do not take resource limits from more than one source

[why3.git] / bench / encoding / why2 / caduceus / pi_again_why.why

logic eq_unit : unit, unit -> prop

logic neq_unit : unit, unit -> prop

logic eq_bool : bool, bool -> prop

logic neq_bool : bool, bool -> prop

logic lt_int : int, int -> prop

logic le_int : int, int -> prop

logic gt_int : int, int -> prop

logic ge_int : int, int -> prop

logic eq_int : int, int -> prop

logic neq_int : int, int -> prop

logic add_int : int, int -> int

logic sub_int : int, int -> int

logic mul_int : int, int -> int

logic div_int : int, int -> int

logic mod_int : int, int -> int

logic neg_int : int -> int

predicate zwf_zero(a: int, b: int) = ((0 <= b) and (a < b))

logic lt_real : real, real -> prop

logic le_real : real, real -> prop

logic gt_real : real, real -> prop

logic ge_real : real, real -> prop

logic eq_real : real, real -> prop

logic neq_real : real, real -> prop

logic add_real : real, real -> real

logic sub_real : real, real -> real

logic mul_real : real, real -> real

logic div_real : real, real -> real

logic neg_real : real -> real

logic real_of_int : int -> real

logic int_of_real : real -> int

logic lt_real_bool : real, real -> bool

logic le_real_bool : real, real -> bool

logic gt_real_bool : real, real -> bool

logic ge_real_bool : real, real -> bool

logic eq_real_bool : real, real -> bool

logic neq_real_bool : real, real -> bool

axiom lt_real_bool_axiom:
  (forall x:real. (forall y:real. ((lt_real_bool(x, y) = true) <-> (x < y))))

axiom le_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((le_real_bool(x, y) = true) <-> (x <= y))))

axiom gt_real_bool_axiom:
  (forall x:real. (forall y:real. ((gt_real_bool(x, y) = true) <-> (x > y))))

axiom ge_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((ge_real_bool(x, y) = true) <-> (x >= y))))

axiom eq_real_bool_axiom:
  (forall x:real. (forall y:real. ((eq_real_bool(x, y) = true) <-> (x = y))))

axiom neq_real_bool_axiom:
  (forall x:real.
    (forall y:real. ((neq_real_bool(x, y) = true) <-> (x <> y))))

logic real_max : real, real -> real

logic real_min : real, real -> real

axiom real_max_is_ge:
  (forall x:real.
    (forall y:real. ((real_max(x, y) >= x) and (real_max(x, y) >= y))))

axiom real_max_is_some:
  (forall x:real.
    (forall y:real. ((real_max(x, y) = x) or (real_max(x, y) = y))))

axiom real_min_is_le:
  (forall x:real.
    (forall y:real. ((real_min(x, y) <= x) and (real_min(x, y) <= y))))

axiom real_min_is_some:
  (forall x:real.
    (forall y:real. ((real_min(x, y) = x) or (real_min(x, y) = y))))

logic sqrt_real : real -> real

logic pow_real : real, real -> real

logic abs_real : real -> real

axiom abs_real_pos:
  (forall x:real [abs_real(x)]. ((x >= 0.0) -> (abs_real(x) = x)))

axiom abs_real_neg:
  (forall x:real [abs_real(x)]. ((x <= 0.0) -> (abs_real(x) = (-x))))

logic exp : real -> real

logic log : real -> real

logic log10 : real -> real

axiom log_exp: (forall x:real. (log(exp(x)) = x))

logic cos : real -> real

logic sin : real -> real

logic tan : real -> real

logic cosh : real -> real

logic sinh : real -> real

logic tanh : real -> real

logic acos : real -> real

logic asin : real -> real

logic atan : real -> real

logic atan2 : real, real -> real

logic hypot : real, real -> real

axiom prod_pos:
  (forall x:real.
    (forall y:real.
      ((((x > 0.0) and (y > 0.0)) -> ((x * y) > 0.0)) and
       (((x < 0.0) and (y < 0.0)) -> ((x * y) > 0.0)))))

axiom abs_minus: (forall x:real. (abs_real((-x)) = abs_real(x)))

type mode

logic nearest_even : mode

logic to_zero : mode

logic up : mode

logic down : mode

logic nearest_away : mode

type single

logic add_single : mode, single, single -> single

logic sub_single : mode, single, single -> single

logic mul_single : mode, single, single -> single

logic div_single : mode, single, single -> single

logic neg_single : mode, single -> single

logic abs_single : mode, single -> single

logic sqrt_single : mode, single -> single

logic s_to_r : single -> real

logic s_to_exact : single -> real

logic s_to_model : single -> real

logic r_to_s : mode, real -> single

logic single_round_error : single -> real

logic single_total_error : single -> real

logic single_set_model : single, real -> single

logic max_single : real

type double

logic add_double : mode, double, double -> double

logic sub_double : mode, double, double -> double

logic mul_double : mode, double, double -> double

logic div_double : mode, double, double -> double

logic neg_double : mode, double -> double

logic abs_double : mode, double -> double

logic sqrt_double : mode, double -> double

logic d_to_r : double -> real

logic d_to_exact : double -> real

logic d_to_model : double -> real

logic r_to_d : mode, real -> double

logic double_round_error : double -> real

logic double_total_error : double -> real

logic double_set_model : double, real -> double

predicate eq_double(x: double, y: double) = (d_to_r(x) = d_to_r(y))

predicate neq_double(x: double, y: double) = (d_to_r(x) <> d_to_r(y))

predicate lt_double(x: double, y: double) = (d_to_r(x) < d_to_r(y))

predicate gt_double(x: double, y: double) = (d_to_r(x) > d_to_r(y))

predicate le_double(x: double, y: double) = (d_to_r(x) <= d_to_r(y))

predicate ge_double(x: double, y: double) = (d_to_r(x) >= d_to_r(y))

logic max_double : real

logic lt_double_bool : double, double -> bool

logic le_double_bool : double, double -> bool

logic gt_double_bool : double, double -> bool

logic ge_double_bool : double, double -> bool

logic eq_double_bool : double, double -> bool

logic neq_double_bool : double, double -> bool

axiom lt_double_bool_axiom:
  (forall x:double.
    (forall y:double.
      ((lt_double_bool(x, y) = true) <-> (d_to_r(x) < d_to_r(y)))))

axiom le_double_bool_axiom:
  (forall x:double.
    (forall y:double.
      ((le_double_bool(x, y) = true) <-> (d_to_r(x) <= d_to_r(y)))))

axiom gt_double_bool_axiom:
  (forall x:double.
    (forall y:double.
      ((gt_double_bool(x, y) = true) <-> (d_to_r(x) > d_to_r(y)))))

axiom ge_double_bool_axiom:
  (forall x:double.
    (forall y:double.
      ((ge_double_bool(x, y) = true) <-> (d_to_r(x) >= d_to_r(y)))))

axiom eq_double_bool_axiom:
  (forall x:double.
    (forall y:double.
      ((eq_double_bool(x, y) = true) <-> (d_to_r(x) = d_to_r(y)))))

axiom neq_double_bool_axiom:
  (forall x:double.
    (forall y:double.
      ((neq_double_bool(x, y) = true) <-> (d_to_r(x) <> d_to_r(y)))))

type quad

logic add_quad : mode, quad, quad -> quad

logic sub_quad : mode, quad, quad -> quad

logic mul_quad : mode, quad, quad -> quad

logic div_quad : mode, quad, quad -> quad

logic neg_quad : mode, quad -> quad

logic abs_quad : mode, quad -> quad

logic sqrt_quad : mode, quad -> quad

logic q_to_r : quad -> real

logic q_to_exact : quad -> real

logic q_to_model : quad -> real

logic r_to_q : mode, real -> quad

logic quad_round_error : quad -> real

logic quad_total_error : quad -> real

logic quad_set_model : quad, real -> quad

logic max_quad : real

logic double_of_single : single -> double

logic single_of_double : mode, double -> single

logic quad_of_single : single -> quad

logic single_of_quad : mode, quad -> single

logic quad_of_double : double -> quad

logic double_of_quad : mode, quad -> double

logic bw_compl : int -> int

logic bw_and : int, int -> int

logic bw_xor : int, int -> int

logic bw_or : int, int -> int

logic lsl : int, int -> int

logic lsr : int, int -> int

type 'z pointer

type 'z addr

type alloc_table

logic block_length : alloc_table, 'a1 pointer -> int

logic base_addr : 'a1 pointer -> 'a1 addr

logic offset : 'a1 pointer -> int

logic shift : 'a1 pointer, int -> 'a1 pointer

logic sub_pointer : 'a1 pointer, 'a1 pointer -> int

predicate lt_pointer(p1: 'a1 pointer, p2: 'a1 pointer) =
  ((base_addr(p1) = base_addr(p2)) and (offset(p1) < offset(p2)))

predicate le_pointer(p1: 'a1 pointer, p2: 'a1 pointer) =
  ((base_addr(p1) = base_addr(p2)) and (offset(p1) <= offset(p2)))

predicate gt_pointer(p1: 'a1 pointer, p2: 'a1 pointer) =
  ((base_addr(p1) = base_addr(p2)) and (offset(p1) > offset(p2)))

predicate ge_pointer(p1: 'a1 pointer, p2: 'a1 pointer) =
  ((base_addr(p1) = base_addr(p2)) and (offset(p1) >= offset(p2)))

predicate valid(a: alloc_table, p: 'a1 pointer) =
  ((0 <= offset(p)) and (offset(p) < block_length(a, p)))

predicate valid_index(a: alloc_table, p: 'a1 pointer, i: int) =
  ((0 <= (offset(p) + i)) and ((offset(p) + i) < block_length(a, p)))

predicate valid_range(a: alloc_table, p: 'a1 pointer, i: int, j: int) =
  ((0 <= (offset(p) + i)) and ((offset(p) + j) < block_length(a, p)))

axiom offset_shift:
  (forall p:'a1 pointer.
    (forall i:int [offset(shift(p, i))]. (offset(shift(p,
      i)) = (offset(p) + i))))

axiom shift_zero: (forall p:'a1 pointer [shift(p, 0)]. (shift(p, 0) = p))

axiom shift_shift:
  (forall p:'a1 pointer.
    (forall i:int.
      (forall j:int [shift(shift(p, i), j)]. (shift(shift(p, i),
        j) = shift(p, (i + j))))))

axiom base_addr_shift:
  (forall p:'a1 pointer.
    (forall i:int [base_addr(shift(p, i))]. (base_addr(shift(p,
      i)) = base_addr(p))))

axiom block_length_shift:
  (forall a:alloc_table.
    (forall p:'a1 pointer.
      (forall i:int [block_length(a, shift(p, i))]. (block_length(a, shift(p,
        i)) = block_length(a, p)))))

axiom base_addr_block_length:
  (forall a:alloc_table.
    (forall p1:'a1 pointer.
      (forall p2:'a1 pointer.
        ((base_addr(p1) = base_addr(p2)) -> (block_length(a,
         p1) = block_length(a, p2))))))

axiom pointer_pair_1:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      (((base_addr(p1) = base_addr(p2)) and (offset(p1) = offset(p2))) ->
       (p1 = p2))))

axiom pointer_pair_2:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((p1 = p2) ->
       ((base_addr(p1) = base_addr(p2)) and (offset(p1) = offset(p2))))))

axiom neq_base_addr_neq_shift:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      (forall i:int.
        (forall j:int.
          ((base_addr(p1) <> base_addr(p2)) -> (shift(p1, i) <> shift(p2, j)))))))

axiom neq_offset_neq_shift:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      (forall i:int.
        (forall j:int.
          (((offset(p1) + i) <> (offset(p2) + j)) -> (shift(p1,
           i) <> shift(p2, j)))))))

axiom eq_offset_eq_shift:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      (forall i:int.
        (forall j:int.
          ((base_addr(p1) = base_addr(p2)) ->
           (((offset(p1) + i) = (offset(p2) + j)) -> (shift(p1,
            i) = shift(p2, j))))))))

axiom valid_index_valid_shift:
  (forall a:alloc_table.
    (forall p:'a1 pointer.
      (forall i:int. (valid_index(a, p, i) -> valid(a, shift(p, i))))))

axiom valid_range_valid_shift:
  (forall a:alloc_table.
    (forall p:'a1 pointer.
      (forall i:int.
        (forall j:int.
          (forall k:int.
            (valid_range(a, p, i, j) ->
             (((i <= k) and (k <= j)) -> valid(a, shift(p, k)))))))))

axiom valid_range_valid:
  (forall a:alloc_table.
    (forall p:'a1 pointer.
      (forall i:int.
        (forall j:int.
          (valid_range(a, p, i, j) ->
           (((i <= 0) and (0 <= j)) -> valid(a, p)))))))

axiom valid_range_valid_index:
  (forall a:alloc_table.
    (forall p:'a1 pointer.
      (forall i:int.
        (forall j:int.
          (forall k:int.
            (valid_range(a, p, i, j) ->
             (((i <= k) and (k <= j)) -> valid_index(a, p, k))))))))

axiom sub_pointer_def:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer.
      ((base_addr(p1) = base_addr(p2)) -> (sub_pointer(p1,
       p2) = (offset(p1) - offset(p2))))))

type ('a, 'z) memory

logic acc : ('a1, 'a2) memory, 'a2 pointer -> 'a1

logic upd : ('a1, 'a2) memory, 'a2 pointer, 'a1 -> ('a1, 'a2) memory

axiom acc_upd:
  (forall m:('a1, 'a2) memory.
    (forall p:'a2 pointer.
      (forall a:'a1 [acc(upd(m, p, a), p)]. (acc(upd(m, p, a), p) = a))))

axiom acc_upd_neq:
  (forall m:('a1, 'a2) memory.
    (forall p1:'a2 pointer.
      (forall p2:'a2 pointer.
        (forall a:'a1 [acc(upd(m, p1, a), p2)].
          ((p1 <> p2) -> (acc(upd(m, p1, a), p2) = acc(m, p2)))))))

axiom false_not_true: (false <> true)

type 'z pset

logic pset_empty : 'a1 pset

logic pset_singleton : 'a1 pointer -> 'a1 pset

logic pset_star : 'a2 pset, ('a1 pointer, 'a2) memory -> 'a1 pset

logic pset_all : 'a1 pset -> 'a1 pset

logic pset_range : 'a1 pset, int, int -> 'a1 pset

logic pset_range_left : 'a1 pset, int -> 'a1 pset

logic pset_range_right : 'a1 pset, int -> 'a1 pset

logic pset_acc_all : 'a2 pset, ('a1 pointer, 'a2) memory -> 'a1 pset

logic pset_acc_range : 'a2 pset, ('a1 pointer, 'a2) memory, int,
int -> 'a1 pset

logic pset_acc_range_left : 'a2 pset, ('a1 pointer, 'a2) memory,
int -> 'a1 pset

logic pset_acc_range_right : 'a2 pset, ('a1 pointer, 'a2) memory,
int -> 'a1 pset

logic pset_union : 'a1 pset, 'a1 pset -> 'a1 pset

logic not_in_pset : 'a1 pointer, 'a1 pset -> prop

predicate not_assigns(a: alloc_table, m1: ('a1, 'a2) memory, m2: ('a1,
  'a2) memory, l: 'a2 pset) =
  (forall p:'a2 pointer.
    (valid(a, p) -> (not_in_pset(p, l) -> (acc(m2, p) = acc(m1, p)))))

axiom pset_empty_intro: (forall p:'a1 pointer. not_in_pset(p, pset_empty))

axiom pset_singleton_intro:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer [not_in_pset(p1, pset_singleton(p2))].
      ((p1 <> p2) -> not_in_pset(p1, pset_singleton(p2)))))

axiom pset_singleton_elim:
  (forall p1:'a1 pointer.
    (forall p2:'a1 pointer [not_in_pset(p1, pset_singleton(p2))].
      (not_in_pset(p1, pset_singleton(p2)) -> (p1 <> p2))))

axiom not_not_in_singleton:
  (forall p:'a1 pointer. (not not_in_pset(p, pset_singleton(p))))

axiom pset_union_intro:
  (forall l1:'a1 pset.
    (forall l2:'a1 pset.
      (forall p:'a1 pointer [not_in_pset(p, pset_union(l1, l2))].
        ((not_in_pset(p, l1) and not_in_pset(p, l2)) -> not_in_pset(p,
         pset_union(l1, l2))))))

axiom pset_union_elim1:
  (forall l1:'a1 pset.
    (forall l2:'a1 pset.
      (forall p:'a1 pointer [not_in_pset(p, pset_union(l1, l2))].
        (not_in_pset(p, pset_union(l1, l2)) -> not_in_pset(p, l1)))))

axiom pset_union_elim2:
  (forall l1:'a1 pset.
    (forall l2:'a1 pset.
      (forall p:'a1 pointer [not_in_pset(p, pset_union(l1, l2))].
        (not_in_pset(p, pset_union(l1, l2)) -> not_in_pset(p, l2)))))

axiom pset_star_intro:
  (forall l:'a1 pset.
    (forall m:('a2 pointer, 'a1) memory.
      (forall p:'a2 pointer [not_in_pset(p, pset_star(l, m))].
        ((forall p1:'a1 pointer. ((p = acc(m, p1)) -> not_in_pset(p1, l))) ->
         not_in_pset(p, pset_star(l, m))))))

axiom pset_star_elim:
  (forall l:'a1 pset.
    (forall m:('a2 pointer, 'a1) memory.
      (forall p:'a2 pointer [not_in_pset(p, pset_star(l, m))].
        (not_in_pset(p, pset_star(l, m)) ->
         (forall p1:'a1 pointer. ((p = acc(m, p1)) -> not_in_pset(p1, l)))))))

axiom pset_all_intro:
  (forall p:'a1 pointer.
    (forall l:'a1 pset [not_in_pset(p, pset_all(l))].
      ((forall p1:'a1 pointer.
         ((not not_in_pset(p1, l)) -> (base_addr(p) <> base_addr(p1)))) ->
       not_in_pset(p, pset_all(l)))))

axiom pset_all_elim:
  (forall p:'a1 pointer.
    (forall l:'a1 pset [not_in_pset(p, pset_all(l))].
      (not_in_pset(p, pset_all(l)) ->
       (forall p1:'a1 pointer.
         ((not not_in_pset(p1, l)) -> (base_addr(p) <> base_addr(p1)))))))

axiom pset_range_intro:
  (forall p:'a1 pointer.
    (forall l:'a1 pset.
      (forall a:int.
        (forall b:int [not_in_pset(p, pset_range(l, a, b))].
          ((forall p1:'a1 pointer.
             (not_in_pset(p1, l) or
              (forall i:int.
                (((a <= i) and (i <= b)) -> (p <> shift(p1, i)))))) ->
           not_in_pset(p, pset_range(l, a, b)))))))

axiom pset_range_elim:
  (forall p:'a1 pointer.
    (forall l:'a1 pset.
      (forall a:int.
        (forall b:int [not_in_pset(p, pset_range(l, a, b))].
          (not_in_pset(p, pset_range(l, a, b)) ->
           (forall p1:'a1 pointer.
             ((not not_in_pset(p1, l)) ->
              (forall i:int.
                (((a <= i) and (i <= b)) -> (shift(p1, i) <> p))))))))))

axiom pset_range_left_intro:
  (forall p:'a1 pointer.
    (forall l:'a1 pset.
      (forall a:int [not_in_pset(p, pset_range_left(l, a))].
        ((forall p1:'a1 pointer.
           (not_in_pset(p1, l) or
            (forall i:int. ((i <= a) -> (p <> shift(p1, i)))))) ->
         not_in_pset(p, pset_range_left(l, a))))))

axiom pset_range_left_elim:
  (forall p:'a1 pointer.
    (forall l:'a1 pset.
      (forall a:int [not_in_pset(p, pset_range_left(l, a))].
        (not_in_pset(p, pset_range_left(l, a)) ->
         (forall p1:'a1 pointer.
           ((not not_in_pset(p1, l)) ->
            (forall i:int. ((i <= a) -> (shift(p1, i) <> p)))))))))

axiom pset_range_right_intro:
  (forall p:'a1 pointer.
    (forall l:'a1 pset.
      (forall a:int [not_in_pset(p, pset_range_right(l, a))].
        ((forall p1:'a1 pointer.
           (not_in_pset(p1, l) or
            (forall i:int. ((a <= i) -> (p <> shift(p1, i)))))) ->
         not_in_pset(p, pset_range_right(l, a))))))

axiom pset_range_right_elim:
  (forall p:'a1 pointer.
    (forall l:'a1 pset.
      (forall a:int [not_in_pset(p, pset_range_right(l, a))].
        (not_in_pset(p, pset_range_right(l, a)) ->
         (forall p1:'a1 pointer.
           ((not not_in_pset(p1, l)) ->
            (forall i:int. ((a <= i) -> (shift(p1, i) <> p)))))))))

axiom pset_acc_all_intro:
  (forall p:'a1 pointer.
    (forall l:'a2 pset.
      (forall m:('a1 pointer, 'a2) memory [not_in_pset(p, pset_acc_all(l,
        m))].
        ((forall p1:'a2 pointer.
           ((not not_in_pset(p1, l)) ->
            (forall i:int. (p <> acc(m, shift(p1, i)))))) ->
         not_in_pset(p, pset_acc_all(l, m))))))

axiom pset_acc_all_elim:
  (forall p:'a1 pointer.
    (forall l:'a2 pset.
      (forall m:('a1 pointer, 'a2) memory [not_in_pset(p, pset_acc_all(l,
        m))].
        (not_in_pset(p, pset_acc_all(l, m)) ->
         (forall p1:'a2 pointer.
           ((not not_in_pset(p1, l)) ->
            (forall i:int. (acc(m, shift(p1, i)) <> p))))))))

axiom pset_acc_range_intro:
  (forall p:'a1 pointer.
    (forall l:'a2 pset.
      (forall m:('a1 pointer, 'a2) memory.
        (forall a:int.
          (forall b:int [not_in_pset(p, pset_acc_range(l, m, a, b))].
            ((forall p1:'a2 pointer.
               ((not not_in_pset(p1, l)) ->
                (forall i:int.
                  (((a <= i) and (i <= b)) -> (p <> acc(m, shift(p1, i))))))) ->
             not_in_pset(p, pset_acc_range(l, m, a, b))))))))

axiom pset_acc_range_elim:
  (forall p:'a1 pointer.
    (forall l:'a2 pset.
      (forall m:('a1 pointer, 'a2) memory.
        (forall a:int.
          (forall b:int.
            (not_in_pset(p, pset_acc_range(l, m, a, b)) ->
             (forall p1:'a2 pointer.
               ((not not_in_pset(p1, l)) ->
                (forall i:int.
                  (((a <= i) and (i <= b)) -> (acc(m, shift(p1, i)) <> p)))))))))))

axiom pset_acc_range_left_intro:
  (forall p:'a1 pointer.
    (forall l:'a2 pset.
      (forall m:('a1 pointer, 'a2) memory.
        (forall a:int [not_in_pset(p, pset_acc_range_left(l, m, a))].
          ((forall p1:'a2 pointer.
             ((not not_in_pset(p1, l)) ->
              (forall i:int. ((i <= a) -> (p <> acc(m, shift(p1, i))))))) ->
           not_in_pset(p, pset_acc_range_left(l, m, a)))))))

axiom pset_acc_range_left_elim:
  (forall p:'a1 pointer.
    (forall l:'a2 pset.
      (forall m:('a1 pointer, 'a2) memory.
        (forall a:int [not_in_pset(p, pset_acc_range_left(l, m, a))].
          (not_in_pset(p, pset_acc_range_left(l, m, a)) ->
           (forall p1:'a2 pointer.
             ((not not_in_pset(p1, l)) ->
              (forall i:int. ((i <= a) -> (acc(m, shift(p1, i)) <> p))))))))))

axiom pset_acc_range_right_intro:
  (forall p:'a1 pointer.
    (forall l:'a2 pset.
      (forall m:('a1 pointer, 'a2) memory.
        (forall a:int [not_in_pset(p, pset_acc_range_right(l, m, a))].
          ((forall p1:'a2 pointer.
             ((not not_in_pset(p1, l)) ->
              (forall i:int. ((a <= i) -> (p <> acc(m, shift(p1, i))))))) ->
           not_in_pset(p, pset_acc_range_right(l, m, a)))))))

axiom pset_acc_range_right_elim:
  (forall p:'a1 pointer.
    (forall l:'a2 pset.
      (forall m:('a1 pointer, 'a2) memory.
        (forall a:int [not_in_pset(p, pset_acc_range_right(l, m, a))].
          (not_in_pset(p, pset_acc_range_right(l, m, a)) ->
           (forall p1:'a2 pointer.
             ((not not_in_pset(p1, l)) ->
              (forall i:int. ((a <= i) -> (acc(m, shift(p1, i)) <> p))))))))))

axiom not_assigns_trans:
  (forall a:alloc_table.
    (forall l:'a1 pset.
      (forall m1:('a2, 'a1) memory.
        (forall m2:('a2, 'a1) memory.
          (forall m3:('a2, 'a1) memory.
            (not_assigns(a, m1, m2, l) ->
             (not_assigns(a, m2, m3, l) -> not_assigns(a, m1, m3, l))))))))

axiom not_assigns_refl:
  (forall a:alloc_table.
    (forall l:'a1 pset.
      (forall m:('a2, 'a1) memory. not_assigns(a, m, m, l))))

predicate valid_acc(m1: ('a1 pointer, 'a2) memory) =
  (forall p:'a2 pointer.
    (forall a:alloc_table. (valid(a, p) -> valid(a, acc(m1, p)))))

predicate valid_acc_range(m1: ('a1 pointer, 'a2) memory, size: int) =
  (forall p:'a2 pointer.
    (forall a:alloc_table.
      (valid(a, p) -> valid_range(a, acc(m1, p), 0, (size - 1)))))

axiom valid_acc_range_valid:
  (forall m1:('a1 pointer, 'a2) memory.
    (forall size:int.
      (forall p:'a2 pointer.
        (forall a:alloc_table.
          (valid_acc_range(m1, size) -> (valid(a, p) -> valid(a, acc(m1, p))))))))

predicate separation1(m1: ('a1 pointer, 'a2) memory, m2: ('a1 pointer,
  'a2) memory) =
  (forall p:'a2 pointer.
    (forall a:alloc_table.
      (valid(a, p) -> (base_addr(acc(m1, p)) <> base_addr(acc(m2, p))))))

predicate separation1_range1(m1: ('a1 pointer, 'a2) memory, m2: ('a1 pointer,
  'a2) memory, size: int) =
  (forall p:'a2 pointer.
    (forall a:alloc_table.
      (valid(a, p) ->
       (forall i1:int.
         (forall i2:int.
           (((0 <= i1) and (i1 < size)) ->
            (((0 <= i2) and (i2 < size)) -> (base_addr(acc(m1, shift(p,
             i1))) <> base_addr(acc(m2, shift(p, i2)))))))))))

predicate separation1_range(m: ('a1 pointer, 'a2) memory, size: int) =
  (forall p:'a2 pointer.
    (forall a:alloc_table.
      (valid(a, p) ->
       (forall i1:int.
         (((0 <= i1) and (i1 < size)) -> (base_addr(acc(m, shift(p,
          i1))) <> base_addr(acc(m, p))))))))

predicate separation2(m1: ('a1 pointer, 'a2) memory, m2: ('a1 pointer,
  'a2) memory) =
  (forall p1:'a2 pointer.
    (forall p2:'a2 pointer.
      ((p1 <> p2) -> (base_addr(acc(m1, p1)) <> base_addr(acc(m2, p2))))))

predicate separation2_range1(m1: ('a1 pointer, 'a2) memory, m2: ('a1 pointer,
  'a2) memory, size: int) =
  (forall p:'a2 pointer.
    (forall q:'a2 pointer.
      (forall a:alloc_table.
        (forall i:int.
          (((0 <= i) and (i < size)) -> (base_addr(acc(m1, shift(p,
           i))) <> base_addr(acc(m2, q))))))))

logic on_heap : alloc_table, 'a1 pointer -> prop

logic on_stack : alloc_table, 'a1 pointer -> prop

logic fresh : alloc_table, 'a1 pointer -> prop

axiom fresh_not_valid:
  (forall a:alloc_table.
    (forall p:'a1 pointer. (fresh(a, p) -> (not valid(a, p)))))

axiom fresh_not_valid_shift:
  (forall a:alloc_table.
    (forall p:'a1 pointer.
      (fresh(a, p) -> (forall i:int. (not valid(a, shift(p, i)))))))

logic alloc_extends : alloc_table, alloc_table -> prop

axiom alloc_extends_valid:
  (forall a1:alloc_table.
    (forall a2:alloc_table.
      (alloc_extends(a1, a2) ->
       (forall q:'a1 pointer. (valid(a1, q) -> valid(a2, q))))))

axiom alloc_extends_valid_index:
  (forall a1:alloc_table.
    (forall a2:alloc_table.
      (alloc_extends(a1, a2) ->
       (forall q:'a1 pointer.
         (forall i:int. (valid_index(a1, q, i) -> valid_index(a2, q, i)))))))

axiom alloc_extends_valid_range:
  (forall a1:alloc_table.
    (forall a2:alloc_table.
      (alloc_extends(a1, a2) ->
       (forall q:'a1 pointer.
         (forall i:int.
           (forall j:int.
             (valid_range(a1, q, i, j) -> valid_range(a2, q, i, j))))))))

axiom alloc_extends_refl: (forall a:alloc_table. alloc_extends(a, a))

axiom alloc_extends_trans:
  (forall a1:alloc_table.
    (forall a2:alloc_table.
      (forall a3:alloc_table [alloc_extends(a1, a2), alloc_extends(a2, a3)].
        (alloc_extends(a1, a2) ->
         (alloc_extends(a2, a3) -> alloc_extends(a1, a3))))))

logic free_stack : alloc_table, alloc_table, alloc_table -> prop

axiom free_stack_heap:
  (forall a1:alloc_table.
    (forall a2:alloc_table.
      (forall a3:alloc_table.
        (free_stack(a1, a2, a3) ->
         (forall p:'a1 pointer.
           (valid(a2, p) -> (on_heap(a2, p) -> valid(a3, p))))))))

axiom free_stack_stack:
  (forall a1:alloc_table.
    (forall a2:alloc_table.
      (forall a3:alloc_table.
        (free_stack(a1, a2, a3) ->
         (forall p:'a1 pointer.
           (valid(a1, p) -> (on_stack(a1, p) -> valid(a3, p))))))))

logic null : 'a1 pointer

axiom null_not_valid: (forall a:alloc_table. (not valid(a, null)))

type a_0

type a_1

type a_2

goal main_impl_po_1:
  forall a:a_2 pointer.
  forall alloc:alloc_table.
  ("CADUCEUS_1": valid_range(alloc, a, 0, 10000)) ->
  forall mutable_x:int.
  forall p:int.
  (p <> 0) ->
  (mutable_x <> 0)

goal main_impl_po_2:
  forall a:a_2 pointer.
  forall alloc:alloc_table.
  ("CADUCEUS_1": valid_range(alloc, a, 0, 10000)) ->
  forall g:int.
  forall mutable_x:int.
  forall p:int.
  (p <> 0) ->
  (mutable_x <> 0) ->
  forall result:int.
  (result = (g / mutable_x)) ->
  forall result0:a_2 pointer.
  (result0 = shift(a, p)) ->
  valid(alloc, result0)

goal main_impl_po_3:
  forall a:a_2 pointer.
  forall alloc:alloc_table.
  forall i:int.
  ("CADUCEUS_1": valid_range(alloc, a, 0, 10000)) ->
  forall g:int.
  forall intM_a_2:(int,
  a_2) memory.
  forall mutable_x:int.
  forall o:int.
  forall p:int.
  (p <> 0) ->
  (mutable_x <> 0) ->
  forall result:int.
  (result = (g / mutable_x)) ->
  forall result0:a_2 pointer.
  (result0 = shift(a, p)) ->
  valid(alloc, result0) ->
  forall result1:int.
  (result1 = acc(intM_a_2, result0)) ->
  (o = 0) ->
  forall g0:int.
  (g0 = (((result * p) + (result1 * i)) + (2 * 1))) ->
  (g0 <> 0) ->
  forall mutable_x0:int.
  (mutable_x0 = ((p * 2) - 1)) ->
  forall p0:int.
  (p0 = (p - 1)) ->
  forall result2:a_2 pointer.
  (result2 = shift(a, p)) ->
  (mutable_x0 <> 0)

goal main_impl_po_4:
  forall a:a_2 pointer.
  forall alloc:alloc_table.
  forall i:int.
  ("CADUCEUS_1": valid_range(alloc, a, 0, 10000)) ->
  forall g:int.
  forall intM_a_2:(int,
  a_2) memory.
  forall mutable_x:int.
  forall o:int.
  forall p:int.
  (p <> 0) ->
  (mutable_x <> 0) ->
  forall result:int.
  (result = (g / mutable_x)) ->
  forall result0:a_2 pointer.
  (result0 = shift(a, p)) ->
  valid(alloc, result0) ->
  forall result1:int.
  (result1 = acc(intM_a_2, result0)) ->
  (o = 0) ->
  forall g0:int.
  (g0 = (((result * p) + (result1 * i)) + (2 * 1))) ->
  (g0 <> 0) ->
  forall mutable_x0:int.
  (mutable_x0 = ((p * 2) - 1)) ->
  forall p0:int.
  (p0 = (p - 1)) ->
  forall result2:a_2 pointer.
  (result2 = shift(a, p)) ->
  (mutable_x0 <> 0) ->
  forall result3:int.
  (result3 = (g0 % mutable_x0)) ->
  valid(alloc, result2)

goal main_impl_po_5:
  forall a:a_2 pointer.
  forall alloc:alloc_table.
  forall i:int.
  ("CADUCEUS_1": valid_range(alloc, a, 0, 10000)) ->
  forall g:int.
  forall intM_a_2:(int,
  a_2) memory.
  forall mutable_x:int.
  forall o:int.
  forall p:int.
  (p <> 0) ->
  (mutable_x <> 0) ->
  forall result:int.
  (result = (g / mutable_x)) ->
  forall result0:a_2 pointer.
  (result0 = shift(a, p)) ->
  valid(alloc, result0) ->
  forall result1:int.
  (result1 = acc(intM_a_2, result0)) ->
  (o <> 0) ->
  forall g0:int.
  (g0 = (((result * p) + (result1 * i)) + (2 * 0))) ->
  (g0 <> 0) ->
  forall mutable_x0:int.
  (mutable_x0 = ((p * 2) - 1)) ->
  forall p0:int.
  (p0 = (p - 1)) ->
  forall result2:a_2 pointer.
  (result2 = shift(a, p)) ->
  (mutable_x0 <> 0)

goal main_impl_po_6:
  forall a:a_2 pointer.
  forall alloc:alloc_table.
  forall i:int.
  ("CADUCEUS_1": valid_range(alloc, a, 0, 10000)) ->
  forall g:int.
  forall intM_a_2:(int,
  a_2) memory.
  forall mutable_x:int.
  forall o:int.
  forall p:int.
  (p <> 0) ->
  (mutable_x <> 0) ->
  forall result:int.
  (result = (g / mutable_x)) ->
  forall result0:a_2 pointer.
  (result0 = shift(a, p)) ->
  valid(alloc, result0) ->
  forall result1:int.
  (result1 = acc(intM_a_2, result0)) ->
  (o <> 0) ->
  forall g0:int.
  (g0 = (((result * p) + (result1 * i)) + (2 * 0))) ->
  (g0 <> 0) ->
  forall mutable_x0:int.
  (mutable_x0 = ((p * 2) - 1)) ->
  forall p0:int.
  (p0 = (p - 1)) ->
  forall result2:a_2 pointer.
  (result2 = shift(a, p)) ->
  (mutable_x0 <> 0) ->
  forall result3:int.
  (result3 = (g0 % mutable_x0)) ->
  valid(alloc, result2)

goal main_impl_po_7:
  forall a:a_2 pointer.
  forall alloc:alloc_table.
  forall i:int.
  ("CADUCEUS_1": valid_range(alloc, a, 0, 10000)) ->
  forall p:int.
  (p = 0) ->
  (i <> 0)

goal main_impl_po_8:
  forall a:a_2 pointer.
  forall alloc:alloc_table.
  forall i:int.
  ("CADUCEUS_1": valid_range(alloc, a, 0, 10000)) ->
  forall g:int.
  forall p:int.
  (p = 0) ->
  (i <> 0) ->
  forall result:int.
  (result = (g / i)) ->
  forall p0:int.
  (p0 = i) ->
  (i <> 0) ->
  forall result0:int.
  (result0 = (g % i)) ->
  forall o0:int.
  (o0 = result0) ->
  (bw_xor(53, o0) <> 0) ->
  forall mutable_x0:int.
  (mutable_x0 = ((p0 * 2) - 1)) ->
  forall p1:int.
  (p1 = (p0 - 1)) ->
  forall result1:a_2 pointer.
  (result1 = shift(a, p0)) ->
  (mutable_x0 <> 0)

goal main_impl_po_9:
  forall a:a_2 pointer.
  forall alloc:alloc_table.
  forall i:int.
  ("CADUCEUS_1": valid_range(alloc, a, 0, 10000)) ->
  forall g:int.
  forall p:int.
  (p = 0) ->
  (i <> 0) ->
  forall result:int.
  (result = (g / i)) ->
  forall p0:int.
  (p0 = i) ->
  (i <> 0) ->
  forall result0:int.
  (result0 = (g % i)) ->
  forall o0:int.
  (o0 = result0) ->
  (bw_xor(53, o0) <> 0) ->
  forall mutable_x0:int.
  (mutable_x0 = ((p0 * 2) - 1)) ->
  forall p1:int.
  (p1 = (p0 - 1)) ->
  forall result1:a_2 pointer.
  (result1 = shift(a, p0)) ->
  (mutable_x0 <> 0) ->
  forall result2:int.
  (result2 = (g % mutable_x0)) ->
  valid(alloc, result1)