diff --git a/README.md b/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..62c674a68fbc889315d38e05e5a44bf7f24f3c36
--- /dev/null
+++ b/README.md
@@ -0,0 +1 @@
+based on branch extract_bv32_reg
diff --git a/bv_op.mlw b/bv_op.mlw
new file mode 100644
index 0000000000000000000000000000000000000000..46de61bf59a387059ae9fbe1e5acd81d17aa7300
--- /dev/null
+++ b/bv_op.mlw
@@ -0,0 +1,38 @@
+module BV_OP
+
+ use bv.BV32
+
+ let function bv_add i1 i2:int
+ ensures {
+ result = BV32.to_int (BV32.add (BV32.of_int i1) (BV32.of_int i2))
+ }
+ =
+ let v1: BV32.t = BV32.of_int i1 in
+ let v2: BV32.t = BV32.of_int i2 in
+ let v: BV32.t = BV32.add v1 v2 in
+ BV32.to_int v
+
+ meta rewrite_def function bv_add
+
+ (*meta rewrite_def function bv_add
+ (* stupid test *)
+ use int.Int
+ use bv.BV32
+ (*
+ constant bv_add : int -> int -> int = fun x y -> x + y
+ *)
+
+ let function bv_add i1 i2:int
+ ensures {
+ result = i1 + i2
+ }
+ = i1 + i2
+
+ meta rewrite_def function bv_add
+
+ (*
+ lemma bv_add_com:
+ forall v1 v2. bv_add v1 v2 = bv_add v2 v1
+ *)
+ *)
+end
\ No newline at end of file
diff --git a/bv_op/why3session.xml b/bv_op/why3session.xml
new file mode 100644
index 0000000000000000000000000000000000000000..862d5d275903944da611b76e34e3cf44e70cc8e8
--- /dev/null
+++ b/bv_op/why3session.xml
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE why3session PUBLIC "-//Why3//proof session v5//EN"
+"http://why3.lri.fr/why3session.dtd">
+<why3session shape_version="5">
+<prover id="0" name="Alt-Ergo" version="2.0.0" timelimit="5" steplimit="0" memlimit="2000"/>
+<file name="../bv_op.mlw" proved="true">
+<theory name="BV_OP" proved="true">
+ <goal name="VC bv_add" expl="VC for bv_add" proved="true">
+ <proof prover="0"><result status="valid" time="0.02" steps="70"/></proof>
+ </goal>
+</theory>
+</file>
+</why3session>
diff --git a/bv_op/why3shapes.gz b/bv_op/why3shapes.gz
new file mode 100644
index 0000000000000000000000000000000000000000..3b196670a019599de42f91301dcf9ea38f4aa54d
Binary files /dev/null and b/bv_op/why3shapes.gz differ
diff --git a/com_aexpr.mlw b/com_aexpr.mlw
new file mode 100644
index 0000000000000000000000000000000000000000..9318d8021d52147096ad70515ffd20ff250a4c07
--- /dev/null
+++ b/com_aexpr.mlw
@@ -0,0 +1,322 @@
+(* Register based compiler for arithmetic expressions *)
+
+module Compile_aexpr_reg
+
+ use int.Int
+ use list.List
+ use list.Length
+ use list.Append
+ use imp.Imp
+ use vm.Vm
+ use state.State
+ use state.Reg
+ use logic.Compiler_logic
+ use specs.VM_instr_spec
+
+ (* Compilation scheme: the generated code for arithmetic expressions
+ put the result of the expression on the stack. *)
+ function aexpr_post (a:aexpr) (len:pos) (idr:idr) : post 'a =
+ fun _ p ms ms' ->
+ let VMS p1 r1 s1 m1 = ms in
+ let VMS p2 r2 s2 m2 = ms' in
+ p1 = p /\
+ p2 = p + len /\
+ (forall r'. r' < idr -> read r1 r' = read r2 r') /\ (* preserve lower registers *)
+ read r2 idr = aeval m1 a /\ (* result in idr *)
+ s2 = s1 /\ (* preserve stack *)
+ m2 = m1 (* preserve memory *)
+
+ meta rewrite_def function aexpr_post
+
+ let rec compile_aexpr (a:aexpr) (idr: idr) : hl 'a
+ ensures { result.pre --> trivial_pre }
+ ensures { result.post --> aexpr_post a result.code.length idr}
+ variant { a }
+ = let c = match a with
+ | Anum n -> $ iimmf idr n
+ | Avar x -> $ iloadf idr x
+ | Aadd a1 a2 -> $
+ compile_aexpr a1 idr -- $ compile_aexpr a2 (idr + 1) -- $ iaddrf (idr + 1) idr idr
+ | Aaddu a1 a2 -> $
+ compile_aexpr a1 idr -- $ compile_aexpr a2 (idr + 1) -- $ iaddurf (idr + 1) idr idr
+ | Asub a1 a2 -> $
+ compile_aexpr a2 idr -- $ compile_aexpr a1 (idr + 1) -- $ isubrf (idr + 1) idr idr
+ end in
+ hoare trivial_pre c (aexpr_post a c.wcode.length idr)
+
+ (* Check that the above specification indeed implies the
+ natural one. *)
+
+ let compile_aexpr_natural (a:aexpr) (idr:idr) : code
+ ensures { forall c p r1 s m. codeseq_at c p result ->
+ exists r2.
+ transition_star c (VMS p r1 s m)
+ (VMS (p + length result) r2 s m)
+ /\
+ forall r. r < idr -> read r2 r = read r1 r /\
+ read r2 idr = aeval m a
+ }
+ = let res = compile_aexpr a idr : hl unit in
+ assert { res.pre = trivial_pre }; (* we have a trivial precod *)
+ assert { forall p r s m. res.pre () p (VMS p r s m) };
+
+ assert { forall p ms. res.pre () p ms ->
+ exists ms'.
+ res.post () p ms ms' /\ contextual_irrelevance res.code p ms ms' /\
+ let VMS p1 r1 s1 m1 = ms in
+ let VMS p2 r2 s2 m2 = ms' in
+ p2 = p1 + res.code.length /\ m2 = m1 /\ s2 = s1 /\
+ forall r. r < idr -> read r2 r = read r1 r /\
+ read r2 idr = aeval m1 a
+ };
+
+ res.code
+
+end
+
+(*
+(* Register based compiler for arithmetic expressions, k registers *)
+module Compile_aexpr_reg_k
+
+ use int.Int
+ use list.List
+ use list.Length
+ use list.Append
+ use imp.Imp
+ use vm.Vm
+ use state.State
+ use state.Reg
+ use logic.Compiler_logic
+ use specs.VM_instr_spec
+
+ (** we have k registers, namely 0,1,...,k-1,
+ and there are at least two of them, otherwise we can't add *)
+ val constant k: int
+ ensures { 2 <= result }
+
+ (* Compilation scheme: the generated code for arithmetic expressions
+ put the result of the expression on the stack. *)
+ function aexpr_post (a:aexpr) (len:pos) (idr:idr) : post 'a =
+ fun _ p ms ms' ->
+ let VMS p1 r1 s1 m1 = ms in
+ let VMS p2 r2 s2 m2 = ms' in
+ p1 = p /\
+ p2 = p + len /\
+ (forall r'. r' < idr -> read r1 r' = read r2 r') /\ (* preserve lower registers *)
+ read r2 idr = aeval m1 a /\ (* result in idr *)
+ s2 = s1 /\ (* preserve stack *)
+ m2 = m1 (* preserve memory *)
+
+ meta rewrite_def function aexpr_post
+
+ let rec compile_aexpr (a:aexpr) (idr: idr) : hl 'a
+ requires { 0 <= idr < k }
+ ensures { result.pre --> trivial_pre }
+ ensures { result.post --> aexpr_post a result.code.length idr}
+ variant { a }
+ = let c = match a with
+ | Anum n -> $ iimmf idr n
+ | Avar x -> $ iloadf idr x
+ | Aadd a1 a2 ->
+ if idr < k - 1 then
+ $ compile_aexpr a1 idr --
+ $ compile_aexpr a2 (idr + 1) --
+ $ iaddrf (idr + 1) idr idr
+ else
+ $ ipushf (k - 2) --
+ $ compile_aexpr a1 (k - 2) --
+ $ compile_aexpr a2 (k - 1) --
+ $ iaddrf (k - 2) (k - 1) (k - 1)--
+ $ ipopf (k - 2)
+
+ | Asub a1 a2 ->
+ if idr < k - 1 then
+ $ compile_aexpr a2 idr --
+ $ compile_aexpr a1 (idr + 1) --
+ $ isubrf (idr + 1) idr idr
+ else
+ $ ipushf (k - 2) --
+ $ compile_aexpr a1 (k - 2) --
+ $ compile_aexpr a2 (k - 1) --
+ $ isubrf (k - 2) (k - 1) (k - 1) --
+ $ ipopf (k - 2)
+ end in
+ hoare trivial_pre c (aexpr_post a c.wcode.length idr)
+
+ (* Check that the above specification indeed implies the
+ natural one. *)
+
+ let compile_aexpr_natural (a:aexpr) (idr:idr) : code
+ requires { 0 <= idr < k }
+ ensures { forall c p r1 s m. codeseq_at c p result ->
+ exists r2.
+ transition_star c (VMS p r1 s m)
+ (VMS (p + length result) r2 s m)
+ /\
+ forall r. r < idr -> read r2 r = read r1 r /\
+ read r2 idr = aeval m a
+ }
+ = let res = compile_aexpr a idr : hl unit in
+ assert { res.pre = trivial_pre }; (* we have a trivial precod *)
+ assert { forall p r s m. res.pre () p (VMS p r s m) };
+
+ assert { forall p ms. res.pre () p ms ->
+ exists ms'.
+ res.post () p ms ms' /\ contextual_irrelevance res.code p ms ms' /\
+ let VMS p1 r1 s1 m1 = ms in
+ let VMS p2 r2 s2 m2 = ms' in
+ p2 = p1 + res.code.length /\ m2 = m1 /\ s2 = s1 /\
+ forall r. r < idr -> read r2 r = read r1 r /\
+ read r2 idr = aeval m1 a
+ };
+
+ res.code
+
+end
+
+(* Register based compiler for arithmetic expressions, optimal k registers *)
+module Compile_aexpr_reg_k_optimal
+
+ use int.Int
+ use int.MinMax
+ use list.List
+ use list.Length
+ use list.Append
+ use imp.Imp
+ use vm.Vm
+ use state.State
+ use state.Reg
+ use logic.Compiler_logic
+ use specs.VM_instr_spec
+
+ (** we have k registers, namely 0,1,...,k-1,
+ and there are at least two of them, otherwise we can't add *)
+ val constant k: int
+ ensures { 2 <= result }
+
+ (** the minimal number of registers needed to evaluate e *)
+ let rec function n (e: aexpr) : int
+ variant { e }
+ ensures { result > 0 }
+ = match e with
+ | Anum _ -> 1
+ | Avar _ -> 1
+ | Aadd e1 e2 -> let n1 = n e1 in let n2 = n e2 in
+ if n1 = n2 then 1 + n1 else max n1 n2
+ | Asub e1 e2 -> let n1 = n e1 in let n2 = n e2 in
+ if n1 = n2 then 1 + n1 else max n1 n2
+ end
+ meta rewrite_def function n
+
+
+ (** Note: This is of course inefficient to recompute function `n` many
+ times. A realistic implementation would compute `n e` once for
+ each sub-expression `e`, either with a first pass of tree decoration,
+ or with function `compile` returning the value of `n e` as well,
+ in a bottom-up way *)
+
+ function measure (e: aexpr) : int =
+ match e with
+ | Anum _ -> 0
+ | Avar _ -> 0
+ | Aadd e1 e2 -> 1 + measure e1 + measure e2 + if n e1 >= n e2 then 0 else 1
+ | Aaddu e1 e2 -> 1 + measure e1 + measure e2 + if n e1 >= n e2 then 0 else 1
+ | Asub e1 e2 -> 1 + measure e1 + measure e2 + if n e1 >= n e2 then 0 else 1
+ end
+
+ lemma measure_nonneg: forall e. measure e >= 0
+
+ (* Compilation scheme: the generated code for arithmetic expressions
+ put the result of the expression on the stack. *)
+ function aexpr_post (a:aexpr) (len:pos) (idr:idr) : post 'a =
+ fun _ p ms ms' ->
+ let VMS p1 r1 s1 m1 = ms in
+ let VMS p2 r2 s2 m2 = ms' in
+ p1 = p /\
+ p2 = p + len /\
+ (forall r'. r' < idr -> read r1 r' = read r2 r') /\ (* preserve lower registers *)
+ read r2 idr = aeval m1 a /\ (* result in idr *)
+ s2 = s1 /\ (* preserve stack *)
+ m2 = m1 (* preserve memory *)
+
+ meta rewrite_def function aexpr_post
+
+ let rec compile_aexpr (a:aexpr) (idr: idr) (ghost left: int) : hl 'a
+ requires { n a <= left }
+ requires { 0 <= idr < k }
+ variant { measure a }
+ ensures { result.pre --> trivial_pre }
+ ensures { result.post --> aexpr_post a result.code.length idr }
+ =
+ let c = match a with
+ | Anum n -> $ iimmf idr n
+ | Avar x -> $ iloadf idr x
+ | Aadd a1 a2 ->
+ if n a1 >= n a2 then (* we compile a1 first *)
+ if idr < k - 1 then
+ $ compile_aexpr a1 idr left --
+ $ compile_aexpr a2 (idr + 1) (left - 1) --
+ $ iaddrf (idr + 1) idr idr
+ else
+ (
+ assert { idr = k - 1 };
+ $ ipushf (idr - 1) --
+ $ compile_aexpr a1 (idr - 1) (left + 1) --
+ $ compile_aexpr a2 idr left --
+ $ iaddrf (idr - 1) idr idr --
+ $ ipopf (idr - 1)
+ )
+ else (* we compile a2 first, by swapping *)
+ $ compile_aexpr (Aadd a2 a1) idr left
+ | Asub a1 a2 ->
+ if idr < k - 1 then
+ if n a1 >= n a2 then (* we compile a1 first *)
+ $ compile_aexpr a1 idr left --
+ $ compile_aexpr a2 (idr + 1) (left - 1) --
+ $ isubrf idr (idr + 1) idr
+ else
+ $ compile_aexpr a2 idr left --
+ $ compile_aexpr a1 (idr + 1) (left - 1) --
+ $ isubrf (idr + 1) idr idr
+ else
+ $ ipushf (idr - 1) --
+ $ compile_aexpr a1 (idr - 1) (left + 1) --
+ $ compile_aexpr a2 idr left --
+ $ isubrf (idr - 1) idr idr --
+ $ ipopf (idr - 1)
+
+ end in
+ hoare trivial_pre c (aexpr_post a c.wcode.length idr)
+
+ (* Check that the above specification indeed implies the
+ natural one. *)
+
+ let compile_aexpr_natural (a:aexpr) (idr:idr) : code
+ requires { 0 <= idr < k }
+ ensures { forall c p r1 s m. codeseq_at c p result ->
+ exists r2.
+ transition_star c (VMS p r1 s m)
+ (VMS (p + length result) r2 s m)
+ /\
+ forall r. r < idr -> read r2 r = read r1 r /\
+ read r2 idr = aeval m a
+ }
+ = let res = compile_aexpr a idr (ghost n a): hl unit in
+ assert { res.pre = trivial_pre }; (* we have a trivial precod *)
+ assert { forall p r s m. res.pre () p (VMS p r s m) };
+
+ assert { forall p ms. res.pre () p ms ->
+ exists ms'.
+ res.post () p ms ms' /\ contextual_irrelevance res.code p ms ms' /\
+ let VMS p1 r1 s1 m1 = ms in
+ let VMS p2 r2 s2 m2 = ms' in
+ p2 = p1 + res.code.length /\ m2 = m1 /\ s2 = s1 /\
+ forall r. r < idr -> read r2 r = read r1 r /\
+ read r2 idr = aeval m1 a
+ };
+
+ res.code
+
+end
+
+*)
diff --git a/com_aexpr/why3session.xml b/com_aexpr/why3session.xml
new file mode 100644
index 0000000000000000000000000000000000000000..31e679e0b60a42498603dad9ab1866fd76dac6a1
--- /dev/null
+++ b/com_aexpr/why3session.xml
@@ -0,0 +1,834 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE why3session PUBLIC "-//Why3//proof session v5//EN"
+"http://why3.lri.fr/why3session.dtd">
+<why3session shape_version="5">
+<prover id="0" name="Alt-Ergo" version="2.0.0" timelimit="5" steplimit="0" memlimit="2000"/>
+<prover id="1" name="CVC4" version="1.6" alternative="counterexamples" timelimit="5" steplimit="0" memlimit="2000"/>
+<prover id="2" name="Alt-Ergo" version="2.2.0" timelimit="5" steplimit="0" memlimit="2000"/>
+<prover id="3" name="Eprover" version="2.1" timelimit="5" steplimit="0" memlimit="2000"/>
+<prover id="4" name="Z3" version="4.7.1" alternative="counterexamples" timelimit="5" steplimit="0" memlimit="2000"/>
+<file name="../com_aexpr.mlw">
+<theory name="Compile_aexpr_reg">
+ <goal name="VC compile_aexpr" expl="VC for compile_aexpr">
+ <transf name="split_goal_right" >
+ <goal name="VC compile_aexpr.0" expl="variant decrease">
+ <proof prover="0" obsolete="true"><result status="valid" time="0.14" steps="162"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.1" expl="variant decrease">
+ <proof prover="0" obsolete="true"><result status="valid" time="0.15" steps="172"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.2" expl="variant decrease">
+ <proof prover="0" obsolete="true"><result status="valid" time="0.14" steps="162"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.3" expl="variant decrease">
+ <proof prover="0" obsolete="true"><result status="valid" time="0.15" steps="172"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.4" expl="unreachable point">
+ </goal>
+ <goal name="VC compile_aexpr.5" expl="precondition">
+ <transf name="split_goal_right" >
+ <goal name="VC compile_aexpr.5.0" expl="precondition">
+ <transf name="compute_specified" >
+ <goal name="VC compile_aexpr.5.0.0" expl="precondition">
+ <transf name="introduce_premises" >
+ <goal name="VC compile_aexpr.5.0.0.0" expl="precondition">
+ <transf name="compute_specified" >
+ <goal name="VC compile_aexpr.5.0.0.0.0" expl="precondition">
+ <proof prover="0" obsolete="true"><result status="valid" time="0.27" steps="326"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_aexpr.5.1" expl="precondition">
+ <transf name="compute_specified" >
+ <goal name="VC compile_aexpr.5.1.0" expl="precondition">
+ <transf name="introduce_premises" >
+ <goal name="VC compile_aexpr.5.1.0.0" expl="precondition">
+ <transf name="compute_specified" >
+ <goal name="VC compile_aexpr.5.1.0.0.0" expl="precondition">
+ <proof prover="0" obsolete="true"><result status="valid" time="0.27" steps="316"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_aexpr.5.2" expl="precondition">
+ <transf name="compute_specified" >
+ <goal name="VC compile_aexpr.5.2.0" expl="precondition">
+ <transf name="introduce_premises" >
+ <goal name="VC compile_aexpr.5.2.0.0" expl="precondition">
+ <transf name="compute_specified" >
+ <goal name="VC compile_aexpr.5.2.0.0.0" expl="precondition">
+ <proof prover="0" obsolete="true"><result status="valid" time="0.81" steps="500"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_aexpr.5.3" expl="precondition">
+ <transf name="compute_specified" >
+ <goal name="VC compile_aexpr.5.3.0" expl="precondition">
+ <transf name="introduce_premises" >
+ <goal name="VC compile_aexpr.5.3.0.0" expl="precondition">
+ <transf name="compute_specified" >
+ <goal name="VC compile_aexpr.5.3.0.0.0" expl="precondition">
+ <proof prover="0" obsolete="true"><result status="valid" time="0.78" steps="500"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_aexpr.6" expl="postcondition">
+ <proof prover="0" obsolete="true"><result status="valid" time="0.10" steps="81"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.7" expl="postcondition">
+ <proof prover="0" obsolete="true"><result status="valid" time="0.09" steps="81"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_aexpr_natural" expl="VC for compile_aexpr_natural">
+ <transf name="split_goal_right" >
+ <goal name="VC compile_aexpr_natural.0" expl="assertion">
+ <proof prover="0" obsolete="true"><result status="valid" time="0.09" steps="80"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr_natural.1" expl="assertion">
+ <proof prover="0" obsolete="true"><result status="valid" time="0.11" steps="81"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr_natural.2" expl="assertion">
+ <proof prover="0" obsolete="true"><result status="valid" time="0.19" steps="172"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr_natural.3" expl="postcondition">
+ <proof prover="0" obsolete="true"><result status="valid" time="0.29" steps="309"/></proof>
+ </goal>
+ </transf>
+ </goal>
+</theory>
+<theory name="Compile_aexpr_reg_k">
+ <goal name="VC k">
+ <proof prover="0"><result status="valid" time="0.07" steps="78"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr">
+ <transf name="split_goal_right" >
+ <goal name="VC compile_aexpr.0">
+ <proof prover="0"><result status="valid" time="0.15" steps="175"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.1">
+ <proof prover="0"><result status="valid" time="0.10" steps="88"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.2">
+ <proof prover="0"><result status="valid" time="0.20" steps="185"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.3">
+ <proof prover="0"><result status="valid" time="0.11" steps="92"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.4">
+ <proof prover="0"><result status="valid" time="0.16" steps="192"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.5">
+ <proof prover="0"><result status="valid" time="0.11" steps="93"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.6">
+ <proof prover="0"><result status="valid" time="0.16" steps="202"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.7">
+ <proof prover="0"><result status="valid" time="0.10" steps="97"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.8">
+ <proof prover="0"><result status="valid" time="0.22" steps="175"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.9">
+ <proof prover="0"><result status="valid" time="0.09" steps="88"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.10">
+ <proof prover="0"><result status="valid" time="0.20" steps="185"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.11">
+ <proof prover="0"><result status="valid" time="0.15" steps="92"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.12">
+ <proof prover="0"><result status="valid" time="0.13" steps="192"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.13">
+ <proof prover="0"><result status="valid" time="0.10" steps="93"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.14">
+ <proof prover="0"><result status="valid" time="0.14" steps="202"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.15">
+ <proof prover="0"><result status="valid" time="0.10" steps="97"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.16">
+ <transf name="split_goal_right" >
+ <goal name="VC compile_aexpr.16.0">
+ <transf name="compute_specified" >
+ <goal name="VC compile_aexpr.16.0.0">
+ <transf name="introduce_premises" >
+ <goal name="VC compile_aexpr.16.0.0.0">
+ <transf name="compute_specified" >
+ <goal name="VC compile_aexpr.16.0.0.0.0">
+ <proof prover="0"><result status="valid" time="0.32" steps="348"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_aexpr.16.1">
+ <transf name="compute_specified" >
+ <goal name="VC compile_aexpr.16.1.0">
+ <transf name="introduce_premises" >
+ <goal name="VC compile_aexpr.16.1.0.0">
+ <transf name="compute_specified" >
+ <goal name="VC compile_aexpr.16.1.0.0.0">
+ <proof prover="0"><result status="valid" time="0.32" steps="338"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_aexpr.16.2">
+ <transf name="compute_specified" >
+ <goal name="VC compile_aexpr.16.2.0">
+ <transf name="introduce_premises" >
+ <goal name="VC compile_aexpr.16.2.0.0">
+ <transf name="compute_specified" >
+ <goal name="VC compile_aexpr.16.2.0.0.0">
+ <proof prover="1" timelimit="10" memlimit="1000"><result status="valid" time="1.09"/></proof>
+ <proof prover="2" obsolete="true"><result status="timeout" time="5.00"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_aexpr.16.3">
+ <transf name="compute_specified" >
+ <goal name="VC compile_aexpr.16.3.0">
+ <transf name="introduce_premises" >
+ <goal name="VC compile_aexpr.16.3.0.0">
+ <transf name="compute_specified" >
+ <goal name="VC compile_aexpr.16.3.0.0.0">
+ <transf name="split_goal_right" >
+ <goal name="VC compile_aexpr.16.3.0.0.0.0">
+ <proof prover="0"><result status="valid" time="0.14" steps="141"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.16.3.0.0.0.1">
+ <proof prover="0"><result status="valid" time="0.16" steps="144"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.16.3.0.0.0.2">
+ <proof prover="0"><result status="valid" time="0.13" steps="116"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.16.3.0.0.0.3">
+ <proof prover="0"><result status="valid" time="0.12" steps="125"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.16.3.0.0.0.4">
+ <proof prover="0"><result status="valid" time="0.21" steps="204"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.16.3.0.0.0.5">
+ <proof prover="0"><result status="valid" time="0.13" steps="129"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.16.3.0.0.0.6">
+ <proof prover="0"><result status="valid" time="0.18" steps="180"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.16.3.0.0.0.7">
+ <proof prover="0"><result status="valid" time="2.53" steps="973"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.16.3.0.0.0.8">
+ <proof prover="0"><result status="valid" time="2.00" steps="754"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.16.3.0.0.0.9">
+ <proof prover="0"><result status="valid" time="0.23" steps="213"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.16.3.0.0.0.10">
+ <proof prover="0"><result status="valid" time="0.19" steps="183"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_aexpr.16.4">
+ <transf name="compute_specified" >
+ <goal name="VC compile_aexpr.16.4.0">
+ <transf name="introduce_premises" >
+ <goal name="VC compile_aexpr.16.4.0.0">
+ <transf name="compute_specified" >
+ <goal name="VC compile_aexpr.16.4.0.0.0">
+ <transf name="split_goal_right" >
+ <goal name="VC compile_aexpr.16.4.0.0.0.0">
+ <proof prover="0"><result status="valid" time="0.13" steps="123"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.16.4.0.0.0.1">
+ <proof prover="0"><result status="valid" time="0.11" steps="104"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.16.4.0.0.0.2">
+ <proof prover="0"><result status="valid" time="0.12" steps="113"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.16.4.0.0.0.3">
+ <proof prover="0"><result status="valid" time="0.12" steps="116"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.16.4.0.0.0.4">
+ <proof prover="0"><result status="valid" time="0.15" steps="150"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.16.4.0.0.0.5">
+ <proof prover="0"><result status="valid" time="0.35" steps="204"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.16.4.0.0.0.6">
+ <proof prover="0"><result status="valid" time="0.18" steps="174"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.16.4.0.0.0.7">
+ <proof prover="0"><result status="valid" time="0.19" steps="149"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.16.4.0.0.0.8">
+ <proof prover="0"><result status="valid" time="0.16" steps="153"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_aexpr.16.5">
+ <transf name="compute_specified" >
+ <goal name="VC compile_aexpr.16.5.0">
+ <transf name="introduce_premises" >
+ <goal name="VC compile_aexpr.16.5.0.0">
+ <transf name="compute_specified" >
+ <goal name="VC compile_aexpr.16.5.0.0.0">
+ <transf name="split_goal_right" >
+ <goal name="VC compile_aexpr.16.5.0.0.0.0">
+ <proof prover="0"><result status="valid" time="0.14" steps="141"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.16.5.0.0.0.1">
+ <proof prover="0"><result status="valid" time="0.15" steps="144"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.16.5.0.0.0.2">
+ <proof prover="0"><result status="valid" time="0.12" steps="116"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.16.5.0.0.0.3">
+ <proof prover="0"><result status="valid" time="0.12" steps="125"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.16.5.0.0.0.4">
+ <proof prover="0"><result status="valid" time="0.35" steps="204"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.16.5.0.0.0.5">
+ <proof prover="0"><result status="valid" time="0.13" steps="129"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.16.5.0.0.0.6">
+ <proof prover="0"><result status="valid" time="0.19" steps="180"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.16.5.0.0.0.7">
+ <proof prover="0"><result status="valid" time="2.41" steps="963"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.16.5.0.0.0.8">
+ <proof prover="0"><result status="valid" time="2.02" steps="741"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.16.5.0.0.0.9">
+ <proof prover="0"><result status="valid" time="0.22" steps="213"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.16.5.0.0.0.10">
+ <proof prover="0"><result status="valid" time="0.22" steps="183"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_aexpr.17">
+ <proof prover="0"><result status="valid" time="0.13" steps="84"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.18">
+ <proof prover="0"><result status="valid" time="0.12" steps="84"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_aexpr_natural">
+ <transf name="split_goal_right" >
+ <goal name="VC compile_aexpr_natural.0">
+ <transf name="compute_specified" >
+ <goal name="VC compile_aexpr_natural.0.0">
+ <transf name="introduce_premises" >
+ <goal name="VC compile_aexpr_natural.0.0.0">
+ <proof prover="0"><result status="valid" time="0.09" steps="81"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_aexpr_natural.1">
+ <proof prover="0"><result status="valid" time="0.10" steps="83"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr_natural.2">
+ <proof prover="0"><result status="valid" time="0.14" steps="84"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr_natural.3">
+ <proof prover="0"><result status="valid" time="0.35" steps="212"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr_natural.4">
+ <proof prover="0"><result status="valid" time="0.94" steps="350"/></proof>
+ </goal>
+ </transf>
+ </goal>
+</theory>
+<theory name="Compile_aexpr_reg_k_optimal">
+ <goal name="VC k">
+ <proof prover="0"><result status="valid" time="0.09" steps="78"/></proof>
+ </goal>
+ <goal name="VC n">
+ <proof prover="0"><result status="valid" time="0.72" steps="460"/></proof>
+ </goal>
+ <goal name="measure_nonneg">
+ <transf name="induction_ty_lex" >
+ <goal name="measure_nonneg.0">
+ <proof prover="0"><result status="valid" time="0.14" steps="155"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_aexpr">
+ <proof prover="0" obsolete="true"><result status="timeout" time="5.00"/></proof>
+ <transf name="split_goal_right" >
+ <goal name="VC compile_aexpr.0">
+ <proof prover="0"><result status="valid" time="0.18" steps="129"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.1">
+ <proof prover="0"><result status="valid" time="0.22" steps="250"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.2">
+ <proof prover="0"><result status="valid" time="0.15" steps="93"/></proof>
+ <proof prover="1"><result status="valid" time="0.25"/></proof>
+ <proof prover="4"><result status="valid" time="0.05"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.3">
+ <proof prover="0"><result status="valid" time="0.18" steps="138"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.4">
+ <proof prover="0"><result status="valid" time="0.10" steps="154"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.5">
+ <proof prover="0"><result status="valid" time="0.20" steps="97"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.6">
+ <proof prover="0"><result status="valid" time="0.10" steps="87"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.7">
+ <proof prover="0"><result status="valid" time="0.14" steps="139"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.8">
+ <proof prover="0"><result status="valid" time="0.15" steps="155"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.9">
+ <proof prover="0"><result status="valid" time="0.17" steps="99"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.10">
+ <proof prover="0"><result status="valid" time="0.21" steps="148"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.11">
+ <proof prover="0"><result status="valid" time="0.17" steps="164"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.12">
+ <proof prover="0"><result status="valid" time="0.17" steps="103"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.13">
+ <proof prover="0"><result status="valid" time="0.12" steps="120"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.14">
+ <proof prover="0"><result status="valid" time="0.14" steps="121"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.15">
+ <proof prover="0"><result status="valid" time="0.12" steps="87"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.16">
+ <proof prover="0"><result status="valid" time="0.20" steps="129"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.17">
+ <proof prover="0"><result status="valid" time="0.26" steps="250"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.18">
+ <proof prover="0"><result status="valid" time="0.11" steps="93"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.19">
+ <proof prover="0"><result status="valid" time="0.19" steps="138"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.20">
+ <proof prover="0"><result status="valid" time="0.16" steps="154"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.21">
+ <proof prover="0"><result status="valid" time="0.10" steps="97"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.22">
+ <proof prover="0"><result status="valid" time="0.14" steps="130"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.23">
+ <proof prover="0"><result status="valid" time="0.15" steps="166"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.24">
+ <proof prover="0"><result status="valid" time="0.12" steps="93"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.25">
+ <proof prover="0"><result status="valid" time="0.17" steps="139"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.26">
+ <proof prover="0"><result status="valid" time="0.17" steps="171"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.27">
+ <proof prover="0"><result status="valid" time="0.17" steps="97"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.28">
+ <proof prover="0"><result status="valid" time="0.17" steps="157"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.29">
+ <proof prover="0"><result status="valid" time="0.18" steps="215"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.30">
+ <proof prover="0"><result status="valid" time="0.15" steps="95"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.31">
+ <proof prover="0"><result status="valid" time="0.24" steps="169"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.32">
+ <proof prover="0"><result status="valid" time="0.18" steps="226"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.33">
+ <proof prover="0"><result status="valid" time="0.12" steps="99"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.34">
+ <proof prover="0" obsolete="true"><result status="timeout" time="5.00"/></proof>
+ <transf name="split_goal_right" >
+ <goal name="VC compile_aexpr.34.0">
+ <proof prover="0"><result status="timeout" time="5.00"/></proof>
+ <transf name="compute_specified" >
+ <goal name="VC compile_aexpr.34.0.0">
+ <transf name="introduce_premises" >
+ <goal name="VC compile_aexpr.34.0.0.0">
+ <transf name="compute_specified" >
+ <goal name="VC compile_aexpr.34.0.0.0.0">
+ <proof prover="0"><result status="valid" time="0.36" steps="476"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_aexpr.34.1">
+ <proof prover="0"><result status="timeout" time="5.00"/></proof>
+ <transf name="compute_specified" >
+ <goal name="VC compile_aexpr.34.1.0">
+ <transf name="introduce_premises" >
+ <goal name="VC compile_aexpr.34.1.0.0">
+ <transf name="compute_specified" >
+ <goal name="VC compile_aexpr.34.1.0.0.0">
+ <proof prover="0"><result status="valid" time="0.35" steps="493"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_aexpr.34.2">
+ <proof prover="0" obsolete="true"><result status="timeout" time="5.00"/></proof>
+ <transf name="split_goal_right" >
+ <goal name="VC compile_aexpr.34.2.0">
+ <transf name="compute_specified" >
+ <goal name="VC compile_aexpr.34.2.0.0">
+ <transf name="introduce_premises" >
+ <goal name="VC compile_aexpr.34.2.0.0.0">
+ <transf name="compute_specified" >
+ <goal name="VC compile_aexpr.34.2.0.0.0.0">
+ <proof prover="0"><result status="valid" time="1.65" steps="1358"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_aexpr.34.2.1">
+ <proof prover="0" obsolete="true"><result status="timeout" time="5.00"/></proof>
+ <transf name="compute_specified" >
+ <goal name="VC compile_aexpr.34.2.1.0">
+ <transf name="introduce_premises" >
+ <goal name="VC compile_aexpr.34.2.1.0.0">
+ <proof prover="0" obsolete="true"><result status="timeout" time="5.00"/></proof>
+ <proof prover="3" obsolete="true"><result status="timeout" time="5.00"/></proof>
+ <proof prover="4" obsolete="true"><result status="timeout" time="5.00"/></proof>
+ <transf name="compute_specified" >
+ <goal name="VC compile_aexpr.34.2.1.0.0.0">
+ <proof prover="0" obsolete="true"><result status="timeout" time="5.00"/></proof>
+ <proof prover="1" obsolete="true"><result status="timeout" time="5.00"/></proof>
+ <proof prover="4" obsolete="true"><result status="timeout" time="5.00"/></proof>
+ <transf name="split_goal_right" >
+ <goal name="VC compile_aexpr.34.2.1.0.0.0.0">
+ <proof prover="0"><result status="valid" time="0.20" steps="173"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.34.2.1.0.0.0.1">
+ <proof prover="0"><result status="valid" time="0.20" steps="176"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.34.2.1.0.0.0.2">
+ <proof prover="0"><result status="valid" time="0.13" steps="117"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.34.2.1.0.0.0.3">
+ <proof prover="0"><result status="valid" time="0.13" steps="126"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.34.2.1.0.0.0.4">
+ <proof prover="0"><result status="valid" time="0.27" steps="247"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.34.2.1.0.0.0.5">
+ <proof prover="0"><result status="valid" time="0.16" steps="130"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.34.2.1.0.0.0.6">
+ <proof prover="0"><result status="valid" time="0.26" steps="212"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.34.2.1.0.0.0.7">
+ <proof prover="0"><result status="valid" time="2.36" steps="1115"/></proof>
+ <proof prover="1" obsolete="true"><result status="timeout" time="5.00"/></proof>
+ <proof prover="3" obsolete="true"><result status="timeout" time="5.00"/></proof>
+ <proof prover="4" obsolete="true"><result status="timeout" time="5.00"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.34.2.1.0.0.0.8">
+ <proof prover="0"><result status="valid" time="0.59" steps="398"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.34.2.1.0.0.0.9">
+ <proof prover="0"><result status="valid" time="0.33" steps="248"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.34.2.1.0.0.0.10">
+ <proof prover="0"><result status="valid" time="0.26" steps="217"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_aexpr.34.2.2">
+ <transf name="compute_specified" >
+ <goal name="VC compile_aexpr.34.2.2.0">
+ <transf name="introduce_premises" >
+ <goal name="VC compile_aexpr.34.2.2.0.0">
+ <transf name="compute_specified" >
+ <goal name="VC compile_aexpr.34.2.2.0.0.0">
+ <proof prover="0"><result status="valid" time="0.31" steps="344"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_aexpr.34.3">
+ <proof prover="0"><result status="timeout" time="5.00"/></proof>
+ <transf name="split_goal_right" >
+ <goal name="VC compile_aexpr.34.3.0">
+ <transf name="compute_specified" >
+ <goal name="VC compile_aexpr.34.3.0.0">
+ <transf name="introduce_premises" >
+ <goal name="VC compile_aexpr.34.3.0.0.0">
+ <transf name="compute_specified" >
+ <goal name="VC compile_aexpr.34.3.0.0.0.0">
+ <proof prover="0"><result status="valid" time="1.75" steps="1332"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_aexpr.34.3.1">
+ <transf name="compute_specified" >
+ <goal name="VC compile_aexpr.34.3.1.0">
+ <transf name="introduce_premises" >
+ <goal name="VC compile_aexpr.34.3.1.0.0">
+ <transf name="compute_specified" >
+ <goal name="VC compile_aexpr.34.3.1.0.0.0">
+ <proof prover="0"><result status="valid" time="1.97" steps="1522"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_aexpr.34.4">
+ <proof prover="0"><result status="timeout" time="5.00"/></proof>
+ <transf name="compute_specified" >
+ <goal name="VC compile_aexpr.34.4.0">
+ <transf name="introduce_premises" >
+ <goal name="VC compile_aexpr.34.4.0.0">
+ <transf name="compute_specified" >
+ <goal name="VC compile_aexpr.34.4.0.0.0">
+ <proof prover="0"><result status="timeout" time="5.00"/></proof>
+ <transf name="split_goal_right" >
+ <goal name="VC compile_aexpr.34.4.0.0.0.0">
+ <proof prover="0"><result status="valid" time="0.16" steps="151"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.34.4.0.0.0.1">
+ <proof prover="0"><result status="valid" time="0.17" steps="154"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.34.4.0.0.0.2">
+ <proof prover="0"><result status="valid" time="0.13" steps="116"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.34.4.0.0.0.3">
+ <proof prover="0"><result status="valid" time="0.13" steps="125"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.34.4.0.0.0.4">
+ <proof prover="0"><result status="valid" time="0.27" steps="219"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.34.4.0.0.0.5">
+ <proof prover="0"><result status="valid" time="0.14" steps="129"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.34.4.0.0.0.6">
+ <proof prover="0"><result status="valid" time="0.22" steps="190"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.34.4.0.0.0.7">
+ <proof prover="0"><result status="valid" time="1.91" steps="1012"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.34.4.0.0.0.8">
+ <proof prover="0"><result status="valid" time="0.46" steps="330"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.34.4.0.0.0.9">
+ <proof prover="0"><result status="valid" time="0.26" steps="225"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.34.4.0.0.0.10">
+ <proof prover="0"><result status="valid" time="0.21" steps="195"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_aexpr.35">
+ <proof prover="0"><result status="valid" time="0.12" steps="85"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.36">
+ <proof prover="0"><result status="valid" time="0.10" steps="85"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_aexpr_natural">
+ <transf name="split_goal_right" >
+ <goal name="VC compile_aexpr_natural.0">
+ <proof prover="0"><result status="valid" time="0.10" steps="82"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr_natural.1">
+ <proof prover="0"><result status="valid" time="0.10" steps="83"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr_natural.2">
+ <proof prover="0"><result status="valid" time="0.10" steps="84"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr_natural.3">
+ <proof prover="0"><result status="valid" time="0.10" steps="85"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr_natural.4">
+ <proof prover="0"><result status="valid" time="0.27" steps="216"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr_natural.5">
+ <proof prover="0"><result status="valid" time="0.66" steps="354"/></proof>
+ </goal>
+ </transf>
+ </goal>
+</theory>
+</file>
+<file name="../specs.mlw">
+<theory name="VM_instr_spec">
+ <goal name="VC ifunf" expl="VC for ifunf">
+ </goal>
+ <goal name="VC iimmf" expl="VC for iimmf">
+ </goal>
+ <goal name="VC iloadf" expl="VC for iloadf">
+ </goal>
+ <goal name="VC istoref" expl="VC for istoref">
+ </goal>
+ <goal name="VC ipushf" expl="VC for ipushf">
+ </goal>
+ <goal name="VC ipopf" expl="VC for ipopf">
+ </goal>
+ <goal name="VC iaddrf" expl="VC for iaddrf">
+ </goal>
+ <goal name="VC iaddurf" expl="VC for iaddurf">
+ </goal>
+ <goal name="VC isubrf" expl="VC for isubrf">
+ </goal>
+ <goal name="VC ibeqrf" expl="VC for ibeqrf">
+ </goal>
+ <goal name="VC ibnerf" expl="VC for ibnerf">
+ </goal>
+ <goal name="VC iblerf" expl="VC for iblerf">
+ </goal>
+ <goal name="VC ibgtrf" expl="VC for ibgtrf">
+ </goal>
+ <goal name="VC iconstf" expl="VC for iconstf">
+ </goal>
+ <goal name="VC ivarf" expl="VC for ivarf">
+ </goal>
+ <goal name="VC create_binop" expl="VC for create_binop">
+ </goal>
+ <goal name="VC iaddf" expl="VC for iaddf">
+ </goal>
+ <goal name="VC iadduf" expl="VC for iadduf">
+ </goal>
+ <goal name="VC isubf" expl="VC for isubf">
+ </goal>
+ <goal name="VC inil" expl="VC for inil">
+ </goal>
+ <goal name="VC ibranchf" expl="VC for ibranchf">
+ </goal>
+ <goal name="VC create_cjump" expl="VC for create_cjump">
+ </goal>
+ <goal name="VC ibeqf" expl="VC for ibeqf">
+ </goal>
+ <goal name="VC ibnef" expl="VC for ibnef">
+ </goal>
+ <goal name="VC iblef" expl="VC for iblef">
+ </goal>
+ <goal name="VC ibgtf" expl="VC for ibgtf">
+ </goal>
+ <goal name="VC isetvarf" expl="VC for isetvarf">
+ </goal>
+</theory>
+</file>
+<file name="../imp.mlw">
+<theory name="Imp">
+ <goal name="ceval_deterministic_aux">
+ </goal>
+ <goal name="ceval_deterministic">
+ </goal>
+</theory>
+</file>
+</why3session>
diff --git a/com_aexpr/why3shapes.gz b/com_aexpr/why3shapes.gz
new file mode 100644
index 0000000000000000000000000000000000000000..238d567b3ed12c7b0b97449406bb81b4a56e3121
Binary files /dev/null and b/com_aexpr/why3shapes.gz differ
diff --git a/compiler.mlw b/compiler.mlw
new file mode 100644
index 0000000000000000000000000000000000000000..a159aa9f4eeaac3caca035561e7669ada59bdc64
--- /dev/null
+++ b/compiler.mlw
@@ -0,0 +1,534 @@
+
+
+(*Imp to Vm compiler *)
+(**************************************************************************)
+(* Compiler for arithmetic expressions *)
+module Compile_aexpr
+
+
+ use int.Int
+ use list.List
+ use list.Length
+ use list.Append
+ use imp.Imp
+ use vm.Vm
+ use state.State
+ use logic.Compiler_logic
+ use specs.VM_instr_spec
+
+ (* Compilation scheme: the generated code for arithmetic expressions
+ put the result of the expression on the stack. *)
+ function aexpr_post (a:aexpr) (len:pos) : post 'a =
+ fun _ p ms ms' -> let VMS _ r s m = ms in ms' = VMS (p+len) r (push (aeval m a) s) m
+ meta rewrite_def function aexpr_post
+
+ let rec compile_aexpr (a:aexpr) : hl 'a
+ ensures { result.pre --> trivial_pre }
+ ensures { result.post --> aexpr_post a result.code.length }
+ variant { a }
+ = let c = match a with
+ | Anum n -> $ iconstf n
+ | Avar x -> $ ivarf x
+ | Aadd a1 a2 -> $ compile_aexpr a1 -- $ compile_aexpr a2 -- $ iaddf ()
+ | Aaddu a1 a2 -> $ compile_aexpr a1 -- $ compile_aexpr a2 -- $ iadduf ()
+ | Asub a1 a2 -> $ compile_aexpr a1 -- $ compile_aexpr a2 -- $ isubf ()
+ (* | Amul a1 a2 -> $ compile_aexpr a1 -- $ compile_aexpr a2 -- $ imulf () *)
+ end in
+ hoare trivial_pre c (aexpr_post a c.wcode.length)
+
+ (* Check that the above specification indeed implies the
+ natural one. *)
+ let compile_aexpr_natural (a:aexpr) : code
+ ensures { forall c p r s m. codeseq_at c p result ->
+ transition_star c (VMS p r s m)
+ (VMS (p + length result) r (push (aeval m a) s) m) }
+ = let res = compile_aexpr a : hl unit in
+ assert { forall p r s m. res.pre () p (VMS p r s m) }; res.code
+
+end
+
+(* Compiler for boolean expressions. *)
+module Compile_bexpr
+
+ use int.Int
+ use list.List
+ use list.Length
+ use list.Append
+ use imp.Imp
+ use vm.Vm
+ use state.State
+ use logic.Compiler_logic
+ use specs.VM_instr_spec
+ use Compile_aexpr
+
+ (* Compilation scheme: the generated code perform a jump
+ iff the boolean expression evaluate to cond. *)
+ function bexpr_post (b:bexpr) (cond: bool) (out_t:ofs) (out_f:ofs) : post 'a =
+ fun _ p ms ms' -> let VMS _ r s m = ms in if beval m b = cond
+ then ms' = VMS (p + out_t) r s m
+ else ms' = VMS (p + out_f) r s m
+ meta rewrite_def function bexpr_post
+
+ function exec_cond (b1:bexpr) (cond:bool) : pre 'a =
+ fun _ _ ms -> let VMS _ _ _ m = ms in beval m b1 = cond
+ meta rewrite_def function exec_cond
+
+ let rec compile_bexpr (b:bexpr) (cond:bool) (ofs:ofs) : hl 'a
+ ensures { result.pre --> trivial_pre }
+ ensures { result.post --> let len = result.code.length in
+ bexpr_post b cond (len + ofs) len }
+ variant { b }
+ = let c = match b with
+ | Btrue -> $ if cond then ibranchf ofs else inil ()
+ | Bfalse -> $ if cond then inil () else ibranchf ofs
+ | Bnot b1 -> $ compile_bexpr b1 (not cond) ofs
+ | Beq a1 a2 -> $ compile_aexpr a1 -- $ compile_aexpr a2 --
+ $ if cond then ibeqf ofs else ibnef ofs
+ | Ble a1 a2 -> $ compile_aexpr a1 -- $ compile_aexpr a2 --
+ $ if cond then iblef ofs else ibgtf ofs
+ | Band b1 b2 ->
+ let c2 = $ compile_bexpr b2 cond ofs % exec_cond b1 true in
+ let ofs = if cond then length c2.wcode else ofs + length c2.wcode in
+ $ compile_bexpr b1 false ofs -- c2
+ end in
+ let ghost post = bexpr_post b cond (c.wcode.length + ofs) c.wcode.length in
+ hoare trivial_pre c post
+
+ (* Check that the above specification implies the natural one. *)
+ let compile_bexpr_natural (b:bexpr) (cond:bool) (ofs:ofs) : code
+ ensures { forall c p r s m. codeseq_at c p result ->
+ transition_star c (VMS p r s m)
+ (VMS (p + length result + if beval m b = cond then ofs else 0) r s m) }
+ = let res = compile_bexpr b cond ofs : hl unit in
+ assert { forall p r s m. res.pre () p (VMS p r s m) }; res.code
+
+end
+
+(* Register based compiler for arithmetic expressions *)
+module Compile_aexpr_reg
+
+ use int.Int
+ use list.List
+ use list.Length
+ use list.Append
+ use imp.Imp
+ use vm.Vm
+ use state.State
+ use state.Reg
+ use logic.Compiler_logic
+ use specs.VM_instr_spec
+
+ (* Compilation scheme: the generated code for arithmetic expressions
+ put the result of the expression on the stack. *)
+ function aexpr_post (a:aexpr) (len:pos) (idr:idr) : post 'a =
+ fun _ p ms ms' ->
+ let VMS p1 r1 s1 m1 = ms in
+ let VMS p2 r2 s2 m2 = ms' in
+ p1 = p /\
+ p2 = p + len /\
+ (forall r'. r' < idr -> read r1 r' = read r2 r') /\ (* preserve lower registers *)
+ read r2 idr = aeval m1 a /\ (* result in idr *)
+ s2 = s1 /\ (* preserve stack *)
+ m2 = m1 (* preserve memory *)
+
+ meta rewrite_def function aexpr_post
+
+ let rec compile_aexpr (a:aexpr) (idr: idr) : hl 'a
+ ensures { result.pre --> trivial_pre }
+ ensures { result.post --> aexpr_post a result.code.length idr}
+ variant { a }
+ = let c = match a with
+ | Anum n -> $ iimmf idr n
+ | Avar x -> $ iloadf idr x
+ | Aadd a1 a2 -> $
+ compile_aexpr a1 idr -- $ compile_aexpr a2 (idr + 1) -- $ iaddrf (idr + 1) idr idr
+ | Aaddu a1 a2 -> $
+ compile_aexpr a1 idr -- $ compile_aexpr a2 (idr + 1) -- $ iaddurf (idr + 1) idr idr
+ | Asub a1 a2 -> $
+ compile_aexpr a2 idr -- $ compile_aexpr a1 (idr + 1) -- $ isubrf (idr + 1) idr idr
+ end in
+ hoare trivial_pre c (aexpr_post a c.wcode.length idr)
+
+ (* Check that the above specification indeed implies the
+ natural one. *)
+
+ let compile_aexpr_natural (a:aexpr) (idr:idr) : code
+ ensures { forall c p r1 s m. codeseq_at c p result ->
+ exists r2.
+ transition_star c (VMS p r1 s m)
+ (VMS (p + length result) r2 s m)
+ /\
+ forall r. r < idr -> read r2 r = read r1 r /\
+ read r2 idr = aeval m a
+ }
+ = let res = compile_aexpr a idr : hl unit in
+ assert { res.pre = trivial_pre }; (* we have a trivial precod *)
+ assert { forall p r s m. res.pre () p (VMS p r s m) };
+
+ assert { forall p ms. res.pre () p ms ->
+ exists ms'.
+ res.post () p ms ms' /\ contextual_irrelevance res.code p ms ms' /\
+ let VMS p1 r1 s1 m1 = ms in
+ let VMS p2 r2 s2 m2 = ms' in
+ p2 = p1 + res.code.length /\ m2 = m1 /\ s2 = s1 /\
+ forall r. r < idr -> read r2 r = read r1 r /\
+ read r2 idr = aeval m1 a
+ };
+
+ res.code
+
+end
+
+(* Compiler for Boolean expressions. *)
+module Compile_bexpr_reg
+
+ use int.Int
+ use list.List
+ use list.Length
+ use list.Append
+ use imp.Imp
+ use vm.Vm
+ use state.State
+ use state.Reg
+ use logic.Compiler_logic
+ use specs.VM_instr_spec
+ use Compile_aexpr_reg
+
+ (* Compilation scheme: the generated code perform a jump
+ iff the boolean expression evaluate to cond. *)
+ function bexpr_post (b:bexpr) (cond: bool) (out_t:ofs) (out_f:ofs) (idr: idr): post 'a =
+ fun _ p ms ms' ->
+ let VMS _ r s m = ms in
+ let VMS p1 r1 s1 m1 = ms' in
+ (
+ if beval m b = cond then
+ p1 = p + out_t
+ else
+ p1 = p + out_f
+ ) /\
+ m1 = m /\
+ s1 = s /\
+ forall r'. r' < idr -> read r1 r' = read r r'
+
+ meta rewrite_def function bexpr_post
+
+ function exec_cond (b1:bexpr) (cond:bool) : pre 'a =
+ fun _ _ ms -> let VMS _ _ _ m = ms in beval m b1 = cond
+ meta rewrite_def function exec_cond
+
+ let rec compile_bexpr (b:bexpr) (cond:bool) (ofs:ofs) (idr:idr): hl 'a
+ ensures { result.pre --> trivial_pre }
+ ensures { result.post --> let len = result.code.length in
+ bexpr_post b cond (len + ofs) len idr }
+ variant { b }
+ = let c = match b with
+ | Btrue -> $ if cond then ibranchf ofs else inil ()
+ | Bfalse -> $ if cond then inil () else ibranchf ofs
+ | Bnot b1 -> $ compile_bexpr b1 (not cond) ofs idr
+ | Beq a1 a2 -> $ compile_aexpr a1 idr -- $ compile_aexpr a2 (idr + 1) --
+ $ if cond then ibeqrf idr (idr + 1) ofs else ibnerf idr (idr + 1) ofs
+ | Ble a1 a2 -> $ compile_aexpr a1 idr -- $ compile_aexpr a2 (idr + 1) --
+ $ if cond then iblerf idr (idr + 1) ofs else ibgtrf idr (idr + 1) ofs
+
+ | Band b1 b2 ->
+ let c2 = $ compile_bexpr b2 cond ofs idr % exec_cond b1 true in
+ let ofs = if cond then length c2.wcode else ofs + length c2.wcode in
+ $ compile_bexpr b1 false ofs idr -- c2
+
+ end in
+ let ghost post = bexpr_post b cond (c.wcode.length + ofs) c.wcode.length idr in
+ hoare trivial_pre c post
+
+
+ let compile_bexpr_natural (b:bexpr) (cond:bool) (ofs:ofs) (idr): code
+ ensures { forall c p s m. codeseq_at c p result ->
+ if beval m b = cond then
+ forall r1. exists r2.
+ transition_star c (VMS p r1 s m)
+ (VMS (p + length result + ofs) r2 s m)
+ else
+ forall r1. exists r2.
+ transition_star c (VMS p r1 s m)
+ (VMS (p + length result) r2 s m)
+ }
+
+ = let res = compile_bexpr b cond ofs idr : hl unit in
+ assert { forall p r s m. res.pre () p (VMS p r s m) };
+ assert { forall p ms. res.pre () p ms ->
+ exists ms'.
+ res.post () p ms ms' /\ contextual_irrelevance res.code p ms ms' /\
+ let VMS _ _ s1 m1 = ms in
+ let VMS _ _ s2 m2 = ms' in
+ m2 = m1 /\ s2 = s1
+ };
+ res.code
+
+end
+
+(* Compiler for commands, no regs used *)
+
+module Compile_com
+
+ use int.Int
+ use list.List
+ use list.Length
+ use list.Append
+ use imp.Imp
+ use vm.Vm
+ use state.State
+ use logic.Compiler_logic
+ use specs.VM_instr_spec
+ use Compile_aexpr
+ use Compile_bexpr
+
+ (* Compilation scheme: the generated code for a command
+ simulates the command on the memory part of the machine state. *)
+ (* As we specify only terminating behavior, we have to require
+ that the source program terminates in the initial conditions. *)
+ function com_pre (cmd:com) : pre 'a =
+ fun _ p ms -> let VMS p' _ _ m = ms in p = p' /\ exists m'. ceval m cmd m'
+ meta rewrite_def function com_pre
+
+ function com_post (cmd:com) (len:pos) : post 'a =
+ fun _ _ ms ms' -> let VMS p r s m = ms in let VMS p' r' s' m' = ms' in
+ p' = p + len /\ s' = s /\ ceval m cmd m' /\ r' = r
+ meta rewrite_def function com_post
+
+ function exec_cond_old (b1:bexpr) (cond:bool) : pre ('a,machine_state) =
+ fun x _ _ -> let VMS _ _ _ m = snd x in beval m b1 = cond
+ meta rewrite_def function exec_cond_old
+
+ (* Invariant for loop compilation: any intermediate state
+ would evaluate to the same final state as the initial state. *)
+ function loop_invariant (c:com) : pre ('a,machine_state) =
+ fun x p msi -> let VMS _ r0 s0 m0 = snd x in let VMS pi ri si mi = msi in
+ pi = p /\ s0 = si /\ r0 = ri /\ exists mf. ceval m0 c mf /\ ceval mi c mf
+ meta rewrite_def function loop_invariant
+
+ function loop_variant (c:com) (test:bexpr) : post 'a =
+ fun _ _ msj msi -> let VMS _pj _rj _sj mj = msj in let VMS _pi _ri _si mi = msi in
+ ceval mi c mj /\ beval mi test
+ (* meta rewrite_def function loop_variant *)
+
+ lemma loop_variant_lemma : forall c test,x:'a,p msj msi.
+ loop_variant c test x p msj msi =
+ let VMS _pj _rj _sj mj = msj in let VMS _pi _ri _si mi = msi in
+ ceval mi c mj /\ beval mi test
+ meta rewrite lemma loop_variant_lemma
+
+ (* Well-foundedness of the loop variant. *)
+ lemma loop_variant_acc : forall c test,x:'a,p mi mj.
+ let wh = Cwhile test c in let var = (loop_variant c test x p) in
+ (ceval mi wh mj -> forall pi ri si. acc var (VMS pi ri si mi))
+ by forall pi ri si mi mj mf. ceval mi c mj /\ beval mi test ->
+ ceval mj wh mf /\ (forall pj rj sj. acc var (VMS pj rj sj mj)) ->
+ acc var (VMS pi ri si mi) by
+ (forall pk rk sk mk. var (VMS pk rk sk mk) (VMS pi ri si mi) -> mk = mj)
+
+ let rec compile_com (cmd: com) : hl 'a
+ ensures { result.pre --> com_pre cmd }
+ ensures { result.post --> let len = result.code.length in com_post cmd len }
+ variant { cmd }
+ = let res = match cmd with
+ | Cskip -> $ inil ()
+ | Cassign x a -> $ compile_aexpr a -- $ isetvarf x
+ | Cseq cmd1 cmd2 -> $ compile_com cmd1 -- $ compile_com cmd2
+ | Cif cond cmd1 cmd2 -> let code_false = compile_com cmd2 in
+ let code_true = $ compile_com cmd1 -- $ ibranchf code_false.code.length in
+ $ compile_bexpr cond false code_true.wcode.length --
+ (code_true % exec_cond cond true) --
+ ($ code_false % exec_cond_old cond false)
+ | Cwhile test body ->
+ let code_body = compile_com body in
+ let body_length = length code_body.code + 1 in
+ let code_test = compile_bexpr test false body_length in
+ let ofs = length code_test.code + body_length in
+ let wp_while = $ code_test --
+ ($ code_body -- $ ibranchf (- ofs)) % exec_cond test true in
+ let ghost inv = loop_invariant cmd in
+ let ghost var = loop_variant body test in
+ $ inil () -- make_loop wp_while inv (exec_cond test true) var
+ end in
+ hoare (com_pre cmd) res (com_post cmd res.wcode.length)
+
+ (* Get back to natural specification for the compiler. *)
+ let compile_com_natural (com: com) : code
+ ensures { forall c p r s m m'. ceval m com m' -> codeseq_at c p result ->
+
+ transition_star c (VMS p r s m) (VMS (p + length result) r s m') }
+ = let res = compile_com com : hl unit in
+ assert { forall c p r s m m'. ceval m com m' -> codeseq_at c p res.code ->
+ res.pre () p (VMS p r s m) && (forall ms'. res.post () p (VMS p r s m) ms' ->
+ ms' = VMS (p + length res.code) r s m') };
+ res.code
+
+ (* Insert the final halting instruction. *)
+ let compile_program (prog : com) : code
+ ensures { forall mi mf: state.
+ ceval mi prog mf -> vm_terminates result mi mf }
+ = let code = compile_com_natural prog in
+ let code2 = code ++ ihalt in
+
+ assert {
+ forall r m m'. ceval m prog m' -> codeseq_at code2 0 code ->
+ transition_star code2 (VMS 0 r Nil m) (VMS (length code) r Nil m')
+ };
+
+ code2
+
+
+(*
+ (* Execution test: compile a simple factorial program, e.g
+ X := 1; WHILE NOT (Y <= 0) DO X := X * Y; Y := Y - 1 DONE
+ (why3 execute -L . compiler.mlw Compile_com.test) *)
+ let test () : code =
+ let x = Id 0 in
+ let y = Id 1 in
+ let cond = Bnot (Ble (Avar y) (Anum 0)) in
+ let body1 = Cassign x (Amul (Avar x) (Avar y)) in
+ let body2 = Cassign y (Asub (Avar y) (Anum 1)) in
+ let lp = Cwhile cond (Cseq body1 body2) in
+ let code = Cseq (Cassign x (Anum 1)) lp in
+ compile_program code
+
+ let test2 () : code =
+ compile_program (Cwhile Btrue Cskip)
+*)
+
+end
+
+(* Compiler for commands, regs used *)
+
+module Compile_com_reg
+
+ use int.Int
+ use list.List
+ use list.Length
+ use list.Append
+ use imp.Imp
+ use vm.Vm
+ use state.State
+ use logic.Compiler_logic
+ use specs.VM_instr_spec
+ use Compile_aexpr_reg
+ use Compile_bexpr_reg
+
+ (* Compilation scheme: the generated code for a command
+ simulates the command on the memory part of the machine state. *)
+ (* As we specify only terminating behavior, we have to require
+ that the source program terminates in the initial conditions. *)
+ function com_pre (cmd:com) : pre 'a =
+ fun _ p ms -> let VMS p' _ _ m = ms in p = p' /\ exists m'. ceval m cmd m'
+ meta rewrite_def function com_pre
+
+ function com_post (cmd:com) (len:pos) : post 'a =
+ fun _ _ ms ms' -> let VMS p _ (* r *) s m = ms in let VMS p' _ (*r'*) s' m' = ms' in
+ p' = p + len /\ s' = s /\ ceval m cmd m' (* /\ r' = r *)
+ meta rewrite_def function com_post
+
+ function exec_cond_old (b1:bexpr) (cond:bool) : pre ('a,machine_state) =
+ fun x _ _ -> let VMS _ _ _ m = snd x in beval m b1 = cond
+ meta rewrite_def function exec_cond_old
+
+ (* Invariant for loop compilation: any intermediate state
+ would evaluate to the same final state as the initial state. *)
+ function loop_invariant (c:com) : pre ('a,machine_state) =
+ fun x p msi -> let VMS _ _ (* r0 *) s0 m0 = snd x in let VMS pi _ (* ri *) si mi = msi in
+ pi = p /\ s0 = si /\ (* r0 = ri /\ *) exists mf. ceval m0 c mf /\ ceval mi c mf
+ meta rewrite_def function loop_invariant
+
+ function loop_variant (c:com) (test:bexpr) : post 'a =
+ fun _ _ msj msi -> let VMS _pj _rj _sj mj = msj in let VMS _pi _ri _si mi = msi in
+ ceval mi c mj /\ beval mi test
+ (* meta rewrite_def function loop_variant *)
+
+ lemma loop_variant_lemma : forall c test,x:'a,p msj msi.
+ loop_variant c test x p msj msi =
+ let VMS _pj _rj _sj mj = msj in let VMS _pi _ri _si mi = msi in
+ ceval mi c mj /\ beval mi test
+ meta rewrite lemma loop_variant_lemma
+
+ (* Well-foundedness of the loop variant. *)
+ lemma loop_variant_acc : forall c test,x:'a,p mi mj.
+ let wh = Cwhile test c in let var = (loop_variant c test x p) in
+ (ceval mi wh mj -> forall pi ri si. acc var (VMS pi ri si mi))
+ by forall pi ri si mi mj mf. ceval mi c mj /\ beval mi test ->
+ ceval mj wh mf /\ (forall pj rj sj. acc var (VMS pj rj sj mj)) ->
+ acc var (VMS pi ri si mi) by
+ (forall pk rk sk mk. var (VMS pk rk sk mk) (VMS pi ri si mi) -> mk = mj)
+
+ let rec compile_com (cmd: com) : hl 'a
+ ensures { result.pre --> com_pre cmd }
+ ensures { result.post --> let len = result.code.length in com_post cmd len }
+ variant { cmd }
+ = let res = match cmd with
+ | Cskip -> $ inil ()
+ | Cassign x a -> $ compile_aexpr a 0 -- $ istoref 0 x
+ | Cseq cmd1 cmd2 -> $ compile_com cmd1 -- $ compile_com cmd2
+ | Cif cond cmd1 cmd2 -> let code_false = compile_com cmd2 in
+ let code_true = $ compile_com cmd1 -- $ ibranchf code_false.code.length in
+ $ compile_bexpr cond false code_true.wcode.length 0 --
+ (code_true % exec_cond cond true) --
+ ($ code_false % exec_cond_old cond false)
+ | Cwhile test body ->
+ let code_body = compile_com body in
+ let body_length = length code_body.code + 1 in
+ let code_test = compile_bexpr test false body_length 0 in
+ let ofs = length code_test.code + body_length in
+ let wp_while = $ code_test --
+ ($ code_body -- $ ibranchf (- ofs)) % exec_cond test true in
+ let ghost inv = loop_invariant cmd in
+ let ghost var = loop_variant body test in
+ $ inil () -- make_loop wp_while inv (exec_cond test true) var
+ end in
+ hoare (com_pre cmd) res (com_post cmd res.wcode.length)
+
+ (* Get back to natural specification for the compiler. *)
+ let compile_com_natural (com: com) : code
+ ensures { forall c p r s m m'. ceval m com m' -> codeseq_at c p result ->
+ exists r'.
+ transition_star c (VMS p r s m) (VMS (p + length result) r' s m') }
+ = let res = compile_com com : hl unit in
+ assert { forall c p r s m m'. ceval m com m' -> codeseq_at c p res.code ->
+ res.pre () p (VMS p r s m) && (forall ms'. res.post () p (VMS p r s m) ms' ->
+ exists r'.
+ ms' = VMS (p + length res.code) r' s m') };
+ res.code
+
+ (* Insert the final halting instruction. *)
+ let compile_program (prog : com) : code
+ ensures { forall mi mf: state.
+ ceval mi prog mf -> vm_terminates_reg result mi mf }
+
+ = let code = compile_com_natural prog in
+ let code2 = code ++ ihalt in
+
+ assert {
+ forall r m m'. ceval m prog m' -> codeseq_at code2 0 code ->
+ exists r'.
+ transition_star code2 (VMS 0 r Nil m) (VMS (length code) r' Nil m')
+ };
+
+ code2
+
+
+(*
+ (* Execution test: compile a simple factorial program, e.g
+ X := 1; WHILE NOT (Y <= 0) DO X := X * Y; Y := Y - 1 DONE
+ (why3 execute -L . compiler.mlw Compile_com.test) *)
+ let test () : code =
+ let x = Id 0 in
+ let y = Id 1 in
+ let cond = Bnot (Ble (Avar y) (Anum 0)) in
+ let body1 = Cassign x (Amul (Avar x) (Avar y)) in
+ let body2 = Cassign y (Asub (Avar y) (Anum 1)) in
+ let lp = Cwhile cond (Cseq body1 body2) in
+ let code = Cseq (Cassign x (Anum 1)) lp in
+ compile_program code
+
+ let test2 () : code =
+ compile_program (Cwhile Btrue Cskip)
+*)
+
+end
+
diff --git a/compiler/why3session.xml b/compiler/why3session.xml
new file mode 100644
index 0000000000000000000000000000000000000000..1c6b29a8b16cfe25cedce75528af8690ccfbdcf2
--- /dev/null
+++ b/compiler/why3session.xml
@@ -0,0 +1,1234 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE why3session PUBLIC "-//Why3//proof session v5//EN"
+"http://why3.lri.fr/why3session.dtd">
+<why3session shape_version="4">
+<prover id="0" name="CVC4" version="1.6" alternative="counterexamples" timelimit="10" steplimit="0" memlimit="2000"/>
+<prover id="1" name="Eprover" version="2.1" timelimit="10" steplimit="0" memlimit="2000"/>
+<prover id="3" name="Alt-Ergo" version="2.0.0" timelimit="10" steplimit="0" memlimit="2000"/>
+<file name="../compiler.mlw" proved="true">
+<theory name="Compile_aexpr" proved="true">
+ <goal name="VC compile_aexpr" expl="VC for compile_aexpr" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC compile_aexpr.0" expl="variant decrease" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.11" steps="159"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.1" expl="variant decrease" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.13" steps="169"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.2" expl="variant decrease" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.08" steps="159"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.3" expl="variant decrease" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.13" steps="169"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.4" expl="precondition" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC compile_aexpr.4.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_aexpr.4.0.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_aexpr.4.0.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_aexpr.4.0.0.0.0" expl="precondition" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.08" steps="151"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_aexpr.4.1" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_aexpr.4.1.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_aexpr.4.1.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_aexpr.4.1.0.0.0" expl="precondition" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.08" steps="148"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_aexpr.4.2" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_aexpr.4.2.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_aexpr.4.2.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_aexpr.4.2.0.0.0" expl="precondition" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.20" steps="226"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_aexpr.4.3" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_aexpr.4.3.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_aexpr.4.3.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_aexpr.4.3.0.0.0" expl="precondition" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.21" steps="226"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_aexpr.5" expl="postcondition" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.12" steps="81"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.6" expl="postcondition" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.09" steps="81"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_aexpr_natural" expl="VC for compile_aexpr_natural" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.16" steps="196"/></proof>
+ </goal>
+</theory>
+<theory name="Compile_bexpr" proved="true">
+ <goal name="VC compile_bexpr" expl="VC for compile_bexpr" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC compile_bexpr.0" expl="variant decrease" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.09" steps="175"/></proof>
+ </goal>
+ <goal name="VC compile_bexpr.1" expl="variant decrease" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.08" steps="180"/></proof>
+ </goal>
+ <goal name="VC compile_bexpr.2" expl="variant decrease" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.18" steps="218"/></proof>
+ </goal>
+ <goal name="VC compile_bexpr.3" expl="precondition" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC compile_bexpr.3.0" expl="precondition" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC compile_bexpr.3.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.0.0.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_bexpr.3.0.0.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.0.0.0.0.0" expl="precondition" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.08" steps="183"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_bexpr.3.0.1" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.0.1.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_bexpr.3.0.1.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.0.1.0.0.0" expl="precondition" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.05" steps="161"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_bexpr.3.1" expl="precondition" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC compile_bexpr.3.1.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.1.0.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_bexpr.3.1.0.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.1.0.0.0.0" expl="precondition" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.06" steps="161"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_bexpr.3.1.1" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.1.1.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_bexpr.3.1.1.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.1.1.0.0.0" expl="precondition" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.08" steps="163"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_bexpr.3.2" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.2.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_bexpr.3.2.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.2.0.0.0" expl="precondition" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.26" steps="292"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_bexpr.3.3" expl="precondition" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC compile_bexpr.3.3.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.3.0.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_bexpr.3.3.0.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.3.0.0.0.0" expl="precondition" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.58" steps="526"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_bexpr.3.3.1" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.3.1.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_bexpr.3.3.1.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.3.1.0.0.0" expl="precondition" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.48" steps="477"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_bexpr.3.4" expl="precondition" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC compile_bexpr.3.4.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.4.0.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_bexpr.3.4.0.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.4.0.0.0.0" expl="precondition" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.62" steps="524"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_bexpr.3.4.1" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.4.1.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_bexpr.3.4.1.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.4.1.0.0.0" expl="precondition" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.58" steps="481"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_bexpr.3.5" expl="precondition" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC compile_bexpr.3.5.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.5.0.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_bexpr.3.5.0.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.5.0.0.0.0" expl="precondition" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.50" steps="405"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_bexpr.3.5.1" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.5.1.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_bexpr.3.5.1.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.5.1.0.0.0" expl="precondition" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.46" steps="406"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_bexpr.4" expl="postcondition" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.09" steps="81"/></proof>
+ </goal>
+ <goal name="VC compile_bexpr.5" expl="postcondition" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.10" steps="81"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_bexpr_natural" expl="VC for compile_bexpr_natural" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.24" steps="291"/></proof>
+ </goal>
+</theory>
+<theory name="Compile_aexpr_reg" proved="true">
+ <goal name="VC compile_aexpr" expl="VC for compile_aexpr" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC compile_aexpr.0" expl="variant decrease" proved="true">
+ <proof prover="3"><result status="valid" time="0.14" steps="162"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.1" expl="variant decrease" proved="true">
+ <proof prover="3"><result status="valid" time="0.15" steps="172"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.2" expl="variant decrease" proved="true">
+ <proof prover="3"><result status="valid" time="0.15" steps="162"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.3" expl="variant decrease" proved="true">
+ <proof prover="3"><result status="valid" time="0.16" steps="172"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.4" expl="precondition" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC compile_aexpr.4.0" expl="precondition" proved="true">
+ <proof prover="3"><result status="timeout" time="10.00"/></proof>
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_aexpr.4.0.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_aexpr.4.0.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_aexpr.4.0.0.0.0" expl="precondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.26" steps="326"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_aexpr.4.1" expl="precondition" proved="true">
+ <proof prover="3"><result status="timeout" time="10.00"/></proof>
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_aexpr.4.1.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_aexpr.4.1.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_aexpr.4.1.0.0.0" expl="precondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.26" steps="316"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_aexpr.4.2" expl="precondition" proved="true">
+ <proof prover="3"><result status="timeout" time="10.00"/></proof>
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_aexpr.4.2.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_aexpr.4.2.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_aexpr.4.2.0.0.0" expl="precondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.54" steps="500"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_aexpr.4.3" expl="precondition" proved="true">
+ <proof prover="3"><result status="timeout" time="10.00"/></proof>
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_aexpr.4.3.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_aexpr.4.3.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_aexpr.4.3.0.0.0" expl="precondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.53" steps="500"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_aexpr.5" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.11" steps="81"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.6" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.10" steps="81"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_aexpr_natural" expl="VC for compile_aexpr_natural" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC compile_aexpr_natural.0" expl="assertion" proved="true">
+ <proof prover="3"><result status="valid" time="0.09" steps="80"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr_natural.1" expl="assertion" proved="true">
+ <proof prover="3"><result status="valid" time="0.10" steps="81"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr_natural.2" expl="assertion" proved="true">
+ <proof prover="3"><result status="valid" time="0.18" steps="172"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr_natural.3" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.26" steps="309"/></proof>
+ </goal>
+ </transf>
+ </goal>
+</theory>
+<theory name="Compile_bexpr_reg" proved="true">
+ <goal name="VC compile_bexpr" expl="VC for compile_bexpr" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC compile_bexpr.0" expl="variant decrease" proved="true">
+ <proof prover="3"><result status="valid" time="0.16" steps="175"/></proof>
+ </goal>
+ <goal name="VC compile_bexpr.1" expl="variant decrease" proved="true">
+ <proof prover="3"><result status="valid" time="0.16" steps="180"/></proof>
+ </goal>
+ <goal name="VC compile_bexpr.2" expl="variant decrease" proved="true">
+ <proof prover="3"><result status="valid" time="0.19" steps="218"/></proof>
+ </goal>
+ <goal name="VC compile_bexpr.3" expl="precondition" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC compile_bexpr.3.0" expl="precondition" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC compile_bexpr.3.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.0.0.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_bexpr.3.0.0.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.0.0.0.0.0" expl="precondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.25" steps="298"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_bexpr.3.0.1" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.0.1.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_bexpr.3.0.1.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.0.1.0.0.0" expl="precondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.18" steps="169"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_bexpr.3.1" expl="precondition" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC compile_bexpr.3.1.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.1.0.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_bexpr.3.1.0.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.1.0.0.0.0" expl="precondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.17" steps="169"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_bexpr.3.1.1" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.1.1.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_bexpr.3.1.1.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.1.1.0.0.0" expl="precondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.25" steps="279"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_bexpr.3.2" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.2.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_bexpr.3.2.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.2.0.0.0" expl="precondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.32" steps="343"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_bexpr.3.3" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.3.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_bexpr.3.3.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.3.0.0.0" expl="precondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.73" steps="937"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_bexpr.3.4" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.4.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_bexpr.3.4.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.4.0.0.0" expl="precondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.72" steps="937"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_bexpr.3.5" expl="precondition" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC compile_bexpr.3.5.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.5.0.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_bexpr.3.5.0.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.5.0.0.0.0" expl="precondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.63" steps="533"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_bexpr.3.5.1" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.5.1.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_bexpr.3.5.1.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.5.1.0.0.0" expl="precondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.75" steps="534"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_bexpr.4" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.11" steps="81"/></proof>
+ </goal>
+ <goal name="VC compile_bexpr.5" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.10" steps="81"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_bexpr_natural" expl="VC for compile_bexpr_natural" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC compile_bexpr_natural.0" expl="assertion" proved="true">
+ <proof prover="3"><result status="valid" time="0.10" steps="81"/></proof>
+ </goal>
+ <goal name="VC compile_bexpr_natural.1" expl="assertion" proved="true">
+ <proof prover="3"><result status="valid" time="0.16" steps="155"/></proof>
+ </goal>
+ <goal name="VC compile_bexpr_natural.2" expl="postcondition" proved="true">
+ <proof prover="3" obsolete="true"><result status="timeout" time="10.00"/></proof>
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC compile_bexpr_natural.2.0" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.34" steps="251"/></proof>
+ </goal>
+ <goal name="VC compile_bexpr_natural.2.1" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.37" steps="325"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+</theory>
+<theory name="Compile_com" proved="true">
+ <goal name="loop_variant_lemma" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.16" steps="154"/></proof>
+ </goal>
+ <goal name="loop_variant_acc" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="loop_variant_acc.0" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.29" steps="298"/></proof>
+ </goal>
+ <goal name="loop_variant_acc.1" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.15" steps="113"/></proof>
+ </goal>
+ <goal name="loop_variant_acc.2" proved="true">
+ <transf name="induction_pr" proved="true" >
+ <goal name="loop_variant_acc.2.0" proved="true">
+ <transf name="simplify_trivial_quantification_in_goal" proved="true" >
+ <goal name="loop_variant_acc.2.0.0" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.05" steps="82"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="loop_variant_acc.2.1" proved="true">
+ <transf name="simplify_trivial_quantification_in_goal" proved="true" >
+ <goal name="loop_variant_acc.2.1.0" proved="true">
+ <proof prover="1" timelimit="5" memlimit="1000"><result status="valid" time="0.11"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="loop_variant_acc.2.2" proved="true">
+ <transf name="simplify_trivial_quantification_in_goal" proved="true" >
+ <goal name="loop_variant_acc.2.2.0" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.08" steps="86"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="loop_variant_acc.2.3" proved="true">
+ <transf name="simplify_trivial_quantification_in_goal" proved="true" >
+ <goal name="loop_variant_acc.2.3.0" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.06" steps="85"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="loop_variant_acc.2.4" proved="true">
+ <transf name="simplify_trivial_quantification_in_goal" proved="true" >
+ <goal name="loop_variant_acc.2.4.0" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.09" steps="85"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="loop_variant_acc.2.5" proved="true">
+ <transf name="simplify_trivial_quantification_in_goal" proved="true" >
+ <goal name="loop_variant_acc.2.5.0" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="loop_variant_acc.2.5.0.0" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="loop_variant_acc.2.5.0.0.0" proved="true">
+ <transf name="apply" proved="true" arg1="Acc">
+ <goal name="loop_variant_acc.2.5.0.0.0.0" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="loop_variant_acc.2.5.0.0.0.0.0" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="loop_variant_acc.2.5.0.0.0.0.0.0" proved="true">
+ <proof prover="1"><result status="valid" time="0.41"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="loop_variant_acc.2.6" proved="true">
+ <transf name="simplify_trivial_quantification_in_goal" proved="true" >
+ <goal name="loop_variant_acc.2.6.0" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.21" steps="227"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_com" expl="VC for compile_com" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC compile_com.0" expl="variant decrease" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.17" steps="165"/></proof>
+ </goal>
+ <goal name="VC compile_com.1" expl="variant decrease" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.23" steps="177"/></proof>
+ </goal>
+ <goal name="VC compile_com.2" expl="variant decrease" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.07" steps="169"/></proof>
+ </goal>
+ <goal name="VC compile_com.3" expl="variant decrease" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.26" steps="196"/></proof>
+ </goal>
+ <goal name="VC compile_com.4" expl="variant decrease" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.19" steps="165"/></proof>
+ </goal>
+ <goal name="VC compile_com.5" expl="precondition" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC compile_com.5.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_com.5.0.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_com.5.0.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_com.5.0.0.0.0" expl="precondition" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.14" steps="105"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_com.5.1" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_com.5.1.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_com.5.1.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_com.5.1.0.0.0" expl="precondition" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.41" steps="421"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_com.5.2" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_com.5.2.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_com.5.2.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_com.5.2.0.0.0" expl="precondition" proved="true">
+ <proof prover="3"><result status="valid" time="1.16" steps="955"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_com.5.3" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_com.5.3.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_com.5.3.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_com.5.3.0.0.0" expl="precondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.85" steps="1157"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_com.5.4" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_com.5.4.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_com.5.4.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_com.5.4.0.0.0" expl="precondition" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC compile_com.5.4.0.0.0.0" expl="VC for compile_com" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.22" steps="132"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.1" expl="VC for compile_com" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.13" steps="104"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.2" expl="VC for compile_com" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.10" steps="104"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.3" expl="VC for compile_com" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.21" steps="104"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.4" expl="VC for compile_com" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.27" steps="164"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.5" expl="VC for compile_com" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.12" steps="112"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.6" expl="VC for compile_com" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.13" steps="120"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.7" expl="VC for compile_com" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.15" steps="127"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.8" expl="VC for compile_com" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.12" steps="127"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.9" expl="VC for compile_com" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.13" steps="127"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.10" expl="VC for compile_com" proved="true">
+ <proof prover="3" timelimit="5" memlimit="1000"><result status="valid" time="0.20" steps="126"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.11" expl="VC for compile_com" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.17" steps="134"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.12" expl="VC for compile_com" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.15" steps="133"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.13" expl="VC for compile_com" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.12" steps="127"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.14" expl="VC for compile_com" proved="true">
+ <proof prover="3"><result status="valid" time="1.25" steps="669"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.15" expl="VC for compile_com" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.13" steps="134"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.16" expl="VC for compile_com" proved="true">
+ <proof prover="3"><result status="valid" time="0.25" steps="174"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.17" expl="VC for compile_com" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.14" steps="174"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.18" expl="VC for compile_com" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.15" steps="174"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.19" expl="VC for compile_com" proved="true">
+ <proof prover="3"><result status="valid" time="2.96" steps="1488"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.20" expl="VC for compile_com" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.22" steps="181"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.21" expl="VC for compile_com" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.13" steps="144"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.22" expl="VC for compile_com" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.11" steps="120"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.23" expl="VC for compile_com" proved="true">
+ <proof prover="3"><result status="valid" time="0.19" steps="128"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.24" expl="VC for compile_com" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.13" steps="127"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.25" expl="VC for compile_com" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.67" steps="471"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.26" expl="VC for compile_com" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.09" steps="127"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.27" expl="VC for compile_com" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.25" steps="127"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.28" expl="VC for compile_com" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.11" steps="125"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.29" expl="VC for compile_com" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.12" steps="134"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.30" expl="VC for compile_com" proved="true">
+ <proof prover="3"><result status="valid" time="0.25" steps="139"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.31" expl="VC for compile_com" proved="true">
+ <proof prover="3"><result status="valid" time="0.20" steps="138"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.32" expl="VC for compile_com" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.13" steps="138"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.33" expl="VC for compile_com" proved="true">
+ <proof prover="3"><result status="valid" time="0.18" steps="138"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_com.6" expl="postcondition" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.08" steps="81"/></proof>
+ </goal>
+ <goal name="VC compile_com.7" expl="postcondition" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.09" steps="81"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_com_natural" expl="VC for compile_com_natural" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC compile_com_natural.0" expl="assertion" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_com_natural.0.0" expl="assertion" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_com_natural.0.0.0" expl="assertion" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_com_natural.0.0.0.0" expl="assertion" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.04" steps="127"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_com_natural.1" expl="postcondition" proved="true">
+ <proof prover="3" timelimit="1" memlimit="1000"><result status="valid" time="0.06" steps="125"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_program" expl="VC for compile_program" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC compile_program.0" expl="assertion" proved="true">
+ <proof prover="3"><result status="valid" time="0.15" steps="181"/></proof>
+ </goal>
+ <goal name="VC compile_program.1" expl="postcondition" proved="true">
+ <proof prover="1"><result status="valid" time="0.46"/></proof>
+ </goal>
+ </transf>
+ </goal>
+</theory>
+<theory name="Compile_com_reg" proved="true">
+ <goal name="loop_variant_lemma" proved="true">
+ <proof prover="3"><result status="valid" time="0.15" steps="154"/></proof>
+ </goal>
+ <goal name="loop_variant_acc" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="loop_variant_acc.0" proved="true">
+ <proof prover="3"><result status="valid" time="0.27" steps="298"/></proof>
+ </goal>
+ <goal name="loop_variant_acc.1" proved="true">
+ <proof prover="3"><result status="valid" time="0.13" steps="113"/></proof>
+ </goal>
+ <goal name="loop_variant_acc.2" proved="true">
+ <transf name="induction_pr" proved="true" >
+ <goal name="loop_variant_acc.2.0" proved="true">
+ <proof prover="3"><result status="valid" time="0.10" steps="85"/></proof>
+ </goal>
+ <goal name="loop_variant_acc.2.1" proved="true">
+ <proof prover="3"><result status="valid" time="0.12" steps="85"/></proof>
+ </goal>
+ <goal name="loop_variant_acc.2.2" proved="true">
+ <proof prover="3"><result status="valid" time="0.12" steps="87"/></proof>
+ </goal>
+ <goal name="loop_variant_acc.2.3" proved="true">
+ <proof prover="3"><result status="valid" time="0.12" steps="87"/></proof>
+ </goal>
+ <goal name="loop_variant_acc.2.4" proved="true">
+ <proof prover="3"><result status="valid" time="0.12" steps="87"/></proof>
+ </goal>
+ <goal name="loop_variant_acc.2.5" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="loop_variant_acc.2.5.0" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="loop_variant_acc.2.5.0.0" proved="true">
+ <transf name="apply" proved="true" arg1="Acc">
+ <goal name="loop_variant_acc.2.5.0.0.0" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="loop_variant_acc.2.5.0.0.0.0" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="loop_variant_acc.2.5.0.0.0.0.0" proved="true">
+ <proof prover="1"><result status="valid" time="0.44"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="loop_variant_acc.2.6" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="loop_variant_acc.2.6.0" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="loop_variant_acc.2.6.0.0" proved="true">
+ <proof prover="0"><result status="valid" time="0.42"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_com" expl="VC for compile_com" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC compile_com.0" expl="variant decrease" proved="true">
+ <proof prover="3"><result status="valid" time="0.15" steps="165"/></proof>
+ </goal>
+ <goal name="VC compile_com.1" expl="variant decrease" proved="true">
+ <proof prover="3"><result status="valid" time="0.17" steps="177"/></proof>
+ </goal>
+ <goal name="VC compile_com.2" expl="variant decrease" proved="true">
+ <proof prover="3"><result status="valid" time="0.16" steps="169"/></proof>
+ </goal>
+ <goal name="VC compile_com.3" expl="variant decrease" proved="true">
+ <proof prover="3"><result status="valid" time="0.18" steps="196"/></proof>
+ </goal>
+ <goal name="VC compile_com.4" expl="variant decrease" proved="true">
+ <proof prover="3"><result status="valid" time="0.16" steps="165"/></proof>
+ </goal>
+ <goal name="VC compile_com.5" expl="precondition" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC compile_com.5.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_com.5.0.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_com.5.0.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_com.5.0.0.0.0" expl="precondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.13" steps="105"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_com.5.1" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_com.5.1.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_com.5.1.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_com.5.1.0.0.0" expl="precondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.26" steps="269"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_com.5.2" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_com.5.2.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_com.5.2.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_com.5.2.0.0.0" expl="precondition" proved="true">
+ <proof prover="3"><result status="valid" time="1.35" steps="953"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_com.5.3" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_com.5.3.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_com.5.3.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_com.5.3.0.0.0" expl="precondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.93" steps="1068"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_com.5.4" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_com.5.4.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_com.5.4.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_com.5.4.0.0.0" expl="precondition" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC compile_com.5.4.0.0.0.0" expl="VC for compile_com" proved="true">
+ <proof prover="3"><result status="valid" time="0.17" steps="132"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.1" expl="VC for compile_com" proved="true">
+ <proof prover="3"><result status="valid" time="0.12" steps="104"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.2" expl="VC for compile_com" proved="true">
+ <proof prover="3"><result status="valid" time="0.13" steps="104"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.3" expl="VC for compile_com" proved="true">
+ <proof prover="3"><result status="valid" time="0.17" steps="164"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.4" expl="VC for compile_com" proved="true">
+ <proof prover="3"><result status="valid" time="0.15" steps="111"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.5" expl="VC for compile_com" proved="true">
+ <proof prover="3"><result status="valid" time="0.15" steps="118"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.6" expl="VC for compile_com" proved="true">
+ <proof prover="3"><result status="valid" time="0.15" steps="123"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.7" expl="VC for compile_com" proved="true">
+ <proof prover="3"><result status="valid" time="0.14" steps="123"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.8" expl="VC for compile_com" proved="true">
+ <proof prover="3"><result status="valid" time="0.15" steps="123"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.9" expl="VC for compile_com" proved="true">
+ <proof prover="3"><result status="valid" time="0.14" steps="123"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.10" expl="VC for compile_com" proved="true">
+ <proof prover="3"><result status="valid" time="0.14" steps="123"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.11" expl="VC for compile_com" proved="true">
+ <proof prover="3"><result status="valid" time="0.16" steps="128"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.12" expl="VC for compile_com" proved="true">
+ <proof prover="3"><result status="valid" time="1.76" steps="680"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.13" expl="VC for compile_com" proved="true">
+ <proof prover="3"><result status="valid" time="0.17" steps="134"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.14" expl="VC for compile_com" proved="true">
+ <proof prover="3"><result status="valid" time="0.21" steps="174"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.15" expl="VC for compile_com" proved="true">
+ <proof prover="3"><result status="valid" time="0.22" steps="174"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.16" expl="VC for compile_com" proved="true">
+ <proof prover="3"><result status="valid" time="3.68" steps="1564"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.17" expl="VC for compile_com" proved="true">
+ <proof prover="3"><result status="valid" time="0.24" steps="180"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.18" expl="VC for compile_com" proved="true">
+ <proof prover="3"><result status="valid" time="0.23" steps="143"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.19" expl="VC for compile_com" proved="true">
+ <proof prover="3"><result status="valid" time="0.19" steps="118"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.20" expl="VC for compile_com" proved="true">
+ <proof prover="3"><result status="valid" time="0.17" steps="129"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.21" expl="VC for compile_com" proved="true">
+ <proof prover="3"><result status="valid" time="0.16" steps="127"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.22" expl="VC for compile_com" proved="true">
+ <proof prover="3"><result status="valid" time="0.78" steps="452"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.23" expl="VC for compile_com" proved="true">
+ <proof prover="3"><result status="valid" time="0.16" steps="123"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.24" expl="VC for compile_com" proved="true">
+ <proof prover="3"><result status="valid" time="0.23" steps="123"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.25" expl="VC for compile_com" proved="true">
+ <proof prover="3"><result status="valid" time="0.22" steps="123"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.26" expl="VC for compile_com" proved="true">
+ <proof prover="3"><result status="valid" time="0.24" steps="123"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.27" expl="VC for compile_com" proved="true">
+ <proof prover="3"><result status="valid" time="0.24" steps="123"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.28" expl="VC for compile_com" proved="true">
+ <proof prover="3"><result status="valid" time="0.17" steps="123"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_com.6" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.14" steps="81"/></proof>
+ </goal>
+ <goal name="VC compile_com.7" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.13" steps="81"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_com_natural" expl="VC for compile_com_natural" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC compile_com_natural.0" expl="assertion" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_com_natural.0.0" expl="assertion" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_com_natural.0.0.0" expl="assertion" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_com_natural.0.0.0.0" expl="assertion" proved="true">
+ <proof prover="3"><result status="valid" time="0.13" steps="140"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_com_natural.1" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.12" steps="137"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_program" expl="VC for compile_program" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC compile_program.0" expl="assertion" proved="true">
+ <proof prover="3"><result status="valid" time="0.11" steps="86"/></proof>
+ </goal>
+ <goal name="VC compile_program.1" expl="postcondition" proved="true">
+ <proof prover="1"><result status="valid" time="0.51"/></proof>
+ </goal>
+ </transf>
+ </goal>
+</theory>
+</file>
+</why3session>
diff --git a/compiler/why3shapes.gz b/compiler/why3shapes.gz
new file mode 100644
index 0000000000000000000000000000000000000000..bafb9ddc1958fe1d3031504b4f42a4e280807c2f
Binary files /dev/null and b/compiler/why3shapes.gz differ
diff --git a/extract.sh b/extract.sh
new file mode 100755
index 0000000000000000000000000000000000000000..163a99508b2766225b02e3816bd655acc1c79fca
--- /dev/null
+++ b/extract.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+echo "why3 extract --recursive --modular -D ocaml64 -D ocaml64_bv.drv *.mlw -o ../../ocaml/extract -L ."
+why3 extract --recursive --modular -D ocaml64 -D ocaml64_bv.drv *.mlw -o ../../ocaml/extract -L .
diff --git a/imp.mlw b/imp.mlw
new file mode 100644
index 0000000000000000000000000000000000000000..8f72e117c18c937cdc2c935dcd7db7c10cf683d7
--- /dev/null
+++ b/imp.mlw
@@ -0,0 +1,88 @@
+theory Imp
+
+ use state.State
+ use bool.Bool
+ use int.Int
+ use bv_op.BV_OP
+
+ (* ************************ SYNTAX ************************ *)
+ type aexpr =
+ | Anum int
+ | Avar id
+ | Aadd aexpr aexpr
+ | Asub aexpr aexpr
+ | Aaddu aexpr aexpr
+
+ type bexpr =
+ | Btrue
+ | Bfalse
+ | Bnot bexpr
+ | Beq aexpr aexpr
+ | Ble aexpr aexpr
+ | Band bexpr bexpr
+
+ type com =
+ | Cskip
+ | Cassign id aexpr
+ | Cseq com com
+ | Cif bexpr com com
+ | Cwhile bexpr com
+
+
+ (* ************************ SEMANTICS ************************ *)
+ function aeval (st:state) (e:aexpr) : int =
+ match e with
+ | Anum n -> n
+ | Avar x -> st[x]
+ | Aadd e1 e2 -> aeval st e1 + aeval st e2
+ | Asub e1 e2 -> aeval st e1 - aeval st e2
+ | Aaddu e1 e2 -> bv_add (aeval st e1) (aeval st e2)
+ end
+
+ function beval (st:state) (b:bexpr) : bool =
+ match b with
+ | Btrue -> true
+ | Bfalse -> false
+ | Bnot b' -> notb (beval st b')
+ | Beq a1 a2 -> aeval st a1 = aeval st a2
+ | Ble a1 a2 -> aeval st a1 <= aeval st a2
+ | Band b1 b2 -> andb (beval st b1) (beval st b2)
+
+ end
+
+ inductive ceval state com state =
+ (* skip *)
+ | E_Skip : forall m. ceval m Cskip m
+
+ (* assignement *)
+ | E_Ass : forall m a x. ceval m (Cassign x a) m[x <- aeval m a]
+
+ (* sequence *)
+ | E_Seq : forall cmd1 cmd2 m0 m1 m2.
+ ceval m0 cmd1 m1 -> ceval m1 cmd2 m2 -> ceval m0 (Cseq cmd1 cmd2) m2
+
+ (* if then else *)
+ | E_IfTrue : forall m0 m1 cond cmd1 cmd2. beval m0 cond ->
+ ceval m0 cmd1 m1 -> ceval m0 (Cif cond cmd1 cmd2) m1
+
+ | E_IfFalse : forall m0 m1 cond cmd1 cmd2. not beval m0 cond ->
+ ceval m0 cmd2 m1 -> ceval m0 (Cif cond cmd1 cmd2) m1
+
+ (* while *)
+ | E_WhileEnd : forall cond m body. not beval m cond ->
+ ceval m (Cwhile cond body) m
+
+ | E_WhileLoop : forall mi mj mf cond body. beval mi cond ->
+ ceval mi body mj -> ceval mj (Cwhile cond body) mf ->
+ ceval mi (Cwhile cond body) mf
+
+
+ (* Determinstic semantics *)
+ lemma ceval_deterministic_aux : forall c mi mf1. ceval mi c mf1 ->
+ forall mf2. ([@inversion] ceval mi c mf2) -> mf1 = mf2
+
+ lemma ceval_deterministic : forall c mi mf1 mf2.
+ ceval mi c mf1 -> ceval mi c mf2 -> mf1 = mf2
+
+end
+
diff --git a/imp/why3session.xml b/imp/why3session.xml
new file mode 100644
index 0000000000000000000000000000000000000000..64bd48c277c5fee330ab47540fe851444f065cf1
--- /dev/null
+++ b/imp/why3session.xml
@@ -0,0 +1,2149 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE why3session PUBLIC "-//Why3//proof session v5//EN"
+"http://why3.lri.fr/why3session.dtd">
+<why3session shape_version="4">
+<prover id="0" name="Alt-Ergo" version="2.2.0" timelimit="10" steplimit="0" memlimit="1000"/>
+<prover id="1" name="Alt-Ergo" version="2.0.0" timelimit="5" steplimit="0" memlimit="2000"/>
+<prover id="2" name="Z3" version="4.7.1" alternative="counterexamples" timelimit="5" steplimit="0" memlimit="2000"/>
+<prover id="3" name="Eprover" version="2.0" timelimit="10" steplimit="0" memlimit="1000"/>
+<prover id="4" name="CVC4" version="1.6" alternative="counterexamples" timelimit="10" steplimit="0" memlimit="2000"/>
+<file name="../state.mlw" proved="true">
+<theory name="State" proved="true">
+ <goal name="VC get" expl="VC for get" proved="true">
+ <proof prover="1"><result status="valid" time="0.00" steps="1"/></proof>
+ </goal>
+ <goal name="VC set" expl="VC for set" proved="true">
+ <proof prover="1"><result status="valid" time="0.00" steps="1"/></proof>
+ </goal>
+ <goal name="VC mixfix []" expl="VC for mixfix []" proved="true">
+ <proof prover="1"><result status="valid" time="0.00" steps="1"/></proof>
+ </goal>
+ <goal name="VC mixfix [<-]" expl="VC for mixfix [<-]" proved="true">
+ <proof prover="1"><result status="valid" time="0.00" steps="1"/></proof>
+ </goal>
+ <goal name="VC const" expl="VC for const" proved="true">
+ <proof prover="1" timelimit="10"><result status="valid" time="0.00" steps="2"/></proof>
+ </goal>
+</theory>
+<theory name="Reg" proved="true">
+ <goal name="VC read" expl="VC for read" proved="true">
+ <proof prover="0" timelimit="5" memlimit="2000"><result status="valid" time="0.00" steps="0"/></proof>
+ </goal>
+ <goal name="VC write" expl="VC for write" proved="true">
+ <proof prover="0" timelimit="5" memlimit="2000"><result status="valid" time="0.00" steps="0"/></proof>
+ </goal>
+ <goal name="VC const" expl="VC for const" proved="true">
+ <proof prover="0" timelimit="5" memlimit="2000"><result status="valid" time="0.00" steps="2"/></proof>
+ </goal>
+</theory>
+</file>
+<file name="../specs.mlw" proved="true">
+<theory name="VM_instr_spec" proved="true">
+ <goal name="VC ifunf" expl="VC for ifunf" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC ifunf.0" expl="precondition" proved="true">
+ <proof prover="3" timelimit="5"><result status="valid" time="0.25"/></proof>
+ </goal>
+ <goal name="VC ifunf.1" expl="postcondition" proved="true">
+ <proof prover="0" timelimit="5" memlimit="2000"><result status="valid" time="0.02" steps="152"/></proof>
+ </goal>
+ <goal name="VC ifunf.2" expl="postcondition" proved="true">
+ <proof prover="0" timelimit="5" memlimit="2000"><result status="valid" time="0.02" steps="152"/></proof>
+ </goal>
+ <goal name="VC ifunf.3" expl="postcondition" proved="true">
+ <proof prover="0" timelimit="5" memlimit="2000"><result status="valid" time="0.02" steps="152"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC iimmf" expl="VC for iimmf" proved="true">
+ <transf name="split_vc" proved="true" >
+ <goal name="VC iimmf.0" expl="precondition" proved="true">
+ <proof prover="2"><result status="valid" time="0.13"/></proof>
+ </goal>
+ <goal name="VC iimmf.1" expl="precondition" proved="true">
+ <proof prover="0" timelimit="5" memlimit="2000"><result status="valid" time="0.10" steps="451"/></proof>
+ </goal>
+ <goal name="VC iimmf.2" expl="postcondition" proved="true">
+ <proof prover="0" timelimit="5" memlimit="2000"><result status="valid" time="0.06" steps="162"/></proof>
+ </goal>
+ <goal name="VC iimmf.3" expl="postcondition" proved="true">
+ <proof prover="0" timelimit="5" memlimit="2000"><result status="valid" time="0.06" steps="162"/></proof>
+ </goal>
+ <goal name="VC iimmf.4" expl="postcondition" proved="true">
+ <proof prover="0" timelimit="5" memlimit="2000"><result status="valid" time="0.07" steps="390"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC iloadf" expl="VC for iloadf" proved="true">
+ <transf name="split_vc" proved="true" >
+ <goal name="VC iloadf.0" expl="precondition" proved="true">
+ <proof prover="2" timelimit="10" memlimit="1000"><result status="valid" time="0.10"/></proof>
+ </goal>
+ <goal name="VC iloadf.1" expl="precondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.22" steps="451"/></proof>
+ </goal>
+ <goal name="VC iloadf.2" expl="postcondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.04" steps="162"/></proof>
+ </goal>
+ <goal name="VC iloadf.3" expl="postcondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.05" steps="162"/></proof>
+ </goal>
+ <goal name="VC iloadf.4" expl="postcondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.09" steps="390"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC istoref" expl="VC for istoref" proved="true">
+ <transf name="split_vc" proved="true" >
+ <goal name="VC istoref.0" expl="precondition" proved="true">
+ <proof prover="4"><result status="valid" time="0.25"/></proof>
+ </goal>
+ <goal name="VC istoref.1" expl="precondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.11" steps="451"/></proof>
+ </goal>
+ <goal name="VC istoref.2" expl="postcondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.05" steps="162"/></proof>
+ </goal>
+ <goal name="VC istoref.3" expl="postcondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.04" steps="162"/></proof>
+ </goal>
+ <goal name="VC istoref.4" expl="postcondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.09" steps="390"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC ipushf" expl="VC for ipushf" proved="true">
+ <transf name="split_vc" proved="true" >
+ <goal name="VC ipushf.0" expl="precondition" proved="true">
+ <proof prover="4"><result status="valid" time="0.27"/></proof>
+ </goal>
+ <goal name="VC ipushf.1" expl="precondition" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.11" steps="449"/></proof>
+ </goal>
+ <goal name="VC ipushf.2" expl="postcondition" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.11" steps="162"/></proof>
+ </goal>
+ <goal name="VC ipushf.3" expl="postcondition" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.09" steps="162"/></proof>
+ </goal>
+ <goal name="VC ipushf.4" expl="postcondition" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.09" steps="390"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC ipopf" expl="VC for ipopf" proved="true">
+ <transf name="split_vc" proved="true" >
+ <goal name="VC ipopf.0" expl="precondition" proved="true">
+ <proof prover="4"><result status="valid" time="0.29"/></proof>
+ </goal>
+ <goal name="VC ipopf.1" expl="precondition" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.13" steps="518"/></proof>
+ </goal>
+ <goal name="VC ipopf.2" expl="postcondition" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.07" steps="162"/></proof>
+ </goal>
+ <goal name="VC ipopf.3" expl="postcondition" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.09" steps="162"/></proof>
+ </goal>
+ <goal name="VC ipopf.4" expl="postcondition" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.09" steps="390"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC iaddrf" expl="VC for iaddrf" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC iaddrf.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC iaddrf.0.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC iaddrf.0.0.0" expl="precondition" proved="true">
+ <proof prover="2" timelimit="10" memlimit="1000"><result status="valid" time="0.39"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC iaddrf.1" expl="precondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.12" steps="453"/></proof>
+ </goal>
+ <goal name="VC iaddrf.2" expl="postcondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.05" steps="162"/></proof>
+ </goal>
+ <goal name="VC iaddrf.3" expl="postcondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.06" steps="162"/></proof>
+ </goal>
+ <goal name="VC iaddrf.4" expl="postcondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.10" steps="390"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC iaddurf" expl="VC for iaddurf" proved="true">
+ <transf name="split_vc" proved="true" >
+ <goal name="VC iaddurf.0" expl="precondition" proved="true">
+ <proof prover="4" memlimit="1000"><result status="valid" time="0.28"/></proof>
+ </goal>
+ <goal name="VC iaddurf.1" expl="precondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.10" steps="453"/></proof>
+ </goal>
+ <goal name="VC iaddurf.2" expl="postcondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.05" steps="162"/></proof>
+ </goal>
+ <goal name="VC iaddurf.3" expl="postcondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.06" steps="162"/></proof>
+ </goal>
+ <goal name="VC iaddurf.4" expl="postcondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.10" steps="390"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC isubrf" expl="VC for isubrf" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC isubrf.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC isubrf.0.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC isubrf.0.0.0" expl="precondition" proved="true">
+ <proof prover="2" timelimit="10" memlimit="1000"><result status="valid" time="0.55"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC isubrf.1" expl="precondition" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.11" steps="453"/></proof>
+ </goal>
+ <goal name="VC isubrf.2" expl="postcondition" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.11" steps="162"/></proof>
+ </goal>
+ <goal name="VC isubrf.3" expl="postcondition" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.09" steps="162"/></proof>
+ </goal>
+ <goal name="VC isubrf.4" expl="postcondition" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.09" steps="390"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC ibeqrf" expl="VC for ibeqrf" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC ibeqrf.0" expl="precondition" proved="true">
+ <proof prover="4"><result status="valid" time="0.33"/></proof>
+ </goal>
+ <goal name="VC ibeqrf.1" expl="precondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.25" steps="475"/></proof>
+ </goal>
+ <goal name="VC ibeqrf.2" expl="postcondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.05" steps="162"/></proof>
+ </goal>
+ <goal name="VC ibeqrf.3" expl="postcondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.06" steps="162"/></proof>
+ </goal>
+ <goal name="VC ibeqrf.4" expl="postcondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.10" steps="390"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC ibnerf" expl="VC for ibnerf" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC ibnerf.0" expl="precondition" proved="true">
+ <proof prover="4" memlimit="1000"><result status="valid" time="0.20"/></proof>
+ </goal>
+ <goal name="VC ibnerf.1" expl="precondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.12" steps="477"/></proof>
+ </goal>
+ <goal name="VC ibnerf.2" expl="postcondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.05" steps="162"/></proof>
+ </goal>
+ <goal name="VC ibnerf.3" expl="postcondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.04" steps="162"/></proof>
+ </goal>
+ <goal name="VC ibnerf.4" expl="postcondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.10" steps="390"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC iblerf" expl="VC for iblerf" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC iblerf.0" expl="precondition" proved="true">
+ <proof prover="4" memlimit="1000"><result status="valid" time="0.28"/></proof>
+ </goal>
+ <goal name="VC iblerf.1" expl="precondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.25" steps="476"/></proof>
+ </goal>
+ <goal name="VC iblerf.2" expl="postcondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.05" steps="162"/></proof>
+ </goal>
+ <goal name="VC iblerf.3" expl="postcondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.06" steps="162"/></proof>
+ </goal>
+ <goal name="VC iblerf.4" expl="postcondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.11" steps="390"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC ibgtrf" expl="VC for ibgtrf" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC ibgtrf.0" expl="precondition" proved="true">
+ <proof prover="4" memlimit="1000"><result status="valid" time="0.24"/></proof>
+ </goal>
+ <goal name="VC ibgtrf.1" expl="precondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.25" steps="478"/></proof>
+ </goal>
+ <goal name="VC ibgtrf.2" expl="postcondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.05" steps="162"/></proof>
+ </goal>
+ <goal name="VC ibgtrf.3" expl="postcondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.07" steps="162"/></proof>
+ </goal>
+ <goal name="VC ibgtrf.4" expl="postcondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.11" steps="390"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC iconstf" expl="VC for iconstf" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC iconstf.0" expl="precondition" proved="true">
+ <proof prover="2"><result status="valid" time="0.04"/></proof>
+ </goal>
+ <goal name="VC iconstf.1" expl="precondition" proved="true">
+ <proof prover="0" timelimit="5" memlimit="2000"><result status="valid" time="0.19" steps="449"/></proof>
+ </goal>
+ <goal name="VC iconstf.2" expl="postcondition" proved="true">
+ <proof prover="0" timelimit="5" memlimit="2000"><result status="valid" time="0.14" steps="162"/></proof>
+ </goal>
+ <goal name="VC iconstf.3" expl="postcondition" proved="true">
+ <proof prover="0" timelimit="5" memlimit="2000"><result status="valid" time="0.13" steps="162"/></proof>
+ </goal>
+ <goal name="VC iconstf.4" expl="postcondition" proved="true">
+ <proof prover="0" timelimit="5" memlimit="2000"><result status="valid" time="0.14" steps="390"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC ivarf" expl="VC for ivarf" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC ivarf.0" expl="precondition" proved="true">
+ <proof prover="2"><result status="valid" time="0.02"/></proof>
+ </goal>
+ <goal name="VC ivarf.1" expl="precondition" proved="true">
+ <proof prover="0" timelimit="5" memlimit="2000"><result status="valid" time="0.15" steps="449"/></proof>
+ </goal>
+ <goal name="VC ivarf.2" expl="postcondition" proved="true">
+ <proof prover="0" timelimit="5" memlimit="2000"><result status="valid" time="0.14" steps="162"/></proof>
+ </goal>
+ <goal name="VC ivarf.3" expl="postcondition" proved="true">
+ <proof prover="0" timelimit="5" memlimit="2000"><result status="valid" time="0.14" steps="162"/></proof>
+ </goal>
+ <goal name="VC ivarf.4" expl="postcondition" proved="true">
+ <proof prover="0" timelimit="5" memlimit="2000"><result status="valid" time="0.17" steps="390"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC create_binop" expl="VC for create_binop" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC create_binop.0" expl="precondition" proved="true">
+ <proof prover="4"><result status="valid" time="0.44"/></proof>
+ </goal>
+ <goal name="VC create_binop.1" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC create_binop.1.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC create_binop.1.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC create_binop.1.0.0.0" expl="precondition" proved="true">
+ <proof prover="4" memlimit="1000"><result status="valid" time="0.22"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC create_binop.2" expl="postcondition" proved="true">
+ <proof prover="0" timelimit="5" memlimit="2000"><result status="valid" time="0.13" steps="162"/></proof>
+ </goal>
+ <goal name="VC create_binop.3" expl="postcondition" proved="true">
+ <proof prover="0" timelimit="5" memlimit="2000"><result status="valid" time="0.14" steps="162"/></proof>
+ </goal>
+ <goal name="VC create_binop.4" expl="postcondition" proved="true">
+ <proof prover="0" timelimit="5" memlimit="2000"><result status="valid" time="0.13" steps="162"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC iaddf" expl="VC for iaddf" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC iaddf.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC iaddf.0.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC iaddf.0.0.0" expl="precondition" proved="true">
+ <proof prover="2"><result status="valid" time="0.05"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC iaddf.1" expl="postcondition" proved="true">
+ <proof prover="0" timelimit="5" memlimit="2000"><result status="valid" time="0.06" steps="152"/></proof>
+ </goal>
+ <goal name="VC iaddf.2" expl="postcondition" proved="true">
+ <proof prover="0" timelimit="5" memlimit="2000"><result status="valid" time="0.06" steps="152"/></proof>
+ </goal>
+ <goal name="VC iaddf.3" expl="postcondition" proved="true">
+ <proof prover="0" timelimit="5" memlimit="2000"><result status="valid" time="0.16" steps="154"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC iadduf" expl="VC for iadduf" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC iadduf.0" expl="precondition" proved="true">
+ <proof prover="2" timelimit="10" memlimit="1000"><result status="valid" time="0.03"/></proof>
+ </goal>
+ <goal name="VC iadduf.1" expl="postcondition" proved="true">
+ <proof prover="0" timelimit="5" memlimit="2000"><result status="valid" time="0.05" steps="152"/></proof>
+ </goal>
+ <goal name="VC iadduf.2" expl="postcondition" proved="true">
+ <proof prover="0" timelimit="5" memlimit="2000"><result status="valid" time="0.05" steps="152"/></proof>
+ </goal>
+ <goal name="VC iadduf.3" expl="postcondition" proved="true">
+ <proof prover="0" timelimit="5" memlimit="2000"><result status="valid" time="0.18" steps="154"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC isubf" expl="VC for isubf" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC isubf.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC isubf.0.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC isubf.0.0.0" expl="precondition" proved="true">
+ <proof prover="2"><result status="valid" time="0.05"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC isubf.1" expl="postcondition" proved="true">
+ <proof prover="0" timelimit="5" memlimit="2000"><result status="valid" time="0.06" steps="152"/></proof>
+ </goal>
+ <goal name="VC isubf.2" expl="postcondition" proved="true">
+ <proof prover="0" timelimit="5" memlimit="2000"><result status="valid" time="0.06" steps="152"/></proof>
+ </goal>
+ <goal name="VC isubf.3" expl="postcondition" proved="true">
+ <proof prover="0" timelimit="5" memlimit="2000"><result status="valid" time="0.06" steps="154"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC inil" expl="VC for inil" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC inil.0" expl="precondition" proved="true">
+ <proof prover="3" timelimit="5"><result status="valid" time="0.24"/></proof>
+ </goal>
+ <goal name="VC inil.1" expl="postcondition" proved="true">
+ <proof prover="0" timelimit="5" memlimit="2000"><result status="valid" time="0.15" steps="152"/></proof>
+ </goal>
+ <goal name="VC inil.2" expl="postcondition" proved="true">
+ <proof prover="0" timelimit="5" memlimit="2000"><result status="valid" time="0.14" steps="152"/></proof>
+ </goal>
+ <goal name="VC inil.3" expl="postcondition" proved="true">
+ <proof prover="0" timelimit="5" memlimit="2000"><result status="valid" time="0.13" steps="154"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC ibranchf" expl="VC for ibranchf" proved="true">
+ <transf name="split_vc" proved="true" >
+ <goal name="VC ibranchf.0" expl="precondition" proved="true">
+ <proof prover="2"><result status="valid" time="0.05"/></proof>
+ </goal>
+ <goal name="VC ibranchf.1" expl="precondition" proved="true">
+ <proof prover="0" timelimit="5" memlimit="2000"><result status="valid" time="0.12" steps="453"/></proof>
+ </goal>
+ <goal name="VC ibranchf.2" expl="postcondition" proved="true">
+ <proof prover="0" timelimit="5" memlimit="2000"><result status="valid" time="0.08" steps="162"/></proof>
+ </goal>
+ <goal name="VC ibranchf.3" expl="postcondition" proved="true">
+ <proof prover="0" timelimit="5" memlimit="2000"><result status="valid" time="0.06" steps="162"/></proof>
+ </goal>
+ <goal name="VC ibranchf.4" expl="postcondition" proved="true">
+ <proof prover="0" timelimit="5" memlimit="2000"><result status="valid" time="0.20" steps="390"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC create_cjump" expl="VC for create_cjump" proved="true">
+ <proof prover="0" timelimit="5" memlimit="2000"><result status="valid" time="0.33" steps="1090"/></proof>
+ </goal>
+ <goal name="VC ibeqf" expl="VC for ibeqf" proved="true">
+ <proof prover="2"><result status="valid" time="0.07"/></proof>
+ </goal>
+ <goal name="VC ibnef" expl="VC for ibnef" proved="true">
+ <proof prover="2"><result status="valid" time="0.07"/></proof>
+ </goal>
+ <goal name="VC iblef" expl="VC for iblef" proved="true">
+ <proof prover="2"><result status="valid" time="0.06"/></proof>
+ </goal>
+ <goal name="VC ibgtf" expl="VC for ibgtf" proved="true">
+ <proof prover="2"><result status="valid" time="0.06"/></proof>
+ </goal>
+ <goal name="VC isetvarf" expl="VC for isetvarf" proved="true">
+ <transf name="split_vc" proved="true" >
+ <goal name="VC isetvarf.0" expl="precondition" proved="true">
+ <proof prover="4"><result status="valid" time="0.35"/></proof>
+ </goal>
+ <goal name="VC isetvarf.1" expl="precondition" proved="true">
+ <proof prover="0" timelimit="5" memlimit="2000"><result status="valid" time="0.29" steps="552"/></proof>
+ </goal>
+ <goal name="VC isetvarf.2" expl="postcondition" proved="true">
+ <proof prover="0" timelimit="5" memlimit="2000"><result status="valid" time="0.14" steps="162"/></proof>
+ </goal>
+ <goal name="VC isetvarf.3" expl="postcondition" proved="true">
+ <proof prover="0" timelimit="5" memlimit="2000"><result status="valid" time="0.13" steps="162"/></proof>
+ </goal>
+ <goal name="VC isetvarf.4" expl="postcondition" proved="true">
+ <proof prover="0" timelimit="5" memlimit="2000"><result status="valid" time="0.16" steps="390"/></proof>
+ </goal>
+ </transf>
+ </goal>
+</theory>
+</file>
+<file name="../compiler.mlw" proved="true">
+<theory name="Compile_aexpr" proved="true">
+ <goal name="VC compile_aexpr" expl="VC for compile_aexpr" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC compile_aexpr.0" expl="variant decrease" proved="true">
+ <proof prover="0"><result status="valid" time="0.24" steps="485"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.1" expl="variant decrease" proved="true">
+ <proof prover="0"><result status="valid" time="0.24" steps="524"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.2" expl="variant decrease" proved="true">
+ <proof prover="0"><result status="valid" time="0.11" steps="486"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.3" expl="variant decrease" proved="true">
+ <proof prover="0"><result status="valid" time="0.12" steps="525"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.4" expl="variant decrease" proved="true">
+ <proof prover="0"><result status="valid" time="0.12" steps="486"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.5" expl="variant decrease" proved="true">
+ <proof prover="0"><result status="valid" time="0.21" steps="525"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.6" expl="precondition" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC compile_aexpr.6.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_aexpr.6.0.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_aexpr.6.0.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_aexpr.6.0.0.0.0" expl="precondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.11" steps="445"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_aexpr.6.1" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_aexpr.6.1.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_aexpr.6.1.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_aexpr.6.1.0.0.0" expl="precondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.24" steps="445"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_aexpr.6.2" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_aexpr.6.2.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_aexpr.6.2.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_aexpr.6.2.0.0.0" expl="precondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.30" steps="645"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_aexpr.6.3" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_aexpr.6.3.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_aexpr.6.3.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_aexpr.6.3.0.0.0" expl="precondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.16" steps="696"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_aexpr.6.4" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_aexpr.6.4.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_aexpr.6.4.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_aexpr.6.4.0.0.0" expl="precondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.17" steps="646"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_aexpr.7" expl="postcondition" proved="true">
+ <proof prover="0" timelimit="5" memlimit="2000"><result status="valid" time="0.11" steps="158"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.8" expl="postcondition" proved="true">
+ <proof prover="0" timelimit="5" memlimit="2000"><result status="valid" time="0.10" steps="158"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_aexpr_natural" expl="VC for compile_aexpr_natural" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="1.08" steps="841"/></proof>
+ </goal>
+</theory>
+<theory name="Compile_bexpr" proved="true">
+ <goal name="VC compile_bexpr" expl="VC for compile_bexpr" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC compile_bexpr.0" expl="variant decrease" proved="true">
+ <proof prover="0"><result status="valid" time="0.12" steps="434"/></proof>
+ </goal>
+ <goal name="VC compile_bexpr.1" expl="variant decrease" proved="true">
+ <proof prover="0"><result status="valid" time="0.22" steps="440"/></proof>
+ </goal>
+ <goal name="VC compile_bexpr.2" expl="variant decrease" proved="true">
+ <proof prover="0"><result status="valid" time="0.25" steps="519"/></proof>
+ </goal>
+ <goal name="VC compile_bexpr.3" expl="precondition" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC compile_bexpr.3.0" expl="precondition" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC compile_bexpr.3.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.0.0.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_bexpr.3.0.0.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.0.0.0.0.0" expl="precondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.13" steps="453"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_bexpr.3.0.1" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.0.1.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_bexpr.3.0.1.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.0.1.0.0.0" expl="precondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.13" steps="422"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_bexpr.3.1" expl="precondition" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC compile_bexpr.3.1.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.1.0.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_bexpr.3.1.0.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.1.0.0.0.0" expl="precondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.19" steps="422"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_bexpr.3.1.1" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.1.1.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_bexpr.3.1.1.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.1.1.0.0.0" expl="precondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.20" steps="462"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_bexpr.3.2" expl="precondition" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC compile_bexpr.3.2.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.2.0.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_bexpr.3.2.0.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.2.0.0.0.0" expl="precondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.23" steps="852"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_bexpr.3.3" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.3.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_bexpr.3.3.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.3.0.0.0" expl="precondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.68" steps="1627"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_bexpr.3.4" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.4.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_bexpr.3.4.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.4.0.0.0" expl="precondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.85" steps="1614"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_bexpr.3.5" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.5.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_bexpr.3.5.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.5.0.0.0" expl="precondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.58" steps="1336"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_bexpr.4" expl="postcondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.08" steps="158"/></proof>
+ </goal>
+ <goal name="VC compile_bexpr.5" expl="postcondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.18" steps="158"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_bexpr_natural" expl="VC for compile_bexpr_natural" proved="true">
+ <transf name="split_vc" proved="true" >
+ <goal name="VC compile_bexpr_natural.0" expl="assertion" proved="true">
+ <proof prover="0"><result status="valid" time="0.22" steps="381"/></proof>
+ </goal>
+ <goal name="VC compile_bexpr_natural.1" expl="postcondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.22" steps="548"/></proof>
+ </goal>
+ </transf>
+ </goal>
+</theory>
+<theory name="Compile_aexpr_reg" proved="true">
+ <goal name="VC compile_aexpr" expl="VC for compile_aexpr" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC compile_aexpr.0" expl="variant decrease" proved="true">
+ <proof prover="0"><result status="valid" time="0.27" steps="491"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.1" expl="variant decrease" proved="true">
+ <proof prover="0"><result status="valid" time="0.14" steps="530"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.2" expl="variant decrease" proved="true">
+ <proof prover="0"><result status="valid" time="0.25" steps="492"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.3" expl="variant decrease" proved="true">
+ <proof prover="0"><result status="valid" time="0.24" steps="531"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.4" expl="variant decrease" proved="true">
+ <proof prover="0"><result status="valid" time="0.16" steps="492"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.5" expl="variant decrease" proved="true">
+ <proof prover="0"><result status="valid" time="0.18" steps="531"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.6" expl="precondition" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC compile_aexpr.6.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_aexpr.6.0.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_aexpr.6.0.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_aexpr.6.0.0.0.0" expl="precondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.17" steps="585"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_aexpr.6.1" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_aexpr.6.1.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_aexpr.6.1.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_aexpr.6.1.0.0.0" expl="precondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.17" steps="513"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_aexpr.6.2" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_aexpr.6.2.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_aexpr.6.2.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_aexpr.6.2.0.0.0" expl="precondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.98" steps="1928"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_aexpr.6.3" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_aexpr.6.3.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_aexpr.6.3.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_aexpr.6.3.0.0.0" expl="precondition" proved="true">
+ <proof prover="4" memlimit="1000"><result status="valid" time="1.04"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_aexpr.6.4" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_aexpr.6.4.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_aexpr.6.4.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_aexpr.6.4.0.0.0" expl="precondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.97" steps="1929"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_aexpr.7" expl="postcondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.18" steps="158"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr.8" expl="postcondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.18" steps="158"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_aexpr_natural" expl="VC for compile_aexpr_natural" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC compile_aexpr_natural.0" expl="assertion" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.08" steps="156"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr_natural.1" expl="assertion" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.22" steps="379"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr_natural.2" expl="assertion" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.28" steps="526"/></proof>
+ </goal>
+ <goal name="VC compile_aexpr_natural.3" expl="postcondition" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.24" steps="686"/></proof>
+ </goal>
+ </transf>
+ </goal>
+</theory>
+<theory name="Compile_bexpr_reg" proved="true">
+ <goal name="VC compile_bexpr" expl="VC for compile_bexpr" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC compile_bexpr.0" expl="variant decrease" proved="true">
+ <proof prover="0"><result status="valid" time="0.13" steps="434"/></proof>
+ </goal>
+ <goal name="VC compile_bexpr.1" expl="variant decrease" proved="true">
+ <proof prover="0"><result status="valid" time="0.26" steps="440"/></proof>
+ </goal>
+ <goal name="VC compile_bexpr.2" expl="variant decrease" proved="true">
+ <proof prover="0"><result status="valid" time="0.24" steps="519"/></proof>
+ </goal>
+ <goal name="VC compile_bexpr.3" expl="precondition" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC compile_bexpr.3.0" expl="precondition" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC compile_bexpr.3.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.0.0.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_bexpr.3.0.0.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.0.0.0.0.0" expl="precondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.15" steps="489"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_bexpr.3.0.1" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.0.1.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_bexpr.3.0.1.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.0.1.0.0.0" expl="precondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.14" steps="438"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_bexpr.3.1" expl="precondition" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC compile_bexpr.3.1.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.1.0.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_bexpr.3.1.0.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.1.0.0.0.0" expl="precondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.13" steps="438"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_bexpr.3.1.1" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.1.1.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_bexpr.3.1.1.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.1.1.0.0.0" expl="precondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.19" steps="489"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_bexpr.3.2" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.2.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_bexpr.3.2.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.2.0.0.0" expl="precondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.37" steps="876"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_bexpr.3.3" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.3.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_bexpr.3.3.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.3.0.0.0" expl="precondition" proved="true">
+ <proof prover="0"><result status="valid" time="1.24" steps="2763"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_bexpr.3.4" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.4.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_bexpr.3.4.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.4.0.0.0" expl="precondition" proved="true">
+ <proof prover="0"><result status="valid" time="1.19" steps="2899"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_bexpr.3.5" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.5.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_bexpr.3.5.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_bexpr.3.5.0.0.0" expl="precondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.71" steps="1534"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_bexpr.4" expl="postcondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.18" steps="158"/></proof>
+ </goal>
+ <goal name="VC compile_bexpr.5" expl="postcondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.17" steps="158"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_bexpr_natural" expl="VC for compile_bexpr_natural" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC compile_bexpr_natural.0" expl="assertion" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.22" steps="381"/></proof>
+ </goal>
+ <goal name="VC compile_bexpr_natural.1" expl="assertion" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.28" steps="454"/></proof>
+ </goal>
+ <goal name="VC compile_bexpr_natural.2" expl="postcondition" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC compile_bexpr_natural.2.0" expl="postcondition" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.31" steps="679"/></proof>
+ </goal>
+ <goal name="VC compile_bexpr_natural.2.1" expl="postcondition" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.29" steps="677"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+</theory>
+<theory name="Compile_com" proved="true">
+ <goal name="loop_variant_lemma" proved="true">
+ <proof prover="0"><result status="valid" time="0.29" steps="427"/></proof>
+ </goal>
+ <goal name="loop_variant_acc" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="loop_variant_acc.0" proved="true">
+ <proof prover="0"><result status="valid" time="0.25" steps="492"/></proof>
+ </goal>
+ <goal name="loop_variant_acc.1" proved="true">
+ <proof prover="3"><result status="valid" time="7.98"/></proof>
+ </goal>
+ <goal name="loop_variant_acc.2" proved="true">
+ <transf name="induction_pr" proved="true" >
+ <goal name="loop_variant_acc.2.0" proved="true">
+ <proof prover="0"><result status="valid" time="0.08" steps="162"/></proof>
+ </goal>
+ <goal name="loop_variant_acc.2.1" proved="true">
+ <proof prover="0"><result status="valid" time="0.22" steps="162"/></proof>
+ </goal>
+ <goal name="loop_variant_acc.2.2" proved="true">
+ <proof prover="0"><result status="valid" time="0.24" steps="168"/></proof>
+ </goal>
+ <goal name="loop_variant_acc.2.3" proved="true">
+ <proof prover="0"><result status="valid" time="0.24" steps="167"/></proof>
+ </goal>
+ <goal name="loop_variant_acc.2.4" proved="true">
+ <proof prover="0"><result status="valid" time="0.23" steps="167"/></proof>
+ </goal>
+ <goal name="loop_variant_acc.2.5" proved="true">
+ <transf name="simplify_trivial_quantification_in_goal" proved="true" >
+ <goal name="loop_variant_acc.2.5.0" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="loop_variant_acc.2.5.0.0" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="loop_variant_acc.2.5.0.0.0" proved="true">
+ <transf name="apply" proved="true" arg1="Acc">
+ <goal name="loop_variant_acc.2.5.0.0.0.0" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="loop_variant_acc.2.5.0.0.0.0.0" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="loop_variant_acc.2.5.0.0.0.0.0.0" proved="true">
+ <proof prover="3"><result status="valid" time="0.47"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="loop_variant_acc.2.6" proved="true">
+ <transf name="simplify_trivial_quantification_in_goal" proved="true" >
+ <goal name="loop_variant_acc.2.6.0" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.17" steps="552"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_com" expl="VC for compile_com" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC compile_com.0" expl="variant decrease" proved="true">
+ <proof prover="0"><result status="valid" time="0.26" steps="438"/></proof>
+ </goal>
+ <goal name="VC compile_com.1" expl="variant decrease" proved="true">
+ <proof prover="0"><result status="valid" time="0.17" steps="479"/></proof>
+ </goal>
+ <goal name="VC compile_com.2" expl="variant decrease" proved="true">
+ <proof prover="0"><result status="valid" time="0.24" steps="444"/></proof>
+ </goal>
+ <goal name="VC compile_com.3" expl="variant decrease" proved="true">
+ <proof prover="0"><result status="valid" time="0.17" steps="493"/></proof>
+ </goal>
+ <goal name="VC compile_com.4" expl="variant decrease" proved="true">
+ <proof prover="0"><result status="valid" time="0.14" steps="439"/></proof>
+ </goal>
+ <goal name="VC compile_com.5" expl="precondition" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC compile_com.5.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_com.5.0.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_com.5.0.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_com.5.0.0.0.0" expl="precondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.26" steps="410"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_com.5.1" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_com.5.1.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_com.5.1.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_com.5.1.0.0.0" expl="precondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.17" steps="582"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_com.5.2" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_com.5.2.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_com.5.2.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_com.5.2.0.0.0" expl="precondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.89" steps="1929"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_com.5.3" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_com.5.3.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_com.5.3.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_com.5.3.0.0.0" expl="precondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.84" steps="1855"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_com.5.4" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_com.5.4.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_com.5.4.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_com.5.4.0.0.0" expl="precondition" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC compile_com.5.4.0.0.0.0" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.11" steps="198"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.1" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.20" steps="206"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.2" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.20" steps="206"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.3" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.19" steps="206"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.4" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.27" steps="486"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.5" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.33" steps="521"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.6" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.14" steps="252"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.7" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.24" steps="270"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.8" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.24" steps="270"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.9" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.23" steps="270"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.10" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.10" steps="268"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.11" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.23" steps="290"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.12" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.23" steps="288"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.13" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.11" steps="270"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.14" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.81" steps="1439"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.15" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.23" steps="294"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.16" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.29" steps="307"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.17" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.21" steps="307"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.18" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.18" steps="307"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.19" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="3.91" steps="10128"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.20" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.23" steps="327"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.21" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.15" steps="322"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.22" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.11" steps="250"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.23" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.11" steps="268"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.24" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.11" steps="268"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.25" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="1.33" steps="2890"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.26" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.23" steps="268"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.27" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.16" steps="268"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.28" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.15" steps="266"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.29" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.13" steps="292"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.30" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.18" steps="302"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.31" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.17" steps="302"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.32" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.15" steps="302"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.33" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.15" steps="302"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_com.6" expl="postcondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.22" steps="158"/></proof>
+ </goal>
+ <goal name="VC compile_com.7" expl="postcondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.09" steps="158"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_com_natural" expl="VC for compile_com_natural" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC compile_com_natural.0" expl="assertion" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_com_natural.0.0" expl="assertion" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_com_natural.0.0.0" expl="assertion" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_com_natural.0.0.0.0" expl="assertion" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.28" steps="418"/></proof>
+ <proof prover="3"><result status="valid" time="0.60"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_com_natural.1" expl="postcondition" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.24" steps="501"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_program" expl="VC for compile_program" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC compile_program.0" expl="assertion" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.13" steps="158"/></proof>
+ </goal>
+ <goal name="VC compile_program.1" expl="postcondition" proved="true">
+ <proof prover="3" memlimit="2000"><result status="valid" time="0.61"/></proof>
+ </goal>
+ </transf>
+ </goal>
+</theory>
+<theory name="Compile_com_reg" proved="true">
+ <goal name="loop_variant_lemma" proved="true">
+ <proof prover="0"><result status="valid" time="0.24" steps="427"/></proof>
+ </goal>
+ <goal name="loop_variant_acc" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="loop_variant_acc.0" proved="true">
+ <proof prover="0"><result status="valid" time="0.25" steps="492"/></proof>
+ </goal>
+ <goal name="loop_variant_acc.1" proved="true">
+ <proof prover="3"><result status="valid" time="8.36"/></proof>
+ </goal>
+ <goal name="loop_variant_acc.2" proved="true">
+ <transf name="induction_pr" proved="true" >
+ <goal name="loop_variant_acc.2.0" proved="true">
+ <proof prover="0"><result status="valid" time="0.09" steps="162"/></proof>
+ </goal>
+ <goal name="loop_variant_acc.2.1" proved="true">
+ <proof prover="0"><result status="valid" time="0.11" steps="162"/></proof>
+ </goal>
+ <goal name="loop_variant_acc.2.2" proved="true">
+ <proof prover="0"><result status="valid" time="0.25" steps="168"/></proof>
+ </goal>
+ <goal name="loop_variant_acc.2.3" proved="true">
+ <proof prover="0"><result status="valid" time="0.24" steps="167"/></proof>
+ </goal>
+ <goal name="loop_variant_acc.2.4" proved="true">
+ <proof prover="0"><result status="valid" time="0.11" steps="167"/></proof>
+ </goal>
+ <goal name="loop_variant_acc.2.5" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="loop_variant_acc.2.5.0" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="loop_variant_acc.2.5.0.0" proved="true">
+ <transf name="apply" proved="true" arg1="Acc">
+ <goal name="loop_variant_acc.2.5.0.0.0" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="loop_variant_acc.2.5.0.0.0.0" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="loop_variant_acc.2.5.0.0.0.0.0" proved="true">
+ <proof prover="3"><result status="valid" time="0.60"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="loop_variant_acc.2.6" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="loop_variant_acc.2.6.0" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="loop_variant_acc.2.6.0.0" proved="true">
+ <proof prover="4" timelimit="5"><result status="valid" time="0.55"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_com" expl="VC for compile_com" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC compile_com.0" expl="variant decrease" proved="true">
+ <proof prover="0"><result status="valid" time="0.26" steps="438"/></proof>
+ </goal>
+ <goal name="VC compile_com.1" expl="variant decrease" proved="true">
+ <proof prover="0"><result status="valid" time="0.26" steps="479"/></proof>
+ </goal>
+ <goal name="VC compile_com.2" expl="variant decrease" proved="true">
+ <proof prover="0"><result status="valid" time="0.19" steps="444"/></proof>
+ </goal>
+ <goal name="VC compile_com.3" expl="variant decrease" proved="true">
+ <proof prover="0"><result status="valid" time="0.20" steps="493"/></proof>
+ </goal>
+ <goal name="VC compile_com.4" expl="variant decrease" proved="true">
+ <proof prover="0"><result status="valid" time="0.17" steps="439"/></proof>
+ </goal>
+ <goal name="VC compile_com.5" expl="precondition" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC compile_com.5.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_com.5.0.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_com.5.0.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_com.5.0.0.0.0" expl="precondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.14" steps="410"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_com.5.1" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_com.5.1.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_com.5.1.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_com.5.1.0.0.0" expl="precondition" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC compile_com.5.1.0.0.0.0" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.10" steps="172"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.1.0.0.0.1" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.22" steps="195"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.1.0.0.0.2" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.21" steps="205"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.1.0.0.0.3" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.21" steps="205"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.1.0.0.0.4" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.27" steps="459"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_com.5.2" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_com.5.2.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_com.5.2.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_com.5.2.0.0.0" expl="precondition" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC compile_com.5.2.0.0.0.0" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.12" steps="170"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.2.0.0.0.1" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.31" steps="563"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.2.0.0.0.2" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.08" steps="192"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.2.0.0.0.3" expl="VC for compile_com" proved="true">
+ <proof prover="2" timelimit="10" memlimit="1000"><result status="valid" time="0.06"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.2.0.0.0.4" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.10" steps="218"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.2.0.0.0.5" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.11" steps="218"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.2.0.0.0.6" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.11" steps="220"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_com.5.3" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_com.5.3.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_com.5.3.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_com.5.3.0.0.0" expl="precondition" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.76" steps="1894"/></proof>
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC compile_com.5.3.0.0.0.0" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.12" steps="196"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.3.0.0.0.1" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.20" steps="216"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.3.0.0.0.2" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.20" steps="216"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.3.0.0.0.3" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.09" steps="216"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.3.0.0.0.4" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.21" steps="226"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.3.0.0.0.5" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="1.42" steps="2962"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.3.0.0.0.6" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.21" steps="250"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.3.0.0.0.7" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.22" steps="250"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.3.0.0.0.8" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.19" steps="255"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.3.0.0.0.9" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.20" steps="222"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.3.0.0.0.10" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.54" steps="850"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.3.0.0.0.11" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.15" steps="244"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.3.0.0.0.12" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.20" steps="261"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.3.0.0.0.13" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.21" steps="261"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.3.0.0.0.14" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.22" steps="261"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.3.0.0.0.15" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.15" steps="250"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.3.0.0.0.16" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.16" steps="250"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.3.0.0.0.17" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.15" steps="250"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.3.0.0.0.18" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.13" steps="250"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.3.0.0.0.19" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.22" steps="250"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_com.5.4" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_com.5.4.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_com.5.4.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_com.5.4.0.0.0" expl="precondition" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC compile_com.5.4.0.0.0.0" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.23" steps="198"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.1" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.21" steps="206"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.2" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.09" steps="206"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.3" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.27" steps="486"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.4" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.16" steps="519"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.5" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.22" steps="248"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.6" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.16" steps="269"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.7" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.22" steps="269"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.8" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.11" steps="269"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.9" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.11" steps="269"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.10" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.11" steps="269"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.11" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.23" steps="277"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.12" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="1.83" steps="4302"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.13" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.24" steps="301"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.14" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.32" steps="311"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.15" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.27" steps="311"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.16" expl="VC for compile_com" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="2.88" steps="6082"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.17" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.33" steps="329"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.18" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.24" steps="327"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.19" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.10" steps="246"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.20" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.19" steps="275"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.21" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.15" steps="275"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.22" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="1.57" steps="3688"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.23" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.17" steps="269"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.24" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.18" steps="269"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.25" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.18" steps="269"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.26" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.17" steps="269"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.27" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.17" steps="269"/></proof>
+ </goal>
+ <goal name="VC compile_com.5.4.0.0.0.28" expl="VC for compile_com" proved="true">
+ <proof prover="0"><result status="valid" time="0.17" steps="269"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_com.6" expl="postcondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.22" steps="158"/></proof>
+ </goal>
+ <goal name="VC compile_com.7" expl="postcondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.22" steps="158"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_com_natural" expl="VC for compile_com_natural" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC compile_com_natural.0" expl="assertion" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_com_natural.0.0" expl="assertion" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC compile_com_natural.0.0.0" expl="assertion" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC compile_com_natural.0.0.0.0" expl="assertion" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.25" steps="455"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_com_natural.1" expl="postcondition" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.25" steps="496"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC compile_program" expl="VC for compile_program" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC compile_program.0" expl="assertion" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.21" steps="405"/></proof>
+ </goal>
+ <goal name="VC compile_program.1" expl="postcondition" proved="true">
+ <proof prover="3" memlimit="2000"><result status="valid" time="0.56"/></proof>
+ </goal>
+ </transf>
+ </goal>
+</theory>
+</file>
+<file name="../logic.mlw" proved="true">
+<theory name="Compiler_logic" proved="true">
+ <goal name="VC hl" expl="VC for hl" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.01" steps="148"/></proof>
+ </goal>
+ <goal name="VC wp" expl="VC for wp" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.01" steps="148"/></proof>
+ </goal>
+ <goal name="seq_wp_lemma" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.01" steps="148"/></proof>
+ </goal>
+ <goal name="VC infix --" expl="VC for infix --" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.15" steps="606"/></proof>
+ </goal>
+ <goal name="fork_wp_lemma" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.12" steps="365"/></proof>
+ </goal>
+ <goal name="VC infix %" expl="VC for infix %" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.15" steps="423"/></proof>
+ </goal>
+ <goal name="towp_wp_lemma" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.14" steps="385"/></proof>
+ </goal>
+ <goal name="VC prefix $" expl="VC for prefix $" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.13" steps="398"/></proof>
+ </goal>
+ <goal name="VC hoare" expl="VC for hoare" proved="true">
+ <proof prover="2" memlimit="1000"><result status="valid" time="0.03"/></proof>
+ </goal>
+ <goal name="pconj_lemma" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.01" steps="149"/></proof>
+ </goal>
+ <goal name="loop_wp_lemma" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.87" steps="2024"/></proof>
+ <proof prover="2"><result status="valid" time="0.04"/></proof>
+ </goal>
+ <goal name="VC make_loop" expl="VC for make_loop" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC make_loop.0" expl="assertion" proved="true">
+ <transf name="induction_pr" proved="true" >
+ <goal name="VC make_loop.0.0" expl="assertion" proved="true">
+ <proof prover="2" memlimit="1000"><result status="valid" time="0.04"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC make_loop.1" expl="precondition" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.12" steps="390"/></proof>
+ </goal>
+ <goal name="VC make_loop.2" expl="postcondition" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.02" steps="150"/></proof>
+ </goal>
+ <goal name="VC make_loop.3" expl="postcondition" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.02" steps="150"/></proof>
+ </goal>
+ </transf>
+ </goal>
+</theory>
+</file>
+<file name="../vm.mlw" proved="true">
+<theory name="ReflTransClosure" proved="true">
+ <goal name="transition_star_one" proved="true">
+ <proof prover="2" memlimit="1000"><result status="valid" time="0.01"/></proof>
+ </goal>
+ <goal name="transition_star_transitive" proved="true">
+ <transf name="induction_pr" proved="true" >
+ <goal name="transition_star_transitive.0" proved="true">
+ <proof prover="0" timelimit="5" memlimit="2000"><result status="valid" time="0.00" steps="8"/></proof>
+ </goal>
+ <goal name="transition_star_transitive.1" proved="true">
+ <proof prover="0" timelimit="5" memlimit="2000"><result status="valid" time="0.00" steps="16"/></proof>
+ </goal>
+ </transf>
+ </goal>
+</theory>
+<theory name="Vm" proved="true">
+ <goal name="codeseq_at_app_right" proved="true">
+ <proof prover="0" timelimit="5" memlimit="2000"><result status="valid" time="0.01" steps="407"/></proof>
+ </goal>
+ <goal name="codeseq_at_app_left" proved="true">
+ <proof prover="0" timelimit="5" memlimit="2000"><result status="valid" time="0.13" steps="460"/></proof>
+ </goal>
+ <goal name="list_app_eq_nil" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.05" steps="403"/></proof>
+ </goal>
+ <goal name="list_app_eq_left_cons" proved="true">
+ <transf name="induction_ty_lex" proved="true" >
+ <goal name="list_app_eq_left_cons.0" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="list_app_eq_left_cons.0.0" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.05" steps="392"/></proof>
+ </goal>
+ <goal name="list_app_eq_left_cons.0.1" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="list_app_eq_left_cons.0.1.0" proved="true">
+ <transf name="subst_all" proved="true" >
+ <goal name="list_app_eq_left_cons.0.1.0.0" proved="true">
+ <proof prover="4"><result status="valid" time="0.13"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="list_app_eq_last" proved="true">
+ <transf name="induction_ty_lex" proved="true" >
+ <goal name="list_app_eq_last.0" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="list_app_eq_last.0.0" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.05" steps="405"/></proof>
+ </goal>
+ <goal name="list_app_eq_last.0.1" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="list_app_eq_last.0.1.0" proved="true">
+ <transf name="subst_all" proved="true" >
+ <goal name="list_app_eq_last.0.1.0.0" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.05" steps="451"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="list_app_eq_left" proved="true">
+ <transf name="induction_ty_lex" proved="true" >
+ <goal name="list_app_eq_left.0" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="list_app_eq_left.0.0" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.04" steps="154"/></proof>
+ </goal>
+ <goal name="list_app_eq_left.0.1" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="list_app_eq_left.0.1.0" proved="true">
+ <transf name="subst_all" proved="true" >
+ <goal name="list_app_eq_left.0.1.0.0" proved="true">
+ <proof prover="4"><result status="valid" time="0.32"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="codeseq_at_right" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.06" steps="432"/></proof>
+ </goal>
+ <goal name="VC push" expl="VC for push" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.00" steps="146"/></proof>
+ </goal>
+ <goal name="VC iimm" expl="VC for iimm" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.02" steps="146"/></proof>
+ </goal>
+ <goal name="VC iload" expl="VC for iload" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.02" steps="146"/></proof>
+ </goal>
+ <goal name="VC istore" expl="VC for istore" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.02" steps="146"/></proof>
+ </goal>
+ <goal name="VC ipushr" expl="VC for ipushr" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.03" steps="146"/></proof>
+ </goal>
+ <goal name="VC ipopr" expl="VC for ipopr" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.03" steps="146"/></proof>
+ </goal>
+ <goal name="VC iaddr" expl="VC for iaddr" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.02" steps="146"/></proof>
+ </goal>
+ <goal name="VC iaddur" expl="VC for iaddur" proved="true">
+ <proof prover="0"><result status="valid" time="0.03" steps="146"/></proof>
+ </goal>
+ <goal name="VC isubr" expl="VC for isubr" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.02" steps="146"/></proof>
+ </goal>
+ <goal name="VC ibeqr" expl="VC for ibeqr" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.02" steps="146"/></proof>
+ </goal>
+ <goal name="VC ibner" expl="VC for ibner" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.02" steps="146"/></proof>
+ </goal>
+ <goal name="VC ibler" expl="VC for ibler" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.02" steps="146"/></proof>
+ </goal>
+ <goal name="VC ibgtr" expl="VC for ibgtr" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.02" steps="146"/></proof>
+ </goal>
+ <goal name="VC iconst" expl="VC for iconst" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.00" steps="146"/></proof>
+ </goal>
+ <goal name="VC ivar" expl="VC for ivar" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.00" steps="146"/></proof>
+ </goal>
+ <goal name="VC isetvar" expl="VC for isetvar" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.00" steps="146"/></proof>
+ </goal>
+ <goal name="VC iadd" expl="VC for iadd" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.00" steps="146"/></proof>
+ </goal>
+ <goal name="VC iaddu" expl="VC for iaddu" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.01" steps="146"/></proof>
+ </goal>
+ <goal name="VC isub" expl="VC for isub" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.00" steps="146"/></proof>
+ </goal>
+ <goal name="VC ibeq" expl="VC for ibeq" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.00" steps="146"/></proof>
+ </goal>
+ <goal name="VC ible" expl="VC for ible" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.01" steps="146"/></proof>
+ </goal>
+ <goal name="VC ibne" expl="VC for ibne" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.00" steps="146"/></proof>
+ </goal>
+ <goal name="VC ibgt" expl="VC for ibgt" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.00" steps="146"/></proof>
+ </goal>
+ <goal name="VC ibranch" expl="VC for ibranch" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.01" steps="146"/></proof>
+ </goal>
+ <goal name="VC ihalt" expl="VC for ihalt" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.00" steps="146"/></proof>
+ </goal>
+ <goal name="trans_deterministic_aux" proved="true">
+ <transf name="inversion_pr" proved="true" >
+ <goal name="trans_deterministic_aux.0" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="1.23" steps="3225"/></proof>
+ </goal>
+ <goal name="trans_deterministic_aux.1" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="1.25" steps="3225"/></proof>
+ </goal>
+ <goal name="trans_deterministic_aux.2" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="1.23" steps="3227"/></proof>
+ </goal>
+ <goal name="trans_deterministic_aux.3" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="1.35" steps="3495"/></proof>
+ </goal>
+ <goal name="trans_deterministic_aux.4" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="1.25" steps="3240"/></proof>
+ </goal>
+ <goal name="trans_deterministic_aux.5" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="1.25" steps="3249"/></proof>
+ </goal>
+ <goal name="trans_deterministic_aux.6" proved="true">
+ <proof prover="0"><result status="valid" time="1.47" steps="4083"/></proof>
+ </goal>
+ <goal name="trans_deterministic_aux.7" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="1.27" steps="3241"/></proof>
+ </goal>
+ <goal name="trans_deterministic_aux.8" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="2.30" steps="3630"/></proof>
+ </goal>
+ <goal name="trans_deterministic_aux.9" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="1.77" steps="3633"/></proof>
+ </goal>
+ <goal name="trans_deterministic_aux.10" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="2.63" steps="3881"/></proof>
+ </goal>
+ <goal name="trans_deterministic_aux.11" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="1.92" steps="3855"/></proof>
+ </goal>
+ <goal name="trans_deterministic_aux.12" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="1.30" steps="3247"/></proof>
+ </goal>
+ <goal name="trans_deterministic_aux.13" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="1.26" steps="3247"/></proof>
+ </goal>
+ <goal name="trans_deterministic_aux.14" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="1.25" steps="3239"/></proof>
+ </goal>
+ <goal name="trans_deterministic_aux.15" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="1.84" steps="3305"/></proof>
+ </goal>
+ <goal name="trans_deterministic_aux.16" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="1.40" steps="3934"/></proof>
+ </goal>
+ <goal name="trans_deterministic_aux.17" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="1.32" steps="3084"/></proof>
+ </goal>
+ <goal name="trans_deterministic_aux.18" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="2.00" steps="3751"/></proof>
+ </goal>
+ <goal name="trans_deterministic_aux.19" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="1.57" steps="3614"/></proof>
+ </goal>
+ <goal name="trans_deterministic_aux.20" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="1.69" steps="3738"/></proof>
+ </goal>
+ <goal name="trans_deterministic_aux.21" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="1.56" steps="3800"/></proof>
+ </goal>
+ <goal name="trans_deterministic_aux.22" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="1.68" steps="3668"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="trans_deterministic" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.10" steps="376"/></proof>
+ </goal>
+ <goal name="trans_deterministic_star" proved="true">
+ <proof prover="0" memlimit="2000"><result status="valid" time="0.10" steps="152"/></proof>
+ </goal>
+</theory>
+</file>
+<file name="../bv_op.mlw" proved="true">
+<theory name="BV_OP" proved="true">
+ <goal name="VC bv_add" expl="VC for bv_add" proved="true">
+ <proof prover="0" timelimit="5"><result status="valid" time="0.00" steps="138"/></proof>
+ </goal>
+</theory>
+</file>
+<file name="../imp.mlw" proved="true">
+<theory name="Imp" proved="true">
+ <goal name="ceval_deterministic_aux" proved="true">
+ <transf name="induction_pr" proved="true" >
+ <goal name="ceval_deterministic_aux.0" proved="true">
+ <proof prover="0" timelimit="5"><result status="valid" time="0.14" steps="465"/></proof>
+ </goal>
+ <goal name="ceval_deterministic_aux.1" proved="true">
+ <proof prover="0" timelimit="5"><result status="valid" time="0.15" steps="524"/></proof>
+ </goal>
+ <goal name="ceval_deterministic_aux.2" proved="true">
+ <transf name="simplify_trivial_quantification_in_goal" proved="true" >
+ <goal name="ceval_deterministic_aux.2.0" proved="true">
+ <proof prover="0" timelimit="5"><result status="valid" time="0.22" steps="722"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="ceval_deterministic_aux.3" proved="true">
+ <transf name="simplify_trivial_quantification_in_goal" proved="true" >
+ <goal name="ceval_deterministic_aux.3.0" proved="true">
+ <proof prover="0" timelimit="5"><result status="valid" time="0.19" steps="613"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="ceval_deterministic_aux.4" proved="true">
+ <transf name="simplify_trivial_quantification_in_goal" proved="true" >
+ <goal name="ceval_deterministic_aux.4.0" proved="true">
+ <proof prover="0" timelimit="5"><result status="valid" time="0.17" steps="671"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="ceval_deterministic_aux.5" proved="true">
+ <proof prover="0" timelimit="5"><result status="valid" time="0.16" steps="501"/></proof>
+ </goal>
+ <goal name="ceval_deterministic_aux.6" proved="true">
+ <transf name="simplify_trivial_quantification_in_goal" proved="true" >
+ <goal name="ceval_deterministic_aux.6.0" proved="true">
+ <proof prover="0" timelimit="5"><result status="valid" time="0.21" steps="805"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="ceval_deterministic" proved="true">
+ <proof prover="0" timelimit="5"><result status="valid" time="0.12" steps="374"/></proof>
+ </goal>
+</theory>
+</file>
+</why3session>
diff --git a/imp/why3shapes.gz b/imp/why3shapes.gz
new file mode 100644
index 0000000000000000000000000000000000000000..a89b14d39911b97c0c8c2df4932fb67dba368b31
Binary files /dev/null and b/imp/why3shapes.gz differ
diff --git a/imp_ex_assignment.mlw b/imp_ex_assignment.mlw
new file mode 100644
index 0000000000000000000000000000000000000000..64edbff43158c61f77524be938bbce2255713628
--- /dev/null
+++ b/imp_ex_assignment.mlw
@@ -0,0 +1,47 @@
+module Imp_ex
+
+ use imp.Imp
+ use state.State
+ use bool.Bool
+ use int.Int
+ use bv_op.BV_OP
+
+ let rec aeval_ex (st:state) (e:aexpr) : int
+ variant { e }
+ ensures { result = aeval st e }
+ =
+ match e with
+ | Anum n -> n
+ | Avar x -> st[x]
+ | Aadd e1 e2 -> aeval_ex st e1 + aeval_ex st e2
+ | Aaddu e1 e2 -> bv_add (aeval_ex st e1) (aeval_ex st e2)
+ | Asub e1 e2 -> aeval_ex st e1 - aeval_ex st e2
+ end
+
+
+ let rec beval_ex (st:state) (b:bexpr) : bool
+ variant { b }
+ ensures { result = beval st b }
+ =
+ match b with
+ | Btrue -> true
+ | Bfalse -> false
+ | Bnot b' -> notb (beval_ex st b')
+ | Band b1 b2 -> andb (beval_ex st b1) (beval_ex st b2)
+ | Beq a1 a2 -> aeval_ex st a1 = aeval_ex st a2
+ | Ble a1 a2 -> aeval_ex st a1 <= aeval_ex st a2
+ end
+
+
+ let rec ceval_ex (st:state) (c:com): state
+ (* diverges (* uncomment when actually diverging*) *)
+ ensures { ceval st c result }
+ =
+ match c with
+ | Cskip -> st
+ | Cassign id aexpr -> st
+ | Cseq c1 c2 -> st
+ | Cif bexpr c1 c2 -> st
+ | Cwhile bexpr com -> st
+ end
+end
\ No newline at end of file
diff --git a/imp_test.mlw b/imp_test.mlw
new file mode 100644
index 0000000000000000000000000000000000000000..c39818a8cbc9c52032e548e2911356029b1ee4c4
--- /dev/null
+++ b/imp_test.mlw
@@ -0,0 +1,40 @@
+module Imp_test
+
+ use state.State
+ use imp.Imp
+ use int.Int
+
+ constant st : state = const 0
+
+ goal ex1: (* 1 + 2 *)
+ aeval st (Aadd (Anum 1) (Anum 2)) = 3
+
+ goal ex2: (* (1 - 2) + 2 *)
+ aeval st (Aadd (Asub (Anum 1) (Anum 2)) (Anum 2)) = 1
+
+ goal ex3: (* a = 0, a + 2 *)
+ aeval st (Aadd (Avar (Id 1)) (Anum 2)) = 2
+
+ goal ex4: (* a = 7, a + 2 *)
+ let st' = st[(Id 1) <- 7] in (* <-- update the state, st[Id 1] = 7 *)
+ aeval st' (Aadd (Avar (Id 1)) (Anum 2)) = 9
+
+ constant a_id : id = Id 1 (* <-- we introduce the constant a_id *)
+
+ goal ex5: (* a = 7, a + 2 *)
+ let st = st[a_id <- 7] in (* <-- used in the following *)
+ aeval st (Aadd (Avar a_id) (Anum 2)) = 9
+
+ goal ex6: (* on primitive "+" *)
+ forall a. a > 2 -> 2 + a > 4
+
+ goal ex7: (* addition on "imp" expression *)
+ forall a. a > 2 ->
+ aeval st (Aadd (Anum a) (Anum 2)) > 4
+
+ goal ex8: (* addition via state *)
+ forall a. a > 2 ->
+ let st = st[a_id <- a] in
+ aeval st (Aadd (Avar a_id) (Anum 2)) > 4
+
+end
diff --git a/imp_test/why3session.xml b/imp_test/why3session.xml
new file mode 100644
index 0000000000000000000000000000000000000000..a511523a70a729e52898c37d648cc9b66a030e2a
--- /dev/null
+++ b/imp_test/why3session.xml
@@ -0,0 +1,238 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE why3session PUBLIC "-//Why3//proof session v5//EN"
+"http://why3.lri.fr/why3session.dtd">
+<why3session shape_version="5">
+<prover id="0" name="Alt-Ergo" version="2.0.0" timelimit="1" steplimit="0" memlimit="1000"/>
+<prover id="1" name="CVC4" version="1.4" timelimit="1" steplimit="0" memlimit="1000"/>
+<file name="../state.mlw" proved="true">
+<theory name="State" proved="true">
+ <goal name="VC get" expl="VC for get" proved="true">
+ <proof prover="0"><result status="valid" time="0.00" steps="1"/></proof>
+ </goal>
+ <goal name="VC set" expl="VC for set" proved="true">
+ <proof prover="0"><result status="valid" time="0.00" steps="1"/></proof>
+ </goal>
+ <goal name="VC mixfix []" expl="VC for mixfix []" proved="true">
+ <proof prover="0"><result status="valid" time="0.00" steps="1"/></proof>
+ </goal>
+ <goal name="VC mixfix [<-]" expl="VC for mixfix [<-]" proved="true">
+ <proof prover="0"><result status="valid" time="0.00" steps="1"/></proof>
+ </goal>
+ <goal name="VC const" expl="VC for const" proved="true">
+ <proof prover="0"><result status="valid" time="0.00" steps="2"/></proof>
+ </goal>
+</theory>
+<theory name="Reg" proved="true">
+ <goal name="VC read" expl="VC for read" proved="true">
+ <proof prover="0"><result status="valid" time="0.00" steps="1"/></proof>
+ </goal>
+ <goal name="VC write" expl="VC for write" proved="true">
+ <proof prover="0"><result status="valid" time="0.00" steps="1"/></proof>
+ </goal>
+ <goal name="VC const" expl="VC for const" proved="true">
+ <proof prover="0"><result status="valid" time="0.00" steps="2"/></proof>
+ </goal>
+</theory>
+</file>
+<file name="../imp_test.mlw">
+<theory name="Imp_test">
+ <goal name="ex1">
+ <proof prover="0" obsolete="true"><result status="valid" time="0.02" steps="82"/></proof>
+ </goal>
+ <goal name="ex2">
+ <proof prover="0" obsolete="true"><result status="valid" time="0.03" steps="101"/></proof>
+ </goal>
+ <goal name="ex3">
+ <proof prover="0" obsolete="true"><result status="valid" time="0.02" steps="97"/></proof>
+ <proof prover="1" obsolete="true"><result status="timeout" time="1.00"/></proof>
+ </goal>
+ <goal name="ex4" proved="true">
+ <proof prover="0"><result status="valid" time="0.02" steps="97"/></proof>
+ </goal>
+ <goal name="ex5">
+ <proof prover="0" obsolete="true"><result status="valid" time="0.02" steps="97"/></proof>
+ </goal>
+ <goal name="ex6">
+ <proof prover="0" obsolete="true"><result status="valid" time="0.01" steps="74"/></proof>
+ </goal>
+ <goal name="ex7">
+ <proof prover="0" obsolete="true"><result status="valid" time="0.02" steps="84"/></proof>
+ </goal>
+ <goal name="ex8">
+ <proof prover="0" obsolete="true"><result status="valid" time="0.03" steps="100"/></proof>
+ </goal>
+</theory>
+</file>
+<file name="../imp_ex.mlw" proved="true">
+<theory name="Imp_Ex" proved="true">
+ <goal name="VC aeval_ex" expl="VC for aeval_ex" proved="true">
+ <proof prover="0"><result status="valid" time="0.52" steps="783"/></proof>
+ </goal>
+ <goal name="VC beval_ex" expl="VC for beval_ex" proved="true">
+ <proof prover="0"><result status="valid" time="0.22" steps="667"/></proof>
+ </goal>
+ <goal name="VC ceval_ex" expl="VC for ceval_ex" proved="true">
+ <proof prover="0"><result status="valid" time="0.08" steps="237"/></proof>
+ </goal>
+</theory>
+</file>
+<file name="../imp_ex_assignment.mlw">
+<theory name="Imp_ex">
+ <goal name="VC aeval_ex" expl="VC for aeval_ex" proved="true">
+ <proof prover="0"><result status="valid" time="0.68" steps="783"/></proof>
+ </goal>
+ <goal name="VC beval_ex" expl="VC for beval_ex" proved="true">
+ <proof prover="0"><result status="valid" time="0.20" steps="667"/></proof>
+ </goal>
+ <goal name="VC ceval_ex" expl="VC for ceval_ex">
+ <transf name="split_vc" >
+ <goal name="VC ceval_ex.0" expl="postcondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.02" steps="74"/></proof>
+ </goal>
+ <goal name="VC ceval_ex.1" expl="postcondition">
+ <proof prover="0"><result status="timeout" time="1.00"/></proof>
+ </goal>
+ <goal name="VC ceval_ex.2" expl="postcondition">
+ <proof prover="0"><result status="timeout" time="1.00"/></proof>
+ </goal>
+ <goal name="VC ceval_ex.3" expl="postcondition">
+ <proof prover="0"><result status="timeout" time="1.00"/></proof>
+ </goal>
+ <goal name="VC ceval_ex.4" expl="postcondition">
+ <proof prover="0"><result status="timeout" time="1.00"/></proof>
+ </goal>
+ </transf>
+ </goal>
+</theory>
+</file>
+<file name="../imp.mlw" proved="true">
+<theory name="Imp" proved="true">
+ <goal name="ceval_deterministic_aux" proved="true">
+ <transf name="induction_pr" proved="true" >
+ <goal name="ceval_deterministic_aux.0" proved="true">
+ <proof prover="0"><result status="valid" time="0.05" steps="135"/></proof>
+ </goal>
+ <goal name="ceval_deterministic_aux.1" proved="true">
+ <proof prover="0"><result status="valid" time="0.08" steps="180"/></proof>
+ </goal>
+ <goal name="ceval_deterministic_aux.2" proved="true">
+ <transf name="induction_pr" proved="true" >
+ <goal name="ceval_deterministic_aux.2.0" proved="true">
+ <proof prover="0"><result status="valid" time="0.02" steps="84"/></proof>
+ </goal>
+ <goal name="ceval_deterministic_aux.2.1" proved="true">
+ <proof prover="0"><result status="valid" time="0.03" steps="86"/></proof>
+ </goal>
+ <goal name="ceval_deterministic_aux.2.2" proved="true">
+ <proof prover="0" obsolete="true"><result status="timeout" time="1.00"/></proof>
+ <proof prover="1"><result status="valid" time="0.11"/></proof>
+ </goal>
+ <goal name="ceval_deterministic_aux.2.3" proved="true">
+ <proof prover="0"><result status="valid" time="0.03" steps="86"/></proof>
+ </goal>
+ <goal name="ceval_deterministic_aux.2.4" proved="true">
+ <proof prover="0"><result status="valid" time="0.03" steps="86"/></proof>
+ </goal>
+ <goal name="ceval_deterministic_aux.2.5" proved="true">
+ <proof prover="0"><result status="valid" time="0.02" steps="85"/></proof>
+ </goal>
+ <goal name="ceval_deterministic_aux.2.6" proved="true">
+ <proof prover="0"><result status="valid" time="0.02" steps="87"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="ceval_deterministic_aux.3" proved="true">
+ <transf name="induction_pr" proved="true" >
+ <goal name="ceval_deterministic_aux.3.0" proved="true">
+ <proof prover="0"><result status="valid" time="0.02" steps="84"/></proof>
+ </goal>
+ <goal name="ceval_deterministic_aux.3.1" proved="true">
+ <proof prover="0"><result status="valid" time="0.02" steps="86"/></proof>
+ </goal>
+ <goal name="ceval_deterministic_aux.3.2" proved="true">
+ <proof prover="0"><result status="valid" time="0.03" steps="86"/></proof>
+ </goal>
+ <goal name="ceval_deterministic_aux.3.3" proved="true">
+ <proof prover="0" obsolete="true"><result status="timeout" time="1.00"/></proof>
+ <proof prover="1"><result status="valid" time="0.06"/></proof>
+ </goal>
+ <goal name="ceval_deterministic_aux.3.4" proved="true">
+ <proof prover="0"><result status="valid" time="0.03" steps="86"/></proof>
+ </goal>
+ <goal name="ceval_deterministic_aux.3.5" proved="true">
+ <proof prover="0"><result status="valid" time="0.03" steps="85"/></proof>
+ </goal>
+ <goal name="ceval_deterministic_aux.3.6" proved="true">
+ <proof prover="0"><result status="valid" time="0.02" steps="87"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="ceval_deterministic_aux.4" proved="true">
+ <transf name="induction_pr" proved="true" >
+ <goal name="ceval_deterministic_aux.4.0" proved="true">
+ <proof prover="0"><result status="valid" time="0.02" steps="84"/></proof>
+ </goal>
+ <goal name="ceval_deterministic_aux.4.1" proved="true">
+ <proof prover="0"><result status="valid" time="0.03" steps="86"/></proof>
+ </goal>
+ <goal name="ceval_deterministic_aux.4.2" proved="true">
+ <proof prover="0"><result status="valid" time="0.02" steps="86"/></proof>
+ </goal>
+ <goal name="ceval_deterministic_aux.4.3" proved="true">
+ <proof prover="0"><result status="valid" time="0.03" steps="86"/></proof>
+ </goal>
+ <goal name="ceval_deterministic_aux.4.4" proved="true">
+ <proof prover="0" obsolete="true"><result status="timeout" time="1.00"/></proof>
+ <proof prover="1"><result status="valid" time="0.06"/></proof>
+ </goal>
+ <goal name="ceval_deterministic_aux.4.5" proved="true">
+ <proof prover="0"><result status="valid" time="0.02" steps="85"/></proof>
+ </goal>
+ <goal name="ceval_deterministic_aux.4.6" proved="true">
+ <proof prover="0"><result status="valid" time="0.02" steps="87"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="ceval_deterministic_aux.5" proved="true">
+ <proof prover="0"><result status="valid" time="0.05" steps="133"/></proof>
+ </goal>
+ <goal name="ceval_deterministic_aux.6" proved="true">
+ <transf name="induction_pr" proved="true" >
+ <goal name="ceval_deterministic_aux.6.0" proved="true">
+ <proof prover="0"><result status="valid" time="0.02" steps="85"/></proof>
+ </goal>
+ <goal name="ceval_deterministic_aux.6.1" proved="true">
+ <proof prover="0"><result status="valid" time="0.03" steps="87"/></proof>
+ </goal>
+ <goal name="ceval_deterministic_aux.6.2" proved="true">
+ <proof prover="0"><result status="valid" time="0.03" steps="87"/></proof>
+ </goal>
+ <goal name="ceval_deterministic_aux.6.3" proved="true">
+ <proof prover="0"><result status="valid" time="0.03" steps="87"/></proof>
+ </goal>
+ <goal name="ceval_deterministic_aux.6.4" proved="true">
+ <proof prover="0"><result status="valid" time="0.02" steps="87"/></proof>
+ </goal>
+ <goal name="ceval_deterministic_aux.6.5" proved="true">
+ <proof prover="0"><result status="valid" time="0.02" steps="86"/></proof>
+ </goal>
+ <goal name="ceval_deterministic_aux.6.6" proved="true">
+ <proof prover="0" obsolete="true"><result status="timeout" time="1.00"/></proof>
+ <proof prover="1"><result status="valid" time="0.11"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="ceval_deterministic" proved="true">
+ <proof prover="0"><result status="valid" time="0.03" steps="107"/></proof>
+ </goal>
+ <goal name="VC beval">
+ <proof prover="0"><result status="valid" time="0.02" steps="73"/></proof>
+ </goal>
+ <goal name="VC aeval">
+ <proof prover="0"><result status="valid" time="0.01" steps="73"/></proof>
+ </goal>
+</theory>
+</file>
+</why3session>
diff --git a/imp_test/why3session.xml.bak b/imp_test/why3session.xml.bak
new file mode 100644
index 0000000000000000000000000000000000000000..428557c944439ba953d1200d5dc192a91bd6887f
--- /dev/null
+++ b/imp_test/why3session.xml.bak
@@ -0,0 +1,238 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE why3session PUBLIC "-//Why3//proof session v5//EN"
+"http://why3.lri.fr/why3session.dtd">
+<why3session shape_version="5">
+<prover id="0" name="Alt-Ergo" version="2.0.0" timelimit="1" steplimit="0" memlimit="1000"/>
+<prover id="1" name="CVC4" version="1.4" timelimit="1" steplimit="0" memlimit="1000"/>
+<file name="../state.mlw" proved="true">
+<theory name="State" proved="true">
+ <goal name="VC get" expl="VC for get" proved="true">
+ <proof prover="0"><result status="valid" time="0.00" steps="1"/></proof>
+ </goal>
+ <goal name="VC set" expl="VC for set" proved="true">
+ <proof prover="0"><result status="valid" time="0.00" steps="1"/></proof>
+ </goal>
+ <goal name="VC mixfix []" expl="VC for mixfix []" proved="true">
+ <proof prover="0"><result status="valid" time="0.00" steps="1"/></proof>
+ </goal>
+ <goal name="VC mixfix [<-]" expl="VC for mixfix [<-]" proved="true">
+ <proof prover="0"><result status="valid" time="0.00" steps="1"/></proof>
+ </goal>
+ <goal name="VC const" expl="VC for const" proved="true">
+ <proof prover="0"><result status="valid" time="0.00" steps="2"/></proof>
+ </goal>
+</theory>
+<theory name="Reg" proved="true">
+ <goal name="VC read" expl="VC for read" proved="true">
+ <proof prover="0"><result status="valid" time="0.00" steps="1"/></proof>
+ </goal>
+ <goal name="VC write" expl="VC for write" proved="true">
+ <proof prover="0"><result status="valid" time="0.00" steps="1"/></proof>
+ </goal>
+ <goal name="VC const" expl="VC for const" proved="true">
+ <proof prover="0"><result status="valid" time="0.00" steps="2"/></proof>
+ </goal>
+</theory>
+</file>
+<file name="../imp_test.mlw">
+<theory name="Imp_test">
+ <goal name="ex1" proved="true">
+ <proof prover="0"><result status="valid" time="0.02" steps="82"/></proof>
+ </goal>
+ <goal name="ex2" proved="true">
+ <proof prover="0"><result status="valid" time="0.03" steps="101"/></proof>
+ </goal>
+ <goal name="ex3" proved="true">
+ <proof prover="0"><result status="valid" time="0.02" steps="97"/></proof>
+ <proof prover="1" obsolete="true"><result status="timeout" time="1.00"/></proof>
+ </goal>
+ <goal name="ex4">
+ <proof prover="0" obsolete="true"><result status="valid" time="0.02" steps="97"/></proof>
+ </goal>
+ <goal name="ex5">
+ <proof prover="0" obsolete="true"><result status="valid" time="0.02" steps="97"/></proof>
+ </goal>
+ <goal name="ex6">
+ <proof prover="0" obsolete="true"><result status="valid" time="0.01" steps="74"/></proof>
+ </goal>
+ <goal name="ex7">
+ <proof prover="0" obsolete="true"><result status="valid" time="0.02" steps="84"/></proof>
+ </goal>
+ <goal name="ex8">
+ <proof prover="0" obsolete="true"><result status="valid" time="0.03" steps="100"/></proof>
+ </goal>
+</theory>
+</file>
+<file name="../imp_ex_assignment.mlw">
+<theory name="Imp_ex">
+ <goal name="VC aeval_ex" expl="VC for aeval_ex" proved="true">
+ <proof prover="0"><result status="valid" time="0.68" steps="783"/></proof>
+ </goal>
+ <goal name="VC beval_ex" expl="VC for beval_ex" proved="true">
+ <proof prover="0"><result status="valid" time="0.20" steps="667"/></proof>
+ </goal>
+ <goal name="VC ceval_ex" expl="VC for ceval_ex">
+ <transf name="split_vc" >
+ <goal name="VC ceval_ex.0" expl="postcondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.02" steps="74"/></proof>
+ </goal>
+ <goal name="VC ceval_ex.1" expl="postcondition">
+ <proof prover="0"><result status="timeout" time="1.00"/></proof>
+ </goal>
+ <goal name="VC ceval_ex.2" expl="postcondition">
+ <proof prover="0"><result status="timeout" time="1.00"/></proof>
+ </goal>
+ <goal name="VC ceval_ex.3" expl="postcondition">
+ <proof prover="0"><result status="timeout" time="1.00"/></proof>
+ </goal>
+ <goal name="VC ceval_ex.4" expl="postcondition">
+ <proof prover="0"><result status="timeout" time="1.00"/></proof>
+ </goal>
+ </transf>
+ </goal>
+</theory>
+</file>
+<file name="../imp_ex.mlw" proved="true">
+<theory name="Imp_Ex" proved="true">
+ <goal name="VC aeval_ex" expl="VC for aeval_ex" proved="true">
+ <proof prover="0"><result status="valid" time="0.52" steps="783"/></proof>
+ </goal>
+ <goal name="VC beval_ex" expl="VC for beval_ex" proved="true">
+ <proof prover="0"><result status="valid" time="0.22" steps="667"/></proof>
+ </goal>
+ <goal name="VC ceval_ex" expl="VC for ceval_ex" proved="true">
+ <proof prover="0"><result status="valid" time="0.08" steps="237"/></proof>
+ </goal>
+</theory>
+</file>
+<file name="../imp.mlw" proved="true">
+<theory name="Imp" proved="true">
+ <goal name="ceval_deterministic_aux" proved="true">
+ <transf name="induction_pr" proved="true" >
+ <goal name="ceval_deterministic_aux.0" proved="true">
+ <proof prover="0"><result status="valid" time="0.05" steps="135"/></proof>
+ </goal>
+ <goal name="ceval_deterministic_aux.1" proved="true">
+ <proof prover="0"><result status="valid" time="0.08" steps="180"/></proof>
+ </goal>
+ <goal name="ceval_deterministic_aux.2" proved="true">
+ <transf name="induction_pr" proved="true" >
+ <goal name="ceval_deterministic_aux.2.0" proved="true">
+ <proof prover="0"><result status="valid" time="0.02" steps="84"/></proof>
+ </goal>
+ <goal name="ceval_deterministic_aux.2.1" proved="true">
+ <proof prover="0"><result status="valid" time="0.03" steps="86"/></proof>
+ </goal>
+ <goal name="ceval_deterministic_aux.2.2" proved="true">
+ <proof prover="0" obsolete="true"><result status="timeout" time="1.00"/></proof>
+ <proof prover="1"><result status="valid" time="0.11"/></proof>
+ </goal>
+ <goal name="ceval_deterministic_aux.2.3" proved="true">
+ <proof prover="0"><result status="valid" time="0.03" steps="86"/></proof>
+ </goal>
+ <goal name="ceval_deterministic_aux.2.4" proved="true">
+ <proof prover="0"><result status="valid" time="0.03" steps="86"/></proof>
+ </goal>
+ <goal name="ceval_deterministic_aux.2.5" proved="true">
+ <proof prover="0"><result status="valid" time="0.02" steps="85"/></proof>
+ </goal>
+ <goal name="ceval_deterministic_aux.2.6" proved="true">
+ <proof prover="0"><result status="valid" time="0.02" steps="87"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="ceval_deterministic_aux.3" proved="true">
+ <transf name="induction_pr" proved="true" >
+ <goal name="ceval_deterministic_aux.3.0" proved="true">
+ <proof prover="0"><result status="valid" time="0.02" steps="84"/></proof>
+ </goal>
+ <goal name="ceval_deterministic_aux.3.1" proved="true">
+ <proof prover="0"><result status="valid" time="0.02" steps="86"/></proof>
+ </goal>
+ <goal name="ceval_deterministic_aux.3.2" proved="true">
+ <proof prover="0"><result status="valid" time="0.03" steps="86"/></proof>
+ </goal>
+ <goal name="ceval_deterministic_aux.3.3" proved="true">
+ <proof prover="0" obsolete="true"><result status="timeout" time="1.00"/></proof>
+ <proof prover="1"><result status="valid" time="0.06"/></proof>
+ </goal>
+ <goal name="ceval_deterministic_aux.3.4" proved="true">
+ <proof prover="0"><result status="valid" time="0.03" steps="86"/></proof>
+ </goal>
+ <goal name="ceval_deterministic_aux.3.5" proved="true">
+ <proof prover="0"><result status="valid" time="0.03" steps="85"/></proof>
+ </goal>
+ <goal name="ceval_deterministic_aux.3.6" proved="true">
+ <proof prover="0"><result status="valid" time="0.02" steps="87"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="ceval_deterministic_aux.4" proved="true">
+ <transf name="induction_pr" proved="true" >
+ <goal name="ceval_deterministic_aux.4.0" proved="true">
+ <proof prover="0"><result status="valid" time="0.02" steps="84"/></proof>
+ </goal>
+ <goal name="ceval_deterministic_aux.4.1" proved="true">
+ <proof prover="0"><result status="valid" time="0.03" steps="86"/></proof>
+ </goal>
+ <goal name="ceval_deterministic_aux.4.2" proved="true">
+ <proof prover="0"><result status="valid" time="0.02" steps="86"/></proof>
+ </goal>
+ <goal name="ceval_deterministic_aux.4.3" proved="true">
+ <proof prover="0"><result status="valid" time="0.03" steps="86"/></proof>
+ </goal>
+ <goal name="ceval_deterministic_aux.4.4" proved="true">
+ <proof prover="0" obsolete="true"><result status="timeout" time="1.00"/></proof>
+ <proof prover="1"><result status="valid" time="0.06"/></proof>
+ </goal>
+ <goal name="ceval_deterministic_aux.4.5" proved="true">
+ <proof prover="0"><result status="valid" time="0.02" steps="85"/></proof>
+ </goal>
+ <goal name="ceval_deterministic_aux.4.6" proved="true">
+ <proof prover="0"><result status="valid" time="0.02" steps="87"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="ceval_deterministic_aux.5" proved="true">
+ <proof prover="0"><result status="valid" time="0.05" steps="133"/></proof>
+ </goal>
+ <goal name="ceval_deterministic_aux.6" proved="true">
+ <transf name="induction_pr" proved="true" >
+ <goal name="ceval_deterministic_aux.6.0" proved="true">
+ <proof prover="0"><result status="valid" time="0.02" steps="85"/></proof>
+ </goal>
+ <goal name="ceval_deterministic_aux.6.1" proved="true">
+ <proof prover="0"><result status="valid" time="0.03" steps="87"/></proof>
+ </goal>
+ <goal name="ceval_deterministic_aux.6.2" proved="true">
+ <proof prover="0"><result status="valid" time="0.03" steps="87"/></proof>
+ </goal>
+ <goal name="ceval_deterministic_aux.6.3" proved="true">
+ <proof prover="0"><result status="valid" time="0.03" steps="87"/></proof>
+ </goal>
+ <goal name="ceval_deterministic_aux.6.4" proved="true">
+ <proof prover="0"><result status="valid" time="0.02" steps="87"/></proof>
+ </goal>
+ <goal name="ceval_deterministic_aux.6.5" proved="true">
+ <proof prover="0"><result status="valid" time="0.02" steps="86"/></proof>
+ </goal>
+ <goal name="ceval_deterministic_aux.6.6" proved="true">
+ <proof prover="0" obsolete="true"><result status="timeout" time="1.00"/></proof>
+ <proof prover="1"><result status="valid" time="0.11"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="ceval_deterministic" proved="true">
+ <proof prover="0"><result status="valid" time="0.03" steps="107"/></proof>
+ </goal>
+ <goal name="VC beval">
+ <proof prover="0"><result status="valid" time="0.02" steps="73"/></proof>
+ </goal>
+ <goal name="VC aeval">
+ <proof prover="0"><result status="valid" time="0.01" steps="73"/></proof>
+ </goal>
+</theory>
+</file>
+</why3session>
diff --git a/imp_test/why3shapes.gz b/imp_test/why3shapes.gz
new file mode 100644
index 0000000000000000000000000000000000000000..527dbbaaa0a8756a227cdfe895f87a3dc77d2479
Binary files /dev/null and b/imp_test/why3shapes.gz differ
diff --git a/imp_test/why3shapes.gz.bak b/imp_test/why3shapes.gz.bak
new file mode 100644
index 0000000000000000000000000000000000000000..f0927eda25523e6df29d23ed01f9d1f0349555b8
Binary files /dev/null and b/imp_test/why3shapes.gz.bak differ
diff --git a/logic.mlw b/logic.mlw
new file mode 100644
index 0000000000000000000000000000000000000000..ba4af0705a13e50c5012d79cf447be098bc01c38
--- /dev/null
+++ b/logic.mlw
@@ -0,0 +1,160 @@
+
+(* Program logic (hoare logic + weakest preconditions) over
+ Virtual Machine language. *)
+module Compiler_logic
+
+ use int.Int
+ use list.List
+ use list.Length
+ use list.Append
+ use vm.Vm
+ use state.State
+
+ function fst (p: ('a,'b)) : 'a = let (x,_) = p in x
+ meta rewrite_def function fst
+
+ function snd (p: ('a,'b)) : 'b = let (_,y) = p in y
+ meta rewrite_def function snd
+
+ predicate (-->) (x y:'a) = [@rewrite] x = y
+ meta rewrite_def predicate (-->)
+
+ (* Unary predicates over machine states *)
+ type pred = machine_state -> bool
+
+ (* Binary predicates over machine states *)
+ type rel = machine_state -> pred
+
+ (* pre/post-conditions types, as parameterized unary/binary predicates.
+ 'a represents auxiliary variables
+ pos is an auxiliary variable representing the absolute position at which
+ the code is loaded. *)
+ type pre 'a = 'a -> pos -> pred
+ type post 'a = 'a -> pos -> rel
+
+ (* Machine transition valid whatever the global code is. *)
+ predicate contextual_irrelevance (c:code) (p:pos) (ms1 ms2:machine_state) =
+ forall c_glob. codeseq_at c_glob p c -> transition_star c_glob ms1 ms2
+
+ (* Hoare triples with explicit pre & post *)
+ type hl 'a = { code: code; ghost pre : pre 'a; ghost post: post 'a }
+ (* (Total) correctness for hoare triple. *)
+ invariant { forall x:'a,p ms. pre x p ms ->
+ exists ms'. post x p ms ms' /\ contextual_irrelevance code p ms ms' }
+ by { code = Nil; pre = (fun _ _ _ -> false); post = fun _ _ _ _ -> true }
+
+ (* Predicate transformer type. Same auxiliary variables as for
+ Hoare triples. *)
+ type wp_trans 'a = 'a -> pos -> pred -> pred
+
+ (* Code with backward predicate transformer. *)
+ type wp 'a = { wcode : code; ghost wp : wp_trans 'a }
+ (* Similar invariant for backward predicate transformers *)
+ invariant { forall x:'a,p post ms. wp x p post ms ->
+ exists ms'. post ms' /\ contextual_irrelevance wcode p ms ms' }
+ by { wcode = Nil; wp = fun _ _ _ _ -> false }
+
+ (* WP combinator for sequence. Similar to the standard WP calculus
+ for sequence. The initial machine state is memorized in auxiliary
+ variables for potential use in the second code specification. *)
+ function seq_wp
+ (l1:int) (w1:wp_trans 'a) (w2:wp_trans ('a,machine_state)) : wp_trans 'a =
+ fun x p q ms -> w1 x p (w2 (x,ms) (p+l1) q) ms
+
+ lemma seq_wp_lemma: [@rewrite] forall l1,w1: wp_trans 'a,w2 x p q ms.
+ seq_wp l1 w1 w2 x p q ms = w1 x p (w2 (x,ms) (p+l1) q) ms
+
+ (* Code combinator for sequence, with wp. *)
+ let (--) (s1 : wp 'a) (s2 : wp ('a, machine_state)) : wp 'a
+ ensures { result.wcode.length --> s1.wcode.length + s2.wcode.length }
+ ensures { result.wp --> seq_wp s1.wcode.length s1.wp s2.wp }
+ = let code = s1.wcode ++ s2.wcode in
+ let res = { wcode = code; wp = seq_wp s1.wcode.length s1.wp s2.wp } in
+ assert { forall x: 'a, p post ms. res.wp x p post ms ->
+ not (exists ms'. post ms' /\ contextual_irrelevance res.wcode p ms ms') ->
+ (forall ms'. s2.wp (x,ms) (p + s1.wcode.length) post ms' /\
+ contextual_irrelevance res.wcode p ms ms' -> false) && false };
+ res
+
+ function fork_wp (w:wp_trans 'a) (cond:pre 'a) : wp_trans 'a =
+ fun x p q ms -> if cond x p ms then w x p q ms else q ms
+
+ lemma fork_wp_lemma: [@rewrite] forall w:wp_trans 'a,cond x p q ms.
+ fork_wp w cond x p q ms =
+ ((not cond x p ms -> q ms) /\ (cond x p ms -> w x p q ms))
+
+ (* Code combinator for conditional execution.
+ Similar to WP calculus for (if cond then s). *)
+
+ let (%) (s:wp 'a) (ghost cond:pre 'a) : wp 'a
+ ensures { result.wp --> fork_wp s.wp cond }
+ ensures { result.wcode.length --> s.wcode.length }
+ = { wcode = s.wcode; wp = fork_wp s.wp cond }
+
+ (* WP transformer for hoare triples. *)
+ function towp_wp (pr:pre 'a) (ps:post 'a) : wp_trans 'a =
+ fun x p q ms -> pr x p ms && (forall ms'. ps x p ms ms' -> q ms')
+
+ lemma towp_wp_lemma: [@rewrite]
+ forall pr ps, x:'a, p q ms. towp_wp pr ps x p q ms =
+ (pr x p ms && (forall ms'. ps x p ms ms' -> q ms'))
+
+ (* Unwrap code with hoare triple into code with wp.
+ Analogous to procedure call/abstract block. *)
+ let ($_) (c:hl 'a) : wp 'a
+ ensures { result.wcode.length --> c.code.length }
+ ensures { result.wp --> towp_wp c.pre c.post }
+ = { wcode = c.code; wp = towp_wp c.pre c.post }
+
+ (* Equip code with pre/post-condition. That is here that proof happen.
+ (P -> wp (c,Q)). Anologous to checking function/abstract block
+ specification. *)
+ let hoare (ghost pre:pre 'a) (c:wp 'a) (ghost post:post 'a) : hl 'a
+ requires { forall x p ms. pre x p ms -> (c.wp x p (post x p ms)) ms }
+ ensures { result.pre --> pre }
+ ensures { result.post --> post }
+ ensures { result.code.length --> c.wcode.length }
+ = { code = c.wcode ; pre = pre; post = post }
+
+ function trivial_pre: pre 'a = fun _ p ms -> let VMS p' _ _ _ = ms in p = p'
+ meta rewrite_def function trivial_pre
+
+ (* Accessibility predicate. *)
+ inductive acc ('a -> 'a -> bool) 'a =
+ | Acc : forall r, x:'a. (forall y. r y x -> acc r y) -> acc r x
+
+ (* Utility: some flavor of conjonction. *)
+ function pconj (p1:pred) (x:machine_state)
+ (p2:machine_state -> pred) : pred =
+ fun y -> p1 y && p2 y x
+ lemma pconj_lemma:[@rewrite] forall p1 x p2 y. pconj p1 x p2 y <-> p1 y && p2 y x
+
+ (* WP combinator for looping construction. Similar to weakest precondition
+ for while loops. *)
+
+ function loop_wp (w:wp_trans 'a) (inv cont:pre 'a)
+ (var:post 'a) : wp_trans 'a =
+ fun x p q ms -> inv x p ms && acc (var x p) ms && forall ms'. inv x p ms' ->
+ if cont x p ms'
+ then w x p (pconj (inv x p) ms' (var x p)) ms'
+ else w x p q ms'
+
+ lemma loop_wp_lemma: [@rewrite] forall w:wp_trans 'a,inv cont var x p q ms.
+ loop_wp w inv cont var x p q ms <->
+ inv x p ms && acc (var x p) ms && forall ms'. inv x p ms' ->
+ (cont x p ms' -> w x p (pconj (inv x p) ms' (var x p)) ms')
+ /\ (not cont x p ms' -> w x p q ms')
+
+ (* Code combinator for looping construct. *)
+ let make_loop (c:wp 'a) (ghost inv cont:pre 'a)
+ (ghost var:post 'a) : wp 'a
+ ensures { result.wp --> loop_wp c.wp inv cont var }
+ ensures { result.wcode.length --> c.wcode.length }
+ = let ghost wpt = loop_wp c.wp inv cont var in
+ assert { forall x p q ms0. wpt x p q ms0 ->
+ forall ms. inv x p ms -> acc (var x p) ms ->
+ exists ms'. contextual_irrelevance c.wcode p ms ms' /\ q ms'
+ };
+ { wcode = c.wcode; wp = wpt }
+
+end
diff --git a/logic/why3session.xml b/logic/why3session.xml
new file mode 100644
index 0000000000000000000000000000000000000000..db8eea6cbb9459be1ec6ce3892726d8eea9bdde2
--- /dev/null
+++ b/logic/why3session.xml
@@ -0,0 +1,78 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE why3session PUBLIC "-//Why3//proof session v5//EN"
+"http://why3.lri.fr/why3session.dtd">
+<why3session shape_version="4">
+<prover id="3" name="Z3" version="4.7.1" alternative="counterexamples" timelimit="5" steplimit="0" memlimit="2000"/>
+<prover id="4" name="CVC4" version="1.6" alternative="counterexamples" timelimit="5" steplimit="0" memlimit="1000"/>
+<prover id="5" name="Alt-Ergo" version="2.0.0" timelimit="1" steplimit="0" memlimit="1000"/>
+<file name="../logic.mlw" proved="true">
+<theory name="Compiler_logic" proved="true">
+ <goal name="VC hl" expl="VC for hl" proved="true">
+ <proof prover="5"><result status="valid" time="0.01" steps="76"/></proof>
+ </goal>
+ <goal name="VC wp" expl="VC for wp" proved="true">
+ <proof prover="5"><result status="valid" time="0.02" steps="76"/></proof>
+ </goal>
+ <goal name="seq_wp_lemma" proved="true">
+ <proof prover="5"><result status="valid" time="0.02" steps="75"/></proof>
+ </goal>
+ <goal name="VC infix --" expl="VC for infix --" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC infix --.0" expl="precondition" proved="true">
+ <proof prover="5"><result status="valid" time="0.02" steps="161"/></proof>
+ </goal>
+ <goal name="VC infix --.1" expl="assertion" proved="true">
+ <proof prover="5"><result status="valid" time="0.05" steps="98"/></proof>
+ </goal>
+ <goal name="VC infix --.2" expl="postcondition" proved="true">
+ <proof prover="5"><result status="valid" time="0.02" steps="84"/></proof>
+ </goal>
+ <goal name="VC infix --.3" expl="postcondition" proved="true">
+ <proof prover="5"><result status="valid" time="0.03" steps="78"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="fork_wp_lemma" proved="true">
+ <proof prover="5"><result status="valid" time="0.03" steps="84"/></proof>
+ </goal>
+ <goal name="VC infix %" expl="VC for infix %" proved="true">
+ <proof prover="4"><result status="valid" time="0.21"/></proof>
+ </goal>
+ <goal name="towp_wp_lemma" proved="true">
+ <proof prover="5"><result status="valid" time="0.04" steps="96"/></proof>
+ </goal>
+ <goal name="VC prefix $" expl="VC for prefix $" proved="true">
+ <proof prover="5"><result status="valid" time="0.05" steps="103"/></proof>
+ </goal>
+ <goal name="VC hoare" expl="VC for hoare" proved="true">
+ <proof prover="3"><result status="valid" time="0.07"/></proof>
+ </goal>
+ <goal name="pconj_lemma" proved="true">
+ <proof prover="5"><result status="valid" time="0.03" steps="79"/></proof>
+ </goal>
+ <goal name="loop_wp_lemma" proved="true">
+ <proof prover="3"><result status="valid" time="0.06"/></proof>
+ </goal>
+ <goal name="VC make_loop" expl="VC for make_loop" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC make_loop.0" expl="assertion" proved="true">
+ <transf name="induction_pr" proved="true" >
+ <goal name="VC make_loop.0.0" expl="assertion" proved="true">
+ <proof prover="3"><result status="valid" time="0.07"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC make_loop.1" expl="precondition" proved="true">
+ <proof prover="5"><result status="valid" time="0.02" steps="94"/></proof>
+ </goal>
+ <goal name="VC make_loop.2" expl="postcondition" proved="true">
+ <proof prover="5"><result status="valid" time="0.05" steps="77"/></proof>
+ </goal>
+ <goal name="VC make_loop.3" expl="postcondition" proved="true">
+ <proof prover="5"><result status="valid" time="0.02" steps="77"/></proof>
+ </goal>
+ </transf>
+ </goal>
+</theory>
+</file>
+</why3session>
diff --git a/logic/why3shapes.gz b/logic/why3shapes.gz
new file mode 100644
index 0000000000000000000000000000000000000000..a1dff018b0ac3096ed3ce784d017d8a1e930ca39
Binary files /dev/null and b/logic/why3shapes.gz differ
diff --git a/ocaml64_bv.drv b/ocaml64_bv.drv
new file mode 100644
index 0000000000000000000000000000000000000000..55f3afde7e1362517167e90bff5d661bf2e2e2df
--- /dev/null
+++ b/ocaml64_bv.drv
@@ -0,0 +1,72 @@
+
+(** OCaml bv, driver for 64-bit architecture *)
+
+printer "ocaml"
+
+
+
+module bv.BV32
+ syntax type t "int32"
+
+ syntax val zeros "SHOULD_NOT_BE_HERE"
+ syntax val one "SHOULD_NOT_BE_HERE"
+ syntax val ones "SHOULD_NOT_BE_HERE"
+ syntax val bw_and "SHOULD_NOT_BE_HERE"
+ syntax val bw_or "SHOULD_NOT_BE_HERE"
+ syntax val bw_xor "SHOULD_NOT_BE_HERE"
+ syntax val bw_not "SHOULD_NOT_BE_HERE"
+ syntax val lsr "SHOULD_NOT_BE_HERE"
+ syntax val asr "SHOULD_NOT_BE_HERE"
+ syntax val lsl "SHOULD_NOT_BE_HERE"
+ syntax val to_uint "SHOULD_NOT_BE_HERE"
+ syntax val to_int "Z.of_int (Int32.to_int %1)"
+ syntax val of_int "Int32.of_int(Z.to_int %1)"
+ syntax val add "Int32.add %1 %2"
+ syntax val sub "SHOULD_NOT_BE_HERE"
+ syntax val neg "SHOULD_NOT_BE_HERE"
+ syntax val mul "SHOULD_NOT_BE_HERE"
+ syntax val udiv "SHOULD_NOT_BE_HERE"
+ syntax val urem "SHOULD_NOT_BE_HERE"
+ syntax val nth "SHOULD_NOT_BE_HERE"
+ syntax val lsr_bv "SHOULD_NOT_BE_HERE"
+ syntax val asr_bv "SHOULD_NOT_BE_HERE"
+ syntax val lsl_bv "SHOULD_NOT_BE_HERE"
+ syntax val rotate_right_bv "SHOULD_NOT_BE_HERE"
+ syntax val rotate_left_bv "SHOULD_NOT_BE_HERE"
+ syntax val nth_bv "SHOULD_NOT_BE_HERE"
+syntax val eq "SHOULD_NOT_BE_HERE"
+syntax val nth_bv "SHOULD_NOT_BE_HERE"
+syntax val nth_bv "SHOULD_NOT_BE_HERE"
+
+(*
+ syntax literal int63 "%1"
+ syntax converter of_int "%1"
+
+ syntax val of_int "Z.to_int %1"
+ syntax val to_int "Z.of_int %1"
+
+ syntax constant min_int63 "Z.of_int min_int"
+ syntax constant max_int63 "Z.of_int max_int"
+ syntax constant min_int "min_int"
+ syntax constant max_int "max_int"
+ syntax constant zero "0"
+ syntax constant one "1"
+ syntax val ( + ) "%1 + %2"
+ syntax val ( - ) "%1 - %2"
+ syntax val (-_) "- %1"
+ syntax val ( * ) "%1 * %2"
+ syntax val ( / ) "%1 / %2"
+ syntax val ( % ) "%1 mod %2"
+ syntax val (=) "%1 = %2"
+ syntax val (<=) "%1 <= %2"
+ syntax val (<) "%1 < %2"
+ syntax val (>=) "%1 >= %2"
+ syntax val (>) "%1 > %2"
+*)
+
+(*
+ syntax val to_bv "(fun x -> x)"
+ syntax val of_bv "(fun x -> x)"
+ *)
+end
+
diff --git a/specs.mlw b/specs.mlw
new file mode 100644
index 0000000000000000000000000000000000000000..bc69e2df43397ff8fe6642a234bc75dfa5c48623
--- /dev/null
+++ b/specs.mlw
@@ -0,0 +1,460 @@
+
+module VM_instr_spec
+
+ meta compute_max_steps 0x10000
+
+ use int.Int
+ use list.List
+ use list.Length
+ use vm.Vm
+ use state.State
+ use state.Reg
+ use logic.Compiler_logic
+ use bv_op.BV_OP
+
+ function ifun_post (f:machine_state -> machine_state) : post 'a =
+ fun _ _ ms ms' -> ms' = f ms
+ meta rewrite_def function ifun_post
+
+ (* General specification builder for determinstic machine
+ instructions. *)
+ let ifunf (ghost pre:pre 'a) (code_f:code)
+ (ghost f:machine_state -> machine_state) : hl 'a
+ requires { forall c p. codeseq_at c p code_f ->
+ forall x ms. pre x p ms -> transition c ms (f ms) }
+ ensures { result.pre --> pre }
+ ensures { result.post --> ifun_post f }
+ ensures { result.code --> code_f }
+ = { pre = pre; code = code_f; post = ifun_post f }
+
+ (* Register based VM instructions *)
+
+ (* Iimm spec *)
+ function iimm_post (x:idr) (n:int) : post 'a =
+ fun _ p ms ms' -> forall s r m. ms = VMS p r s m -> ms' = VMS (p+1) (write r x n) s m
+ meta rewrite_def function iimm_post
+
+ function iimm_fun (x:idr) (n:int) : machine_state -> machine_state =
+ fun ms -> let (VMS p r s m) = ms in VMS (p+1) (write r x n) s m
+ meta rewrite_def function iimm_fun
+
+ let iimmf (x:idr) (n: int) : hl 'a
+ ensures { result.pre --> trivial_pre }
+ ensures { result.post --> iimm_post x n }
+ ensures { result.code.length --> 1 }
+ = hoare trivial_pre ($ ifunf trivial_pre (iimm x n) (iimm_fun x n)) (iimm_post x n)
+
+ (* Iload spec *)
+ function iload_post (x:idr) (n:id) : post 'a =
+ fun _ p ms ms' -> forall s r m. ms = VMS p r s m -> ms' = VMS (p+1) (write r x m[n]) s m
+ meta rewrite_def function iload_post
+
+ function iload_fun (x:idr) (n:id) : machine_state -> machine_state =
+ fun ms -> let (VMS p r s m) = ms in VMS (p+1) (write r x m[n]) s m
+ meta rewrite_def function iload_fun
+
+ let iloadf (x:idr) (n: id) : hl 'a
+ ensures { result.pre --> trivial_pre }
+ ensures { result.post --> iload_post x n }
+ ensures { result.code.length --> 1 }
+ = hoare trivial_pre ($ ifunf trivial_pre (iload x n) (iload_fun x n)) (iload_post x n)
+
+ (* Istore spec *)
+ function istore_post (x:idr) (n:id) : post 'a =
+ fun _ p ms ms' -> forall s r m. ms = VMS p r s m -> ms' = VMS (p+1) r s m[n <- read r x]
+ meta rewrite_def function istore_post
+
+ function istore_fun (x:idr) (n:id) : machine_state -> machine_state =
+ fun ms -> let (VMS p r s m) = ms in VMS (p+1) r s m[n <- read r x]
+ meta rewrite_def function istore_fun
+
+ let istoref (x:idr) (n: id) : hl 'a
+ ensures { result.pre --> trivial_pre }
+ ensures { result.post --> istore_post x n }
+ ensures { result.code.length --> 1 }
+ = hoare trivial_pre ($ ifunf trivial_pre (istore x n) (istore_fun x n)) (istore_post x n)
+
+ (* Ipush spec *)
+ function ipush_post (x:idr) : post 'a =
+ fun _ p ms ms' -> forall s r m. ms = VMS p r s m -> ms' = VMS (p + 1) r (push (read r x) s) m
+ meta rewrite_def function ipush_post
+
+ function ipush_fun (x:idr) : machine_state -> machine_state =
+ fun ms -> let (VMS p r s m) = ms in VMS (p + 1) r (push (read r x) s) m
+ meta rewrite_def function ipush_fun
+
+ let ipushf (x:idr) : hl 'a
+ ensures { result.pre --> trivial_pre }
+ ensures { result.post --> ipush_post x }
+ ensures { result.code.length --> 1 }
+ = hoare trivial_pre ($ ifunf trivial_pre (ipushr x) (ipush_fun x)) (ipush_post x)
+
+ (* Ipop spec *)
+ constant ipop_pre : pre 'a =
+ fun _ p ms -> exists n r s m. ms = VMS p r (push n s) m
+ meta rewrite_def function ipop_pre
+
+ function ipop_post (x:idr) : post 'a =
+ fun _ p ms ms' -> forall s r n m. ms = VMS p r (push n s) m-> ms' = VMS (p + 1) (write r x n) s m
+ meta rewrite_def function ipop_post
+
+ function ipop_fun (x:idr) : machine_state -> machine_state =
+ fun ms ->
+ match ms with
+ | VMS p r (Cons n s) m -> VMS (p + 1) (write r x n) s m
+ | _ -> ms (* fail *)
+ end
+ meta rewrite_def function ipop_fun
+
+ let ipopf (x:idr) : hl 'a
+ ensures { result.pre --> ipop_pre }
+ ensures { result.post --> ipop_post x }
+ ensures { result.code.length --> 1 }
+ = hoare ipop_pre ($ ifunf ipop_pre (ipopr x) (ipop_fun x)) (ipop_post x)
+
+ (* Iaddr spec *)
+ function iaddr_post (x1 x2 x3:idr) : post 'a =
+ fun _ p ms ms' -> forall s r m.
+ ms = VMS p r s m ->
+ ms' = VMS (p+1) (write r x3 (read r x1 + read r x2)) s m
+ meta rewrite_def function iaddr_post
+
+ function iaddr_fun (x1 x2 x3:idr) : machine_state -> machine_state =
+ fun ms ->
+ let (VMS p r s m) = ms in
+ VMS (p+1) (write r x3 (read r x1 + read r x2)) s m
+ meta rewrite_def function iaddr_fun
+
+ let iaddrf (x1 x2 x3: idr) : hl 'a
+ ensures { result.pre --> trivial_pre }
+ ensures { result.post --> iaddr_post x1 x2 x3}
+ ensures { result.code.length --> 1 }
+ =
+ let c = $ ifunf trivial_pre (iaddr x1 x2 x3) (iaddr_fun x1 x2 x3) in
+ hoare trivial_pre c (iaddr_post x1 x2 x3)
+
+ (* Iaddur spec *)
+ function iaddur_post (x1 x2 x3:idr) : post 'a =
+ fun _ p ms ms' -> forall s r m.
+ ms = VMS p r s m ->
+ ms' = VMS (p+1) (write r x3 (bv_add (read r x1) (read r x2))) s m
+ meta rewrite_def function iaddur_post
+
+ function iaddur_fun (x1 x2 x3:idr) : machine_state -> machine_state =
+ fun ms ->
+ let (VMS p r s m) = ms in
+ VMS (p+1) (write r x3 (bv_add (read r x1) (read r x2))) s m
+ meta rewrite_def function iaddur_fun
+
+ let iaddurf (x1 x2 x3: idr) : hl 'a
+ ensures { result.pre --> trivial_pre }
+ ensures { result.post --> iaddur_post x1 x2 x3}
+ ensures { result.code.length --> 1 }
+ =
+ let c = $ ifunf trivial_pre (iaddur x1 x2 x3) (iaddur_fun x1 x2 x3) in
+ hoare trivial_pre c (iaddur_post x1 x2 x3)
+
+ (* Isubr spec *)
+ function isubr_post (x1 x2 x3:idr) : post 'a =
+ fun _ p ms ms' -> forall s r m.
+ ms = VMS p r s m ->
+ ms' = VMS (p + 1) (write r x3 (read r x1 - read r x2)) s m
+ meta rewrite_def function isubr_post
+
+ function isubr_fun (x1 x2 x3:idr) : machine_state -> machine_state =
+ fun ms ->
+ let (VMS p r s m) = ms in
+ VMS (p + 1) (write r x3 (read r x1 - read r x2)) s m
+ meta rewrite_def function isubr_fun
+
+ let isubrf (x1 x2 x3: idr) : hl 'a
+ ensures { result.pre --> trivial_pre }
+ ensures { result.post --> isubr_post x1 x2 x3}
+ ensures { result.code.length --> 1 }
+ =
+ let c = $ ifunf trivial_pre (isubr x1 x2 x3) (isubr_fun x1 x2 x3) in
+ hoare trivial_pre c (isubr_post x1 x2 x3)
+
+ (* Ibeqr spec *)
+ function ibeqr_post (x1:idr) (x2:idr) (ofs:int): post 'a =
+ fun _ p ms ms' -> forall s r m.
+ ms = VMS p r s m ->
+ ms' = VMS (if read r x1 = read r x2 then p + 1 + ofs else p + 1) r s m
+ meta rewrite_def function ibeqr_post
+
+ function ibeqr_fun (x1:idr) (x2:idr) (ofs:int) : machine_state -> machine_state =
+ fun ms ->
+ let (VMS p r s m) = ms in
+ VMS (if read r x1 = read r x2 then p + 1 + ofs else p + 1) r s m
+ meta rewrite_def function ibeqr_fun
+
+ let ibeqrf (x1:idr) (x2: idr) (ofs:int) : hl 'a
+ ensures { result.pre --> trivial_pre }
+ ensures { result.post --> ibeqr_post x1 x2 ofs }
+ ensures { result.code.length --> 1 }
+ = hoare trivial_pre ($ ifunf trivial_pre (ibeqr x1 x2 ofs) (ibeqr_fun x1 x2 ofs)) (ibeqr_post x1 x2 ofs)
+
+ (* Ibner spec *)
+ function ibner_post (x1:idr) (x2:idr) (ofs:int): post 'a =
+ fun _ p ms ms' -> forall s r m.
+ ms = VMS p r s m ->
+ ms' = VMS (if read r x1 <> read r x2 then p + 1 + ofs else p + 1) r s m
+ meta rewrite_def function ibner_post
+
+ function ibner_fun (x1:idr) (x2:idr) (ofs:int) : machine_state -> machine_state =
+ fun ms ->
+ let (VMS p r s m) = ms in
+ VMS (if read r x1 <> read r x2 then p + 1 + ofs else p + 1) r s m
+ meta rewrite_def function ibner_fun
+
+ let ibnerf (x1:idr) (x2: idr) (ofs:int) : hl 'a
+ ensures { result.pre --> trivial_pre }
+ ensures { result.post --> ibner_post x1 x2 ofs }
+ ensures { result.code.length --> 1 }
+ = hoare trivial_pre ($ ifunf trivial_pre (ibner x1 x2 ofs) (ibner_fun x1 x2 ofs)) (ibner_post x1 x2 ofs)
+
+ (* Ibler spec *)
+ function ibler_post (x1:idr) (x2:idr) (ofs:int): post 'a =
+ fun _ p ms ms' -> forall s r m.
+ ms = VMS p r s m ->
+ ms' = VMS (if read r x1 <= read r x2 then p + 1 + ofs else p + 1) r s m
+ meta rewrite_def function ibler_post
+
+ function ibler_fun (x1:idr) (x2:idr) (ofs:int) : machine_state -> machine_state =
+ fun ms ->
+ let (VMS p r s m) = ms in
+ VMS (if read r x1 <= read r x2 then p + 1 + ofs else p + 1) r s m
+ meta rewrite_def function ibler_fun
+
+ let iblerf (x1:idr) (x2: idr) (ofs:int) : hl 'a
+ ensures { result.pre --> trivial_pre }
+ ensures { result.post --> ibler_post x1 x2 ofs }
+ ensures { result.code.length --> 1 }
+ = hoare trivial_pre ($ ifunf trivial_pre (ibler x1 x2 ofs) (ibler_fun x1 x2 ofs)) (ibler_post x1 x2 ofs)
+
+ (* Ibgtr spec *)
+ function ibgtr_post (x1:idr) (x2:idr) (ofs:int): post 'a =
+ fun _ p ms ms' -> forall s r m.
+ ms = VMS p r s m ->
+ ms' = VMS (if read r x1 <= read r x2 then p + 1 else p + 1 + ofs) r s m
+ meta rewrite_def function ibgtr_post
+
+ function ibgtr_fun (x1:idr) (x2:idr) (ofs:int) : machine_state -> machine_state =
+ fun ms ->
+ let (VMS p r s m) = ms in
+ VMS (if read r x1 <= read r x2 then p + 1 else p + 1 + ofs) r s m
+ meta rewrite_def function ibgtr_fun
+
+ let ibgtrf (x1:idr) (x2: idr) (ofs:int) : hl 'a
+ ensures { result.pre --> trivial_pre }
+ ensures { result.post --> ibgtr_post x1 x2 ofs }
+ ensures { result.code.length --> 1 }
+ = hoare trivial_pre ($ ifunf trivial_pre (ibgtr x1 x2 ofs) (ibgtr_fun x1 x2 ofs)) (ibgtr_post x1 x2 ofs)
+
+ (* original vm *)
+
+ (* Iconst spec *)
+ function iconst_post (n:int) : post 'a =
+ fun _ p ms ms' -> forall s r m. ms = VMS p r s m -> ms' = VMS (p+1) r (push n s) m
+ meta rewrite_def function iconst_post
+
+ function iconst_fun (n:int) : machine_state -> machine_state =
+ fun ms -> let (VMS p r s m) = ms in VMS (p+1) r (push n s) m
+ meta rewrite_def function iconst_fun
+
+ let iconstf (n: int) : hl 'a
+ ensures { result.pre --> trivial_pre }
+ ensures { result.post --> iconst_post n }
+ ensures { result.code.length --> 1 }
+ = hoare trivial_pre ($ ifunf trivial_pre n.iconst n.iconst_fun) n.iconst_post
+
+ (* Ivar spec *)
+ function ivar_post (x:id) : post 'a =
+ fun _ p ms ms' -> forall r s m. ms = VMS p r s m -> ms' = VMS (p+1) r (push m[x] s) m
+ meta rewrite_def function ivar_post
+
+ function ivar_fun (x:id) : machine_state -> machine_state =
+ fun ms -> let (VMS p r s m) = ms in VMS (p+1) r (push m[x] s) m
+ meta rewrite_def function ivar_fun
+
+ let ivarf (x: id) : hl 'a
+ ensures { result.pre --> trivial_pre }
+ ensures { result.post --> ivar_post x }
+ ensures { result.code.length --> 1 }
+ = hoare trivial_pre ($ ifunf trivial_pre x.ivar x.ivar_fun) x.ivar_post
+
+ (* Binary arithmetic operators specification (Iadd, Isub, Imul)
+ via a generic builder. *)
+ type binop = int -> int -> int
+
+ constant ibinop_pre : pre 'a =
+ fun _ p ms -> exists n1 n2 r s m. ms = VMS p r (push n2 (push n1 s)) m
+ meta rewrite_def function ibinop_pre
+
+ function ibinop_post (op : binop) : post 'a =
+ fun _ p ms ms' -> forall n1 n2 r s m. ms = VMS p r (push n2 (push n1 s)) m ->
+ ms' = VMS (p+1) r (push (op n1 n2) s) m
+ meta rewrite_def function ibinop_post
+
+ function ibinop_fun (op:binop) : machine_state -> machine_state =
+ fun ms -> match ms with
+ | VMS p r (Cons n2 (Cons n1 s)) m -> VMS (p+1) r (push (op n1 n2) s) m
+ | _ -> ms
+ end
+ meta rewrite_def function ibinop_fun
+
+ let create_binop (code_b:code) (ghost op:binop) : hl 'a
+ requires { forall c p.
+ codeseq_at c p code_b ->
+ forall n1 n2 r s m. transition c
+ (VMS p r (push n2 (push n1 s)) m)
+ (VMS (p+1) r (push (op n1 n2) s) m)
+ }
+ ensures { result.pre --> ibinop_pre }
+ ensures { result.post --> ibinop_post op }
+ ensures { result.code.length --> code_b.length }
+ = hoare ibinop_pre ($ ifunf ibinop_pre code_b op.ibinop_fun) op.ibinop_post
+
+ constant plus : binop = fun x y -> x + y
+ meta rewrite_def function plus
+
+ constant sub : binop = fun x y -> x - y
+ meta rewrite_def function sub
+
+ constant mul : binop = fun x y -> x * y
+ meta rewrite_def function mul
+
+ let iaddf () : hl 'a
+ ensures { result.pre --> ibinop_pre }
+ ensures { result.post --> ibinop_post plus }
+ ensures { result.code.length --> 1 }
+ = create_binop iadd plus
+
+ let iadduf () : hl 'a
+ ensures { result.pre --> ibinop_pre }
+ ensures { result.post --> ibinop_post bv_add }
+ ensures { result.code.length --> 1 }
+ = create_binop iaddu bv_add
+
+ let isubf () : hl 'a
+ ensures { result.pre --> ibinop_pre }
+ ensures { result.post --> ibinop_post sub }
+ ensures { result.code.length --> 1 }
+ = create_binop isub sub
+
+ (* Inil spec *)
+ function inil_post : post 'a =
+ fun _ _ ms ms' -> ms = ms'
+ meta rewrite_def function inil_post
+
+ let inil () : hl 'a
+ ensures { result.pre --> trivial_pre }
+ ensures { result.post --> inil_post }
+ ensures { result.code.length --> 0 }
+ = { pre = trivial_pre; code = Nil; post = inil_post }
+
+ (* Ibranch specification *)
+ function ibranch_post (ofs: ofs) : post 'a =
+ fun _ p ms ms' -> forall r s m. ms = VMS p r s m -> ms' = VMS (p + 1 + ofs) r s m
+ meta rewrite_def function ibranch_post
+
+ function ibranch_fun (ofs:ofs) : machine_state -> machine_state =
+ fun ms -> let (VMS p r s m) = ms in VMS (p+1+ofs) r s m
+ meta rewrite_def function ibranch_fun
+
+ let ibranchf (ofs:ofs) : hl 'a
+ ensures { result.pre --> trivial_pre }
+ ensures { result.post --> ibranch_post ofs }
+ ensures { result.code.length --> 1 }
+ = let cf = $ ifunf trivial_pre (ibranch ofs) (ibranch_fun ofs) in
+ hoare trivial_pre cf (ibranch_post ofs)
+
+ (* Conditional jump specification via a generic builder. *)
+ type cond = int -> int -> bool
+
+ function icjump_post (cond:cond) (ofs:ofs) : post 'a =
+ fun _ p ms ms' -> forall n1 n2 r s m. ms = VMS p r (push n2 (push n1 s)) m ->
+ (cond n1 n2 -> ms' = VMS (p + ofs + 1) r s m) /\
+ (not cond n1 n2 -> ms' = VMS (p+1) r s m)
+ meta rewrite_def function icjump_post
+
+ function icjump_fun (cond:cond) (ofs:ofs) : machine_state -> machine_state =
+ fun ms -> match ms with
+ | VMS p r (Cons n2 (Cons n1 s)) m ->
+ if cond n1 n2 then VMS (p+ofs+1) r s m else VMS (p+1) r s m
+ | _ -> ms
+ end
+ meta rewrite_def function icjump_fun
+
+ let create_cjump (code_cd:code) (ghost cond:cond) (ghost ofs:ofs) : hl 'a
+ requires { forall c p1 n1 n2 r s m. codeseq_at c p1 code_cd ->
+ let p2 = (if cond n1 n2 then p1 + ofs + 1 else p1 + 1) in
+ transition c (VMS p1 r (push n2 (push n1 s)) m) (VMS p2 r s m) }
+ ensures { result.pre --> ibinop_pre }
+ ensures { result.post --> icjump_post cond ofs }
+ ensures { result.code.length --> code_cd.length }
+ = let c = $ ifunf ibinop_pre code_cd (icjump_fun cond ofs) in
+ hoare ibinop_pre c (icjump_post cond ofs)
+
+ (* binary Boolean operators specification (Ibeq, Ibne, Ible, Ibgt) *)
+ constant beq : cond = fun x y -> x = y
+ meta rewrite_def function beq
+
+ constant bne : cond = fun x y -> x <> y
+ meta rewrite_def function bne
+
+ constant ble : cond = fun x y -> x <= y
+ meta rewrite_def function ble
+
+ constant bgt : cond = fun x y -> x > y
+ meta rewrite_def function bgt
+
+ let ibeqf (ofs:ofs) : hl 'a
+ ensures { result.pre --> ibinop_pre }
+ ensures { result.post --> icjump_post beq ofs }
+ ensures { result.code.length --> 1 }
+ = create_cjump (ibeq ofs) beq ofs
+
+ let ibnef (ofs:ofs) : hl 'a
+ ensures { result.pre --> ibinop_pre }
+ ensures { result.post --> icjump_post bne ofs }
+ ensures { result.code.length --> 1 }
+ = create_cjump (ibne ofs) bne ofs
+
+ let iblef (ofs:ofs) : hl 'a
+ ensures { result.pre --> ibinop_pre }
+ ensures { result.post --> icjump_post ble ofs }
+ ensures { result.code.length --> 1 }
+ = create_cjump (ible ofs) ble ofs
+
+ let ibgtf (ofs:ofs) : hl 'a
+ ensures { result.pre --> ibinop_pre }
+ ensures { result.post --> icjump_post bgt ofs }
+ ensures { result.code.length --> 1 }
+ = create_cjump (ibgt ofs) bgt ofs
+
+ (* Isetvar specification *)
+ constant isetvar_pre : pre 'a =
+ fun _ p ms -> exists n r s m. ms = VMS p r (push n s) m
+ meta rewrite_def function isetvar_pre
+
+ function isetvar_post (x:id) : post 'a =
+ fun _ p ms ms' -> forall r s n m.
+ ms = VMS p r (push n s) m -> ms' = VMS (p+1) r s m[x <- n]
+ meta rewrite_def function isetvar_post
+
+ function isetvar_fun (x:id) : machine_state -> machine_state =
+ fun ms -> match ms with
+ | VMS p r (Cons n s) m -> VMS (p+1) r s m[x <- n]
+ | _ -> ms
+ end
+ meta rewrite_def function isetvar_fun
+
+ let isetvarf (x: id) : hl 'a
+ ensures { result.pre --> isetvar_pre }
+ ensures { result.post --> isetvar_post x }
+ ensures { result.code.length --> 1 }
+ = let c = $ ifunf isetvar_pre (isetvar x) (isetvar_fun x) in
+ hoare isetvar_pre c (isetvar_post x)
+
+end
diff --git a/specs/why3session.xml b/specs/why3session.xml
new file mode 100644
index 0000000000000000000000000000000000000000..37ccff2f4f68db6f37b286d7889141ba2f126ea1
--- /dev/null
+++ b/specs/why3session.xml
@@ -0,0 +1,465 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE why3session PUBLIC "-//Why3//proof session v5//EN"
+"http://why3.lri.fr/why3session.dtd">
+<why3session shape_version="5">
+<prover id="0" name="Z3" version="4.7.1" alternative="counterexamples" timelimit="5" steplimit="0" memlimit="2000"/>
+<prover id="1" name="CVC4" version="1.6" alternative="counterexamples" timelimit="5" steplimit="0" memlimit="2000"/>
+<prover id="2" name="Eprover" version="2.1" timelimit="5" steplimit="0" memlimit="2000"/>
+<prover id="3" name="Alt-Ergo" version="2.0.0" timelimit="5" steplimit="0" memlimit="2000"/>
+<file name="../specs.mlw" proved="true">
+<theory name="VM_instr_spec" proved="true">
+ <goal name="VC ifunf" expl="VC for ifunf" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC ifunf.0" expl="precondition" proved="true">
+ <proof prover="2"><result status="valid" time="0.32"/></proof>
+ </goal>
+ <goal name="VC ifunf.1" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.06" steps="78"/></proof>
+ </goal>
+ <goal name="VC ifunf.2" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.07" steps="78"/></proof>
+ </goal>
+ <goal name="VC ifunf.3" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.06" steps="78"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC iimmf" expl="VC for iimmf" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC iimmf.0" expl="precondition" proved="true">
+ <proof prover="0"><result status="valid" time="1.13"/></proof>
+ </goal>
+ <goal name="VC iimmf.1" expl="precondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.10" steps="113"/></proof>
+ </goal>
+ <goal name="VC iimmf.2" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.10" steps="83"/></proof>
+ </goal>
+ <goal name="VC iimmf.3" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.07" steps="83"/></proof>
+ </goal>
+ <goal name="VC iimmf.4" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.14" steps="105"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC iloadf" expl="VC for iloadf" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC iloadf.0" expl="precondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.79"/></proof>
+ </goal>
+ <goal name="VC iloadf.1" expl="precondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.15" steps="113"/></proof>
+ </goal>
+ <goal name="VC iloadf.2" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.10" steps="83"/></proof>
+ </goal>
+ <goal name="VC iloadf.3" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.10" steps="83"/></proof>
+ </goal>
+ <goal name="VC iloadf.4" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.14" steps="105"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC istoref" expl="VC for istoref" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC istoref.0" expl="precondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.31"/></proof>
+ </goal>
+ <goal name="VC istoref.1" expl="precondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.16" steps="113"/></proof>
+ </goal>
+ <goal name="VC istoref.2" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.10" steps="83"/></proof>
+ </goal>
+ <goal name="VC istoref.3" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.10" steps="83"/></proof>
+ </goal>
+ <goal name="VC istoref.4" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.14" steps="105"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC ipushf" expl="VC for ipushf" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC ipushf.0" expl="precondition" proved="true">
+ <proof prover="1"><result status="valid" time="0.24"/></proof>
+ </goal>
+ <goal name="VC ipushf.1" expl="precondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.11" steps="113"/></proof>
+ </goal>
+ <goal name="VC ipushf.2" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.07" steps="83"/></proof>
+ </goal>
+ <goal name="VC ipushf.3" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.08" steps="83"/></proof>
+ </goal>
+ <goal name="VC ipushf.4" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.08" steps="105"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC ipopf" expl="VC for ipopf" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC ipopf.0" expl="precondition" proved="true">
+ <proof prover="1"><result status="valid" time="0.31"/></proof>
+ </goal>
+ <goal name="VC ipopf.1" expl="precondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.13" steps="155"/></proof>
+ </goal>
+ <goal name="VC ipopf.2" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.08" steps="83"/></proof>
+ </goal>
+ <goal name="VC ipopf.3" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.07" steps="83"/></proof>
+ </goal>
+ <goal name="VC ipopf.4" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.09" steps="105"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC iaddrf" expl="VC for iaddrf" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC iaddrf.0" expl="precondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.39"/></proof>
+ </goal>
+ <goal name="VC iaddrf.1" expl="precondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.16" steps="113"/></proof>
+ </goal>
+ <goal name="VC iaddrf.2" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.10" steps="83"/></proof>
+ </goal>
+ <goal name="VC iaddrf.3" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.11" steps="83"/></proof>
+ </goal>
+ <goal name="VC iaddrf.4" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.14" steps="105"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC isubrf" expl="VC for isubrf" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC isubrf.0" expl="precondition" proved="true">
+ <proof prover="2"><result status="valid" time="3.43"/></proof>
+ </goal>
+ <goal name="VC isubrf.1" expl="precondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.10" steps="113"/></proof>
+ </goal>
+ <goal name="VC isubrf.2" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.09" steps="83"/></proof>
+ </goal>
+ <goal name="VC isubrf.3" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.10" steps="83"/></proof>
+ </goal>
+ <goal name="VC isubrf.4" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.11" steps="105"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC ibeqrf" expl="VC for ibeqrf" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC ibeqrf.0" expl="precondition" proved="true">
+ <proof prover="1"><result status="valid" time="0.26"/></proof>
+ </goal>
+ <goal name="VC ibeqrf.1" expl="precondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.19" steps="154"/></proof>
+ </goal>
+ <goal name="VC ibeqrf.2" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.11" steps="83"/></proof>
+ </goal>
+ <goal name="VC ibeqrf.3" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.12" steps="83"/></proof>
+ </goal>
+ <goal name="VC ibeqrf.4" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.15" steps="105"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC ibnerf" expl="VC for ibnerf" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC ibnerf.0" expl="precondition" proved="true">
+ <proof prover="1"><result status="valid" time="0.26"/></proof>
+ </goal>
+ <goal name="VC ibnerf.1" expl="precondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.21" steps="154"/></proof>
+ </goal>
+ <goal name="VC ibnerf.2" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.12" steps="83"/></proof>
+ </goal>
+ <goal name="VC ibnerf.3" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.11" steps="83"/></proof>
+ </goal>
+ <goal name="VC ibnerf.4" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.15" steps="105"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC iblerf" expl="VC for iblerf" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC iblerf.0" expl="precondition" proved="true">
+ <proof prover="1"><result status="valid" time="0.27"/></proof>
+ </goal>
+ <goal name="VC iblerf.1" expl="precondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.22" steps="154"/></proof>
+ </goal>
+ <goal name="VC iblerf.2" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.12" steps="83"/></proof>
+ </goal>
+ <goal name="VC iblerf.3" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.09" steps="83"/></proof>
+ </goal>
+ <goal name="VC iblerf.4" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.16" steps="105"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC ibgtrf" expl="VC for ibgtrf" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC ibgtrf.0" expl="precondition" proved="true">
+ <proof prover="1"><result status="valid" time="0.28"/></proof>
+ </goal>
+ <goal name="VC ibgtrf.1" expl="precondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.21" steps="154"/></proof>
+ </goal>
+ <goal name="VC ibgtrf.2" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.13" steps="83"/></proof>
+ </goal>
+ <goal name="VC ibgtrf.3" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.12" steps="83"/></proof>
+ </goal>
+ <goal name="VC ibgtrf.4" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.16" steps="105"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC iconstf" expl="VC for iconstf" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC iconstf.0" expl="precondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.05"/></proof>
+ </goal>
+ <goal name="VC iconstf.1" expl="precondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.17" steps="113"/></proof>
+ </goal>
+ <goal name="VC iconstf.2" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.13" steps="83"/></proof>
+ </goal>
+ <goal name="VC iconstf.3" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.13" steps="83"/></proof>
+ </goal>
+ <goal name="VC iconstf.4" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.16" steps="105"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC ivarf" expl="VC for ivarf" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC ivarf.0" expl="precondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.07"/></proof>
+ </goal>
+ <goal name="VC ivarf.1" expl="precondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.15" steps="113"/></proof>
+ </goal>
+ <goal name="VC ivarf.2" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.11" steps="83"/></proof>
+ </goal>
+ <goal name="VC ivarf.3" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.11" steps="83"/></proof>
+ </goal>
+ <goal name="VC ivarf.4" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.16" steps="105"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC create_binop" expl="VC for create_binop" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC create_binop.0" expl="precondition" proved="true">
+ <proof prover="1"><result status="valid" time="0.91"/></proof>
+ </goal>
+ <goal name="VC create_binop.1" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC create_binop.1.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC create_binop.1.0.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC create_binop.1.0.0.0" expl="precondition" proved="true">
+ <proof prover="1"><result status="valid" time="0.52"/></proof>
+ <proof prover="3"><result status="valid" time="0.11" steps="127"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC create_binop.2" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.09" steps="83"/></proof>
+ </goal>
+ <goal name="VC create_binop.3" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.09" steps="83"/></proof>
+ </goal>
+ <goal name="VC create_binop.4" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.11" steps="83"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC iaddf" expl="VC for iaddf" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC iaddf.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC iaddf.0.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC iaddf.0.0.0" expl="precondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.05"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC iaddf.1" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.12" steps="78"/></proof>
+ </goal>
+ <goal name="VC iaddf.2" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.12" steps="78"/></proof>
+ </goal>
+ <goal name="VC iaddf.3" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.13" steps="79"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC iadduf" expl="VC for iadduf" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC iadduf.0" expl="precondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.08"/></proof>
+ </goal>
+ <goal name="VC iadduf.1" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.14" steps="78"/></proof>
+ </goal>
+ <goal name="VC iadduf.2" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.13" steps="78"/></proof>
+ </goal>
+ <goal name="VC iadduf.3" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.14" steps="79"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC isubf" expl="VC for isubf" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC isubf.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC isubf.0.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC isubf.0.0.0" expl="precondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.04"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC isubf.1" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.10" steps="78"/></proof>
+ </goal>
+ <goal name="VC isubf.2" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.12" steps="78"/></proof>
+ </goal>
+ <goal name="VC isubf.3" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.12" steps="79"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC imulf" expl="VC for imulf" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC imulf.0" expl="precondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.07"/></proof>
+ </goal>
+ <goal name="VC imulf.1" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.13" steps="78"/></proof>
+ </goal>
+ <goal name="VC imulf.2" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.08" steps="78"/></proof>
+ </goal>
+ <goal name="VC imulf.3" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.15" steps="79"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC inil" expl="VC for inil" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC inil.0" expl="precondition" proved="true">
+ <transf name="compute_specified" proved="true" >
+ <goal name="VC inil.0.0" expl="precondition" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="VC inil.0.0.0" expl="precondition" proved="true">
+ <proof prover="2"><result status="valid" time="0.47"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC inil.1" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.13" steps="78"/></proof>
+ </goal>
+ <goal name="VC inil.2" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.12" steps="78"/></proof>
+ </goal>
+ <goal name="VC inil.3" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.14" steps="80"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC ibranchf" expl="VC for ibranchf" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC ibranchf.0" expl="precondition" proved="true">
+ <proof prover="0"><result status="valid" time="0.05"/></proof>
+ </goal>
+ <goal name="VC ibranchf.1" expl="precondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.17" steps="113"/></proof>
+ </goal>
+ <goal name="VC ibranchf.2" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.12" steps="83"/></proof>
+ </goal>
+ <goal name="VC ibranchf.3" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.13" steps="83"/></proof>
+ </goal>
+ <goal name="VC ibranchf.4" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.17" steps="105"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="VC create_cjump" expl="VC for create_cjump" proved="true">
+ <proof prover="3" timelimit="10"><result status="valid" time="0.33" steps="478"/></proof>
+ </goal>
+ <goal name="VC ibeqf" expl="VC for ibeqf" proved="true">
+ <proof prover="0"><result status="valid" time="0.07"/></proof>
+ </goal>
+ <goal name="VC ibnef" expl="VC for ibnef" proved="true">
+ <proof prover="0"><result status="valid" time="0.08"/></proof>
+ </goal>
+ <goal name="VC iblef" expl="VC for iblef" proved="true">
+ <proof prover="0"><result status="valid" time="0.08"/></proof>
+ </goal>
+ <goal name="VC ibgtf" expl="VC for ibgtf" proved="true">
+ <proof prover="0"><result status="valid" time="0.08"/></proof>
+ </goal>
+ <goal name="VC isetvarf" expl="VC for isetvarf" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="VC isetvarf.0" expl="precondition" proved="true">
+ <proof prover="1"><result status="valid" time="0.34"/></proof>
+ </goal>
+ <goal name="VC isetvarf.1" expl="precondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.24" steps="176"/></proof>
+ </goal>
+ <goal name="VC isetvarf.2" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.13" steps="83"/></proof>
+ </goal>
+ <goal name="VC isetvarf.3" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.12" steps="83"/></proof>
+ </goal>
+ <goal name="VC isetvarf.4" expl="postcondition" proved="true">
+ <proof prover="3"><result status="valid" time="0.16" steps="105"/></proof>
+ </goal>
+ </transf>
+ </goal>
+</theory>
+</file>
+</why3session>
diff --git a/specs/why3shapes.gz b/specs/why3shapes.gz
new file mode 100644
index 0000000000000000000000000000000000000000..b4dbd45a390852ce7522c2e32b2da7010aee57d3
Binary files /dev/null and b/specs/why3shapes.gz differ
diff --git a/state.mlw b/state.mlw
new file mode 100644
index 0000000000000000000000000000000000000000..a65547711f8bfaa9ba5d0541b7d91f58d53f1207
--- /dev/null
+++ b/state.mlw
@@ -0,0 +1,45 @@
+
+module State
+
+ use int.Int
+
+ type id = Id int
+ type state = id -> int
+
+ let function get (f: state) (x: id) = f x
+
+ let function set (f: state) (x: id) (v: int) : state =
+ fun (y: id) ->
+ match (x, y) with
+ | (Id xv, Id yv) -> if xv = yv then v else (f y)
+ end
+ meta rewrite_def function set
+
+ let function ([]) f x = f x
+ let function ([<-]) f x v = set f x v
+
+ let function const (v: int) : state
+ ensures { forall x. result[x] = v }
+ = fun _ -> v
+
+end
+
+module Reg
+
+ use int.Int
+
+ type idr = int
+ type regs = idr -> int
+
+ let function read (f: regs) (x: idr) = f x
+
+ let function write (f: regs) (x: idr) (v: int) : regs =
+ fun (y: idr) -> if x = y then v else (f y)
+
+ meta rewrite_def function write
+
+ let function const (v: int) : regs
+ ensures { forall x. read result x = v }
+ = fun _ -> v
+
+end
\ No newline at end of file
diff --git a/state/why3session.xml b/state/why3session.xml
new file mode 100644
index 0000000000000000000000000000000000000000..ef343d7acc309ebf48b9b92a036193ce8f7bb95c
--- /dev/null
+++ b/state/why3session.xml
@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE why3session PUBLIC "-//Why3//proof session v5//EN"
+"http://why3.lri.fr/why3session.dtd">
+<why3session shape_version="5">
+<prover id="0" name="Alt-Ergo" version="2.0.0" timelimit="10" steplimit="0" memlimit="2000"/>
+<file name="../state.mlw" proved="true">
+<theory name="State" proved="true">
+ <goal name="VC get" expl="VC for get" proved="true">
+ <proof prover="0"><result status="valid" time="0.00" steps="1"/></proof>
+ </goal>
+ <goal name="VC set" expl="VC for set" proved="true">
+ <proof prover="0"><result status="valid" time="0.00" steps="1"/></proof>
+ </goal>
+ <goal name="VC mixfix []" expl="VC for mixfix []" proved="true">
+ <proof prover="0"><result status="valid" time="0.00" steps="1"/></proof>
+ </goal>
+ <goal name="VC mixfix [<-]" expl="VC for mixfix [<-]" proved="true">
+ <proof prover="0"><result status="valid" time="0.00" steps="1"/></proof>
+ </goal>
+ <goal name="VC const" expl="VC for const" proved="true">
+ <proof prover="0"><result status="valid" time="0.00" steps="2"/></proof>
+ </goal>
+</theory>
+<theory name="Reg" proved="true">
+ <goal name="VC read" expl="VC for read" proved="true">
+ <proof prover="0"><result status="valid" time="0.00" steps="1"/></proof>
+ </goal>
+ <goal name="VC write" expl="VC for write" proved="true">
+ <proof prover="0"><result status="valid" time="0.00" steps="1"/></proof>
+ </goal>
+ <goal name="VC const" expl="VC for const" proved="true">
+ <proof prover="0"><result status="valid" time="0.00" steps="2"/></proof>
+ </goal>
+</theory>
+</file>
+</why3session>
diff --git a/state/why3shapes.gz b/state/why3shapes.gz
new file mode 100644
index 0000000000000000000000000000000000000000..9385862b7ce325e4052d89cfc878cb53955eef3e
Binary files /dev/null and b/state/why3shapes.gz differ
diff --git a/vm.mlw b/vm.mlw
new file mode 100644
index 0000000000000000000000000000000000000000..d8c4e5b10271e7a281417ac3de1d3b4f12c3db43
--- /dev/null
+++ b/vm.mlw
@@ -0,0 +1,298 @@
+
+(* Utility module: reflexive transitive closure of a parameterized
+ relation. *)
+module ReflTransClosure
+
+ type parameter
+ type state
+ predicate transition parameter state state
+
+ inductive transition_star parameter (x y:state) =
+ | Refl: forall p x. transition_star p x x
+ | Step: forall p x y z.
+ transition p x y -> transition_star p y z -> transition_star p x z
+
+ lemma transition_star_one: forall p s1 s2.
+ transition p s1 s2 -> transition_star p s1 s2
+
+ lemma transition_star_transitive: forall p s1 s2 s3.
+ transition_star p s1 s2 -> transition_star p s2 s3 ->
+ transition_star p s1 s3
+
+end
+
+
+(*****************************************************************************)
+
+(* The machine operates on a code c (a fixed list of instructions)
+ and three variable components:
+ - a program counter, denoting a position in c
+ - a register file, containing integers
+ - an evaluation stack, containing integers
+ - a memory state, assigning integer values to variables
+*)
+
+theory Vm
+
+ use state.State
+ use state.Reg
+ use int.Int
+ use list.List
+ use list.Length
+ use list.Append
+ use int.EuclideanDivision
+ use bv_op.BV_OP
+
+ type pos = int (* code position *)
+ type stack = list int (* stack contains just integers *)
+
+ (* virtual machine configuration *)
+ type machine_state = VMS pos regs stack state
+
+
+ type ofs = int
+ (* The instruction set of the machine. *)
+ type instr =
+ (* new instructions, register based *)
+ | Iload idr id (* load register with variable *)
+ | Iimm idr int (* load register with value n *)
+ | Istore idr id (* store a register to variable *)
+ | Ipushr idr (* push register on stack *)
+ | Ipopr idr (* pop register from stack *)
+ | Iaddr idr idr idr (* add two registers, store result in third *)
+ | Iaddur idr idr idr (* add two registers, store result in third (wrapping) *)
+ | Isubr idr idr idr (* subtract two registers, store result in third *)
+ | Ibeqr idr idr ofs (* skip ofs forward if r1 = r2 *)
+ | Ibner idr idr ofs (* skip ofs forward if r1 <> r2 *)
+ | Ibler idr idr ofs (* skip ofs forward if r1 <= r2 *)
+ | Ibgtr idr idr ofs (* skip ofs forward if r1 > r2 *)
+
+ (* original/old instructions for stack machine *)
+ | Iconst int (* push n on stack *)
+ | Ivar id (* push the value of variable *)
+ | Isetvar id (* pop an integer, assign it to variable *)
+ | Ibranch ofs (* skip ofs instructions *)
+ | Iadd (* pop two values, push their sum *)
+ | Iaddu (* pop two values, push their sum (wrapping) *)
+ | Isub (* pop two values, push their difference *)
+ | Ibeq ofs (* pop n2, pop n1, skip ofs forward if n1 = n2 *)
+ | Ibne ofs (* pop n2, pop n1, skip ofs forward if n1 <> n2 *)
+ | Ible ofs (* pop n2, pop n1, skip ofs forward if n1 <= n2 *)
+ | Ibgt ofs (* pop n2, pop n1, skip ofs forward if n1 > n2 *)
+ | Ihalt (* end of program *)
+
+ type code = list instr
+
+ (* Read pointer to code *)
+ inductive codeseq_at code pos code =
+ | codeseq_at_intro : forall c1 c2 c3.
+ codeseq_at (c1 ++ c2 ++ c3) (length c1) c2
+
+ lemma codeseq_at_app_right: forall c c1 c2 p.
+ codeseq_at c p (c1 ++ c2) -> codeseq_at c (p + length c1) c2
+
+ lemma codeseq_at_app_left: forall c c1 c2 p.
+ codeseq_at c p (c1 ++ c2) -> codeseq_at c p c1
+
+ lemma list_app_eq_nil: forall c3 c11 c1 i i'.
+ length c11 = length c1 ->
+ (c11 ++ Cons i (Nil: list instr))
+ = ((c1 ++ Cons i' (Nil: list instr)) ++ c3) ->
+ c3 = Nil
+
+ lemma list_app_eq_left_cons:
+ forall c1 [@induction] c2, i1 i2:'a.
+ c1 ++ Cons i1 Nil = c2 ++ Cons i2 Nil ->
+ c1 = c2
+
+ lemma list_app_eq_last:
+ forall c1 [@induction] c2 i, i':'a. length c1 = length c2 ->
+ c1 ++ Cons i Nil = c2 ++ Cons i' Nil ->
+ i = i'
+
+ (* more general *)
+ lemma list_app_eq_left:
+ forall c1 [@induction] c2 d1 d2:list 'a. length c1 = length d1 ->
+ c1 ++ c2 = d1 ++ d2 ->
+ c1 = d1
+
+ lemma codeseq_at_right: forall c1 [@induction] i.
+ let c = c1 ++ (Cons i Nil) in
+ forall i'.
+ codeseq_at c (length c1) (Cons i' Nil) -> i' = i
+
+ let function push (n:int) (s:stack) : stack = Cons n s
+
+ (* new instructions *)
+ let function iimm (x:idr) (n:int) = Cons (Iimm x n) Nil
+ let function iload (x:idr) (n:id) = Cons (Iload x n) Nil
+ let function istore (x:idr) (n:id) = Cons (Istore x n) Nil
+ let function ipushr (x:idr) = Cons (Ipushr x) Nil
+ let function ipopr (x:idr) = Cons (Ipopr x) Nil
+ let function iaddr (x1 x2 x3:idr) = Cons (Iaddr x1 x2 x3) Nil
+ let function iaddur (x1 x2 x3:idr) = Cons (Iaddur x1 x2 x3) Nil
+ let function isubr (x1 x2 x3:idr) = Cons (Isubr x1 x2 x3) Nil
+ let function ibeqr (x1 x2:idr) (ofs:ofs) : code = Cons (Ibeqr x1 x2 ofs) Nil
+ let function ibner (x1 x2:idr) (ofs:ofs) : code = Cons (Ibner x1 x2 ofs) Nil
+ let function ibler (x1 x2:idr) (ofs:ofs) : code = Cons (Ibler x1 x2 ofs) Nil
+ let function ibgtr (x1 x2:idr) (ofs:ofs) : code = Cons (Ibgtr x1 x2 ofs) Nil
+
+ (* original instructions *)
+ let function iconst (n:int) : code = Cons (Iconst n) Nil
+ let function ivar (x:id) : code = Cons (Ivar x) Nil
+ let function isetvar (x:id) : code = Cons (Isetvar x) Nil
+ let constant iadd : code = Cons Iadd Nil
+ let constant iaddu : code = Cons Iaddu Nil
+ let constant isub : code = Cons Isub Nil
+ let function ibeq (ofs:ofs) : code = Cons (Ibeq ofs) Nil
+ let function ible (ofs:ofs) : code = Cons (Ible ofs) Nil
+ let function ibne (ofs:ofs) : code = Cons (Ibne ofs) Nil
+ let function ibgt (ofs:ofs) : code = Cons (Ibgt ofs) Nil
+ let function ibranch (ofs:ofs) : code = Cons (Ibranch ofs) Nil
+ let constant ihalt : code = Cons Ihalt Nil
+
+ (* The semantics of the virtual machine is given in small-step style,
+ as a transition relation between machine states: tupels
+ (program counter, evaluation stack, variable state, register state).
+
+ The transition relation is parameterized by the code c. There is one
+ transition rule for each kind of instruction, except Ihalt,
+ which has no transition. *)
+
+ inductive transition code machine_state machine_state =
+ (* new/added specifications *)
+ | trans_imm : forall c p x n. codeseq_at c p (iimm x n) ->
+ forall s m r. transition c
+ (VMS p r s m)
+ (VMS (p + 1) (write r x n) s m)
+
+ | trans_load : forall c p x n. codeseq_at c p (iload x n) ->
+ forall s m r. transition c
+ (VMS p r s m)
+ (VMS (p + 1) (write r x m[n]) s m)
+
+ | trans_store : forall c p x n. codeseq_at c p (istore x n) ->
+ forall s m r. transition c
+ (VMS p r s m)
+ (VMS (p + 1) r s m[n <- read r x])
+
+ | trans_pushr : forall c p x. codeseq_at c p (ipushr x) ->
+ forall s m r. transition c
+ (VMS p r s m)
+ (VMS (p + 1) r (push (read r x) s) m)
+
+ | trans_popr : forall c p x n. codeseq_at c p (ipopr x) ->
+ forall s m r. transition c
+ (VMS p r (push n s) m)
+ (VMS (p + 1) (write r x n) s m)
+
+ | trans_addr : forall c p x1 x2 x3. codeseq_at c p (iaddr x1 x2 x3) ->
+ forall s m r. transition c
+ (VMS p r s m)
+ (VMS (p + 1) (write r x3 (read r x1 + read r x2)) s m)
+
+ | trans_addur : forall c p x1 x2 x3. codeseq_at c p (iaddur x1 x2 x3) ->
+ forall s m r. transition c
+ (VMS p r s m)
+ (VMS (p + 1) (write r x3 (bv_add (read r x1) (read r x2))) s m)
+
+ | trans_subr : forall c p x1 x2 x3. codeseq_at c p (isubr x1 x2 x3) ->
+ forall s m r. transition c
+ (VMS p r s m)
+ (VMS (p + 1) (write r x3 (read r x1 - read r x2)) s m)
+
+ | trans_beqr: forall c p x1 x2 r ofs. codeseq_at c p (ibeqr x1 x2 ofs) ->
+ forall s m. transition c
+ (VMS p r s m)
+ (VMS (if read r x1 = read r x2 then p + 1 + ofs else p + 1) r s m)
+
+ | trans_bner: forall c p x1 x2 r ofs. codeseq_at c p (ibner x1 x2 ofs) ->
+ forall s m. transition c
+ (VMS p r s m)
+ (VMS (if read r x1 <> read r x2 then p + 1 + ofs else p + 1) r s m)
+
+ | trans_bler: forall c p r x1 x2 ofs. codeseq_at c p (ibler x1 x2 ofs) ->
+ forall s m. transition c
+ (VMS p r s m)
+ (VMS (if read r x1 <= read r x2 then p + 1 + ofs else p + 1) r s m)
+
+ | trans_bgtr: forall c p r x1 x2 ofs. codeseq_at c p (ibgtr x1 x2 ofs) ->
+ forall s m. transition c
+ (VMS p r s m)
+ (VMS (if read r x1 <= read r x2 then p + 1 else p + 1 + ofs) r s m)
+
+ (* original specifications *)
+ | trans_const : forall c p r n. codeseq_at c p (iconst n) ->
+ forall s m. transition c (VMS p r s m) (VMS (p + 1) r (push n s) m)
+
+ | trans_var : forall c p r x. codeseq_at c p (ivar x) ->
+ forall s m. transition c (VMS p r s m) (VMS (p + 1) r (push m[x] s) m)
+
+ | trans_set_var: forall c p r x. codeseq_at c p (isetvar x) ->
+ forall n s m. transition c (VMS p r (push n s) m) (VMS (p + 1) r s m[x<-n])
+
+ | trans_add : forall c p r. codeseq_at c p iadd ->
+ forall n1 n2 s m. transition c
+ (VMS p r (push n2 (push n1 s)) m)
+ (VMS (p + 1) r (push (n1 + n2) s) m)
+
+ | trans_addu : forall c p r. codeseq_at c p iaddu ->
+ forall n1 n2 s m. transition c
+ (VMS p r (push n2 (push n1 s)) m)
+ (VMS (p + 1) r (push (bv_add n1 n2) s) m)
+
+ | trans_sub : forall c p r. codeseq_at c p isub ->
+ forall n1 n2 s m. transition c
+ (VMS p r (push n2 (push n1 s)) m)
+ (VMS (p + 1) r (push (n1 - n2) s) m)
+
+ | trans_beq: forall c p1 r ofs. codeseq_at c p1 (ibeq ofs) ->
+ forall s m n1 n2. transition c
+ (VMS p1 r (push n2 (push n1 s)) m)
+ (VMS (if n1 = n2 then p1 + 1 + ofs else p1 + 1) r s m)
+
+ | trans_bne: forall c p1 r ofs. codeseq_at c p1 (ibne ofs) ->
+ forall s m n1 n2. transition c
+ (VMS p1 r (push n2 (push n1 s)) m)
+ (VMS (if n1 = n2 then p1 + 1 else p1 + 1 + ofs) r s m)
+
+ | trans_ble: forall c p1 r ofs. codeseq_at c p1 (ible ofs) ->
+ forall s m n1 n2. transition c
+ (VMS p1 r (push n2 (push n1 s)) m)
+ (VMS (if n1 <= n2 then p1 + 1 + ofs else p1 + 1) r s m)
+
+ | trans_bgt: forall c p1 r ofs. codeseq_at c p1 (ibgt ofs) ->
+ forall s m n1 n2. transition c
+ (VMS p1 r (push n2 (push n1 s)) m)
+ (VMS (if n1 <= n2 then p1 + 1 else p1 + 1 + ofs) r s m)
+
+ | trans_branch: forall c p r ofs. codeseq_at c p (ibranch ofs) ->
+ forall s m. transition c (VMS p r s m) (VMS (p + 1 + ofs) r s m)
+
+ (* As usual with small-step semantics, we form sequences of machine
+ transitions to define the behavior of a code. We always start with pc
+ = 0 and an empty evaluation stack. We stop successfully if pc points
+ to an Ihalt instruction and the evaluation stack is empty. *)
+
+ clone export ReflTransClosure with type parameter = code,
+ type state = machine_state, predicate transition = transition
+
+ predicate vm_terminates (c:code) (mi mf:state) =
+ exists p r. codeseq_at c p ihalt /\
+ transition_star c (VMS 0 r Nil mi) (VMS p r Nil mf)
+
+ predicate vm_terminates_reg (c:code) (mi mf:state) =
+ forall r.
+ exists p r'. codeseq_at c p ihalt /\
+ transition_star c (VMS 0 r Nil mi) (VMS p r' Nil mf)
+
+ lemma trans_deterministic_aux : forall c mi mf1. transition c mi mf1 ->
+ forall mf2. ([@inversion] transition c mi mf2) -> mf1 = mf2
+
+ lemma trans_deterministic : forall c mi mf1 mf2.
+ transition c mi mf1 -> transition c mi mf2 -> mf1 = mf2
+
+ lemma trans_deterministic_star : forall c mi mf1 mf2.
+ transition c mi mf1 -> transition c mi mf2 -> mf1 = mf2
+
+end(* Determinstic semantics *)
diff --git a/vm/why3session.xml b/vm/why3session.xml
new file mode 100644
index 0000000000000000000000000000000000000000..e938597962c6eb6c1c4244735eb9c5049e927958
--- /dev/null
+++ b/vm/why3session.xml
@@ -0,0 +1,336 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE why3session PUBLIC "-//Why3//proof session v5//EN"
+"http://why3.lri.fr/why3session.dtd">
+<why3session shape_version="4">
+<prover id="0" name="Alt-Ergo" version="1.30" timelimit="1" steplimit="0" memlimit="1000"/>
+<prover id="1" name="Eprover" version="1.8-001" timelimit="5" steplimit="0" memlimit="1000"/>
+<prover id="2" name="Alt-Ergo" version="2.0.0" timelimit="10" steplimit="0" memlimit="2000"/>
+<prover id="3" name="Z3" version="4.7.1" alternative="counterexamples" timelimit="10" steplimit="0" memlimit="1000"/>
+<prover id="4" name="CVC4" version="1.6" alternative="counterexamples" timelimit="10" steplimit="0" memlimit="1000"/>
+<prover id="6" name="Alt-Ergo" version="2.2.0" timelimit="10" steplimit="0" memlimit="1000"/>
+<file name="../vm.mlw" proved="true">
+<theory name="ReflTransClosure" proved="true">
+ <goal name="transition_star_one" proved="true">
+ <proof prover="1"><result status="valid" time="0.01"/></proof>
+ </goal>
+ <goal name="transition_star_transitive" proved="true">
+ <transf name="induction_pr" proved="true" >
+ <goal name="transition_star_transitive.0" proved="true">
+ <transf name="simplify_trivial_quantification_in_goal" proved="true" >
+ <goal name="transition_star_transitive.0.0" proved="true">
+ <proof prover="0"><result status="valid" time="0.00" steps="1"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="transition_star_transitive.1" proved="true">
+ <transf name="simplify_trivial_quantification_in_goal" proved="true" >
+ <goal name="transition_star_transitive.1.0" proved="true">
+ <proof prover="0"><result status="valid" time="0.00" steps="7"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+</theory>
+<theory name="Vm" proved="true">
+ <goal name="codeseq_at_app_right" proved="true">
+ <proof prover="2" timelimit="1" memlimit="1000"><result status="valid" time="0.01" steps="114"/></proof>
+ </goal>
+ <goal name="codeseq_at_app_left" proved="true">
+ <proof prover="2" timelimit="1" memlimit="1000"><result status="valid" time="0.03" steps="144"/></proof>
+ </goal>
+ <goal name="list_app_eq_nil" proved="true">
+ <proof prover="2"><result status="valid" time="0.04" steps="121"/></proof>
+ </goal>
+ <goal name="list_app_eq_left_cons" proved="true">
+ <transf name="induction_ty_lex" proved="true" >
+ <goal name="list_app_eq_left_cons.0" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="list_app_eq_left_cons.0.0" proved="true">
+ <proof prover="2" memlimit="1000"><result status="valid" time="0.07" steps="116"/></proof>
+ </goal>
+ <goal name="list_app_eq_left_cons.0.1" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="list_app_eq_left_cons.0.1.0" proved="true">
+ <transf name="subst_all" proved="true" >
+ <goal name="list_app_eq_left_cons.0.1.0.0" proved="true">
+ <proof prover="4"><result status="valid" time="0.12"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="list_app_eq_last" proved="true">
+ <transf name="induction_ty_lex" proved="true" >
+ <goal name="list_app_eq_last.0" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="list_app_eq_last.0.0" proved="true">
+ <proof prover="6"><result status="valid" time="0.08" steps="407"/></proof>
+ </goal>
+ <goal name="list_app_eq_last.0.1" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="list_app_eq_last.0.1.0" proved="true">
+ <transf name="subst_all" proved="true" >
+ <goal name="list_app_eq_last.0.1.0.0" proved="true">
+ <proof prover="2"><result status="valid" time="0.05" steps="145"/></proof>
+ <transf name="cut" proved="true" arg1="(c2 = Cons x1 x)">
+ <goal name="list_app_eq_last.0.1.0.0.0" proved="true">
+ <proof prover="6"><result status="valid" time="0.08" steps="413"/></proof>
+ </goal>
+ <goal name="list_app_eq_last.0.1.0.0.1" proved="true">
+ <proof prover="3"><result status="valid" time="0.02"/></proof>
+ <proof prover="4"><result status="valid" time="0.05"/></proof>
+ <proof prover="6"><result status="valid" time="0.03" steps="154"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="list_app_eq_left" proved="true">
+ <transf name="induction_ty_lex" proved="true" >
+ <goal name="list_app_eq_left.0" proved="true">
+ <transf name="split_goal_right" proved="true" >
+ <goal name="list_app_eq_left.0.0" proved="true">
+ <proof prover="2" memlimit="1000"><result status="valid" time="0.06" steps="98"/></proof>
+ </goal>
+ <goal name="list_app_eq_left.0.1" proved="true">
+ <transf name="introduce_premises" proved="true" >
+ <goal name="list_app_eq_left.0.1.0" proved="true">
+ <transf name="subst_all" proved="true" >
+ <goal name="list_app_eq_left.0.1.0.0" proved="true">
+ <proof prover="4" memlimit="2000"><result status="valid" time="0.32"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="codeseq_at_right" proved="true">
+ <proof prover="2"><result status="valid" time="0.05" steps="123"/></proof>
+ </goal>
+ <goal name="VC push" expl="VC for push" proved="true">
+ <proof prover="2"><result status="valid" time="0.01" steps="75"/></proof>
+ </goal>
+ <goal name="VC iimm" expl="VC for iimm" proved="true">
+ <proof prover="2"><result status="valid" time="0.03" steps="75"/></proof>
+ </goal>
+ <goal name="VC iload" expl="VC for iload" proved="true">
+ <proof prover="2"><result status="valid" time="0.03" steps="75"/></proof>
+ </goal>
+ <goal name="VC istore" expl="VC for istore" proved="true">
+ <proof prover="2"><result status="valid" time="0.03" steps="75"/></proof>
+ </goal>
+ <goal name="VC iaddr" expl="VC for iaddr" proved="true">
+ <proof prover="2"><result status="valid" time="0.02" steps="75"/></proof>
+ </goal>
+ <goal name="VC isubr" expl="VC for isubr" proved="true">
+ <proof prover="2"><result status="valid" time="0.03" steps="75"/></proof>
+ </goal>
+ <goal name="VC ibeqr" expl="VC for ibeqr" proved="true">
+ <proof prover="2"><result status="valid" time="0.03" steps="75"/></proof>
+ </goal>
+ <goal name="VC ibner" expl="VC for ibner" proved="true">
+ <proof prover="2"><result status="valid" time="0.03" steps="75"/></proof>
+ </goal>
+ <goal name="VC ibler" expl="VC for ibler" proved="true">
+ <proof prover="2"><result status="valid" time="0.03" steps="75"/></proof>
+ </goal>
+ <goal name="VC ibgtr" expl="VC for ibgtr" proved="true">
+ <proof prover="2"><result status="valid" time="0.03" steps="75"/></proof>
+ </goal>
+ <goal name="VC iconst" expl="VC for iconst" proved="true">
+ <proof prover="2"><result status="valid" time="0.01" steps="75"/></proof>
+ </goal>
+ <goal name="VC ivar" expl="VC for ivar" proved="true">
+ <proof prover="2"><result status="valid" time="0.01" steps="75"/></proof>
+ </goal>
+ <goal name="VC isetvar" expl="VC for isetvar" proved="true">
+ <proof prover="2"><result status="valid" time="0.01" steps="75"/></proof>
+ </goal>
+ <goal name="VC iadd" expl="VC for iadd" proved="true">
+ <proof prover="2"><result status="valid" time="0.01" steps="75"/></proof>
+ </goal>
+ <goal name="VC iaddu" expl="VC for iaddu" proved="true">
+ <proof prover="2"><result status="valid" time="0.03" steps="75"/></proof>
+ </goal>
+ <goal name="VC isub" expl="VC for isub" proved="true">
+ <proof prover="2"><result status="valid" time="0.01" steps="75"/></proof>
+ </goal>
+ <goal name="VC imul" expl="VC for imul" proved="true">
+ <proof prover="2"><result status="valid" time="0.01" steps="75"/></proof>
+ </goal>
+ <goal name="VC ibeq" expl="VC for ibeq" proved="true">
+ <proof prover="2"><result status="valid" time="0.01" steps="75"/></proof>
+ </goal>
+ <goal name="VC ible" expl="VC for ible" proved="true">
+ <proof prover="2"><result status="valid" time="0.00" steps="75"/></proof>
+ </goal>
+ <goal name="VC ibne" expl="VC for ibne" proved="true">
+ <proof prover="2"><result status="valid" time="0.01" steps="75"/></proof>
+ </goal>
+ <goal name="VC ibgt" expl="VC for ibgt" proved="true">
+ <proof prover="2"><result status="valid" time="0.01" steps="75"/></proof>
+ </goal>
+ <goal name="VC ibranch" expl="VC for ibranch" proved="true">
+ <proof prover="2"><result status="valid" time="0.01" steps="75"/></proof>
+ </goal>
+ <goal name="VC ihalt" expl="VC for ihalt" proved="true">
+ <proof prover="2"><result status="valid" time="0.01" steps="75"/></proof>
+ </goal>
+ <goal name="g" proved="true">
+ <proof prover="2"><result status="valid" time="0.64" steps="2212"/></proof>
+ <transf name="inversion_pr" proved="true" >
+ <goal name="g.0" proved="true">
+ <proof prover="2"><result status="valid" time="0.08" steps="130"/></proof>
+ </goal>
+ <goal name="g.1" proved="true">
+ <proof prover="2"><result status="valid" time="0.07" steps="130"/></proof>
+ </goal>
+ <goal name="g.2" proved="true">
+ <proof prover="2"><result status="valid" time="0.07" steps="130"/></proof>
+ </goal>
+ <goal name="g.3" proved="true">
+ <proof prover="2"><result status="valid" time="0.08" steps="130"/></proof>
+ </goal>
+ <goal name="g.4" proved="true">
+ <proof prover="2"><result status="valid" time="0.10" steps="130"/></proof>
+ </goal>
+ <goal name="g.5" proved="true">
+ <proof prover="2"><result status="valid" time="0.10" steps="132"/></proof>
+ </goal>
+ <goal name="g.6" proved="true">
+ <proof prover="2"><result status="valid" time="0.08" steps="132"/></proof>
+ </goal>
+ <goal name="g.7" proved="true">
+ <proof prover="2"><result status="valid" time="0.10" steps="132"/></proof>
+ </goal>
+ <goal name="g.8" proved="true">
+ <proof prover="2"><result status="valid" time="0.10" steps="132"/></proof>
+ </goal>
+ <goal name="g.9" proved="true">
+ <proof prover="2"><result status="valid" time="0.10" steps="134"/></proof>
+ </goal>
+ <goal name="g.10" proved="true">
+ <proof prover="2"><result status="valid" time="0.07" steps="134"/></proof>
+ </goal>
+ <goal name="g.11" proved="true">
+ <proof prover="2"><result status="valid" time="0.07" steps="134"/></proof>
+ </goal>
+ <goal name="g.12" proved="true">
+ <proof prover="2"><result status="valid" time="0.08" steps="144"/></proof>
+ </goal>
+ <goal name="g.13" proved="true">
+ <proof prover="2"><result status="valid" time="0.07" steps="145"/></proof>
+ </goal>
+ <goal name="g.14" proved="true">
+ <proof prover="2"><result status="valid" time="0.11" steps="144"/></proof>
+ </goal>
+ <goal name="g.15" proved="true">
+ <proof prover="2"><result status="valid" time="0.13" steps="144"/></proof>
+ </goal>
+ <goal name="g.16" proved="true">
+ <proof prover="2"><result status="valid" time="0.08" steps="143"/></proof>
+ </goal>
+ <goal name="g.17" proved="true">
+ <proof prover="2"><result status="valid" time="0.09" steps="143"/></proof>
+ </goal>
+ <goal name="g.18" proved="true">
+ <proof prover="2"><result status="valid" time="0.10" steps="140"/></proof>
+ </goal>
+ <goal name="g.19" proved="true">
+ <proof prover="2"><result status="valid" time="0.07" steps="140"/></proof>
+ </goal>
+ <goal name="g.20" proved="true">
+ <proof prover="2"><result status="valid" time="0.06" steps="128"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="trans_deterministic_aux" proved="true">
+ <transf name="inversion_pr" proved="true" >
+ <goal name="trans_deterministic_aux.0" proved="true">
+ <proof prover="2"><result status="valid" time="1.22" steps="2215"/></proof>
+ </goal>
+ <goal name="trans_deterministic_aux.1" proved="true">
+ <proof prover="2"><result status="valid" time="1.26" steps="2215"/></proof>
+ </goal>
+ <goal name="trans_deterministic_aux.2" proved="true">
+ <proof prover="2"><result status="valid" time="1.27" steps="2216"/></proof>
+ </goal>
+ <goal name="trans_deterministic_aux.3" proved="true">
+ <proof prover="2"><result status="valid" time="1.23" steps="2215"/></proof>
+ </goal>
+ <goal name="trans_deterministic_aux.4" proved="true">
+ <proof prover="2"><result status="valid" time="1.32" steps="2215"/></proof>
+ </goal>
+ <goal name="trans_deterministic_aux.5" proved="true">
+ <proof prover="2"><result status="valid" time="1.18" steps="2558"/></proof>
+ </goal>
+ <goal name="trans_deterministic_aux.6" proved="true">
+ <proof prover="2"><result status="valid" time="1.49" steps="2558"/></proof>
+ </goal>
+ <goal name="trans_deterministic_aux.7" proved="true">
+ <proof prover="2"><result status="valid" time="1.38" steps="2558"/></proof>
+ </goal>
+ <goal name="trans_deterministic_aux.8" proved="true">
+ <proof prover="2"><result status="valid" time="1.73" steps="2589"/></proof>
+ </goal>
+ <goal name="trans_deterministic_aux.9" proved="true">
+ <proof prover="2"><result status="valid" time="0.93" steps="2353"/></proof>
+ </goal>
+ <goal name="trans_deterministic_aux.10" proved="true">
+ <proof prover="2"><result status="valid" time="1.32" steps="2353"/></proof>
+ </goal>
+ <goal name="trans_deterministic_aux.11" proved="true">
+ <proof prover="2"><result status="valid" time="1.30" steps="2365"/></proof>
+ </goal>
+ <goal name="trans_deterministic_aux.12" proved="true">
+ <proof prover="2"><result status="valid" time="1.15" steps="1939"/></proof>
+ </goal>
+ <goal name="trans_deterministic_aux.13" proved="true">
+ <proof prover="2"><result status="valid" time="1.08" steps="2409"/></proof>
+ </goal>
+ <goal name="trans_deterministic_aux.14" proved="true">
+ <proof prover="2"><result status="valid" time="1.02" steps="1951"/></proof>
+ </goal>
+ <goal name="trans_deterministic_aux.15" proved="true">
+ <proof prover="2"><result status="valid" time="1.79" steps="1939"/></proof>
+ </goal>
+ <goal name="trans_deterministic_aux.16" proved="true">
+ <proof prover="2"><result status="valid" time="1.54" steps="2817"/></proof>
+ </goal>
+ <goal name="trans_deterministic_aux.17" proved="true">
+ <proof prover="2"><result status="valid" time="1.52" steps="2865"/></proof>
+ </goal>
+ <goal name="trans_deterministic_aux.18" proved="true">
+ <proof prover="2"><result status="valid" time="1.18" steps="2676"/></proof>
+ </goal>
+ <goal name="trans_deterministic_aux.19" proved="true">
+ <proof prover="2"><result status="valid" time="1.48" steps="2697"/></proof>
+ </goal>
+ <goal name="trans_deterministic_aux.20" proved="true">
+ <proof prover="2"><result status="valid" time="0.90" steps="2163"/></proof>
+ </goal>
+ </transf>
+ </goal>
+ <goal name="trans_deterministic" proved="true">
+ <proof prover="2"><result status="valid" time="0.07" steps="101"/></proof>
+ </goal>
+ <goal name="trans_deterministic_star" proved="true">
+ <proof prover="2"><result status="valid" time="0.06" steps="93"/></proof>
+ </goal>
+</theory>
+</file>
+</why3session>
diff --git a/vm/why3shapes.gz b/vm/why3shapes.gz
new file mode 100644
index 0000000000000000000000000000000000000000..be97a25c828fa3e2dcd96df3f98f9fad508359f1
Binary files /dev/null and b/vm/why3shapes.gz differ