const-decl "[nat -> pred[t]]" bdUnity nil) (i!1 skolem-const-decl "nat" bdUnity nil) (leto_union formula-decl nil bdUnity nil) (even_minus_odd_is_odd application-judgement "odd_int" integers nil) (real_gt_is_strict_total_order name-judgement "(strict_total_order?[real])" real_props nil) (i!1 skolem-const-decl "nat" bdUnity nil) (<= const-decl "bool" reals nil) (leto_sub formula-decl nil bdUnity nil) (leto_up formula-decl nil bdUnity nil) (real_le_is_total_order name-judgement "(total_order?[real])" real_props nil) (- const-decl "[numfield -> numfield]" number_fields nil) (leto_transitive formula-decl nil bdUnity nil) (we!1 skolem-const-decl "[posnat -> posnat]" bdUnity nil) (j!1 skolem-const-decl "nat" bdUnity nil) (minus_odd_is_odd application-judgement "odd_int" integers nil) (disgrowth const-decl "bool" bdUnity nil) (subset_leto formula-decl nil bdUnity nil) (setof type-eq-decl nil defined_types nil) (setofsets type-eq-decl nil sets nil) (set type-eq-decl nil sets nil) (Union const-decl "set" sets nil) (real_ge_is_total_order name-judgement "(total_order?[real])" real_props nil) (cap const-decl "bool" ownpred nil)) nil) (distributed_progress-1 nil 3670922293 ("" (skosimp) (("" (case "FORALL n: FORALL k: k < n IMPLIES leto(s!1)(k + mweight!1 - 1, leq(z1!1, vf!1), cup(leq(z1!1 + k, vf!1), cover!1(0)))") (("1" (inst - "n!1+1") (("1" (inst - n!1) (("1" (assert) nil nil)) nil)) nil) ("2" (hide 2) (("2" (induct n) (("1" (assert) nil nil) ("2" (skosimp*) (("2" (inst -3 z1!1 _) (("2" (name ppset "{pp: pred[t] | EXISTS i: pp = cap(leq(z1!1, vf!1), cover!1(i))}") (("2" (lemma leto_union) (("2" (inst - "k!1 + mweight!1 - 1" ppset "cup(leq(z1!1 + k!1, vf!1), cover!1(0))" s!1) (("2" (split) (("1" (case "Union(ppset) = leq(z1!1, vf!1)") (("1" (assert) nil nil) ("2" (hide -1 -2 -3 -5 -6 2) (("2" (apply-extensionality :hide? t) (("2" (iff) (("2" (prop) (("1" (expand "Union") (("1" (skolem!) (("1" (typepred a!1) (("1" (expand "ppset") (("1" (skolem!) (("1" (replaceh -1) (("1" (expand "cap") (("1" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (inst?) (("2" (skolem!) (("2" (expand "Union") (("2" (inst + "cap(leq(z1!1, vf!1), cover!1(i!1))") (("1" (expand "cap") (("1" (assert) nil nil)) nil) ("2" (expand "ppset") (("2" (inst?) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (hide 2 -1) (("2" (skosimp) (("2" (expand "ppset") (("2" (skosimp) (("2" (replaceh -1) (("2" (case "i!1 = 0") (("1" (replace -1) (("1" (hide -) (("1" (use subset_leto) (("1" (assert) (("1" (hide 2) (("1" (expand "<=") (("1" (expand "cup") (("1" (expand "cap") (("1" (skosimp) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (inst? -3) (("1" (case "k!1=0") (("1" (replaceh -1) (("1" (assert) (("1" (hide -) (("1" (use subset_leto) (("1" (assert) (("1" (hide 3) (("1" (expand "<=") (("1" (expand "cup") (("1" (expand "cap") (("1" (skosimp) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (name-replace pp0 "cap(leq(z1!1, vf!1), cover!1(i!1))") (("2" (case "k!1 <= weight!1(i!1)") (("1" (hide -2) (("1" (lemma leto_sub) (("1" (inst - "weight!1(i!1)" pp0 "leq(z1!1 + weight!1(i!1), vf!1)" "cup(leq(z1!1 + k!1, vf!1), cover!1(0))" s!1) (("1" (assert) (("1" (split) (("1" (lemma leto_up) (("1" (inst - "weight!1(i!1)" "k!1 - 1 + mweight!1" _ _ s!1) (("1" (inst?) (("1" (assert) (("1" (inst? -5) (("1" (assert) nil nil)) nil)) nil)) nil)) nil)) nil) ("2" (hide -3 4) (("2" (expand "<=" +) (("2" (expand "cup") (("2" (expand "leq") (("2" (expand "cap") (("2" (skosimp) (("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (postpone) nil nil)) nil)) nil)) nil) ("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) nil shostak)) (proportional_progress 0 (proportional_progress-1 nil 3671005404 ("" (skosimp) (("" (inst - "fac!1 * i!1 + delay!1" "fac!1 * z1!1") (("" (assert) (("" (name-replace nn1 "fac!1 * i!1 + delay!1 + offset!1") (("" (name-replace pp0 "leq(z1!1, svf!1)") (("" (name-replace pp1 "leq(fac!1 * z1!1, vf!1)") (("" (name-replace pp2 "cup(leq(fac!1 * i!1 + fac!1 * z1!1 + delay!1, vf!1), alt!1)") (("" (name-replace pp3 "cup(leq(i!1 + z1!1, svf!1), cup(alt!1, exc!1))") (("" (lemma sub_leto) (("" (inst - nn1 pp0 pp1 pp2 s!1) (("" (assert) (("" (split) (("1" (hide -2) (("1" (lemma leto_sub) (("1" (inst - nn1 pp0 pp2 pp3 s!1) (("1" (assert) (("1" (hide -1 2) (("1" (expand "<=" +) (("1" (expand "pp2") (("1" (expand "pp3") (("1" (expand "cup") (("1" (expand "cap") (("1" (expand "leq") (("1" (skosimp) (("1" (assert) (("1" (inst? -4) (("1" (assert) (("1" (lemma both_sides_times_pos_le2) (("1" (inst - fac!1 "i!1+z1!1" "svf!1(s!2)") (("1" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (hide -1 2) (("2" (expand "<=" +) (("2" (expand "pp0") (("2" (expand "pp1") (("2" (expand "cap") (("2" (expand "leq") (("2" (skosimp) (("2" (inst?) (("2" (assert) (("2" (lemma both_sides_times_pos_le2) (("2" (inst?) (("2" (inst - "svf!1(s!2)") (("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((mult_divides2 application-judgement "(divides(m))" divides nil) (mult_divides1 application-judgement "(divides(n))" divides nil) (nnint_plus_nnint_is_nnint application-judgement "nonneg_int" integers nil) (number nonempty-type-decl nil numbers nil) (boolean nonempty-type-decl nil booleans nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (number_field nonempty-type-from-decl nil number_fields nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (real nonempty-type-from-decl nil reals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (rational nonempty-type-from-decl nil rationals nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (int nonempty-type-eq-decl nil integers nil) (bool nonempty-type-eq-decl nil booleans nil) (>= const-decl "bool" reals nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (numfield nonempty-type-eq-decl nil number_fields nil) (+ const-decl "[numfield, numfield -> numfield]" number_fields nil) (* const-decl "[numfield, numfield -> numfield]" number_fields nil) (nonneg_int nonempty-type-eq-decl nil integers nil) (> const-decl "bool" reals nil) (posnat nonempty-type-eq-decl nil integers nil) (= const-decl "[T, T -> boolean]" equalities nil) (specification type-eq-decl nil bdUnity nil) (leto_sub formula-decl nil bdUnity nil) (<= const-decl "bool" mucalculus nil) (pp3 skolem-const-decl "[t -> bool]" bdUnity nil) (cap const-decl "bool" ownpred nil) (both_sides_times_pos_le2 formula-decl nil real_props nil) (nonneg_real nonempty-type-eq-decl nil real_types nil) (posreal nonempty-type-eq-decl nil real_types nil) (real_le_is_total_order name-judgement "(total_order?[real])" real_props nil) (pp2 skolem-const-decl "[t -> bool]" bdUnity nil) (pp1 skolem-const-decl "[t -> bool]" bdUnity nil) (pp0 skolem-const-decl "[t -> bool]" bdUnity nil) (sub_leto formula-decl nil bdUnity nil) (pred type-eq-decl nil defined_types nil) (cup const-decl "bool" ownpred nil) (t formal-type-decl nil bdUnity nil) (leq const-decl "bool" bdUnity nil) (nnint_times_nnint_is_nnint application-judgement "nonneg_int" integers nil) (int_plus_int_is_int application-judgement "int" integers nil)) shostak)) (fwd_measure_ensures 0 (fwd_measure_ensures-1 nil 3679326125 ("" (expand "fwd_measure") (("" (skosimp) (("" (use ensures_leto) (("" (assert) (("" (hide 2) (("" (expand "ensures") (("" (expand "transient") (("" (expand "co") (("" (expand "<=" +) (("" (expand "wp") (("" (expand "cap") (("" (expand "neg") (("" (expand "cup") (("" (expand "leq") (("" (split) (("1" (skosimp*) (("1" (inst?) (("1" (assert) (("1" (inst -8 k!1 s!2 y!1) (("1" (assert) nil nil)) nil)) nil)) nil)) nil) ("2" (inst + k!1) (("2" (split) (("1" (skosimp) (("1" (expand "<=" -5) (("1" (inst? -5) (("1" (assert) nil nil)) nil)) nil)) nil) ("2" (skosimp) (("2" (inst? -9) (("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((ensures const-decl "bool" bdUnity nil) (co const-decl "bool" bdUnity nil) (wp const-decl "bool" ownpred nil) (neg const-decl "bool" ownpred nil) (real_le_is_total_order name-judgement "(total_order?[real])" real_props nil) (cup const-decl "bool" ownpred nil) (<= const-decl "bool" mucalculus nil) (transient const-decl "bool" bdUnity nil) (int_plus_int_is_int application-judgement "int" integers nil) (t formal-type-decl nil bdUnity nil) (boolean nonempty-type-decl nil booleans nil) (bool nonempty-type-eq-decl nil booleans nil) (pred type-eq-decl nil defined_types nil) (cap const-decl "bool" ownpred nil) (number nonempty-type-decl nil numbers nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (number_field nonempty-type-from-decl nil number_fields nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (real nonempty-type-from-decl nil reals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (rational nonempty-type-from-decl nil rationals nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (int nonempty-type-eq-decl nil integers nil) (leq const-decl "bool" bdUnity nil) (>= const-decl "bool" reals nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (numfield nonempty-type-eq-decl nil number_fields nil) (+ const-decl "[numfield, numfield -> numfield]" number_fields nil) (specification type-eq-decl nil bdUnity nil) (ensures_leto formula-decl nil bdUnity nil) (fwd_measure const-decl "bool" bdUnity nil)) shostak)) (fwd_measure_leadsto 0 (fwd_measure_leadsto-2 nil 3679372903 ("" (skosimp) (("" (use shunting_leto) (("" (assert) (("" (hide 2) (("" (lemma leto_union) (("" (inst?) (("" (inst - 1 _ "leq(1 + z!1, vf!1)") (("" (name ppset "{pp: pred[t] | exists k: pp = cap(leq(z!1, vf!1), vena!1(k))}") (("" (inst - ppset) (("" (split) (("1" (case "Union(ppset)=cap(leq(z!1, vf!1), neg(none(vena!1, s!1)))") (("1" (assert) nil nil) ("2" (hide - 2) (("2" (apply-extensionality :hide? t) (("2" (iff) (("2" (prop) (("1" (expand "Union") (("1" (skolem!) (("1" (typepred a!1) (("1" (expand "ppset") (("1" (skolem!) (("1" (replaceh -1) (("1" (expand "cap") (("1" (flatten) (("1" (assert) (("1" (expand "neg") (("1" (expand "none") (("1" (inst?) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (expand "cap") (("2" (flatten) (("2" (expand "neg") (("2" (expand "none") (("2" (expand "Union") (("2" (skosimp) (("2" (inst + "cap(leq(z!1, vf!1), vena!1(k!1))") (("1" (expand "cap") (("1" (assert) nil nil)) nil) ("2" (expand "ppset") (("2" (inst + k!1) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (hide 2 -1) (("2" (skosimp) (("2" (expand "ppset") (("2" (skolem!) (("2" (use fwd_measure_ensures) (("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((leto_union formula-decl nil bdUnity nil) (fwd_measure_ensures formula-decl nil bdUnity nil) (neg const-decl "bool" ownpred nil) (Union const-decl "set" sets nil) (setofsets type-eq-decl nil sets nil) (setof type-eq-decl nil defined_types nil) (set type-eq-decl nil sets nil) (Union_surjective name-judgement "(surjective?[setofsets[T], set[T]])" sets_lemmas nil) (ppset skolem-const-decl "[pred[t] -> boolean]" bdUnity nil) (NOT const-decl "[bool -> bool]" booleans nil) (k!1 skolem-const-decl "nat" bdUnity nil) (vena!1 skolem-const-decl "[nat -> pred[t]]" bdUnity nil) (vf!1 skolem-const-decl "[t -> int]" bdUnity nil) (z!1 skolem-const-decl "int" bdUnity nil) (cap const-decl "bool" ownpred nil) (= const-decl "[T, T -> boolean]" equalities nil) (int_plus_int_is_int application-judgement "int" integers nil) (number nonempty-type-decl nil numbers nil) (boolean nonempty-type-decl nil booleans nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (number_field nonempty-type-from-decl nil number_fields nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (real nonempty-type-from-decl nil reals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (rational nonempty-type-from-decl nil rationals nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (int nonempty-type-eq-decl nil integers nil) (bool nonempty-type-eq-decl nil booleans nil) (>= const-decl "bool" reals nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (t formal-type-decl nil bdUnity nil) (pred type-eq-decl nil defined_types nil) (leq const-decl "bool" bdUnity nil) (specification type-eq-decl nil bdUnity nil) (none const-decl "bool" bdUnity nil) (numfield nonempty-type-eq-decl nil number_fields nil) (+ const-decl "[numfield, numfield -> numfield]" number_fields nil) (shunting_leto formula-decl nil bdUnity nil)) nil) (fwd_measure_leadsto-1 nil 3629006572 ("" (skosimp) (("" (use shunting_leto) (("" (assert) (("" (hide 2) (("" (lemma leto_union) (("" (inst?) (("" (inst - 1 _ "leq(1 + z!1, vf!1)") (("" (name ppset "{pp: pred[t] | exists k: pp = cap(leq(z!1, vf!1), vena!1(k))}") (("" (inst - ppset) (("" (split) (("1" (case "Union(ppset)=cap(leq(z!1, vf!1), neg(none(vena!1, s!1)))") (("1" (assert) nil nil) ("2" (hide - 2) (("2" (apply-extensionality :hide? t) (("2" (iff) (("2" (prop) (("1" (expand "Union") (("1" (skolem!) (("1" (typepred a!1) (("1" (expand "ppset") (("1" (skolem!) (("1" (replaceh -1) (("1" (expand "cap") (("1" (flatten) (("1" (assert) (("1" (expand "neg") (("1" (expand "none") (("1" (inst?) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (expand "cap") (("2" (flatten) (("2" (expand "neg") (("2" (expand "none") (("2" (expand "Union") (("2" (skosimp) (("2" (inst + "cap(leq(z!1, vf!1), vena!1(k!1))") (("1" (expand "cap") (("1" (assert) nil nil)) nil) ("2" (expand "ppset") (("2" (inst + k!1) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (hide 2 -1) (("2" (skosimp) (("2" (expand "ppset") (("2" (skolem!) (("2" (use fwd_measure_ensuresA) (("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((shunting_leto formula-decl nil bdUnity nil) (+ const-decl "[numfield, numfield -> numfield]" number_fields nil) (numfield nonempty-type-eq-decl nil number_fields nil) (none const-decl "bool" bdUnity nil) (specification type-eq-decl nil bdUnity nil) (leq const-decl "bool" bdUnity nil) (pred type-eq-decl nil defined_types nil) (t formal-type-decl nil bdUnity nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (>= const-decl "bool" reals nil) (bool nonempty-type-eq-decl nil booleans nil) (int nonempty-type-eq-decl nil integers nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (rational nonempty-type-from-decl nil rationals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (real nonempty-type-from-decl nil reals nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (boolean nonempty-type-decl nil booleans nil) (number nonempty-type-decl nil numbers nil) (int_plus_int_is_int application-judgement "int" integers nil) (= const-decl "[T, T -> boolean]" equalities nil) (cap const-decl "bool" ownpred nil) nil nil nil nil (NOT const-decl "[bool -> bool]" booleans nil) nil (Union_surjective name-judgement "(surjective?[setofsets[T], set[T]])" sets_lemmas nil) (set type-eq-decl nil sets nil) (setof type-eq-decl nil defined_types nil) (setofsets type-eq-decl nil sets nil) (Union const-decl "set" sets nil) (neg const-decl "bool" ownpred nil) nil (leto_union formula-decl nil bdUnity nil)) shostak)) (fwd_measure_leadsto_more 0 (fwd_measure_leadsto_more-1 nil 3629007165 ("" (induct n) (("1" (skosimp) (("1" (use subset_leto) (("1" (assert) (("1" (hide - 2) (("1" (expand "<=") (("1" (expand "cap") (("1" (expand "cup") (("1" (skosimp) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (skosimp*) (("2" (inst?) (("2" (assert) (("2" (lemma leto_transitive_2) (("2" (inst?) (("2" (lemma fwd_measure_leadsto) (("2" (inst - _ _ _ z!1) (("2" (inst?) (("2" (assert) (("2" (inst?) (("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((posint_plus_nnint_is_posint application-judgement "posint" integers nil) (nnint_plus_posint_is_posint application-judgement "posint" integers nil) (int_minus_int_is_int application-judgement "int" integers nil) (odd_minus_odd_is_even application-judgement "even_int" integers nil) (fwd_measure_leadsto formula-decl nil bdUnity nil) (leto_transitive_2 formula-decl nil bdUnity nil) (<= const-decl "bool" mucalculus nil) (cap const-decl "bool" ownpred nil) (subset_leto formula-decl nil bdUnity nil) (nat_induction formula-decl nil naturalnumbers nil) (none const-decl "bool" bdUnity nil) (+ const-decl "[numfield, numfield -> numfield]" number_fields nil) (numfield nonempty-type-eq-decl nil number_fields nil) (cup const-decl "bool" ownpred nil) (leq const-decl "bool" bdUnity nil) (leto const-decl "bool" bdUnity nil) (fwd_measure const-decl "bool" bdUnity nil) (IMPLIES const-decl "[bool, bool -> bool]" booleans nil) (specification type-eq-decl nil bdUnity nil) (t formal-type-decl nil bdUnity nil) (pred type-eq-decl nil defined_types nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (>= const-decl "bool" reals nil) (bool nonempty-type-eq-decl nil booleans nil) (int nonempty-type-eq-decl nil integers nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (rational nonempty-type-from-decl nil rationals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (real nonempty-type-from-decl nil reals nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (boolean nonempty-type-decl nil booleans nil) (number nonempty-type-decl nil numbers nil) (int_plus_int_is_int application-judgement "int" integers nil)) shostak)) (proportional_measure_leadsto 0 (proportional_measure_leadsto-1 nil 3629009375 ("" (skosimp) (("" (lemma fwd_measure_leadsto_more) (("" (inst - n!1 s!1 vena!1 vf!1 _) (("" (assert) (("" (inst - "fac!1 * z!1") (("" (hide -2) (("" (name-replace pp0 "leq(z!1, svf!1)") (("" (name-replace pp1 "leq(fac!1 * z!1, vf!1)") (("" (name-replace pp2 "cup(leq(fac!1 * z!1 + n!1, vf!1), none(vena!1, s!1))") (("" (name-replace pp3 "cup(leq(i!1 + z!1, svf!1), none(vena!1, s!1))") (("" (lemma sub_leto) (("" (inst - n!1 pp0 pp1 pp3 s!1) (("" (assert) (("" (hide 2) (("" (split) (("1" (expand "<=" +) (("1" (hide -1) (("1" (expand "pp0") (("1" (expand "pp1") (("1" (expand "cap") (("1" (expand "leq") (("1" (skosimp) (("1" (expand "subset?") (("1" (expand "member") (("1" (expand "proportional") (("1" (inst?) (("1" (assert) (("1" (flatten) (("1" (assert) (("1" (lemma both_sides_times_pos_le2) (("1" (inst?) (("1" (inst - "svf!1(s!2)") (("1" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (lemma leto_sub) (("2" (inst - n!1 pp1 pp2 pp3 s!1) (("2" (assert) (("2" (hide -1 2) (("2" (expand "<=" +) (("2" (expand "pp2") (("2" (expand "pp3") (("2" (expand "cap") (("2" (expand "cup") (("2" (skosimp) (("2" (assert) (("2" (expand "leq") (("2" (hide 2) (("2" (expand "subset?") (("2" (expand "member") (("2" (expand "proportional") (("2" (inst?) (("2" (assert) (("2" (flatten) (("2" (hide -3 -2) (("2" (lemma both_sides_times_pos_le2) (("2" (inst - fac!1 "svf!1(s!2)" "i!1 + z!1-1") (("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((fwd_measure_leadsto_more formula-decl nil bdUnity nil) (nnint_times_nnint_is_nnint application-judgement "nonneg_int" integers nil) (minus_odd_is_odd application-judgement "odd_int" integers nil) (int_minus_int_is_int application-judgement "int" integers nil) (mult_divides2 application-judgement "(divides(m))" divides nil) (mult_divides1 application-judgement "(divides(n))" divides nil) (int_plus_int_is_int application-judgement "int" integers nil) (real_le_is_total_order name-judgement "(total_order?[real])" real_props nil) (subset_is_partial_order name-judgement "(partial_order?[set[T]])" sets_lemmas nil) (leto_sub formula-decl nil bdUnity nil) (pp3 skolem-const-decl "[t -> bool]" bdUnity nil) (- const-decl "[numfield, numfield -> numfield]" number_fields nil) (pp2 skolem-const-decl "[t -> bool]" bdUnity nil) (<= const-decl "bool" mucalculus nil) (pp0 skolem-const-decl "[t -> bool]" bdUnity nil) (cap const-decl "bool" ownpred nil) (member const-decl "bool" sets nil) (both_sides_times_pos_le2 formula-decl nil real_props nil) (nonneg_real nonempty-type-eq-decl nil real_types nil) (posreal nonempty-type-eq-decl nil real_types nil) (real_lt_is_strict_total_order name-judgement "(strict_total_order?[real])" real_props nil) (proportional const-decl "bool" bdUnity nil) (subset? const-decl "bool" sets nil) (pp1 skolem-const-decl "[t -> bool]" bdUnity nil) (sub_leto formula-decl nil bdUnity nil) (cup const-decl "bool" ownpred nil) (+ const-decl "[numfield, numfield -> numfield]" number_fields nil) (none const-decl "bool" bdUnity nil) (= const-decl "[T, T -> boolean]" equalities nil) (leq const-decl "bool" bdUnity nil) (numfield nonempty-type-eq-decl nil number_fields nil) (* const-decl "[numfield, numfield -> numfield]" number_fields nil) (nonneg_int nonempty-type-eq-decl nil integers nil) (> const-decl "bool" reals nil) (posnat nonempty-type-eq-decl nil integers nil) (specification type-eq-decl nil bdUnity nil) (pred type-eq-decl nil defined_types nil) (t formal-type-decl nil bdUnity nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (>= const-decl "bool" reals nil) (bool nonempty-type-eq-decl nil booleans nil) (int nonempty-type-eq-decl nil integers nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (rational nonempty-type-from-decl nil rationals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (real nonempty-type-from-decl nil reals nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (boolean nonempty-type-decl nil booleans nil) (number nonempty-type-decl nil numbers nil)) shostak)) (proportional_measure_leadsto1 0 (proportional_measure_leadsto1-1 nil 3669543573 ("" (skosimp) (("" (lemma fwd_measure_leadsto_more) (("" (inst - n!1 s!1 vena!1 vf!1 _) (("" (inst - "fac!1 * z!1") (("" (assert) (("" (hide -2) (("" (name-replace pp0 "leq(z!1, svf!1)") (("" (name-replace pp1 "leq(fac!1 * z!1, vf!1)") (("" (name-replace pp2 "cup(leq(fac!1 * z!1 + n!1, vf!1), none(vena!1, s!1))") (("" (name-replace pp3 "cup(neg(p!1), cup(leq(i!1 + z!1, svf!1), none(vena!1, s!1)))") (("" (lemma sub_leto) (("" (inst - n!1 pp0 pp1 pp3 s!1) (("" (assert) (("" (hide 2) (("" (split) (("1" (expand "<=") (("1" (expand "pp0") (("1" (expand "pp1") (("1" (expand "cap") (("1" (expand "leq") (("1" (expand "subset?") (("1" (expand "member") (("1" (skosimp) (("1" (inst?) (("1" (assert) (("1" (expand "proportionA") (("1" (hide-all-but (-1 -4) -) (("1" (lemma both_sides_times_pos_le2) (("1" (inst?) (("1" (inst - "svf!1(s!2)") (("1" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (lemma leto_sub) (("2" (inst - n!1 pp1 pp2 pp3 s!1) (("2" (assert) (("2" (hide -1 2) (("2" (expand "<=" +) (("2" (expand "pp2") (("2" (expand "pp3") (("2" (expand "subset?") (("2" (expand "member") (("2" (expand "cap") (("2" (expand "proportionB") (("2" (expand "cup") (("2" (expand "neg") (("2" (expand "leq") (("2" (skosimp) (("2" (replace 2) (("2" (inst?) (("2" (inst?) (("2" (assert) (("2" (lemma both_sides_times_pos_le2) (("2" (inst - fac!1 "svf!1(s!2)" "z!1+i!1-1") (("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((fwd_measure_leadsto_more formula-decl nil bdUnity nil) (mult_divides2 application-judgement "(divides(m))" divides nil) (mult_divides1 application-judgement "(divides(n))" divides nil) (posnat nonempty-type-eq-decl nil integers nil) (> const-decl "bool" reals nil) (nonneg_int nonempty-type-eq-decl nil integers nil) (* const-decl "[numfield, numfield -> numfield]" number_fields nil) (numfield nonempty-type-eq-decl nil number_fields nil) (neg const-decl "bool" ownpred nil) (leto_sub formula-decl nil bdUnity nil) (pp3 skolem-const-decl "[t -> bool]" bdUnity nil) (proportionB const-decl "bool" bdUnity nil) (- const-decl "[numfield, numfield -> numfield]" number_fields nil) (pp2 skolem-const-decl "[t -> bool]" bdUnity nil) (<= const-decl "bool" reals nil) (<= const-decl "bool" mucalculus nil) (pp1 skolem-const-decl "[t -> bool]" bdUnity nil) (member const-decl "bool" sets nil) (proportionA const-decl "bool" bdUnity nil) (both_sides_times_pos_le2 formula-decl nil real_props nil) (nonneg_real nonempty-type-eq-decl nil real_types nil) (posreal nonempty-type-eq-decl nil real_types nil) (real_lt_is_strict_total_order name-judgement "(strict_total_order?[real])" real_props nil) (subset? const-decl "bool" sets nil) (cap const-decl "bool" ownpred nil) (pp0 skolem-const-decl "[t -> bool]" bdUnity nil) (sub_leto formula-decl nil bdUnity nil) (cup const-decl "bool" ownpred nil) (+ const-decl "[numfield, numfield -> numfield]" number_fields nil) (none const-decl "bool" bdUnity nil) (= const-decl "[T, T -> boolean]" equalities nil) (leq const-decl "bool" bdUnity nil) (subset_is_partial_order name-judgement "(partial_order?[set[T]])" sets_lemmas nil) (real_le_is_total_order name-judgement "(total_order?[real])" real_props nil) (int_plus_int_is_int application-judgement "int" integers nil) (int_minus_int_is_int application-judgement "int" integers nil) (minus_odd_is_odd application-judgement "odd_int" integers nil) (nnint_times_nnint_is_nnint application-judgement "nonneg_int" integers nil) (specification type-eq-decl nil bdUnity nil) (pred type-eq-decl nil defined_types nil) (t formal-type-decl nil bdUnity nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (>= const-decl "bool" reals nil) (bool nonempty-type-eq-decl nil booleans nil) (int nonempty-type-eq-decl nil integers nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (rational nonempty-type-from-decl nil rationals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (real nonempty-type-from-decl nil reals nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (boolean nonempty-type-decl nil booleans nil) (number nonempty-type-decl nil numbers nil)) shostak)) (subset_leadsto 0 (subset_leadsto-1 nil 3624290934 ("" (expand "leadsto") (("" (expand "<=") (("" (skosimp*) (("" (inst?) (("" (inst?) (("" (expand "cap") (("" (assert) (("" (expand "run") (("" (expand "exec") (("" (flatten) (("" (inst?) (("" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((<= const-decl "bool" mucalculus nil) (t formal-type-decl nil bdUnity nil) (number nonempty-type-decl nil numbers nil) (boolean nonempty-type-decl nil booleans nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (number_field nonempty-type-from-decl nil number_fields nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (real nonempty-type-from-decl nil reals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (rational nonempty-type-from-decl nil rationals nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (int nonempty-type-eq-decl nil integers nil) (bool nonempty-type-eq-decl nil booleans nil) (>= const-decl "bool" reals nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (cap const-decl "bool" ownpred nil) (run const-decl "bool" bdUnity nil) (odd_plus_even_is_odd application-judgement "odd_int" integers nil) (posint_plus_nnint_is_posint application-judgement "posint" integers nil) (exec const-decl "bool" bdUnity nil) (leadsto const-decl "bool" bdUnity nil)) shostak)) (ensures_leadsto 0 (ensures_leadsto-1 nil 3679326644 ("" (expand "leadsto") (("" (expand "ensures") (("" (skosimp*) (("" (expand "co") (("" (expand "transient") (("" (expand "<=") (("" (expand "wp") (("" (expand "cap") (("" (expand "neg") (("" (skosimp) (("" (expand "cup") (("" (expand "run") (("" (flatten) (("" (inst? -5) (("" (expand "exec") (("" (case "forall n: p!1(xs!1(n))") (("1" (expand "weakfair") (("1" (expand "fw") (("1" (inst -6 0) (("1" (assert) (("1" (skolem!) (("1" (split) (("1" (inst? -5) (("1" (inst-cp - i!1) (("1" (inst-cp + i!1) (("1" (inst + "1+i!1") (("1" (inst - "1+i!1") (("1" (assert) (("1" (inst? -6) (("1" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (inst? -3) (("2" (inst?) (("2" (inst? -5) (("2" (flatten) (("2" (assert) (("2" (inst? +) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (induct n) (("2" (skosimp) (("2" (inst? -) (("2" (inst? -5) (("2" (flatten) (("2" (assert) (("2" (split -) (("1" (inst - "xs!1(j!1+1)") (("1" (assert) (("1" (inst + "j!1+1") (("1" (assert) nil nil)) nil)) nil)) nil) ("2" (inst? +) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((ensures const-decl "bool" bdUnity nil) (co const-decl "bool" bdUnity nil) (<= const-decl "bool" mucalculus nil) (cap const-decl "bool" ownpred nil) (run const-decl "bool" bdUnity nil) (number nonempty-type-decl nil numbers nil) (boolean nonempty-type-decl nil booleans nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (number_field nonempty-type-from-decl nil number_fields nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (real nonempty-type-from-decl nil reals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (rational nonempty-type-from-decl nil rationals nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (int nonempty-type-eq-decl nil integers nil) (bool nonempty-type-eq-decl nil booleans nil) (>= const-decl "bool" reals nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (t formal-type-decl nil bdUnity nil) (pred type-eq-decl nil defined_types nil) (fw const-decl "bool" bdUnity nil) (numfield nonempty-type-eq-decl nil number_fields nil) (+ const-decl "[numfield, numfield -> numfield]" number_fields nil) (weakfair const-decl "bool" bdUnity nil) (posint_plus_nnint_is_posint application-judgement "posint" integers nil) (nnint_plus_posint_is_posint application-judgement "posint" integers nil) (nat_induction formula-decl nil naturalnumbers nil) (exec const-decl "bool" bdUnity nil) (cup const-decl "bool" ownpred nil) (neg const-decl "bool" ownpred nil) (wp const-decl "bool" ownpred nil) (transient const-decl "bool" bdUnity nil) (leadsto const-decl "bool" bdUnity nil)) shostak)) (leadsto_union 0 (leadsto_union-1 nil 3624291802 ("" (expand "leadsto") (("" (skosimp*) (("" (expand "Union") (("" (skolem!) (("" (inst?) (("" (assert) (("" (inst?) (("" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((nat nonempty-type-eq-decl nil naturalnumbers nil) (>= const-decl "bool" reals nil) (int nonempty-type-eq-decl nil integers nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (rational nonempty-type-from-decl nil rationals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (real nonempty-type-from-decl nil reals nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (number nonempty-type-decl nil numbers nil) (pred type-eq-decl nil defined_types nil) (bool nonempty-type-eq-decl nil booleans nil) (boolean nonempty-type-decl nil booleans nil) (t formal-type-decl nil bdUnity nil) (Union const-decl "set" sets nil) (leadsto const-decl "bool" bdUnity nil)) shostak)) (leadsto_transitive 0 (leadsto_transitive-1 nil 3624291868 ("" (expand "leadsto") (("" (skosimp*) (("" (inst? -) (("" (assert) (("" (skolem!) (("" (use drop_run) (("" (assert) (("" (inst - "drop(i!1)(xs!1)") (("" (assert) (("" (expand "drop") (("" (skolem!) (("" (inst + "i!2+i!1") nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((drop_run formula-decl nil bdUnity nil) (specification type-eq-decl nil bdUnity nil) (pred type-eq-decl nil defined_types nil) (drop const-decl "t" bdUnity nil) (nnint_plus_nnint_is_nnint application-judgement "nonneg_int" integers nil) (+ const-decl "[numfield, numfield -> numfield]" number_fields nil) (numfield nonempty-type-eq-decl nil number_fields nil) (t formal-type-decl nil bdUnity nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (>= const-decl "bool" reals nil) (bool nonempty-type-eq-decl nil booleans nil) (int nonempty-type-eq-decl nil integers nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (rational nonempty-type-from-decl nil rationals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (real nonempty-type-from-decl nil reals nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (boolean nonempty-type-decl nil booleans nil) (number nonempty-type-decl nil numbers nil) (leadsto const-decl "bool" bdUnity nil)) shostak)) (PSP_leadsto 0 (PSP_leadsto-1 nil 3624292063 ("" (expand "leadsto") (("" (skosimp*) (("" (expand "cap") (("" (expand "cup") (("" (flatten) (("" (inst?) (("" (assert) (("" (case "forall i: pa!1(xs!1(i))") (("1" (skolem!) (("1" (inst - i!1) (("1" (inst + i!1) (("1" (assert) nil nil)) nil)) nil)) nil) ("2" (induct i) (("2" (skosimp) (("2" (expand "unless") (("2" (expand "<=") (("2" (expand "wp") (("2" (expand "cap") (("2" (expand "neg") (("2" (expand "run") (("2" (flatten) (("2" (expand "exec") (("2" (inst? -) (("2" (inst? -) (("2" (flatten) (("2" (assert) (("2" (split) (("1" (inst - "xs!1(1 + j!1)") (("1" (expand "cup") (("1" (assert) (("1" (inst + "1+j!1") (("1" (assert) nil nil)) nil)) nil)) nil)) nil) ("2" (inst + j!1) (("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((cup const-decl "bool" ownpred nil) (number nonempty-type-decl nil numbers nil) (boolean nonempty-type-decl nil booleans nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (number_field nonempty-type-from-decl nil number_fields nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (real nonempty-type-from-decl nil reals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (rational nonempty-type-from-decl nil rationals nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (int nonempty-type-eq-decl nil integers nil) (bool nonempty-type-eq-decl nil booleans nil) (>= const-decl "bool" reals nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (t formal-type-decl nil bdUnity nil) (pred type-eq-decl nil defined_types nil) (<= const-decl "bool" mucalculus nil) (run const-decl "bool" bdUnity nil) (exec const-decl "bool" bdUnity nil) (posint_plus_nnint_is_posint application-judgement "posint" integers nil) (nnint_plus_posint_is_posint application-judgement "posint" integers nil) (+ const-decl "[numfield, numfield -> numfield]" number_fields nil) (numfield nonempty-type-eq-decl nil number_fields nil) (neg const-decl "bool" ownpred nil) (wp const-decl "bool" ownpred nil) (unless const-decl "bool" bdUnity nil) (nat_induction formula-decl nil naturalnumbers nil) (cap const-decl "bool" ownpred nil) (leadsto const-decl "bool" bdUnity nil)) shostak)) (cup_leadsto 0 (cup_leadsto-1 nil 3624292410 ("" (expand "leadsto") (("" (skosimp*) (("" (expand "cup") (("" (inst?) (("" (inst?) (("" (assert) (("" (replace 1) (("" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((number nonempty-type-decl nil numbers nil) (boolean nonempty-type-decl nil booleans nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (number_field nonempty-type-from-decl nil number_fields nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (real nonempty-type-from-decl nil reals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (rational nonempty-type-from-decl nil rationals nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (int nonempty-type-eq-decl nil integers nil) (bool nonempty-type-eq-decl nil booleans nil) (>= const-decl "bool" reals nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (t formal-type-decl nil bdUnity nil) (cup const-decl "bool" ownpred nil) (leadsto const-decl "bool" bdUnity nil)) shostak)) (leadsto_transitive_2 0 (leadsto_transitive_2-1 nil 3624292491 ("" (skosimp) (("" (lemma leadsto_transitive) (("" (inst - p!1 "cup(pq!1, pa!1)" "cup(q!1, pa!1)" s!1) (("" (assert) (("" (hide -1 2) (("" (use cup_leadsto) (("" (assert) (("" (hide - 2) (("" (use subset_leadsto) (("" (assert) (("" (hide 2) (("" (expand "<=") (("" (expand "cap") (("" (expand "cup") (("" (skosimp) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((leadsto_transitive formula-decl nil bdUnity nil) (cup_leadsto formula-decl nil bdUnity nil) (<= const-decl "bool" mucalculus nil) (cap const-decl "bool" ownpred nil) (subset_leadsto formula-decl nil bdUnity nil) (specification type-eq-decl nil bdUnity nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (cup const-decl "bool" ownpred nil) (pred type-eq-decl nil defined_types nil) (bool nonempty-type-eq-decl nil booleans nil) (boolean nonempty-type-decl nil booleans nil) (t formal-type-decl nil bdUnity nil)) shostak)) (leadsto_transitive_1 0 (leadsto_transitive_1-1 nil 3624292624 ("" (skosimp) (("" (lemma leadsto_transitive_2) (("" (inst - p!1 q!1 pq!1 q!1 s!1) (("" (assert) (("" (case "cup(q!1, q!1) = q!1") (("1" (assert) nil nil) ("2" (hide - 2) (("2" (expand "cup") (("2" (apply-extensionality :hide? t) (("2" (iff) (("2" (prop) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((leadsto_transitive_2 formula-decl nil bdUnity nil) (OR const-decl "[bool, bool -> bool]" booleans nil) (cup const-decl "bool" ownpred nil) (= const-decl "[T, T -> boolean]" equalities nil) (specification type-eq-decl nil bdUnity nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (pred type-eq-decl nil defined_types nil) (bool nonempty-type-eq-decl nil booleans nil) (boolean nonempty-type-decl nil booleans nil) (t formal-type-decl nil bdUnity nil)) shostak)) (sub_leadsto 0 (sub_leadsto-1 nil 3624292734 ("" (skosimp) (("" (lemma leadsto_transitive) (("" (inst - p!1 pq!1 q!1 s!1) (("" (assert) (("" (hide -2 2) (("" (use subset_leadsto) (("" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil) ((leadsto_transitive formula-decl nil bdUnity nil) (subset_leadsto formula-decl nil bdUnity nil) (specification type-eq-decl nil bdUnity nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (pred type-eq-decl nil defined_types nil) (bool nonempty-type-eq-decl nil booleans nil) (boolean nonempty-type-decl nil booleans nil) (t formal-type-decl nil bdUnity nil)) shostak)) (leadsto_sub 0 (leadsto_sub-1 nil 3624292814 ("" (skosimp) (("" (lemma leadsto_transitive) (("" (inst - p!1 pq!1 q!1 s!1) (("" (assert) (("" (hide -2 2) (("" (use subset_leadsto) (("" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil) ((leadsto_transitive formula-decl nil bdUnity nil) (subset_leadsto formula-decl nil bdUnity nil) (specification type-eq-decl nil bdUnity nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (pred type-eq-decl nil defined_types nil) (bool nonempty-type-eq-decl nil booleans nil) (boolean nonempty-type-decl nil booleans nil) (t formal-type-decl nil bdUnity nil)) shostak)) (shunting_leadsto 0 (shunting_leadsto-1 nil 3624292902 ("" (skosimp) (("" (lemma sub_leadsto) (("" (inst - p!1 "cup(cap(p!1, neg(pq!1)), pq!1)" "cup(q!1, pq!1)" s!1) (("" (assert) (("" (hide 2) (("" (split) (("1" (hide -) (("1" (expand "<=") (("1" (expand "cap") (("1" (expand "cup") (("1" (expand "neg") (("1" (skosimp) (("1" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (use cup_leadsto) (("2" (assert) (("2" (hide 2) (("2" (split) (("1" (lemma leadsto_sub) (("1" (inst - "cap(p!1, neg(pq!1))" q!1 "cup(q!1, pq!1)" s!1) (("1" (assert) (("1" (hide - 2) (("1" (expand "<=") (("1" (expand "cap") (("1" (expand "cup") (("1" (skosimp) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (hide -) (("2" (use subset_leadsto) (("2" (assert) (("2" (hide 2) (("2" (expand "<=") (("2" (expand "cap") (("2" (expand "cup") (("2" (skosimp) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((sub_leadsto formula-decl nil bdUnity nil) (<= const-decl "bool" mucalculus nil) (leadsto_sub formula-decl nil bdUnity nil) (subset_leadsto formula-decl nil bdUnity nil) (cup_leadsto formula-decl nil bdUnity nil) (specification type-eq-decl nil bdUnity nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (neg const-decl "bool" ownpred nil) (cap const-decl "bool" ownpred nil) (cup const-decl "bool" ownpred nil) (pred type-eq-decl nil defined_types nil) (bool nonempty-type-eq-decl nil booleans nil) (boolean nonempty-type-decl nil booleans nil) (t formal-type-decl nil bdUnity nil)) shostak)) (leadsto_inv 0 (leadsto_inv-1 nil 3624293310 ("" (skolem!) (("" (iff) (("" (lemma sub_leadsto) (("" (inst - _ _ q!1 s!1) (("" (prop) (("1" (inst - p!1 "cap(p!1, s!1`inv)") (("1" (assert) (("1" (hide 1 -) (("1" (expand "<=") (("1" (skosimp) nil nil)) nil)) nil)) nil)) nil) ("2" (inst - "cap(p!1, s!1`inv)" p!1) (("2" (assert) (("2" (hide 1 -) (("2" (expand "<=") (("2" (expand "cap") (("2" (skosimp) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((t formal-type-decl nil bdUnity nil) (boolean nonempty-type-decl nil booleans nil) (bool nonempty-type-eq-decl nil booleans nil) (pred type-eq-decl nil defined_types nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (specification type-eq-decl nil bdUnity nil) (cap const-decl "bool" ownpred nil) (<= const-decl "bool" mucalculus nil) (sub_leadsto formula-decl nil bdUnity nil)) shostak)) (bounding_leadsto 0 (bounding_leadsto-1 nil 3624293638 ("" (expand "leto") (("" (skosimp*) (("" (inst?) (("" (assert) (("" (inst?) (("" (assert) (("" (expand "cup") (("" (skosimp) (("" (split) (("1" (inst?) (("1" (assert) nil nil)) nil) ("2" (expand "leadsto") (("2" (lemma machine_closed) (("2" (inst - i!1 s!1 xs!1) (("2" (assert) (("2" (skosimp) (("2" (inst? -4) (("2" (assert) (("2" (split) (("1" (skolem!) (("1" (inst + i!2) (("1" (case "i!2 <= i!1") (("1" (inst - i!2) (("1" (assert) nil nil)) nil) ("2" (inst - i!1) (("2" (assert) (("2" (replace -3 * rl) (("2" (hide-all-but (-1 -2 -4 -6 -7 1)) (("2" (case "forall i: pa!1(ys!1(i!1 + i))") (("1" (inst - "i!2-i!1") (("1" (assert) (("1" (expand "empty?") (("1" (expand "member") (("1" (expand "cap") (("1" (inst?) (("1" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (induct i) (("1" (assert) nil nil) ("2" (skosimp) (("2" (expand "stable") (("2" (expand "co") (("2" (expand "<=" -) (("2" (expand "wp") (("2" (expand "cap") (("2" (expand "run") (("2" (flatten) (("2" (expand "exec") (("2" (inst?) (("2" (flatten) (("2" (assert) (("2" (inst? -7) (("2" (assert) (("2" (inst -7 "ys!1(1 + i!1 + j!1)") (("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (inst - 0) (("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((leadsto const-decl "bool" bdUnity nil) (specification type-eq-decl nil bdUnity nil) (pred type-eq-decl nil defined_types nil) (<= const-decl "bool" reals nil) (nat_induction formula-decl nil naturalnumbers nil) (stable const-decl "bool" bdUnity nil) (<= const-decl "bool" mucalculus nil) (posint_plus_nnint_is_posint application-judgement "posint" integers nil) (nnint_plus_posint_is_posint application-judgement "posint" integers nil) (exec const-decl "bool" bdUnity nil) (run const-decl "bool" bdUnity nil) (wp const-decl "bool" ownpred nil) (co const-decl "bool" bdUnity nil) (minus_odd_is_odd application-judgement "odd_int" integers nil) (real_ge_is_total_order name-judgement "(total_order?[real])" real_props nil) (int_minus_int_is_int application-judgement "int" integers nil) (- const-decl "[numfield, numfield -> numfield]" number_fields nil) (empty? const-decl "bool" sets nil) (cap const-decl "bool" ownpred nil) (member const-decl "bool" sets nil) (int_plus_int_is_int application-judgement "int" integers nil) (+ const-decl "[numfield, numfield -> numfield]" number_fields nil) (numfield nonempty-type-eq-decl nil number_fields nil) (nnint_plus_nnint_is_nnint application-judgement "nonneg_int" integers nil) (machine_closed formula-decl nil bdUnity nil) (real_le_is_total_order name-judgement "(total_order?[real])" real_props nil) (cup const-decl "bool" ownpred nil) (t formal-type-decl nil bdUnity nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (>= const-decl "bool" reals nil) (bool nonempty-type-eq-decl nil booleans nil) (int nonempty-type-eq-decl nil integers nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (rational nonempty-type-from-decl nil rationals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (real nonempty-type-from-decl nil reals nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (boolean nonempty-type-decl nil booleans nil) (number nonempty-type-decl nil numbers nil) (leto const-decl "bool" bdUnity nil)) shostak))) $$$petersonSafe.pvs % Wim H. Hesselink, August 2016 % Auxiliary analysis for Tournaments for mutual exclusion. % This file proves safety and FCFS for Peterson's two-thread % mutual exclusion algorithm. % The file petersonUnity proves progress at the waiting section. petersonSafe: THEORY BEGIN % 21 NCS % 22 prio[p] := cur ; flag[p] := true; % 23 turn := 1-p ; add p to cur; % 24 await (not flag(1-p) or turn = p) then mu := p ; % remove p from cur ; for all q do remove p from prio[q] ; % 25 CS % 26 mu := bot ; flag(p) := false ; goto 21 . child: TYPE+ = nbit pstate: TYPE = [# turn: child, flag: pred[child], pc: [child -> nat], mu: int, cur: pred[child], prio: [child -> pred[child]] #] x, y: VAR pstate p, q, r: VAR child i, k: VAR nat goto(p, k, x): pstate = x WITH [ `pc(p) := k ] step21(p, x, y): bool = y = goto(p, 22, x) AND x`pc(p) = 21 next22(p, x): pstate = x WITH [ `flag(p) := true, `prio(p) := x`cur, `pc(p) := 23 ] step22(p, x, y): bool = y = next22(p, x) AND x`pc(p) = 22 next23(p, x): pstate = x WITH [ `turn := 1 - p, `cur := add(p, x`cur), `pc(p) := 24 ] step23(p, x, y): bool = y = next23(p, x) AND x`pc(p) = 23 next24(p, x): pstate = x WITH [ `mu := p , `cur := remove(p, x`cur), `prio := (LAMBDA q: remove(p, x`prio(q))), `pc(p) := 25 ] step24(p, x, y): bool = y = next24(p, x) AND x`pc(p) = 24 AND (NOT x`flag(1- p) OR x`turn = p) step25(p, x, y): bool = y = goto(p, 26, x) AND x`pc(p) = 25 next26(p, x): pstate = x WITH [ `flag(p) := false, `mu := -1, `pc(p) := 21 ] step26(p, x, y): bool = y = next26(p, x) AND x`pc(p) = 26 step(p, x, y): bool = step21(p, x, y) OR step22(p, x, y) OR step23(p, x, y) OR step24(p, x, y) OR step25(p, x, y) OR step26(p, x, y) jq0(q, x): bool = 25 <= x`pc(q) IMPLIES x`mu = q jq1(q, x): bool = 23 <= x`pc(q) IMPLIES x`flag(q) jq2(q, x): bool = 25 <= x`pc(q) AND x`pc(1-q) = 24 IMPLIES x`turn = q this_or_other: LEMMA q = p OR q = 1 - p jq0_rest: LEMMA jq0(q, x) AND step(p, x, y) IMPLIES jq0(q, y) OR step24(p, x, y) OR step26(p, x, y) jq0_24: LEMMA jq0(q, x) AND step24(p, x, y) AND jq1(q, x) AND jq2(q, x) IMPLIES jq0(q, y) jq0_26: LEMMA jq0(q, x) AND step26(p, x, y) AND jq0(p, x) IMPLIES jq0(q, y) jq0_step: LEMMA jq0(q, x) AND step(p, x, y) AND jq0(p, x) AND jq1(q, x) AND jq2(q, x) IMPLIES jq0(q, y) jq1_step: LEMMA jq1(q, x) AND step(p, x, y) IMPLIES jq1(q, y) jq2_rest: LEMMA jq2(q, x) AND step(p, x, y) IMPLIES jq2(q, y) OR step24(p, x, y) jq2_24: LEMMA jq2(q, x) AND step24(p, x, y) AND jq1(1-q, x) IMPLIES jq2(q, y) jq2_step: LEMMA jq2(q, x) AND step(p, x, y) AND jq1(1-q, x) IMPLIES jq2(q, y) jq3(q, x): bool = x`flag(q) IMPLIES 23 <= x`pc(q) jq3_step: LEMMA jq3(q, x) AND step(p, x, y) IMPLIES jq3(q, y) jqall(x): bool = FORALL q: jq0(q, x) AND jq1(q, x) AND jq2(q, x) AND jq3(q, x) jqall_step: LEMMA jqall(x) AND step(p, x, y) IMPLIES jqall(y) init(x): bool = x`mu = -1 AND FORALL q: x`pc(q) = 21 AND NOT x`flag(q) AND NOT x`cur(q) AND empty?(x`prio(q)) init_jqall: LEMMA init(x) IMPLIES jqall(x) % To show that Peterson's algorithm satisfies FCFS, we prove that % step 24 can only be taken by thread q if prio(q) is empty. fcfs(q, x): bool = x`pc(q) = 24 AND (NOT x`flag(1-q) OR x`turn = q) IMPLIES empty?(x`prio(q)) % to prove this, we need some more invariants: nq0(q, x): bool = x`cur(q) IMPLIES x`pc(q) = 24 nq0_step: LEMMA nq0(q, x) AND step(p, x, y) IMPLIES nq0(q, y) nq1(q, x): bool = % q is not in prio(q) NOT x`prio(q)(q) nq1_rest: LEMMA nq1(q, x) AND step(p, x, y) IMPLIES nq1(q, y) OR step22(p, x, y) nq1_22: LEMMA nq1(q, x) AND step22(p, x, y) AND nq0(q, x) IMPLIES nq1(q, y) nq1_step: LEMMA nq1(q, x) AND step(p, x, y) AND nq0(q, x) IMPLIES nq1(q, y) nq2(q, r, x): bool = x`prio(q)(r) IMPLIES x`pc(r) = 24 nq2_rest: LEMMA nq2(q, r, x) AND step(p, x, y) IMPLIES nq2(q, r, y) OR step22(p, x, y) nq2_22: LEMMA nq2(q, r, x) AND step22(p, x, y) AND nq0(r, x) IMPLIES nq2(q, r, y) nq2_step: LEMMA nq2(q, r, x) AND step(p, x, y) AND nq0(r, x) IMPLIES nq2(q, r, y) nq3(q, r, x): bool = x`prio(q)(r) AND x`pc(q) = 24 IMPLIES x`turn = r nq3_rest: LEMMA nq3(q, r, x) AND step(p, x, y) IMPLIES nq3(q, r, y) OR step23(p, x, y) nq3_23: LEMMA nq3(q, r, x) AND step23(p, x, y) AND nq1(q, x) AND nq2(q, r, x) IMPLIES nq3(q, r, y) nq3_step: LEMMA nq3(q, r, x) AND step(p, x, y) AND nq1(q, x) AND nq2(q, r, x) IMPLIES nq3(q, r, y) nqall(x): bool = (FORALL q: nq0(q, x) AND nq1(q, x)) AND (FORALL q, r: nq2(q, r, x) AND nq3(q, r, x)) nqall_step: LEMMA nqall(x) AND step(p, x, y) IMPLIES nqall(y) init_nqall: LEMMA init(x) IMPLIES nqall(x) fcfs_implied: LEMMA nq1(q, x) AND nq2(q, 1-q, x) AND nq3(q, 1-q, x) AND jq1(1-q, x) IMPLIES fcfs(q, x) fcfs_again: LEMMA jqall(x) AND nqall(x) IMPLIES fcfs(q, x) END petersonSafe $$$petersonSafe.prf (petersonSafe (child_TCC1 0 (child_TCC1-1 nil 3679130155 ("" (inst + 0) nil nil) ((< const-decl "bool" reals nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (>= const-decl "bool" reals nil) (bool nonempty-type-eq-decl nil booleans nil) (int nonempty-type-eq-decl nil integers nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (rational nonempty-type-from-decl nil rationals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (real nonempty-type-from-decl nil reals nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (boolean nonempty-type-decl nil booleans nil) (number nonempty-type-decl nil numbers nil)) nil)) (next23_TCC1 0 (next23_TCC1-1 nil 3679130155 ("" (subtype-tcc) nil nil) ((minus_odd_is_odd application-judgement "odd_int" integers nil)) nil)) (this_or_other 0 (this_or_other-1 nil 3679130764 ("" (skosimp) (("" (case "p!1=0") (("1" (assert) nil nil) ("2" (assert) nil nil)) nil)) nil) ((child nonempty-type-eq-decl nil petersonSafe nil) (< const-decl "bool" reals nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (>= const-decl "bool" reals nil) (bool nonempty-type-eq-decl nil booleans nil) (int nonempty-type-eq-decl nil integers nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (rational nonempty-type-from-decl nil rationals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (real nonempty-type-from-decl nil reals nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (= const-decl "[T, T -> boolean]" equalities nil) (boolean nonempty-type-decl nil booleans nil) (number nonempty-type-decl nil numbers nil) (int_minus_int_is_int application-judgement "int" integers nil) (minus_odd_is_odd application-judgement "odd_int" integers nil)) shostak)) (jq0_rest 0 (jq0_rest-1 nil 3679130159 ("" (skosimp) (("" (assert) (("" (hide-all-but (1) +) (("" (grind) nil nil)) nil)) nil)) nil) ((minus_odd_is_odd application-judgement "odd_int" integers nil) (int_minus_int_is_int application-judgement "int" integers nil) (real_le_is_total_order name-judgement "(total_order?[real])" real_props nil) (step const-decl "bool" petersonSafe nil) (step25 const-decl "bool" petersonSafe nil) (step23 const-decl "bool" petersonSafe nil) (next23 const-decl "pstate" petersonSafe nil) (step22 const-decl "bool" petersonSafe nil) (next22 const-decl "pstate" petersonSafe nil) (step21 const-decl "bool" petersonSafe nil) (goto const-decl "pstate" petersonSafe nil) (jq0 const-decl "bool" petersonSafe nil)) shostak)) (jq0_24 0 (jq0_24-1 nil 3679130557 ("" (expand "step24") (("" (expand "jq0") (("" (skosimp) (("" (replaceh -2) (("" (expand "next24") (("" (case "q!1=p!1") (("1" (assert) nil nil) ("2" (assert) (("2" (use this_or_other) (("2" (assert) (("2" (replaceh -1) (("2" (assert) (("2" (expand "jq1") (("2" (assert) (("2" (expand "jq2") (("2" (propax) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((jq0 const-decl "bool" petersonSafe nil) (child nonempty-type-eq-decl nil petersonSafe nil) (< const-decl "bool" reals nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (>= const-decl "bool" reals nil) (bool nonempty-type-eq-decl nil booleans nil) (int nonempty-type-eq-decl nil integers nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (rational nonempty-type-from-decl nil rationals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (real nonempty-type-from-decl nil reals nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (= const-decl "[T, T -> boolean]" equalities nil) (boolean nonempty-type-decl nil booleans nil) (number nonempty-type-decl nil numbers nil) (real_le_is_total_order name-judgement "(total_order?[real])" real_props nil) (this_or_other formula-decl nil petersonSafe nil) (jq1 const-decl "bool" petersonSafe nil) (jq2 const-decl "bool" petersonSafe nil) (next24 const-decl "pstate" petersonSafe nil) (step24 const-decl "bool" petersonSafe nil) (int_minus_int_is_int application-judgement "int" integers nil) (minus_odd_is_odd application-judgement "odd_int" integers nil)) shostak)) (jq0_26 0 (jq0_26-1 nil 3679130479 ("" (expand "step26") (("" (expand "jq0") (("" (skosimp) (("" (replaceh -2) (("" (expand "next26") (("" (case "q!1=p!1") (("1" (assert) nil nil) ("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil) ((jq0 const-decl "bool" petersonSafe nil) (child nonempty-type-eq-decl nil petersonSafe nil) (< const-decl "bool" reals nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (>= const-decl "bool" reals nil) (bool nonempty-type-eq-decl nil booleans nil) (int nonempty-type-eq-decl nil integers nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (rational nonempty-type-from-decl nil rationals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (real nonempty-type-from-decl nil reals nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (= const-decl "[T, T -> boolean]" equalities nil) (boolean nonempty-type-decl nil booleans nil) (number nonempty-type-decl nil numbers nil) (real_le_is_total_order name-judgement "(total_order?[real])" real_props nil) (minus_odd_is_odd application-judgement "odd_int" integers nil) (next26 const-decl "pstate" petersonSafe nil) (step26 const-decl "bool" petersonSafe nil)) shostak)) (jq0_step 0 (jq0_step-1 nil 3679131120 ("" (skosimp) (("" (use jq0_rest (y y!1)) (("" (use jq0_24 (y y!1)) (("" (use jq0_26 (y y!1)) (("" (assert) nil nil)) nil)) nil)) nil)) nil) ((jq0_rest formula-decl nil petersonSafe nil) (number nonempty-type-decl nil numbers nil) (boolean nonempty-type-decl nil booleans nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (number_field nonempty-type-from-decl nil number_fields nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (real nonempty-type-from-decl nil reals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (rational nonempty-type-from-decl nil rationals nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (int nonempty-type-eq-decl nil integers nil) (bool nonempty-type-eq-decl nil booleans nil) (>= const-decl "bool" reals nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (< const-decl "bool" reals nil) (child nonempty-type-eq-decl nil petersonSafe nil) (pred type-eq-decl nil defined_types nil) (pstate type-eq-decl nil petersonSafe nil) (jq0_26 formula-decl nil petersonSafe nil) (jq0_24 formula-decl nil petersonSafe nil)) shostak)) (jq1_step 0 (jq1_step-1 nil 3679131188 ("" (skosimp) (("" (expand "step") (("" (assert) (("" (split) (("1" (grind) nil nil) ("2" (grind) nil nil) ("3" (grind) nil nil) ("4" (grind) nil nil) ("5" (grind) nil nil) ("6" (grind) nil nil)) nil)) nil)) nil)) nil) ((step const-decl "bool" petersonSafe nil) (goto const-decl "pstate" petersonSafe nil) (step21 const-decl "bool" petersonSafe nil) (jq1 const-decl "bool" petersonSafe nil) (real_le_is_total_order name-judgement "(total_order?[real])" real_props nil) (next22 const-decl "pstate" petersonSafe nil) (step22 const-decl "bool" petersonSafe nil) (step23 const-decl "bool" petersonSafe nil) (next23 const-decl "pstate" petersonSafe nil) (int_minus_int_is_int application-judgement "int" integers nil) (minus_odd_is_odd application-judgement "odd_int" integers nil) (step24 const-decl "bool" petersonSafe nil) (next24 const-decl "pstate" petersonSafe nil) (step25 const-decl "bool" petersonSafe nil) (next26 const-decl "pstate" petersonSafe nil) (step26 const-decl "bool" petersonSafe nil)) shostak)) (jq2_rest 0 (jq2_rest-1 nil 3679131268 ("" (skosimp) (("" (expand "step") (("" (assert) (("" (hide-all-but (1) +) (("" (split) (("1" (grind) nil nil) ("2" (grind) nil nil) ("3" (grind) nil nil) ("4" (grind) nil nil) ("5" (grind) nil nil)) nil)) nil)) nil)) nil)) nil) ((step const-decl "bool" petersonSafe nil) (next26 const-decl "pstate" petersonSafe nil) (step26 const-decl "bool" petersonSafe nil) (step25 const-decl "bool" petersonSafe nil) (next23 const-decl "pstate" petersonSafe nil) (step23 const-decl "bool" petersonSafe nil) (next22 const-decl "pstate" petersonSafe nil) (step22 const-decl "bool" petersonSafe nil) (minus_odd_is_odd application-judgement "odd_int" integers nil) (int_minus_int_is_int application-judgement "int" integers nil) (real_le_is_total_order name-judgement "(total_order?[real])" real_props nil) (goto const-decl "pstate" petersonSafe nil) (step21 const-decl "bool" petersonSafe nil) (jq2 const-decl "bool" petersonSafe nil)) shostak)) (jq2_24_TCC1 0 (jq2_24_TCC1-1 nil 3679131507 ("" (subtype-tcc) nil nil) ((jq2 const-decl "bool" petersonSafe nil) (next24 const-decl "pstate" petersonSafe nil) (step24 const-decl "bool" petersonSafe nil) (int_minus_int_is_int application-judgement "int" integers nil) (minus_odd_is_odd application-judgement "odd_int" integers nil)) nil)) (jq2_24 0 (jq2_24-1 nil 3679131305 ("" (expand "step24") (("" (expand "jq2") (("" (skosimp) (("" (replaceh -2) (("" (expand "next24") (("" (case "q!1=p!1") (("1" (assert) (("1" (replaceh -1) (("1" (expand "jq1") (("1" (propax) nil nil)) nil)) nil)) nil) ("2" (assert) (("2" (use this_or_other) (("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((jq2 const-decl "bool" petersonSafe nil) (child nonempty-type-eq-decl nil petersonSafe nil) (< const-decl "bool" reals nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (>= const-decl "bool" reals nil) (bool nonempty-type-eq-decl nil booleans nil) (int nonempty-type-eq-decl nil integers nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (rational nonempty-type-from-decl nil rationals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (real nonempty-type-from-decl nil reals nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (= const-decl "[T, T -> boolean]" equalities nil) (boolean nonempty-type-decl nil booleans nil) (number nonempty-type-decl nil numbers nil) (jq1 const-decl "bool" petersonSafe nil) (real_le_is_total_order name-judgement "(total_order?[real])" real_props nil) (this_or_other formula-decl nil petersonSafe nil) (next24 const-decl "pstate" petersonSafe nil) (step24 const-decl "bool" petersonSafe nil) (int_minus_int_is_int application-judgement "int" integers nil) (minus_odd_is_odd application-judgement "odd_int" integers nil)) shostak)) (jq2_step_TCC1 0 (jq2_step_TCC1-1 nil 3679131541 ("" (subtype-tcc) nil nil) ((jq2 const-decl "bool" petersonSafe nil) (goto const-decl "pstate" petersonSafe nil) (step21 const-decl "bool" petersonSafe nil) (next22 const-decl "pstate" petersonSafe nil) (step22 const-decl "bool" petersonSafe nil) (next23 const-decl "pstate" petersonSafe nil) (step23 const-decl "bool" petersonSafe nil) (next24 const-decl "pstate" petersonSafe nil) (step24 const-decl "bool" petersonSafe nil) (step25 const-decl "bool" petersonSafe nil) (next26 const-decl "pstate" petersonSafe nil) (step26 const-decl "bool" petersonSafe nil) (step const-decl "bool" petersonSafe nil) (int_minus_int_is_int application-judgement "int" integers nil) (minus_odd_is_odd application-judgement "odd_int" integers nil)) nil)) (jq2_step 0 (jq2_step-1 nil 3679131542 ("" (skosimp) (("" (use jq2_rest (y y!1)) (("" (use jq2_24 (y y!1)) (("" (assert) nil nil)) nil)) nil)) nil) ((jq2_rest formula-decl nil petersonSafe nil) (number nonempty-type-decl nil numbers nil) (boolean nonempty-type-decl nil booleans nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (number_field nonempty-type-from-decl nil number_fields nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (real nonempty-type-from-decl nil reals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (rational nonempty-type-from-decl nil rationals nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (int nonempty-type-eq-decl nil integers nil) (bool nonempty-type-eq-decl nil booleans nil) (>= const-decl "bool" reals nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (< const-decl "bool" reals nil) (child nonempty-type-eq-decl nil petersonSafe nil) (pred type-eq-decl nil defined_types nil) (pstate type-eq-decl nil petersonSafe nil) (int_minus_int_is_int application-judgement "int" integers nil) (minus_odd_is_odd application-judgement "odd_int" integers nil) (jq2_24 formula-decl nil petersonSafe nil)) shostak)) (jq3_step 0 (jq3_step-1 nil 3679200812 ("" (skosimp) (("" (expand "step") (("" (assert) (("" (split) (("1" (grind) nil nil) ("2" (grind) nil nil) ("3" (grind) nil nil) ("4" (grind) nil nil) ("5" (grind) nil nil) ("6" (grind) nil nil)) nil)) nil)) nil)) nil) ((step const-decl "bool" petersonSafe nil) (goto const-decl "pstate" petersonSafe nil) (step21 const-decl "bool" petersonSafe nil) (jq3 const-decl "bool" petersonSafe nil) (real_le_is_total_order name-judgement "(total_order?[real])" real_props nil) (next22 const-decl "pstate" petersonSafe nil) (step22 const-decl "bool" petersonSafe nil) (step23 const-decl "bool" petersonSafe nil) (next23 const-decl "pstate" petersonSafe nil) (int_minus_int_is_int application-judgement "int" integers nil) (minus_odd_is_odd application-judgement "odd_int" integers nil) (step24 const-decl "bool" petersonSafe nil) (next24 const-decl "pstate" petersonSafe nil) (step25 const-decl "bool" petersonSafe nil) (next26 const-decl "pstate" petersonSafe nil) (step26 const-decl "bool" petersonSafe nil)) shostak)) (jqall_step 0 (jqall_step-2 nil 3679200849 ("" (expand "jqall") (("" (skosimp*) (("" (use jq0_step (p p!1 x x!1 y y!1)) (("" (use jq1_step (p p!1 x x!1 y y!1)) (("" (use jq2_step (p p!1 x x!1 y y!1)) (("" (use jq3_step (p p!1 x x!1 y y!1)) (("" (inst-cp - q!1) (("" (flatten) (("" (assert) (("" (inst-cp - p!1) (("" (flatten) (("" (assert) (("" (assert) (("" (inst - "1-q!1") (("" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((jq1_step formula-decl nil petersonSafe nil) (jq3_step formula-decl nil petersonSafe nil) (int_minus_int_is_int application-judgement "int" integers nil) (real_ge_is_total_order name-judgement "(total_order?[real])" real_props nil) (- const-decl "[numfield, numfield -> numfield]" number_fields nil) (numfield nonempty-type-eq-decl nil number_fields nil) (minus_odd_is_odd application-judgement "odd_int" integers nil) (jq2_step formula-decl nil petersonSafe nil) (pstate type-eq-decl nil petersonSafe nil) (pred type-eq-decl nil defined_types nil) (child nonempty-type-eq-decl nil petersonSafe nil) (< const-decl "bool" reals nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (>= const-decl "bool" reals nil) (bool nonempty-type-eq-decl nil booleans nil) (int nonempty-type-eq-decl nil integers nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (rational nonempty-type-from-decl nil rationals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (real nonempty-type-from-decl nil reals nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (boolean nonempty-type-decl nil booleans nil) (number nonempty-type-decl nil numbers nil) (jq0_step formula-decl nil petersonSafe nil) (jqall const-decl "bool" petersonSafe nil)) nil) (jqall_step-1 nil 3679131657 ("" (expand "jqall") (("" (skosimp*) (("" (use jq0_step (p p!1 x x!1 y y!1)) (("" (use jq1_step (p p!1 x x!1 y y!1)) (("" (use jq2_step (p p!1 x x!1 y y!1)) (("" (inst-cp - q!1) (("" (flatten) (("" (assert) (("" (inst-cp - p!1) (("" (flatten) (("" (assert) (("" (assert) (("" (inst - "1-q!1") (("" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((jq1_step formula-decl nil petersonSafe nil) (minus_odd_is_odd application-judgement "odd_int" integers nil) (int_minus_int_is_int application-judgement "int" integers nil) (numfield nonempty-type-eq-decl nil number_fields nil) (- const-decl "[numfield, numfield -> numfield]" number_fields nil) (real_ge_is_total_order name-judgement "(total_order?[real])" real_props nil) (jq2_step formula-decl nil petersonSafe nil) (pstate type-eq-decl nil petersonSafe nil) (pred type-eq-decl nil defined_types nil) (child nonempty-type-eq-decl nil petersonSafe nil) (< const-decl "bool" reals nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (>= const-decl "bool" reals nil) (bool nonempty-type-eq-decl nil booleans nil) (int nonempty-type-eq-decl nil integers nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (rational nonempty-type-from-decl nil rationals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (real nonempty-type-from-decl nil reals nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (boolean nonempty-type-decl nil booleans nil) (number nonempty-type-decl nil numbers nil) (jq0_step formula-decl nil petersonSafe nil) (jqall const-decl "bool" petersonSafe nil)) shostak)) (init_jqall 0 (init_jqall-1 nil 3679131938 ("" (expand "jqall") (("" (skosimp*) (("" (expand "init") (("" (flatten) (("" (inst - q!1) (("" (flatten) (("" (expand "jq0") (("" (assert) (("" (expand "jq1") (("" (expand "jq2") (("" (expand "jq3") (("" (propax) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((real_le_is_total_order name-judgement "(total_order?[real])" real_props nil) (minus_odd_is_odd application-judgement "odd_int" integers nil) (jq2 const-decl "bool" petersonSafe nil) (jq3 const-decl "bool" petersonSafe nil) (jq1 const-decl "bool" petersonSafe nil) (jq0 const-decl "bool" petersonSafe nil) (child nonempty-type-eq-decl nil petersonSafe nil) (< const-decl "bool" reals nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (>= const-decl "bool" reals nil) (bool nonempty-type-eq-decl nil booleans nil) (int nonempty-type-eq-decl nil integers nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (rational nonempty-type-from-decl nil rationals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (real nonempty-type-from-decl nil reals nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (boolean nonempty-type-decl nil booleans nil) (number nonempty-type-decl nil numbers nil) (init const-decl "bool" petersonSafe nil) (jqall const-decl "bool" petersonSafe nil)) shostak)) (nq0_step 0 (nq0_step-1 nil 3679572073 ("" (skosimp) (("" (expand "step") (("" (assert) (("" (split) (("1" (grind) nil nil) ("2" (grind) nil nil) ("3" (grind) nil nil) ("4" (grind) nil nil) ("5" (grind) nil nil) ("6" (grind) nil nil)) nil)) nil)) nil)) nil) ((step const-decl "bool" petersonSafe nil) (goto const-decl "pstate" petersonSafe nil) (step21 const-decl "bool" petersonSafe nil) (nq0 const-decl "bool" petersonSafe nil) (next22 const-decl "pstate" petersonSafe nil) (step22 const-decl "bool" petersonSafe nil) (member const-decl "bool" sets nil) (add const-decl "(nonempty?)" sets nil) (next23 const-decl "pstate" petersonSafe nil) (step23 const-decl "bool" petersonSafe nil) (int_minus_int_is_int application-judgement "int" integers nil) (minus_odd_is_odd application-judgement "odd_int" integers nil) (/= const-decl "boolean" notequal nil) (remove const-decl "set" sets nil) (next24 const-decl "pstate" petersonSafe nil) (step24 const-decl "bool" petersonSafe nil) (step25 const-decl "bool" petersonSafe nil) (next26 const-decl "pstate" petersonSafe nil) (step26 const-decl "bool" petersonSafe nil)) shostak)) (nq1_rest 0 (nq1_rest-1 nil 3679572155 ("" (skosimp) (("" (expand "step") (("" (assert) (("" (hide-all-but (1) +) (("" (split) (("1" (grind) nil nil) ("2" (grind) nil nil) ("3" (grind) nil nil) ("4" (grind) nil nil) ("5" (grind) nil nil)) nil)) nil)) nil)) nil)) nil) ((step const-decl "bool" petersonSafe nil) (step26 const-decl "bool" petersonSafe nil) (next26 const-decl "pstate" petersonSafe nil) (step25 const-decl "bool" petersonSafe nil) (step24 const-decl "bool" petersonSafe nil) (next24 const-decl "pstate" petersonSafe nil) (remove const-decl "set" sets nil) (member const-decl "bool" sets nil) (/= const-decl "boolean" notequal nil) (minus_odd_is_odd application-judgement "odd_int" integers nil) (int_minus_int_is_int application-judgement "int" integers nil) (step23 const-decl "bool" petersonSafe nil) (next23 const-decl "pstate" petersonSafe nil) (nq1 const-decl "bool" petersonSafe nil) (step21 const-decl "bool" petersonSafe nil) (goto const-decl "pstate" petersonSafe nil)) shostak)) (nq1_22 0 (nq1_22-1 nil 3679572195 ("" (expand "step22") (("" (expand "nq1") (("" (skosimp) (("" (replaceh -1) (("" (expand "next22") (("" (case "q!1=p!1") (("1" (assert) (("1" (expand "nq0") (("1" (propax) nil nil)) nil)) nil) ("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil) ((nq1 const-decl "bool" petersonSafe nil) (child nonempty-type-eq-decl nil petersonSafe nil) (< const-decl "bool" reals nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (>= const-decl "bool" reals nil) (bool nonempty-type-eq-decl nil booleans nil) (int nonempty-type-eq-decl nil integers nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (rational nonempty-type-from-decl nil rationals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (real nonempty-type-from-decl nil reals nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (= const-decl "[T, T -> boolean]" equalities nil) (boolean nonempty-type-decl nil booleans nil) (number nonempty-type-decl nil numbers nil) (nq0 const-decl "bool" petersonSafe nil) (next22 const-decl "pstate" petersonSafe nil) (step22 const-decl "bool" petersonSafe nil)) shostak)) (nq1_step 0 (nq1_step-1 nil 3679572288 ("" (skosimp) (("" (use nq1_rest (y y!1)) (("" (use nq1_22 (y y!1)) (("" (assert) nil nil)) nil)) nil)) nil) ((nq1_rest formula-decl nil petersonSafe nil) (number nonempty-type-decl nil numbers nil) (boolean nonempty-type-decl nil booleans nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (number_field nonempty-type-from-decl nil number_fields nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (real nonempty-type-from-decl nil reals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (rational nonempty-type-from-decl nil rationals nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (int nonempty-type-eq-decl nil integers nil) (bool nonempty-type-eq-decl nil booleans nil) (>= const-decl "bool" reals nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (< const-decl "bool" reals nil) (child nonempty-type-eq-decl nil petersonSafe nil) (pred type-eq-decl nil defined_types nil) (pstate type-eq-decl nil petersonSafe nil) (nq1_22 formula-decl nil petersonSafe nil)) shostak)) (nq2_rest 0 (nq2_rest-1 nil 3679572491 ("" (skosimp) (("" (expand "step") (("" (assert) (("" (hide-all-but (1) +) (("" (split) (("1" (grind) nil nil) ("2" (grind) nil nil) ("3" (grind) nil nil) ("4" (grind) nil nil) ("5" (grind) nil nil)) nil)) nil)) nil)) nil)) nil) ((step const-decl "bool" petersonSafe nil) (step26 const-decl "bool" petersonSafe nil) (next26 const-decl "pstate" petersonSafe nil) (step25 const-decl "bool" petersonSafe nil) (step24 const-decl "bool" petersonSafe nil) (next24 const-decl "pstate" petersonSafe nil) (remove const-decl "set" sets nil) (member const-decl "bool" sets nil) (/= const-decl "boolean" notequal nil) (minus_odd_is_odd application-judgement "odd_int" integers nil) (int_minus_int_is_int application-judgement "int" integers nil) (step23 const-decl "bool" petersonSafe nil) (next23 const-decl "pstate" petersonSafe nil) (nq2 const-decl "bool" petersonSafe nil) (step21 const-decl "bool" petersonSafe nil) (goto const-decl "pstate" petersonSafe nil)) shostak)) (nq2_22 0 (nq2_22-1 nil 3679572573 ("" (expand "step22") (("" (expand "nq2") (("" (skosimp) (("" (replaceh -2) (("" (expand "next22") (("" (case "q!1=p!1") (("1" (assert) (("1" (replaceh -1) (("1" (expand "nq0") (("1" (assert) nil nil)) nil)) nil)) nil) ("2" (assert) (("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((nq2 const-decl "bool" petersonSafe nil) (child nonempty-type-eq-decl nil petersonSafe nil) (< const-decl "bool" reals nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (>= const-decl "bool" reals nil) (bool nonempty-type-eq-decl nil booleans nil) (int nonempty-type-eq-decl nil integers nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (rational nonempty-type-from-decl nil rationals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (real nonempty-type-from-decl nil reals nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (= const-decl "[T, T -> boolean]" equalities nil) (boolean nonempty-type-decl nil booleans nil) (number nonempty-type-decl nil numbers nil) (nq0 const-decl "bool" petersonSafe nil) (next22 const-decl "pstate" petersonSafe nil) (step22 const-decl "bool" petersonSafe nil)) shostak)) (nq2_step 0 (nq2_step-1 nil 3679572908 ("" (skosimp) (("" (use nq2_rest (y y!1)) (("" (use nq2_22 (y y!1)) (("" (assert) nil nil)) nil)) nil)) nil) ((nq2_rest formula-decl nil petersonSafe nil) (number nonempty-type-decl nil numbers nil) (boolean nonempty-type-decl nil booleans nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (number_field nonempty-type-from-decl nil number_fields nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (real nonempty-type-from-decl nil reals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (rational nonempty-type-from-decl nil rationals nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (int nonempty-type-eq-decl nil integers nil) (bool nonempty-type-eq-decl nil booleans nil) (>= const-decl "bool" reals nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (< const-decl "bool" reals nil) (child nonempty-type-eq-decl nil petersonSafe nil) (pred type-eq-decl nil defined_types nil) (pstate type-eq-decl nil petersonSafe nil) (nq2_22 formula-decl nil petersonSafe nil)) shostak)) (nq3_rest 0 (nq3_rest-1 nil 3679573708 ("" (skosimp) (("" (expand "step") (("" (assert) (("" (split) (("1" (grind) nil nil) ("2" (grind) nil nil) ("3" (grind) nil nil) ("4" (grind) nil nil) ("5" (grind) nil nil)) nil)) nil)) nil)) nil) ((step const-decl "bool" petersonSafe nil) (goto const-decl "pstate" petersonSafe nil) (step21 const-decl "bool" petersonSafe nil) (nq3 const-decl "bool" petersonSafe nil) (next23 const-decl "pstate" petersonSafe nil) (step23 const-decl "bool" petersonSafe nil) (int_minus_int_is_int application-judgement "int" integers nil) (minus_odd_is_odd application-judgement "odd_int" integers nil) (next22 const-decl "pstate" petersonSafe nil) (step22 const-decl "bool" petersonSafe nil) (/= const-decl "boolean" notequal nil) (member const-decl "bool" sets nil) (remove const-decl "set" sets nil) (next24 const-decl "pstate" petersonSafe nil) (step24 const-decl "bool" petersonSafe nil) (step25 const-decl "bool" petersonSafe nil) (next26 const-decl "pstate" petersonSafe nil) (step26 const-decl "bool" petersonSafe nil)) shostak)) (nq3_23 0 (nq3_23-1 nil 3679573764 ("" (expand "step23") (("" (expand "nq3") (("" (skosimp) (("" (replaceh -2) (("" (expand "next23") (("" (case "q!1=p!1") (("1" (assert) (("1" (replaceh -1) (("1" (expand "nq1") (("1" (use this_or_other) (("1" (assert) nil nil)) nil)) nil)) nil)) nil) ("2" (assert) (("2" (lemma this_or_other) (("2" (inst - p!1 r!1) (("2" (assert) (("2" (replaceh -1) (("2" (expand "nq2") (("2" (propax) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((nq3 const-decl "bool" petersonSafe nil) (child nonempty-type-eq-decl nil petersonSafe nil) (< const-decl "bool" reals nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (>= const-decl "bool" reals nil) (bool nonempty-type-eq-decl nil booleans nil) (int nonempty-type-eq-decl nil integers nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (rational nonempty-type-from-decl nil rationals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (real nonempty-type-from-decl nil reals nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (= const-decl "[T, T -> boolean]" equalities nil) (boolean nonempty-type-decl nil booleans nil) (number nonempty-type-decl nil numbers nil) (this_or_other formula-decl nil petersonSafe nil) (numfield nonempty-type-eq-decl nil number_fields nil) (- const-decl "[numfield, numfield -> numfield]" number_fields nil) (real_ge_is_total_order name-judgement "(total_order?[real])" real_props nil) (real_lt_is_strict_total_order name-judgement "(strict_total_order?[real])" real_props nil) (nq1 const-decl "bool" petersonSafe nil) (int_minus_int_is_int application-judgement "int" integers nil) (nq2 const-decl "bool" petersonSafe nil) (next23 const-decl "pstate" petersonSafe nil) (minus_odd_is_odd application-judgement "odd_int" integers nil) (step23 const-decl "bool" petersonSafe nil)) shostak)) (nq3_step 0 (nq3_step-1 nil 3679579912 ("" (skosimp) (("" (use nq3_rest (y y!1)) (("" (use nq3_23 (y y!1)) (("" (assert) nil nil)) nil)) nil)) nil) ((nq3_rest formula-decl nil petersonSafe nil) (number nonempty-type-decl nil numbers nil) (boolean nonempty-type-decl nil booleans nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (number_field nonempty-type-from-decl nil number_fields nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (real nonempty-type-from-decl nil reals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (rational nonempty-type-from-decl nil rationals nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (int nonempty-type-eq-decl nil integers nil) (bool nonempty-type-eq-decl nil booleans nil) (>= const-decl "bool" reals nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (< const-decl "bool" reals nil) (child nonempty-type-eq-decl nil petersonSafe nil) (pred type-eq-decl nil defined_types nil) (pstate type-eq-decl nil petersonSafe nil) (nq3_23 formula-decl nil petersonSafe nil)) shostak)) (nqall_step 0 (nqall_step-1 nil 3679580232 ("" (expand "nqall") (("" (skosimp) (("" (split) (("1" (skolem!) (("1" (use nq0_step (p p!1 x x!1 y y!1)) (("1" (use nq1_step (p p!1 x x!1 y y!1)) (("1" (inst?) (("1" (flatten) (("1" (assert) nil nil)) nil)) nil)) nil)) nil)) nil) ("2" (skolem!) (("2" (use nq2_step (p p!1 x x!1 y y!1)) (("2" (use nq3_step (p p!1 x x!1 y y!1)) (("2" (inst? -4) (("2" (flatten) (("2" (assert) (("2" (inst-cp - q!1) (("2" (inst - r!1) (("2" (flatten) (("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((nq3_step formula-decl nil petersonSafe nil) (nq2_step formula-decl nil petersonSafe nil) (nq1_step formula-decl nil petersonSafe nil) (pstate type-eq-decl nil petersonSafe nil) (pred type-eq-decl nil defined_types nil) (child nonempty-type-eq-decl nil petersonSafe nil) (< const-decl "bool" reals nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (>= const-decl "bool" reals nil) (bool nonempty-type-eq-decl nil booleans nil) (int nonempty-type-eq-decl nil integers nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (rational nonempty-type-from-decl nil rationals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (real nonempty-type-from-decl nil reals nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (boolean nonempty-type-decl nil booleans nil) (number nonempty-type-decl nil numbers nil) (nq0_step formula-decl nil petersonSafe nil) (nqall const-decl "bool" petersonSafe nil)) shostak)) (init_nqall 0 (init_nqall-1 nil 3679580428 ("" (expand "init") (("" (expand "nqall") (("" (skosimp) (("" (split) (("1" (skolem!) (("1" (inst - q!1) (("1" (flatten) (("1" (expand "nq1") (("1" (expand "nq0") (("1" (assert) (("1" (expand "empty?") (("1" (inst?) (("1" (expand "member") (("1" (propax) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (skolem!) (("2" (inst - q!1) (("2" (flatten) (("2" (split) (("1" (expand "nq2") (("1" (flatten) (("1" (expand "empty?") (("1" (expand "member") (("1" (inst?) nil nil)) nil)) nil)) nil)) nil) ("2" (expand "nq3") (("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((nqall const-decl "bool" petersonSafe nil) (number nonempty-type-decl nil numbers nil) (boolean nonempty-type-decl nil booleans nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (number_field nonempty-type-from-decl nil number_fields nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (real nonempty-type-from-decl nil reals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (rational nonempty-type-from-decl nil rationals nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (int nonempty-type-eq-decl nil integers nil) (bool nonempty-type-eq-decl nil booleans nil) (>= const-decl "bool" reals nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (< const-decl "bool" reals nil) (child nonempty-type-eq-decl nil petersonSafe nil) (nq1 const-decl "bool" petersonSafe nil) (minus_odd_is_odd application-judgement "odd_int" integers nil) (member const-decl "bool" sets nil) (empty? const-decl "bool" sets nil) (nq0 const-decl "bool" petersonSafe nil) (nq2 const-decl "bool" petersonSafe nil) (nq3 const-decl "bool" petersonSafe nil) (init const-decl "bool" petersonSafe nil)) shostak)) (fcfs_implied 0 (fcfs_implied-1 nil 3679573102 ("" (expand "fcfs") (("" (expand "empty?") (("" (skosimp*) (("" (expand "member") (("" (expand "nq1") (("" (lemma this_or_other) (("" (inst - q!1 x!2) (("" (assert) (("" (expand "nq2") (("" (expand "jq1") (("" (assert) (("" (expand "nq3") (("" (propax) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((empty? const-decl "bool" sets nil) (member const-decl "bool" sets nil) (this_or_other formula-decl nil petersonSafe nil) (jq1 const-decl "bool" petersonSafe nil) (nq3 const-decl "bool" petersonSafe nil) (real_le_is_total_order name-judgement "(total_order?[real])" real_props nil) (nq2 const-decl "bool" petersonSafe nil) (child nonempty-type-eq-decl nil petersonSafe nil) (< const-decl "bool" reals nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (>= const-decl "bool" reals nil) (bool nonempty-type-eq-decl nil booleans nil) (int nonempty-type-eq-decl nil integers nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (rational nonempty-type-from-decl nil rationals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (real nonempty-type-from-decl nil reals nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (boolean nonempty-type-decl nil booleans nil) (number nonempty-type-decl nil numbers nil) (nq1 const-decl "bool" petersonSafe nil) (fcfs const-decl "bool" petersonSafe nil) (int_minus_int_is_int application-judgement "int" integers nil) (minus_odd_is_odd application-judgement "odd_int" integers nil)) shostak)) (fcfs_again 0 (fcfs_again-1 nil 3679581507 ("" (skosimp) (("" (use fcfs_implied) (("" (assert) (("" (expand "nqall") (("" (flatten) (("" (inst?) (("" (inst?) (("" (flatten) (("" (assert) (("" (expand "jqall") (("" (inst?) (("" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((fcfs_implied formula-decl nil petersonSafe nil) (pstate type-eq-decl nil petersonSafe nil) (pred type-eq-decl nil defined_types nil) (child nonempty-type-eq-decl nil petersonSafe nil) (< const-decl "bool" reals nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (>= const-decl "bool" reals nil) (bool nonempty-type-eq-decl nil booleans nil) (int nonempty-type-eq-decl nil integers nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (rational nonempty-type-from-decl nil rationals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (real nonempty-type-from-decl nil reals nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (boolean nonempty-type-decl nil booleans nil) (number nonempty-type-decl nil numbers nil) (nqall const-decl "bool" petersonSafe nil) (jqall const-decl "bool" petersonSafe nil) (numfield nonempty-type-eq-decl nil number_fields nil) (- const-decl "[numfield, numfield -> numfield]" number_fields nil) (real_ge_is_total_order name-judgement "(total_order?[real])" real_props nil) (real_lt_is_strict_total_order name-judgement "(strict_total_order?[real])" real_props nil) (int_minus_int_is_int application-judgement "int" integers nil) (minus_odd_is_odd application-judgement "odd_int" integers nil)) shostak))) $$$petersonUnity.pvs % Wim H. Hesselink, August 2016 % Auxiliary analysis for Tournaments for mutual exclusion. % This file proves progress at the waiting section. petersonUnity: THEORY BEGIN IMPORTING petersonSafe, bdUnity[pstate] p, q, r: VAR child x, y: VAR pstate i: VAR nat step(x, y): bool = x = y OR EXISTS p: step(p, x, y) forward(p)(x, y): bool = step22(p, x, y) OR step23(p, x, y) OR step24(p, x, y) OR step25(p, x, y) OR step26(p, x, y) enabled(q)(x): bool = 22 <= x`pc(q) AND x`pc(q) <= 26 AND (x`pc(q) = 24 IMPLIES NOT x`flag(1-q) OR x`turn = q) enabled_necessary: LEMMA forward(q)(x, y) IMPLIES enabled(q)(x) enabled_sufficient: LEMMA % enabled(q)(x) IMPLIES EXISTS y: forward(q)(x, y) E: specification[pstate] = (# inv := jqall, step := step, fwd := LAMBDA i: IF i < 2 THEN forward(i) ELSE emptyset ENDIF #) enabled_E: LEMMA E`inv(x) IMPLIES enabled(E)(i)(x) = (i < 2 AND enabled(i)(x)) good_E: LEMMA good(E) at(i, q)(x): bool = x`pc(q) = i from22_to_23: LEMMA leto(E)(1, at(22, q), at(23, q)) from23_to_24: LEMMA leto(E)(1, at(23, q), at(24, q)) goal(x): bool = x`mu >= 0 pr1(q)(x): bool = x`pc(q) = 24 AND NOT x`flag(1-q) pr2(q)(x): bool = x`pc(q) = 24 AND x`pc(1-q) = 23 pr3(q)(x): bool = x`pc(q) = 24 AND x`turn = q AND x`pc(1-q) = 24 pr1_to_pr2: LEMMA % ensures, uses jq1 leto(E)(1, pr1(q), cup(pr2(q), goal)) pr2_to_pr3: LEMMA % ensures leto(E)(1, pr2(q), cup(pr3(q), goal)) pr3_to_goal: LEMMA % ensures leto(E)(1, pr3(q), goal) pr2_to_goal: LEMMA % leto(E)(2, pr2(q), goal) pr1_to_goal: LEMMA % leto(E)(3, pr1(q), goal) at24_to_goal: LEMMA leto(E)(3, at(24, q), goal) END petersonUnity $$$petersonUnity.prf (petersonUnity (enabled_TCC1 0 (enabled_TCC1-1 nil 3679136791 ("" (subtype-tcc) nil nil) ((minus_odd_is_odd application-judgement "odd_int" integers nil)) nil)) (enabled_necessary 0 (enabled_necessary-1 nil 3679136797 ("" (grind) nil nil) ((boolean nonempty-type-decl nil booleans nil) (bool nonempty-type-eq-decl nil booleans nil) (NOT const-decl "[bool -> bool]" booleans nil) (number nonempty-type-decl nil numbers nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (number_field nonempty-type-from-decl nil number_fields nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (real nonempty-type-from-decl nil reals nil) (< const-decl "bool" reals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (rational nonempty-type-from-decl nil rationals nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (int nonempty-type-eq-decl nil integers nil) (>= const-decl "bool" reals nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (child nonempty-type-eq-decl nil petersonSafe nil) (real_le_is_total_order name-judgement "(total_order?[real])" real_props nil) (real_lt_is_strict_total_order name-judgement "(strict_total_order?[real])" real_props nil) (next22 const-decl "pstate" petersonSafe nil) (step22 const-decl "bool" petersonSafe nil) (next23 const-decl "pstate" petersonSafe nil) (step23 const-decl "bool" petersonSafe nil) (next24 const-decl "pstate" petersonSafe nil) (step24 const-decl "bool" petersonSafe nil) (goto const-decl "pstate" petersonSafe nil) (step25 const-decl "bool" petersonSafe nil) (next26 const-decl "pstate" petersonSafe nil) (step26 const-decl "bool" petersonSafe nil) (forward const-decl "bool" petersonUnity nil) (enabled const-decl "bool" petersonUnity nil) (minus_odd_is_odd application-judgement "odd_int" integers nil) (int_minus_int_is_int application-judgement "int" integers nil)) shostak)) (enabled_sufficient 0 (enabled_sufficient-1 nil 3679136805 ("" (expand "enabled") (("" (expand "forward") (("" (skosimp) (("" (case "x!1`pc(q!1) = 24") (("1" (assert) (("1" (expand "step24") (("1" (replaceh -4) (("1" (inst + "next24(q!1, x!1) ") nil nil)) nil)) nil)) nil) ("2" (assert) (("2" (hide -3) (("2" (case "x!1`pc(q!1) = 22") (("1" (expand "step22") (("1" (assert) (("1" (inst + "next22(q!1, x!1)") nil nil)) nil)) nil) ("2" (case "x!1`pc(q!1) = 23") (("1" (expand "step23") (("1" (assert) (("1" (inst + "next23(q!1, x!1)") nil nil)) nil)) nil) ("2" (case "x!1`pc(q!1) = 25") (("1" (expand "step25") (("1" (assert) (("1" (inst + "goto(q!1, 26, x!1)") nil nil)) nil)) nil) ("2" (case "x!1`pc(q!1) = 26") (("1" (expand "step26") (("1" (assert) (("1" (inst + "next26(q!1, x!1)") nil nil)) nil)) nil) ("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((forward const-decl "bool" petersonUnity nil) (pstate type-eq-decl nil petersonSafe nil) (pred type-eq-decl nil defined_types nil) (child nonempty-type-eq-decl nil petersonSafe nil) (< const-decl "bool" reals nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (>= const-decl "bool" reals nil) (bool nonempty-type-eq-decl nil booleans nil) (int nonempty-type-eq-decl nil integers nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (rational nonempty-type-from-decl nil rationals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (real nonempty-type-from-decl nil reals nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (= const-decl "[T, T -> boolean]" equalities nil) (boolean nonempty-type-decl nil booleans nil) (number nonempty-type-decl nil numbers nil) (step24 const-decl "bool" petersonSafe nil) (next24 const-decl "pstate" petersonSafe nil) (real_le_is_total_order name-judgement "(total_order?[real])" real_props nil) (next23 const-decl "pstate" petersonSafe nil) (step23 const-decl "bool" petersonSafe nil) (next26 const-decl "pstate" petersonSafe nil) (step26 const-decl "bool" petersonSafe nil) (step25 const-decl "bool" petersonSafe nil) (goto const-decl "pstate" petersonSafe nil) (step22 const-decl "bool" petersonSafe nil) (next22 const-decl "pstate" petersonSafe nil) (enabled const-decl "bool" petersonUnity nil) (int_minus_int_is_int application-judgement "int" integers nil) (minus_odd_is_odd application-judgement "odd_int" integers nil)) shostak)) (enabled_E 0 (enabled_E-1 nil 3679137046 ("" (skosimp) (("" (iff) (("" (prop) (("1" (expand "enabled") (("1" (skolem!) (("1" (expand "E") (("1" (assert) (("1" (expand "emptyset") (("1" (propax) nil nil)) nil)) nil)) nil)) nil)) nil) ("2" (expand enabled -) (("2" (skolem!) (("2" (expand "E") (("2" (split) (("1" (flatten) (("1" (use enabled_necessary) (("1" (assert) nil nil)) nil)) nil) ("2" (flatten) (("2" (expand "emptyset") (("2" (propax) nil nil)) nil)) nil)) nil)) nil)) nil)) nil) ("3" (expand enabled +) (("3" (use enabled_sufficient) (("3" (expand "E") (("3" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil) ((enabled_sufficient formula-decl nil petersonUnity nil) (number nonempty-type-decl nil numbers nil) (boolean nonempty-type-decl nil booleans nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (number_field nonempty-type-from-decl nil number_fields nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (real nonempty-type-from-decl nil reals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (rational nonempty-type-from-decl nil rationals nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (int nonempty-type-eq-decl nil integers nil) (bool nonempty-type-eq-decl nil booleans nil) (>= const-decl "bool" reals nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (< const-decl "bool" reals nil) (child nonempty-type-eq-decl nil petersonSafe nil) (pred type-eq-decl nil defined_types nil) (pstate type-eq-decl nil petersonSafe nil) (enabled_necessary formula-decl nil petersonUnity nil) (enabled const-decl "bool" bdUnity nil) (E const-decl "specification[pstate]" petersonUnity nil) (emptyset const-decl "set" sets nil) (real_lt_is_strict_total_order name-judgement "(strict_total_order?[real])" real_props nil) (finite_emptyset name-judgement "finite_set" finite_sets nil)) shostak)) (good_E 0 (good_E-1 nil 3679137220 ("" (expand "good") (("" (split) (("1" (expand "E") (("1" (expand "reflexive?") (("1" (skolem!) (("1" (expand "step") (("1" (propax) nil nil)) nil)) nil)) nil)) nil) ("2" (expand "<=") (("2" (expand "wp") (("2" (expand "E") (("2" (skosimp*) (("2" (expand "step") (("2" (assert) (("2" (skolem!) (("2" (use jqall_step) (("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("3" (expand "<=") (("3" (expand "E") (("3" (skosimp*) (("3" (expand "emptyset") (("3" (ground) (("3" (expand "step") (("3" (expand "forward") (("3" (flatten) (("3" (inst + k!1) (("3" (expand "step") (("3" (flatten) (("3" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("4" (skosimp) (("4" (expand "is_finite") (("4" (inst + 2 id) (("1" (hide -) (("1" (grind) nil nil)) nil) ("2" (skolem!) (("2" (expand "id") (("2" (typepred x1!1) (("2" (expand "enabled") (("2" (expand "E") (("2" (skosimp) (("2" (assert) (("2" (expand "emptyset") (("2" (propax) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((reflexive? const-decl "bool" relations nil) (step const-decl "bool" petersonUnity nil) (E const-decl "specification[pstate]" petersonUnity nil) (wp const-decl "bool" ownpred nil) (jqall_step formula-decl nil petersonSafe nil) (pstate type-eq-decl nil petersonSafe nil) (pred type-eq-decl nil defined_types nil) (child nonempty-type-eq-decl nil petersonSafe nil) (< const-decl "bool" reals nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (>= const-decl "bool" reals nil) (bool nonempty-type-eq-decl nil booleans nil) (int nonempty-type-eq-decl nil integers nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (rational nonempty-type-from-decl nil rationals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (real nonempty-type-from-decl nil reals nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (boolean nonempty-type-decl nil booleans nil) (number nonempty-type-decl nil numbers nil) (<= const-decl "bool" mucalculus nil) (emptyset const-decl "set" sets nil) (step const-decl "bool" petersonSafe nil) (forward const-decl "bool" petersonUnity nil) (real_lt_is_strict_total_order name-judgement "(strict_total_order?[real])" real_props nil) (is_finite const-decl "bool" finite_sets nil) (finite_emptyset name-judgement "finite_set" finite_sets nil) (NOT const-decl "[bool -> bool]" booleans nil) (injective? const-decl "bool" functions nil) (below type-eq-decl nil nat_types nil) (specification type-eq-decl nil bdUnity nil) (enabled const-decl "bool" bdUnity nil) (x!1 skolem-const-decl "pstate" petersonUnity nil) (bijective? const-decl "bool" functions nil) (id const-decl "(bijective?[T, T])" identity nil) (good const-decl "bool" bdUnity nil)) shostak)) (from22_to_23 0 (from22_to_23-1 nil 3679137687 ("" (s-ensures) (("" (split) (("1" (skosimp*) (("1" (expand "E") (("1" (expand "step") (("1" (assert) (("1" (skolem!) (("1" (hide -2) (("1" (case "q!1=p!1") (("1" (replaceh -1) (("1" (hide 1 2) (("1" (grind) nil nil)) nil)) nil) ("2" (hide 2 4) (("2" (grind) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (inst + q!1) (("2" (split) (("1" (skosimp) (("1" (use enabled_E) (("1" (assert) (("1" (hide 3) (("1" (expand "enabled") (("1" (propax) nil nil)) nil)) nil)) nil)) nil)) nil) ("2" (skosimp) (("2" (expand "E") (("2" (hide -3 -4 1) (("2" (grind) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((goto const-decl "pstate" petersonSafe nil) (step21 const-decl "bool" petersonSafe nil) (next22 const-decl "pstate" petersonSafe nil) (step22 const-decl "bool" petersonSafe nil) (next23 const-decl "pstate" petersonSafe nil) (step23 const-decl "bool" petersonSafe nil) (next24 const-decl "pstate" petersonSafe nil) (step24 const-decl "bool" petersonSafe nil) (step25 const-decl "bool" petersonSafe nil) (next26 const-decl "pstate" petersonSafe nil) (step26 const-decl "bool" petersonSafe nil) (step const-decl "bool" petersonSafe nil) (minus_odd_is_odd application-judgement "odd_int" integers nil) (int_minus_int_is_int application-judgement "int" integers nil) (= const-decl "[T, T -> boolean]" equalities nil) (step const-decl "bool" petersonUnity nil) (enabled_E formula-decl nil petersonUnity nil) (enabled const-decl "bool" petersonUnity nil) (forward const-decl "bool" petersonUnity nil) (neg const-decl "bool" ownpred nil) (cup const-decl "bool" ownpred nil) (cap const-decl "bool" ownpred nil) (wp const-decl "bool" ownpred nil) (<= const-decl "bool" mucalculus nil) (transient const-decl "bool" bdUnity nil) (co const-decl "bool" bdUnity nil) (ensures const-decl "bool" bdUnity nil) (ensures_leto formula-decl nil bdUnity nil) (number nonempty-type-decl nil numbers nil) (boolean nonempty-type-decl nil booleans nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (number_field nonempty-type-from-decl nil number_fields nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (real nonempty-type-from-decl nil reals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (rational nonempty-type-from-decl nil rationals nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (int nonempty-type-eq-decl nil integers nil) (bool nonempty-type-eq-decl nil booleans nil) (>= const-decl "bool" reals nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (< const-decl "bool" reals nil) (child nonempty-type-eq-decl nil petersonSafe nil) (pred type-eq-decl nil defined_types nil) (pstate type-eq-decl nil petersonSafe nil) (E const-decl "specification[pstate]" petersonUnity nil) (specification type-eq-decl nil bdUnity nil) (at const-decl "bool" petersonUnity nil)) shostak)) (from23_to_24 0 (from23_to_24-1 nil 3679137913 ("" (s-ensures) (("" (split) (("1" (expand "E") (("1" (skosimp*) (("1" (expand "step") (("1" (assert) (("1" (skolem!) (("1" (hide -2 1) (("1" (grind) nil nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (inst + q!1) (("2" (split) (("1" (skosimp) (("1" (use enabled_E) (("1" (assert) (("1" (hide 3) (("1" (expand "enabled") (("1" (propax) nil nil)) nil)) nil)) nil)) nil)) nil) ("2" (skosimp) (("2" (expand "E") (("2" (hide -3 -4 1) (("2" (grind) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((step const-decl "bool" petersonSafe nil) (step26 const-decl "bool" petersonSafe nil) (next26 const-decl "pstate" petersonSafe nil) (step25 const-decl "bool" petersonSafe nil) (step24 const-decl "bool" petersonSafe nil) (next24 const-decl "pstate" petersonSafe nil) (step23 const-decl "bool" petersonSafe nil) (next23 const-decl "pstate" petersonSafe nil) (step22 const-decl "bool" petersonSafe nil) (next22 const-decl "pstate" petersonSafe nil) (step21 const-decl "bool" petersonSafe nil) (goto const-decl "pstate" petersonSafe nil) (int_minus_int_is_int application-judgement "int" integers nil) (minus_odd_is_odd application-judgement "odd_int" integers nil) (step const-decl "bool" petersonUnity nil) (enabled_E formula-decl nil petersonUnity nil) (enabled const-decl "bool" petersonUnity nil) (forward const-decl "bool" petersonUnity nil) (neg const-decl "bool" ownpred nil) (cup const-decl "bool" ownpred nil) (cap const-decl "bool" ownpred nil) (wp const-decl "bool" ownpred nil) (<= const-decl "bool" mucalculus nil) (transient const-decl "bool" bdUnity nil) (co const-decl "bool" bdUnity nil) (ensures const-decl "bool" bdUnity nil) (ensures_leto formula-decl nil bdUnity nil) (number nonempty-type-decl nil numbers nil) (boolean nonempty-type-decl nil booleans nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (number_field nonempty-type-from-decl nil number_fields nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (real nonempty-type-from-decl nil reals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (rational nonempty-type-from-decl nil rationals nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (int nonempty-type-eq-decl nil integers nil) (bool nonempty-type-eq-decl nil booleans nil) (>= const-decl "bool" reals nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (< const-decl "bool" reals nil) (child nonempty-type-eq-decl nil petersonSafe nil) (pred type-eq-decl nil defined_types nil) (pstate type-eq-decl nil petersonSafe nil) (E const-decl "specification[pstate]" petersonUnity nil) (specification type-eq-decl nil bdUnity nil) (at const-decl "bool" petersonUnity nil)) shostak)) (pr1_TCC1 0 (pr1_TCC1-1 nil 3679138394 ("" (subtype-tcc) nil nil) ((minus_odd_is_odd application-judgement "odd_int" integers nil)) nil)) (pr1_to_pr2 0 (pr1_to_pr2-2 nil 3679153397 ("" (s-ensures) (("" (split) (("1" (expand "pr1") (("1" (expand "pr2") (("1" (skosimp*) (("1" (expand "E") (("1" (expand "step") (("1" (split -) (("1" (assert) nil nil) ("2" (skolem!) (("2" (case "q!1=p!1") (("1" (replaceh -1) (("1" (expand "step") (("1" (expand "step21") (("1" (assert) (("1" (expand "step22") (("1" (expand "step23") (("1" (expand "step25") (("1" (expand "step26") (("1" (expand "step24") (("1" (replaceh -1) (("1" (expand "next24") (("1" (expand "goal") (("1" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (assert) (("2" (use this_or_other) (("2" (assert) (("2" (replaceh -1) (("2" (assert) (("2" (case "y!1`pc(1 - p!1) = 24") (("1" (assert) (("1" (case "jq1(p!1, s!1)") (("1" (expand "jq1") (("1" (expand "step") (("1" (expand "step23") (("1" (expand "step24") (("1" (assert) (("1" (expand "step25") (("1" (expand "step26") (("1" (split -) (("1" (expand "step21") (("1" (flatten) (("1" (replaceh -1) (("1" (expand "goto") (("1" (propax) nil nil)) nil)) nil)) nil)) nil) ("2" (expand "step22") (("2" (flatten) (("2" (replaceh -1) (("2" (expand "next22") (("2" (propax) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (expand "jqall") (("2" (inst?) (("2" (assert) nil nil)) nil)) nil)) nil)) nil) ("2" (hide-all-but (-1 -2 1)) (("2" (grind) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (inst + q!1) (("2" (split) (("1" (expand "pr1") (("1" (skosimp) (("1" (use enabled_E) (("1" (assert) (("1" (hide 5) (("1" (expand "enabled") (("1" (propax) nil nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (expand "pr1") (("2" (expand "pr2") (("2" (expand "goal") (("2" (skosimp) (("2" (expand "E") (("2" (expand "forward") (("2" (expand "step22") (("2" (assert) (("2" (expand "step23") (("2" (expand "step25") (("2" (expand "step26") (("2" (expand "step24") (("2" (expand "next24") (("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((= const-decl "[T, T -> boolean]" equalities nil) (step const-decl "bool" petersonSafe nil) (step23 const-decl "bool" petersonSafe nil) (step26 const-decl "bool" petersonSafe nil) (real_ge_is_total_order name-judgement "(total_order?[real])" real_props nil) (next24 const-decl "pstate" petersonSafe nil) (step24 const-decl "bool" petersonSafe nil) (step25 const-decl "bool" petersonSafe nil) (step22 const-decl "bool" petersonSafe nil) (step21 const-decl "bool" petersonSafe nil) (this_or_other formula-decl nil petersonSafe nil) (numfield nonempty-type-eq-decl nil number_fields nil) (- const-decl "[numfield, numfield -> numfield]" number_fields nil) (jq1 const-decl "bool" petersonSafe nil) (goto const-decl "pstate" petersonSafe nil) (next22 const-decl "pstate" petersonSafe nil) (real_le_is_total_order name-judgement "(total_order?[real])" real_props nil) (jqall const-decl "bool" petersonSafe nil) (next23 const-decl "pstate" petersonSafe nil) (next26 const-decl "pstate" petersonSafe nil) (step const-decl "bool" petersonUnity nil) (int_minus_int_is_int application-judgement "int" integers nil) (minus_odd_is_odd application-judgement "odd_int" integers nil) (enabled const-decl "bool" petersonUnity nil) (enabled_E formula-decl nil petersonUnity nil) (forward const-decl "bool" petersonUnity nil) (neg const-decl "bool" ownpred nil) (cap const-decl "bool" ownpred nil) (wp const-decl "bool" ownpred nil) (<= const-decl "bool" mucalculus nil) (transient const-decl "bool" bdUnity nil) (co const-decl "bool" bdUnity nil) (ensures const-decl "bool" bdUnity nil) (ensures_leto formula-decl nil bdUnity nil) (number nonempty-type-decl nil numbers nil) (boolean nonempty-type-decl nil booleans nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (number_field nonempty-type-from-decl nil number_fields nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (real nonempty-type-from-decl nil reals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (rational nonempty-type-from-decl nil rationals nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (int nonempty-type-eq-decl nil integers nil) (bool nonempty-type-eq-decl nil booleans nil) (>= const-decl "bool" reals nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (< const-decl "bool" reals nil) (child nonempty-type-eq-decl nil petersonSafe nil) (pred type-eq-decl nil defined_types nil) (pstate type-eq-decl nil petersonSafe nil) (E const-decl "specification[pstate]" petersonUnity nil) (specification type-eq-decl nil bdUnity nil) (goal const-decl "bool" petersonUnity nil) (pr2 const-decl "bool" petersonUnity nil) (cup const-decl "bool" ownpred nil) (pr1 const-decl "bool" petersonUnity nil)) nil) (pr1_to_pr2-1 nil 3679138396 ("" (s-ensures) (("" (split) (("1" (expand "pr1") (("1" (expand "pr2") (("1" (skosimp*) (("1" (expand "E") (("1" (expand "step") (("1" (split -) (("1" (assert) nil nil) ("2" (skolem!) (("2" (case "q!1=p!1") (("1" (replaceh -1) (("1" (expand "step") (("1" (expand "step21") (("1" (assert) (("1" (expand "step22") (("1" (expand "step23") (("1" (expand "step25") (("1" (expand "step26") (("1" (expand "step24") (("1" (replaceh -1) (("1" (expand "next24") (("1" (expand "goal") (("1" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (assert) (("2" (use this_or_other) (("2" (assert) (("2" (replaceh -1) (("2" (assert) (("2" (case "y!1`pc(1 - p!1) = 24") (("1" (assert) (("1" (case "jq1(p!1, s!1)") (("1" (expand "jq1") (("1" (expand "step") (("1" (expand "step23") (("1" (expand "step24") (("1" (assert) (("1" (expand "step25") (("1" (expand "step26") (("1" (split -) (("1" (expand "step21") (("1" (flatten) (("1" (replaceh -1) (("1" (expand "goto") (("1" (propax) nil nil)) nil)) nil)) nil)) nil) ("2" (expand "step22") (("2" (flatten) (("2" (replaceh -1) (("2" (expand "next22") (("2" (propax) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (expand "jqall") (("2" (inst?) (("2" (assert) nil nil)) nil)) nil)) nil)) nil) ("2" (hide-all-but (-1 -2 1)) (("2" (grind) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (inst + q!1) (("2" (split) (("1" (expand "pr1") (("1" (skosimp) (("1" (use enabled_E) (("1" (assert) (("1" (hide 5) (("1" (expand "enabled") (("1" (propax) nil nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (expand "pr1") (("2" (expand "pr2") (("2" (expand "goal") (("2" (skosimp) (("2" (expand "E") (("2" (expand "forward") (("2" (expand "step22") (("2" (assert) (("2" (expand "step23") (("2" (expand "step25") (("2" (expand "step26") (("2" (expand "step24") (("2" (expand "next24") (("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((pr1 const-decl "bool" petersonUnity nil) (cup const-decl "bool" ownpred nil) (pr2 const-decl "bool" petersonUnity nil) (goal const-decl "bool" petersonUnity nil) (specification type-eq-decl nil bdUnity nil) (E const-decl "specification[pstate]" petersonUnity nil) (pstate type-eq-decl nil petersonSafe nil) (pred type-eq-decl nil defined_types nil) (child nonempty-type-eq-decl nil petersonSafe nil) (< const-decl "bool" reals nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (>= const-decl "bool" reals nil) (bool nonempty-type-eq-decl nil booleans nil) (int nonempty-type-eq-decl nil integers nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (rational nonempty-type-from-decl nil rationals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (real nonempty-type-from-decl nil reals nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (boolean nonempty-type-decl nil booleans nil) (number nonempty-type-decl nil numbers nil) (ensures_leto formula-decl nil bdUnity nil) (ensures const-decl "bool" bdUnity nil) (co const-decl "bool" bdUnity nil) (cobar const-decl "bool" bdUnity nil) (<= const-decl "bool" mucalculus nil) (wp const-decl "bool" ownpred nil) (cap const-decl "bool" ownpred nil) (neg const-decl "bool" ownpred nil) (forward const-decl "bool" petersonUnity nil) (enabled_E formula-decl nil petersonUnity nil) (enabled const-decl "bool" petersonUnity nil) (minus_odd_is_odd application-judgement "odd_int" integers nil) (int_minus_int_is_int application-judgement "int" integers nil) (step const-decl "bool" petersonUnity nil) (next26 const-decl "pstate" petersonSafe nil) (next23 const-decl "pstate" petersonSafe nil) (jqall const-decl "bool" petersonSafe nil) (real_le_is_total_order name-judgement "(total_order?[real])" real_props nil) (next22 const-decl "pstate" petersonSafe nil) (goto const-decl "pstate" petersonSafe nil) (jq1 const-decl "bool" petersonSafe nil) (- const-decl "[numfield, numfield -> numfield]" number_fields nil) (numfield nonempty-type-eq-decl nil number_fields nil) (this_or_other formula-decl nil petersonSafe nil) (step21 const-decl "bool" petersonSafe nil) (step22 const-decl "bool" petersonSafe nil) (step25 const-decl "bool" petersonSafe nil) (step24 const-decl "bool" petersonSafe nil) (next24 const-decl "pstate" petersonSafe nil) (real_ge_is_total_order name-judgement "(total_order?[real])" real_props nil) (step26 const-decl "bool" petersonSafe nil) (step23 const-decl "bool" petersonSafe nil) (step const-decl "bool" petersonSafe nil) (= const-decl "[T, T -> boolean]" equalities nil)) shostak)) (pr2_to_pr3 0 (pr2_to_pr3-2 nil 3679153828 ("" (s-ensures) (("" (split) (("1" (expand "pr2") (("1" (expand "pr3") (("1" (skosimp*) (("1" (expand "E") (("1" (expand "step") (("1" (split -) (("1" (assert) nil nil) ("2" (skolem!) (("2" (case "q!1=p!1") (("1" (replaceh -1) (("1" (expand "step") (("1" (expand "step21") (("1" (assert) (("1" (expand "step22") (("1" (expand "step23") (("1" (expand "step25") (("1" (expand "step26") (("1" (expand "step24") (("1" (flatten) (("1" (expand "goal") (("1" (replaceh -1) (("1" (expand "next24") (("1" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (assert) (("2" (use this_or_other) (("2" (assert) (("2" (replaceh -1) (("2" (assert) (("2" (expand "step") (("2" (expand "step21") (("2" (expand "step22") (("2" (expand "step24") (("2" (expand "step25") (("2" (expand "step26") (("2" (expand "step23") (("2" (replaceh -1) (("2" (expand "next23") (("2" (propax) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (inst + "1-q!1") (("2" (split) (("1" (expand "pr2") (("1" (skosimp) (("1" (use enabled_E) (("1" (assert) (("1" (hide 3) (("1" (expand "enabled") (("1" (propax) nil nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (expand "pr2") (("2" (expand "pr3") (("2" (skosimp) (("2" (expand "E") (("2" (expand "forward") (("2" (expand "step22") (("2" (assert) (("2" (expand "step25") (("2" (expand "step24") (("2" (expand "step26") (("2" (expand "step23") (("2" (replaceh -3) (("2" (expand "next23") (("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((int_minus_int_is_int application-judgement "int" integers nil) (= const-decl "[T, T -> boolean]" equalities nil) (step const-decl "bool" petersonSafe nil) (step23 const-decl "bool" petersonSafe nil) (step26 const-decl "bool" petersonSafe nil) (real_ge_is_total_order name-judgement "(total_order?[real])" real_props nil) (next24 const-decl "pstate" petersonSafe nil) (step24 const-decl "bool" petersonSafe nil) (step25 const-decl "bool" petersonSafe nil) (step22 const-decl "bool" petersonSafe nil) (step21 const-decl "bool" petersonSafe nil) (this_or_other formula-decl nil petersonSafe nil) (next23 const-decl "pstate" petersonSafe nil) (step const-decl "bool" petersonUnity nil) (minus_odd_is_odd application-judgement "odd_int" integers nil) (enabled const-decl "bool" bdUnity nil) (enabled const-decl "bool" petersonUnity nil) (enabled_E formula-decl nil petersonUnity nil) (forward const-decl "bool" petersonUnity nil) (numfield nonempty-type-eq-decl nil number_fields nil) (- const-decl "[numfield, numfield -> numfield]" number_fields nil) (neg const-decl "bool" ownpred nil) (cap const-decl "bool" ownpred nil) (wp const-decl "bool" ownpred nil) (<= const-decl "bool" mucalculus nil) (transient const-decl "bool" bdUnity nil) (co const-decl "bool" bdUnity nil) (ensures const-decl "bool" bdUnity nil) (ensures_leto formula-decl nil bdUnity nil) (number nonempty-type-decl nil numbers nil) (boolean nonempty-type-decl nil booleans nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (number_field nonempty-type-from-decl nil number_fields nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (real nonempty-type-from-decl nil reals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (rational nonempty-type-from-decl nil rationals nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (int nonempty-type-eq-decl nil integers nil) (bool nonempty-type-eq-decl nil booleans nil) (>= const-decl "bool" reals nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (< const-decl "bool" reals nil) (child nonempty-type-eq-decl nil petersonSafe nil) (pred type-eq-decl nil defined_types nil) (pstate type-eq-decl nil petersonSafe nil) (E const-decl "specification[pstate]" petersonUnity nil) (specification type-eq-decl nil bdUnity nil) (goal const-decl "bool" petersonUnity nil) (pr3 const-decl "bool" petersonUnity nil) (cup const-decl "bool" ownpred nil) (pr2 const-decl "bool" petersonUnity nil)) nil) (pr2_to_pr3-1 nil 3679151962 ("" (s-ensures) (("" (split) (("1" (expand "pr2") (("1" (expand "pr3") (("1" (skosimp*) (("1" (expand "E") (("1" (expand "step") (("1" (split -) (("1" (assert) nil nil) ("2" (skolem!) (("2" (case "q!1=p!1") (("1" (replaceh -1) (("1" (expand "step") (("1" (expand "step21") (("1" (assert) (("1" (expand "step22") (("1" (expand "step23") (("1" (expand "step25") (("1" (expand "step26") (("1" (expand "step24") (("1" (flatten) (("1" (case "jq1(1-p!1, s!1)") (("1" (expand "jq1") (("1" (expand "goal") (("1" (replaceh -2) (("1" (expand "next24") (("1" (assert) nil nil)) nil)) nil)) nil)) nil) ("2" (expand "jqall") (("2" (inst?) (("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (assert) (("2" (use this_or_other) (("2" (assert) (("2" (replaceh -1) (("2" (assert) (("2" (expand "step") (("2" (expand "step21") (("2" (expand "step22") (("2" (expand "step24") (("2" (expand "step25") (("2" (expand "step26") (("2" (expand "step23") (("2" (replaceh -1) (("2" (expand "next23") (("2" (propax) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (inst + "1-q!1") (("2" (split) (("1" (expand "pr2") (("1" (skosimp) (("1" (use enabled_E) (("1" (assert) (("1" (hide 3) (("1" (expand "enabled") (("1" (propax) nil nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (expand "pr2") (("2" (expand "pr3") (("2" (skosimp) (("2" (expand "E") (("2" (expand "forward") (("2" (expand "step22") (("2" (assert) (("2" (expand "step25") (("2" (expand "step24") (("2" (expand "step26") (("2" (expand "step23") (("2" (replaceh -4) (("2" (expand "next23") (("2" (propax) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((pr2 const-decl "bool" petersonUnity nil) (cup const-decl "bool" ownpred nil) (pr3 const-decl "bool" petersonUnity nil) (goal const-decl "bool" petersonUnity nil) (specification type-eq-decl nil bdUnity nil) (E const-decl "specification[pstate]" petersonUnity nil) (pstate type-eq-decl nil petersonSafe nil) (pred type-eq-decl nil defined_types nil) (child nonempty-type-eq-decl nil petersonSafe nil) (< const-decl "bool" reals nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (>= const-decl "bool" reals nil) (bool nonempty-type-eq-decl nil booleans nil) (int nonempty-type-eq-decl nil integers nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (rational nonempty-type-from-decl nil rationals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (real nonempty-type-from-decl nil reals nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (boolean nonempty-type-decl nil booleans nil) (number nonempty-type-decl nil numbers nil) (ensures_leto formula-decl nil bdUnity nil) (ensures const-decl "bool" bdUnity nil) (co const-decl "bool" bdUnity nil) (cobar const-decl "bool" bdUnity nil) (<= const-decl "bool" mucalculus nil) (wp const-decl "bool" ownpred nil) (cap const-decl "bool" ownpred nil) (neg const-decl "bool" ownpred nil) (forward const-decl "bool" petersonUnity nil) (enabled_E formula-decl nil petersonUnity nil) (enabled const-decl "bool" petersonUnity nil) (enabled const-decl "bool" bdUnity nil) (minus_odd_is_odd application-judgement "odd_int" integers nil) (step const-decl "bool" petersonUnity nil) (next23 const-decl "pstate" petersonSafe nil) (this_or_other formula-decl nil petersonSafe nil) (step21 const-decl "bool" petersonSafe nil) (step22 const-decl "bool" petersonSafe nil) (step25 const-decl "bool" petersonSafe nil) (step24 const-decl "bool" petersonSafe nil) (jq1 const-decl "bool" petersonSafe nil) (numfield nonempty-type-eq-decl nil number_fields nil) (- const-decl "[numfield, numfield -> numfield]" number_fields nil) (real_ge_is_total_order name-judgement "(total_order?[real])" real_props nil) (next24 const-decl "pstate" petersonSafe nil) (jqall const-decl "bool" petersonSafe nil) (step26 const-decl "bool" petersonSafe nil) (step23 const-decl "bool" petersonSafe nil) (step const-decl "bool" petersonSafe nil) (= const-decl "[T, T -> boolean]" equalities nil) (int_minus_int_is_int application-judgement "int" integers nil)) shostak)) (pr3_to_goal 0 (pr3_to_goal-1 nil 3679152468 ("" (s-ensures) (("" (split) (("1" (expand "pr3") (("1" (expand "goal") (("1" (skosimp*) (("1" (expand "E") (("1" (expand "step") (("1" (split -) (("1" (assert) nil nil) ("2" (skolem!) (("2" (case "q!1=p!1") (("1" (replaceh -1) (("1" (expand "step") (("1" (expand "step21") (("1" (assert) (("1" (expand "step22") (("1" (expand "step23") (("1" (expand "step25") (("1" (expand "step26") (("1" (expand "step24") (("1" (replaceh -1) (("1" (expand "next24") (("1" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (use this_or_other) (("2" (assert) (("2" (replaceh -1) (("2" (assert) (("2" (expand "step") (("2" (expand "step21") (("2" (expand "step22") (("2" (expand "step23") (("2" (expand "step25") (("2" (expand "step26") (("2" (expand "step24") (("2" (flatten) (("2" (replaceh -1) (("2" (expand "next24") (("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (inst + q!1) (("2" (split) (("1" (expand "pr3") (("1" (skosimp) (("1" (use enabled_E) (("1" (assert) (("1" (hide 3) (("1" (expand "enabled") (("1" (propax) nil nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (expand "pr3") (("2" (expand "goal") (("2" (skosimp) (("2" (expand "E") (("2" (expand "forward") (("2" (expand "step22") (("2" (assert) (("2" (expand "step23") (("2" (expand "step25") (("2" (expand "step26") (("2" (expand "step24") (("2" (replaceh -5) (("2" (expand "next24") (("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((int_minus_int_is_int application-judgement "int" integers nil) (real_ge_is_total_order name-judgement "(total_order?[real])" real_props nil) (= const-decl "[T, T -> boolean]" equalities nil) (step const-decl "bool" petersonSafe nil) (step23 const-decl "bool" petersonSafe nil) (step26 const-decl "bool" petersonSafe nil) (next24 const-decl "pstate" petersonSafe nil) (step24 const-decl "bool" petersonSafe nil) (step25 const-decl "bool" petersonSafe nil) (step22 const-decl "bool" petersonSafe nil) (step21 const-decl "bool" petersonSafe nil) (this_or_other formula-decl nil petersonSafe nil) (step const-decl "bool" petersonUnity nil) (minus_odd_is_odd application-judgement "odd_int" integers nil) (enabled const-decl "bool" petersonUnity nil) (enabled_E formula-decl nil petersonUnity nil) (forward const-decl "bool" petersonUnity nil) (neg const-decl "bool" ownpred nil) (cup const-decl "bool" ownpred nil) (cap const-decl "bool" ownpred nil) (wp const-decl "bool" ownpred nil) (<= const-decl "bool" mucalculus nil) (transient const-decl "bool" bdUnity nil) (co const-decl "bool" bdUnity nil) (ensures const-decl "bool" bdUnity nil) (ensures_leto formula-decl nil bdUnity nil) (number nonempty-type-decl nil numbers nil) (boolean nonempty-type-decl nil booleans nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (number_field nonempty-type-from-decl nil number_fields nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (real nonempty-type-from-decl nil reals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (rational nonempty-type-from-decl nil rationals nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (int nonempty-type-eq-decl nil integers nil) (bool nonempty-type-eq-decl nil booleans nil) (>= const-decl "bool" reals nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (< const-decl "bool" reals nil) (child nonempty-type-eq-decl nil petersonSafe nil) (pred type-eq-decl nil defined_types nil) (pstate type-eq-decl nil petersonSafe nil) (E const-decl "specification[pstate]" petersonUnity nil) (specification type-eq-decl nil bdUnity nil) (goal const-decl "bool" petersonUnity nil) (pr3 const-decl "bool" petersonUnity nil)) shostak)) (pr2_to_goal 0 (pr2_to_goal-1 nil 3679154171 ("" (skolem!) (("" (use pr2_to_pr3) (("" (use pr3_to_goal) (("" (lemma leto_transitive_1) (("" (inst - 1 1 "pr2(q!1)" "pr3(q!1)" goal E) (("" (assert) nil nil)) nil)) nil)) nil)) nil)) nil) ((pr2_to_pr3 formula-decl nil petersonUnity nil) (child nonempty-type-eq-decl nil petersonSafe nil) (< const-decl "bool" reals nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (>= const-decl "bool" reals nil) (bool nonempty-type-eq-decl nil booleans nil) (int nonempty-type-eq-decl nil integers nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (rational nonempty-type-from-decl nil rationals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (real nonempty-type-from-decl nil reals nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (boolean nonempty-type-decl nil booleans nil) (number nonempty-type-decl nil numbers nil) (pstate type-eq-decl nil petersonSafe nil) (pred type-eq-decl nil defined_types nil) (leto_transitive_1 formula-decl nil bdUnity nil) (E const-decl "specification[pstate]" petersonUnity nil) (specification type-eq-decl nil bdUnity nil) (goal const-decl "bool" petersonUnity nil) (pr3 const-decl "bool" petersonUnity nil) (pr2 const-decl "bool" petersonUnity nil) (pr3_to_goal formula-decl nil petersonUnity nil)) shostak)) (pr1_to_goal 0 (pr1_to_goal-1 nil 3679154289 ("" (skolem!) (("" (use pr1_to_pr2) (("" (use pr2_to_goal) (("" (lemma leto_transitive_1) (("" (inst - 1 2 _ _ _ _) (("" (inst?) (("" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil) ((pr1_to_pr2 formula-decl nil petersonUnity nil) (child nonempty-type-eq-decl nil petersonSafe nil) (< const-decl "bool" reals nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (>= const-decl "bool" reals nil) (bool nonempty-type-eq-decl nil booleans nil) (int nonempty-type-eq-decl nil integers nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (rational nonempty-type-from-decl nil rationals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (real nonempty-type-from-decl nil reals nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (boolean nonempty-type-decl nil booleans nil) (number nonempty-type-decl nil numbers nil) (pstate type-eq-decl nil petersonSafe nil) (pred type-eq-decl nil defined_types nil) (leto_transitive_1 formula-decl nil bdUnity nil) (pr1 const-decl "bool" petersonUnity nil) (pr2 const-decl "bool" petersonUnity nil) (goal const-decl "bool" petersonUnity nil) (specification type-eq-decl nil bdUnity nil) (E const-decl "specification[pstate]" petersonUnity nil) (pr2_to_goal formula-decl nil petersonUnity nil)) shostak)) (at24_to_goal 0 (at24_to_goal-2 nil 3679200422 ("" (skolem!) (("" (lemma sub_leto) (("" (inst - 3 "at(24, q!1)" "cup(goal, cup(pr1(q!1), cup(pr2(q!1), cup (pr3(q!1), pr3(1-q!1)))))" "goal" E) (("" (assert) (("" (hide 2) (("" (split) (("1" (expand "<=") (("1" (expand "cup") (("1" (expand "cap") (("1" (expand "at") (("1" (expand "goal") (("1" (expand "pr1") (("1" (expand "pr2") (("1" (expand "pr3") (("1" (skosimp) (("1" (assert) (("1" (case "jq0(1 - q!1, s!1) AND jq3(1 - q!1, s!1)") (("1" (flatten) (("1" (expand "jq0") (("1" (expand "jq3") (("1" (assert) nil nil)) nil)) nil)) nil) ("2" (expand "E") (("2" (expand "jqall") (("2" (inst?) (("2" (flatten) (("2" (assert) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (use cup_leto) (("2" (assert) (("2" (hide 2) (("2" (split) (("1" (use subset_leto) (("1" (assert) (("1" (hide 2) (("1" (expand "<=") (("1" (expand "cap") (("1" (skosimp) nil nil)) nil)) nil)) nil)) nil)) nil) ("2" (use cup_leto) (("2" (assert) (("2" (hide 2) (("2" (split) (("1" (use pr1_to_goal) nil nil) ("2" (use cup_leto) (("2" (assert) (("2" (hide 2) (("2" (lemma leto_up) (("2" (split) (("1" (use pr2_to_goal) (("1" (inst - 2 3 _ _ _) (("1" (inst?) (("1" (assert) nil nil)) nil)) nil)) nil) ("2" (inst - 1 3 _ _ _) (("2" (inst?) (("2" (assert) (("2" (hide 1) (("2" (use cup_leto) (("2" (assert) (("2" (hide 2) (("2" (split) (("1" (use pr3_to_goal) nil nil) ("2" (use pr3_to_goal (q "1-q!1")) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ((pstate type-eq-decl nil petersonSafe nil) (pred type-eq-decl nil defined_types nil) (child nonempty-type-eq-decl nil petersonSafe nil) (< const-decl "bool" reals nil) (nat nonempty-type-eq-decl nil naturalnumbers nil) (>= const-decl "bool" reals nil) (bool nonempty-type-eq-decl nil booleans nil) (int nonempty-type-eq-decl nil integers nil) (integer_pred const-decl "[rational -> boolean]" integers nil) (rational nonempty-type-from-decl nil rationals nil) (rational_pred const-decl "[real -> boolean]" rationals nil) (real nonempty-type-from-decl nil reals nil) (real_pred const-decl "[number_field -> boolean]" reals nil) (number_field nonempty-type-from-decl nil number_fields nil) (number_field_pred const-decl "[number -> boolean]" number_fields nil) (boolean nonempty-type-decl nil booleans nil) (number nonempty-type-decl nil numbers nil) (sub_leto formula-decl nil bdUnity nil) (jqall const-decl "bool" petersonSafe nil) (real_le_is_total_order name-judgement "(total_order?[real])" real_props nil) (IMPLIES const-decl "[bool, bool -> bool]" booleans nil) (jq3 const-decl "bool" petersonSafe nil) (jq0 const-decl "bool" petersonSafe nil) (AND const-decl "[bool, bool -> bool]" booleans nil) (cap const-decl "bool" ownpred nil) (<= const-decl "bool" mucalculus nil) (subset_leto formula-decl nil bdUnity nil) (pr1_to_goal formula-decl nil petersonUnity nil) (leto_up formula-decl nil bdUnity nil) (pr3_to_goal formula-decl nil petersonUnity nil) (pr2_to_goal formula-decl nil petersonUnity nil) (cup_leto formula-decl nil bdUnity nil) (E const-decl "specification[pstate]" petersonUnity nil) (specification type-eq-decl nil bdUnity nil) (- const-decl "[numfield, numfield -> numfield]" number_fields nil) (numfield nonempty-type-eq-decl nil number_fields nil) (pr3 const-decl "bool" petersonUnity nil) (pr2 const-decl "bool" petersonUnity nil) (pr1 const-decl "bool" petersonUnity nil) (goal const-decl "bool" petersonUnity nil) (cup const-decl "bool" ownpred nil) (at const-decl "bool" petersonUnity nil) (int_minus_int_is_int application-judgement "int" integers nil) (real_ge_is_total_order name-judgement "(total_order?[real])" real_props nil) (minus_odd_is_odd application-judgement "odd_int" integers nil) (real_lt_is_strict_total_order name-judgement "(strict_total_order?[real])" real_props nil)) nil) (at24_to_goal-1 nil 3679200003 ("" (skolem!) (("" (lemma sub_leto) (("" (inst - 3 "at(q!1, 24)" "cup(goal, cup(pr1(q!1), cup(pr2(q!1), cup (pr3(q!1), pr3(1-q!1)))))" "goal" E) (("" (assert) (("" (hide 2) (("" (split) (("1" (expand "<=") (("1" (expand "cup") (("1" (expand "cap") (("1" (expand "at") (("1" (expand "goal") (("1" (expand "pr1") (("1" (expand "pr2") (("1" (expand "pr3") (("1" (skosimp) (("1" (assert) (("1" (postpone) nil nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil)) nil) ("2" (postpone) nil nil)) nil)) nil)) nil)) nil)) nil)) nil) nil shostak)))