diff --git a/src/plugins/wp/tests/wp_acsl/oracle/assigned_initialized_memtyped.res.oracle b/src/plugins/wp/tests/wp_acsl/oracle/assigned_initialized_memtyped.res.oracle
index 0b80f09a455e7c134e68840a4d7978c549798dce..5df442f16465ad9fdeec361d5332edca31bb4662 100644
--- a/src/plugins/wp/tests/wp_acsl/oracle/assigned_initialized_memtyped.res.oracle
+++ b/src/plugins/wp/tests/wp_acsl/oracle/assigned_initialized_memtyped.res.oracle
@@ -178,23 +178,7 @@ Prove: true.
Goal Loop assigns 'CHECK' (3/3):
Effect at line 139
-Assume {
- Type: is_sint32(i_1) /\ is_sint32(i).
- (* Heap *)
- Type: (region(G_glob_82) <= 0) /\ (region(pg_0.base) <= 0) /\
- linked(Malloc_0).
- (* Goal *)
- When: !invalid(Malloc_0, shift_sint32(shiftfield_F1_S_a(pg_0), i), 1).
- (* Invariant 'CHECK' *)
- Have: (0 <= i_1) /\ (i_1 <= 10).
- (* Else *)
- Have: 10 <= i_1.
- (* Invariant *)
- Have: (0 <= i) /\ (i <= 10).
- (* Then *)
- Have: i <= 9.
-}
-Prove: (-1) <= i.
+Prove: true.
------------------------------------------------------------
------------------------------------------------------------
@@ -242,22 +226,7 @@ Prove: true.
Goal Loop assigns 'CHECK' (3/3):
Effect at line 115
-Assume {
- Type: is_sint32(i_1) /\ is_sint32(i).
- (* Heap *)
- Type: (region(s.base) <= 0) /\ linked(Malloc_0).
- (* Goal *)
- When: !invalid(Malloc_0, shift_sint32(shiftfield_F1_S_a(s), i), 1).
- (* Invariant *)
- Have: (0 <= i_1) /\ (i_1 <= 10).
- (* Else *)
- Have: 10 <= i_1.
- (* Invariant *)
- Have: (0 <= i) /\ (i <= 10).
- (* Then *)
- Have: i <= 9.
-}
-Prove: (-1) <= i.
+Prove: true.
------------------------------------------------------------
------------------------------------------------------------
diff --git a/src/plugins/wp/tests/wp_acsl/oracle/assigned_initialized_memvar.res.oracle b/src/plugins/wp/tests/wp_acsl/oracle/assigned_initialized_memvar.res.oracle
index 4de0de53912a6e0648a9b3c96317d751d6de734d..1a36e609928f6a30e364d1ed25e3b2c652edf8fd 100644
--- a/src/plugins/wp/tests/wp_acsl/oracle/assigned_initialized_memvar.res.oracle
+++ b/src/plugins/wp/tests/wp_acsl/oracle/assigned_initialized_memvar.res.oracle
@@ -71,6 +71,8 @@ Assume {
(forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) -> (v[i_2]=true)))))).
(* Else *)
Have: 10 <= i.
+ (* Invariant 'CHECK' *)
+ Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 <= 9) -> (v[i_2]=true))).
(* Loop assigns 'CHECK' *)
Have: ((s.F1_S_i) = 0) /\
(forall i_2 : Z. ((i_2 != 0) -> ((i_2 != 2) -> ((i_2 != 4) ->
@@ -153,12 +155,21 @@ Assume {
(forall i_5 : Z. ((0 <= i_5) -> ((i_5 < i_2) -> (v[i_5]=true)))))).
(* Else *)
Have: 10 <= i_2.
+ (* Invariant 'CHECK' *)
+ Have: forall i_5 : Z. ((0 <= i_5) -> ((i_5 <= 9) -> (v[i_5]=true))).
(* Loop assigns 'CHECK' *)
Have: ((s.F1_S_i) = 0) /\
(forall i_5 : Z. ((i_5 != 0) -> ((i_5 != 2) -> ((i_5 != 4) ->
((0 <= i_5) -> ((i_5 <= 9) -> ((s.F1_S_a)[i_5] = v_1[i_5]))))))).
(* Then *)
Have: i_3 <= 9.
+ If i_3 = 0
+ Else {
+ Have: s = s_1.
+ If i_3 = 2
+ Then { Have: s_1 = s_2. }
+ Else { Have: s_1 = s_3. }
+ }
}
Prove: ((i != 0) /\ (i != 2) /\ (i != 4)) \/
(exists i_5 : Z. (i_5 <= i_1) /\ (i_1 <= i_5) /\
@@ -304,6 +315,8 @@ Assume {
(forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i_1) -> (v[i_2]=true)))))).
(* Else *)
Have: 10 <= i_1.
+ (* Invariant 'CHECK' *)
+ Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 <= 9) -> (v[i_2]=true))).
(* Loop assigns 'CHECK' *)
Have: ((s.F1_S_i) = 0) /\
(forall i_2 : Z. ((0 <= i_2) -> ((i_2 <= 9) ->
diff --git a/src/plugins/wp/tests/wp_acsl/oracle/assigns_path.res.oracle b/src/plugins/wp/tests/wp_acsl/oracle/assigns_path.res.oracle
index c9a28cfb2ae210a0e5e3161fef820e7c1f8ff088..aeadb33fdec257c54d7d16ee7da53541f3edca10 100644
--- a/src/plugins/wp/tests/wp_acsl/oracle/assigns_path.res.oracle
+++ b/src/plugins/wp/tests/wp_acsl/oracle/assigns_path.res.oracle
@@ -19,12 +19,14 @@ Assume {
(* Goal *)
When: (0 <= i) /\ (i < n).
(* Pre-condition *)
- Have: (0 <= n) /\ (n <= 3).
+ Have: n <= 3.
(* Invariant *)
- Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i_1) ->
- (Mint_0[shift_sint32(b, i_2)] = v[i_2]))).
+ Have: 0 <= n.
(* Invariant *)
Have: (0 <= i_1) /\ (i_1 <= n).
+ (* Invariant *)
+ Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i_1) ->
+ (Mint_0[shift_sint32(b, i_2)] = v[i_2]))).
(* Else *)
Have: n <= i_1.
}
@@ -38,12 +40,14 @@ Assume {
(* Heap *)
Type: region(b.base) <= 0.
(* Pre-condition *)
- Have: (0 <= n) /\ (n <= 3).
+ Have: n <= 3.
(* Invariant *)
- Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (Mint_0[shift_sint32(b, i_1)] = v[i_1]))).
+ Have: 0 <= n.
(* Invariant *)
Have: (0 <= i) /\ (i <= n).
+ (* Invariant *)
+ Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
+ (Mint_0[shift_sint32(b, i_1)] = v[i_1]))).
(* Then *)
Have: i < n.
}
@@ -64,14 +68,18 @@ Assume {
(* Goal *)
When: (0 <= i_1) /\ (i_1 <= i).
(* Pre-condition *)
- Have: (0 <= n) /\ (n <= 3).
+ Have: n <= 3.
(* Invariant *)
- Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (Mint_0[shift_sint32(b, i_2)] = v[i_2]))).
+ Have: 0 <= n.
(* Invariant *)
Have: (0 <= i) /\ (i <= n).
+ (* Invariant *)
+ Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
+ (Mint_0[shift_sint32(b, i_2)] = v[i_2]))).
(* Then *)
Have: i < n.
+ (* Invariant *)
+ Have: (-1) <= i.
}
Prove: v[i <- Mint_0[shift_sint32(b, i)]][i_1] = Mint_0[shift_sint32(b, i_1)].
diff --git a/src/plugins/wp/tests/wp_acsl/oracle/axioms.res.oracle b/src/plugins/wp/tests/wp_acsl/oracle/axioms.res.oracle
index 0c033d5c37fae577aebb1c8b28c0890fd146820a..5fd1352b896d217838ce2c61aeb0cc57101a7141 100644
--- a/src/plugins/wp/tests/wp_acsl/oracle/axioms.res.oracle
+++ b/src/plugins/wp/tests/wp_acsl/oracle/axioms.res.oracle
@@ -10,6 +10,7 @@ Goal Post-condition 'P,todo' in 'f':
Let a_1 = shift_sint32(t, a).
Let x = -a.
Let a_2 = havoc(Mint_undef_0, Mint_0, a_1, i - a).
+Let x_1 = 1 + b.
Assume {
Type: is_sint32(a) /\ is_sint32(b) /\ is_sint32(i).
(* Heap *)
@@ -18,11 +19,13 @@ Assume {
Have: valid_rw(Malloc_0, a_1, 1 + b - a).
(* Pre-condition *)
Have: a <= b.
+ (* Invariant 'Index' *)
+ Have: a <= x_1.
+ (* Invariant 'Index' *)
+ Have: (a <= i) /\ (i <= x_1).
(* Invariant 'Positive' *)
Have: forall i_1 : Z. ((a <= i_1) -> ((i_1 < i) ->
(0 < a_2[shift_sint32(t, i_1)]))).
- (* Invariant 'Index' *)
- Have: (a <= i) /\ (i <= (1 + b)).
(* Else *)
Have: b < i.
}
@@ -34,6 +37,7 @@ Goal Post-condition 'Q' in 'f':
Let a_1 = shift_sint32(t, a).
Let x = -a.
Let a_2 = havoc(Mint_undef_0, Mint_0, a_1, i - a).
+Let x_1 = 1 + b.
Assume {
Type: is_sint32(a) /\ is_sint32(b) /\ is_sint32(i).
(* Heap *)
@@ -42,11 +46,13 @@ Assume {
Have: valid_rw(Malloc_0, a_1, 1 + b - a).
(* Pre-condition *)
Have: a <= b.
+ (* Invariant 'Index' *)
+ Have: a <= x_1.
+ (* Invariant 'Index' *)
+ Have: (a <= i) /\ (i <= x_1).
(* Invariant 'Positive' *)
Have: forall i_1 : Z. ((a <= i_1) -> ((i_1 < i) ->
(0 < a_2[shift_sint32(t, i_1)]))).
- (* Invariant 'Index' *)
- Have: (a <= i) /\ (i <= (1 + b)).
(* Else *)
Have: b < i.
}
@@ -57,24 +63,27 @@ Prove: P_Q(Malloc_0, a_2, t, a, b).
Goal Preservation of Invariant 'Index' (file tests/wp_acsl/axioms.i, line 30):
Let a_1 = shift_sint32(t, a).
Let x = -a.
-Let x_1 = 1 + i.
+Let x_1 = 1 + b.
+Let x_2 = 1 + i.
Assume {
- Type: is_sint32(a) /\ is_sint32(b) /\ is_sint32(i) /\ is_sint32(x_1).
+ Type: is_sint32(a) /\ is_sint32(b) /\ is_sint32(i) /\ is_sint32(x_2).
(* Heap *)
Type: (region(t.base) <= 0) /\ linked(Malloc_0).
(* Pre-condition *)
Have: valid_rw(Malloc_0, a_1, 1 + b - a).
(* Pre-condition *)
Have: a <= b.
+ (* Invariant 'Index' *)
+ Have: a <= x_1.
+ (* Invariant 'Index' *)
+ Have: (a <= i) /\ (i <= x_1).
(* Invariant 'Positive' *)
Have: forall i_1 : Z. ((a <= i_1) -> ((i_1 < i) ->
(0 < havoc(Mint_undef_0, Mint_0, a_1, i - a)[shift_sint32(t, i_1)]))).
- (* Invariant 'Index' *)
- Have: (a <= i) /\ (i <= (1 + b)).
(* Then *)
Have: i <= b.
}
-Prove: a <= x_1.
+Prove: a <= x_2.
------------------------------------------------------------
@@ -93,11 +102,13 @@ Prove: a <= (1 + b).
------------------------------------------------------------
Goal Preservation of Invariant 'Positive' (file tests/wp_acsl/axioms.i, line 31):
+Let x = 1 + i.
Let a_1 = shift_sint32(t, a).
-Let x = -a.
+Let x_1 = -a.
Let a_2 = havoc(Mint_undef_0, Mint_0, a_1, i - a).
+Let x_2 = 1 + b.
Assume {
- Type: is_sint32(a) /\ is_sint32(b) /\ is_sint32(i) /\ is_sint32(1 + i).
+ Type: is_sint32(a) /\ is_sint32(b) /\ is_sint32(i) /\ is_sint32(x).
(* Heap *)
Type: (region(t.base) <= 0) /\ linked(Malloc_0).
(* Goal *)
@@ -106,13 +117,17 @@ Assume {
Have: valid_rw(Malloc_0, a_1, 1 + b - a).
(* Pre-condition *)
Have: a <= b.
+ (* Invariant 'Index' *)
+ Have: a <= x_2.
+ (* Invariant 'Index' *)
+ Have: (a <= i) /\ (i <= x_2).
(* Invariant 'Positive' *)
Have: forall i_2 : Z. ((a <= i_2) -> ((i_2 < i) ->
(0 < a_2[shift_sint32(t, i_2)]))).
- (* Invariant 'Index' *)
- Have: (a <= i) /\ (i <= (1 + b)).
(* Then *)
Have: i <= b.
+ (* Invariant 'Index' *)
+ Have: a <= x.
}
Prove: 0 < a_2[shift_sint32(t, i) <- 1][shift_sint32(t, i_1)].
@@ -138,33 +153,44 @@ Goal Loop assigns (file tests/wp_acsl/axioms.i, line 32) (3/3):
Effect at line 34
Let a_1 = shift_sint32(t, a).
Let x = -a.
-Let a_2 = shift_sint32(t, i).
+Let a_2 = havoc(Mint_undef_0, Mint_0, a_1, i - a).
+Let a_3 = shift_sint32(t, i).
+Let x_1 = 1 + i.
+Let x_2 = 1 + b.
Assume {
- Type: is_sint32(a) /\ is_sint32(b) /\ is_sint32(i) /\ is_sint32(1 + i).
+ Type: is_sint32(a) /\ is_sint32(b) /\ is_sint32(i) /\ is_sint32(x_1).
(* Heap *)
Type: (region(t.base) <= 0) /\ linked(Malloc_0).
(* Goal *)
- When: !invalid(Malloc_0, a_2, 1).
+ When: !invalid(Malloc_0, a_3, 1).
(* Pre-condition *)
Have: valid_rw(Malloc_0, a_1, 1 + b - a).
(* Pre-condition *)
Have: a <= b.
+ (* Invariant 'Index' *)
+ Have: a <= x_2.
+ (* Invariant 'Index' *)
+ Have: (a <= i) /\ (i <= x_2).
(* Invariant 'Positive' *)
Have: forall i_1 : Z. ((a <= i_1) -> ((i_1 < i) ->
- (0 < havoc(Mint_undef_0, Mint_0, a_1, i - a)[shift_sint32(t, i_1)]))).
- (* Invariant 'Index' *)
- Have: (a <= i) /\ (i <= (1 + b)).
+ (0 < a_2[shift_sint32(t, i_1)]))).
(* Then *)
Have: i <= b.
+ (* Invariant 'Index' *)
+ Have: a <= x_1.
+ (* Invariant 'Positive' *)
+ Have: forall i_1 : Z. ((i_1 <= i) -> ((a <= i_1) ->
+ (0 < a_2[a_3 <- 1][shift_sint32(t, i_1)]))).
}
-Prove: included(a_2, 1, a_1, 1 + i - a).
+Prove: included(a_3, 1, a_1, 1 + i - a).
------------------------------------------------------------
Goal Assigns 'todo' in 'f':
Effect at line 34
+Let x = 1 + b.
Let a_1 = shift_sint32(t, a).
-Let x = -a.
+Let x_1 = -a.
Assume {
Have: a < i.
Have: !invalid(Malloc_0, a_1, i - a).
@@ -175,7 +201,9 @@ Assume {
Have: valid_rw(Malloc_0, a_1, 1 + b - a).
(* Pre-condition *)
Have: a <= b.
+ (* Invariant 'Index' *)
+ Have: a <= x.
}
-Prove: i <= (1 + b).
+Prove: i <= x.
------------------------------------------------------------
diff --git a/src/plugins/wp/tests/wp_acsl/oracle/chunk_typing.res.oracle b/src/plugins/wp/tests/wp_acsl/oracle/chunk_typing.res.oracle
index 9455596589a8251499921bc9d809de03f2277ff9..4a107de7f65b85f4e0234c466cff9d0d699d5508 100644
--- a/src/plugins/wp/tests/wp_acsl/oracle/chunk_typing.res.oracle
+++ b/src/plugins/wp/tests/wp_acsl/oracle/chunk_typing.res.oracle
@@ -7,38 +7,38 @@
------------------------------------------------------------
Goal Post-condition (file tests/wp_acsl/chunk_typing.i, line 15) in 'function':
-Let a = shift_sint8(i8_0, 0).
-Let a_1 = havoc(Mchar_undef_0, Mchar_0, a, 10).
-Let a_2 = shift_uint8(u8_0, 0).
-Let a_3 = havoc(Mint_undef_0, Mint_0, a_2, 10).
-Let a_4 = shift_sint16(i16_0, 0).
-Let a_5 = havoc(Mint_undef_1, Mint_1, a_4, 10).
-Let a_6 = shift_uint16(u16_0, 0).
-Let a_7 = havoc(Mint_undef_2, Mint_2, a_6, 10).
-Let a_8 = shift_sint32(i32_0, 0).
-Let a_9 = havoc(Mint_undef_3, Mint_3, a_8, 10).
-Let a_10 = shift_uint32(u32_0, 0).
-Let a_11 = havoc(Mint_undef_4, Mint_4, a_10, 10).
-Let a_12 = shift_sint64(i64_0, 0).
-Let a_13 = havoc(Mint_undef_5, Mint_5, a_12, 10).
-Let a_14 = shift_uint64(u64_0, 0).
-Let a_15 = havoc(Mint_undef_6, Mint_6, a_14, 10).
-Let a_16 = a_1[shift_sint8(i8_0, i)].
-Let a_17 = a_3[shift_uint8(u8_0, i)].
-Let a_18 = a_5[shift_sint16(i16_0, i)].
-Let a_19 = a_7[shift_uint16(u16_0, i)].
-Let a_20 = a_9[shift_sint32(i32_0, i)].
-Let a_21 = a_11[shift_uint32(u32_0, i)].
-Let a_22 = a_13[shift_sint64(i64_0, i)].
+Let a = shift_uint64(u64_0, 0).
+Let a_1 = havoc(Mint_undef_6, Mint_6, a, 10).
+Let a_2 = shift_sint64(i64_0, 0).
+Let a_3 = havoc(Mint_undef_5, Mint_5, a_2, 10).
+Let a_4 = shift_uint32(u32_0, 0).
+Let a_5 = havoc(Mint_undef_4, Mint_4, a_4, 10).
+Let a_6 = shift_sint32(i32_0, 0).
+Let a_7 = havoc(Mint_undef_3, Mint_3, a_6, 10).
+Let a_8 = shift_uint16(u16_0, 0).
+Let a_9 = havoc(Mint_undef_2, Mint_2, a_8, 10).
+Let a_10 = shift_sint16(i16_0, 0).
+Let a_11 = havoc(Mint_undef_1, Mint_1, a_10, 10).
+Let a_12 = shift_uint8(u8_0, 0).
+Let a_13 = havoc(Mint_undef_0, Mint_0, a_12, 10).
+Let a_14 = shift_sint8(i8_0, 0).
+Let a_15 = havoc(Mchar_undef_0, Mchar_0, a_14, 10).
+Let a_16 = a_15[shift_sint8(i8_0, i)].
+Let a_17 = a_13[shift_uint8(u8_0, i)].
+Let a_18 = a_11[shift_sint16(i16_0, i)].
+Let a_19 = a_9[shift_uint16(u16_0, i)].
+Let a_20 = a_7[shift_sint32(i32_0, i)].
+Let a_21 = a_5[shift_uint32(u32_0, i)].
+Let a_22 = a_3[shift_sint64(i64_0, i)].
Assume {
Type: IsArray_sint8(x) /\ is_sint16_chunk(Mint_1) /\
is_sint32_chunk(Mint_3) /\ is_sint64_chunk(Mint_5) /\
is_sint8_chunk(Mchar_0) /\ is_uint16_chunk(Mint_2) /\
is_uint32_chunk(Mint_4) /\ is_uint64_chunk(Mint_6) /\
- is_uint8_chunk(Mint_0) /\ is_sint32(i_1) /\ is_sint16_chunk(a_5) /\
- is_sint32_chunk(a_9) /\ is_sint64_chunk(a_13) /\ is_sint8_chunk(a_1) /\
- is_uint16_chunk(a_7) /\ is_uint32_chunk(a_11) /\
- is_uint64_chunk(a_15) /\ is_uint8_chunk(a_3).
+ is_uint8_chunk(Mint_0) /\ is_sint32(i_1) /\ is_sint16_chunk(a_11) /\
+ is_sint32_chunk(a_7) /\ is_sint64_chunk(a_3) /\ is_sint8_chunk(a_15) /\
+ is_uint16_chunk(a_9) /\ is_uint32_chunk(a_5) /\ is_uint64_chunk(a_1) /\
+ is_uint8_chunk(a_13).
(* Heap *)
Type: (region(i16_0.base) <= 0) /\ (region(i32_0.base) <= 0) /\
(region(i64_0.base) <= 0) /\ (region(i8_0.base) <= 0) /\
@@ -50,42 +50,42 @@ Assume {
(* Initializer *)
Init: forall i_2 : Z. ((0 <= i_2) -> ((i_2 <= 9) -> (x[i_2] = 0))).
(* Pre-condition *)
- Have: valid_rw(Malloc_0, a_4, 10) /\ valid_rw(Malloc_0, a_8, 10) /\
- valid_rw(Malloc_0, a_12, 10) /\ valid_rw(Malloc_0, a, 10) /\
- valid_rw(Malloc_0, a_6, 10) /\ valid_rw(Malloc_0, a_10, 10) /\
- valid_rw(Malloc_0, a_14, 10) /\ valid_rw(Malloc_0, a_2, 10).
+ Have: valid_rw(Malloc_0, a_10, 10) /\ valid_rw(Malloc_0, a_6, 10) /\
+ valid_rw(Malloc_0, a_2, 10) /\ valid_rw(Malloc_0, a_14, 10) /\
+ valid_rw(Malloc_0, a_8, 10) /\ valid_rw(Malloc_0, a_4, 10) /\
+ valid_rw(Malloc_0, a, 10) /\ valid_rw(Malloc_0, a_12, 10).
(* Invariant *)
- Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i_1) ->
- (a_15[shift_uint64(u64_0, i_2)] = 8))).
+ Have: (0 <= i_1) /\ (i_1 <= 10).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i_1) ->
- (a_13[shift_sint64(i64_0, i_2)] = 7))).
+ (a_15[shift_sint8(i8_0, i_2)] = 1))).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i_1) ->
- (a_11[shift_uint32(u32_0, i_2)] = 6))).
+ (a_13[shift_uint8(u8_0, i_2)] = 2))).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i_1) ->
- (a_9[shift_sint32(i32_0, i_2)] = 5))).
+ (a_11[shift_sint16(i16_0, i_2)] = 3))).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i_1) ->
- (a_7[shift_uint16(u16_0, i_2)] = 4))).
+ (a_9[shift_uint16(u16_0, i_2)] = 4))).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i_1) ->
- (a_5[shift_sint16(i16_0, i_2)] = 3))).
+ (a_7[shift_sint32(i32_0, i_2)] = 5))).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i_1) ->
- (a_3[shift_uint8(u8_0, i_2)] = 2))).
+ (a_5[shift_uint32(u32_0, i_2)] = 6))).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i_1) ->
- (a_1[shift_sint8(i8_0, i_2)] = 1))).
+ (a_3[shift_sint64(i64_0, i_2)] = 7))).
(* Invariant *)
- Have: (0 <= i_1) /\ (i_1 <= 10).
+ Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i_1) ->
+ (a_1[shift_uint64(u64_0, i_2)] = 8))).
(* Else *)
Have: 10 <= i_1.
}
Prove: (a_16 = (1 + x[i])) /\ (a_17 = (1 + a_16)) /\ (a_18 = (1 + a_17)) /\
(a_19 = (1 + a_18)) /\ (a_20 = (1 + a_19)) /\ (a_21 = (1 + a_20)) /\
- (a_22 = (1 + a_21)) /\ (a_15[shift_uint64(u64_0, i)] = (1 + a_22)).
+ (a_22 = (1 + a_21)) /\ (a_1[shift_uint64(u64_0, i)] = (1 + a_22)).
------------------------------------------------------------
@@ -98,35 +98,35 @@ Let a_4 = shift_uint16(u16_0, i).
Let a_5 = shift_sint16(i16_0, i).
Let a_6 = shift_uint8(u8_0, i).
Let a_7 = shift_sint8(i8_0, i).
-Let a_8 = shift_sint8(i8_0, 0).
-Let a_9 = havoc(Mchar_undef_0, Mchar_0, a_8, 10).
-Let a_10 = shift_uint8(u8_0, 0).
-Let a_11 = havoc(Mint_undef_6, Mint_6, a_10, 10).
-Let a_12 = shift_sint16(i16_0, 0).
-Let a_13 = havoc(Mint_undef_0, Mint_0, a_12, 10).
-Let a_14 = shift_uint16(u16_0, 0).
-Let a_15 = havoc(Mint_undef_3, Mint_3, a_14, 10).
-Let a_16 = shift_sint32(i32_0, 0).
-Let a_17 = havoc(Mint_undef_1, Mint_1, a_16, 10).
-Let a_18 = shift_uint32(u32_0, 0).
-Let a_19 = havoc(Mint_undef_4, Mint_4, a_18, 10).
-Let a_20 = shift_sint64(i64_0, 0).
-Let a_21 = havoc(Mint_undef_2, Mint_2, a_20, 10).
-Let a_22 = shift_uint64(u64_0, 0).
-Let a_23 = havoc(Mint_undef_5, Mint_5, a_22, 10).
+Let a_8 = shift_uint64(u64_0, 0).
+Let a_9 = havoc(Mint_undef_5, Mint_5, a_8, 10).
+Let a_10 = shift_sint64(i64_0, 0).
+Let a_11 = havoc(Mint_undef_2, Mint_2, a_10, 10).
+Let a_12 = shift_uint32(u32_0, 0).
+Let a_13 = havoc(Mint_undef_4, Mint_4, a_12, 10).
+Let a_14 = shift_sint32(i32_0, 0).
+Let a_15 = havoc(Mint_undef_1, Mint_1, a_14, 10).
+Let a_16 = shift_uint16(u16_0, 0).
+Let a_17 = havoc(Mint_undef_3, Mint_3, a_16, 10).
+Let a_18 = shift_sint16(i16_0, 0).
+Let a_19 = havoc(Mint_undef_0, Mint_0, a_18, 10).
+Let a_20 = shift_uint8(u8_0, 0).
+Let a_21 = havoc(Mint_undef_6, Mint_6, a_20, 10).
+Let a_22 = shift_sint8(i8_0, 0).
+Let a_23 = havoc(Mchar_undef_0, Mchar_0, a_22, 10).
Assume {
Type: is_sint16_chunk(Mint_0) /\ is_sint32_chunk(Mint_1) /\
is_sint64_chunk(Mint_2) /\ is_sint8_chunk(Mchar_0) /\
is_uint16_chunk(Mint_3) /\ is_uint32_chunk(Mint_4) /\
is_uint64_chunk(Mint_5) /\ is_uint8_chunk(Mint_6) /\ is_sint32(i) /\
- is_sint32(1 + i) /\ is_sint16_chunk(a_13) /\ is_sint32_chunk(a_17) /\
- is_sint64_chunk(a_21) /\ is_sint8_chunk(a_9) /\
- is_uint16_chunk(a_15) /\ is_uint32_chunk(a_19) /\
- is_uint64_chunk(a_23) /\ is_uint8_chunk(a_11) /\
- is_sint16_chunk(a_13[a_5 <- 3]) /\ is_sint32_chunk(a_17[a_3 <- 5]) /\
- is_sint64_chunk(a_21[a_1 <- 7]) /\ is_sint8_chunk(a_9[a_7 <- 1]) /\
- is_uint16_chunk(a_15[a_4 <- 4]) /\ is_uint32_chunk(a_19[a_2 <- 6]) /\
- is_uint64_chunk(a_23[a <- 8]) /\ is_uint8_chunk(a_11[a_6 <- 2]).
+ is_sint32(1 + i) /\ is_sint16_chunk(a_19) /\ is_sint32_chunk(a_15) /\
+ is_sint64_chunk(a_11) /\ is_sint8_chunk(a_23) /\
+ is_uint16_chunk(a_17) /\ is_uint32_chunk(a_13) /\
+ is_uint64_chunk(a_9) /\ is_uint8_chunk(a_21) /\
+ is_sint16_chunk(a_19[a_5 <- 3]) /\ is_sint32_chunk(a_15[a_3 <- 5]) /\
+ is_sint64_chunk(a_11[a_1 <- 7]) /\ is_sint8_chunk(a_23[a_7 <- 1]) /\
+ is_uint16_chunk(a_17[a_4 <- 4]) /\ is_uint32_chunk(a_13[a_2 <- 6]) /\
+ is_uint64_chunk(a_9[a <- 8]) /\ is_uint8_chunk(a_21[a_6 <- 2]).
(* Heap *)
Type: (region(i16_0.base) <= 0) /\ (region(i32_0.base) <= 0) /\
(region(i64_0.base) <= 0) /\ (region(i8_0.base) <= 0) /\
@@ -134,36 +134,36 @@ Assume {
(region(u64_0.base) <= 0) /\ (region(u8_0.base) <= 0) /\
linked(Malloc_0) /\ sconst(Mchar_0).
(* Pre-condition *)
- Have: valid_rw(Malloc_0, a_12, 10) /\ valid_rw(Malloc_0, a_16, 10) /\
- valid_rw(Malloc_0, a_20, 10) /\ valid_rw(Malloc_0, a_8, 10) /\
- valid_rw(Malloc_0, a_14, 10) /\ valid_rw(Malloc_0, a_18, 10) /\
- valid_rw(Malloc_0, a_22, 10) /\ valid_rw(Malloc_0, a_10, 10).
+ Have: valid_rw(Malloc_0, a_18, 10) /\ valid_rw(Malloc_0, a_14, 10) /\
+ valid_rw(Malloc_0, a_10, 10) /\ valid_rw(Malloc_0, a_22, 10) /\
+ valid_rw(Malloc_0, a_16, 10) /\ valid_rw(Malloc_0, a_12, 10) /\
+ valid_rw(Malloc_0, a_8, 10) /\ valid_rw(Malloc_0, a_20, 10).
(* Invariant *)
- Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_23[shift_uint64(u64_0, i_1)] = 8))).
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_21[shift_sint64(i64_0, i_1)] = 7))).
+ (a_23[shift_sint8(i8_0, i_1)] = 1))).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_19[shift_uint32(u32_0, i_1)] = 6))).
+ (a_21[shift_uint8(u8_0, i_1)] = 2))).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_17[shift_sint32(i32_0, i_1)] = 5))).
+ (a_19[shift_sint16(i16_0, i_1)] = 3))).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_15[shift_uint16(u16_0, i_1)] = 4))).
+ (a_17[shift_uint16(u16_0, i_1)] = 4))).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_13[shift_sint16(i16_0, i_1)] = 3))).
+ (a_15[shift_sint32(i32_0, i_1)] = 5))).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_11[shift_uint8(u8_0, i_1)] = 2))).
+ (a_13[shift_uint32(u32_0, i_1)] = 6))).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_9[shift_sint8(i8_0, i_1)] = 1))).
+ (a_11[shift_sint64(i64_0, i_1)] = 7))).
(* Invariant *)
- Have: (0 <= i) /\ (i <= 10).
+ Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
+ (a_9[shift_uint64(u64_0, i_1)] = 8))).
(* Then *)
Have: i <= 9.
(* Assertion 'rte,mem_access' *)
@@ -203,36 +203,36 @@ Let a_4 = shift_uint16(u16_0, i).
Let a_5 = shift_sint16(i16_0, i).
Let a_6 = shift_uint8(u8_0, i).
Let a_7 = shift_sint8(i8_0, i).
-Let a_8 = shift_sint8(i8_0, 0).
-Let a_9 = havoc(Mchar_undef_0, Mchar_0, a_8, 10).
-Let a_10 = shift_uint8(u8_0, 0).
-Let a_11 = havoc(Mint_undef_6, Mint_6, a_10, 10).
-Let a_12 = shift_sint16(i16_0, 0).
-Let a_13 = havoc(Mint_undef_0, Mint_0, a_12, 10).
-Let a_14 = shift_uint16(u16_0, 0).
-Let a_15 = havoc(Mint_undef_3, Mint_3, a_14, 10).
-Let a_16 = shift_sint32(i32_0, 0).
-Let a_17 = havoc(Mint_undef_1, Mint_1, a_16, 10).
-Let a_18 = shift_uint32(u32_0, 0).
-Let a_19 = havoc(Mint_undef_4, Mint_4, a_18, 10).
-Let a_20 = shift_sint64(i64_0, 0).
-Let a_21 = havoc(Mint_undef_2, Mint_2, a_20, 10).
-Let a_22 = shift_uint64(u64_0, 0).
-Let a_23 = havoc(Mint_undef_5, Mint_5, a_22, 10).
-Let a_24 = a_9[a_7 <- 1].
+Let a_8 = shift_uint64(u64_0, 0).
+Let a_9 = havoc(Mint_undef_5, Mint_5, a_8, 10).
+Let a_10 = shift_sint64(i64_0, 0).
+Let a_11 = havoc(Mint_undef_2, Mint_2, a_10, 10).
+Let a_12 = shift_uint32(u32_0, 0).
+Let a_13 = havoc(Mint_undef_4, Mint_4, a_12, 10).
+Let a_14 = shift_sint32(i32_0, 0).
+Let a_15 = havoc(Mint_undef_1, Mint_1, a_14, 10).
+Let a_16 = shift_uint16(u16_0, 0).
+Let a_17 = havoc(Mint_undef_3, Mint_3, a_16, 10).
+Let a_18 = shift_sint16(i16_0, 0).
+Let a_19 = havoc(Mint_undef_0, Mint_0, a_18, 10).
+Let a_20 = shift_uint8(u8_0, 0).
+Let a_21 = havoc(Mint_undef_6, Mint_6, a_20, 10).
+Let a_22 = shift_sint8(i8_0, 0).
+Let a_23 = havoc(Mchar_undef_0, Mchar_0, a_22, 10).
+Let a_24 = a_23[a_7 <- 1].
Assume {
Type: is_sint16_chunk(Mint_0) /\ is_sint32_chunk(Mint_1) /\
is_sint64_chunk(Mint_2) /\ is_sint8_chunk(Mchar_0) /\
is_uint16_chunk(Mint_3) /\ is_uint32_chunk(Mint_4) /\
is_uint64_chunk(Mint_5) /\ is_uint8_chunk(Mint_6) /\ is_sint32(i) /\
- is_sint32(1 + i) /\ is_sint16_chunk(a_13) /\ is_sint32_chunk(a_17) /\
- is_sint64_chunk(a_21) /\ is_sint8_chunk(a_9) /\
- is_uint16_chunk(a_15) /\ is_uint32_chunk(a_19) /\
- is_uint64_chunk(a_23) /\ is_uint8_chunk(a_11) /\
- is_sint16_chunk(a_13[a_5 <- 3]) /\ is_sint32_chunk(a_17[a_3 <- 5]) /\
- is_sint64_chunk(a_21[a_1 <- 7]) /\ is_sint8_chunk(a_24) /\
- is_uint16_chunk(a_15[a_4 <- 4]) /\ is_uint32_chunk(a_19[a_2 <- 6]) /\
- is_uint64_chunk(a_23[a <- 8]) /\ is_uint8_chunk(a_11[a_6 <- 2]).
+ is_sint32(1 + i) /\ is_sint16_chunk(a_19) /\ is_sint32_chunk(a_15) /\
+ is_sint64_chunk(a_11) /\ is_sint8_chunk(a_23) /\
+ is_uint16_chunk(a_17) /\ is_uint32_chunk(a_13) /\
+ is_uint64_chunk(a_9) /\ is_uint8_chunk(a_21) /\
+ is_sint16_chunk(a_19[a_5 <- 3]) /\ is_sint32_chunk(a_15[a_3 <- 5]) /\
+ is_sint64_chunk(a_11[a_1 <- 7]) /\ is_sint8_chunk(a_24) /\
+ is_uint16_chunk(a_17[a_4 <- 4]) /\ is_uint32_chunk(a_13[a_2 <- 6]) /\
+ is_uint64_chunk(a_9[a <- 8]) /\ is_uint8_chunk(a_21[a_6 <- 2]).
(* Heap *)
Type: (region(i16_0.base) <= 0) /\ (region(i32_0.base) <= 0) /\
(region(i64_0.base) <= 0) /\ (region(i8_0.base) <= 0) /\
@@ -240,38 +240,38 @@ Assume {
(region(u64_0.base) <= 0) /\ (region(u8_0.base) <= 0) /\
linked(Malloc_0) /\ sconst(Mchar_0).
(* Goal *)
- When: (0 <= i_1) /\ (i_1 <= i).
+ When: (i_1 <= i) /\ (0 <= i_1).
(* Pre-condition *)
- Have: valid_rw(Malloc_0, a_12, 10) /\ valid_rw(Malloc_0, a_16, 10) /\
- valid_rw(Malloc_0, a_20, 10) /\ valid_rw(Malloc_0, a_8, 10) /\
- valid_rw(Malloc_0, a_14, 10) /\ valid_rw(Malloc_0, a_18, 10) /\
- valid_rw(Malloc_0, a_22, 10) /\ valid_rw(Malloc_0, a_10, 10).
+ Have: valid_rw(Malloc_0, a_18, 10) /\ valid_rw(Malloc_0, a_14, 10) /\
+ valid_rw(Malloc_0, a_10, 10) /\ valid_rw(Malloc_0, a_22, 10) /\
+ valid_rw(Malloc_0, a_16, 10) /\ valid_rw(Malloc_0, a_12, 10) /\
+ valid_rw(Malloc_0, a_8, 10) /\ valid_rw(Malloc_0, a_20, 10).
(* Invariant *)
- Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_23[shift_uint64(u64_0, i_2)] = 8))).
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_21[shift_sint64(i64_0, i_2)] = 7))).
+ (a_23[shift_sint8(i8_0, i_2)] = 1))).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_19[shift_uint32(u32_0, i_2)] = 6))).
+ (a_21[shift_uint8(u8_0, i_2)] = 2))).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_17[shift_sint32(i32_0, i_2)] = 5))).
+ (a_19[shift_sint16(i16_0, i_2)] = 3))).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_15[shift_uint16(u16_0, i_2)] = 4))).
+ (a_17[shift_uint16(u16_0, i_2)] = 4))).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_13[shift_sint16(i16_0, i_2)] = 3))).
+ (a_15[shift_sint32(i32_0, i_2)] = 5))).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_11[shift_uint8(u8_0, i_2)] = 2))).
+ (a_13[shift_uint32(u32_0, i_2)] = 6))).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_9[shift_sint8(i8_0, i_2)] = 1))).
+ (a_11[shift_sint64(i64_0, i_2)] = 7))).
(* Invariant *)
- Have: (0 <= i) /\ (i <= 10).
+ Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
+ (a_9[shift_uint64(u64_0, i_2)] = 8))).
(* Then *)
Have: i <= 9.
(* Assertion 'rte,mem_access' *)
@@ -292,6 +292,8 @@ Assume {
Have: valid_rw(Malloc_0, a, 1).
(* Assertion 'rte,signed_overflow' *)
Have: i <= 2147483646.
+ (* Invariant *)
+ Have: (-1) <= i.
}
Prove: a_24[shift_sint8(i8_0, i_1)] = 1.
@@ -303,44 +305,45 @@ Prove: true.
------------------------------------------------------------
Goal Preservation of Invariant (file tests/wp_acsl/chunk_typing.i, line 33):
-Let a = shift_uint64(u64_0, i).
-Let a_1 = shift_sint64(i64_0, i).
-Let a_2 = shift_uint32(u32_0, i).
-Let a_3 = shift_sint32(i32_0, i).
-Let a_4 = shift_uint16(u16_0, i).
-Let a_5 = shift_sint16(i16_0, i).
-Let a_6 = shift_uint8(u8_0, i).
-Let a_7 = shift_sint8(i8_0, i).
-Let a_8 = shift_sint8(i8_0, 0).
-Let a_9 = havoc(Mchar_undef_0, Mchar_0, a_8, 10).
-Let a_10 = shift_uint8(u8_0, 0).
-Let a_11 = havoc(Mint_undef_0, Mint_0, a_10, 10).
-Let a_12 = shift_sint16(i16_0, 0).
-Let a_13 = havoc(Mint_undef_1, Mint_1, a_12, 10).
-Let a_14 = shift_uint16(u16_0, 0).
-Let a_15 = havoc(Mint_undef_4, Mint_4, a_14, 10).
-Let a_16 = shift_sint32(i32_0, 0).
-Let a_17 = havoc(Mint_undef_2, Mint_2, a_16, 10).
-Let a_18 = shift_uint32(u32_0, 0).
-Let a_19 = havoc(Mint_undef_5, Mint_5, a_18, 10).
-Let a_20 = shift_sint64(i64_0, 0).
-Let a_21 = havoc(Mint_undef_3, Mint_3, a_20, 10).
-Let a_22 = shift_uint64(u64_0, 0).
-Let a_23 = havoc(Mint_undef_6, Mint_6, a_22, 10).
-Let a_24 = a_11[a_6 <- 2].
+Let a = shift_sint8(i8_0, 0).
+Let a_1 = havoc(Mchar_undef_0, Mchar_0, a, 10).
+Let a_2 = shift_sint8(i8_0, i).
+Let a_3 = a_1[a_2 <- 1].
+Let a_4 = shift_uint64(u64_0, i).
+Let a_5 = shift_sint64(i64_0, i).
+Let a_6 = shift_uint32(u32_0, i).
+Let a_7 = shift_sint32(i32_0, i).
+Let a_8 = shift_uint16(u16_0, i).
+Let a_9 = shift_sint16(i16_0, i).
+Let a_10 = shift_uint8(u8_0, i).
+Let a_11 = shift_uint64(u64_0, 0).
+Let a_12 = havoc(Mint_undef_6, Mint_6, a_11, 10).
+Let a_13 = shift_sint64(i64_0, 0).
+Let a_14 = havoc(Mint_undef_3, Mint_3, a_13, 10).
+Let a_15 = shift_uint32(u32_0, 0).
+Let a_16 = havoc(Mint_undef_5, Mint_5, a_15, 10).
+Let a_17 = shift_sint32(i32_0, 0).
+Let a_18 = havoc(Mint_undef_2, Mint_2, a_17, 10).
+Let a_19 = shift_uint16(u16_0, 0).
+Let a_20 = havoc(Mint_undef_4, Mint_4, a_19, 10).
+Let a_21 = shift_sint16(i16_0, 0).
+Let a_22 = havoc(Mint_undef_1, Mint_1, a_21, 10).
+Let a_23 = shift_uint8(u8_0, 0).
+Let a_24 = havoc(Mint_undef_0, Mint_0, a_23, 10).
+Let a_25 = a_24[a_10 <- 2].
Assume {
Type: is_sint16_chunk(Mint_1) /\ is_sint32_chunk(Mint_2) /\
is_sint64_chunk(Mint_3) /\ is_sint8_chunk(Mchar_0) /\
is_uint16_chunk(Mint_4) /\ is_uint32_chunk(Mint_5) /\
is_uint64_chunk(Mint_6) /\ is_uint8_chunk(Mint_0) /\ is_sint32(i) /\
- is_sint32(1 + i) /\ is_sint16_chunk(a_13) /\ is_sint32_chunk(a_17) /\
- is_sint64_chunk(a_21) /\ is_sint8_chunk(a_9) /\
- is_uint16_chunk(a_15) /\ is_uint32_chunk(a_19) /\
- is_uint64_chunk(a_23) /\ is_uint8_chunk(a_11) /\
- is_sint16_chunk(a_13[a_5 <- 3]) /\ is_sint32_chunk(a_17[a_3 <- 5]) /\
- is_sint64_chunk(a_21[a_1 <- 7]) /\ is_sint8_chunk(a_9[a_7 <- 1]) /\
- is_uint16_chunk(a_15[a_4 <- 4]) /\ is_uint32_chunk(a_19[a_2 <- 6]) /\
- is_uint64_chunk(a_23[a <- 8]) /\ is_uint8_chunk(a_24).
+ is_sint32(1 + i) /\ is_sint16_chunk(a_22) /\ is_sint32_chunk(a_18) /\
+ is_sint64_chunk(a_14) /\ is_sint8_chunk(a_1) /\
+ is_uint16_chunk(a_20) /\ is_uint32_chunk(a_16) /\
+ is_uint64_chunk(a_12) /\ is_uint8_chunk(a_24) /\
+ is_sint16_chunk(a_22[a_9 <- 3]) /\ is_sint32_chunk(a_18[a_7 <- 5]) /\
+ is_sint64_chunk(a_14[a_5 <- 7]) /\ is_sint8_chunk(a_3) /\
+ is_uint16_chunk(a_20[a_8 <- 4]) /\ is_uint32_chunk(a_16[a_6 <- 6]) /\
+ is_uint64_chunk(a_12[a_4 <- 8]) /\ is_uint8_chunk(a_25).
(* Heap *)
Type: (region(i16_0.base) <= 0) /\ (region(i32_0.base) <= 0) /\
(region(i64_0.base) <= 0) /\ (region(i8_0.base) <= 0) /\
@@ -348,60 +351,65 @@ Assume {
(region(u64_0.base) <= 0) /\ (region(u8_0.base) <= 0) /\
linked(Malloc_0) /\ sconst(Mchar_0).
(* Goal *)
- When: (0 <= i_1) /\ (i_1 <= i).
+ When: (i_1 <= i) /\ (0 <= i_1).
(* Pre-condition *)
- Have: valid_rw(Malloc_0, a_12, 10) /\ valid_rw(Malloc_0, a_16, 10) /\
- valid_rw(Malloc_0, a_20, 10) /\ valid_rw(Malloc_0, a_8, 10) /\
- valid_rw(Malloc_0, a_14, 10) /\ valid_rw(Malloc_0, a_18, 10) /\
- valid_rw(Malloc_0, a_22, 10) /\ valid_rw(Malloc_0, a_10, 10).
+ Have: valid_rw(Malloc_0, a_21, 10) /\ valid_rw(Malloc_0, a_17, 10) /\
+ valid_rw(Malloc_0, a_13, 10) /\ valid_rw(Malloc_0, a, 10) /\
+ valid_rw(Malloc_0, a_19, 10) /\ valid_rw(Malloc_0, a_15, 10) /\
+ valid_rw(Malloc_0, a_11, 10) /\ valid_rw(Malloc_0, a_23, 10).
(* Invariant *)
- Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_23[shift_uint64(u64_0, i_2)] = 8))).
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_21[shift_sint64(i64_0, i_2)] = 7))).
+ (a_1[shift_sint8(i8_0, i_2)] = 1))).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_19[shift_uint32(u32_0, i_2)] = 6))).
+ (a_24[shift_uint8(u8_0, i_2)] = 2))).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_17[shift_sint32(i32_0, i_2)] = 5))).
+ (a_22[shift_sint16(i16_0, i_2)] = 3))).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_15[shift_uint16(u16_0, i_2)] = 4))).
+ (a_20[shift_uint16(u16_0, i_2)] = 4))).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_13[shift_sint16(i16_0, i_2)] = 3))).
+ (a_18[shift_sint32(i32_0, i_2)] = 5))).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_11[shift_uint8(u8_0, i_2)] = 2))).
+ (a_16[shift_uint32(u32_0, i_2)] = 6))).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_9[shift_sint8(i8_0, i_2)] = 1))).
+ (a_14[shift_sint64(i64_0, i_2)] = 7))).
(* Invariant *)
- Have: (0 <= i) /\ (i <= 10).
+ Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
+ (a_12[shift_uint64(u64_0, i_2)] = 8))).
(* Then *)
Have: i <= 9.
(* Assertion 'rte,mem_access' *)
- Have: valid_rw(Malloc_0, a_7, 1).
+ Have: valid_rw(Malloc_0, a_2, 1).
(* Assertion 'rte,mem_access' *)
- Have: valid_rw(Malloc_0, a_6, 1).
+ Have: valid_rw(Malloc_0, a_10, 1).
(* Assertion 'rte,mem_access' *)
- Have: valid_rw(Malloc_0, a_5, 1).
+ Have: valid_rw(Malloc_0, a_9, 1).
(* Assertion 'rte,mem_access' *)
- Have: valid_rw(Malloc_0, a_4, 1).
+ Have: valid_rw(Malloc_0, a_8, 1).
(* Assertion 'rte,mem_access' *)
- Have: valid_rw(Malloc_0, a_3, 1).
+ Have: valid_rw(Malloc_0, a_7, 1).
(* Assertion 'rte,mem_access' *)
- Have: valid_rw(Malloc_0, a_2, 1).
+ Have: valid_rw(Malloc_0, a_6, 1).
(* Assertion 'rte,mem_access' *)
- Have: valid_rw(Malloc_0, a_1, 1).
+ Have: valid_rw(Malloc_0, a_5, 1).
(* Assertion 'rte,mem_access' *)
- Have: valid_rw(Malloc_0, a, 1).
+ Have: valid_rw(Malloc_0, a_4, 1).
(* Assertion 'rte,signed_overflow' *)
Have: i <= 2147483646.
+ (* Invariant *)
+ Have: (-1) <= i.
+ (* Invariant *)
+ Have: forall i_2 : Z. ((i_2 <= i) -> ((0 <= i_2) ->
+ (a_3[shift_sint8(i8_0, i_2)] = 1))).
}
-Prove: a_24[shift_uint8(u8_0, i_1)] = 2.
+Prove: a_25[shift_uint8(u8_0, i_1)] = 2.
------------------------------------------------------------
@@ -411,44 +419,46 @@ Prove: true.
------------------------------------------------------------
Goal Preservation of Invariant (file tests/wp_acsl/chunk_typing.i, line 34):
-Let a = shift_uint64(u64_0, i).
-Let a_1 = shift_sint64(i64_0, i).
-Let a_2 = shift_uint32(u32_0, i).
-Let a_3 = shift_sint32(i32_0, i).
-Let a_4 = shift_uint16(u16_0, i).
-Let a_5 = shift_sint16(i16_0, i).
-Let a_6 = shift_uint8(u8_0, i).
-Let a_7 = shift_sint8(i8_0, i).
-Let a_8 = shift_sint8(i8_0, 0).
-Let a_9 = havoc(Mchar_undef_0, Mchar_0, a_8, 10).
-Let a_10 = shift_uint8(u8_0, 0).
-Let a_11 = havoc(Mint_undef_6, Mint_6, a_10, 10).
-Let a_12 = shift_sint16(i16_0, 0).
-Let a_13 = havoc(Mint_undef_0, Mint_0, a_12, 10).
-Let a_14 = shift_uint16(u16_0, 0).
-Let a_15 = havoc(Mint_undef_3, Mint_3, a_14, 10).
-Let a_16 = shift_sint32(i32_0, 0).
-Let a_17 = havoc(Mint_undef_1, Mint_1, a_16, 10).
+Let a = shift_uint8(u8_0, 0).
+Let a_1 = havoc(Mint_undef_6, Mint_6, a, 10).
+Let a_2 = shift_uint8(u8_0, i).
+Let a_3 = a_1[a_2 <- 2].
+Let a_4 = shift_sint8(i8_0, 0).
+Let a_5 = havoc(Mchar_undef_0, Mchar_0, a_4, 10).
+Let a_6 = shift_sint8(i8_0, i).
+Let a_7 = a_5[a_6 <- 1].
+Let a_8 = shift_uint64(u64_0, i).
+Let a_9 = shift_sint64(i64_0, i).
+Let a_10 = shift_uint32(u32_0, i).
+Let a_11 = shift_sint32(i32_0, i).
+Let a_12 = shift_uint16(u16_0, i).
+Let a_13 = shift_sint16(i16_0, i).
+Let a_14 = shift_uint64(u64_0, 0).
+Let a_15 = havoc(Mint_undef_5, Mint_5, a_14, 10).
+Let a_16 = shift_sint64(i64_0, 0).
+Let a_17 = havoc(Mint_undef_2, Mint_2, a_16, 10).
Let a_18 = shift_uint32(u32_0, 0).
Let a_19 = havoc(Mint_undef_4, Mint_4, a_18, 10).
-Let a_20 = shift_sint64(i64_0, 0).
-Let a_21 = havoc(Mint_undef_2, Mint_2, a_20, 10).
-Let a_22 = shift_uint64(u64_0, 0).
-Let a_23 = havoc(Mint_undef_5, Mint_5, a_22, 10).
-Let a_24 = a_13[a_5 <- 3].
+Let a_20 = shift_sint32(i32_0, 0).
+Let a_21 = havoc(Mint_undef_1, Mint_1, a_20, 10).
+Let a_22 = shift_uint16(u16_0, 0).
+Let a_23 = havoc(Mint_undef_3, Mint_3, a_22, 10).
+Let a_24 = shift_sint16(i16_0, 0).
+Let a_25 = havoc(Mint_undef_0, Mint_0, a_24, 10).
+Let a_26 = a_25[a_13 <- 3].
Assume {
Type: is_sint16_chunk(Mint_0) /\ is_sint32_chunk(Mint_1) /\
is_sint64_chunk(Mint_2) /\ is_sint8_chunk(Mchar_0) /\
is_uint16_chunk(Mint_3) /\ is_uint32_chunk(Mint_4) /\
is_uint64_chunk(Mint_5) /\ is_uint8_chunk(Mint_6) /\ is_sint32(i) /\
- is_sint32(1 + i) /\ is_sint16_chunk(a_13) /\ is_sint32_chunk(a_17) /\
- is_sint64_chunk(a_21) /\ is_sint8_chunk(a_9) /\
- is_uint16_chunk(a_15) /\ is_uint32_chunk(a_19) /\
- is_uint64_chunk(a_23) /\ is_uint8_chunk(a_11) /\
- is_sint16_chunk(a_24) /\ is_sint32_chunk(a_17[a_3 <- 5]) /\
- is_sint64_chunk(a_21[a_1 <- 7]) /\ is_sint8_chunk(a_9[a_7 <- 1]) /\
- is_uint16_chunk(a_15[a_4 <- 4]) /\ is_uint32_chunk(a_19[a_2 <- 6]) /\
- is_uint64_chunk(a_23[a <- 8]) /\ is_uint8_chunk(a_11[a_6 <- 2]).
+ is_sint32(1 + i) /\ is_sint16_chunk(a_25) /\ is_sint32_chunk(a_21) /\
+ is_sint64_chunk(a_17) /\ is_sint8_chunk(a_5) /\
+ is_uint16_chunk(a_23) /\ is_uint32_chunk(a_19) /\
+ is_uint64_chunk(a_15) /\ is_uint8_chunk(a_1) /\
+ is_sint16_chunk(a_26) /\ is_sint32_chunk(a_21[a_11 <- 5]) /\
+ is_sint64_chunk(a_17[a_9 <- 7]) /\ is_sint8_chunk(a_7) /\
+ is_uint16_chunk(a_23[a_12 <- 4]) /\ is_uint32_chunk(a_19[a_10 <- 6]) /\
+ is_uint64_chunk(a_15[a_8 <- 8]) /\ is_uint8_chunk(a_3).
(* Heap *)
Type: (region(i16_0.base) <= 0) /\ (region(i32_0.base) <= 0) /\
(region(i64_0.base) <= 0) /\ (region(i8_0.base) <= 0) /\
@@ -456,60 +466,68 @@ Assume {
(region(u64_0.base) <= 0) /\ (region(u8_0.base) <= 0) /\
linked(Malloc_0) /\ sconst(Mchar_0).
(* Goal *)
- When: (0 <= i_1) /\ (i_1 <= i).
+ When: (i_1 <= i) /\ (0 <= i_1).
(* Pre-condition *)
- Have: valid_rw(Malloc_0, a_12, 10) /\ valid_rw(Malloc_0, a_16, 10) /\
- valid_rw(Malloc_0, a_20, 10) /\ valid_rw(Malloc_0, a_8, 10) /\
- valid_rw(Malloc_0, a_14, 10) /\ valid_rw(Malloc_0, a_18, 10) /\
- valid_rw(Malloc_0, a_22, 10) /\ valid_rw(Malloc_0, a_10, 10).
+ Have: valid_rw(Malloc_0, a_24, 10) /\ valid_rw(Malloc_0, a_20, 10) /\
+ valid_rw(Malloc_0, a_16, 10) /\ valid_rw(Malloc_0, a_4, 10) /\
+ valid_rw(Malloc_0, a_22, 10) /\ valid_rw(Malloc_0, a_18, 10) /\
+ valid_rw(Malloc_0, a_14, 10) /\ valid_rw(Malloc_0, a, 10).
(* Invariant *)
- Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_23[shift_uint64(u64_0, i_2)] = 8))).
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_21[shift_sint64(i64_0, i_2)] = 7))).
+ (a_5[shift_sint8(i8_0, i_2)] = 1))).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_19[shift_uint32(u32_0, i_2)] = 6))).
+ (a_1[shift_uint8(u8_0, i_2)] = 2))).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_17[shift_sint32(i32_0, i_2)] = 5))).
+ (a_25[shift_sint16(i16_0, i_2)] = 3))).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_15[shift_uint16(u16_0, i_2)] = 4))).
+ (a_23[shift_uint16(u16_0, i_2)] = 4))).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_13[shift_sint16(i16_0, i_2)] = 3))).
+ (a_21[shift_sint32(i32_0, i_2)] = 5))).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_11[shift_uint8(u8_0, i_2)] = 2))).
+ (a_19[shift_uint32(u32_0, i_2)] = 6))).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_9[shift_sint8(i8_0, i_2)] = 1))).
+ (a_17[shift_sint64(i64_0, i_2)] = 7))).
(* Invariant *)
- Have: (0 <= i) /\ (i <= 10).
+ Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
+ (a_15[shift_uint64(u64_0, i_2)] = 8))).
(* Then *)
Have: i <= 9.
(* Assertion 'rte,mem_access' *)
- Have: valid_rw(Malloc_0, a_7, 1).
- (* Assertion 'rte,mem_access' *)
Have: valid_rw(Malloc_0, a_6, 1).
(* Assertion 'rte,mem_access' *)
- Have: valid_rw(Malloc_0, a_5, 1).
+ Have: valid_rw(Malloc_0, a_2, 1).
(* Assertion 'rte,mem_access' *)
- Have: valid_rw(Malloc_0, a_4, 1).
+ Have: valid_rw(Malloc_0, a_13, 1).
(* Assertion 'rte,mem_access' *)
- Have: valid_rw(Malloc_0, a_3, 1).
+ Have: valid_rw(Malloc_0, a_12, 1).
(* Assertion 'rte,mem_access' *)
- Have: valid_rw(Malloc_0, a_2, 1).
+ Have: valid_rw(Malloc_0, a_11, 1).
(* Assertion 'rte,mem_access' *)
- Have: valid_rw(Malloc_0, a_1, 1).
+ Have: valid_rw(Malloc_0, a_10, 1).
(* Assertion 'rte,mem_access' *)
- Have: valid_rw(Malloc_0, a, 1).
+ Have: valid_rw(Malloc_0, a_9, 1).
+ (* Assertion 'rte,mem_access' *)
+ Have: valid_rw(Malloc_0, a_8, 1).
(* Assertion 'rte,signed_overflow' *)
Have: i <= 2147483646.
+ (* Invariant *)
+ Have: (-1) <= i.
+ (* Invariant *)
+ Have: forall i_2 : Z. ((i_2 <= i) -> ((0 <= i_2) ->
+ (a_7[shift_sint8(i8_0, i_2)] = 1))).
+ (* Invariant *)
+ Have: forall i_2 : Z. ((i_2 <= i) -> ((0 <= i_2) ->
+ (a_3[shift_uint8(u8_0, i_2)] = 2))).
}
-Prove: a_24[shift_sint16(i16_0, i_1)] = 3.
+Prove: a_26[shift_sint16(i16_0, i_1)] = 3.
------------------------------------------------------------
@@ -519,44 +537,47 @@ Prove: true.
------------------------------------------------------------
Goal Preservation of Invariant (file tests/wp_acsl/chunk_typing.i, line 35):
-Let a = shift_uint64(u64_0, i).
-Let a_1 = shift_sint64(i64_0, i).
-Let a_2 = shift_uint32(u32_0, i).
-Let a_3 = shift_sint32(i32_0, i).
-Let a_4 = shift_uint16(u16_0, i).
-Let a_5 = shift_sint16(i16_0, i).
+Let a = shift_sint16(i16_0, 0).
+Let a_1 = havoc(Mint_undef_1, Mint_1, a, 10).
+Let a_2 = shift_sint16(i16_0, i).
+Let a_3 = a_1[a_2 <- 3].
+Let a_4 = shift_uint8(u8_0, 0).
+Let a_5 = havoc(Mint_undef_6, Mint_6, a_4, 10).
Let a_6 = shift_uint8(u8_0, i).
-Let a_7 = shift_sint8(i8_0, i).
+Let a_7 = a_5[a_6 <- 2].
Let a_8 = shift_sint8(i8_0, 0).
Let a_9 = havoc(Mchar_undef_0, Mchar_0, a_8, 10).
-Let a_10 = shift_uint8(u8_0, 0).
-Let a_11 = havoc(Mint_undef_6, Mint_6, a_10, 10).
-Let a_12 = shift_sint16(i16_0, 0).
-Let a_13 = havoc(Mint_undef_1, Mint_1, a_12, 10).
-Let a_14 = shift_uint16(u16_0, 0).
-Let a_15 = havoc(Mint_undef_0, Mint_0, a_14, 10).
-Let a_16 = shift_sint32(i32_0, 0).
-Let a_17 = havoc(Mint_undef_2, Mint_2, a_16, 10).
-Let a_18 = shift_uint32(u32_0, 0).
-Let a_19 = havoc(Mint_undef_4, Mint_4, a_18, 10).
-Let a_20 = shift_sint64(i64_0, 0).
-Let a_21 = havoc(Mint_undef_3, Mint_3, a_20, 10).
-Let a_22 = shift_uint64(u64_0, 0).
-Let a_23 = havoc(Mint_undef_5, Mint_5, a_22, 10).
-Let a_24 = a_15[a_4 <- 4].
+Let a_10 = shift_sint8(i8_0, i).
+Let a_11 = a_9[a_10 <- 1].
+Let a_12 = shift_uint64(u64_0, i).
+Let a_13 = shift_sint64(i64_0, i).
+Let a_14 = shift_uint32(u32_0, i).
+Let a_15 = shift_sint32(i32_0, i).
+Let a_16 = shift_uint16(u16_0, i).
+Let a_17 = shift_uint64(u64_0, 0).
+Let a_18 = havoc(Mint_undef_5, Mint_5, a_17, 10).
+Let a_19 = shift_sint64(i64_0, 0).
+Let a_20 = havoc(Mint_undef_3, Mint_3, a_19, 10).
+Let a_21 = shift_uint32(u32_0, 0).
+Let a_22 = havoc(Mint_undef_4, Mint_4, a_21, 10).
+Let a_23 = shift_sint32(i32_0, 0).
+Let a_24 = havoc(Mint_undef_2, Mint_2, a_23, 10).
+Let a_25 = shift_uint16(u16_0, 0).
+Let a_26 = havoc(Mint_undef_0, Mint_0, a_25, 10).
+Let a_27 = a_26[a_16 <- 4].
Assume {
Type: is_sint16_chunk(Mint_1) /\ is_sint32_chunk(Mint_2) /\
is_sint64_chunk(Mint_3) /\ is_sint8_chunk(Mchar_0) /\
is_uint16_chunk(Mint_0) /\ is_uint32_chunk(Mint_4) /\
is_uint64_chunk(Mint_5) /\ is_uint8_chunk(Mint_6) /\ is_sint32(i) /\
- is_sint32(1 + i) /\ is_sint16_chunk(a_13) /\ is_sint32_chunk(a_17) /\
- is_sint64_chunk(a_21) /\ is_sint8_chunk(a_9) /\
- is_uint16_chunk(a_15) /\ is_uint32_chunk(a_19) /\
- is_uint64_chunk(a_23) /\ is_uint8_chunk(a_11) /\
- is_sint16_chunk(a_13[a_5 <- 3]) /\ is_sint32_chunk(a_17[a_3 <- 5]) /\
- is_sint64_chunk(a_21[a_1 <- 7]) /\ is_sint8_chunk(a_9[a_7 <- 1]) /\
- is_uint16_chunk(a_24) /\ is_uint32_chunk(a_19[a_2 <- 6]) /\
- is_uint64_chunk(a_23[a <- 8]) /\ is_uint8_chunk(a_11[a_6 <- 2]).
+ is_sint32(1 + i) /\ is_sint16_chunk(a_1) /\ is_sint32_chunk(a_24) /\
+ is_sint64_chunk(a_20) /\ is_sint8_chunk(a_9) /\
+ is_uint16_chunk(a_26) /\ is_uint32_chunk(a_22) /\
+ is_uint64_chunk(a_18) /\ is_uint8_chunk(a_5) /\ is_sint16_chunk(a_3) /\
+ is_sint32_chunk(a_24[a_15 <- 5]) /\ is_sint64_chunk(a_20[a_13 <- 7]) /\
+ is_sint8_chunk(a_11) /\ is_uint16_chunk(a_27) /\
+ is_uint32_chunk(a_22[a_14 <- 6]) /\ is_uint64_chunk(a_18[a_12 <- 8]) /\
+ is_uint8_chunk(a_7).
(* Heap *)
Type: (region(i16_0.base) <= 0) /\ (region(i32_0.base) <= 0) /\
(region(i64_0.base) <= 0) /\ (region(i8_0.base) <= 0) /\
@@ -564,60 +585,71 @@ Assume {
(region(u64_0.base) <= 0) /\ (region(u8_0.base) <= 0) /\
linked(Malloc_0) /\ sconst(Mchar_0).
(* Goal *)
- When: (0 <= i_1) /\ (i_1 <= i).
+ When: (i_1 <= i) /\ (0 <= i_1).
(* Pre-condition *)
- Have: valid_rw(Malloc_0, a_12, 10) /\ valid_rw(Malloc_0, a_16, 10) /\
- valid_rw(Malloc_0, a_20, 10) /\ valid_rw(Malloc_0, a_8, 10) /\
- valid_rw(Malloc_0, a_14, 10) /\ valid_rw(Malloc_0, a_18, 10) /\
- valid_rw(Malloc_0, a_22, 10) /\ valid_rw(Malloc_0, a_10, 10).
+ Have: valid_rw(Malloc_0, a, 10) /\ valid_rw(Malloc_0, a_23, 10) /\
+ valid_rw(Malloc_0, a_19, 10) /\ valid_rw(Malloc_0, a_8, 10) /\
+ valid_rw(Malloc_0, a_25, 10) /\ valid_rw(Malloc_0, a_21, 10) /\
+ valid_rw(Malloc_0, a_17, 10) /\ valid_rw(Malloc_0, a_4, 10).
(* Invariant *)
- Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_23[shift_uint64(u64_0, i_2)] = 8))).
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_21[shift_sint64(i64_0, i_2)] = 7))).
+ (a_9[shift_sint8(i8_0, i_2)] = 1))).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_19[shift_uint32(u32_0, i_2)] = 6))).
+ (a_5[shift_uint8(u8_0, i_2)] = 2))).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_17[shift_sint32(i32_0, i_2)] = 5))).
+ (a_1[shift_sint16(i16_0, i_2)] = 3))).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_15[shift_uint16(u16_0, i_2)] = 4))).
+ (a_26[shift_uint16(u16_0, i_2)] = 4))).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_13[shift_sint16(i16_0, i_2)] = 3))).
+ (a_24[shift_sint32(i32_0, i_2)] = 5))).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_11[shift_uint8(u8_0, i_2)] = 2))).
+ (a_22[shift_uint32(u32_0, i_2)] = 6))).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_9[shift_sint8(i8_0, i_2)] = 1))).
+ (a_20[shift_sint64(i64_0, i_2)] = 7))).
(* Invariant *)
- Have: (0 <= i) /\ (i <= 10).
+ Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
+ (a_18[shift_uint64(u64_0, i_2)] = 8))).
(* Then *)
Have: i <= 9.
(* Assertion 'rte,mem_access' *)
- Have: valid_rw(Malloc_0, a_7, 1).
+ Have: valid_rw(Malloc_0, a_10, 1).
(* Assertion 'rte,mem_access' *)
Have: valid_rw(Malloc_0, a_6, 1).
(* Assertion 'rte,mem_access' *)
- Have: valid_rw(Malloc_0, a_5, 1).
+ Have: valid_rw(Malloc_0, a_2, 1).
(* Assertion 'rte,mem_access' *)
- Have: valid_rw(Malloc_0, a_4, 1).
+ Have: valid_rw(Malloc_0, a_16, 1).
(* Assertion 'rte,mem_access' *)
- Have: valid_rw(Malloc_0, a_3, 1).
+ Have: valid_rw(Malloc_0, a_15, 1).
(* Assertion 'rte,mem_access' *)
- Have: valid_rw(Malloc_0, a_2, 1).
+ Have: valid_rw(Malloc_0, a_14, 1).
(* Assertion 'rte,mem_access' *)
- Have: valid_rw(Malloc_0, a_1, 1).
+ Have: valid_rw(Malloc_0, a_13, 1).
(* Assertion 'rte,mem_access' *)
- Have: valid_rw(Malloc_0, a, 1).
+ Have: valid_rw(Malloc_0, a_12, 1).
(* Assertion 'rte,signed_overflow' *)
Have: i <= 2147483646.
+ (* Invariant *)
+ Have: (-1) <= i.
+ (* Invariant *)
+ Have: forall i_2 : Z. ((i_2 <= i) -> ((0 <= i_2) ->
+ (a_11[shift_sint8(i8_0, i_2)] = 1))).
+ (* Invariant *)
+ Have: forall i_2 : Z. ((i_2 <= i) -> ((0 <= i_2) ->
+ (a_7[shift_uint8(u8_0, i_2)] = 2))).
+ (* Invariant *)
+ Have: forall i_2 : Z. ((i_2 <= i) -> ((0 <= i_2) ->
+ (a_3[shift_sint16(i16_0, i_2)] = 3))).
}
-Prove: a_24[shift_uint16(u16_0, i_1)] = 4.
+Prove: a_27[shift_uint16(u16_0, i_1)] = 4.
------------------------------------------------------------
@@ -627,44 +659,48 @@ Prove: true.
------------------------------------------------------------
Goal Preservation of Invariant (file tests/wp_acsl/chunk_typing.i, line 36):
-Let a = shift_uint64(u64_0, i).
-Let a_1 = shift_sint64(i64_0, i).
-Let a_2 = shift_uint32(u32_0, i).
-Let a_3 = shift_sint32(i32_0, i).
-Let a_4 = shift_uint16(u16_0, i).
-Let a_5 = shift_sint16(i16_0, i).
-Let a_6 = shift_uint8(u8_0, i).
-Let a_7 = shift_sint8(i8_0, i).
-Let a_8 = shift_sint8(i8_0, 0).
-Let a_9 = havoc(Mchar_undef_0, Mchar_0, a_8, 10).
-Let a_10 = shift_uint8(u8_0, 0).
-Let a_11 = havoc(Mint_undef_6, Mint_6, a_10, 10).
-Let a_12 = shift_sint16(i16_0, 0).
-Let a_13 = havoc(Mint_undef_1, Mint_1, a_12, 10).
-Let a_14 = shift_uint16(u16_0, 0).
-Let a_15 = havoc(Mint_undef_3, Mint_3, a_14, 10).
-Let a_16 = shift_sint32(i32_0, 0).
-Let a_17 = havoc(Mint_undef_0, Mint_0, a_16, 10).
-Let a_18 = shift_uint32(u32_0, 0).
-Let a_19 = havoc(Mint_undef_4, Mint_4, a_18, 10).
-Let a_20 = shift_sint64(i64_0, 0).
-Let a_21 = havoc(Mint_undef_2, Mint_2, a_20, 10).
-Let a_22 = shift_uint64(u64_0, 0).
-Let a_23 = havoc(Mint_undef_5, Mint_5, a_22, 10).
-Let a_24 = a_17[a_3 <- 5].
+Let a = shift_uint16(u16_0, 0).
+Let a_1 = havoc(Mint_undef_3, Mint_3, a, 10).
+Let a_2 = shift_uint16(u16_0, i).
+Let a_3 = a_1[a_2 <- 4].
+Let a_4 = shift_sint16(i16_0, 0).
+Let a_5 = havoc(Mint_undef_1, Mint_1, a_4, 10).
+Let a_6 = shift_sint16(i16_0, i).
+Let a_7 = a_5[a_6 <- 3].
+Let a_8 = shift_uint8(u8_0, 0).
+Let a_9 = havoc(Mint_undef_6, Mint_6, a_8, 10).
+Let a_10 = shift_uint8(u8_0, i).
+Let a_11 = a_9[a_10 <- 2].
+Let a_12 = shift_sint8(i8_0, 0).
+Let a_13 = havoc(Mchar_undef_0, Mchar_0, a_12, 10).
+Let a_14 = shift_sint8(i8_0, i).
+Let a_15 = a_13[a_14 <- 1].
+Let a_16 = shift_uint64(u64_0, i).
+Let a_17 = shift_sint64(i64_0, i).
+Let a_18 = shift_uint32(u32_0, i).
+Let a_19 = shift_sint32(i32_0, i).
+Let a_20 = shift_uint64(u64_0, 0).
+Let a_21 = havoc(Mint_undef_5, Mint_5, a_20, 10).
+Let a_22 = shift_sint64(i64_0, 0).
+Let a_23 = havoc(Mint_undef_2, Mint_2, a_22, 10).
+Let a_24 = shift_uint32(u32_0, 0).
+Let a_25 = havoc(Mint_undef_4, Mint_4, a_24, 10).
+Let a_26 = shift_sint32(i32_0, 0).
+Let a_27 = havoc(Mint_undef_0, Mint_0, a_26, 10).
+Let a_28 = a_27[a_19 <- 5].
Assume {
Type: is_sint16_chunk(Mint_1) /\ is_sint32_chunk(Mint_0) /\
is_sint64_chunk(Mint_2) /\ is_sint8_chunk(Mchar_0) /\
is_uint16_chunk(Mint_3) /\ is_uint32_chunk(Mint_4) /\
is_uint64_chunk(Mint_5) /\ is_uint8_chunk(Mint_6) /\ is_sint32(i) /\
- is_sint32(1 + i) /\ is_sint16_chunk(a_13) /\ is_sint32_chunk(a_17) /\
- is_sint64_chunk(a_21) /\ is_sint8_chunk(a_9) /\
- is_uint16_chunk(a_15) /\ is_uint32_chunk(a_19) /\
- is_uint64_chunk(a_23) /\ is_uint8_chunk(a_11) /\
- is_sint16_chunk(a_13[a_5 <- 3]) /\ is_sint32_chunk(a_24) /\
- is_sint64_chunk(a_21[a_1 <- 7]) /\ is_sint8_chunk(a_9[a_7 <- 1]) /\
- is_uint16_chunk(a_15[a_4 <- 4]) /\ is_uint32_chunk(a_19[a_2 <- 6]) /\
- is_uint64_chunk(a_23[a <- 8]) /\ is_uint8_chunk(a_11[a_6 <- 2]).
+ is_sint32(1 + i) /\ is_sint16_chunk(a_5) /\ is_sint32_chunk(a_27) /\
+ is_sint64_chunk(a_23) /\ is_sint8_chunk(a_13) /\
+ is_uint16_chunk(a_1) /\ is_uint32_chunk(a_25) /\
+ is_uint64_chunk(a_21) /\ is_uint8_chunk(a_9) /\ is_sint16_chunk(a_7) /\
+ is_sint32_chunk(a_28) /\ is_sint64_chunk(a_23[a_17 <- 7]) /\
+ is_sint8_chunk(a_15) /\ is_uint16_chunk(a_3) /\
+ is_uint32_chunk(a_25[a_18 <- 6]) /\ is_uint64_chunk(a_21[a_16 <- 8]) /\
+ is_uint8_chunk(a_11).
(* Heap *)
Type: (region(i16_0.base) <= 0) /\ (region(i32_0.base) <= 0) /\
(region(i64_0.base) <= 0) /\ (region(i8_0.base) <= 0) /\
@@ -672,60 +708,74 @@ Assume {
(region(u64_0.base) <= 0) /\ (region(u8_0.base) <= 0) /\
linked(Malloc_0) /\ sconst(Mchar_0).
(* Goal *)
- When: (0 <= i_1) /\ (i_1 <= i).
+ When: (i_1 <= i) /\ (0 <= i_1).
(* Pre-condition *)
- Have: valid_rw(Malloc_0, a_12, 10) /\ valid_rw(Malloc_0, a_16, 10) /\
- valid_rw(Malloc_0, a_20, 10) /\ valid_rw(Malloc_0, a_8, 10) /\
- valid_rw(Malloc_0, a_14, 10) /\ valid_rw(Malloc_0, a_18, 10) /\
- valid_rw(Malloc_0, a_22, 10) /\ valid_rw(Malloc_0, a_10, 10).
+ Have: valid_rw(Malloc_0, a_4, 10) /\ valid_rw(Malloc_0, a_26, 10) /\
+ valid_rw(Malloc_0, a_22, 10) /\ valid_rw(Malloc_0, a_12, 10) /\
+ valid_rw(Malloc_0, a, 10) /\ valid_rw(Malloc_0, a_24, 10) /\
+ valid_rw(Malloc_0, a_20, 10) /\ valid_rw(Malloc_0, a_8, 10).
(* Invariant *)
- Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_23[shift_uint64(u64_0, i_2)] = 8))).
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_21[shift_sint64(i64_0, i_2)] = 7))).
+ (a_13[shift_sint8(i8_0, i_2)] = 1))).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_19[shift_uint32(u32_0, i_2)] = 6))).
+ (a_9[shift_uint8(u8_0, i_2)] = 2))).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_17[shift_sint32(i32_0, i_2)] = 5))).
+ (a_5[shift_sint16(i16_0, i_2)] = 3))).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_15[shift_uint16(u16_0, i_2)] = 4))).
+ (a_1[shift_uint16(u16_0, i_2)] = 4))).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_13[shift_sint16(i16_0, i_2)] = 3))).
+ (a_27[shift_sint32(i32_0, i_2)] = 5))).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_11[shift_uint8(u8_0, i_2)] = 2))).
+ (a_25[shift_uint32(u32_0, i_2)] = 6))).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_9[shift_sint8(i8_0, i_2)] = 1))).
+ (a_23[shift_sint64(i64_0, i_2)] = 7))).
(* Invariant *)
- Have: (0 <= i) /\ (i <= 10).
+ Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
+ (a_21[shift_uint64(u64_0, i_2)] = 8))).
(* Then *)
Have: i <= 9.
(* Assertion 'rte,mem_access' *)
- Have: valid_rw(Malloc_0, a_7, 1).
+ Have: valid_rw(Malloc_0, a_14, 1).
(* Assertion 'rte,mem_access' *)
- Have: valid_rw(Malloc_0, a_6, 1).
+ Have: valid_rw(Malloc_0, a_10, 1).
(* Assertion 'rte,mem_access' *)
- Have: valid_rw(Malloc_0, a_5, 1).
+ Have: valid_rw(Malloc_0, a_6, 1).
(* Assertion 'rte,mem_access' *)
- Have: valid_rw(Malloc_0, a_4, 1).
+ Have: valid_rw(Malloc_0, a_2, 1).
(* Assertion 'rte,mem_access' *)
- Have: valid_rw(Malloc_0, a_3, 1).
+ Have: valid_rw(Malloc_0, a_19, 1).
(* Assertion 'rte,mem_access' *)
- Have: valid_rw(Malloc_0, a_2, 1).
+ Have: valid_rw(Malloc_0, a_18, 1).
(* Assertion 'rte,mem_access' *)
- Have: valid_rw(Malloc_0, a_1, 1).
+ Have: valid_rw(Malloc_0, a_17, 1).
(* Assertion 'rte,mem_access' *)
- Have: valid_rw(Malloc_0, a, 1).
+ Have: valid_rw(Malloc_0, a_16, 1).
(* Assertion 'rte,signed_overflow' *)
Have: i <= 2147483646.
+ (* Invariant *)
+ Have: (-1) <= i.
+ (* Invariant *)
+ Have: forall i_2 : Z. ((i_2 <= i) -> ((0 <= i_2) ->
+ (a_15[shift_sint8(i8_0, i_2)] = 1))).
+ (* Invariant *)
+ Have: forall i_2 : Z. ((i_2 <= i) -> ((0 <= i_2) ->
+ (a_11[shift_uint8(u8_0, i_2)] = 2))).
+ (* Invariant *)
+ Have: forall i_2 : Z. ((i_2 <= i) -> ((0 <= i_2) ->
+ (a_7[shift_sint16(i16_0, i_2)] = 3))).
+ (* Invariant *)
+ Have: forall i_2 : Z. ((i_2 <= i) -> ((0 <= i_2) ->
+ (a_3[shift_uint16(u16_0, i_2)] = 4))).
}
-Prove: a_24[shift_sint32(i32_0, i_1)] = 5.
+Prove: a_28[shift_sint32(i32_0, i_1)] = 5.
------------------------------------------------------------
@@ -735,44 +785,49 @@ Prove: true.
------------------------------------------------------------
Goal Preservation of Invariant (file tests/wp_acsl/chunk_typing.i, line 37):
-Let a = shift_uint64(u64_0, i).
-Let a_1 = shift_sint64(i64_0, i).
-Let a_2 = shift_uint32(u32_0, i).
-Let a_3 = shift_sint32(i32_0, i).
-Let a_4 = shift_uint16(u16_0, i).
-Let a_5 = shift_sint16(i16_0, i).
-Let a_6 = shift_uint8(u8_0, i).
-Let a_7 = shift_sint8(i8_0, i).
-Let a_8 = shift_sint8(i8_0, 0).
-Let a_9 = havoc(Mchar_undef_0, Mchar_0, a_8, 10).
-Let a_10 = shift_uint8(u8_0, 0).
-Let a_11 = havoc(Mint_undef_6, Mint_6, a_10, 10).
-Let a_12 = shift_sint16(i16_0, 0).
-Let a_13 = havoc(Mint_undef_1, Mint_1, a_12, 10).
-Let a_14 = shift_uint16(u16_0, 0).
-Let a_15 = havoc(Mint_undef_4, Mint_4, a_14, 10).
-Let a_16 = shift_sint32(i32_0, 0).
-Let a_17 = havoc(Mint_undef_2, Mint_2, a_16, 10).
-Let a_18 = shift_uint32(u32_0, 0).
-Let a_19 = havoc(Mint_undef_0, Mint_0, a_18, 10).
-Let a_20 = shift_sint64(i64_0, 0).
-Let a_21 = havoc(Mint_undef_3, Mint_3, a_20, 10).
-Let a_22 = shift_uint64(u64_0, 0).
-Let a_23 = havoc(Mint_undef_5, Mint_5, a_22, 10).
-Let a_24 = a_19[a_2 <- 6].
+Let a = shift_sint32(i32_0, 0).
+Let a_1 = havoc(Mint_undef_2, Mint_2, a, 10).
+Let a_2 = shift_sint32(i32_0, i).
+Let a_3 = a_1[a_2 <- 5].
+Let a_4 = shift_uint16(u16_0, 0).
+Let a_5 = havoc(Mint_undef_4, Mint_4, a_4, 10).
+Let a_6 = shift_uint16(u16_0, i).
+Let a_7 = a_5[a_6 <- 4].
+Let a_8 = shift_sint16(i16_0, 0).
+Let a_9 = havoc(Mint_undef_1, Mint_1, a_8, 10).
+Let a_10 = shift_sint16(i16_0, i).
+Let a_11 = a_9[a_10 <- 3].
+Let a_12 = shift_uint8(u8_0, 0).
+Let a_13 = havoc(Mint_undef_6, Mint_6, a_12, 10).
+Let a_14 = shift_uint8(u8_0, i).
+Let a_15 = a_13[a_14 <- 2].
+Let a_16 = shift_sint8(i8_0, 0).
+Let a_17 = havoc(Mchar_undef_0, Mchar_0, a_16, 10).
+Let a_18 = shift_sint8(i8_0, i).
+Let a_19 = a_17[a_18 <- 1].
+Let a_20 = shift_uint64(u64_0, i).
+Let a_21 = shift_sint64(i64_0, i).
+Let a_22 = shift_uint32(u32_0, i).
+Let a_23 = shift_uint64(u64_0, 0).
+Let a_24 = havoc(Mint_undef_5, Mint_5, a_23, 10).
+Let a_25 = shift_sint64(i64_0, 0).
+Let a_26 = havoc(Mint_undef_3, Mint_3, a_25, 10).
+Let a_27 = shift_uint32(u32_0, 0).
+Let a_28 = havoc(Mint_undef_0, Mint_0, a_27, 10).
+Let a_29 = a_28[a_22 <- 6].
Assume {
Type: is_sint16_chunk(Mint_1) /\ is_sint32_chunk(Mint_2) /\
is_sint64_chunk(Mint_3) /\ is_sint8_chunk(Mchar_0) /\
is_uint16_chunk(Mint_4) /\ is_uint32_chunk(Mint_0) /\
is_uint64_chunk(Mint_5) /\ is_uint8_chunk(Mint_6) /\ is_sint32(i) /\
- is_sint32(1 + i) /\ is_sint16_chunk(a_13) /\ is_sint32_chunk(a_17) /\
- is_sint64_chunk(a_21) /\ is_sint8_chunk(a_9) /\
- is_uint16_chunk(a_15) /\ is_uint32_chunk(a_19) /\
- is_uint64_chunk(a_23) /\ is_uint8_chunk(a_11) /\
- is_sint16_chunk(a_13[a_5 <- 3]) /\ is_sint32_chunk(a_17[a_3 <- 5]) /\
- is_sint64_chunk(a_21[a_1 <- 7]) /\ is_sint8_chunk(a_9[a_7 <- 1]) /\
- is_uint16_chunk(a_15[a_4 <- 4]) /\ is_uint32_chunk(a_24) /\
- is_uint64_chunk(a_23[a <- 8]) /\ is_uint8_chunk(a_11[a_6 <- 2]).
+ is_sint32(1 + i) /\ is_sint16_chunk(a_9) /\ is_sint32_chunk(a_1) /\
+ is_sint64_chunk(a_26) /\ is_sint8_chunk(a_17) /\
+ is_uint16_chunk(a_5) /\ is_uint32_chunk(a_28) /\
+ is_uint64_chunk(a_24) /\ is_uint8_chunk(a_13) /\
+ is_sint16_chunk(a_11) /\ is_sint32_chunk(a_3) /\
+ is_sint64_chunk(a_26[a_21 <- 7]) /\ is_sint8_chunk(a_19) /\
+ is_uint16_chunk(a_7) /\ is_uint32_chunk(a_29) /\
+ is_uint64_chunk(a_24[a_20 <- 8]) /\ is_uint8_chunk(a_15).
(* Heap *)
Type: (region(i16_0.base) <= 0) /\ (region(i32_0.base) <= 0) /\
(region(i64_0.base) <= 0) /\ (region(i8_0.base) <= 0) /\
@@ -780,60 +835,77 @@ Assume {
(region(u64_0.base) <= 0) /\ (region(u8_0.base) <= 0) /\
linked(Malloc_0) /\ sconst(Mchar_0).
(* Goal *)
- When: (0 <= i_1) /\ (i_1 <= i).
+ When: (i_1 <= i) /\ (0 <= i_1).
(* Pre-condition *)
- Have: valid_rw(Malloc_0, a_12, 10) /\ valid_rw(Malloc_0, a_16, 10) /\
- valid_rw(Malloc_0, a_20, 10) /\ valid_rw(Malloc_0, a_8, 10) /\
- valid_rw(Malloc_0, a_14, 10) /\ valid_rw(Malloc_0, a_18, 10) /\
- valid_rw(Malloc_0, a_22, 10) /\ valid_rw(Malloc_0, a_10, 10).
+ Have: valid_rw(Malloc_0, a_8, 10) /\ valid_rw(Malloc_0, a, 10) /\
+ valid_rw(Malloc_0, a_25, 10) /\ valid_rw(Malloc_0, a_16, 10) /\
+ valid_rw(Malloc_0, a_4, 10) /\ valid_rw(Malloc_0, a_27, 10) /\
+ valid_rw(Malloc_0, a_23, 10) /\ valid_rw(Malloc_0, a_12, 10).
(* Invariant *)
- Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_23[shift_uint64(u64_0, i_2)] = 8))).
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_21[shift_sint64(i64_0, i_2)] = 7))).
+ (a_17[shift_sint8(i8_0, i_2)] = 1))).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_19[shift_uint32(u32_0, i_2)] = 6))).
+ (a_13[shift_uint8(u8_0, i_2)] = 2))).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_17[shift_sint32(i32_0, i_2)] = 5))).
+ (a_9[shift_sint16(i16_0, i_2)] = 3))).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_15[shift_uint16(u16_0, i_2)] = 4))).
+ (a_5[shift_uint16(u16_0, i_2)] = 4))).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_13[shift_sint16(i16_0, i_2)] = 3))).
+ (a_1[shift_sint32(i32_0, i_2)] = 5))).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_11[shift_uint8(u8_0, i_2)] = 2))).
+ (a_28[shift_uint32(u32_0, i_2)] = 6))).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_9[shift_sint8(i8_0, i_2)] = 1))).
+ (a_26[shift_sint64(i64_0, i_2)] = 7))).
(* Invariant *)
- Have: (0 <= i) /\ (i <= 10).
+ Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
+ (a_24[shift_uint64(u64_0, i_2)] = 8))).
(* Then *)
Have: i <= 9.
(* Assertion 'rte,mem_access' *)
- Have: valid_rw(Malloc_0, a_7, 1).
+ Have: valid_rw(Malloc_0, a_18, 1).
(* Assertion 'rte,mem_access' *)
- Have: valid_rw(Malloc_0, a_6, 1).
+ Have: valid_rw(Malloc_0, a_14, 1).
(* Assertion 'rte,mem_access' *)
- Have: valid_rw(Malloc_0, a_5, 1).
- (* Assertion 'rte,mem_access' *)
- Have: valid_rw(Malloc_0, a_4, 1).
+ Have: valid_rw(Malloc_0, a_10, 1).
(* Assertion 'rte,mem_access' *)
- Have: valid_rw(Malloc_0, a_3, 1).
+ Have: valid_rw(Malloc_0, a_6, 1).
(* Assertion 'rte,mem_access' *)
Have: valid_rw(Malloc_0, a_2, 1).
(* Assertion 'rte,mem_access' *)
- Have: valid_rw(Malloc_0, a_1, 1).
+ Have: valid_rw(Malloc_0, a_22, 1).
(* Assertion 'rte,mem_access' *)
- Have: valid_rw(Malloc_0, a, 1).
+ Have: valid_rw(Malloc_0, a_21, 1).
+ (* Assertion 'rte,mem_access' *)
+ Have: valid_rw(Malloc_0, a_20, 1).
(* Assertion 'rte,signed_overflow' *)
Have: i <= 2147483646.
+ (* Invariant *)
+ Have: (-1) <= i.
+ (* Invariant *)
+ Have: forall i_2 : Z. ((i_2 <= i) -> ((0 <= i_2) ->
+ (a_19[shift_sint8(i8_0, i_2)] = 1))).
+ (* Invariant *)
+ Have: forall i_2 : Z. ((i_2 <= i) -> ((0 <= i_2) ->
+ (a_15[shift_uint8(u8_0, i_2)] = 2))).
+ (* Invariant *)
+ Have: forall i_2 : Z. ((i_2 <= i) -> ((0 <= i_2) ->
+ (a_11[shift_sint16(i16_0, i_2)] = 3))).
+ (* Invariant *)
+ Have: forall i_2 : Z. ((i_2 <= i) -> ((0 <= i_2) ->
+ (a_7[shift_uint16(u16_0, i_2)] = 4))).
+ (* Invariant *)
+ Have: forall i_2 : Z. ((i_2 <= i) -> ((0 <= i_2) ->
+ (a_3[shift_sint32(i32_0, i_2)] = 5))).
}
-Prove: a_24[shift_uint32(u32_0, i_1)] = 6.
+Prove: a_29[shift_uint32(u32_0, i_1)] = 6.
------------------------------------------------------------
@@ -843,44 +915,50 @@ Prove: true.
------------------------------------------------------------
Goal Preservation of Invariant (file tests/wp_acsl/chunk_typing.i, line 38):
-Let a = shift_uint64(u64_0, i).
-Let a_1 = shift_sint64(i64_0, i).
+Let a = shift_uint32(u32_0, 0).
+Let a_1 = havoc(Mint_undef_4, Mint_4, a, 10).
Let a_2 = shift_uint32(u32_0, i).
-Let a_3 = shift_sint32(i32_0, i).
-Let a_4 = shift_uint16(u16_0, i).
-Let a_5 = shift_sint16(i16_0, i).
-Let a_6 = shift_uint8(u8_0, i).
-Let a_7 = shift_sint8(i8_0, i).
-Let a_8 = shift_sint8(i8_0, 0).
-Let a_9 = havoc(Mchar_undef_0, Mchar_0, a_8, 10).
-Let a_10 = shift_uint8(u8_0, 0).
-Let a_11 = havoc(Mint_undef_6, Mint_6, a_10, 10).
+Let a_3 = a_1[a_2 <- 6].
+Let a_4 = shift_sint32(i32_0, 0).
+Let a_5 = havoc(Mint_undef_2, Mint_2, a_4, 10).
+Let a_6 = shift_sint32(i32_0, i).
+Let a_7 = a_5[a_6 <- 5].
+Let a_8 = shift_uint16(u16_0, 0).
+Let a_9 = havoc(Mint_undef_3, Mint_3, a_8, 10).
+Let a_10 = shift_uint16(u16_0, i).
+Let a_11 = a_9[a_10 <- 4].
Let a_12 = shift_sint16(i16_0, 0).
Let a_13 = havoc(Mint_undef_1, Mint_1, a_12, 10).
-Let a_14 = shift_uint16(u16_0, 0).
-Let a_15 = havoc(Mint_undef_3, Mint_3, a_14, 10).
-Let a_16 = shift_sint32(i32_0, 0).
-Let a_17 = havoc(Mint_undef_2, Mint_2, a_16, 10).
-Let a_18 = shift_uint32(u32_0, 0).
-Let a_19 = havoc(Mint_undef_4, Mint_4, a_18, 10).
-Let a_20 = shift_sint64(i64_0, 0).
-Let a_21 = havoc(Mint_undef_0, Mint_0, a_20, 10).
-Let a_22 = shift_uint64(u64_0, 0).
-Let a_23 = havoc(Mint_undef_5, Mint_5, a_22, 10).
-Let a_24 = a_21[a_1 <- 7].
+Let a_14 = shift_sint16(i16_0, i).
+Let a_15 = a_13[a_14 <- 3].
+Let a_16 = shift_uint8(u8_0, 0).
+Let a_17 = havoc(Mint_undef_6, Mint_6, a_16, 10).
+Let a_18 = shift_uint8(u8_0, i).
+Let a_19 = a_17[a_18 <- 2].
+Let a_20 = shift_sint8(i8_0, 0).
+Let a_21 = havoc(Mchar_undef_0, Mchar_0, a_20, 10).
+Let a_22 = shift_sint8(i8_0, i).
+Let a_23 = a_21[a_22 <- 1].
+Let a_24 = shift_uint64(u64_0, i).
+Let a_25 = shift_sint64(i64_0, i).
+Let a_26 = shift_uint64(u64_0, 0).
+Let a_27 = havoc(Mint_undef_5, Mint_5, a_26, 10).
+Let a_28 = shift_sint64(i64_0, 0).
+Let a_29 = havoc(Mint_undef_0, Mint_0, a_28, 10).
+Let a_30 = a_29[a_25 <- 7].
Assume {
Type: is_sint16_chunk(Mint_1) /\ is_sint32_chunk(Mint_2) /\
is_sint64_chunk(Mint_0) /\ is_sint8_chunk(Mchar_0) /\
is_uint16_chunk(Mint_3) /\ is_uint32_chunk(Mint_4) /\
is_uint64_chunk(Mint_5) /\ is_uint8_chunk(Mint_6) /\ is_sint32(i) /\
- is_sint32(1 + i) /\ is_sint16_chunk(a_13) /\ is_sint32_chunk(a_17) /\
- is_sint64_chunk(a_21) /\ is_sint8_chunk(a_9) /\
- is_uint16_chunk(a_15) /\ is_uint32_chunk(a_19) /\
- is_uint64_chunk(a_23) /\ is_uint8_chunk(a_11) /\
- is_sint16_chunk(a_13[a_5 <- 3]) /\ is_sint32_chunk(a_17[a_3 <- 5]) /\
- is_sint64_chunk(a_24) /\ is_sint8_chunk(a_9[a_7 <- 1]) /\
- is_uint16_chunk(a_15[a_4 <- 4]) /\ is_uint32_chunk(a_19[a_2 <- 6]) /\
- is_uint64_chunk(a_23[a <- 8]) /\ is_uint8_chunk(a_11[a_6 <- 2]).
+ is_sint32(1 + i) /\ is_sint16_chunk(a_13) /\ is_sint32_chunk(a_5) /\
+ is_sint64_chunk(a_29) /\ is_sint8_chunk(a_21) /\
+ is_uint16_chunk(a_9) /\ is_uint32_chunk(a_1) /\
+ is_uint64_chunk(a_27) /\ is_uint8_chunk(a_17) /\
+ is_sint16_chunk(a_15) /\ is_sint32_chunk(a_7) /\
+ is_sint64_chunk(a_30) /\ is_sint8_chunk(a_23) /\
+ is_uint16_chunk(a_11) /\ is_uint32_chunk(a_3) /\
+ is_uint64_chunk(a_27[a_24 <- 8]) /\ is_uint8_chunk(a_19).
(* Heap *)
Type: (region(i16_0.base) <= 0) /\ (region(i32_0.base) <= 0) /\
(region(i64_0.base) <= 0) /\ (region(i8_0.base) <= 0) /\
@@ -888,60 +966,80 @@ Assume {
(region(u64_0.base) <= 0) /\ (region(u8_0.base) <= 0) /\
linked(Malloc_0) /\ sconst(Mchar_0).
(* Goal *)
- When: (0 <= i_1) /\ (i_1 <= i).
+ When: (i_1 <= i) /\ (0 <= i_1).
(* Pre-condition *)
- Have: valid_rw(Malloc_0, a_12, 10) /\ valid_rw(Malloc_0, a_16, 10) /\
- valid_rw(Malloc_0, a_20, 10) /\ valid_rw(Malloc_0, a_8, 10) /\
- valid_rw(Malloc_0, a_14, 10) /\ valid_rw(Malloc_0, a_18, 10) /\
- valid_rw(Malloc_0, a_22, 10) /\ valid_rw(Malloc_0, a_10, 10).
+ Have: valid_rw(Malloc_0, a_12, 10) /\ valid_rw(Malloc_0, a_4, 10) /\
+ valid_rw(Malloc_0, a_28, 10) /\ valid_rw(Malloc_0, a_20, 10) /\
+ valid_rw(Malloc_0, a_8, 10) /\ valid_rw(Malloc_0, a, 10) /\
+ valid_rw(Malloc_0, a_26, 10) /\ valid_rw(Malloc_0, a_16, 10).
(* Invariant *)
- Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_23[shift_uint64(u64_0, i_2)] = 8))).
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_21[shift_sint64(i64_0, i_2)] = 7))).
+ (a_21[shift_sint8(i8_0, i_2)] = 1))).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_19[shift_uint32(u32_0, i_2)] = 6))).
+ (a_17[shift_uint8(u8_0, i_2)] = 2))).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_17[shift_sint32(i32_0, i_2)] = 5))).
+ (a_13[shift_sint16(i16_0, i_2)] = 3))).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_15[shift_uint16(u16_0, i_2)] = 4))).
+ (a_9[shift_uint16(u16_0, i_2)] = 4))).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_13[shift_sint16(i16_0, i_2)] = 3))).
+ (a_5[shift_sint32(i32_0, i_2)] = 5))).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_11[shift_uint8(u8_0, i_2)] = 2))).
+ (a_1[shift_uint32(u32_0, i_2)] = 6))).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_9[shift_sint8(i8_0, i_2)] = 1))).
+ (a_29[shift_sint64(i64_0, i_2)] = 7))).
(* Invariant *)
- Have: (0 <= i) /\ (i <= 10).
+ Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
+ (a_27[shift_uint64(u64_0, i_2)] = 8))).
(* Then *)
Have: i <= 9.
(* Assertion 'rte,mem_access' *)
- Have: valid_rw(Malloc_0, a_7, 1).
+ Have: valid_rw(Malloc_0, a_22, 1).
(* Assertion 'rte,mem_access' *)
- Have: valid_rw(Malloc_0, a_6, 1).
+ Have: valid_rw(Malloc_0, a_18, 1).
(* Assertion 'rte,mem_access' *)
- Have: valid_rw(Malloc_0, a_5, 1).
+ Have: valid_rw(Malloc_0, a_14, 1).
(* Assertion 'rte,mem_access' *)
- Have: valid_rw(Malloc_0, a_4, 1).
+ Have: valid_rw(Malloc_0, a_10, 1).
(* Assertion 'rte,mem_access' *)
- Have: valid_rw(Malloc_0, a_3, 1).
+ Have: valid_rw(Malloc_0, a_6, 1).
(* Assertion 'rte,mem_access' *)
Have: valid_rw(Malloc_0, a_2, 1).
(* Assertion 'rte,mem_access' *)
- Have: valid_rw(Malloc_0, a_1, 1).
+ Have: valid_rw(Malloc_0, a_25, 1).
(* Assertion 'rte,mem_access' *)
- Have: valid_rw(Malloc_0, a, 1).
+ Have: valid_rw(Malloc_0, a_24, 1).
(* Assertion 'rte,signed_overflow' *)
Have: i <= 2147483646.
+ (* Invariant *)
+ Have: (-1) <= i.
+ (* Invariant *)
+ Have: forall i_2 : Z. ((i_2 <= i) -> ((0 <= i_2) ->
+ (a_23[shift_sint8(i8_0, i_2)] = 1))).
+ (* Invariant *)
+ Have: forall i_2 : Z. ((i_2 <= i) -> ((0 <= i_2) ->
+ (a_19[shift_uint8(u8_0, i_2)] = 2))).
+ (* Invariant *)
+ Have: forall i_2 : Z. ((i_2 <= i) -> ((0 <= i_2) ->
+ (a_15[shift_sint16(i16_0, i_2)] = 3))).
+ (* Invariant *)
+ Have: forall i_2 : Z. ((i_2 <= i) -> ((0 <= i_2) ->
+ (a_11[shift_uint16(u16_0, i_2)] = 4))).
+ (* Invariant *)
+ Have: forall i_2 : Z. ((i_2 <= i) -> ((0 <= i_2) ->
+ (a_7[shift_sint32(i32_0, i_2)] = 5))).
+ (* Invariant *)
+ Have: forall i_2 : Z. ((i_2 <= i) -> ((0 <= i_2) ->
+ (a_3[shift_uint32(u32_0, i_2)] = 6))).
}
-Prove: a_24[shift_sint64(i64_0, i_1)] = 7.
+Prove: a_30[shift_sint64(i64_0, i_1)] = 7.
------------------------------------------------------------
@@ -951,44 +1049,51 @@ Prove: true.
------------------------------------------------------------
Goal Preservation of Invariant (file tests/wp_acsl/chunk_typing.i, line 39):
-Let a = shift_uint64(u64_0, i).
-Let a_1 = shift_sint64(i64_0, i).
-Let a_2 = shift_uint32(u32_0, i).
-Let a_3 = shift_sint32(i32_0, i).
-Let a_4 = shift_uint16(u16_0, i).
-Let a_5 = shift_sint16(i16_0, i).
-Let a_6 = shift_uint8(u8_0, i).
-Let a_7 = shift_sint8(i8_0, i).
-Let a_8 = shift_sint8(i8_0, 0).
-Let a_9 = havoc(Mchar_undef_0, Mchar_0, a_8, 10).
-Let a_10 = shift_uint8(u8_0, 0).
-Let a_11 = havoc(Mint_undef_6, Mint_6, a_10, 10).
-Let a_12 = shift_sint16(i16_0, 0).
-Let a_13 = havoc(Mint_undef_1, Mint_1, a_12, 10).
-Let a_14 = shift_uint16(u16_0, 0).
-Let a_15 = havoc(Mint_undef_4, Mint_4, a_14, 10).
-Let a_16 = shift_sint32(i32_0, 0).
-Let a_17 = havoc(Mint_undef_2, Mint_2, a_16, 10).
-Let a_18 = shift_uint32(u32_0, 0).
-Let a_19 = havoc(Mint_undef_5, Mint_5, a_18, 10).
-Let a_20 = shift_sint64(i64_0, 0).
-Let a_21 = havoc(Mint_undef_3, Mint_3, a_20, 10).
-Let a_22 = shift_uint64(u64_0, 0).
-Let a_23 = havoc(Mint_undef_0, Mint_0, a_22, 10).
-Let a_24 = a_23[a <- 8].
+Let a = shift_sint64(i64_0, 0).
+Let a_1 = havoc(Mint_undef_3, Mint_3, a, 10).
+Let a_2 = shift_sint64(i64_0, i).
+Let a_3 = a_1[a_2 <- 7].
+Let a_4 = shift_uint32(u32_0, 0).
+Let a_5 = havoc(Mint_undef_5, Mint_5, a_4, 10).
+Let a_6 = shift_uint32(u32_0, i).
+Let a_7 = a_5[a_6 <- 6].
+Let a_8 = shift_sint32(i32_0, 0).
+Let a_9 = havoc(Mint_undef_2, Mint_2, a_8, 10).
+Let a_10 = shift_sint32(i32_0, i).
+Let a_11 = a_9[a_10 <- 5].
+Let a_12 = shift_uint16(u16_0, 0).
+Let a_13 = havoc(Mint_undef_4, Mint_4, a_12, 10).
+Let a_14 = shift_uint16(u16_0, i).
+Let a_15 = a_13[a_14 <- 4].
+Let a_16 = shift_sint16(i16_0, 0).
+Let a_17 = havoc(Mint_undef_1, Mint_1, a_16, 10).
+Let a_18 = shift_sint16(i16_0, i).
+Let a_19 = a_17[a_18 <- 3].
+Let a_20 = shift_uint8(u8_0, 0).
+Let a_21 = havoc(Mint_undef_6, Mint_6, a_20, 10).
+Let a_22 = shift_uint8(u8_0, i).
+Let a_23 = a_21[a_22 <- 2].
+Let a_24 = shift_sint8(i8_0, 0).
+Let a_25 = havoc(Mchar_undef_0, Mchar_0, a_24, 10).
+Let a_26 = shift_sint8(i8_0, i).
+Let a_27 = a_25[a_26 <- 1].
+Let a_28 = shift_uint64(u64_0, i).
+Let a_29 = shift_uint64(u64_0, 0).
+Let a_30 = havoc(Mint_undef_0, Mint_0, a_29, 10).
+Let a_31 = a_30[a_28 <- 8].
Assume {
Type: is_sint16_chunk(Mint_1) /\ is_sint32_chunk(Mint_2) /\
is_sint64_chunk(Mint_3) /\ is_sint8_chunk(Mchar_0) /\
is_uint16_chunk(Mint_4) /\ is_uint32_chunk(Mint_5) /\
is_uint64_chunk(Mint_0) /\ is_uint8_chunk(Mint_6) /\ is_sint32(i) /\
- is_sint32(1 + i) /\ is_sint16_chunk(a_13) /\ is_sint32_chunk(a_17) /\
- is_sint64_chunk(a_21) /\ is_sint8_chunk(a_9) /\
- is_uint16_chunk(a_15) /\ is_uint32_chunk(a_19) /\
- is_uint64_chunk(a_23) /\ is_uint8_chunk(a_11) /\
- is_sint16_chunk(a_13[a_5 <- 3]) /\ is_sint32_chunk(a_17[a_3 <- 5]) /\
- is_sint64_chunk(a_21[a_1 <- 7]) /\ is_sint8_chunk(a_9[a_7 <- 1]) /\
- is_uint16_chunk(a_15[a_4 <- 4]) /\ is_uint32_chunk(a_19[a_2 <- 6]) /\
- is_uint64_chunk(a_24) /\ is_uint8_chunk(a_11[a_6 <- 2]).
+ is_sint32(1 + i) /\ is_sint16_chunk(a_17) /\ is_sint32_chunk(a_9) /\
+ is_sint64_chunk(a_1) /\ is_sint8_chunk(a_25) /\
+ is_uint16_chunk(a_13) /\ is_uint32_chunk(a_5) /\
+ is_uint64_chunk(a_30) /\ is_uint8_chunk(a_21) /\
+ is_sint16_chunk(a_19) /\ is_sint32_chunk(a_11) /\
+ is_sint64_chunk(a_3) /\ is_sint8_chunk(a_27) /\
+ is_uint16_chunk(a_15) /\ is_uint32_chunk(a_7) /\
+ is_uint64_chunk(a_31) /\ is_uint8_chunk(a_23).
(* Heap *)
Type: (region(i16_0.base) <= 0) /\ (region(i32_0.base) <= 0) /\
(region(i64_0.base) <= 0) /\ (region(i8_0.base) <= 0) /\
@@ -996,60 +1101,83 @@ Assume {
(region(u64_0.base) <= 0) /\ (region(u8_0.base) <= 0) /\
linked(Malloc_0) /\ sconst(Mchar_0).
(* Goal *)
- When: (0 <= i_1) /\ (i_1 <= i).
+ When: (i_1 <= i) /\ (0 <= i_1).
(* Pre-condition *)
- Have: valid_rw(Malloc_0, a_12, 10) /\ valid_rw(Malloc_0, a_16, 10) /\
- valid_rw(Malloc_0, a_20, 10) /\ valid_rw(Malloc_0, a_8, 10) /\
- valid_rw(Malloc_0, a_14, 10) /\ valid_rw(Malloc_0, a_18, 10) /\
- valid_rw(Malloc_0, a_22, 10) /\ valid_rw(Malloc_0, a_10, 10).
+ Have: valid_rw(Malloc_0, a_16, 10) /\ valid_rw(Malloc_0, a_8, 10) /\
+ valid_rw(Malloc_0, a, 10) /\ valid_rw(Malloc_0, a_24, 10) /\
+ valid_rw(Malloc_0, a_12, 10) /\ valid_rw(Malloc_0, a_4, 10) /\
+ valid_rw(Malloc_0, a_29, 10) /\ valid_rw(Malloc_0, a_20, 10).
(* Invariant *)
- Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_23[shift_uint64(u64_0, i_2)] = 8))).
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_21[shift_sint64(i64_0, i_2)] = 7))).
+ (a_25[shift_sint8(i8_0, i_2)] = 1))).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_19[shift_uint32(u32_0, i_2)] = 6))).
+ (a_21[shift_uint8(u8_0, i_2)] = 2))).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_17[shift_sint32(i32_0, i_2)] = 5))).
+ (a_17[shift_sint16(i16_0, i_2)] = 3))).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_15[shift_uint16(u16_0, i_2)] = 4))).
+ (a_13[shift_uint16(u16_0, i_2)] = 4))).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_13[shift_sint16(i16_0, i_2)] = 3))).
+ (a_9[shift_sint32(i32_0, i_2)] = 5))).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_11[shift_uint8(u8_0, i_2)] = 2))).
+ (a_5[shift_uint32(u32_0, i_2)] = 6))).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_9[shift_sint8(i8_0, i_2)] = 1))).
+ (a_1[shift_sint64(i64_0, i_2)] = 7))).
(* Invariant *)
- Have: (0 <= i) /\ (i <= 10).
+ Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
+ (a_30[shift_uint64(u64_0, i_2)] = 8))).
(* Then *)
Have: i <= 9.
(* Assertion 'rte,mem_access' *)
- Have: valid_rw(Malloc_0, a_7, 1).
+ Have: valid_rw(Malloc_0, a_26, 1).
(* Assertion 'rte,mem_access' *)
- Have: valid_rw(Malloc_0, a_6, 1).
+ Have: valid_rw(Malloc_0, a_22, 1).
(* Assertion 'rte,mem_access' *)
- Have: valid_rw(Malloc_0, a_5, 1).
+ Have: valid_rw(Malloc_0, a_18, 1).
(* Assertion 'rte,mem_access' *)
- Have: valid_rw(Malloc_0, a_4, 1).
+ Have: valid_rw(Malloc_0, a_14, 1).
(* Assertion 'rte,mem_access' *)
- Have: valid_rw(Malloc_0, a_3, 1).
+ Have: valid_rw(Malloc_0, a_10, 1).
(* Assertion 'rte,mem_access' *)
- Have: valid_rw(Malloc_0, a_2, 1).
+ Have: valid_rw(Malloc_0, a_6, 1).
(* Assertion 'rte,mem_access' *)
- Have: valid_rw(Malloc_0, a_1, 1).
+ Have: valid_rw(Malloc_0, a_2, 1).
(* Assertion 'rte,mem_access' *)
- Have: valid_rw(Malloc_0, a, 1).
+ Have: valid_rw(Malloc_0, a_28, 1).
(* Assertion 'rte,signed_overflow' *)
Have: i <= 2147483646.
+ (* Invariant *)
+ Have: (-1) <= i.
+ (* Invariant *)
+ Have: forall i_2 : Z. ((i_2 <= i) -> ((0 <= i_2) ->
+ (a_27[shift_sint8(i8_0, i_2)] = 1))).
+ (* Invariant *)
+ Have: forall i_2 : Z. ((i_2 <= i) -> ((0 <= i_2) ->
+ (a_23[shift_uint8(u8_0, i_2)] = 2))).
+ (* Invariant *)
+ Have: forall i_2 : Z. ((i_2 <= i) -> ((0 <= i_2) ->
+ (a_19[shift_sint16(i16_0, i_2)] = 3))).
+ (* Invariant *)
+ Have: forall i_2 : Z. ((i_2 <= i) -> ((0 <= i_2) ->
+ (a_15[shift_uint16(u16_0, i_2)] = 4))).
+ (* Invariant *)
+ Have: forall i_2 : Z. ((i_2 <= i) -> ((0 <= i_2) ->
+ (a_11[shift_sint32(i32_0, i_2)] = 5))).
+ (* Invariant *)
+ Have: forall i_2 : Z. ((i_2 <= i) -> ((0 <= i_2) ->
+ (a_7[shift_uint32(u32_0, i_2)] = 6))).
+ (* Invariant *)
+ Have: forall i_2 : Z. ((i_2 <= i) -> ((0 <= i_2) ->
+ (a_3[shift_sint64(i64_0, i_2)] = 7))).
}
-Prove: a_24[shift_uint64(u64_0, i_1)] = 8.
+Prove: a_31[shift_uint64(u64_0, i_1)] = 8.
------------------------------------------------------------
@@ -1059,30 +1187,30 @@ Prove: true.
------------------------------------------------------------
Goal Assertion 'rte,mem_access' (file tests/wp_acsl/chunk_typing.i, line 45):
-Let a = shift_sint8(i8_0, 0).
-Let a_1 = havoc(Mchar_undef_0, Mchar_0, a, 10).
-Let a_2 = shift_uint8(u8_0, 0).
-Let a_3 = havoc(Mint_undef_6, Mint_6, a_2, 10).
-Let a_4 = shift_sint16(i16_0, 0).
-Let a_5 = havoc(Mint_undef_0, Mint_0, a_4, 10).
-Let a_6 = shift_uint16(u16_0, 0).
-Let a_7 = havoc(Mint_undef_3, Mint_3, a_6, 10).
-Let a_8 = shift_sint32(i32_0, 0).
-Let a_9 = havoc(Mint_undef_1, Mint_1, a_8, 10).
-Let a_10 = shift_uint32(u32_0, 0).
-Let a_11 = havoc(Mint_undef_4, Mint_4, a_10, 10).
-Let a_12 = shift_sint64(i64_0, 0).
-Let a_13 = havoc(Mint_undef_2, Mint_2, a_12, 10).
-Let a_14 = shift_uint64(u64_0, 0).
-Let a_15 = havoc(Mint_undef_5, Mint_5, a_14, 10).
+Let a = shift_uint64(u64_0, 0).
+Let a_1 = havoc(Mint_undef_5, Mint_5, a, 10).
+Let a_2 = shift_sint64(i64_0, 0).
+Let a_3 = havoc(Mint_undef_2, Mint_2, a_2, 10).
+Let a_4 = shift_uint32(u32_0, 0).
+Let a_5 = havoc(Mint_undef_4, Mint_4, a_4, 10).
+Let a_6 = shift_sint32(i32_0, 0).
+Let a_7 = havoc(Mint_undef_1, Mint_1, a_6, 10).
+Let a_8 = shift_uint16(u16_0, 0).
+Let a_9 = havoc(Mint_undef_3, Mint_3, a_8, 10).
+Let a_10 = shift_sint16(i16_0, 0).
+Let a_11 = havoc(Mint_undef_0, Mint_0, a_10, 10).
+Let a_12 = shift_uint8(u8_0, 0).
+Let a_13 = havoc(Mint_undef_6, Mint_6, a_12, 10).
+Let a_14 = shift_sint8(i8_0, 0).
+Let a_15 = havoc(Mchar_undef_0, Mchar_0, a_14, 10).
Assume {
Type: is_sint16_chunk(Mint_0) /\ is_sint32_chunk(Mint_1) /\
is_sint64_chunk(Mint_2) /\ is_sint8_chunk(Mchar_0) /\
is_uint16_chunk(Mint_3) /\ is_uint32_chunk(Mint_4) /\
is_uint64_chunk(Mint_5) /\ is_uint8_chunk(Mint_6) /\ is_sint32(i) /\
- is_sint16_chunk(a_5) /\ is_sint32_chunk(a_9) /\
- is_sint64_chunk(a_13) /\ is_sint8_chunk(a_1) /\ is_uint16_chunk(a_7) /\
- is_uint32_chunk(a_11) /\ is_uint64_chunk(a_15) /\ is_uint8_chunk(a_3).
+ is_sint16_chunk(a_11) /\ is_sint32_chunk(a_7) /\
+ is_sint64_chunk(a_3) /\ is_sint8_chunk(a_15) /\ is_uint16_chunk(a_9) /\
+ is_uint32_chunk(a_5) /\ is_uint64_chunk(a_1) /\ is_uint8_chunk(a_13).
(* Heap *)
Type: (region(i16_0.base) <= 0) /\ (region(i32_0.base) <= 0) /\
(region(i64_0.base) <= 0) /\ (region(i8_0.base) <= 0) /\
@@ -1090,36 +1218,36 @@ Assume {
(region(u64_0.base) <= 0) /\ (region(u8_0.base) <= 0) /\
linked(Malloc_0) /\ sconst(Mchar_0).
(* Pre-condition *)
- Have: valid_rw(Malloc_0, a_4, 10) /\ valid_rw(Malloc_0, a_8, 10) /\
- valid_rw(Malloc_0, a_12, 10) /\ valid_rw(Malloc_0, a, 10) /\
- valid_rw(Malloc_0, a_6, 10) /\ valid_rw(Malloc_0, a_10, 10) /\
- valid_rw(Malloc_0, a_14, 10) /\ valid_rw(Malloc_0, a_2, 10).
+ Have: valid_rw(Malloc_0, a_10, 10) /\ valid_rw(Malloc_0, a_6, 10) /\
+ valid_rw(Malloc_0, a_2, 10) /\ valid_rw(Malloc_0, a_14, 10) /\
+ valid_rw(Malloc_0, a_8, 10) /\ valid_rw(Malloc_0, a_4, 10) /\
+ valid_rw(Malloc_0, a, 10) /\ valid_rw(Malloc_0, a_12, 10).
(* Invariant *)
- Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_15[shift_uint64(u64_0, i_1)] = 8))).
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_13[shift_sint64(i64_0, i_1)] = 7))).
+ (a_15[shift_sint8(i8_0, i_1)] = 1))).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_11[shift_uint32(u32_0, i_1)] = 6))).
+ (a_13[shift_uint8(u8_0, i_1)] = 2))).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_9[shift_sint32(i32_0, i_1)] = 5))).
+ (a_11[shift_sint16(i16_0, i_1)] = 3))).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_7[shift_uint16(u16_0, i_1)] = 4))).
+ (a_9[shift_uint16(u16_0, i_1)] = 4))).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_5[shift_sint16(i16_0, i_1)] = 3))).
+ (a_7[shift_sint32(i32_0, i_1)] = 5))).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_3[shift_uint8(u8_0, i_1)] = 2))).
+ (a_5[shift_uint32(u32_0, i_1)] = 6))).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_1[shift_sint8(i8_0, i_1)] = 1))).
+ (a_3[shift_sint64(i64_0, i_1)] = 7))).
(* Invariant *)
- Have: (0 <= i) /\ (i <= 10).
+ Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
+ (a_1[shift_uint64(u64_0, i_1)] = 8))).
(* Then *)
Have: i <= 9.
}
@@ -1129,31 +1257,32 @@ Prove: valid_rw(Malloc_0, shift_sint8(i8_0, i), 1).
Goal Assertion 'rte,mem_access' (file tests/wp_acsl/chunk_typing.i, line 46):
Let a = shift_sint8(i8_0, i).
-Let a_1 = shift_sint8(i8_0, 0).
-Let a_2 = havoc(Mchar_undef_0, Mchar_0, a_1, 10).
-Let a_3 = shift_uint8(u8_0, 0).
-Let a_4 = havoc(Mint_undef_6, Mint_6, a_3, 10).
-Let a_5 = shift_sint16(i16_0, 0).
-Let a_6 = havoc(Mint_undef_0, Mint_0, a_5, 10).
-Let a_7 = shift_uint16(u16_0, 0).
-Let a_8 = havoc(Mint_undef_3, Mint_3, a_7, 10).
-Let a_9 = shift_sint32(i32_0, 0).
-Let a_10 = havoc(Mint_undef_1, Mint_1, a_9, 10).
-Let a_11 = shift_uint32(u32_0, 0).
-Let a_12 = havoc(Mint_undef_4, Mint_4, a_11, 10).
-Let a_13 = shift_sint64(i64_0, 0).
-Let a_14 = havoc(Mint_undef_2, Mint_2, a_13, 10).
-Let a_15 = shift_uint64(u64_0, 0).
-Let a_16 = havoc(Mint_undef_5, Mint_5, a_15, 10).
+Let a_1 = shift_uint64(u64_0, 0).
+Let a_2 = havoc(Mint_undef_5, Mint_5, a_1, 10).
+Let a_3 = shift_sint64(i64_0, 0).
+Let a_4 = havoc(Mint_undef_2, Mint_2, a_3, 10).
+Let a_5 = shift_uint32(u32_0, 0).
+Let a_6 = havoc(Mint_undef_4, Mint_4, a_5, 10).
+Let a_7 = shift_sint32(i32_0, 0).
+Let a_8 = havoc(Mint_undef_1, Mint_1, a_7, 10).
+Let a_9 = shift_uint16(u16_0, 0).
+Let a_10 = havoc(Mint_undef_3, Mint_3, a_9, 10).
+Let a_11 = shift_sint16(i16_0, 0).
+Let a_12 = havoc(Mint_undef_0, Mint_0, a_11, 10).
+Let a_13 = shift_uint8(u8_0, 0).
+Let a_14 = havoc(Mint_undef_6, Mint_6, a_13, 10).
+Let a_15 = shift_sint8(i8_0, 0).
+Let a_16 = havoc(Mchar_undef_0, Mchar_0, a_15, 10).
Assume {
Type: is_sint16_chunk(Mint_0) /\ is_sint32_chunk(Mint_1) /\
is_sint64_chunk(Mint_2) /\ is_sint8_chunk(Mchar_0) /\
is_uint16_chunk(Mint_3) /\ is_uint32_chunk(Mint_4) /\
is_uint64_chunk(Mint_5) /\ is_uint8_chunk(Mint_6) /\ is_sint32(i) /\
- is_sint16_chunk(a_6) /\ is_sint32_chunk(a_10) /\
- is_sint64_chunk(a_14) /\ is_sint8_chunk(a_2) /\ is_uint16_chunk(a_8) /\
- is_uint32_chunk(a_12) /\ is_uint64_chunk(a_16) /\
- is_uint8_chunk(a_4) /\ is_sint8_chunk(a_2[a <- 1]).
+ is_sint16_chunk(a_12) /\ is_sint32_chunk(a_8) /\
+ is_sint64_chunk(a_4) /\ is_sint8_chunk(a_16) /\
+ is_uint16_chunk(a_10) /\ is_uint32_chunk(a_6) /\
+ is_uint64_chunk(a_2) /\ is_uint8_chunk(a_14) /\
+ is_sint8_chunk(a_16[a <- 1]).
(* Heap *)
Type: (region(i16_0.base) <= 0) /\ (region(i32_0.base) <= 0) /\
(region(i64_0.base) <= 0) /\ (region(i8_0.base) <= 0) /\
@@ -1161,36 +1290,36 @@ Assume {
(region(u64_0.base) <= 0) /\ (region(u8_0.base) <= 0) /\
linked(Malloc_0) /\ sconst(Mchar_0).
(* Pre-condition *)
- Have: valid_rw(Malloc_0, a_5, 10) /\ valid_rw(Malloc_0, a_9, 10) /\
- valid_rw(Malloc_0, a_13, 10) /\ valid_rw(Malloc_0, a_1, 10) /\
- valid_rw(Malloc_0, a_7, 10) /\ valid_rw(Malloc_0, a_11, 10) /\
- valid_rw(Malloc_0, a_15, 10) /\ valid_rw(Malloc_0, a_3, 10).
+ Have: valid_rw(Malloc_0, a_11, 10) /\ valid_rw(Malloc_0, a_7, 10) /\
+ valid_rw(Malloc_0, a_3, 10) /\ valid_rw(Malloc_0, a_15, 10) /\
+ valid_rw(Malloc_0, a_9, 10) /\ valid_rw(Malloc_0, a_5, 10) /\
+ valid_rw(Malloc_0, a_1, 10) /\ valid_rw(Malloc_0, a_13, 10).
(* Invariant *)
- Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_16[shift_uint64(u64_0, i_1)] = 8))).
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_14[shift_sint64(i64_0, i_1)] = 7))).
+ (a_16[shift_sint8(i8_0, i_1)] = 1))).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_12[shift_uint32(u32_0, i_1)] = 6))).
+ (a_14[shift_uint8(u8_0, i_1)] = 2))).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_10[shift_sint32(i32_0, i_1)] = 5))).
+ (a_12[shift_sint16(i16_0, i_1)] = 3))).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_8[shift_uint16(u16_0, i_1)] = 4))).
+ (a_10[shift_uint16(u16_0, i_1)] = 4))).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_6[shift_sint16(i16_0, i_1)] = 3))).
+ (a_8[shift_sint32(i32_0, i_1)] = 5))).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_4[shift_uint8(u8_0, i_1)] = 2))).
+ (a_6[shift_uint32(u32_0, i_1)] = 6))).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_2[shift_sint8(i8_0, i_1)] = 1))).
+ (a_4[shift_sint64(i64_0, i_1)] = 7))).
(* Invariant *)
- Have: (0 <= i) /\ (i <= 10).
+ Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
+ (a_2[shift_uint64(u64_0, i_1)] = 8))).
(* Then *)
Have: i <= 9.
(* Assertion 'rte,mem_access' *)
@@ -1203,32 +1332,32 @@ Prove: valid_rw(Malloc_0, shift_uint8(u8_0, i), 1).
Goal Assertion 'rte,mem_access' (file tests/wp_acsl/chunk_typing.i, line 47):
Let a = shift_uint8(u8_0, i).
Let a_1 = shift_sint8(i8_0, i).
-Let a_2 = shift_sint8(i8_0, 0).
-Let a_3 = havoc(Mchar_undef_0, Mchar_0, a_2, 10).
-Let a_4 = shift_uint8(u8_0, 0).
-Let a_5 = havoc(Mint_undef_6, Mint_6, a_4, 10).
-Let a_6 = shift_sint16(i16_0, 0).
-Let a_7 = havoc(Mint_undef_0, Mint_0, a_6, 10).
-Let a_8 = shift_uint16(u16_0, 0).
-Let a_9 = havoc(Mint_undef_3, Mint_3, a_8, 10).
-Let a_10 = shift_sint32(i32_0, 0).
-Let a_11 = havoc(Mint_undef_1, Mint_1, a_10, 10).
-Let a_12 = shift_uint32(u32_0, 0).
-Let a_13 = havoc(Mint_undef_4, Mint_4, a_12, 10).
-Let a_14 = shift_sint64(i64_0, 0).
-Let a_15 = havoc(Mint_undef_2, Mint_2, a_14, 10).
-Let a_16 = shift_uint64(u64_0, 0).
-Let a_17 = havoc(Mint_undef_5, Mint_5, a_16, 10).
+Let a_2 = shift_uint64(u64_0, 0).
+Let a_3 = havoc(Mint_undef_5, Mint_5, a_2, 10).
+Let a_4 = shift_sint64(i64_0, 0).
+Let a_5 = havoc(Mint_undef_2, Mint_2, a_4, 10).
+Let a_6 = shift_uint32(u32_0, 0).
+Let a_7 = havoc(Mint_undef_4, Mint_4, a_6, 10).
+Let a_8 = shift_sint32(i32_0, 0).
+Let a_9 = havoc(Mint_undef_1, Mint_1, a_8, 10).
+Let a_10 = shift_uint16(u16_0, 0).
+Let a_11 = havoc(Mint_undef_3, Mint_3, a_10, 10).
+Let a_12 = shift_sint16(i16_0, 0).
+Let a_13 = havoc(Mint_undef_0, Mint_0, a_12, 10).
+Let a_14 = shift_uint8(u8_0, 0).
+Let a_15 = havoc(Mint_undef_6, Mint_6, a_14, 10).
+Let a_16 = shift_sint8(i8_0, 0).
+Let a_17 = havoc(Mchar_undef_0, Mchar_0, a_16, 10).
Assume {
Type: is_sint16_chunk(Mint_0) /\ is_sint32_chunk(Mint_1) /\
is_sint64_chunk(Mint_2) /\ is_sint8_chunk(Mchar_0) /\
is_uint16_chunk(Mint_3) /\ is_uint32_chunk(Mint_4) /\
is_uint64_chunk(Mint_5) /\ is_uint8_chunk(Mint_6) /\ is_sint32(i) /\
- is_sint16_chunk(a_7) /\ is_sint32_chunk(a_11) /\
- is_sint64_chunk(a_15) /\ is_sint8_chunk(a_3) /\ is_uint16_chunk(a_9) /\
- is_uint32_chunk(a_13) /\ is_uint64_chunk(a_17) /\
- is_uint8_chunk(a_5) /\ is_sint8_chunk(a_3[a_1 <- 1]) /\
- is_uint8_chunk(a_5[a <- 2]).
+ is_sint16_chunk(a_13) /\ is_sint32_chunk(a_9) /\
+ is_sint64_chunk(a_5) /\ is_sint8_chunk(a_17) /\
+ is_uint16_chunk(a_11) /\ is_uint32_chunk(a_7) /\
+ is_uint64_chunk(a_3) /\ is_uint8_chunk(a_15) /\
+ is_sint8_chunk(a_17[a_1 <- 1]) /\ is_uint8_chunk(a_15[a <- 2]).
(* Heap *)
Type: (region(i16_0.base) <= 0) /\ (region(i32_0.base) <= 0) /\
(region(i64_0.base) <= 0) /\ (region(i8_0.base) <= 0) /\
@@ -1236,36 +1365,36 @@ Assume {
(region(u64_0.base) <= 0) /\ (region(u8_0.base) <= 0) /\
linked(Malloc_0) /\ sconst(Mchar_0).
(* Pre-condition *)
- Have: valid_rw(Malloc_0, a_6, 10) /\ valid_rw(Malloc_0, a_10, 10) /\
- valid_rw(Malloc_0, a_14, 10) /\ valid_rw(Malloc_0, a_2, 10) /\
- valid_rw(Malloc_0, a_8, 10) /\ valid_rw(Malloc_0, a_12, 10) /\
- valid_rw(Malloc_0, a_16, 10) /\ valid_rw(Malloc_0, a_4, 10).
+ Have: valid_rw(Malloc_0, a_12, 10) /\ valid_rw(Malloc_0, a_8, 10) /\
+ valid_rw(Malloc_0, a_4, 10) /\ valid_rw(Malloc_0, a_16, 10) /\
+ valid_rw(Malloc_0, a_10, 10) /\ valid_rw(Malloc_0, a_6, 10) /\
+ valid_rw(Malloc_0, a_2, 10) /\ valid_rw(Malloc_0, a_14, 10).
(* Invariant *)
- Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_17[shift_uint64(u64_0, i_1)] = 8))).
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_15[shift_sint64(i64_0, i_1)] = 7))).
+ (a_17[shift_sint8(i8_0, i_1)] = 1))).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_13[shift_uint32(u32_0, i_1)] = 6))).
+ (a_15[shift_uint8(u8_0, i_1)] = 2))).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_11[shift_sint32(i32_0, i_1)] = 5))).
+ (a_13[shift_sint16(i16_0, i_1)] = 3))).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_9[shift_uint16(u16_0, i_1)] = 4))).
+ (a_11[shift_uint16(u16_0, i_1)] = 4))).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_7[shift_sint16(i16_0, i_1)] = 3))).
+ (a_9[shift_sint32(i32_0, i_1)] = 5))).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_5[shift_uint8(u8_0, i_1)] = 2))).
+ (a_7[shift_uint32(u32_0, i_1)] = 6))).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_3[shift_sint8(i8_0, i_1)] = 1))).
+ (a_5[shift_sint64(i64_0, i_1)] = 7))).
(* Invariant *)
- Have: (0 <= i) /\ (i <= 10).
+ Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
+ (a_3[shift_uint64(u64_0, i_1)] = 8))).
(* Then *)
Have: i <= 9.
(* Assertion 'rte,mem_access' *)
@@ -1281,33 +1410,33 @@ Goal Assertion 'rte,mem_access' (file tests/wp_acsl/chunk_typing.i, line 48):
Let a = shift_sint16(i16_0, i).
Let a_1 = shift_uint8(u8_0, i).
Let a_2 = shift_sint8(i8_0, i).
-Let a_3 = shift_sint8(i8_0, 0).
-Let a_4 = havoc(Mchar_undef_0, Mchar_0, a_3, 10).
-Let a_5 = shift_uint8(u8_0, 0).
-Let a_6 = havoc(Mint_undef_6, Mint_6, a_5, 10).
-Let a_7 = shift_sint16(i16_0, 0).
-Let a_8 = havoc(Mint_undef_0, Mint_0, a_7, 10).
-Let a_9 = shift_uint16(u16_0, 0).
-Let a_10 = havoc(Mint_undef_3, Mint_3, a_9, 10).
-Let a_11 = shift_sint32(i32_0, 0).
-Let a_12 = havoc(Mint_undef_1, Mint_1, a_11, 10).
-Let a_13 = shift_uint32(u32_0, 0).
-Let a_14 = havoc(Mint_undef_4, Mint_4, a_13, 10).
-Let a_15 = shift_sint64(i64_0, 0).
-Let a_16 = havoc(Mint_undef_2, Mint_2, a_15, 10).
-Let a_17 = shift_uint64(u64_0, 0).
-Let a_18 = havoc(Mint_undef_5, Mint_5, a_17, 10).
+Let a_3 = shift_uint64(u64_0, 0).
+Let a_4 = havoc(Mint_undef_5, Mint_5, a_3, 10).
+Let a_5 = shift_sint64(i64_0, 0).
+Let a_6 = havoc(Mint_undef_2, Mint_2, a_5, 10).
+Let a_7 = shift_uint32(u32_0, 0).
+Let a_8 = havoc(Mint_undef_4, Mint_4, a_7, 10).
+Let a_9 = shift_sint32(i32_0, 0).
+Let a_10 = havoc(Mint_undef_1, Mint_1, a_9, 10).
+Let a_11 = shift_uint16(u16_0, 0).
+Let a_12 = havoc(Mint_undef_3, Mint_3, a_11, 10).
+Let a_13 = shift_sint16(i16_0, 0).
+Let a_14 = havoc(Mint_undef_0, Mint_0, a_13, 10).
+Let a_15 = shift_uint8(u8_0, 0).
+Let a_16 = havoc(Mint_undef_6, Mint_6, a_15, 10).
+Let a_17 = shift_sint8(i8_0, 0).
+Let a_18 = havoc(Mchar_undef_0, Mchar_0, a_17, 10).
Assume {
Type: is_sint16_chunk(Mint_0) /\ is_sint32_chunk(Mint_1) /\
is_sint64_chunk(Mint_2) /\ is_sint8_chunk(Mchar_0) /\
is_uint16_chunk(Mint_3) /\ is_uint32_chunk(Mint_4) /\
is_uint64_chunk(Mint_5) /\ is_uint8_chunk(Mint_6) /\ is_sint32(i) /\
- is_sint16_chunk(a_8) /\ is_sint32_chunk(a_12) /\
- is_sint64_chunk(a_16) /\ is_sint8_chunk(a_4) /\
- is_uint16_chunk(a_10) /\ is_uint32_chunk(a_14) /\
- is_uint64_chunk(a_18) /\ is_uint8_chunk(a_6) /\
- is_sint16_chunk(a_8[a <- 3]) /\ is_sint8_chunk(a_4[a_2 <- 1]) /\
- is_uint8_chunk(a_6[a_1 <- 2]).
+ is_sint16_chunk(a_14) /\ is_sint32_chunk(a_10) /\
+ is_sint64_chunk(a_6) /\ is_sint8_chunk(a_18) /\
+ is_uint16_chunk(a_12) /\ is_uint32_chunk(a_8) /\
+ is_uint64_chunk(a_4) /\ is_uint8_chunk(a_16) /\
+ is_sint16_chunk(a_14[a <- 3]) /\ is_sint8_chunk(a_18[a_2 <- 1]) /\
+ is_uint8_chunk(a_16[a_1 <- 2]).
(* Heap *)
Type: (region(i16_0.base) <= 0) /\ (region(i32_0.base) <= 0) /\
(region(i64_0.base) <= 0) /\ (region(i8_0.base) <= 0) /\
@@ -1315,36 +1444,36 @@ Assume {
(region(u64_0.base) <= 0) /\ (region(u8_0.base) <= 0) /\
linked(Malloc_0) /\ sconst(Mchar_0).
(* Pre-condition *)
- Have: valid_rw(Malloc_0, a_7, 10) /\ valid_rw(Malloc_0, a_11, 10) /\
- valid_rw(Malloc_0, a_15, 10) /\ valid_rw(Malloc_0, a_3, 10) /\
- valid_rw(Malloc_0, a_9, 10) /\ valid_rw(Malloc_0, a_13, 10) /\
- valid_rw(Malloc_0, a_17, 10) /\ valid_rw(Malloc_0, a_5, 10).
+ Have: valid_rw(Malloc_0, a_13, 10) /\ valid_rw(Malloc_0, a_9, 10) /\
+ valid_rw(Malloc_0, a_5, 10) /\ valid_rw(Malloc_0, a_17, 10) /\
+ valid_rw(Malloc_0, a_11, 10) /\ valid_rw(Malloc_0, a_7, 10) /\
+ valid_rw(Malloc_0, a_3, 10) /\ valid_rw(Malloc_0, a_15, 10).
(* Invariant *)
- Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_18[shift_uint64(u64_0, i_1)] = 8))).
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_16[shift_sint64(i64_0, i_1)] = 7))).
+ (a_18[shift_sint8(i8_0, i_1)] = 1))).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_14[shift_uint32(u32_0, i_1)] = 6))).
+ (a_16[shift_uint8(u8_0, i_1)] = 2))).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_12[shift_sint32(i32_0, i_1)] = 5))).
+ (a_14[shift_sint16(i16_0, i_1)] = 3))).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_10[shift_uint16(u16_0, i_1)] = 4))).
+ (a_12[shift_uint16(u16_0, i_1)] = 4))).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_8[shift_sint16(i16_0, i_1)] = 3))).
+ (a_10[shift_sint32(i32_0, i_1)] = 5))).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_6[shift_uint8(u8_0, i_1)] = 2))).
+ (a_8[shift_uint32(u32_0, i_1)] = 6))).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_4[shift_sint8(i8_0, i_1)] = 1))).
+ (a_6[shift_sint64(i64_0, i_1)] = 7))).
(* Invariant *)
- Have: (0 <= i) /\ (i <= 10).
+ Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
+ (a_4[shift_uint64(u64_0, i_1)] = 8))).
(* Then *)
Have: i <= 9.
(* Assertion 'rte,mem_access' *)
@@ -1363,33 +1492,33 @@ Let a = shift_uint16(u16_0, i).
Let a_1 = shift_sint16(i16_0, i).
Let a_2 = shift_uint8(u8_0, i).
Let a_3 = shift_sint8(i8_0, i).
-Let a_4 = shift_sint8(i8_0, 0).
-Let a_5 = havoc(Mchar_undef_0, Mchar_0, a_4, 10).
-Let a_6 = shift_uint8(u8_0, 0).
-Let a_7 = havoc(Mint_undef_6, Mint_6, a_6, 10).
-Let a_8 = shift_sint16(i16_0, 0).
-Let a_9 = havoc(Mint_undef_0, Mint_0, a_8, 10).
-Let a_10 = shift_uint16(u16_0, 0).
-Let a_11 = havoc(Mint_undef_3, Mint_3, a_10, 10).
-Let a_12 = shift_sint32(i32_0, 0).
-Let a_13 = havoc(Mint_undef_1, Mint_1, a_12, 10).
-Let a_14 = shift_uint32(u32_0, 0).
-Let a_15 = havoc(Mint_undef_4, Mint_4, a_14, 10).
-Let a_16 = shift_sint64(i64_0, 0).
-Let a_17 = havoc(Mint_undef_2, Mint_2, a_16, 10).
-Let a_18 = shift_uint64(u64_0, 0).
-Let a_19 = havoc(Mint_undef_5, Mint_5, a_18, 10).
+Let a_4 = shift_uint64(u64_0, 0).
+Let a_5 = havoc(Mint_undef_5, Mint_5, a_4, 10).
+Let a_6 = shift_sint64(i64_0, 0).
+Let a_7 = havoc(Mint_undef_2, Mint_2, a_6, 10).
+Let a_8 = shift_uint32(u32_0, 0).
+Let a_9 = havoc(Mint_undef_4, Mint_4, a_8, 10).
+Let a_10 = shift_sint32(i32_0, 0).
+Let a_11 = havoc(Mint_undef_1, Mint_1, a_10, 10).
+Let a_12 = shift_uint16(u16_0, 0).
+Let a_13 = havoc(Mint_undef_3, Mint_3, a_12, 10).
+Let a_14 = shift_sint16(i16_0, 0).
+Let a_15 = havoc(Mint_undef_0, Mint_0, a_14, 10).
+Let a_16 = shift_uint8(u8_0, 0).
+Let a_17 = havoc(Mint_undef_6, Mint_6, a_16, 10).
+Let a_18 = shift_sint8(i8_0, 0).
+Let a_19 = havoc(Mchar_undef_0, Mchar_0, a_18, 10).
Assume {
Type: is_sint16_chunk(Mint_0) /\ is_sint32_chunk(Mint_1) /\
is_sint64_chunk(Mint_2) /\ is_sint8_chunk(Mchar_0) /\
is_uint16_chunk(Mint_3) /\ is_uint32_chunk(Mint_4) /\
is_uint64_chunk(Mint_5) /\ is_uint8_chunk(Mint_6) /\ is_sint32(i) /\
- is_sint16_chunk(a_9) /\ is_sint32_chunk(a_13) /\
- is_sint64_chunk(a_17) /\ is_sint8_chunk(a_5) /\
- is_uint16_chunk(a_11) /\ is_uint32_chunk(a_15) /\
- is_uint64_chunk(a_19) /\ is_uint8_chunk(a_7) /\
- is_sint16_chunk(a_9[a_1 <- 3]) /\ is_sint8_chunk(a_5[a_3 <- 1]) /\
- is_uint16_chunk(a_11[a <- 4]) /\ is_uint8_chunk(a_7[a_2 <- 2]).
+ is_sint16_chunk(a_15) /\ is_sint32_chunk(a_11) /\
+ is_sint64_chunk(a_7) /\ is_sint8_chunk(a_19) /\
+ is_uint16_chunk(a_13) /\ is_uint32_chunk(a_9) /\
+ is_uint64_chunk(a_5) /\ is_uint8_chunk(a_17) /\
+ is_sint16_chunk(a_15[a_1 <- 3]) /\ is_sint8_chunk(a_19[a_3 <- 1]) /\
+ is_uint16_chunk(a_13[a <- 4]) /\ is_uint8_chunk(a_17[a_2 <- 2]).
(* Heap *)
Type: (region(i16_0.base) <= 0) /\ (region(i32_0.base) <= 0) /\
(region(i64_0.base) <= 0) /\ (region(i8_0.base) <= 0) /\
@@ -1397,36 +1526,36 @@ Assume {
(region(u64_0.base) <= 0) /\ (region(u8_0.base) <= 0) /\
linked(Malloc_0) /\ sconst(Mchar_0).
(* Pre-condition *)
- Have: valid_rw(Malloc_0, a_8, 10) /\ valid_rw(Malloc_0, a_12, 10) /\
- valid_rw(Malloc_0, a_16, 10) /\ valid_rw(Malloc_0, a_4, 10) /\
- valid_rw(Malloc_0, a_10, 10) /\ valid_rw(Malloc_0, a_14, 10) /\
- valid_rw(Malloc_0, a_18, 10) /\ valid_rw(Malloc_0, a_6, 10).
+ Have: valid_rw(Malloc_0, a_14, 10) /\ valid_rw(Malloc_0, a_10, 10) /\
+ valid_rw(Malloc_0, a_6, 10) /\ valid_rw(Malloc_0, a_18, 10) /\
+ valid_rw(Malloc_0, a_12, 10) /\ valid_rw(Malloc_0, a_8, 10) /\
+ valid_rw(Malloc_0, a_4, 10) /\ valid_rw(Malloc_0, a_16, 10).
(* Invariant *)
- Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_19[shift_uint64(u64_0, i_1)] = 8))).
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_17[shift_sint64(i64_0, i_1)] = 7))).
+ (a_19[shift_sint8(i8_0, i_1)] = 1))).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_15[shift_uint32(u32_0, i_1)] = 6))).
+ (a_17[shift_uint8(u8_0, i_1)] = 2))).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_13[shift_sint32(i32_0, i_1)] = 5))).
+ (a_15[shift_sint16(i16_0, i_1)] = 3))).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_11[shift_uint16(u16_0, i_1)] = 4))).
+ (a_13[shift_uint16(u16_0, i_1)] = 4))).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_9[shift_sint16(i16_0, i_1)] = 3))).
+ (a_11[shift_sint32(i32_0, i_1)] = 5))).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_7[shift_uint8(u8_0, i_1)] = 2))).
+ (a_9[shift_uint32(u32_0, i_1)] = 6))).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_5[shift_sint8(i8_0, i_1)] = 1))).
+ (a_7[shift_sint64(i64_0, i_1)] = 7))).
(* Invariant *)
- Have: (0 <= i) /\ (i <= 10).
+ Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
+ (a_5[shift_uint64(u64_0, i_1)] = 8))).
(* Then *)
Have: i <= 9.
(* Assertion 'rte,mem_access' *)
@@ -1448,34 +1577,34 @@ Let a_1 = shift_uint16(u16_0, i).
Let a_2 = shift_sint16(i16_0, i).
Let a_3 = shift_uint8(u8_0, i).
Let a_4 = shift_sint8(i8_0, i).
-Let a_5 = shift_sint8(i8_0, 0).
-Let a_6 = havoc(Mchar_undef_0, Mchar_0, a_5, 10).
-Let a_7 = shift_uint8(u8_0, 0).
-Let a_8 = havoc(Mint_undef_6, Mint_6, a_7, 10).
-Let a_9 = shift_sint16(i16_0, 0).
-Let a_10 = havoc(Mint_undef_0, Mint_0, a_9, 10).
-Let a_11 = shift_uint16(u16_0, 0).
-Let a_12 = havoc(Mint_undef_3, Mint_3, a_11, 10).
-Let a_13 = shift_sint32(i32_0, 0).
-Let a_14 = havoc(Mint_undef_1, Mint_1, a_13, 10).
-Let a_15 = shift_uint32(u32_0, 0).
-Let a_16 = havoc(Mint_undef_4, Mint_4, a_15, 10).
-Let a_17 = shift_sint64(i64_0, 0).
-Let a_18 = havoc(Mint_undef_2, Mint_2, a_17, 10).
-Let a_19 = shift_uint64(u64_0, 0).
-Let a_20 = havoc(Mint_undef_5, Mint_5, a_19, 10).
+Let a_5 = shift_uint64(u64_0, 0).
+Let a_6 = havoc(Mint_undef_5, Mint_5, a_5, 10).
+Let a_7 = shift_sint64(i64_0, 0).
+Let a_8 = havoc(Mint_undef_2, Mint_2, a_7, 10).
+Let a_9 = shift_uint32(u32_0, 0).
+Let a_10 = havoc(Mint_undef_4, Mint_4, a_9, 10).
+Let a_11 = shift_sint32(i32_0, 0).
+Let a_12 = havoc(Mint_undef_1, Mint_1, a_11, 10).
+Let a_13 = shift_uint16(u16_0, 0).
+Let a_14 = havoc(Mint_undef_3, Mint_3, a_13, 10).
+Let a_15 = shift_sint16(i16_0, 0).
+Let a_16 = havoc(Mint_undef_0, Mint_0, a_15, 10).
+Let a_17 = shift_uint8(u8_0, 0).
+Let a_18 = havoc(Mint_undef_6, Mint_6, a_17, 10).
+Let a_19 = shift_sint8(i8_0, 0).
+Let a_20 = havoc(Mchar_undef_0, Mchar_0, a_19, 10).
Assume {
Type: is_sint16_chunk(Mint_0) /\ is_sint32_chunk(Mint_1) /\
is_sint64_chunk(Mint_2) /\ is_sint8_chunk(Mchar_0) /\
is_uint16_chunk(Mint_3) /\ is_uint32_chunk(Mint_4) /\
is_uint64_chunk(Mint_5) /\ is_uint8_chunk(Mint_6) /\ is_sint32(i) /\
- is_sint16_chunk(a_10) /\ is_sint32_chunk(a_14) /\
- is_sint64_chunk(a_18) /\ is_sint8_chunk(a_6) /\
- is_uint16_chunk(a_12) /\ is_uint32_chunk(a_16) /\
- is_uint64_chunk(a_20) /\ is_uint8_chunk(a_8) /\
- is_sint16_chunk(a_10[a_2 <- 3]) /\ is_sint32_chunk(a_14[a <- 5]) /\
- is_sint8_chunk(a_6[a_4 <- 1]) /\ is_uint16_chunk(a_12[a_1 <- 4]) /\
- is_uint8_chunk(a_8[a_3 <- 2]).
+ is_sint16_chunk(a_16) /\ is_sint32_chunk(a_12) /\
+ is_sint64_chunk(a_8) /\ is_sint8_chunk(a_20) /\
+ is_uint16_chunk(a_14) /\ is_uint32_chunk(a_10) /\
+ is_uint64_chunk(a_6) /\ is_uint8_chunk(a_18) /\
+ is_sint16_chunk(a_16[a_2 <- 3]) /\ is_sint32_chunk(a_12[a <- 5]) /\
+ is_sint8_chunk(a_20[a_4 <- 1]) /\ is_uint16_chunk(a_14[a_1 <- 4]) /\
+ is_uint8_chunk(a_18[a_3 <- 2]).
(* Heap *)
Type: (region(i16_0.base) <= 0) /\ (region(i32_0.base) <= 0) /\
(region(i64_0.base) <= 0) /\ (region(i8_0.base) <= 0) /\
@@ -1483,36 +1612,36 @@ Assume {
(region(u64_0.base) <= 0) /\ (region(u8_0.base) <= 0) /\
linked(Malloc_0) /\ sconst(Mchar_0).
(* Pre-condition *)
- Have: valid_rw(Malloc_0, a_9, 10) /\ valid_rw(Malloc_0, a_13, 10) /\
- valid_rw(Malloc_0, a_17, 10) /\ valid_rw(Malloc_0, a_5, 10) /\
- valid_rw(Malloc_0, a_11, 10) /\ valid_rw(Malloc_0, a_15, 10) /\
- valid_rw(Malloc_0, a_19, 10) /\ valid_rw(Malloc_0, a_7, 10).
+ Have: valid_rw(Malloc_0, a_15, 10) /\ valid_rw(Malloc_0, a_11, 10) /\
+ valid_rw(Malloc_0, a_7, 10) /\ valid_rw(Malloc_0, a_19, 10) /\
+ valid_rw(Malloc_0, a_13, 10) /\ valid_rw(Malloc_0, a_9, 10) /\
+ valid_rw(Malloc_0, a_5, 10) /\ valid_rw(Malloc_0, a_17, 10).
(* Invariant *)
- Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_20[shift_uint64(u64_0, i_1)] = 8))).
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_18[shift_sint64(i64_0, i_1)] = 7))).
+ (a_20[shift_sint8(i8_0, i_1)] = 1))).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_16[shift_uint32(u32_0, i_1)] = 6))).
+ (a_18[shift_uint8(u8_0, i_1)] = 2))).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_14[shift_sint32(i32_0, i_1)] = 5))).
+ (a_16[shift_sint16(i16_0, i_1)] = 3))).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_12[shift_uint16(u16_0, i_1)] = 4))).
+ (a_14[shift_uint16(u16_0, i_1)] = 4))).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_10[shift_sint16(i16_0, i_1)] = 3))).
+ (a_12[shift_sint32(i32_0, i_1)] = 5))).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_8[shift_uint8(u8_0, i_1)] = 2))).
+ (a_10[shift_uint32(u32_0, i_1)] = 6))).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_6[shift_sint8(i8_0, i_1)] = 1))).
+ (a_8[shift_sint64(i64_0, i_1)] = 7))).
(* Invariant *)
- Have: (0 <= i) /\ (i <= 10).
+ Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
+ (a_6[shift_uint64(u64_0, i_1)] = 8))).
(* Then *)
Have: i <= 9.
(* Assertion 'rte,mem_access' *)
@@ -1537,34 +1666,34 @@ Let a_2 = shift_uint16(u16_0, i).
Let a_3 = shift_sint16(i16_0, i).
Let a_4 = shift_uint8(u8_0, i).
Let a_5 = shift_sint8(i8_0, i).
-Let a_6 = shift_sint8(i8_0, 0).
-Let a_7 = havoc(Mchar_undef_0, Mchar_0, a_6, 10).
-Let a_8 = shift_uint8(u8_0, 0).
-Let a_9 = havoc(Mint_undef_6, Mint_6, a_8, 10).
-Let a_10 = shift_sint16(i16_0, 0).
-Let a_11 = havoc(Mint_undef_0, Mint_0, a_10, 10).
-Let a_12 = shift_uint16(u16_0, 0).
-Let a_13 = havoc(Mint_undef_3, Mint_3, a_12, 10).
-Let a_14 = shift_sint32(i32_0, 0).
-Let a_15 = havoc(Mint_undef_1, Mint_1, a_14, 10).
-Let a_16 = shift_uint32(u32_0, 0).
-Let a_17 = havoc(Mint_undef_4, Mint_4, a_16, 10).
-Let a_18 = shift_sint64(i64_0, 0).
-Let a_19 = havoc(Mint_undef_2, Mint_2, a_18, 10).
-Let a_20 = shift_uint64(u64_0, 0).
-Let a_21 = havoc(Mint_undef_5, Mint_5, a_20, 10).
+Let a_6 = shift_uint64(u64_0, 0).
+Let a_7 = havoc(Mint_undef_5, Mint_5, a_6, 10).
+Let a_8 = shift_sint64(i64_0, 0).
+Let a_9 = havoc(Mint_undef_2, Mint_2, a_8, 10).
+Let a_10 = shift_uint32(u32_0, 0).
+Let a_11 = havoc(Mint_undef_4, Mint_4, a_10, 10).
+Let a_12 = shift_sint32(i32_0, 0).
+Let a_13 = havoc(Mint_undef_1, Mint_1, a_12, 10).
+Let a_14 = shift_uint16(u16_0, 0).
+Let a_15 = havoc(Mint_undef_3, Mint_3, a_14, 10).
+Let a_16 = shift_sint16(i16_0, 0).
+Let a_17 = havoc(Mint_undef_0, Mint_0, a_16, 10).
+Let a_18 = shift_uint8(u8_0, 0).
+Let a_19 = havoc(Mint_undef_6, Mint_6, a_18, 10).
+Let a_20 = shift_sint8(i8_0, 0).
+Let a_21 = havoc(Mchar_undef_0, Mchar_0, a_20, 10).
Assume {
Type: is_sint16_chunk(Mint_0) /\ is_sint32_chunk(Mint_1) /\
is_sint64_chunk(Mint_2) /\ is_sint8_chunk(Mchar_0) /\
is_uint16_chunk(Mint_3) /\ is_uint32_chunk(Mint_4) /\
is_uint64_chunk(Mint_5) /\ is_uint8_chunk(Mint_6) /\ is_sint32(i) /\
- is_sint16_chunk(a_11) /\ is_sint32_chunk(a_15) /\
- is_sint64_chunk(a_19) /\ is_sint8_chunk(a_7) /\
- is_uint16_chunk(a_13) /\ is_uint32_chunk(a_17) /\
- is_uint64_chunk(a_21) /\ is_uint8_chunk(a_9) /\
- is_sint16_chunk(a_11[a_3 <- 3]) /\ is_sint32_chunk(a_15[a_1 <- 5]) /\
- is_sint8_chunk(a_7[a_5 <- 1]) /\ is_uint16_chunk(a_13[a_2 <- 4]) /\
- is_uint32_chunk(a_17[a <- 6]) /\ is_uint8_chunk(a_9[a_4 <- 2]).
+ is_sint16_chunk(a_17) /\ is_sint32_chunk(a_13) /\
+ is_sint64_chunk(a_9) /\ is_sint8_chunk(a_21) /\
+ is_uint16_chunk(a_15) /\ is_uint32_chunk(a_11) /\
+ is_uint64_chunk(a_7) /\ is_uint8_chunk(a_19) /\
+ is_sint16_chunk(a_17[a_3 <- 3]) /\ is_sint32_chunk(a_13[a_1 <- 5]) /\
+ is_sint8_chunk(a_21[a_5 <- 1]) /\ is_uint16_chunk(a_15[a_2 <- 4]) /\
+ is_uint32_chunk(a_11[a <- 6]) /\ is_uint8_chunk(a_19[a_4 <- 2]).
(* Heap *)
Type: (region(i16_0.base) <= 0) /\ (region(i32_0.base) <= 0) /\
(region(i64_0.base) <= 0) /\ (region(i8_0.base) <= 0) /\
@@ -1572,36 +1701,36 @@ Assume {
(region(u64_0.base) <= 0) /\ (region(u8_0.base) <= 0) /\
linked(Malloc_0) /\ sconst(Mchar_0).
(* Pre-condition *)
- Have: valid_rw(Malloc_0, a_10, 10) /\ valid_rw(Malloc_0, a_14, 10) /\
- valid_rw(Malloc_0, a_18, 10) /\ valid_rw(Malloc_0, a_6, 10) /\
- valid_rw(Malloc_0, a_12, 10) /\ valid_rw(Malloc_0, a_16, 10) /\
- valid_rw(Malloc_0, a_20, 10) /\ valid_rw(Malloc_0, a_8, 10).
+ Have: valid_rw(Malloc_0, a_16, 10) /\ valid_rw(Malloc_0, a_12, 10) /\
+ valid_rw(Malloc_0, a_8, 10) /\ valid_rw(Malloc_0, a_20, 10) /\
+ valid_rw(Malloc_0, a_14, 10) /\ valid_rw(Malloc_0, a_10, 10) /\
+ valid_rw(Malloc_0, a_6, 10) /\ valid_rw(Malloc_0, a_18, 10).
(* Invariant *)
- Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_21[shift_uint64(u64_0, i_1)] = 8))).
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_19[shift_sint64(i64_0, i_1)] = 7))).
+ (a_21[shift_sint8(i8_0, i_1)] = 1))).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_17[shift_uint32(u32_0, i_1)] = 6))).
+ (a_19[shift_uint8(u8_0, i_1)] = 2))).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_15[shift_sint32(i32_0, i_1)] = 5))).
+ (a_17[shift_sint16(i16_0, i_1)] = 3))).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_13[shift_uint16(u16_0, i_1)] = 4))).
+ (a_15[shift_uint16(u16_0, i_1)] = 4))).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_11[shift_sint16(i16_0, i_1)] = 3))).
+ (a_13[shift_sint32(i32_0, i_1)] = 5))).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_9[shift_uint8(u8_0, i_1)] = 2))).
+ (a_11[shift_uint32(u32_0, i_1)] = 6))).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_7[shift_sint8(i8_0, i_1)] = 1))).
+ (a_9[shift_sint64(i64_0, i_1)] = 7))).
(* Invariant *)
- Have: (0 <= i) /\ (i <= 10).
+ Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
+ (a_7[shift_uint64(u64_0, i_1)] = 8))).
(* Then *)
Have: i <= 9.
(* Assertion 'rte,mem_access' *)
@@ -1629,35 +1758,35 @@ Let a_3 = shift_uint16(u16_0, i).
Let a_4 = shift_sint16(i16_0, i).
Let a_5 = shift_uint8(u8_0, i).
Let a_6 = shift_sint8(i8_0, i).
-Let a_7 = shift_sint8(i8_0, 0).
-Let a_8 = havoc(Mchar_undef_0, Mchar_0, a_7, 10).
-Let a_9 = shift_uint8(u8_0, 0).
-Let a_10 = havoc(Mint_undef_6, Mint_6, a_9, 10).
-Let a_11 = shift_sint16(i16_0, 0).
-Let a_12 = havoc(Mint_undef_0, Mint_0, a_11, 10).
-Let a_13 = shift_uint16(u16_0, 0).
-Let a_14 = havoc(Mint_undef_3, Mint_3, a_13, 10).
-Let a_15 = shift_sint32(i32_0, 0).
-Let a_16 = havoc(Mint_undef_1, Mint_1, a_15, 10).
-Let a_17 = shift_uint32(u32_0, 0).
-Let a_18 = havoc(Mint_undef_4, Mint_4, a_17, 10).
-Let a_19 = shift_sint64(i64_0, 0).
-Let a_20 = havoc(Mint_undef_2, Mint_2, a_19, 10).
-Let a_21 = shift_uint64(u64_0, 0).
-Let a_22 = havoc(Mint_undef_5, Mint_5, a_21, 10).
+Let a_7 = shift_uint64(u64_0, 0).
+Let a_8 = havoc(Mint_undef_5, Mint_5, a_7, 10).
+Let a_9 = shift_sint64(i64_0, 0).
+Let a_10 = havoc(Mint_undef_2, Mint_2, a_9, 10).
+Let a_11 = shift_uint32(u32_0, 0).
+Let a_12 = havoc(Mint_undef_4, Mint_4, a_11, 10).
+Let a_13 = shift_sint32(i32_0, 0).
+Let a_14 = havoc(Mint_undef_1, Mint_1, a_13, 10).
+Let a_15 = shift_uint16(u16_0, 0).
+Let a_16 = havoc(Mint_undef_3, Mint_3, a_15, 10).
+Let a_17 = shift_sint16(i16_0, 0).
+Let a_18 = havoc(Mint_undef_0, Mint_0, a_17, 10).
+Let a_19 = shift_uint8(u8_0, 0).
+Let a_20 = havoc(Mint_undef_6, Mint_6, a_19, 10).
+Let a_21 = shift_sint8(i8_0, 0).
+Let a_22 = havoc(Mchar_undef_0, Mchar_0, a_21, 10).
Assume {
Type: is_sint16_chunk(Mint_0) /\ is_sint32_chunk(Mint_1) /\
is_sint64_chunk(Mint_2) /\ is_sint8_chunk(Mchar_0) /\
is_uint16_chunk(Mint_3) /\ is_uint32_chunk(Mint_4) /\
is_uint64_chunk(Mint_5) /\ is_uint8_chunk(Mint_6) /\ is_sint32(i) /\
- is_sint16_chunk(a_12) /\ is_sint32_chunk(a_16) /\
- is_sint64_chunk(a_20) /\ is_sint8_chunk(a_8) /\
- is_uint16_chunk(a_14) /\ is_uint32_chunk(a_18) /\
- is_uint64_chunk(a_22) /\ is_uint8_chunk(a_10) /\
- is_sint16_chunk(a_12[a_4 <- 3]) /\ is_sint32_chunk(a_16[a_2 <- 5]) /\
- is_sint64_chunk(a_20[a <- 7]) /\ is_sint8_chunk(a_8[a_6 <- 1]) /\
- is_uint16_chunk(a_14[a_3 <- 4]) /\ is_uint32_chunk(a_18[a_1 <- 6]) /\
- is_uint8_chunk(a_10[a_5 <- 2]).
+ is_sint16_chunk(a_18) /\ is_sint32_chunk(a_14) /\
+ is_sint64_chunk(a_10) /\ is_sint8_chunk(a_22) /\
+ is_uint16_chunk(a_16) /\ is_uint32_chunk(a_12) /\
+ is_uint64_chunk(a_8) /\ is_uint8_chunk(a_20) /\
+ is_sint16_chunk(a_18[a_4 <- 3]) /\ is_sint32_chunk(a_14[a_2 <- 5]) /\
+ is_sint64_chunk(a_10[a <- 7]) /\ is_sint8_chunk(a_22[a_6 <- 1]) /\
+ is_uint16_chunk(a_16[a_3 <- 4]) /\ is_uint32_chunk(a_12[a_1 <- 6]) /\
+ is_uint8_chunk(a_20[a_5 <- 2]).
(* Heap *)
Type: (region(i16_0.base) <= 0) /\ (region(i32_0.base) <= 0) /\
(region(i64_0.base) <= 0) /\ (region(i8_0.base) <= 0) /\
@@ -1665,36 +1794,36 @@ Assume {
(region(u64_0.base) <= 0) /\ (region(u8_0.base) <= 0) /\
linked(Malloc_0) /\ sconst(Mchar_0).
(* Pre-condition *)
- Have: valid_rw(Malloc_0, a_11, 10) /\ valid_rw(Malloc_0, a_15, 10) /\
- valid_rw(Malloc_0, a_19, 10) /\ valid_rw(Malloc_0, a_7, 10) /\
- valid_rw(Malloc_0, a_13, 10) /\ valid_rw(Malloc_0, a_17, 10) /\
- valid_rw(Malloc_0, a_21, 10) /\ valid_rw(Malloc_0, a_9, 10).
+ Have: valid_rw(Malloc_0, a_17, 10) /\ valid_rw(Malloc_0, a_13, 10) /\
+ valid_rw(Malloc_0, a_9, 10) /\ valid_rw(Malloc_0, a_21, 10) /\
+ valid_rw(Malloc_0, a_15, 10) /\ valid_rw(Malloc_0, a_11, 10) /\
+ valid_rw(Malloc_0, a_7, 10) /\ valid_rw(Malloc_0, a_19, 10).
(* Invariant *)
- Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_22[shift_uint64(u64_0, i_1)] = 8))).
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_20[shift_sint64(i64_0, i_1)] = 7))).
+ (a_22[shift_sint8(i8_0, i_1)] = 1))).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_18[shift_uint32(u32_0, i_1)] = 6))).
+ (a_20[shift_uint8(u8_0, i_1)] = 2))).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_16[shift_sint32(i32_0, i_1)] = 5))).
+ (a_18[shift_sint16(i16_0, i_1)] = 3))).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_14[shift_uint16(u16_0, i_1)] = 4))).
+ (a_16[shift_uint16(u16_0, i_1)] = 4))).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_12[shift_sint16(i16_0, i_1)] = 3))).
+ (a_14[shift_sint32(i32_0, i_1)] = 5))).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_10[shift_uint8(u8_0, i_1)] = 2))).
+ (a_12[shift_uint32(u32_0, i_1)] = 6))).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_8[shift_sint8(i8_0, i_1)] = 1))).
+ (a_10[shift_sint64(i64_0, i_1)] = 7))).
(* Invariant *)
- Have: (0 <= i) /\ (i <= 10).
+ Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
+ (a_8[shift_uint64(u64_0, i_1)] = 8))).
(* Then *)
Have: i <= 9.
(* Assertion 'rte,mem_access' *)
@@ -1725,35 +1854,35 @@ Let a_4 = shift_uint16(u16_0, i).
Let a_5 = shift_sint16(i16_0, i).
Let a_6 = shift_uint8(u8_0, i).
Let a_7 = shift_sint8(i8_0, i).
-Let a_8 = shift_sint8(i8_0, 0).
-Let a_9 = havoc(Mchar_undef_0, Mchar_0, a_8, 10).
-Let a_10 = shift_uint8(u8_0, 0).
-Let a_11 = havoc(Mint_undef_6, Mint_6, a_10, 10).
-Let a_12 = shift_sint16(i16_0, 0).
-Let a_13 = havoc(Mint_undef_0, Mint_0, a_12, 10).
-Let a_14 = shift_uint16(u16_0, 0).
-Let a_15 = havoc(Mint_undef_3, Mint_3, a_14, 10).
-Let a_16 = shift_sint32(i32_0, 0).
-Let a_17 = havoc(Mint_undef_1, Mint_1, a_16, 10).
-Let a_18 = shift_uint32(u32_0, 0).
-Let a_19 = havoc(Mint_undef_4, Mint_4, a_18, 10).
-Let a_20 = shift_sint64(i64_0, 0).
-Let a_21 = havoc(Mint_undef_2, Mint_2, a_20, 10).
-Let a_22 = shift_uint64(u64_0, 0).
-Let a_23 = havoc(Mint_undef_5, Mint_5, a_22, 10).
+Let a_8 = shift_uint64(u64_0, 0).
+Let a_9 = havoc(Mint_undef_5, Mint_5, a_8, 10).
+Let a_10 = shift_sint64(i64_0, 0).
+Let a_11 = havoc(Mint_undef_2, Mint_2, a_10, 10).
+Let a_12 = shift_uint32(u32_0, 0).
+Let a_13 = havoc(Mint_undef_4, Mint_4, a_12, 10).
+Let a_14 = shift_sint32(i32_0, 0).
+Let a_15 = havoc(Mint_undef_1, Mint_1, a_14, 10).
+Let a_16 = shift_uint16(u16_0, 0).
+Let a_17 = havoc(Mint_undef_3, Mint_3, a_16, 10).
+Let a_18 = shift_sint16(i16_0, 0).
+Let a_19 = havoc(Mint_undef_0, Mint_0, a_18, 10).
+Let a_20 = shift_uint8(u8_0, 0).
+Let a_21 = havoc(Mint_undef_6, Mint_6, a_20, 10).
+Let a_22 = shift_sint8(i8_0, 0).
+Let a_23 = havoc(Mchar_undef_0, Mchar_0, a_22, 10).
Assume {
Type: is_sint16_chunk(Mint_0) /\ is_sint32_chunk(Mint_1) /\
is_sint64_chunk(Mint_2) /\ is_sint8_chunk(Mchar_0) /\
is_uint16_chunk(Mint_3) /\ is_uint32_chunk(Mint_4) /\
is_uint64_chunk(Mint_5) /\ is_uint8_chunk(Mint_6) /\ is_sint32(i) /\
- is_sint16_chunk(a_13) /\ is_sint32_chunk(a_17) /\
- is_sint64_chunk(a_21) /\ is_sint8_chunk(a_9) /\
- is_uint16_chunk(a_15) /\ is_uint32_chunk(a_19) /\
- is_uint64_chunk(a_23) /\ is_uint8_chunk(a_11) /\
- is_sint16_chunk(a_13[a_5 <- 3]) /\ is_sint32_chunk(a_17[a_3 <- 5]) /\
- is_sint64_chunk(a_21[a_1 <- 7]) /\ is_sint8_chunk(a_9[a_7 <- 1]) /\
- is_uint16_chunk(a_15[a_4 <- 4]) /\ is_uint32_chunk(a_19[a_2 <- 6]) /\
- is_uint64_chunk(a_23[a <- 8]) /\ is_uint8_chunk(a_11[a_6 <- 2]).
+ is_sint16_chunk(a_19) /\ is_sint32_chunk(a_15) /\
+ is_sint64_chunk(a_11) /\ is_sint8_chunk(a_23) /\
+ is_uint16_chunk(a_17) /\ is_uint32_chunk(a_13) /\
+ is_uint64_chunk(a_9) /\ is_uint8_chunk(a_21) /\
+ is_sint16_chunk(a_19[a_5 <- 3]) /\ is_sint32_chunk(a_15[a_3 <- 5]) /\
+ is_sint64_chunk(a_11[a_1 <- 7]) /\ is_sint8_chunk(a_23[a_7 <- 1]) /\
+ is_uint16_chunk(a_17[a_4 <- 4]) /\ is_uint32_chunk(a_13[a_2 <- 6]) /\
+ is_uint64_chunk(a_9[a <- 8]) /\ is_uint8_chunk(a_21[a_6 <- 2]).
(* Heap *)
Type: (region(i16_0.base) <= 0) /\ (region(i32_0.base) <= 0) /\
(region(i64_0.base) <= 0) /\ (region(i8_0.base) <= 0) /\
@@ -1761,36 +1890,36 @@ Assume {
(region(u64_0.base) <= 0) /\ (region(u8_0.base) <= 0) /\
linked(Malloc_0) /\ sconst(Mchar_0).
(* Pre-condition *)
- Have: valid_rw(Malloc_0, a_12, 10) /\ valid_rw(Malloc_0, a_16, 10) /\
- valid_rw(Malloc_0, a_20, 10) /\ valid_rw(Malloc_0, a_8, 10) /\
- valid_rw(Malloc_0, a_14, 10) /\ valid_rw(Malloc_0, a_18, 10) /\
- valid_rw(Malloc_0, a_22, 10) /\ valid_rw(Malloc_0, a_10, 10).
+ Have: valid_rw(Malloc_0, a_18, 10) /\ valid_rw(Malloc_0, a_14, 10) /\
+ valid_rw(Malloc_0, a_10, 10) /\ valid_rw(Malloc_0, a_22, 10) /\
+ valid_rw(Malloc_0, a_16, 10) /\ valid_rw(Malloc_0, a_12, 10) /\
+ valid_rw(Malloc_0, a_8, 10) /\ valid_rw(Malloc_0, a_20, 10).
(* Invariant *)
- Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_23[shift_uint64(u64_0, i_1)] = 8))).
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_21[shift_sint64(i64_0, i_1)] = 7))).
+ (a_23[shift_sint8(i8_0, i_1)] = 1))).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_19[shift_uint32(u32_0, i_1)] = 6))).
+ (a_21[shift_uint8(u8_0, i_1)] = 2))).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_17[shift_sint32(i32_0, i_1)] = 5))).
+ (a_19[shift_sint16(i16_0, i_1)] = 3))).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_15[shift_uint16(u16_0, i_1)] = 4))).
+ (a_17[shift_uint16(u16_0, i_1)] = 4))).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_13[shift_sint16(i16_0, i_1)] = 3))).
+ (a_15[shift_sint32(i32_0, i_1)] = 5))).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_11[shift_uint8(u8_0, i_1)] = 2))).
+ (a_13[shift_uint32(u32_0, i_1)] = 6))).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_9[shift_sint8(i8_0, i_1)] = 1))).
+ (a_11[shift_sint64(i64_0, i_1)] = 7))).
(* Invariant *)
- Have: (0 <= i) /\ (i <= 10).
+ Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
+ (a_9[shift_uint64(u64_0, i_1)] = 8))).
(* Then *)
Have: i <= 9.
(* Assertion 'rte,mem_access' *)
diff --git a/src/plugins/wp/tests/wp_acsl/oracle/looplabels.res.oracle b/src/plugins/wp/tests/wp_acsl/oracle/looplabels.res.oracle
index 68d943f582170a3d187c3cb44229cd352dd0d7f1..3186bf3c7ec1ad310419341cf425e0a7d96c8aba 100644
--- a/src/plugins/wp/tests/wp_acsl/oracle/looplabels.res.oracle
+++ b/src/plugins/wp/tests/wp_acsl/oracle/looplabels.res.oracle
@@ -22,9 +22,11 @@ Assume {
(* Pre-condition *)
Have: separated(a_2, n, a_1, n).
(* Invariant *)
- Have: P_IsEqual(havoc(Mint_undef_0, Mint_0, a_1, n), a, b, i).
+ Have: P_IsEqual(Mint_0, a, b, 0).
(* Invariant *)
Have: (0 <= i) /\ (i <= n).
+ (* Invariant *)
+ Have: P_IsEqual(havoc(Mint_undef_0, Mint_0, a_1, n), a, b, i).
(* Else *)
Have: n <= i.
}
@@ -48,9 +50,11 @@ Assume {
(* Pre-condition *)
Have: separated(a_2, n, a_1, n).
(* Invariant *)
- Have: P_IsEqual(havoc(Mint_undef_0, Mint_0, a_1, n), a, b, i).
+ Have: P_IsEqual(Mint_0, a, b, 0).
(* Invariant *)
Have: (0 <= i) /\ (i <= n).
+ (* Invariant *)
+ Have: P_IsEqual(havoc(Mint_undef_0, Mint_0, a_1, n), a, b, i).
(* Then *)
Have: i < n.
}
@@ -81,11 +85,15 @@ Assume {
(* Pre-condition *)
Have: separated(a_3, n, a_1, n).
(* Invariant *)
- Have: P_IsEqual(a_2, a, b, i).
+ Have: P_IsEqual(Mint_0, a, b, 0).
(* Invariant *)
Have: (0 <= i) /\ (i <= n).
+ (* Invariant *)
+ Have: P_IsEqual(a_2, a, b, i).
(* Then *)
Have: i < n.
+ (* Invariant *)
+ Have: (-1) <= i.
}
Prove: P_IsEqual(a_2[shift_sint32(b, i) <- a_2[shift_sint32(a, i)]], a, b, x).
@@ -119,10 +127,12 @@ Prove: true.
Goal Loop assigns (file tests/wp_acsl/looplabels.i, line 20) (2/2):
Effect at line 23
Let a_1 = shift_sint32(b, 0).
-Let a_2 = shift_sint32(a, 0).
-Let a_3 = shift_sint32(b, i).
+Let a_2 = havoc(Mint_undef_0, Mint_0, a_1, n).
+Let x = i - 1.
+Let a_3 = shift_sint32(b, x).
+Let a_4 = shift_sint32(a, 0).
Assume {
- Type: is_sint32(i) /\ is_sint32(n).
+ Type: is_sint32(i) /\ is_sint32(n) /\ is_sint32(x).
(* Heap *)
Type: (region(a.base) <= 0) /\ (region(b.base) <= 0) /\ linked(Malloc_0).
(* Goal *)
@@ -130,17 +140,21 @@ Assume {
(* Pre-condition *)
Have: 0 < n.
(* Pre-condition *)
- Have: valid_rw(Malloc_0, a_2, n).
+ Have: valid_rw(Malloc_0, a_4, n).
(* Pre-condition *)
Have: valid_rw(Malloc_0, a_1, n).
(* Pre-condition *)
- Have: separated(a_2, n, a_1, n).
+ Have: separated(a_4, n, a_1, n).
(* Invariant *)
- Have: P_IsEqual(havoc(Mint_undef_0, Mint_0, a_1, n), a, b, i).
+ Have: P_IsEqual(Mint_0, a, b, 0).
(* Invariant *)
- Have: (0 <= i) /\ (i <= n).
+ Have: (0 < i) /\ (i <= (1 + n)).
+ (* Invariant *)
+ Have: P_IsEqual(a_2, a, b, x).
(* Then *)
- Have: i < n.
+ Have: i <= n.
+ (* Invariant *)
+ Have: P_IsEqual(a_2[a_3 <- a_2[shift_sint32(a, x)]], a, b, i).
}
Prove: included(a_3, 1, a_1, n).
diff --git a/src/plugins/wp/tests/wp_acsl/oracle/postassigns.res.oracle b/src/plugins/wp/tests/wp_acsl/oracle/postassigns.res.oracle
index 8abc928d33f1abe77a4033024acc964ece36ba7c..22136a0a98d21d69bd4b70b9cdba4f82276ec267 100644
--- a/src/plugins/wp/tests/wp_acsl/oracle/postassigns.res.oracle
+++ b/src/plugins/wp/tests/wp_acsl/oracle/postassigns.res.oracle
@@ -147,7 +147,7 @@ Prove: true.
Goal Preservation of Invariant (file tests/wp_acsl/postassigns.c, line 38):
Assume {
Type: is_sint32(N) /\ is_sint32(i) /\ is_sint32(1 + i).
- (* Pre-condition *)
+ (* Invariant *)
Have: 0 <= N.
(* Invariant *)
Have: (i <= N) /\ (0 <= i).
@@ -176,19 +176,20 @@ Prove: true.
Goal Loop assigns (file tests/wp_acsl/postassigns.c, line 39) (3/3):
Effect at line 42
-Let a = shift_sint32(p, i).
+Let x = i - 1.
+Let a = shift_sint32(p, x).
Assume {
- Type: is_sint32(N) /\ is_sint32(i).
+ Type: is_sint32(N) /\ is_sint32(i) /\ is_sint32(x).
(* Heap *)
Type: (region(p.base) <= 0) /\ linked(Malloc_0).
(* Goal *)
When: !invalid(Malloc_0, a, 1).
- (* Pre-condition *)
+ (* Invariant *)
Have: 0 <= N.
(* Invariant *)
- Have: (i <= N) /\ (0 <= i).
+ Have: (0 < i) /\ (i <= (1 + N)).
(* Then *)
- Have: i < N.
+ Have: i <= N.
}
Prove: included(a, 1, shift_sint32(p, 0), N).
diff --git a/src/plugins/wp/tests/wp_acsl/oracle/simpl_is_type.res.oracle b/src/plugins/wp/tests/wp_acsl/oracle/simpl_is_type.res.oracle
index 178e47f5501761f3b9f4e8f5cb9e23eaee7df9cb..ff14db8d7f6b7063fdfc15f4a7c1e9b2b0b61d97 100644
--- a/src/plugins/wp/tests/wp_acsl/oracle/simpl_is_type.res.oracle
+++ b/src/plugins/wp/tests/wp_acsl/oracle/simpl_is_type.res.oracle
@@ -209,18 +209,18 @@ Assume {
(* Goal *)
When: (0 <= i_1) /\ (i_1 < size_0) /\ is_sint32(i_1).
(* Pre-condition *)
+ Have: 0 < size_0.
+ (* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < size_0) ->
(Mint_0[shift_sint32(t, i_2)] < 0))).
- (* Pre-condition *)
- Have: 0 < size_0.
(* Invariant *)
- Have: forall i_2 : Z. ((i <= i_2) -> ((i_2 < size_0) ->
- (a_1[shift_sint32(t, i_2)] < 0))).
+ Have: (0 <= i) /\ (i <= size_0).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
(0 < a_1[shift_sint32(t, i_2)]))).
(* Invariant *)
- Have: (0 <= i) /\ (i <= size_0).
+ Have: forall i_2 : Z. ((i <= i_2) -> ((i_2 < size_0) ->
+ (a_1[shift_sint32(t, i_2)] < 0))).
(* Else *)
Have: size_0 <= i.
}
@@ -235,18 +235,18 @@ Assume {
(* Heap *)
Type: region(t.base) <= 0.
(* Pre-condition *)
+ Have: 0 < size_0.
+ (* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < size_0) ->
(Mint_0[shift_sint32(t, i_1)] < 0))).
- (* Pre-condition *)
- Have: 0 < size_0.
(* Invariant *)
- Have: forall i_1 : Z. ((i <= i_1) -> ((i_1 < size_0) ->
- (a[shift_sint32(t, i_1)] < 0))).
+ Have: (0 <= i) /\ (i <= size_0).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
(0 < a[shift_sint32(t, i_1)]))).
(* Invariant *)
- Have: (0 <= i) /\ (i <= size_0).
+ Have: forall i_1 : Z. ((i <= i_1) -> ((i_1 < size_0) ->
+ (a[shift_sint32(t, i_1)] < 0))).
(* Then *)
Have: i < size_0.
}
@@ -271,20 +271,22 @@ Assume {
(* Goal *)
When: (0 <= i_1) /\ (i_1 <= i) /\ is_sint32(i_1).
(* Pre-condition *)
+ Have: 0 < size_0.
+ (* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < size_0) ->
(Mint_0[shift_sint32(t, i_2)] < 0))).
- (* Pre-condition *)
- Have: 0 < size_0.
(* Invariant *)
- Have: forall i_2 : Z. ((i <= i_2) -> ((i_2 < size_0) ->
- (a[shift_sint32(t, i_2)] < 0))).
+ Have: (0 <= i) /\ (i <= size_0).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
(0 < a[shift_sint32(t, i_2)]))).
(* Invariant *)
- Have: (0 <= i) /\ (i <= size_0).
+ Have: forall i_2 : Z. ((i <= i_2) -> ((i_2 < size_0) ->
+ (a[shift_sint32(t, i_2)] < 0))).
(* Then *)
Have: i < size_0.
+ (* Invariant *)
+ Have: (-1) <= i.
}
Prove: 0 < a[a_1 <- -a_2][shift_sint32(t, i_1)].
@@ -299,6 +301,7 @@ Goal Preservation of Invariant (file tests/wp_acsl/simpl_is_type.i, line 24):
Let a = havoc(Mint_undef_0, Mint_0, shift_sint32(t, 0), size_0).
Let a_1 = shift_sint32(t, i).
Let a_2 = a[a_1].
+Let a_3 = a[a_1 <- -a_2].
Assume {
Type: is_sint32(i) /\ is_sint32(size_0) /\ is_sint32(1 + i) /\
is_sint32(a_2).
@@ -307,22 +310,27 @@ Assume {
(* Goal *)
When: (i_1 < size_0) /\ (i < i_1) /\ is_sint32(i_1).
(* Pre-condition *)
+ Have: 0 < size_0.
+ (* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < size_0) ->
(Mint_0[shift_sint32(t, i_2)] < 0))).
- (* Pre-condition *)
- Have: 0 < size_0.
(* Invariant *)
- Have: forall i_2 : Z. ((i <= i_2) -> ((i_2 < size_0) ->
- (a[shift_sint32(t, i_2)] < 0))).
+ Have: (0 <= i) /\ (i <= size_0).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
(0 < a[shift_sint32(t, i_2)]))).
(* Invariant *)
- Have: (0 <= i) /\ (i <= size_0).
+ Have: forall i_2 : Z. ((i <= i_2) -> ((i_2 < size_0) ->
+ (a[shift_sint32(t, i_2)] < 0))).
(* Then *)
Have: i < size_0.
+ (* Invariant *)
+ Have: (-1) <= i.
+ (* Invariant *)
+ Have: forall i_2 : Z. ((i_2 <= i) -> ((0 <= i_2) ->
+ (0 < a_3[shift_sint32(t, i_2)]))).
}
-Prove: a[a_1 <- -a_2][shift_sint32(t, i_1)] < 0.
+Prove: a_3[shift_sint32(t, i_1)] < 0.
------------------------------------------------------------
@@ -352,28 +360,37 @@ Goal Loop assigns (file tests/wp_acsl/simpl_is_type.i, line 25) (2/2):
Effect at line 28
Let a = shift_sint32(t, 0).
Let a_1 = havoc(Mint_undef_0, Mint_0, a, size_0).
-Let a_2 = shift_sint32(t, i).
+Let x = i - 1.
+Let a_2 = shift_sint32(t, x).
+Let a_3 = a_1[a_2].
+Let a_4 = a_1[a_2 <- -a_3].
Assume {
- Type: is_sint32(i) /\ is_sint32(size_0).
+ Type: is_sint32(i) /\ is_sint32(size_0) /\ is_sint32(x) /\ is_sint32(a_3).
(* Heap *)
Type: (region(t.base) <= 0) /\ linked(Malloc_0).
(* Goal *)
When: !invalid(Malloc_0, a_2, 1).
(* Pre-condition *)
+ Have: 0 < size_0.
+ (* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < size_0) ->
(Mint_0[shift_sint32(t, i_1)] < 0))).
- (* Pre-condition *)
- Have: 0 < size_0.
(* Invariant *)
- Have: forall i_1 : Z. ((i <= i_1) -> ((i_1 < size_0) ->
- (a_1[shift_sint32(t, i_1)] < 0))).
+ Have: (0 < i) /\ (i <= (1 + size_0)).
(* Invariant *)
- Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (0 < a_1[shift_sint32(t, i_1)]))).
+ Have: forall i_1 : Z. ((0 <= i_1) -> (((2 + i_1) <= i) ->
+ (is_sint32(i_1) -> (0 < a_1[shift_sint32(t, i_1)])))).
(* Invariant *)
- Have: (0 <= i) /\ (i <= size_0).
+ Have: forall i_1 : Z. ((i_1 < size_0) -> ((i <= (1 + i_1)) ->
+ (is_sint32(i_1) -> (a_1[shift_sint32(t, i_1)] < 0)))).
(* Then *)
- Have: i < size_0.
+ Have: i <= size_0.
+ (* Invariant *)
+ Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
+ (0 < a_4[shift_sint32(t, i_1)]))).
+ (* Invariant *)
+ Have: forall i_1 : Z. ((i <= i_1) -> ((i_1 < size_0) ->
+ (a_4[shift_sint32(t, i_1)] < 0))).
}
Prove: included(a_2, 1, a, size_0).
@@ -391,10 +408,10 @@ Assume {
(* Pre-condition *)
Have: 0 < size_0.
(* Invariant *)
+ Have: (0 <= i) /\ (i <= size_0).
+ (* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
(Mint_0[shift_sint32(t, i_1)] != x))).
- (* Invariant *)
- Have: (0 <= i) /\ (i <= size_0).
Have: i < size_0.
}
Prove: exists i_1 : Z. (Mint_0[shift_sint32(t, i_1)] = x) /\ (0 <= i_1) /\
@@ -414,10 +431,10 @@ Assume {
(* Pre-condition *)
Have: 0 < size_0.
(* Invariant *)
+ Have: (0 <= i) /\ (i <= size_0).
+ (* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
(Mint_0[shift_sint32(t, i_1)] != x))).
- (* Invariant *)
- Have: (0 <= i) /\ (i <= size_0).
(* Then *)
Have: i < size_0.
(* Else *)
@@ -444,14 +461,16 @@ Assume {
(* Pre-condition *)
Have: 0 < size_0.
(* Invariant *)
+ Have: (0 <= i_1) /\ (i_1 <= size_0).
+ (* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i_1) ->
(Mint_0[shift_sint32(t, i_2)] != x))).
- (* Invariant *)
- Have: (0 <= i_1) /\ (i_1 <= size_0).
(* Then *)
Have: i_1 < size_0.
(* Else *)
Have: x_1 != x.
+ (* Invariant *)
+ Have: (-1) <= i_1.
}
Prove: Mint_0[shift_sint32(t, i)] != x.
diff --git a/src/plugins/wp/tests/wp_acsl/oracle/terminates_variant_option.0.res.oracle b/src/plugins/wp/tests/wp_acsl/oracle/terminates_variant_option.0.res.oracle
index 1d76571f54f0b012c92a2247df2716515527d399..1418f3fcdd8197ba7a5fa96a9bab9b485c9680b1 100644
--- a/src/plugins/wp/tests/wp_acsl/oracle/terminates_variant_option.0.res.oracle
+++ b/src/plugins/wp/tests/wp_acsl/oracle/terminates_variant_option.0.res.oracle
@@ -55,6 +55,8 @@ Assume {
Have: ((0 <= c1_0) -> ((cpt_0 <= c1_0) /\ (0 <= cpt_0))).
(* Else *)
Have: 2 <= cpt_0.
+ (* Invariant *)
+ Have: ((0 <= c1_0) -> (cpt_0 <= (1 + c1_0))).
}
Prove: 0 <= cpt_0.
@@ -130,13 +132,15 @@ Prove: true.
Goal Positivity of Loop variant at loop (file tests/wp_acsl/terminates_variant_option.i, line 19):
Let x = Mint_0[p].
Assume {
- Type: is_sint32(v) /\ is_sint32(x).
+ Type: is_sint32(v) /\ is_sint32(x) /\ is_sint32(v - 1).
(* Heap *)
Type: region(p.base) <= 0.
(* Invariant *)
Have: ((0 <= x) -> ((0 <= v) /\ (v <= x))).
(* Then *)
Have: v != 0.
+ (* Invariant *)
+ Have: ((0 <= x) -> ((0 < v) /\ (v <= (1 + x)))).
}
Prove: 0 <= v.
diff --git a/src/plugins/wp/tests/wp_acsl/oracle/terminates_variant_option.1.res.oracle b/src/plugins/wp/tests/wp_acsl/oracle/terminates_variant_option.1.res.oracle
index 09103afc39da2717b28b4744b2012e293889b894..5625b7ca4446516a76a0f92b1bf660d2b2e02d21 100644
--- a/src/plugins/wp/tests/wp_acsl/oracle/terminates_variant_option.1.res.oracle
+++ b/src/plugins/wp/tests/wp_acsl/oracle/terminates_variant_option.1.res.oracle
@@ -54,6 +54,8 @@ Assume {
Have: ((0 <= c1_0) -> ((cpt_0 <= c1_0) /\ (0 <= cpt_0))).
(* Else *)
Have: 2 <= cpt_0.
+ (* Invariant *)
+ Have: ((0 <= c1_0) -> (cpt_0 <= (1 + c1_0))).
}
Prove: 0 <= cpt_0.
diff --git a/src/plugins/wp/tests/wp_acsl/oracle_qualif/assigned_initialized_memtyped.res.oracle b/src/plugins/wp/tests/wp_acsl/oracle_qualif/assigned_initialized_memtyped.res.oracle
index db28901d4032a8c3cce0c255267c3c9c147c1a84..3a3c7b36d62b7a0852a23b62c1736adbbd3feab9 100644
--- a/src/plugins/wp/tests/wp_acsl/oracle_qualif/assigned_initialized_memtyped.res.oracle
+++ b/src/plugins/wp/tests/wp_acsl/oracle_qualif/assigned_initialized_memtyped.res.oracle
@@ -33,7 +33,7 @@
[wp] [Alt-Ergo] Goal typed_comp_check_FAILS : Unsuccess
[wp] [Qed] Goal typed_comp_loop_assigns_part1 : Valid
[wp] [Qed] Goal typed_comp_loop_assigns_part2 : Valid
-[wp] [Alt-Ergo] Goal typed_comp_loop_assigns_part3 : Valid
+[wp] [Qed] Goal typed_comp_loop_assigns_part3 : Valid
[wp] [Alt-Ergo] Goal typed_assigned_glob_check_FAILS : Unsuccess
[wp] [Alt-Ergo] Goal typed_assigned_glob_loop_invariant_CHECK_preserved : Valid
[wp] [Qed] Goal typed_assigned_glob_loop_invariant_CHECK_established : Valid
@@ -44,10 +44,10 @@
[wp] [Qed] Goal typed_assigned_glob_loop_assigns_part3 : Valid
[wp] [Qed] Goal typed_assigned_glob_loop_assigns_2_part1 : Valid
[wp] [Qed] Goal typed_assigned_glob_loop_assigns_2_part2 : Valid
-[wp] [Alt-Ergo] Goal typed_assigned_glob_loop_assigns_2_part3 : Valid
+[wp] [Qed] Goal typed_assigned_glob_loop_assigns_2_part3 : Valid
[wp] Proved goals: 33 / 42
- Qed: 27
- Alt-Ergo: 6 (unsuccess: 9)
+ Qed: 29
+ Alt-Ergo: 4 (unsuccess: 9)
------------------------------------------------------------
Functions WP Alt-Ergo Total Success
initialize 4 2 6 100%
@@ -56,6 +56,6 @@
array 3 - 4 75.0%
index 3 - 4 75.0%
descr 4 1 6 83.3%
- comp 2 1 4 75.0%
- assigned_glob 6 2 11 72.7%
+ comp 3 - 4 75.0%
+ assigned_glob 7 1 11 72.7%
------------------------------------------------------------
diff --git a/src/plugins/wp/tests/wp_bts/oracle/bts_1462.res.oracle b/src/plugins/wp/tests/wp_bts/oracle/bts_1462.res.oracle
index aa5c4e320017bf051c70668612f5c91e0cea0fe1..48496dc5697b4e27f98576cc40680ad056f49b6c 100644
--- a/src/plugins/wp/tests/wp_bts/oracle/bts_1462.res.oracle
+++ b/src/plugins/wp/tests/wp_bts/oracle/bts_1462.res.oracle
@@ -45,10 +45,10 @@ Assume {
(* Assertion 'for_value' *)
Have: (c = 1) \/ (c <= 0) \/ (2 <= c).
Have: c != 2.
- (* Invariant 'C' *)
- Have: ((c = 0) -> ((i = 0) -> (x = 0))).
(* Invariant 'A_KO' *)
Have: ((i != 0) -> (y_1 = 0)).
+ (* Invariant 'C' *)
+ Have: ((c = 0) -> ((i = 0) -> (x = 0))).
(* Then *)
Have: i <= 9.
If c = 1
diff --git a/src/plugins/wp/tests/wp_bts/oracle/issue_751.res.oracle b/src/plugins/wp/tests/wp_bts/oracle/issue_751.res.oracle
index 14535c7cf0c072d0d5733260c788e4cb80ebb297..79f9827f49f3dc948c36db84ef95aabee8201804 100644
--- a/src/plugins/wp/tests/wp_bts/oracle/issue_751.res.oracle
+++ b/src/plugins/wp/tests/wp_bts/oracle/issue_751.res.oracle
@@ -36,21 +36,22 @@ Prove: true.
Goal Loop assigns (file tests/wp_bts/issue_751.i, line 8) (2/2):
Effect at line 11
Let x = land(3840, R).
-Let x_1 = x / 256.
+Let x_1 = lsr(x, 8).
+Let x_2 = j - 1.
Assume {
- Type: is_sint32(R) /\ is_sint32(j) /\ is_sint32(lsr(x, 8)).
+ Type: is_sint32(R) /\ is_sint32(j) /\ is_sint32(x_2) /\ is_sint32(x_1).
(* Heap *)
Type: (region(Data_0.base) <= 0) /\ linked(Malloc_0).
(* Goal *)
- When: !invalid(Malloc_0, shift_sint32(Data_0, j), 1).
+ When: !invalid(Malloc_0, shift_sint32(Data_0, x_2), 1).
(* Pre-condition *)
Have: (0 < x) /\ (x <= 2303).
(* Invariant 'RANGE' *)
- Have: (0 <= j) /\ (j <= x_1).
+ Have: (0 < j) /\ (j <= (1 + x_1)).
(* Then *)
- Have: j < x_1.
+ Have: j <= (x / 256).
}
-Prove: j <= 7.
+Prove: j <= 8.
------------------------------------------------------------
------------------------------------------------------------
diff --git a/src/plugins/wp/tests/wp_bts/oracle/issue_801.res.oracle b/src/plugins/wp/tests/wp_bts/oracle/issue_801.res.oracle
index 0021dc1ad13f35291453f98e675313a297afc67c..4c29b8c3fe1446b6cd46f6cd39cf694bac3c61a6 100644
--- a/src/plugins/wp/tests/wp_bts/oracle/issue_801.res.oracle
+++ b/src/plugins/wp/tests/wp_bts/oracle/issue_801.res.oracle
@@ -33,7 +33,6 @@ Prove: true.
------------------------------------------------------------
Goal Positivity of Loop variant at loop (file tests/wp_bts/issue_801.i, line 14):
-Assume { Type: is_sint32(s). (* Then *) Have: s <= 9. }
-Prove: s <= 10.
+Prove: true.
------------------------------------------------------------
diff --git a/src/plugins/wp/tests/wp_bts/oracle_qualif/issue_801.res.oracle b/src/plugins/wp/tests/wp_bts/oracle_qualif/issue_801.res.oracle
index 455278246bd518ab7843f951f86963da8d6c9ae1..7e3f976defe0c7ff66d631e42588c4fd7d6c1be7 100644
--- a/src/plugins/wp/tests/wp_bts/oracle_qualif/issue_801.res.oracle
+++ b/src/plugins/wp/tests/wp_bts/oracle_qualif/issue_801.res.oracle
@@ -8,11 +8,11 @@
[wp] [Qed] Goal typed_LoopCurrent_loop_invariant_A_established : Valid
[wp] [Qed] Goal typed_LoopCurrent_loop_assigns : Valid
[wp] [Qed] Goal typed_LoopCurrent_loop_variant_decrease : Valid
-[wp] [Alt-Ergo] Goal typed_LoopCurrent_loop_variant_positive : Valid
+[wp] [Qed] Goal typed_LoopCurrent_loop_variant_positive : Valid
[wp] Proved goals: 5 / 6
- Qed: 4
- Alt-Ergo: 1 (unsuccess: 1)
+ Qed: 5
+ Alt-Ergo: 0 (unsuccess: 1)
------------------------------------------------------------
Functions WP Alt-Ergo Total Success
- LoopCurrent 4 1 6 83.3%
+ LoopCurrent 5 - 6 83.3%
------------------------------------------------------------
diff --git a/src/plugins/wp/tests/wp_gallery/oracle_qualif/frama_c_exo2_solved.res.oracle b/src/plugins/wp/tests/wp_gallery/oracle_qualif/frama_c_exo2_solved.res.oracle
index 1780ec5c89a9b45027afa30b5a132043047e4271..879b80915f96682876824638ae66f50de1d06e7e 100644
--- a/src/plugins/wp/tests/wp_gallery/oracle_qualif/frama_c_exo2_solved.res.oracle
+++ b/src/plugins/wp/tests/wp_gallery/oracle_qualif/frama_c_exo2_solved.res.oracle
@@ -15,10 +15,10 @@
[wp] [Qed] Goal typed_max_subarray_loop_invariant_4_established : Valid
[wp] [Alt-Ergo] Goal typed_max_subarray_loop_invariant_5_preserved : Valid
[wp] [Alt-Ergo] Goal typed_max_subarray_loop_invariant_5_established : Valid
-[wp] [Alt-Ergo] Goal typed_max_subarray_loop_invariant_6_preserved : Valid
-[wp] [Alt-Ergo] Goal typed_max_subarray_loop_invariant_6_established : Valid
+[wp] [Qed] Goal typed_max_subarray_loop_invariant_6_preserved : Valid
+[wp] [Qed] Goal typed_max_subarray_loop_invariant_6_established : Valid
[wp] [Alt-Ergo] Goal typed_max_subarray_loop_invariant_7_preserved : Valid
-[wp] [Alt-Ergo] Goal typed_max_subarray_loop_invariant_7_established : Valid
+[wp] [Qed] Goal typed_max_subarray_loop_invariant_7_established : Valid
[wp] [Alt-Ergo] Goal typed_max_subarray_loop_invariant_8_preserved : Valid
[wp] [Alt-Ergo] Goal typed_max_subarray_loop_invariant_8_established : Valid
[wp] [Qed] Goal typed_max_subarray_loop_assigns : Valid
@@ -26,11 +26,11 @@
[wp] [Qed] Goal typed_max_subarray_loop_variant_decrease : Valid
[wp] [Qed] Goal typed_max_subarray_loop_variant_positive : Valid
[wp] Proved goals: 22 / 22
- Qed: 9
- Alt-Ergo: 13
+ Qed: 12
+ Alt-Ergo: 10
------------------------------------------------------------
Functions WP Alt-Ergo Total Success
- max_subarray 9 13 22 100%
+ max_subarray 12 10 22 100%
------------------------------------------------------------
[wp] Running WP plugin...
[rte] annotating function max_subarray
@@ -41,5 +41,5 @@
Alt-Ergo: 1
------------------------------------------------------------
Functions WP Alt-Ergo Total Success
- max_subarray 9 14 23 100%
+ max_subarray 12 11 23 100%
------------------------------------------------------------
diff --git a/src/plugins/wp/tests/wp_gallery/oracle_qualif/frama_c_exo3_solved.old.res.oracle b/src/plugins/wp/tests/wp_gallery/oracle_qualif/frama_c_exo3_solved.old.res.oracle
index 174cfa7521504fd213dc75ca4404ea89dddb4faa..b2a42b7d1cd35ff736ed1a09c2d58a256a6c89ee 100644
--- a/src/plugins/wp/tests/wp_gallery/oracle_qualif/frama_c_exo3_solved.old.res.oracle
+++ b/src/plugins/wp/tests/wp_gallery/oracle_qualif/frama_c_exo3_solved.old.res.oracle
@@ -18,7 +18,7 @@
[wp] [Qed] Goal typed_ref_equal_elements_loop_invariant_5_established : Valid
[wp] [Alt-Ergo] Goal typed_ref_equal_elements_loop_invariant_6_preserved : Valid
[wp] [Qed] Goal typed_ref_equal_elements_loop_invariant_6_established : Valid
-[wp] [Alt-Ergo] Goal typed_ref_equal_elements_loop_invariant_7_preserved : Valid
+[wp] [Qed] Goal typed_ref_equal_elements_loop_invariant_7_preserved : Valid
[wp] [Qed] Goal typed_ref_equal_elements_loop_invariant_7_established : Valid
[wp] [Alt-Ergo] Goal typed_ref_equal_elements_loop_invariant_8_preserved : Valid
[wp] [Alt-Ergo] Goal typed_ref_equal_elements_loop_invariant_8_established : Valid
@@ -38,11 +38,11 @@
[wp] [Qed] Goal typed_ref_equal_elements_loop_variant_2_decrease : Valid
[wp] [Qed] Goal typed_ref_equal_elements_loop_variant_2_positive : Valid
[wp] Proved goals: 34 / 34
- Qed: 18
- Alt-Ergo: 16
+ Qed: 19
+ Alt-Ergo: 15
------------------------------------------------------------
Functions WP Alt-Ergo Total Success
- equal_elements 18 16 34 100%
+ equal_elements 19 15 34 100%
------------------------------------------------------------
[wp] tests/wp_gallery/frama_c_exo3_solved.old.c:73: Warning:
Memory model hypotheses for function 'equal_elements':
@@ -77,5 +77,5 @@
Alt-Ergo: 5
------------------------------------------------------------
Functions WP Alt-Ergo Total Success
- equal_elements 29 21 50 100%
+ equal_elements 30 20 50 100%
------------------------------------------------------------
diff --git a/src/plugins/wp/tests/wp_gallery/oracle_qualif/frama_c_exo3_solved.old.v2.res.oracle b/src/plugins/wp/tests/wp_gallery/oracle_qualif/frama_c_exo3_solved.old.v2.res.oracle
index cfbc31146758fcdad382bd59ca15be2c53d18327..4a5d3b149207981d5161ab0d99a0760e0e79a0bb 100644
--- a/src/plugins/wp/tests/wp_gallery/oracle_qualif/frama_c_exo3_solved.old.v2.res.oracle
+++ b/src/plugins/wp/tests/wp_gallery/oracle_qualif/frama_c_exo3_solved.old.v2.res.oracle
@@ -23,7 +23,7 @@
[wp] [Qed] Goal typed_ref_equal_elements_loop_invariant_v1_sound1_established : Valid
[wp] [Alt-Ergo] Goal typed_ref_equal_elements_loop_invariant_v1_sound2_preserved : Valid
[wp] [Alt-Ergo] Goal typed_ref_equal_elements_loop_invariant_v1_sound2_established : Valid
-[wp] [Alt-Ergo] Goal typed_ref_equal_elements_loop_invariant_v1_v2_diff_preserved : Valid
+[wp] [Qed] Goal typed_ref_equal_elements_loop_invariant_v1_v2_diff_preserved : Valid
[wp] [Qed] Goal typed_ref_equal_elements_loop_invariant_v1_v2_diff_established : Valid
[wp] [Alt-Ergo] Goal typed_ref_equal_elements_loop_invariant_v2_sound1_preserved : Valid
[wp] [Qed] Goal typed_ref_equal_elements_loop_invariant_v2_sound1_established : Valid
@@ -39,11 +39,11 @@
[wp] [Qed] Goal typed_ref_equal_elements_loop_variant_2_decrease : Valid
[wp] [Qed] Goal typed_ref_equal_elements_loop_variant_2_positive : Valid
[wp] Proved goals: 35 / 35
- Qed: 17
- Alt-Ergo: 18
+ Qed: 18
+ Alt-Ergo: 17
------------------------------------------------------------
Functions WP Alt-Ergo Total Success
- equal_elements 17 18 35 100%
+ equal_elements 18 17 35 100%
------------------------------------------------------------
[wp] tests/wp_gallery/frama_c_exo3_solved.old.v2.c:56: Warning:
Memory model hypotheses for function 'equal_elements':
@@ -78,5 +78,5 @@
Alt-Ergo: 5
------------------------------------------------------------
Functions WP Alt-Ergo Total Success
- equal_elements 28 23 51 100%
+ equal_elements 29 22 51 100%
------------------------------------------------------------
diff --git a/src/plugins/wp/tests/wp_plugin/oracle/combined.res.oracle b/src/plugins/wp/tests/wp_plugin/oracle/combined.res.oracle
index 232d0259c30a3aec71ca0610cdc0af2b68750042..5fcfd8e1850e59b359e32f7ae2784bf0c86cb183 100644
--- a/src/plugins/wp/tests/wp_plugin/oracle/combined.res.oracle
+++ b/src/plugins/wp/tests/wp_plugin/oracle/combined.res.oracle
@@ -20,11 +20,11 @@ Assume {
(* Assertion *)
Have: (50 <= A) /\ (A <= 100).
(* Invariant *)
+ Have: (0 <= i) /\ (i <= 50).
+ (* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
P_P(havoc(Mint_undef_0, Mint_0, shift_sint32(t, 0), 50)
[shift_sint32(t, i_1)]))).
- (* Invariant *)
- Have: (0 <= i) /\ (i <= 50).
(* Then *)
Have: i <= 49.
(* Call 'f' *)
@@ -50,14 +50,16 @@ Assume {
(* Assertion *)
Have: (50 <= A) /\ (A <= 100).
(* Invariant *)
+ Have: (0 <= i) /\ (i <= 50).
+ (* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
P_P(a[shift_sint32(t, i_2)]))).
- (* Invariant *)
- Have: (0 <= i) /\ (i <= 50).
(* Then *)
Have: i <= 49.
(* Call 'f' *)
Have: P_P(v).
+ (* Invariant *)
+ Have: (-1) <= i.
}
Prove: P_P(a[shift_sint32(t, i) <- v][shift_sint32(t, i_1)]).
@@ -77,11 +79,11 @@ Assume {
(* Assertion *)
Have: (50 <= A) /\ (A <= 100).
(* Invariant *)
+ Have: (0 <= i) /\ (i <= 50).
+ (* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
P_P(havoc(Mint_undef_0, Mint_0, shift_sint32(t, 0), 50)
[shift_sint32(t, i_1)]))).
- (* Invariant *)
- Have: (0 <= i) /\ (i <= 50).
(* Else *)
Have: 50 <= i.
(* Invariant *)
@@ -109,10 +111,10 @@ Assume {
(* Assertion *)
Have: (50 <= A) /\ (A <= 100).
(* Invariant *)
+ Have: (0 <= i_1) /\ (i_1 <= 50).
+ (* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i_1) ->
P_P(a[shift_sint32(t, i_2)]))).
- (* Invariant *)
- Have: (0 <= i_1) /\ (i_1 <= 50).
(* Else *)
Have: 50 <= i_1.
(* Invariant *)
@@ -155,9 +157,10 @@ Prove: true.
Goal Loop assigns (file tests/wp_plugin/combined.c, line 36) (3/3):
Call Result at line 38
-Let a = shift_sint32(t, j).
+Let x = j - 1.
+Let a = shift_sint32(t, x).
Assume {
- Type: is_sint32(A) /\ is_sint32(i) /\ is_sint32(j).
+ Type: is_sint32(A) /\ is_sint32(i) /\ is_sint32(j) /\ is_sint32(x).
(* Heap *)
Type: (region(t.base) <= 0) /\ linked(Malloc_0).
(* Goal *)
@@ -165,17 +168,17 @@ Assume {
(* Assertion *)
Have: (50 <= A) /\ (A <= 100).
(* Invariant *)
+ Have: (0 <= i) /\ (i <= 50).
+ (* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
P_P(havoc(Mint_undef_0, Mint_0, shift_sint32(t, 0), 50)
[shift_sint32(t, i_1)]))).
- (* Invariant *)
- Have: (0 <= i) /\ (i <= 50).
(* Else *)
Have: 50 <= i.
(* Invariant *)
- Have: (A <= j) /\ (j <= 100).
+ Have: (A < j) /\ (j <= 101).
(* Then *)
- Have: j <= 99.
+ Have: j <= 100.
}
Prove: included(a, 1, shift_sint32(t, A), 100 - A).
diff --git a/src/plugins/wp/tests/wp_plugin/oracle/copy.res.oracle b/src/plugins/wp/tests/wp_plugin/oracle/copy.res.oracle
index 0198e43bea60c3a8a1a53b753ea78da52ce375da..f72087e75317557233ac0e847631bf9a6c751344 100644
--- a/src/plugins/wp/tests/wp_plugin/oracle/copy.res.oracle
+++ b/src/plugins/wp/tests/wp_plugin/oracle/copy.res.oracle
@@ -17,14 +17,14 @@ Assume {
(* Goal *)
When: (0 <= i_1) /\ (i_1 < n).
(* Pre-condition *)
- Have: 0 <= n.
- (* Pre-condition *)
Have: separated(a_1, n, shift_sint32(b, 0), n).
+ (* Invariant 'Range' *)
+ Have: 0 <= n.
+ (* Invariant 'Range' *)
+ Have: (0 <= i) /\ (i <= n).
(* Invariant 'Copy' *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
(a_2[shift_sint32(b, i_2)] = a_2[shift_sint32(a, i_2)]))).
- (* Invariant 'Range' *)
- Have: (0 <= i) /\ (i <= n).
(* Else *)
Have: n <= i.
}
@@ -43,14 +43,14 @@ Assume {
(* Goal *)
When: (0 <= i_1) /\ (i_1 <= i).
(* Pre-condition *)
- Have: 0 <= n.
- (* Pre-condition *)
Have: separated(a_1, n, shift_sint32(b, 0), n).
+ (* Invariant 'Range' *)
+ Have: 0 <= n.
+ (* Invariant 'Range' *)
+ Have: (0 <= i) /\ (i <= n).
(* Invariant 'Copy' *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
(a_2[shift_sint32(b, i_2)] = a_2[shift_sint32(a, i_2)]))).
- (* Invariant 'Range' *)
- Have: (0 <= i) /\ (i <= n).
(* Then *)
Have: i < n.
(* Assertion 'A' *)
@@ -59,6 +59,8 @@ Assume {
(* Assertion 'B' *)
Have: forall i_2 : Z. let a_4 = shift_sint32(b, i_2) in ((0 <= i_2) ->
((i_2 < i) -> (a_3[a_4] = a_2[a_4]))).
+ (* Invariant 'Range' *)
+ Have: (-1) <= i.
}
Prove: a_3[shift_sint32(b, i_1)] = a_3[shift_sint32(a, i_1)].
@@ -78,14 +80,14 @@ Assume {
(* Heap *)
Type: (region(a.base) <= 0) /\ (region(b.base) <= 0).
(* Pre-condition *)
- Have: 0 <= n.
- (* Pre-condition *)
Have: separated(a_1, n, shift_sint32(b, 0), n).
+ (* Invariant 'Range' *)
+ Have: 0 <= n.
+ (* Invariant 'Range' *)
+ Have: (0 <= i) /\ (i <= n).
(* Invariant 'Copy' *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
(a_2[shift_sint32(b, i_1)] = a_2[shift_sint32(a, i_1)]))).
- (* Invariant 'Range' *)
- Have: (0 <= i) /\ (i <= n).
(* Then *)
Have: i < n.
(* Assertion 'A' *)
@@ -115,14 +117,14 @@ Assume {
(* Goal *)
When: (0 <= i_1) /\ (i_1 < i).
(* Pre-condition *)
- Have: 0 <= n.
- (* Pre-condition *)
Have: separated(a_1, n, shift_sint32(b, 0), n).
+ (* Invariant 'Range' *)
+ Have: 0 <= n.
+ (* Invariant 'Range' *)
+ Have: (0 <= i) /\ (i <= n).
(* Invariant 'Copy' *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
(a_2[shift_sint32(b, i_2)] = a_2[shift_sint32(a, i_2)]))).
- (* Invariant 'Range' *)
- Have: (0 <= i) /\ (i <= n).
(* Then *)
Have: i < n.
}
@@ -142,14 +144,14 @@ Assume {
(* Goal *)
When: (0 <= i_1) /\ (i_1 < i).
(* Pre-condition *)
- Have: 0 <= n.
- (* Pre-condition *)
Have: separated(a_1, n, shift_sint32(b, 0), n).
+ (* Invariant 'Range' *)
+ Have: 0 <= n.
+ (* Invariant 'Range' *)
+ Have: (0 <= i) /\ (i <= n).
(* Invariant 'Copy' *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
(a_2[shift_sint32(b, i_2)] = a_2[shift_sint32(a, i_2)]))).
- (* Invariant 'Range' *)
- Have: (0 <= i) /\ (i <= n).
(* Then *)
Have: i < n.
(* Assertion 'A' *)
@@ -175,31 +177,35 @@ Goal Loop assigns (file tests/wp_plugin/copy.i, line 12) (3/3):
Effect at line 16
Let a_1 = shift_sint32(a, 0).
Let a_2 = havoc(Mint_undef_0, Mint_0, a_1, n).
-Let a_3 = shift_sint32(a, i).
-Let a_4 = a_2[a_3 <- a_2[shift_sint32(b, i)]].
+Let x = i - 1.
+Let a_3 = shift_sint32(a, x).
+Let a_4 = a_2[a_3 <- a_2[shift_sint32(b, x)]].
Assume {
- Type: is_sint32(i) /\ is_sint32(n).
+ Type: is_sint32(i) /\ is_sint32(n) /\ is_sint32(x).
(* Heap *)
Type: (region(a.base) <= 0) /\ (region(b.base) <= 0) /\ linked(Malloc_0).
(* Goal *)
When: !invalid(Malloc_0, a_3, 1).
(* Pre-condition *)
- Have: 0 <= n.
- (* Pre-condition *)
Have: separated(a_1, n, shift_sint32(b, 0), n).
+ (* Invariant 'Range' *)
+ Have: 0 <= n.
+ (* Invariant 'Range' *)
+ Have: (0 < i) /\ (i <= (1 + n)).
(* Invariant 'Copy' *)
- Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
+ Have: forall i_1 : Z. ((0 <= i_1) -> (((2 + i_1) <= i) ->
(a_2[shift_sint32(b, i_1)] = a_2[shift_sint32(a, i_1)]))).
- (* Invariant 'Range' *)
- Have: (0 <= i) /\ (i <= n).
(* Then *)
- Have: i < n.
+ Have: i <= n.
(* Assertion 'A' *)
Have: forall i_1 : Z. let a_5 = shift_sint32(a, i_1) in ((0 <= i_1) ->
- ((i_1 < i) -> (a_4[a_5] = a_2[a_5]))).
+ (((2 + i_1) <= i) -> (a_4[a_5] = a_2[a_5]))).
(* Assertion 'B' *)
Have: forall i_1 : Z. let a_5 = shift_sint32(b, i_1) in ((0 <= i_1) ->
- ((i_1 < i) -> (a_4[a_5] = a_2[a_5]))).
+ (((2 + i_1) <= i) -> (a_4[a_5] = a_2[a_5]))).
+ (* Invariant 'Copy' *)
+ Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
+ (a_4[shift_sint32(b, i_1)] = a_4[shift_sint32(a, i_1)]))).
}
Prove: included(a_3, 1, a_1, n).
diff --git a/src/plugins/wp/tests/wp_plugin/oracle/doomed_axioms.res.oracle b/src/plugins/wp/tests/wp_plugin/oracle/doomed_axioms.res.oracle
index da669bd36ebf0b30082de682bb0d52b17a6faec3..fed4301277c6759030f49714996ddff47765ad18 100644
--- a/src/plugins/wp/tests/wp_plugin/oracle/doomed_axioms.res.oracle
+++ b/src/plugins/wp/tests/wp_plugin/oracle/doomed_axioms.res.oracle
@@ -9,12 +9,18 @@
Goal Wp_smoke_dead_loop in 'foo' at loop (file tests/wp_plugin/doomed_axioms.i, line 29):
Assume {
Type: is_sint32(n).
- (* Invariant 'C' *)
- Have: P_R(n).
+ (* Invariant 'A' *)
+ Have: P_P(0).
(* Invariant 'B' *)
- Have: P_Q(n).
+ Have: P_Q(0).
+ (* Invariant 'C' *)
+ Have: P_R(0).
(* Invariant 'A' *)
Have: P_P(n).
+ (* Invariant 'B' *)
+ Have: P_Q(n).
+ (* Invariant 'C' *)
+ Have: P_R(n).
}
Prove: false.
@@ -23,12 +29,18 @@ Prove: false.
Goal Wp_smoke_dead_code in 'foo' at instruction (file tests/wp_plugin/doomed_axioms.i, line 30):
Assume {
Type: is_sint32(n) /\ is_sint32(x).
- (* Invariant 'C' *)
- Have: P_R(n).
+ (* Invariant 'A' *)
+ Have: P_P(0).
(* Invariant 'B' *)
- Have: P_Q(n).
+ Have: P_Q(0).
+ (* Invariant 'C' *)
+ Have: P_R(0).
(* Invariant 'A' *)
Have: P_P(n).
+ (* Invariant 'B' *)
+ Have: P_Q(n).
+ (* Invariant 'C' *)
+ Have: P_R(n).
(* Then *)
Have: 0 < x.
}
@@ -39,12 +51,18 @@ Prove: false.
Goal Wp_smoke_dead_code in 'foo' at return (file tests/wp_plugin/doomed_axioms.i, line 32):
Assume {
Type: is_sint32(n) /\ is_sint32(x).
- (* Invariant 'C' *)
- Have: P_R(n).
+ (* Invariant 'A' *)
+ Have: P_P(0).
(* Invariant 'B' *)
- Have: P_Q(n).
+ Have: P_Q(0).
+ (* Invariant 'C' *)
+ Have: P_R(0).
(* Invariant 'A' *)
Have: P_P(n).
+ (* Invariant 'B' *)
+ Have: P_Q(n).
+ (* Invariant 'C' *)
+ Have: P_R(n).
(* Else *)
Have: x <= 0.
}
@@ -56,12 +74,18 @@ Goal Preservation of Invariant 'A' (file tests/wp_plugin/doomed_axioms.i, line 2
Let x_1 = 1 + n.
Assume {
Type: is_sint32(n) /\ is_sint32(x) /\ is_sint32(x_1).
- (* Invariant 'C' *)
- Have: P_R(n).
+ (* Invariant 'A' *)
+ Have: P_P(0).
(* Invariant 'B' *)
- Have: P_Q(n).
+ Have: P_Q(0).
+ (* Invariant 'C' *)
+ Have: P_R(0).
(* Invariant 'A' *)
Have: P_P(n).
+ (* Invariant 'B' *)
+ Have: P_Q(n).
+ (* Invariant 'C' *)
+ Have: P_R(n).
(* Then *)
Have: 0 < x.
}
@@ -78,20 +102,29 @@ Goal Preservation of Invariant 'B' (file tests/wp_plugin/doomed_axioms.i, line 2
Let x_1 = 1 + n.
Assume {
Type: is_sint32(n) /\ is_sint32(x) /\ is_sint32(x_1).
- (* Invariant 'C' *)
- Have: P_R(n).
+ (* Invariant 'A' *)
+ Have: P_P(0).
(* Invariant 'B' *)
- Have: P_Q(n).
+ Have: P_Q(0).
+ (* Invariant 'C' *)
+ Have: P_R(0).
(* Invariant 'A' *)
Have: P_P(n).
+ (* Invariant 'B' *)
+ Have: P_Q(n).
+ (* Invariant 'C' *)
+ Have: P_R(n).
(* Then *)
Have: 0 < x.
+ (* Invariant 'A' *)
+ Have: P_P(x_1).
}
Prove: P_Q(x_1).
------------------------------------------------------------
Goal Establishment of Invariant 'B' (file tests/wp_plugin/doomed_axioms.i, line 25):
+Assume { (* Invariant 'A' *) Have: P_P(0). }
Prove: P_Q(0).
------------------------------------------------------------
@@ -100,20 +133,32 @@ Goal Preservation of Invariant 'C' (file tests/wp_plugin/doomed_axioms.i, line 2
Let x_1 = 1 + n.
Assume {
Type: is_sint32(n) /\ is_sint32(x) /\ is_sint32(x_1).
- (* Invariant 'C' *)
- Have: P_R(n).
+ (* Invariant 'A' *)
+ Have: P_P(0).
(* Invariant 'B' *)
- Have: P_Q(n).
+ Have: P_Q(0).
+ (* Invariant 'C' *)
+ Have: P_R(0).
(* Invariant 'A' *)
Have: P_P(n).
+ (* Invariant 'B' *)
+ Have: P_Q(n).
+ (* Invariant 'C' *)
+ Have: P_R(n).
(* Then *)
Have: 0 < x.
+ (* Invariant 'A' *)
+ Have: P_P(x_1).
+ (* Invariant 'B' *)
+ Have: P_Q(x_1).
}
Prove: P_R(x_1).
------------------------------------------------------------
Goal Establishment of Invariant 'C' (file tests/wp_plugin/doomed_axioms.i, line 26):
+Assume { (* Invariant 'A' *) Have: P_P(0). (* Invariant 'B' *) Have: P_Q(0).
+}
Prove: P_R(0).
------------------------------------------------------------
diff --git a/src/plugins/wp/tests/wp_plugin/oracle/doomed_loop.res.oracle b/src/plugins/wp/tests/wp_plugin/oracle/doomed_loop.res.oracle
index 97103136af1d61d0f9dc62a842e18b5184bc026c..d942b94bb256c930f5dc7f08ca65ec2dabc645bb 100644
--- a/src/plugins/wp/tests/wp_plugin/oracle/doomed_loop.res.oracle
+++ b/src/plugins/wp/tests/wp_plugin/oracle/doomed_loop.res.oracle
@@ -37,7 +37,8 @@ Prove: true.
------------------------------------------------------------
Goal Establishment of Invariant 'B' (file tests/wp_plugin/doomed_loop.i, line 19):
-Prove: !P_P(0).
+Assume { (* Invariant 'A' *) Have: P_P(0). }
+Prove: false.
------------------------------------------------------------
diff --git a/src/plugins/wp/tests/wp_plugin/oracle/loop.res.oracle b/src/plugins/wp/tests/wp_plugin/oracle/loop.res.oracle
index 3c8dd80d4597e2df725575fe65b6684863573335..f7e116db708a6361c596652f4a5ddc21b475d91a 100644
--- a/src/plugins/wp/tests/wp_plugin/oracle/loop.res.oracle
+++ b/src/plugins/wp/tests/wp_plugin/oracle/loop.res.oracle
@@ -10,6 +10,7 @@ Goal Post-condition 'qed_ok' in 'init':
Let a_1 = shift_sint32(t, a).
Let x = -a.
Let a_2 = havoc(Mint_undef_0, Mint_0, a_1, i - a).
+Let x_1 = 1 + b.
Assume {
Type: is_sint32(a) /\ is_sint32(b) /\ is_sint32(i).
(* Heap *)
@@ -21,10 +22,12 @@ Assume {
(* Pre-condition *)
Have: a <= b.
(* Invariant 'qed_ok' *)
+ Have: a <= x_1.
+ (* Invariant 'qed_ok' *)
+ Have: (a <= i) /\ (i <= x_1).
+ (* Invariant 'qed_ok' *)
Have: forall i_2 : Z. ((a <= i_2) -> ((i_2 < i) ->
(a_2[shift_sint32(t, i_2)] = e))).
- (* Invariant 'qed_ok' *)
- Have: (a <= i) /\ (i <= (1 + b)).
(* Else *)
Have: b < i.
}
@@ -35,9 +38,10 @@ Prove: a_2[shift_sint32(t, i_1)] = e.
Goal Preservation of Invariant 'qed_ok' (file tests/wp_plugin/loop.i, line 12):
Let a_1 = shift_sint32(t, a).
Let x = -a.
-Let x_1 = 1 + i.
+Let x_1 = 1 + b.
+Let x_2 = 1 + i.
Assume {
- Type: is_sint32(a) /\ is_sint32(b) /\ is_sint32(i) /\ is_sint32(x_1).
+ Type: is_sint32(a) /\ is_sint32(b) /\ is_sint32(i) /\ is_sint32(x_2).
(* Heap *)
Type: (region(t.base) <= 0) /\ linked(Malloc_0).
(* Pre-condition *)
@@ -45,14 +49,16 @@ Assume {
(* Pre-condition *)
Have: a <= b.
(* Invariant 'qed_ok' *)
+ Have: a <= x_1.
+ (* Invariant 'qed_ok' *)
+ Have: (a <= i) /\ (i <= x_1).
+ (* Invariant 'qed_ok' *)
Have: forall i_1 : Z. ((a <= i_1) -> ((i_1 < i) ->
(havoc(Mint_undef_0, Mint_0, a_1, i - a)[shift_sint32(t, i_1)] = e))).
- (* Invariant 'qed_ok' *)
- Have: (a <= i) /\ (i <= (1 + b)).
(* Then *)
Have: i <= b.
}
-Prove: a <= x_1.
+Prove: a <= x_2.
------------------------------------------------------------
@@ -71,11 +77,13 @@ Prove: a <= (1 + b).
------------------------------------------------------------
Goal Preservation of Invariant 'qed_ok' (file tests/wp_plugin/loop.i, line 13):
+Let x = 1 + i.
Let a_1 = shift_sint32(t, a).
-Let x = -a.
+Let x_1 = -a.
Let a_2 = havoc(Mint_undef_0, Mint_0, a_1, i - a).
+Let x_2 = 1 + b.
Assume {
- Type: is_sint32(a) /\ is_sint32(b) /\ is_sint32(i) /\ is_sint32(1 + i).
+ Type: is_sint32(a) /\ is_sint32(b) /\ is_sint32(i) /\ is_sint32(x).
(* Heap *)
Type: (region(t.base) <= 0) /\ linked(Malloc_0).
(* Goal *)
@@ -85,12 +93,16 @@ Assume {
(* Pre-condition *)
Have: a <= b.
(* Invariant 'qed_ok' *)
+ Have: a <= x_2.
+ (* Invariant 'qed_ok' *)
+ Have: (a <= i) /\ (i <= x_2).
+ (* Invariant 'qed_ok' *)
Have: forall i_2 : Z. ((a <= i_2) -> ((i_2 < i) ->
(a_2[shift_sint32(t, i_2)] = e))).
- (* Invariant 'qed_ok' *)
- Have: (a <= i) /\ (i <= (1 + b)).
(* Then *)
Have: i <= b.
+ (* Invariant 'qed_ok' *)
+ Have: a <= x.
}
Prove: a_2[shift_sint32(t, i) <- e][shift_sint32(t, i_1)] = e.
@@ -116,33 +128,44 @@ Goal Loop assigns 'qed_ok' (3/3):
Effect at line 16
Let a_1 = shift_sint32(t, a).
Let x = -a.
-Let a_2 = shift_sint32(t, i).
+Let a_2 = havoc(Mint_undef_0, Mint_0, a_1, i - a).
+Let a_3 = shift_sint32(t, i).
+Let x_1 = 1 + i.
+Let x_2 = 1 + b.
Assume {
- Type: is_sint32(a) /\ is_sint32(b) /\ is_sint32(i) /\ is_sint32(1 + i).
+ Type: is_sint32(a) /\ is_sint32(b) /\ is_sint32(i) /\ is_sint32(x_1).
(* Heap *)
Type: (region(t.base) <= 0) /\ linked(Malloc_0).
(* Goal *)
- When: !invalid(Malloc_0, a_2, 1).
+ When: !invalid(Malloc_0, a_3, 1).
(* Pre-condition *)
Have: valid_rw(Malloc_0, a_1, 1 + b - a).
(* Pre-condition *)
Have: a <= b.
(* Invariant 'qed_ok' *)
- Have: forall i_1 : Z. ((a <= i_1) -> ((i_1 < i) ->
- (havoc(Mint_undef_0, Mint_0, a_1, i - a)[shift_sint32(t, i_1)] = e))).
+ Have: a <= x_2.
(* Invariant 'qed_ok' *)
- Have: (a <= i) /\ (i <= (1 + b)).
+ Have: (a <= i) /\ (i <= x_2).
+ (* Invariant 'qed_ok' *)
+ Have: forall i_1 : Z. ((a <= i_1) -> ((i_1 < i) ->
+ (a_2[shift_sint32(t, i_1)] = e))).
(* Then *)
Have: i <= b.
+ (* Invariant 'qed_ok' *)
+ Have: a <= x_1.
+ (* Invariant 'qed_ok' *)
+ Have: forall i_1 : Z. ((i_1 <= i) -> ((a <= i_1) ->
+ (a_2[a_3 <- e][shift_sint32(t, i_1)] = e))).
}
-Prove: included(a_2, 1, a_1, 1 + i - a).
+Prove: included(a_3, 1, a_1, 1 + i - a).
------------------------------------------------------------
Goal Assigns 'qed_ok' in 'init':
Effect at line 15
+Let x = 1 + b.
Let a_1 = shift_sint32(t, a).
-Let x = -a.
+Let x_1 = -a.
Assume {
Have: a < i.
Have: !invalid(Malloc_0, a_1, i - a).
@@ -153,7 +176,9 @@ Assume {
Have: valid_rw(Malloc_0, a_1, 1 + b - a).
(* Pre-condition *)
Have: a <= b.
+ (* Invariant 'qed_ok' *)
+ Have: a <= x.
}
-Prove: i <= (1 + b).
+Prove: i <= x.
------------------------------------------------------------
diff --git a/src/plugins/wp/tests/wp_plugin/oracle/prenex.res.oracle b/src/plugins/wp/tests/wp_plugin/oracle/prenex.res.oracle
index f921ae4ce125d33e1ffdf74c9a30509986096d67..a2177f40d653e5f30547bfc250018cf79c4c837d 100644
--- a/src/plugins/wp/tests/wp_plugin/oracle/prenex.res.oracle
+++ b/src/plugins/wp/tests/wp_plugin/oracle/prenex.res.oracle
@@ -13,22 +13,24 @@ Assume {
(* Heap *)
Type: (region(p.base) <= 0) /\ (region(q.base) <= 0).
(* Pre-condition *)
- Have: (0 <= m) /\ (0 <= n).
+ Have: 0 <= m.
+ (* Invariant 'I' *)
+ Have: 0 <= n.
+ (* Invariant 'I' *)
+ Have: (0 <= i_1) /\ (i_1 <= n).
(* Invariant 'PI' *)
Have: forall i_3,i_2 : Z. ((0 <= i_3) -> ((i_3 < i_1) -> ((0 <= i_2) ->
((i_2 < m) ->
(Mint_0[shift_sint32(p, i_3)] < Mint_0[shift_sint32(q, i_2)]))))).
- (* Invariant 'I' *)
- Have: (0 <= i_1) /\ (i_1 <= n).
If i_1 < n
Then {
Let x = Mint_0[shift_sint32(p, i)].
Have: (ta_j_0=false).
+ (* Invariant 'J' *)
+ Have: (0 <= j) /\ (j <= m).
(* Invariant 'PJ' *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < j) ->
(x < Mint_0[shift_sint32(q, i_2)]))).
- (* Invariant 'J' *)
- Have: (0 <= j) /\ (j <= m).
(* Then *)
Have: j < m.
Have: i_1 = i.
@@ -51,21 +53,23 @@ Assume {
is_sint32(1 + i).
(* Heap *)
Type: (region(p.base) <= 0) /\ (region(q.base) <= 0).
- (* Pre-condition *)
- Have: (0 <= m) /\ (0 <= n).
+ (* Invariant 'I' *)
+ Have: 0 <= n.
+ (* Invariant 'I' *)
+ Have: (0 <= i) /\ (i <= n).
(* Invariant 'PI' *)
Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 < i) -> ((0 <= i_1) ->
((i_1 < m) ->
(Mint_0[shift_sint32(p, i_2)] < Mint_0[shift_sint32(q, i_1)]))))).
- (* Invariant 'I' *)
- Have: (0 <= i) /\ (i <= n).
(* Then *)
Have: i < n.
+ (* Invariant 'J' *)
+ Have: 0 <= m.
+ (* Invariant 'J' *)
+ Have: (0 <= j) /\ (j <= m).
(* Invariant 'PJ' *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < j) ->
(Mint_0[shift_sint32(p, i)] < Mint_0[shift_sint32(q, i_1)]))).
- (* Invariant 'J' *)
- Have: (0 <= j) /\ (j <= m).
(* Else *)
Have: m <= j.
}
@@ -86,23 +90,27 @@ Assume {
Type: (region(p.base) <= 0) /\ (region(q.base) <= 0).
(* Goal *)
When: (0 <= i) /\ (0 <= i_1) /\ (i_1 < m) /\ (i <= i_2).
- (* Pre-condition *)
- Have: (0 <= m) /\ (0 <= n).
+ (* Invariant 'I' *)
+ Have: 0 <= n.
+ (* Invariant 'I' *)
+ Have: (0 <= i_2) /\ (i_2 <= n).
(* Invariant 'PI' *)
Have: forall i_4,i_3 : Z. ((0 <= i_4) -> ((i_4 < i_2) -> ((0 <= i_3) ->
((i_3 < m) ->
(Mint_0[shift_sint32(p, i_4)] < Mint_0[shift_sint32(q, i_3)]))))).
- (* Invariant 'I' *)
- Have: (0 <= i_2) /\ (i_2 <= n).
(* Then *)
Have: i_2 < n.
+ (* Invariant 'J' *)
+ Have: 0 <= m.
+ (* Invariant 'J' *)
+ Have: (0 <= j) /\ (j <= m).
(* Invariant 'PJ' *)
Have: forall i_3 : Z. ((0 <= i_3) -> ((i_3 < j) ->
(Mint_0[shift_sint32(p, i_2)] < Mint_0[shift_sint32(q, i_3)]))).
- (* Invariant 'J' *)
- Have: (0 <= j) /\ (j <= m).
(* Else *)
Have: m <= j.
+ (* Invariant 'I' *)
+ Have: (-1) <= i_2.
}
Prove: Mint_0[shift_sint32(p, i)] < Mint_0[shift_sint32(q, i_1)].
@@ -121,21 +129,23 @@ Assume {
is_sint32(1 + j) /\ is_sint32(x) /\ is_sint32(x_1).
(* Heap *)
Type: (region(p.base) <= 0) /\ (region(q.base) <= 0).
- (* Pre-condition *)
- Have: (0 <= m) /\ (0 <= n).
+ (* Invariant 'I' *)
+ Have: 0 <= n.
+ (* Invariant 'I' *)
+ Have: (0 <= i) /\ (i <= n).
(* Invariant 'PI' *)
Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 < i) -> ((0 <= i_1) ->
((i_1 < m) ->
(Mint_0[shift_sint32(p, i_2)] < Mint_0[shift_sint32(q, i_1)]))))).
- (* Invariant 'I' *)
- Have: (0 <= i) /\ (i <= n).
(* Then *)
Have: i < n.
+ (* Invariant 'J' *)
+ Have: 0 <= m.
+ (* Invariant 'J' *)
+ Have: (0 <= j) /\ (j <= m).
(* Invariant 'PJ' *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < j) ->
(x < Mint_0[shift_sint32(q, i_1)]))).
- (* Invariant 'J' *)
- Have: (0 <= j) /\ (j <= m).
(* Then *)
Have: j < m.
(* Else *)
@@ -160,25 +170,29 @@ Assume {
Type: (region(p.base) <= 0) /\ (region(q.base) <= 0).
(* Goal *)
When: (0 <= i_1) /\ (i_1 <= j).
- (* Pre-condition *)
- Have: (0 <= m) /\ (0 <= n).
+ (* Invariant 'I' *)
+ Have: 0 <= n.
+ (* Invariant 'I' *)
+ Have: (0 <= i) /\ (i <= n).
(* Invariant 'PI' *)
Have: forall i_3,i_2 : Z. ((0 <= i_3) -> ((i_3 < i) -> ((0 <= i_2) ->
((i_2 < m) ->
(Mint_0[shift_sint32(p, i_3)] < Mint_0[shift_sint32(q, i_2)]))))).
- (* Invariant 'I' *)
- Have: (0 <= i) /\ (i <= n).
(* Then *)
Have: i < n.
+ (* Invariant 'J' *)
+ Have: 0 <= m.
+ (* Invariant 'J' *)
+ Have: (0 <= j) /\ (j <= m).
(* Invariant 'PJ' *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < j) ->
(x < Mint_0[shift_sint32(q, i_2)]))).
- (* Invariant 'J' *)
- Have: (0 <= j) /\ (j <= m).
(* Then *)
Have: j < m.
(* Else *)
Have: x < x_1.
+ (* Invariant 'J' *)
+ Have: (-1) <= j.
}
Prove: x < Mint_0[shift_sint32(q, i_1)].
diff --git a/src/plugins/wp/tests/wp_plugin/oracle/repeat.res.oracle b/src/plugins/wp/tests/wp_plugin/oracle/repeat.res.oracle
index c7250d7a7f3ae9c3f49932ff276435874024b1c0..5ef0fd177d7a00356e6ac6144bd2cda59986de57 100644
--- a/src/plugins/wp/tests/wp_plugin/oracle/repeat.res.oracle
+++ b/src/plugins/wp/tests/wp_plugin/oracle/repeat.res.oracle
@@ -20,13 +20,13 @@ Assume {
(* Heap *)
Type: is_sint32(calls_0).
(* Pre-condition *)
- Have: 0 <= n.
- (* Pre-condition *)
Have: L_sequence(calls_0) = nil.
(* Invariant *)
- Have: ([ 1, 2 ] *^ i) = a.
+ Have: 0 <= n.
(* Invariant *)
Have: (0 <= i) /\ (i <= n).
+ (* Invariant *)
+ Have: ([ 1, 2 ] *^ i) = a.
(* Then *)
Have: i < n.
(* Call 'f' *)
@@ -53,19 +53,21 @@ Assume {
(* Heap *)
Type: is_sint32(calls_1).
(* Pre-condition *)
- Have: 0 <= n.
- (* Pre-condition *)
Have: L_sequence(calls_1) = nil.
(* Invariant *)
- Have: (a_2 *^ i) = a.
+ Have: 0 <= n.
(* Invariant *)
Have: (0 <= i) /\ (i <= n).
+ (* Invariant *)
+ Have: (a_2 *^ i) = a.
(* Then *)
Have: i < n.
(* Call 'f' *)
Have: L_sequence(calls_2) = a ^ [ 1 ].
(* Call 'g' *)
Have: L_sequence(calls_3) = a_1.
+ (* Invariant *)
+ Have: (-1) <= i.
}
Prove: (a_2 *^ x) = a_1.
@@ -128,15 +130,15 @@ Assume {
(* Heap *)
Type: is_sint32(calls_0).
(* Pre-condition *)
- Have: 0 <= n.
- (* Pre-condition *)
Have: L_sequence(calls_0) = nil.
(* Call 'f' *)
Have: L_sequence(calls_1) = [ 1 ].
(* Invariant *)
- Have: L_sequence(calls_2) = a_1 ^ [ 1 ].
+ Have: 0 <= n.
(* Invariant *)
Have: (0 <= i) /\ (i <= n).
+ (* Invariant *)
+ Have: L_sequence(calls_2) = a_1 ^ [ 1 ].
(* Else *)
Have: n <= i.
(* Call 'g' *)
@@ -153,15 +155,15 @@ Assume {
(* Heap *)
Type: is_sint32(calls_0).
(* Pre-condition *)
- Have: 0 <= n.
- (* Pre-condition *)
Have: L_sequence(calls_0) = nil.
(* Call 'f' *)
Have: L_sequence(calls_1) = [ 1 ].
(* Invariant *)
- Have: L_sequence(calls_2) = a ^ [ 1 ].
+ Have: 0 <= n.
(* Invariant *)
Have: (0 <= i) /\ (i <= n).
+ (* Invariant *)
+ Have: L_sequence(calls_2) = a ^ [ 1 ].
(* Then *)
Have: i < n.
(* Call 'g' *)
@@ -188,21 +190,23 @@ Assume {
(* Heap *)
Type: is_sint32(calls_0).
(* Pre-condition *)
- Have: 0 <= n.
- (* Pre-condition *)
Have: L_sequence(calls_0) = nil.
(* Call 'f' *)
Have: L_sequence(calls_1) = [ 1 ].
(* Invariant *)
- Have: L_sequence(calls_2) = a_1 ^ [ 1 ].
+ Have: 0 <= n.
(* Invariant *)
Have: (0 <= i) /\ (i <= n).
+ (* Invariant *)
+ Have: L_sequence(calls_2) = a_1 ^ [ 1 ].
(* Then *)
Have: i < n.
(* Call 'g' *)
Have: L_sequence(calls_3) = a_2.
(* Call 'f' *)
Have: L_sequence(calls_4) = a_1 ^ [ 1, 2, 1 ].
+ (* Invariant *)
+ Have: (-1) <= i.
}
Prove: (a *^ x) = a_2.
diff --git a/src/plugins/wp/tests/wp_plugin/oracle/sequence.res.oracle b/src/plugins/wp/tests/wp_plugin/oracle/sequence.res.oracle
index 1fd2d32b881e58611c6a586443b88e5c4c5206ba..46d5f7b06e4bd3aa1389809c6b8a1ca722cac760 100644
--- a/src/plugins/wp/tests/wp_plugin/oracle/sequence.res.oracle
+++ b/src/plugins/wp/tests/wp_plugin/oracle/sequence.res.oracle
@@ -23,12 +23,12 @@ Assume {
Have: L_call_obs(call_seq_0) = nil.
(* Call 'f' *)
Have: L_call_obs(call_seq_1) = [ x ].
- (* Invariant 'ok,inv' *)
- Have: L_call_obs(call_seq_2) = [ x ] ^ a.
- (* Invariant 'ok,id_max' *)
- Have: if (0 <= n) then (i <= n) else (i <= 0).
(* Invariant 'ok,id_min' *)
Have: 0 <= i.
+ (* Invariant 'ok,id_max' *)
+ Have: if (0 <= n) then (i <= n) else (i <= 0).
+ (* Invariant 'ok,inv' *)
+ Have: L_call_obs(call_seq_2) = [ x ] ^ a.
(* Else *)
Have: n <= i.
(* Call 'f' *)
@@ -49,16 +49,18 @@ Assume {
Have: L_call_obs(call_seq_0) = nil.
(* Call 'f' *)
Have: L_call_obs(call_seq_1) = [ x ].
- (* Invariant 'ok,inv' *)
- Have: L_call_obs(call_seq_2) = [ x ] ^ a.
- (* Invariant 'ok,id_max' *)
- Have: if (0 <= n) then (i <= n) else (i <= 0).
(* Invariant 'ok,id_min' *)
Have: 0 <= i.
+ (* Invariant 'ok,id_max' *)
+ Have: if (0 <= n) then (i <= n) else (i <= 0).
+ (* Invariant 'ok,inv' *)
+ Have: L_call_obs(call_seq_2) = [ x ] ^ a.
(* Then *)
Have: i < n.
(* Call 'g' *)
Have: L_call_obs(call_seq_3) = [ x ] ^ a ^ [ y ].
+ (* Invariant 'ok,id_min' *)
+ Have: (-1) <= i.
}
Prove: 0 <= n.
@@ -80,12 +82,12 @@ Assume {
Have: L_call_obs(call_seq_0) = nil.
(* Call 'f' *)
Have: L_call_obs(call_seq_1) = [ x ].
- (* Invariant 'ok,inv' *)
- Have: L_call_obs(call_seq_2) = [ x ] ^ a.
- (* Invariant 'ok,id_max' *)
- Have: if (0 <= n) then (i <= n) else (i <= 0).
(* Invariant 'ok,id_min' *)
Have: 0 <= i.
+ (* Invariant 'ok,id_max' *)
+ Have: if (0 <= n) then (i <= n) else (i <= 0).
+ (* Invariant 'ok,inv' *)
+ Have: L_call_obs(call_seq_2) = [ x ] ^ a.
(* Then *)
Have: i < n.
(* Call 'g' *)
@@ -112,16 +114,20 @@ Assume {
Have: L_call_obs(call_seq_0) = nil.
(* Call 'f' *)
Have: L_call_obs(call_seq_1) = [ x ].
- (* Invariant 'ok,inv' *)
- Have: L_call_obs(call_seq_2) = [ x ] ^ a.
- (* Invariant 'ok,id_max' *)
- Have: if (0 <= n) then (i <= n) else (i <= 0).
(* Invariant 'ok,id_min' *)
Have: 0 <= i.
+ (* Invariant 'ok,id_max' *)
+ Have: i <= n.
+ (* Invariant 'ok,inv' *)
+ Have: L_call_obs(call_seq_2) = [ x ] ^ a.
(* Then *)
Have: i < n.
(* Call 'g' *)
Have: L_call_obs(call_seq_3) = [ x ] ^ a ^ [ y ].
+ (* Invariant 'ok,id_min' *)
+ Have: (-1) <= i.
+ (* Invariant 'ok,id_max' *)
+ Have: 0 <= n.
}
Prove: ([ y ] *^ x_1) = a ^ [ y ].
@@ -187,12 +193,12 @@ Assume {
Have: 0 < n.
(* Call 'f' *)
Have: L_call_obs(call_seq_1) = [ x ].
- (* Invariant 'ok,inv' *)
- Have: L_call_obs(call_seq_2) = [ x ] ^ a.
- (* Invariant 'ok,id_max' *)
- Have: i <= n.
(* Invariant 'ok,id_min' *)
Have: 0 <= i.
+ (* Invariant 'ok,id_max' *)
+ Have: i <= n.
+ (* Invariant 'ok,inv' *)
+ Have: L_call_obs(call_seq_2) = [ x ] ^ a.
(* Else *)
Have: n <= i.
(* Call 'f' *)
@@ -223,12 +229,12 @@ Assume {
Have: n <= 0.
(* Call 'f' *)
Have: L_call_obs(call_seq_1) = [ x ].
- (* Invariant 'ok,inv' *)
- Have: L_call_obs(call_seq_2) = [ x ] ^ a.
- (* Invariant 'ok,id_max' *)
- Have: if (0 <= n) then (i <= n) else (i <= 0).
(* Invariant 'ok,id_min' *)
Have: 0 <= i.
+ (* Invariant 'ok,id_max' *)
+ Have: if (0 <= n) then (i <= n) else (i <= 0).
+ (* Invariant 'ok,inv' *)
+ Have: L_call_obs(call_seq_2) = [ x ] ^ a.
(* Else *)
Have: n <= i.
(* Call 'f' *)
@@ -251,12 +257,12 @@ Assume {
Have: n <= 0.
(* Call 'f' *)
Have: L_call_obs(call_seq_1) = [ x ].
- (* Invariant 'ok,inv' *)
- Have: L_call_obs(call_seq_2) = [ x ] ^ a.
- (* Invariant 'ok,id_max' *)
- Have: if (0 <= n) then (i <= n) else (i <= 0).
(* Invariant 'ok,id_min' *)
Have: 0 <= i.
+ (* Invariant 'ok,id_max' *)
+ Have: if (0 <= n) then (i <= n) else (i <= 0).
+ (* Invariant 'ok,inv' *)
+ Have: L_call_obs(call_seq_2) = [ x ] ^ a.
(* Else *)
Have: n <= i.
(* Call 'f' *)
diff --git a/src/plugins/wp/tests/wp_plugin/oracle/string_c.res.oracle b/src/plugins/wp/tests/wp_plugin/oracle/string_c.res.oracle
index 01d8890819150fb8ee3f468e78405a38095a941d..d52d8d297fbc9bc51701761979118292eefad810 100644
--- a/src/plugins/wp/tests/wp_plugin/oracle/string_c.res.oracle
+++ b/src/plugins/wp/tests/wp_plugin/oracle/string_c.res.oracle
@@ -18,10 +18,12 @@ Assume {
(* Pre-condition 'separation' *)
Have: separated(a, n, shift_sint8(src_0, 0), n).
(* Invariant 'no_eva' *)
- Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_1[shift_sint8(src_0, i_1)] = a_1[shift_sint8(dest_0, i_1)]))).
+ Have: 0 <= n.
(* Invariant 'no_eva' *)
Have: (0 <= i) /\ (i <= n).
+ (* Invariant 'no_eva' *)
+ Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
+ (a_1[shift_sint8(src_0, i_1)] = a_1[shift_sint8(dest_0, i_1)]))).
(* Else *)
Have: n <= i.
}
@@ -50,10 +52,12 @@ Assume {
(* Pre-condition 'separation' *)
Have: separated(a, n, shift_sint8(src_0, 0), n).
(* Invariant 'no_eva' *)
- Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_1[shift_sint8(src_0, i_1)] = a_1[shift_sint8(dest_0, i_1)]))).
+ Have: 0 <= n.
(* Invariant 'no_eva' *)
Have: (0 <= i) /\ (i <= n).
+ (* Invariant 'no_eva' *)
+ Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
+ (a_1[shift_sint8(src_0, i_1)] = a_1[shift_sint8(dest_0, i_1)]))).
(* Then *)
Have: i < n.
}
@@ -79,6 +83,7 @@ Prove: 0 <= n.
------------------------------------------------------------
Goal Preservation of Invariant 'no_eva' (file FRAMAC_SHARE/libc/string.c, line 34):
+Let x = to_uint64(1 + i).
Let a = shift_sint8(dest_0, 0).
Let a_1 = havoc(Mchar_undef_0, Mchar_0, a, n).
Let a_2 = a_1[shift_sint8(dest_0, i) <- a_1[shift_sint8(src_0, i)]].
@@ -88,7 +93,7 @@ Assume {
Type: (region(dest_0.base) <= 0) /\ (region(src_0.base) <= 0) /\
linked(Malloc_0) /\ sconst(Mchar_0).
(* Goal *)
- When: (0 <= i_1) /\ (i_1 < to_uint64(1 + i)).
+ When: (0 <= i_1) /\ (i_1 < x).
(* Pre-condition 'valid_dest' *)
Have: P_valid_or_empty(Malloc_0, dest_0, n).
(* Pre-condition 'valid_src' *)
@@ -96,12 +101,16 @@ Assume {
(* Pre-condition 'separation' *)
Have: separated(a, n, shift_sint8(src_0, 0), n).
(* Invariant 'no_eva' *)
- Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_1[shift_sint8(src_0, i_2)] = a_1[shift_sint8(dest_0, i_2)]))).
+ Have: 0 <= n.
(* Invariant 'no_eva' *)
Have: (0 <= i) /\ (i <= n).
+ (* Invariant 'no_eva' *)
+ Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
+ (a_1[shift_sint8(src_0, i_2)] = a_1[shift_sint8(dest_0, i_2)]))).
(* Then *)
Have: i < n.
+ (* Invariant 'no_eva' *)
+ Have: x <= n.
}
Prove: a_2[shift_sint8(src_0, i_1)] = a_2[shift_sint8(dest_0, i_1)].
@@ -125,9 +134,11 @@ Prove: true.
Goal Loop assigns (file FRAMAC_SHARE/libc/string.c, line 35) (3/3):
Effect at line 39
+Let x = to_uint64(1 + i).
Let a = shift_sint8(dest_0, 0).
Let a_1 = havoc(Mchar_undef_0, Mchar_0, a, n).
Let a_2 = shift_sint8(dest_0, i).
+Let a_3 = a_1[a_2 <- a_1[shift_sint8(src_0, i)]].
Assume {
Type: is_uint64(i) /\ is_uint64(n).
(* Heap *)
@@ -142,12 +153,19 @@ Assume {
(* Pre-condition 'separation' *)
Have: separated(a, n, shift_sint8(src_0, 0), n).
(* Invariant 'no_eva' *)
- Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_1[shift_sint8(src_0, i_1)] = a_1[shift_sint8(dest_0, i_1)]))).
+ Have: 0 <= n.
(* Invariant 'no_eva' *)
Have: (0 <= i) /\ (i <= n).
+ (* Invariant 'no_eva' *)
+ Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
+ (a_1[shift_sint8(src_0, i_1)] = a_1[shift_sint8(dest_0, i_1)]))).
(* Then *)
Have: i < n.
+ (* Invariant 'no_eva' *)
+ Have: x <= n.
+ (* Invariant 'no_eva' *)
+ Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < x) ->
+ (a_3[shift_sint8(src_0, i_1)] = a_3[shift_sint8(dest_0, i_1)]))).
}
Prove: included(a_2, 1, a, n).
@@ -160,8 +178,10 @@ Prove: true.
------------------------------------------------------------
Goal Decreasing of Loop variant at loop (file FRAMAC_SHARE/libc/string.c, line 38):
+Let x = to_uint64(1 + i).
Let a = shift_sint8(dest_0, 0).
Let a_1 = havoc(Mchar_undef_0, Mchar_0, a, n).
+Let a_2 = a_1[shift_sint8(dest_0, i) <- a_1[shift_sint8(src_0, i)]].
Assume {
Type: is_uint64(i) /\ is_uint64(n).
(* Heap *)
@@ -174,14 +194,21 @@ Assume {
(* Pre-condition 'separation' *)
Have: separated(a, n, shift_sint8(src_0, 0), n).
(* Invariant 'no_eva' *)
- Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_1[shift_sint8(src_0, i_1)] = a_1[shift_sint8(dest_0, i_1)]))).
+ Have: 0 <= n.
(* Invariant 'no_eva' *)
Have: (0 <= i) /\ (i <= n).
+ (* Invariant 'no_eva' *)
+ Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
+ (a_1[shift_sint8(src_0, i_1)] = a_1[shift_sint8(dest_0, i_1)]))).
(* Then *)
Have: i < n.
+ (* Invariant 'no_eva' *)
+ Have: x <= n.
+ (* Invariant 'no_eva' *)
+ Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < x) ->
+ (a_2[shift_sint8(src_0, i_1)] = a_2[shift_sint8(dest_0, i_1)]))).
}
-Prove: i < to_uint64(1 + i).
+Prove: i < x.
------------------------------------------------------------
@@ -193,7 +220,7 @@ Prove: true.
Goal Post-condition 'copied_contents' in 'memmove':
Assume {
Type: is_sint32(memoverlap_0) /\ is_uint64(i) /\ is_uint64(i_1) /\
- is_uint64(n).
+ is_uint64(i_2) /\ is_uint64(n).
(* Heap *)
Type: (region(dest_0.base) <= 0) /\ (region(src_0.base) <= 0) /\
linked(Malloc_0) /\ sconst(Mchar_0).
@@ -217,34 +244,44 @@ Assume {
If memoverlap_0 <= 0
Then {
Have: (ta_i_0=false).
+ (* Invariant 'no_eva' *)
+ Have: 0 <= n.
(* Loop assigns ... *)
Have: havoc(Mchar_undef_0, Mchar_0, a, n) = Mchar_1.
(* Invariant 'no_eva' *)
- Have: forall i_2 : Z. let a_2 = shift_sint8(src_0, i_2) in
- ((i <= i_2) -> ((i_2 < n) -> (Mchar_1[a_2] = Mchar_0[a_2]))).
+ Have: (0 <= i) /\ (i <= n).
(* Invariant 'no_eva' *)
- Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (Mchar_1[shift_sint8(dest_0, i_2)]
- = Mchar_0[shift_sint8(src_0, i_2)]))).
+ Have: forall i_3 : Z. ((0 <= i_3) -> ((i_3 < i) ->
+ (Mchar_1[shift_sint8(dest_0, i_3)]
+ = Mchar_0[shift_sint8(src_0, i_3)]))).
(* Invariant 'no_eva' *)
- Have: (0 <= i) /\ (i <= n).
+ Have: forall i_3 : Z. let a_2 = shift_sint8(src_0, i_3) in
+ ((i <= i_3) -> ((i_3 < n) -> (Mchar_1[a_2] = Mchar_0[a_2]))).
(* Else *)
Have: n <= i.
}
Else {
(* Block In *)
Have: (ta_i_1=false).
+ (* Initializer *)
+ Init: to_uint64(n - 1) = i_2.
+ (* Invariant 'no_eva' *)
+ Have: i_2 < n.
+ (* Invariant 'no_eva' *)
+ Have: forall i_3 : Z. ((i_2 < i_3) -> ((i_3 < n) ->
+ (Mchar_0[shift_sint8(src_0, i_3)]
+ = Mchar_0[shift_sint8(dest_0, i_3)]))).
(* Loop assigns ... *)
Have: havoc(Mchar_undef_1, Mchar_0, a, n) = Mchar_2.
(* Invariant 'no_eva' *)
- Have: forall i_2 : Z. let a_2 = shift_sint8(src_0, i_2) in
- ((i_2 <= i_1) -> ((0 <= i_2) -> (Mchar_2[a_2] = Mchar_0[a_2]))).
+ Have: (0 <= i_1) /\ (i_1 < n).
(* Invariant 'no_eva' *)
- Have: forall i_2 : Z. ((i_1 < i_2) -> ((i_2 < n) ->
- (Mchar_2[shift_sint8(dest_0, i_2)]
- = Mchar_0[shift_sint8(src_0, i_2)]))).
+ Have: forall i_3 : Z. ((i_1 < i_3) -> ((i_3 < n) ->
+ (Mchar_2[shift_sint8(dest_0, i_3)]
+ = Mchar_0[shift_sint8(src_0, i_3)]))).
(* Invariant 'no_eva' *)
- Have: (0 <= i_1) /\ (i_1 < n).
+ Have: forall i_3 : Z. let a_2 = shift_sint8(src_0, i_3) in
+ ((i_3 <= i_1) -> ((0 <= i_3) -> (Mchar_2[a_2] = Mchar_0[a_2]))).
(* Else *)
Have: i_1 <= 0.
Have: Mchar_2[a <- Mchar_2[a_1]] = Mchar_1.
@@ -284,13 +321,15 @@ Assume {
(* Then *)
Have: memoverlap_0 <= 0.
(* Invariant 'no_eva' *)
- Have: forall i_1 : Z. let a_3 = shift_sint8(src_0, i_1) in ((i <= i_1) ->
- ((i_1 < n) -> (a_1[a_3] = Mchar_0[a_3]))).
+ Have: 0 <= n.
+ (* Invariant 'no_eva' *)
+ Have: (0 <= i) /\ (i <= n).
(* Invariant 'no_eva' *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
(a_1[shift_sint8(dest_0, i_1)] = Mchar_0[shift_sint8(src_0, i_1)]))).
(* Invariant 'no_eva' *)
- Have: (0 <= i) /\ (i <= n).
+ Have: forall i_1 : Z. let a_3 = shift_sint8(src_0, i_1) in ((i <= i_1) ->
+ ((i_1 < n) -> (a_1[a_3] = Mchar_0[a_3]))).
(* Then *)
Have: i < n.
}
@@ -325,6 +364,7 @@ Prove: 0 <= n.
------------------------------------------------------------
Goal Preservation of Invariant 'no_eva' (file FRAMAC_SHARE/libc/string.c, line 96):
+Let x = to_uint64(1 + i).
Let a = shift_sint8(d, 0).
Let a_1 = havoc(Mchar_undef_0, Mchar_0, a, n).
Let a_2 = shift_sint8(s, 0).
@@ -334,7 +374,7 @@ Assume {
Type: (region(d.base) <= 0) /\ (region(s.base) <= 0) /\ linked(Malloc_0) /\
sconst(Mchar_0).
(* Goal *)
- When: (0 <= i_1) /\ (i_1 < to_uint64(1 + i)).
+ When: (0 <= i_1) /\ (i_1 < x).
(* Pre-condition 'valid_dest' *)
Have: P_valid_or_empty(Malloc_0, d, n).
(* Pre-condition 'valid_src' *)
@@ -350,15 +390,19 @@ Assume {
(* Then *)
Have: memoverlap_0 <= 0.
(* Invariant 'no_eva' *)
- Have: forall i_2 : Z. let a_3 = shift_sint8(s, i_2) in ((i <= i_2) ->
- ((i_2 < n) -> (a_1[a_3] = Mchar_0[a_3]))).
+ Have: 0 <= n.
+ (* Invariant 'no_eva' *)
+ Have: (0 <= i) /\ (i <= n).
(* Invariant 'no_eva' *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
(a_1[shift_sint8(d, i_2)] = Mchar_0[shift_sint8(s, i_2)]))).
(* Invariant 'no_eva' *)
- Have: (0 <= i) /\ (i <= n).
+ Have: forall i_2 : Z. let a_3 = shift_sint8(s, i_2) in ((i <= i_2) ->
+ ((i_2 < n) -> (a_1[a_3] = Mchar_0[a_3]))).
(* Then *)
Have: i < n.
+ (* Invariant 'no_eva' *)
+ Have: x <= n.
}
Prove: a_1[shift_sint8(d, i) <- a_1[shift_sint8(s, i)]][shift_sint8(d, i_1)] =
Mchar_0[shift_sint8(s, i_1)].
@@ -371,17 +415,19 @@ Prove: true.
------------------------------------------------------------
Goal Preservation of Invariant 'no_eva' (file FRAMAC_SHARE/libc/string.c, line 97):
+Let x = to_uint64(1 + i).
Let a = shift_sint8(d, 0).
Let a_1 = havoc(Mchar_undef_0, Mchar_0, a, n).
-Let a_2 = shift_sint8(s, 0).
-Let a_3 = shift_sint8(s, i_1).
+Let a_2 = a_1[shift_sint8(d, i) <- a_1[shift_sint8(s, i)]].
+Let a_3 = shift_sint8(s, 0).
+Let a_4 = shift_sint8(s, i_1).
Assume {
Type: is_sint32(memoverlap_0) /\ is_uint64(i) /\ is_uint64(n).
(* Heap *)
Type: (region(d.base) <= 0) /\ (region(s.base) <= 0) /\ linked(Malloc_0) /\
sconst(Mchar_0).
(* Goal *)
- When: (i_1 < n) /\ (to_uint64(1 + i) <= i_1).
+ When: (i_1 < n) /\ (x <= i_1).
(* Pre-condition 'valid_dest' *)
Have: P_valid_or_empty(Malloc_0, d, n).
(* Pre-condition 'valid_src' *)
@@ -389,25 +435,32 @@ Assume {
(* Else *)
Have: n != 0.
(* Call 'memoverlap' *)
- Have: ((separated(a, n, a_2, n) -> (memoverlap_0 = 0))) /\
+ Have: ((separated(a, n, a_3, n) -> (memoverlap_0 = 0))) /\
((addr_le(d, s) -> (addr_lt(s, shift_sint8(d, n)) ->
- ((!separated(a, n, a_2, n)) -> (memoverlap_0 = (-1)))))) /\
+ ((!separated(a, n, a_3, n)) -> (memoverlap_0 = (-1)))))) /\
((addr_lt(s, d) -> (addr_le(d, shift_sint8(s, n)) ->
- ((!separated(a, n, a_2, n)) -> (memoverlap_0 = 1))))).
+ ((!separated(a, n, a_3, n)) -> (memoverlap_0 = 1))))).
(* Then *)
Have: memoverlap_0 <= 0.
(* Invariant 'no_eva' *)
- Have: forall i_2 : Z. let a_4 = shift_sint8(s, i_2) in ((i <= i_2) ->
- ((i_2 < n) -> (a_1[a_4] = Mchar_0[a_4]))).
+ Have: 0 <= n.
+ (* Invariant 'no_eva' *)
+ Have: (0 <= i) /\ (i <= n).
(* Invariant 'no_eva' *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
(a_1[shift_sint8(d, i_2)] = Mchar_0[shift_sint8(s, i_2)]))).
(* Invariant 'no_eva' *)
- Have: (0 <= i) /\ (i <= n).
+ Have: forall i_2 : Z. let a_5 = shift_sint8(s, i_2) in ((i <= i_2) ->
+ ((i_2 < n) -> (a_1[a_5] = Mchar_0[a_5]))).
(* Then *)
Have: i < n.
+ (* Invariant 'no_eva' *)
+ Have: x <= n.
+ (* Invariant 'no_eva' *)
+ Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < x) ->
+ (a_2[shift_sint8(d, i_2)] = Mchar_0[shift_sint8(s, i_2)]))).
}
-Prove: a_1[shift_sint8(d, i) <- a_1[shift_sint8(s, i)]][a_3] = Mchar_0[a_3].
+Prove: a_2[a_4] = Mchar_0[a_4].
------------------------------------------------------------
@@ -419,6 +472,7 @@ Prove: true.
Goal Preservation of Invariant 'no_eva' (file FRAMAC_SHARE/libc/string.c, line 107):
Let a = shift_sint8(dest_0, 0).
Let a_1 = havoc(Mchar_undef_0, Mchar_0, a, n).
+Let x = to_uint64(n - 1).
Let a_2 = shift_sint8(src_0, 0).
Assume {
Type: is_sint32(memoverlap_0) /\ is_uint64(i) /\ is_uint64(n).
@@ -440,13 +494,18 @@ Assume {
(* Else *)
Have: 0 < memoverlap_0.
(* Invariant 'no_eva' *)
- Have: forall i_1 : Z. let a_3 = shift_sint8(src_0, i_1) in ((i_1 <= i) ->
- ((0 <= i_1) -> (a_1[a_3] = Mchar_0[a_3]))).
+ Have: x < n.
+ (* Invariant 'no_eva' *)
+ Have: forall i_1 : Z. ((i_1 < n) -> ((x < i_1) ->
+ (Mchar_0[shift_sint8(src_0, i_1)] = Mchar_0[shift_sint8(dest_0, i_1)]))).
+ (* Invariant 'no_eva' *)
+ Have: (0 <= i) /\ (i < n).
(* Invariant 'no_eva' *)
Have: forall i_1 : Z. ((i < i_1) -> ((i_1 < n) ->
(a_1[shift_sint8(dest_0, i_1)] = Mchar_0[shift_sint8(src_0, i_1)]))).
(* Invariant 'no_eva' *)
- Have: (0 <= i) /\ (i < n).
+ Have: forall i_1 : Z. let a_3 = shift_sint8(src_0, i_1) in ((i_1 <= i) ->
+ ((0 <= i_1) -> (a_1[a_3] = Mchar_0[a_3]))).
(* Then *)
Have: 0 < i.
}
@@ -481,8 +540,10 @@ Prove: to_uint64(n - 1) < n.
------------------------------------------------------------
Goal Preservation of Invariant 'no_eva' (file FRAMAC_SHARE/libc/string.c, line 108):
+Let x = to_uint64(i - 1).
Let a = shift_sint8(d, 0).
Let a_1 = havoc(Mchar_undef_0, Mchar_0, a, n).
+Let x_1 = to_uint64(n - 1).
Let a_2 = shift_sint8(s, 0).
Assume {
Type: is_sint32(memoverlap_0) /\ is_uint64(i) /\ is_uint64(n).
@@ -490,7 +551,7 @@ Assume {
Type: (region(d.base) <= 0) /\ (region(s.base) <= 0) /\ linked(Malloc_0) /\
sconst(Mchar_0).
(* Goal *)
- When: (i_1 < n) /\ (to_uint64(i - 1) < i_1).
+ When: (i_1 < n) /\ (x < i_1).
(* Pre-condition 'valid_dest' *)
Have: P_valid_or_empty(Malloc_0, d, n).
(* Pre-condition 'valid_src' *)
@@ -506,15 +567,22 @@ Assume {
(* Else *)
Have: 0 < memoverlap_0.
(* Invariant 'no_eva' *)
- Have: forall i_2 : Z. let a_3 = shift_sint8(s, i_2) in ((i_2 <= i) ->
- ((0 <= i_2) -> (a_1[a_3] = Mchar_0[a_3]))).
+ Have: x_1 < n.
+ (* Invariant 'no_eva' *)
+ Have: forall i_2 : Z. ((i_2 < n) -> ((x_1 < i_2) ->
+ (Mchar_0[shift_sint8(s, i_2)] = Mchar_0[shift_sint8(d, i_2)]))).
+ (* Invariant 'no_eva' *)
+ Have: (0 <= i) /\ (i < n).
(* Invariant 'no_eva' *)
Have: forall i_2 : Z. ((i < i_2) -> ((i_2 < n) ->
(a_1[shift_sint8(d, i_2)] = Mchar_0[shift_sint8(s, i_2)]))).
(* Invariant 'no_eva' *)
- Have: (0 <= i) /\ (i < n).
+ Have: forall i_2 : Z. let a_3 = shift_sint8(s, i_2) in ((i_2 <= i) ->
+ ((0 <= i_2) -> (a_1[a_3] = Mchar_0[a_3]))).
(* Then *)
Have: 0 < i.
+ (* Invariant 'no_eva' *)
+ Have: x < n.
}
Prove: a_1[shift_sint8(d, i) <- a_1[shift_sint8(s, i)]][shift_sint8(d, i_1)] =
Mchar_0[shift_sint8(s, i_1)].
@@ -522,6 +590,7 @@ Prove: a_1[shift_sint8(d, i) <- a_1[shift_sint8(s, i)]][shift_sint8(d, i_1)] =
------------------------------------------------------------
Goal Establishment of Invariant 'no_eva' (file FRAMAC_SHARE/libc/string.c, line 108):
+Let x = to_uint64(n - 1).
Let a = shift_sint8(dest_0, 0).
Let a_1 = shift_sint8(src_0, 0).
Assume {
@@ -530,7 +599,7 @@ Assume {
Type: (region(dest_0.base) <= 0) /\ (region(src_0.base) <= 0) /\
linked(Malloc_0) /\ sconst(Mchar_0).
(* Goal *)
- When: (i < n) /\ (to_uint64(n - 1) < i).
+ When: (i < n) /\ (x < i).
(* Pre-condition 'valid_dest' *)
Have: P_valid_or_empty(Malloc_0, dest_0, n).
(* Pre-condition 'valid_src' *)
@@ -545,23 +614,28 @@ Assume {
((!separated(a, n, a_1, n)) -> (memoverlap_0 = 1))))).
(* Else *)
Have: 0 < memoverlap_0.
+ (* Invariant 'no_eva' *)
+ Have: x < n.
}
Prove: Mchar_0[shift_sint8(src_0, i)] = Mchar_0[shift_sint8(dest_0, i)].
------------------------------------------------------------
Goal Preservation of Invariant 'no_eva' (file FRAMAC_SHARE/libc/string.c, line 109):
+Let x = to_uint64(i - 1).
Let a = shift_sint8(d, 0).
Let a_1 = havoc(Mchar_undef_0, Mchar_0, a, n).
-Let a_2 = shift_sint8(s, 0).
-Let a_3 = shift_sint8(s, i_1).
+Let a_2 = a_1[shift_sint8(d, i) <- a_1[shift_sint8(s, i)]].
+Let x_1 = to_uint64(n - 1).
+Let a_3 = shift_sint8(s, 0).
+Let a_4 = shift_sint8(s, i_1).
Assume {
Type: is_sint32(memoverlap_0) /\ is_uint64(i) /\ is_uint64(n).
(* Heap *)
Type: (region(d.base) <= 0) /\ (region(s.base) <= 0) /\ linked(Malloc_0) /\
sconst(Mchar_0).
(* Goal *)
- When: (0 <= i_1) /\ (i_1 <= to_uint64(i - 1)).
+ When: (0 <= i_1) /\ (i_1 <= x).
(* Pre-condition 'valid_dest' *)
Have: P_valid_or_empty(Malloc_0, d, n).
(* Pre-condition 'valid_src' *)
@@ -569,25 +643,35 @@ Assume {
(* Else *)
Have: n != 0.
(* Call 'memoverlap' *)
- Have: ((separated(a, n, a_2, n) -> (memoverlap_0 = 0))) /\
+ Have: ((separated(a, n, a_3, n) -> (memoverlap_0 = 0))) /\
((addr_le(d, s) -> (addr_lt(s, shift_sint8(d, n)) ->
- ((!separated(a, n, a_2, n)) -> (memoverlap_0 = (-1)))))) /\
+ ((!separated(a, n, a_3, n)) -> (memoverlap_0 = (-1)))))) /\
((addr_lt(s, d) -> (addr_le(d, shift_sint8(s, n)) ->
- ((!separated(a, n, a_2, n)) -> (memoverlap_0 = 1))))).
+ ((!separated(a, n, a_3, n)) -> (memoverlap_0 = 1))))).
(* Else *)
Have: 0 < memoverlap_0.
(* Invariant 'no_eva' *)
- Have: forall i_2 : Z. let a_4 = shift_sint8(s, i_2) in ((i_2 <= i) ->
- ((0 <= i_2) -> (a_1[a_4] = Mchar_0[a_4]))).
+ Have: x_1 < n.
+ (* Invariant 'no_eva' *)
+ Have: forall i_2 : Z. ((i_2 < n) -> ((x_1 < i_2) ->
+ (Mchar_0[shift_sint8(s, i_2)] = Mchar_0[shift_sint8(d, i_2)]))).
+ (* Invariant 'no_eva' *)
+ Have: (0 <= i) /\ (i < n).
(* Invariant 'no_eva' *)
Have: forall i_2 : Z. ((i < i_2) -> ((i_2 < n) ->
(a_1[shift_sint8(d, i_2)] = Mchar_0[shift_sint8(s, i_2)]))).
(* Invariant 'no_eva' *)
- Have: (0 <= i) /\ (i < n).
+ Have: forall i_2 : Z. let a_5 = shift_sint8(s, i_2) in ((i_2 <= i) ->
+ ((0 <= i_2) -> (a_1[a_5] = Mchar_0[a_5]))).
(* Then *)
Have: 0 < i.
+ (* Invariant 'no_eva' *)
+ Have: x < n.
+ (* Invariant 'no_eva' *)
+ Have: forall i_2 : Z. ((i_2 < n) -> ((x < i_2) ->
+ (a_2[shift_sint8(d, i_2)] = Mchar_0[shift_sint8(s, i_2)]))).
}
-Prove: a_1[shift_sint8(d, i) <- a_1[shift_sint8(s, i)]][a_3] = Mchar_0[a_3].
+Prove: a_2[a_4] = Mchar_0[a_4].
------------------------------------------------------------
@@ -609,43 +693,55 @@ Prove: true.
Goal Loop assigns (file FRAMAC_SHARE/libc/string.c, line 98) (3/3):
Effect at line 102
+Let x = to_uint64(1 + i).
Let a = shift_sint8(d, 0).
Let a_1 = havoc(Mchar_undef_0, Mchar_0, a, n).
-Let a_2 = shift_sint8(src_0, 0).
-Let a_3 = shift_sint8(d, i).
+Let a_2 = shift_sint8(d, i).
+Let a_3 = a_1[a_2 <- a_1[shift_sint8(s, i)]].
+Let a_4 = shift_sint8(s, 0).
Assume {
Type: is_sint32(memoverlap_0) /\ is_uint64(i) /\ is_uint64(n).
(* Heap *)
- Type: (region(d.base) <= 0) /\ (region(src_0.base) <= 0) /\
- linked(Malloc_0) /\ sconst(Mchar_0).
+ Type: (region(d.base) <= 0) /\ (region(s.base) <= 0) /\ linked(Malloc_0) /\
+ sconst(Mchar_0).
(* Goal *)
- When: !invalid(Malloc_0, a_3, 1).
+ When: !invalid(Malloc_0, a_2, 1).
(* Pre-condition 'valid_dest' *)
Have: P_valid_or_empty(Malloc_0, d, n).
(* Pre-condition 'valid_src' *)
- Have: P_valid_read_or_empty(Malloc_0, src_0, n).
+ Have: P_valid_read_or_empty(Malloc_0, s, n).
(* Else *)
Have: n != 0.
(* Call 'memoverlap' *)
- Have: ((separated(a, n, a_2, n) -> (memoverlap_0 = 0))) /\
- ((addr_le(d, src_0) -> (addr_lt(src_0, shift_sint8(d, n)) ->
- ((!separated(a, n, a_2, n)) -> (memoverlap_0 = (-1)))))) /\
- ((addr_lt(src_0, d) -> (addr_le(d, shift_sint8(src_0, n)) ->
- ((!separated(a, n, a_2, n)) -> (memoverlap_0 = 1))))).
+ Have: ((separated(a, n, a_4, n) -> (memoverlap_0 = 0))) /\
+ ((addr_le(d, s) -> (addr_lt(s, shift_sint8(d, n)) ->
+ ((!separated(a, n, a_4, n)) -> (memoverlap_0 = (-1)))))) /\
+ ((addr_lt(s, d) -> (addr_le(d, shift_sint8(s, n)) ->
+ ((!separated(a, n, a_4, n)) -> (memoverlap_0 = 1))))).
(* Then *)
Have: memoverlap_0 <= 0.
(* Invariant 'no_eva' *)
- Have: forall i_1 : Z. let a_4 = shift_sint8(src_0, i_1) in ((i <= i_1) ->
- ((i_1 < n) -> (a_1[a_4] = Mchar_0[a_4]))).
+ Have: 0 <= n.
+ (* Invariant 'no_eva' *)
+ Have: (0 <= i) /\ (i <= n).
(* Invariant 'no_eva' *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_1[shift_sint8(d, i_1)] = Mchar_0[shift_sint8(src_0, i_1)]))).
+ (a_1[shift_sint8(d, i_1)] = Mchar_0[shift_sint8(s, i_1)]))).
(* Invariant 'no_eva' *)
- Have: (0 <= i) /\ (i <= n).
+ Have: forall i_1 : Z. let a_5 = shift_sint8(s, i_1) in ((i <= i_1) ->
+ ((i_1 < n) -> (a_1[a_5] = Mchar_0[a_5]))).
(* Then *)
Have: i < n.
+ (* Invariant 'no_eva' *)
+ Have: x <= n.
+ (* Invariant 'no_eva' *)
+ Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < x) ->
+ (a_3[shift_sint8(d, i_1)] = Mchar_0[shift_sint8(s, i_1)]))).
+ (* Invariant 'no_eva' *)
+ Have: forall i_1 : Z. let a_5 = shift_sint8(s, i_1) in ((i_1 < n) ->
+ ((x <= i_1) -> (a_3[a_5] = Mchar_0[a_5]))).
}
-Prove: included(a_3, 1, a, n).
+Prove: included(a_2, 1, a, n).
------------------------------------------------------------
@@ -662,43 +758,59 @@ Prove: true.
Goal Loop assigns (file FRAMAC_SHARE/libc/string.c, line 110) (3/3):
Effect at line 114
+Let x = to_uint64(i - 1).
Let a = shift_sint8(d, 0).
Let a_1 = havoc(Mchar_undef_0, Mchar_0, a, n).
-Let a_2 = shift_sint8(src_0, 0).
-Let a_3 = shift_sint8(d, i).
+Let a_2 = shift_sint8(d, i).
+Let a_3 = a_1[a_2 <- a_1[shift_sint8(s, i)]].
+Let x_1 = to_uint64(n - 1).
+Let a_4 = shift_sint8(s, 0).
Assume {
Type: is_sint32(memoverlap_0) /\ is_uint64(i) /\ is_uint64(n).
(* Heap *)
- Type: (region(d.base) <= 0) /\ (region(src_0.base) <= 0) /\
- linked(Malloc_0) /\ sconst(Mchar_0).
+ Type: (region(d.base) <= 0) /\ (region(s.base) <= 0) /\ linked(Malloc_0) /\
+ sconst(Mchar_0).
(* Goal *)
- When: !invalid(Malloc_0, a_3, 1).
+ When: !invalid(Malloc_0, a_2, 1).
(* Pre-condition 'valid_dest' *)
Have: P_valid_or_empty(Malloc_0, d, n).
(* Pre-condition 'valid_src' *)
- Have: P_valid_read_or_empty(Malloc_0, src_0, n).
+ Have: P_valid_read_or_empty(Malloc_0, s, n).
(* Else *)
Have: n != 0.
(* Call 'memoverlap' *)
- Have: ((separated(a, n, a_2, n) -> (memoverlap_0 = 0))) /\
- ((addr_le(d, src_0) -> (addr_lt(src_0, shift_sint8(d, n)) ->
- ((!separated(a, n, a_2, n)) -> (memoverlap_0 = (-1)))))) /\
- ((addr_lt(src_0, d) -> (addr_le(d, shift_sint8(src_0, n)) ->
- ((!separated(a, n, a_2, n)) -> (memoverlap_0 = 1))))).
+ Have: ((separated(a, n, a_4, n) -> (memoverlap_0 = 0))) /\
+ ((addr_le(d, s) -> (addr_lt(s, shift_sint8(d, n)) ->
+ ((!separated(a, n, a_4, n)) -> (memoverlap_0 = (-1)))))) /\
+ ((addr_lt(s, d) -> (addr_le(d, shift_sint8(s, n)) ->
+ ((!separated(a, n, a_4, n)) -> (memoverlap_0 = 1))))).
(* Else *)
Have: 0 < memoverlap_0.
(* Invariant 'no_eva' *)
- Have: forall i_1 : Z. let a_4 = shift_sint8(src_0, i_1) in ((i_1 <= i) ->
- ((0 <= i_1) -> (a_1[a_4] = Mchar_0[a_4]))).
+ Have: x_1 < n.
(* Invariant 'no_eva' *)
- Have: forall i_1 : Z. ((i < i_1) -> ((i_1 < n) ->
- (a_1[shift_sint8(d, i_1)] = Mchar_0[shift_sint8(src_0, i_1)]))).
+ Have: forall i_1 : Z. ((i_1 < n) -> ((x_1 < i_1) ->
+ (Mchar_0[shift_sint8(s, i_1)] = Mchar_0[shift_sint8(d, i_1)]))).
(* Invariant 'no_eva' *)
Have: (0 <= i) /\ (i < n).
+ (* Invariant 'no_eva' *)
+ Have: forall i_1 : Z. ((i < i_1) -> ((i_1 < n) ->
+ (a_1[shift_sint8(d, i_1)] = Mchar_0[shift_sint8(s, i_1)]))).
+ (* Invariant 'no_eva' *)
+ Have: forall i_1 : Z. let a_5 = shift_sint8(s, i_1) in ((i_1 <= i) ->
+ ((0 <= i_1) -> (a_1[a_5] = Mchar_0[a_5]))).
(* Then *)
Have: 0 < i.
+ (* Invariant 'no_eva' *)
+ Have: x < n.
+ (* Invariant 'no_eva' *)
+ Have: forall i_1 : Z. ((i_1 < n) -> ((x < i_1) ->
+ (a_3[shift_sint8(d, i_1)] = Mchar_0[shift_sint8(s, i_1)]))).
+ (* Invariant 'no_eva' *)
+ Have: forall i_1 : Z. let a_5 = shift_sint8(s, i_1) in ((0 <= i_1) ->
+ ((i_1 <= x) -> (a_3[a_5] = Mchar_0[a_5]))).
}
-Prove: included(a_3, 1, a, n).
+Prove: included(a_2, 1, a, n).
------------------------------------------------------------
@@ -740,6 +852,7 @@ Goal Assigns (file FRAMAC_SHARE/libc/string.h, line 122) in 'memmove' (6/7):
Effect at line 115
Let a = shift_sint8(d, 0).
Let a_1 = havoc(Mchar_undef_0, Mchar_0, a, n).
+Let x = to_uint64(n - 1).
Let a_2 = shift_sint8(src_0, 0).
Assume {
Type: is_sint32(memoverlap_0) /\ is_uint64(i) /\ is_uint64(n).
@@ -763,13 +876,18 @@ Assume {
(* Else *)
Have: 0 < memoverlap_0.
(* Invariant 'no_eva' *)
- Have: forall i_1 : Z. let a_3 = shift_sint8(src_0, i_1) in ((i_1 <= i) ->
- ((0 <= i_1) -> (a_1[a_3] = Mchar_0[a_3]))).
+ Have: x < n.
+ (* Invariant 'no_eva' *)
+ Have: forall i_1 : Z. ((i_1 < n) -> ((x < i_1) ->
+ (Mchar_0[shift_sint8(src_0, i_1)] = Mchar_0[shift_sint8(d, i_1)]))).
+ (* Invariant 'no_eva' *)
+ Have: (0 <= i) /\ (i < n).
(* Invariant 'no_eva' *)
Have: forall i_1 : Z. ((i < i_1) -> ((i_1 < n) ->
(a_1[shift_sint8(d, i_1)] = Mchar_0[shift_sint8(src_0, i_1)]))).
(* Invariant 'no_eva' *)
- Have: (0 <= i) /\ (i < n).
+ Have: forall i_1 : Z. let a_3 = shift_sint8(src_0, i_1) in ((i_1 <= i) ->
+ ((0 <= i_1) -> (a_1[a_3] = Mchar_0[a_3]))).
(* Else *)
Have: i <= 0.
}
@@ -784,40 +902,52 @@ Prove: true.
------------------------------------------------------------
Goal Decreasing of Loop variant at loop (file FRAMAC_SHARE/libc/string.c, line 101):
-Let a = shift_sint8(dest_0, 0).
+Let x = to_uint64(1 + i).
+Let a = shift_sint8(d, 0).
Let a_1 = havoc(Mchar_undef_0, Mchar_0, a, n).
-Let a_2 = shift_sint8(src_0, 0).
+Let a_2 = a_1[shift_sint8(d, i) <- a_1[shift_sint8(s, i)]].
+Let a_3 = shift_sint8(s, 0).
Assume {
Type: is_sint32(memoverlap_0) /\ is_uint64(i) /\ is_uint64(n).
(* Heap *)
- Type: (region(dest_0.base) <= 0) /\ (region(src_0.base) <= 0) /\
- linked(Malloc_0) /\ sconst(Mchar_0).
+ Type: (region(d.base) <= 0) /\ (region(s.base) <= 0) /\ linked(Malloc_0) /\
+ sconst(Mchar_0).
(* Pre-condition 'valid_dest' *)
- Have: P_valid_or_empty(Malloc_0, dest_0, n).
+ Have: P_valid_or_empty(Malloc_0, d, n).
(* Pre-condition 'valid_src' *)
- Have: P_valid_read_or_empty(Malloc_0, src_0, n).
+ Have: P_valid_read_or_empty(Malloc_0, s, n).
(* Else *)
Have: n != 0.
(* Call 'memoverlap' *)
- Have: ((separated(a, n, a_2, n) -> (memoverlap_0 = 0))) /\
- ((addr_le(dest_0, src_0) -> (addr_lt(src_0, shift_sint8(dest_0, n)) ->
- ((!separated(a, n, a_2, n)) -> (memoverlap_0 = (-1)))))) /\
- ((addr_lt(src_0, dest_0) -> (addr_le(dest_0, shift_sint8(src_0, n)) ->
- ((!separated(a, n, a_2, n)) -> (memoverlap_0 = 1))))).
+ Have: ((separated(a, n, a_3, n) -> (memoverlap_0 = 0))) /\
+ ((addr_le(d, s) -> (addr_lt(s, shift_sint8(d, n)) ->
+ ((!separated(a, n, a_3, n)) -> (memoverlap_0 = (-1)))))) /\
+ ((addr_lt(s, d) -> (addr_le(d, shift_sint8(s, n)) ->
+ ((!separated(a, n, a_3, n)) -> (memoverlap_0 = 1))))).
(* Then *)
Have: memoverlap_0 <= 0.
(* Invariant 'no_eva' *)
- Have: forall i_1 : Z. let a_3 = shift_sint8(src_0, i_1) in ((i <= i_1) ->
- ((i_1 < n) -> (a_1[a_3] = Mchar_0[a_3]))).
+ Have: 0 <= n.
+ (* Invariant 'no_eva' *)
+ Have: (0 <= i) /\ (i <= n).
(* Invariant 'no_eva' *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_1[shift_sint8(dest_0, i_1)] = Mchar_0[shift_sint8(src_0, i_1)]))).
+ (a_1[shift_sint8(d, i_1)] = Mchar_0[shift_sint8(s, i_1)]))).
(* Invariant 'no_eva' *)
- Have: (0 <= i) /\ (i <= n).
+ Have: forall i_1 : Z. let a_4 = shift_sint8(s, i_1) in ((i <= i_1) ->
+ ((i_1 < n) -> (a_1[a_4] = Mchar_0[a_4]))).
(* Then *)
Have: i < n.
+ (* Invariant 'no_eva' *)
+ Have: x <= n.
+ (* Invariant 'no_eva' *)
+ Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < x) ->
+ (a_2[shift_sint8(d, i_1)] = Mchar_0[shift_sint8(s, i_1)]))).
+ (* Invariant 'no_eva' *)
+ Have: forall i_1 : Z. let a_4 = shift_sint8(s, i_1) in ((i_1 < n) ->
+ ((x <= i_1) -> (a_2[a_4] = Mchar_0[a_4]))).
}
-Prove: i < to_uint64(1 + i).
+Prove: i < x.
------------------------------------------------------------
@@ -827,40 +957,56 @@ Prove: true.
------------------------------------------------------------
Goal Decreasing of Loop variant at loop (file FRAMAC_SHARE/libc/string.c, line 113):
-Let a = shift_sint8(dest_0, 0).
+Let x = to_uint64(i - 1).
+Let a = shift_sint8(d, 0).
Let a_1 = havoc(Mchar_undef_0, Mchar_0, a, n).
-Let a_2 = shift_sint8(src_0, 0).
+Let a_2 = a_1[shift_sint8(d, i) <- a_1[shift_sint8(s, i)]].
+Let x_1 = to_uint64(n - 1).
+Let a_3 = shift_sint8(s, 0).
Assume {
Type: is_sint32(memoverlap_0) /\ is_uint64(i) /\ is_uint64(n).
(* Heap *)
- Type: (region(dest_0.base) <= 0) /\ (region(src_0.base) <= 0) /\
- linked(Malloc_0) /\ sconst(Mchar_0).
+ Type: (region(d.base) <= 0) /\ (region(s.base) <= 0) /\ linked(Malloc_0) /\
+ sconst(Mchar_0).
(* Pre-condition 'valid_dest' *)
- Have: P_valid_or_empty(Malloc_0, dest_0, n).
+ Have: P_valid_or_empty(Malloc_0, d, n).
(* Pre-condition 'valid_src' *)
- Have: P_valid_read_or_empty(Malloc_0, src_0, n).
+ Have: P_valid_read_or_empty(Malloc_0, s, n).
(* Else *)
Have: n != 0.
(* Call 'memoverlap' *)
- Have: ((separated(a, n, a_2, n) -> (memoverlap_0 = 0))) /\
- ((addr_le(dest_0, src_0) -> (addr_lt(src_0, shift_sint8(dest_0, n)) ->
- ((!separated(a, n, a_2, n)) -> (memoverlap_0 = (-1)))))) /\
- ((addr_lt(src_0, dest_0) -> (addr_le(dest_0, shift_sint8(src_0, n)) ->
- ((!separated(a, n, a_2, n)) -> (memoverlap_0 = 1))))).
+ Have: ((separated(a, n, a_3, n) -> (memoverlap_0 = 0))) /\
+ ((addr_le(d, s) -> (addr_lt(s, shift_sint8(d, n)) ->
+ ((!separated(a, n, a_3, n)) -> (memoverlap_0 = (-1)))))) /\
+ ((addr_lt(s, d) -> (addr_le(d, shift_sint8(s, n)) ->
+ ((!separated(a, n, a_3, n)) -> (memoverlap_0 = 1))))).
(* Else *)
Have: 0 < memoverlap_0.
(* Invariant 'no_eva' *)
- Have: forall i_1 : Z. let a_3 = shift_sint8(src_0, i_1) in ((i_1 <= i) ->
- ((0 <= i_1) -> (a_1[a_3] = Mchar_0[a_3]))).
+ Have: x_1 < n.
(* Invariant 'no_eva' *)
- Have: forall i_1 : Z. ((i < i_1) -> ((i_1 < n) ->
- (a_1[shift_sint8(dest_0, i_1)] = Mchar_0[shift_sint8(src_0, i_1)]))).
+ Have: forall i_1 : Z. ((i_1 < n) -> ((x_1 < i_1) ->
+ (Mchar_0[shift_sint8(s, i_1)] = Mchar_0[shift_sint8(d, i_1)]))).
(* Invariant 'no_eva' *)
Have: (0 <= i) /\ (i < n).
+ (* Invariant 'no_eva' *)
+ Have: forall i_1 : Z. ((i < i_1) -> ((i_1 < n) ->
+ (a_1[shift_sint8(d, i_1)] = Mchar_0[shift_sint8(s, i_1)]))).
+ (* Invariant 'no_eva' *)
+ Have: forall i_1 : Z. let a_4 = shift_sint8(s, i_1) in ((i_1 <= i) ->
+ ((0 <= i_1) -> (a_1[a_4] = Mchar_0[a_4]))).
(* Then *)
Have: 0 < i.
+ (* Invariant 'no_eva' *)
+ Have: x < n.
+ (* Invariant 'no_eva' *)
+ Have: forall i_1 : Z. ((i_1 < n) -> ((x < i_1) ->
+ (a_2[shift_sint8(d, i_1)] = Mchar_0[shift_sint8(s, i_1)]))).
+ (* Invariant 'no_eva' *)
+ Have: forall i_1 : Z. let a_4 = shift_sint8(s, i_1) in ((0 <= i_1) ->
+ ((i_1 <= x) -> (a_2[a_4] = Mchar_0[a_4]))).
}
-Prove: to_uint64(i - 1) < i.
+Prove: x < i.
------------------------------------------------------------
diff --git a/src/plugins/wp/tests/wp_plugin/region_to_coq.script b/src/plugins/wp/tests/wp_plugin/region_to_coq.script
index 975ea9f72afde75a92fee1218e0788e4e3c6c0cc..ec805f70b549129917db4df73cf1b8a5a297c2f2 100644
--- a/src/plugins/wp/tests/wp_plugin/region_to_coq.script
+++ b/src/plugins/wp/tests/wp_plugin/region_to_coq.script
@@ -18,19 +18,19 @@ Qed.
Goal typed_copy_loop_invariant_preserved.
Hint copy,preserved.
Proof.
- intros.
- assert (Hi_1: (1+i_1 <= i)%Z) by omega.
+ intros i n Li Ui Ln _ Hi Hn.
+ Require Import Lia.
+ assert (Hi_1: (1+i <= n)%Z) by lia.
unfold is_uint32, to_uint32.
unfold to_range.
- intros.
rewrite Z.add_0_l.
repeat rewrite Z.sub_0_r.
- unfold is_uint32 in H2.
- assert (Bs: (1 + i_1 = 4294967296)%Z \/ (1 + i_1 < 4294967296)%Z) by omega.
- inversion Bs.
- - rewrite <- H4.
- rewrite Z_mod_same ; omega.
- - rewrite Z.mod_small ; omega.
+ unfold is_uint32 in Hi.
+ assert (Bs: (1 + i = 4294967296)%Z \/ (1 + i < 4294967296)%Z) by lia.
+ inversion_clear Bs as [ Eq | Lower ].
+ - rewrite <- Eq.
+ rewrite Z_mod_same ; lia.
+ - rewrite Z.mod_small ; lia.
Qed.
diff --git a/src/plugins/wp/tests/wp_typed/oracle/user_init.0.res.oracle b/src/plugins/wp/tests/wp_typed/oracle/user_init.0.res.oracle
index 22ca444e6a537298516bfc57f628ad0aaa4ab32c..3a2d8b0e8f0645ba40be2de76a0807021175621c 100644
--- a/src/plugins/wp/tests/wp_typed/oracle/user_init.0.res.oracle
+++ b/src/plugins/wp/tests/wp_typed/oracle/user_init.0.res.oracle
@@ -21,13 +21,13 @@ Assume {
When: (0 <= i_1) /\ (i_1 < n) /\ is_sint32(i_1).
(* Pre-condition *)
Have: valid_rw(Malloc_0, a_1, n).
- (* Pre-condition *)
+ (* Invariant 'Range' *)
Have: 0 <= n.
+ (* Invariant 'Range' *)
+ Have: (0 <= i) /\ (i <= n).
(* Invariant 'Partial' *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
(havoc(Mint_undef_0, Mint_0, a_1, n)[shift_sint32(a, i_2)] = v))).
- (* Invariant 'Range' *)
- Have: (0 <= i) /\ (i <= n).
(* Else *)
Have: n <= i.
}
@@ -43,18 +43,20 @@ Assume {
(* Heap *)
Type: (region(a.base) <= 0) /\ linked(Malloc_0).
(* Goal *)
- When: (0 <= i_1) /\ (i_1 <= i) /\ is_sint32(i_1).
+ When: (i_1 <= i) /\ (0 <= i_1) /\ is_sint32(i_1).
(* Pre-condition *)
Have: valid_rw(Malloc_0, a_1, n).
- (* Pre-condition *)
+ (* Invariant 'Range' *)
Have: 0 <= n.
+ (* Invariant 'Range' *)
+ Have: (0 <= i) /\ (i <= n).
(* Invariant 'Partial' *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
(a_2[shift_sint32(a, i_2)] = v))).
- (* Invariant 'Range' *)
- Have: (0 <= i) /\ (i <= n).
(* Then *)
Have: i < n.
+ (* Invariant 'Range' *)
+ Have: (-1) <= i.
}
Prove: a_2[shift_sint32(a, i) <- v][shift_sint32(a, i_1)] = v.
@@ -73,13 +75,13 @@ Assume {
Type: (region(a.base) <= 0) /\ linked(Malloc_0).
(* Pre-condition *)
Have: valid_rw(Malloc_0, a_1, n).
- (* Pre-condition *)
+ (* Invariant 'Range' *)
Have: 0 <= n.
+ (* Invariant 'Range' *)
+ Have: (0 <= i) /\ (i <= n).
(* Invariant 'Partial' *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
(havoc(Mint_undef_0, Mint_0, a_1, n)[shift_sint32(a, i_1)] = v))).
- (* Invariant 'Range' *)
- Have: (0 <= i) /\ (i <= n).
(* Then *)
Have: i < n.
}
@@ -106,26 +108,31 @@ Prove: true.
Goal Loop assigns 'Zone' (3/3):
Effect at line 20
Let a_1 = shift_sint32(a, 0).
-Let a_2 = shift_sint32(a, i).
+Let a_2 = havoc(Mint_undef_0, Mint_0, a_1, n).
+Let x = i - 1.
+Let a_3 = shift_sint32(a, x).
Assume {
- Type: is_sint32(i) /\ is_sint32(n).
+ Type: is_sint32(i) /\ is_sint32(n) /\ is_sint32(x).
(* Heap *)
Type: (region(a.base) <= 0) /\ linked(Malloc_0).
(* Goal *)
- When: !invalid(Malloc_0, a_2, 1).
+ When: !invalid(Malloc_0, a_3, 1).
(* Pre-condition *)
Have: valid_rw(Malloc_0, a_1, n).
- (* Pre-condition *)
+ (* Invariant 'Range' *)
Have: 0 <= n.
- (* Invariant 'Partial' *)
- Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (havoc(Mint_undef_0, Mint_0, a_1, n)[shift_sint32(a, i_1)] = v))).
(* Invariant 'Range' *)
- Have: (0 <= i) /\ (i <= n).
+ Have: (0 < i) /\ (i <= (1 + n)).
+ (* Invariant 'Partial' *)
+ Have: forall i_1 : Z. ((0 <= i_1) -> (((2 + i_1) <= i) ->
+ (is_sint32(i_1) -> (a_2[shift_sint32(a, i_1)] = v)))).
(* Then *)
- Have: i < n.
+ Have: i <= n.
+ (* Invariant 'Partial' *)
+ Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
+ (a_2[a_3 <- v][shift_sint32(a, i_1)] = v))).
}
-Prove: included(a_2, 1, a_1, n).
+Prove: included(a_3, 1, a_1, n).
------------------------------------------------------------
@@ -153,10 +160,10 @@ Assume {
Type: is_uint32(i_1).
(* Goal *)
When: (0 <= i) /\ (i <= 9).
- (* Invariant 'Partial' *)
- Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i_1) -> (t1_0[i_2] = v))).
(* Invariant 'Range' *)
Have: (0 <= i_1) /\ (i_1 <= 10).
+ (* Invariant 'Partial' *)
+ Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i_1) -> (t1_0[i_2] = v))).
(* Else *)
Have: 10 <= i_1.
}
@@ -165,16 +172,19 @@ Prove: t1_0[i] = v.
------------------------------------------------------------
Goal Preservation of Invariant 'Partial' (file tests/wp_typed/user_init.i, line 32):
+Let x = to_uint32(1 + i).
Assume {
Type: is_uint32(i).
(* Goal *)
- When: (0 <= i_1) /\ (i_1 < to_uint32(1 + i)).
- (* Invariant 'Partial' *)
- Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) -> (t1_0[i_2] = v))).
+ When: (0 <= i_1) /\ (i_1 < x).
(* Invariant 'Range' *)
Have: (0 <= i) /\ (i <= 10).
+ (* Invariant 'Partial' *)
+ Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) -> (t1_0[i_2] = v))).
(* Then *)
Have: i <= 9.
+ (* Invariant 'Range' *)
+ Have: x <= 10.
}
Prove: t1_0[i <- v][i_1] = v.
@@ -188,10 +198,10 @@ Prove: true.
Goal Preservation of Invariant 'Range' (file tests/wp_typed/user_init.i, line 31):
Assume {
Type: is_uint32(i).
- (* Invariant 'Partial' *)
- Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) -> (t1_0[i_1] = v))).
(* Invariant 'Range' *)
Have: (0 <= i) /\ (i <= 10).
+ (* Invariant 'Partial' *)
+ Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) -> (t1_0[i_1] = v))).
(* Then *)
Have: i <= 9.
}
@@ -222,16 +232,22 @@ Prove: true.
------------------------------------------------------------
Goal Decreasing of Loop variant at loop (file tests/wp_typed/user_init.i, line 35):
+Let x = to_uint32(1 + i).
Assume {
Type: is_uint32(i).
- (* Invariant 'Partial' *)
- Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) -> (t1_0[i_1] = v))).
(* Invariant 'Range' *)
Have: (0 <= i) /\ (i <= 10).
+ (* Invariant 'Partial' *)
+ Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) -> (t1_0[i_1] = v))).
(* Then *)
Have: i <= 9.
+ (* Invariant 'Range' *)
+ Have: x <= 10.
+ (* Invariant 'Partial' *)
+ Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < x) ->
+ (t1_0[i <- v][i_1] = v))).
}
-Prove: i < to_uint32(1 + i).
+Prove: i < x.
------------------------------------------------------------
@@ -255,12 +271,12 @@ Assume {
((i_3 <= 19) ->
(shift_sint32(shift_A20_sint32(a, i_4), i_3) != a_1)))))) ->
(Mint_1[a_1] = Mint_0[a_1])).
+ (* Invariant 'Range' *)
+ Have: (0 <= i_2) /\ (i_2 <= 10).
(* Invariant 'Partial' *)
Have: forall i_4,i_3 : Z. ((0 <= i_4) -> ((i_4 < i_2) -> ((0 <= i_3) ->
((i_3 <= 19) ->
(Mint_0[shift_sint32(shift_A20_sint32(a, i_4), i_3)] = v))))).
- (* Invariant 'Range' *)
- Have: (0 <= i_2) /\ (i_2 <= 10).
(* Else *)
Have: 10 <= i_2.
}
@@ -274,6 +290,7 @@ Prove: true.
------------------------------------------------------------
Goal Preservation of Invariant 'Partial' (file tests/wp_typed/user_init.i, line 136):
+Let x = to_uint32(1 + i).
Let a = global(G_t2_52).
Let a_1 = shift_A20_sint32(a, i).
Let a_2 = shift_sint32(a_1, 0).
@@ -281,24 +298,26 @@ Let a_3 = havoc(Mint_undef_0, Mint_0, a_2, 20).
Assume {
Type: is_uint32(i) /\ is_sint32(v).
(* Goal *)
- When: (0 <= i_1) /\ (0 <= i_2) /\ (i_1 < to_uint32(1 + i)) /\ (i_2 <= 19).
+ When: (0 <= i_1) /\ (0 <= i_2) /\ (i_1 < x) /\ (i_2 <= 19).
(* Loop assigns 'lack,Zone' *)
Have: forall a_4 : addr.
((forall i_4,i_3 : Z. ((0 <= i_4) -> ((0 <= i_3) -> ((i_4 <= 9) ->
((i_3 <= 19) ->
(shift_sint32(shift_A20_sint32(a, i_4), i_3) != a_4)))))) ->
(Mint_1[a_4] = Mint_0[a_4])).
+ (* Invariant 'Range' *)
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant 'Partial' *)
Have: forall i_4,i_3 : Z. ((0 <= i_4) -> ((i_4 < i) -> ((0 <= i_3) ->
((i_3 <= 19) ->
(Mint_0[shift_sint32(shift_A20_sint32(a, i_4), i_3)] = v))))).
- (* Invariant 'Range' *)
- Have: (0 <= i) /\ (i <= 10).
(* Then *)
Have: i <= 9.
(* Call 'init' *)
Have: forall i_3 : Z. ((0 <= i_3) -> ((i_3 <= 19) ->
(a_3[shift_sint32(a_1, i_3)] = v))).
+ (* Invariant 'Range' *)
+ Have: x <= 10.
}
Prove: a_3[shift_sint32(shift_A20_sint32(a, i_1), i_2)] = Mint_undef_0[a_2].
@@ -320,12 +339,12 @@ Assume {
((i_1 <= 19) ->
(shift_sint32(shift_A20_sint32(a, i_2), i_1) != a_2)))))) ->
(Mint_0[a_2] = Mint_1[a_2])).
+ (* Invariant 'Range' *)
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant 'Partial' *)
Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 < i) -> ((0 <= i_1) ->
((i_1 <= 19) ->
(Mint_1[shift_sint32(shift_A20_sint32(a, i_2), i_1)] = v))))).
- (* Invariant 'Range' *)
- Have: (0 <= i) /\ (i <= 10).
(* Then *)
Have: i <= 9.
(* Call 'init' *)
@@ -354,8 +373,11 @@ Prove: true.
Goal Loop assigns 'lack,Zone' (2/3):
Effect at line 139
+Let x = to_uint32(1 + i_2).
Let a = global(G_t2_52).
Let a_1 = shift_A20_sint32(a, i_2).
+Let a_2 = shift_sint32(a_1, 0).
+Let a_3 = havoc(Mint_undef_0, Mint_1, a_2, 20).
Assume {
Type: is_uint32(i_2) /\ is_sint32(v).
(* Goal *)
@@ -363,23 +385,28 @@ Assume {
(0 <= i_1) /\ (i_3 <= 9) /\ (i_5 <= 9) /\ (i <= 9) /\ (i_4 <= 19) /\
(i_6 <= 19) /\ (i_1 <= 19).
(* Loop assigns 'lack,Zone' *)
- Have: forall a_2 : addr.
+ Have: forall a_4 : addr.
((forall i_8,i_7 : Z. ((0 <= i_8) -> ((0 <= i_7) -> ((i_8 <= 9) ->
((i_7 <= 19) ->
- (shift_sint32(shift_A20_sint32(a, i_8), i_7) != a_2)))))) ->
- (Mint_0[a_2] = Mint_1[a_2])).
+ (shift_sint32(shift_A20_sint32(a, i_8), i_7) != a_4)))))) ->
+ (Mint_0[a_4] = Mint_1[a_4])).
+ (* Invariant 'Range' *)
+ Have: (0 <= i_2) /\ (i_2 <= 10).
(* Invariant 'Partial' *)
Have: forall i_8,i_7 : Z. ((0 <= i_8) -> ((i_8 < i_2) -> ((0 <= i_7) ->
((i_7 <= 19) ->
(Mint_1[shift_sint32(shift_A20_sint32(a, i_8), i_7)] = v))))).
- (* Invariant 'Range' *)
- Have: (0 <= i_2) /\ (i_2 <= 10).
(* Then *)
Have: i_2 <= 9.
(* Call 'init' *)
Have: forall i_7 : Z. ((0 <= i_7) -> ((i_7 <= 19) ->
- (havoc(Mint_undef_0, Mint_1, shift_sint32(a_1, 0), 20)
- [shift_sint32(a_1, i_7)] = v))).
+ (a_3[shift_sint32(a_1, i_7)] = v))).
+ (* Invariant 'Range' *)
+ Have: x <= 10.
+ (* Invariant 'Partial' *)
+ Have: forall i_8,i_7 : Z. ((0 <= i_8) -> ((0 <= i_7) -> ((i_8 < x) ->
+ ((i_7 <= 19) ->
+ (a_3[shift_sint32(shift_A20_sint32(a, i_8), i_7)] = Mint_undef_0[a_2]))))).
}
Prove: exists i_8,i_7 : Z. (i_8 <= i) /\ (i_7 <= i_1) /\ (0 <= i_8) /\
(i <= i_8) /\ (0 <= i_7) /\ (i_1 <= i_7) /\ (i_8 <= 9) /\ (i_7 <= 19).
@@ -388,28 +415,36 @@ Prove: exists i_8,i_7 : Z. (i_8 <= i) /\ (i_7 <= i_1) /\ (0 <= i_8) /\
Goal Loop assigns 'lack,Zone' (3/3):
Call Effect at line 140
+Let x = to_uint32(1 + i).
Let a = global(G_t2_52).
Let a_1 = shift_A20_sint32(a, i).
+Let a_2 = shift_sint32(a_1, 0).
+Let a_3 = havoc(Mint_undef_0, Mint_1, a_2, 20).
Assume {
Type: is_uint32(i) /\ is_sint32(v).
(* Goal *)
When: (0 <= i) /\ (0 <= i_1) /\ (i <= 9) /\ (i_1 <= 19).
(* Loop assigns 'lack,Zone' *)
- Have: forall a_2 : addr.
+ Have: forall a_4 : addr.
((forall i_3,i_2 : Z. ((0 <= i_3) -> ((0 <= i_2) -> ((i_3 <= 9) ->
((i_2 <= 19) ->
- (shift_sint32(shift_A20_sint32(a, i_3), i_2) != a_2)))))) ->
- (Mint_0[a_2] = Mint_1[a_2])).
+ (shift_sint32(shift_A20_sint32(a, i_3), i_2) != a_4)))))) ->
+ (Mint_0[a_4] = Mint_1[a_4])).
+ (* Invariant 'Range' *)
+ Have: i <= 10.
(* Invariant 'Partial' *)
Have: forall i_3,i_2 : Z. ((0 <= i_3) -> ((i_3 < i) -> ((0 <= i_2) ->
((i_2 <= 19) ->
(Mint_1[shift_sint32(shift_A20_sint32(a, i_3), i_2)] = v))))).
- (* Invariant 'Range' *)
- Have: i <= 10.
(* Call 'init' *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 <= 19) ->
- (havoc(Mint_undef_0, Mint_1, shift_sint32(a_1, 0), 20)
- [shift_sint32(a_1, i_2)] = v))).
+ (a_3[shift_sint32(a_1, i_2)] = v))).
+ (* Invariant 'Range' *)
+ Have: x <= 10.
+ (* Invariant 'Partial' *)
+ Have: forall i_3,i_2 : Z. ((0 <= i_3) -> ((0 <= i_2) -> ((i_3 < x) ->
+ ((i_2 <= 19) ->
+ (a_3[shift_sint32(shift_A20_sint32(a, i_3), i_2)] = Mint_undef_0[a_2]))))).
}
Prove: exists i_3,i_2 : Z. (i_3 <= i) /\ (i_2 <= i_1) /\ (0 <= i_3) /\
(i <= i_3) /\ (0 <= i_2) /\ (i_1 <= i_2) /\ (i_3 <= 9) /\ (i_2 <= 19).
@@ -483,30 +518,38 @@ Prove: exists i_5,i_4 : Z. (i_5 <= i) /\ (i_4 <= i_1) /\ (0 <= i_5) /\
------------------------------------------------------------
Goal Decreasing of Loop variant at loop (file tests/wp_typed/user_init.i, line 139):
+Let x = to_uint32(1 + i).
Let a = global(G_t2_52).
Let a_1 = shift_A20_sint32(a, i).
+Let a_2 = shift_sint32(a_1, 0).
+Let a_3 = havoc(Mint_undef_0, Mint_1, a_2, 20).
Assume {
Type: is_uint32(i) /\ is_sint32(v).
(* Loop assigns 'lack,Zone' *)
- Have: forall a_2 : addr.
+ Have: forall a_4 : addr.
((forall i_2,i_1 : Z. ((0 <= i_2) -> ((0 <= i_1) -> ((i_2 <= 9) ->
((i_1 <= 19) ->
- (shift_sint32(shift_A20_sint32(a, i_2), i_1) != a_2)))))) ->
- (Mint_0[a_2] = Mint_1[a_2])).
+ (shift_sint32(shift_A20_sint32(a, i_2), i_1) != a_4)))))) ->
+ (Mint_0[a_4] = Mint_1[a_4])).
+ (* Invariant 'Range' *)
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant 'Partial' *)
Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 < i) -> ((0 <= i_1) ->
((i_1 <= 19) ->
(Mint_1[shift_sint32(shift_A20_sint32(a, i_2), i_1)] = v))))).
- (* Invariant 'Range' *)
- Have: (0 <= i) /\ (i <= 10).
(* Then *)
Have: i <= 9.
(* Call 'init' *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 <= 19) ->
- (havoc(Mint_undef_0, Mint_1, shift_sint32(a_1, 0), 20)
- [shift_sint32(a_1, i_1)] = v))).
+ (a_3[shift_sint32(a_1, i_1)] = v))).
+ (* Invariant 'Range' *)
+ Have: x <= 10.
+ (* Invariant 'Partial' *)
+ Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((0 <= i_1) -> ((i_2 < x) ->
+ ((i_1 <= 19) ->
+ (a_3[shift_sint32(shift_A20_sint32(a, i_2), i_1)] = Mint_undef_0[a_2]))))).
}
-Prove: i < to_uint32(1 + i).
+Prove: i < x.
------------------------------------------------------------
@@ -541,12 +584,12 @@ Assume {
((forall i_4,i_3 : Z. ((0 <= i_4) -> ((i_4 <= 9) ->
(shift_sint32(shift_A20_sint32(a, i_4), i_3) != a_1)))) ->
(Mint_1[a_1] = Mint_0[a_1])).
+ (* Invariant 'Range' *)
+ Have: (0 <= i_2) /\ (i_2 <= 10).
(* Invariant 'Partial' *)
Have: forall i_4,i_3 : Z. ((0 <= i_4) -> ((i_4 < i_2) -> ((0 <= i_3) ->
((i_3 <= 19) ->
(Mint_0[shift_sint32(shift_A20_sint32(a, i_4), i_3)] = v))))).
- (* Invariant 'Range' *)
- Have: (0 <= i_2) /\ (i_2 <= 10).
(* Else *)
Have: 10 <= i_2.
}
@@ -560,6 +603,7 @@ Prove: true.
------------------------------------------------------------
Goal Preservation of Invariant 'Partial' (file tests/wp_typed/user_init.i, line 154):
+Let x = to_uint32(1 + i).
Let a = global(G_t2_52).
Let a_1 = shift_A20_sint32(a, i).
Let a_2 = shift_sint32(a_1, 0).
@@ -567,23 +611,25 @@ Let a_3 = havoc(Mint_undef_0, Mint_0, a_2, 20).
Assume {
Type: is_uint32(i) /\ is_sint32(v).
(* Goal *)
- When: (0 <= i_1) /\ (0 <= i_2) /\ (i_1 < to_uint32(1 + i)) /\ (i_2 <= 19).
+ When: (0 <= i_1) /\ (0 <= i_2) /\ (i_1 < x) /\ (i_2 <= 19).
(* Loop assigns 'tactic,Zone' *)
Have: forall a_4 : addr.
((forall i_4,i_3 : Z. ((0 <= i_4) -> ((i_4 <= 9) ->
(shift_sint32(shift_A20_sint32(a, i_4), i_3) != a_4)))) ->
(Mint_1[a_4] = Mint_0[a_4])).
+ (* Invariant 'Range' *)
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant 'Partial' *)
Have: forall i_4,i_3 : Z. ((0 <= i_4) -> ((i_4 < i) -> ((0 <= i_3) ->
((i_3 <= 19) ->
(Mint_0[shift_sint32(shift_A20_sint32(a, i_4), i_3)] = v))))).
- (* Invariant 'Range' *)
- Have: (0 <= i) /\ (i <= 10).
(* Then *)
Have: i <= 9.
(* Call 'init' *)
Have: forall i_3 : Z. ((0 <= i_3) -> ((i_3 <= 19) ->
(a_3[shift_sint32(a_1, i_3)] = v))).
+ (* Invariant 'Range' *)
+ Have: x <= 10.
}
Prove: a_3[shift_sint32(shift_A20_sint32(a, i_1), i_2)] = Mint_undef_0[a_2].
@@ -604,12 +650,12 @@ Assume {
((forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 <= 9) ->
(shift_sint32(shift_A20_sint32(a, i_2), i_1) != a_2)))) ->
(Mint_0[a_2] = Mint_1[a_2])).
+ (* Invariant 'Range' *)
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant 'Partial' *)
Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 < i) -> ((0 <= i_1) ->
((i_1 <= 19) ->
(Mint_1[shift_sint32(shift_A20_sint32(a, i_2), i_1)] = v))))).
- (* Invariant 'Range' *)
- Have: (0 <= i) /\ (i <= 10).
(* Then *)
Have: i <= 9.
(* Call 'init' *)
@@ -638,30 +684,38 @@ Prove: true.
Goal Loop assigns 'tactic,Zone' (2/3):
Effect at line 157
+Let x = to_uint32(1 + i_2).
Let a = global(G_t2_52).
Let a_1 = shift_A20_sint32(a, i_2).
+Let a_2 = shift_sint32(a_1, 0).
+Let a_3 = havoc(Mint_undef_0, Mint_1, a_2, 20).
Assume {
Type: is_uint32(i_2) /\ is_sint32(v).
(* Goal *)
When: (0 <= i_3) /\ (0 <= i_4) /\ (0 <= i_5) /\ (0 <= i) /\ (i_3 <= 9) /\
(i_5 <= 9) /\ (i <= 9) /\ (i_4 <= 19).
(* Loop assigns 'tactic,Zone' *)
- Have: forall a_2 : addr.
+ Have: forall a_4 : addr.
((forall i_7,i_6 : Z. ((0 <= i_7) -> ((i_7 <= 9) ->
- (shift_sint32(shift_A20_sint32(a, i_7), i_6) != a_2)))) ->
- (Mint_0[a_2] = Mint_1[a_2])).
+ (shift_sint32(shift_A20_sint32(a, i_7), i_6) != a_4)))) ->
+ (Mint_0[a_4] = Mint_1[a_4])).
+ (* Invariant 'Range' *)
+ Have: (0 <= i_2) /\ (i_2 <= 10).
(* Invariant 'Partial' *)
Have: forall i_7,i_6 : Z. ((0 <= i_7) -> ((i_7 < i_2) -> ((0 <= i_6) ->
((i_6 <= 19) ->
(Mint_1[shift_sint32(shift_A20_sint32(a, i_7), i_6)] = v))))).
- (* Invariant 'Range' *)
- Have: (0 <= i_2) /\ (i_2 <= 10).
(* Then *)
Have: i_2 <= 9.
(* Call 'init' *)
Have: forall i_6 : Z. ((0 <= i_6) -> ((i_6 <= 19) ->
- (havoc(Mint_undef_0, Mint_1, shift_sint32(a_1, 0), 20)
- [shift_sint32(a_1, i_6)] = v))).
+ (a_3[shift_sint32(a_1, i_6)] = v))).
+ (* Invariant 'Range' *)
+ Have: x <= 10.
+ (* Invariant 'Partial' *)
+ Have: forall i_7,i_6 : Z. ((0 <= i_7) -> ((0 <= i_6) -> ((i_7 < x) ->
+ ((i_6 <= 19) ->
+ (a_3[shift_sint32(shift_A20_sint32(a, i_7), i_6)] = Mint_undef_0[a_2]))))).
}
Prove: exists i_7,i_6 : Z. (i_7 <= i) /\ (i_6 <= i_1) /\ (0 <= i_7) /\
(i <= i_7) /\ (i_1 <= i_6) /\ (i_7 <= 9).
@@ -670,27 +724,35 @@ Prove: exists i_7,i_6 : Z. (i_7 <= i) /\ (i_6 <= i_1) /\ (0 <= i_7) /\
Goal Loop assigns 'tactic,Zone' (3/3):
Call Effect at line 158
+Let x = to_uint32(1 + i).
Let a = global(G_t2_52).
Let a_1 = shift_A20_sint32(a, i).
+Let a_2 = shift_sint32(a_1, 0).
+Let a_3 = havoc(Mint_undef_0, Mint_1, a_2, 20).
Assume {
Type: is_uint32(i) /\ is_sint32(v).
(* Goal *)
When: (0 <= i) /\ (0 <= i_1) /\ (i <= 9) /\ (i_1 <= 19).
(* Loop assigns 'tactic,Zone' *)
- Have: forall a_2 : addr.
+ Have: forall a_4 : addr.
((forall i_3,i_2 : Z. ((0 <= i_3) -> ((i_3 <= 9) ->
- (shift_sint32(shift_A20_sint32(a, i_3), i_2) != a_2)))) ->
- (Mint_0[a_2] = Mint_1[a_2])).
+ (shift_sint32(shift_A20_sint32(a, i_3), i_2) != a_4)))) ->
+ (Mint_0[a_4] = Mint_1[a_4])).
+ (* Invariant 'Range' *)
+ Have: i <= 10.
(* Invariant 'Partial' *)
Have: forall i_3,i_2 : Z. ((0 <= i_3) -> ((i_3 < i) -> ((0 <= i_2) ->
((i_2 <= 19) ->
(Mint_1[shift_sint32(shift_A20_sint32(a, i_3), i_2)] = v))))).
- (* Invariant 'Range' *)
- Have: i <= 10.
(* Call 'init' *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 <= 19) ->
- (havoc(Mint_undef_0, Mint_1, shift_sint32(a_1, 0), 20)
- [shift_sint32(a_1, i_2)] = v))).
+ (a_3[shift_sint32(a_1, i_2)] = v))).
+ (* Invariant 'Range' *)
+ Have: x <= 10.
+ (* Invariant 'Partial' *)
+ Have: forall i_3,i_2 : Z. ((0 <= i_3) -> ((0 <= i_2) -> ((i_3 < x) ->
+ ((i_2 <= 19) ->
+ (a_3[shift_sint32(shift_A20_sint32(a, i_3), i_2)] = Mint_undef_0[a_2]))))).
}
Prove: exists i_3,i_2 : Z. (i_3 <= i) /\ (i_2 <= i_1) /\ (0 <= i_3) /\
(i <= i_3) /\ (i_1 <= i_2) /\ (i_3 <= 9).
@@ -758,29 +820,37 @@ Prove: exists i_5,i_4 : Z. (i_5 <= i) /\ (i_4 <= i_1) /\ (0 <= i_5) /\
------------------------------------------------------------
Goal Decreasing of Loop variant at loop (file tests/wp_typed/user_init.i, line 157):
+Let x = to_uint32(1 + i).
Let a = global(G_t2_52).
Let a_1 = shift_A20_sint32(a, i).
+Let a_2 = shift_sint32(a_1, 0).
+Let a_3 = havoc(Mint_undef_0, Mint_1, a_2, 20).
Assume {
Type: is_uint32(i) /\ is_sint32(v).
(* Loop assigns 'tactic,Zone' *)
- Have: forall a_2 : addr.
+ Have: forall a_4 : addr.
((forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 <= 9) ->
- (shift_sint32(shift_A20_sint32(a, i_2), i_1) != a_2)))) ->
- (Mint_0[a_2] = Mint_1[a_2])).
+ (shift_sint32(shift_A20_sint32(a, i_2), i_1) != a_4)))) ->
+ (Mint_0[a_4] = Mint_1[a_4])).
+ (* Invariant 'Range' *)
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant 'Partial' *)
Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 < i) -> ((0 <= i_1) ->
((i_1 <= 19) ->
(Mint_1[shift_sint32(shift_A20_sint32(a, i_2), i_1)] = v))))).
- (* Invariant 'Range' *)
- Have: (0 <= i) /\ (i <= 10).
(* Then *)
Have: i <= 9.
(* Call 'init' *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 <= 19) ->
- (havoc(Mint_undef_0, Mint_1, shift_sint32(a_1, 0), 20)
- [shift_sint32(a_1, i_1)] = v))).
+ (a_3[shift_sint32(a_1, i_1)] = v))).
+ (* Invariant 'Range' *)
+ Have: x <= 10.
+ (* Invariant 'Partial' *)
+ Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((0 <= i_1) -> ((i_2 < x) ->
+ ((i_1 <= 19) ->
+ (a_3[shift_sint32(shift_A20_sint32(a, i_2), i_1)] = Mint_undef_0[a_2]))))).
}
-Prove: i < to_uint32(1 + i).
+Prove: i < x.
------------------------------------------------------------
@@ -824,23 +894,24 @@ Prove: t2_0[i][i_1] = v.
------------------------------------------------------------
Goal Preservation of Invariant 'Partial_i' (file tests/wp_typed/user_init.i, line 48):
+Let x = to_uint32(1 + i).
Let m = t2_0[i].
Assume {
Type: is_uint32(i).
(* Heap *)
Type: IsArray_d2_sint32(t2_1).
(* Goal *)
- When: (0 <= i_1) /\ (0 <= i_2) /\ (i_1 < to_uint32(1 + i)) /\ (i_2 <= 19).
+ When: (0 <= i_1) /\ (0 <= i_2) /\ (i_1 < x) /\ (i_2 <= 19).
(* Loop assigns 'lack,Zone_i' *)
Have: forall i_4,i_3 : Z. ((0 <= i_4) -> ((0 <= i_3) -> ((i_4 <= 9) ->
((i_3 <= 19) ->
(((i_4 < 0) \/ (i_3 < 0) \/ (10 <= i_4) \/ (20 <= i_3)) ->
(t2_1[i_4][i_3] = t2_2[i_4][i_3])))))).
+ (* Invariant 'Range_i' *)
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant 'Partial_i' *)
Have: forall i_4,i_3 : Z. ((0 <= i_4) -> ((i_4 < i) -> ((0 <= i_3) ->
((i_3 <= 19) -> (t2_2[i_4][i_3] = v))))).
- (* Invariant 'Range_i' *)
- Have: (0 <= i) /\ (i <= 10).
(* Then *)
Have: i <= 9.
(* Loop assigns 'lack,Zone_j' *)
@@ -848,11 +919,13 @@ Assume {
((i_3 <= 19) ->
(((i_4 < 0) \/ (i_3 < 0) \/ (10 <= i_4) \/ (20 <= i_3)) ->
(t2_2[i_4][i_3] = t2_0[i_4][i_3])))))).
+ (* Invariant 'Partial_j' *)
+ Have: forall i_3 : Z. ((0 <= i_3) -> ((i_3 <= 19) -> (m[i_3] = v))).
(* Invariant 'Previous_i' *)
Have: forall i_4,i_3 : Z. ((0 <= i_4) -> ((i_4 < i) -> ((0 <= i_3) ->
((i_3 <= 19) -> (t2_2[i_4][i_3] = t2_0[i_4][i_3]))))).
- (* Invariant 'Partial_j' *)
- Have: forall i_3 : Z. ((0 <= i_3) -> ((i_3 <= 19) -> (m[i_3] = v))).
+ (* Invariant 'Range_i' *)
+ Have: x <= 10.
}
Prove: m[0] = t2_0[i_1][i_2].
@@ -873,11 +946,11 @@ Assume {
((i_1 <= 19) ->
(((i_2 < 0) \/ (i_1 < 0) \/ (10 <= i_2) \/ (20 <= i_1)) ->
(t2_0[i_2][i_1] = t2_1[i_2][i_1])))))).
+ (* Invariant 'Range_i' *)
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant 'Partial_i' *)
Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 < i) -> ((0 <= i_1) ->
((i_1 <= 19) -> (t2_1[i_2][i_1] = v))))).
- (* Invariant 'Range_i' *)
- Have: (0 <= i) /\ (i <= 10).
(* Then *)
Have: i <= 9.
(* Loop assigns 'lack,Zone_j' *)
@@ -885,11 +958,11 @@ Assume {
((i_1 <= 19) ->
(((i_2 < 0) \/ (i_1 < 0) \/ (10 <= i_2) \/ (20 <= i_1)) ->
(t2_2[i_2][i_1] = t2_1[i_2][i_1])))))).
+ (* Invariant 'Partial_j' *)
+ Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 <= 19) -> (t2_2[i][i_1] = v))).
(* Invariant 'Previous_i' *)
Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 < i) -> ((0 <= i_1) ->
((i_1 <= 19) -> (t2_2[i_2][i_1] = t2_1[i_2][i_1]))))).
- (* Invariant 'Partial_j' *)
- Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 <= 19) -> (t2_2[i][i_1] = v))).
}
Prove: to_uint32(1 + i) <= 10.
@@ -901,23 +974,24 @@ Prove: true.
------------------------------------------------------------
Goal Preservation of Invariant 'Partial_j' (file tests/wp_typed/user_init.i, line 54):
+Let x = to_uint32(1 + j).
Let m = t2_0[i].
Assume {
Type: is_uint32(i) /\ is_uint32(j).
(* Heap *)
Type: IsArray_d2_sint32(t2_1).
(* Goal *)
- When: (0 <= i_1) /\ (i_1 < to_uint32(1 + j)).
+ When: (0 <= i_1) /\ (i_1 < x).
(* Loop assigns 'lack,Zone_i' *)
Have: forall i_3,i_2 : Z. ((0 <= i_3) -> ((0 <= i_2) -> ((i_3 <= 9) ->
((i_2 <= 19) ->
(((i_3 < 0) \/ (i_2 < 0) \/ (10 <= i_3) \/ (20 <= i_2)) ->
(t2_1[i_3][i_2] = t2_2[i_3][i_2])))))).
+ (* Invariant 'Range_i' *)
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant 'Partial_i' *)
Have: forall i_3,i_2 : Z. ((0 <= i_3) -> ((i_3 < i) -> ((0 <= i_2) ->
((i_2 <= 19) -> (t2_2[i_3][i_2] = v))))).
- (* Invariant 'Range_i' *)
- Have: (0 <= i) /\ (i <= 10).
(* Then *)
Have: i <= 9.
(* Loop assigns 'lack,Zone_j' *)
@@ -925,15 +999,17 @@ Assume {
((i_2 <= 19) ->
(((i_3 < 0) \/ (i_2 < 0) \/ (10 <= i_3) \/ (20 <= i_2)) ->
(t2_0[i_3][i_2] = t2_2[i_3][i_2])))))).
+ (* Invariant 'Range_j' *)
+ Have: (0 <= j) /\ (j <= 20).
+ (* Invariant 'Partial_j' *)
+ Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < j) -> (m[i_2] = v))).
(* Invariant 'Previous_i' *)
Have: forall i_3,i_2 : Z. ((0 <= i_3) -> ((i_3 < i) -> ((0 <= i_2) ->
((i_2 <= 19) -> (t2_0[i_3][i_2] = t2_2[i_3][i_2]))))).
- (* Invariant 'Partial_j' *)
- Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < j) -> (m[i_2] = v))).
- (* Invariant 'Range_j' *)
- Have: (0 <= j) /\ (j <= 20).
(* Then *)
Have: j <= 19.
+ (* Invariant 'Range_j' *)
+ Have: x <= 20.
}
Prove: m[j <- v][i_1] = v.
@@ -945,7 +1021,9 @@ Prove: true.
------------------------------------------------------------
Goal Preservation of Invariant 'Previous_i' (file tests/wp_typed/user_init.i, line 55):
+Let x = to_uint32(1 + j).
Let m = t2_0[i].
+Let m_1 = m[j <- v].
Assume {
Type: is_uint32(i) /\ is_uint32(j).
(* Heap *)
@@ -957,11 +1035,11 @@ Assume {
((i_3 <= 19) ->
(((i_4 < 0) \/ (i_3 < 0) \/ (10 <= i_4) \/ (20 <= i_3)) ->
(t2_2[i_4][i_3] = t2_1[i_4][i_3])))))).
+ (* Invariant 'Range_i' *)
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant 'Partial_i' *)
Have: forall i_4,i_3 : Z. ((0 <= i_4) -> ((i_4 < i) -> ((0 <= i_3) ->
((i_3 <= 19) -> (t2_1[i_4][i_3] = v))))).
- (* Invariant 'Range_i' *)
- Have: (0 <= i) /\ (i <= 10).
(* Then *)
Have: i <= 9.
(* Loop assigns 'lack,Zone_j' *)
@@ -969,17 +1047,21 @@ Assume {
((i_3 <= 19) ->
(((i_4 < 0) \/ (i_3 < 0) \/ (10 <= i_4) \/ (20 <= i_3)) ->
(t2_0[i_4][i_3] = t2_1[i_4][i_3])))))).
+ (* Invariant 'Range_j' *)
+ Have: (0 <= j) /\ (j <= 20).
+ (* Invariant 'Partial_j' *)
+ Have: forall i_3 : Z. ((0 <= i_3) -> ((i_3 < j) -> (m[i_3] = v))).
(* Invariant 'Previous_i' *)
Have: forall i_4,i_3 : Z. ((0 <= i_4) -> ((i_4 < i) -> ((0 <= i_3) ->
((i_3 <= 19) -> (t2_0[i_4][i_3] = t2_1[i_4][i_3]))))).
- (* Invariant 'Partial_j' *)
- Have: forall i_3 : Z. ((0 <= i_3) -> ((i_3 < j) -> (m[i_3] = v))).
- (* Invariant 'Range_j' *)
- Have: (0 <= j) /\ (j <= 20).
(* Then *)
Have: j <= 19.
+ (* Invariant 'Range_j' *)
+ Have: x <= 20.
+ (* Invariant 'Partial_j' *)
+ Have: forall i_3 : Z. ((0 <= i_3) -> ((i_3 < x) -> (m_1[i_3] = v))).
}
-Prove: t2_0[i <- m[j <- v]][i_1][i_2] = t2_1[i_1][i_2].
+Prove: t2_0[i <- m_1][i_1][i_2] = t2_1[i_1][i_2].
------------------------------------------------------------
@@ -998,11 +1080,11 @@ Assume {
((i_1 <= 19) ->
(((i_2 < 0) \/ (i_1 < 0) \/ (10 <= i_2) \/ (20 <= i_1)) ->
(t2_0[i_2][i_1] = t2_1[i_2][i_1])))))).
+ (* Invariant 'Range_i' *)
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant 'Partial_i' *)
Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 < i) -> ((0 <= i_1) ->
((i_1 <= 19) -> (t2_1[i_2][i_1] = v))))).
- (* Invariant 'Range_i' *)
- Have: (0 <= i) /\ (i <= 10).
(* Then *)
Have: i <= 9.
(* Loop assigns 'lack,Zone_j' *)
@@ -1010,13 +1092,13 @@ Assume {
((i_1 <= 19) ->
(((i_2 < 0) \/ (i_1 < 0) \/ (10 <= i_2) \/ (20 <= i_1)) ->
(t2_2[i_2][i_1] = t2_1[i_2][i_1])))))).
+ (* Invariant 'Range_j' *)
+ Have: (0 <= j) /\ (j <= 20).
+ (* Invariant 'Partial_j' *)
+ Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < j) -> (t2_2[i][i_1] = v))).
(* Invariant 'Previous_i' *)
Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 < i) -> ((0 <= i_1) ->
((i_1 <= 19) -> (t2_2[i_2][i_1] = t2_1[i_2][i_1]))))).
- (* Invariant 'Partial_j' *)
- Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < j) -> (t2_2[i][i_1] = v))).
- (* Invariant 'Range_j' *)
- Have: (0 <= j) /\ (j <= 20).
(* Then *)
Have: j <= 19.
}
@@ -1046,6 +1128,8 @@ Prove: true.
Goal Loop assigns 'lack,Zone_i' (2/3):
Effect at line 51
+Let x = to_uint32(1 + i_2).
+Let m = t2_2[i_2].
Assume {
Type: is_uint32(i_2).
(* Heap *)
@@ -1059,24 +1143,28 @@ Assume {
((i_7 <= 19) ->
(((i_8 < 0) \/ (i_7 < 0) \/ (10 <= i_8) \/ (20 <= i_7)) ->
(t2_0[i_8][i_7] = t2_1[i_8][i_7])))))).
+ (* Invariant 'Range_i' *)
+ Have: (0 <= i_2) /\ (i_2 <= 10).
(* Invariant 'Partial_i' *)
Have: forall i_8,i_7 : Z. ((0 <= i_8) -> ((i_8 < i_2) -> ((0 <= i_7) ->
((i_7 <= 19) -> (t2_1[i_8][i_7] = v))))).
- (* Invariant 'Range_i' *)
- Have: (0 <= i_2) /\ (i_2 <= 10).
(* Then *)
Have: i_2 <= 9.
(* Loop assigns 'lack,Zone_j' *)
Have: forall i_8,i_7 : Z. ((0 <= i_8) -> ((0 <= i_7) -> ((i_8 <= 9) ->
((i_7 <= 19) ->
(((i_8 < 0) \/ (i_7 < 0) \/ (10 <= i_8) \/ (20 <= i_7)) ->
- (t2_2[i_8][i_7] = t2_1[i_8][i_7])))))).
+ (t2_1[i_8][i_7] = t2_2[i_8][i_7])))))).
+ (* Invariant 'Partial_j' *)
+ Have: forall i_7 : Z. ((0 <= i_7) -> ((i_7 <= 19) -> (m[i_7] = v))).
(* Invariant 'Previous_i' *)
Have: forall i_8,i_7 : Z. ((0 <= i_8) -> ((i_8 < i_2) -> ((0 <= i_7) ->
- ((i_7 <= 19) -> (t2_2[i_8][i_7] = t2_1[i_8][i_7]))))).
- (* Invariant 'Partial_j' *)
- Have: forall i_7 : Z. ((0 <= i_7) -> ((i_7 <= 19) ->
- (t2_2[i_2][i_7] = v))).
+ ((i_7 <= 19) -> (t2_1[i_8][i_7] = t2_2[i_8][i_7]))))).
+ (* Invariant 'Range_i' *)
+ Have: x <= 10.
+ (* Invariant 'Partial_i' *)
+ Have: forall i_8,i_7 : Z. ((0 <= i_8) -> ((0 <= i_7) -> ((i_8 < x) ->
+ ((i_7 <= 19) -> (t2_2[i_8][i_7] = m[0]))))).
}
Prove: exists i_8,i_7 : Z. (i_8 <= i) /\ (i_7 <= i_1) /\ (0 <= i_8) /\
(i <= i_8) /\ (0 <= i_7) /\ (i_1 <= i_7) /\ (i_8 <= 9) /\ (i_7 <= 19).
@@ -1085,6 +1173,8 @@ Prove: exists i_8,i_7 : Z. (i_8 <= i) /\ (i_7 <= i_1) /\ (0 <= i_8) /\
Goal Loop assigns 'lack,Zone_i' (3/3):
Effect at line 58
+Let x = to_uint32(1 + i_2).
+Let m = t2_2[i_2].
Assume {
Type: is_uint32(i_2).
(* Heap *)
@@ -1098,24 +1188,28 @@ Assume {
((i_7 <= 19) ->
(((i_8 < 0) \/ (i_7 < 0) \/ (10 <= i_8) \/ (20 <= i_7)) ->
(t2_0[i_8][i_7] = t2_1[i_8][i_7])))))).
+ (* Invariant 'Range_i' *)
+ Have: (0 <= i_2) /\ (i_2 <= 10).
(* Invariant 'Partial_i' *)
Have: forall i_8,i_7 : Z. ((0 <= i_8) -> ((i_8 < i_2) -> ((0 <= i_7) ->
((i_7 <= 19) -> (t2_1[i_8][i_7] = v))))).
- (* Invariant 'Range_i' *)
- Have: (0 <= i_2) /\ (i_2 <= 10).
(* Then *)
Have: i_2 <= 9.
(* Loop assigns 'lack,Zone_j' *)
Have: forall i_8,i_7 : Z. ((0 <= i_8) -> ((0 <= i_7) -> ((i_8 <= 9) ->
((i_7 <= 19) ->
(((i_8 < 0) \/ (i_7 < 0) \/ (10 <= i_8) \/ (20 <= i_7)) ->
- (t2_2[i_8][i_7] = t2_1[i_8][i_7])))))).
+ (t2_1[i_8][i_7] = t2_2[i_8][i_7])))))).
+ (* Invariant 'Partial_j' *)
+ Have: forall i_7 : Z. ((0 <= i_7) -> ((i_7 <= 19) -> (m[i_7] = v))).
(* Invariant 'Previous_i' *)
Have: forall i_8,i_7 : Z. ((0 <= i_8) -> ((i_8 < i_2) -> ((0 <= i_7) ->
- ((i_7 <= 19) -> (t2_2[i_8][i_7] = t2_1[i_8][i_7]))))).
- (* Invariant 'Partial_j' *)
- Have: forall i_7 : Z. ((0 <= i_7) -> ((i_7 <= 19) ->
- (t2_2[i_2][i_7] = v))).
+ ((i_7 <= 19) -> (t2_1[i_8][i_7] = t2_2[i_8][i_7]))))).
+ (* Invariant 'Range_i' *)
+ Have: x <= 10.
+ (* Invariant 'Partial_i' *)
+ Have: forall i_8,i_7 : Z. ((0 <= i_8) -> ((0 <= i_7) -> ((i_8 < x) ->
+ ((i_7 <= 19) -> (t2_2[i_8][i_7] = m[0]))))).
}
Prove: exists i_8,i_7 : Z. (i_8 <= i) /\ (i_7 <= i_1) /\ (0 <= i_8) /\
(i <= i_8) /\ (0 <= i_7) /\ (i_1 <= i_7) /\ (i_8 <= 9) /\ (i_7 <= 19).
@@ -1129,6 +1223,9 @@ Prove: true.
Goal Loop assigns 'lack,Zone_j' (2/3):
Effect at line 58
+Let m = t2_2[i_2].
+Let m_1 = m[j <- v].
+Let x = to_uint32(1 + j).
Assume {
Type: is_uint32(i_2) /\ is_uint32(j).
(* Heap *)
@@ -1142,11 +1239,11 @@ Assume {
((i_7 <= 19) ->
(((i_8 < 0) \/ (i_7 < 0) \/ (10 <= i_8) \/ (20 <= i_7)) ->
(t2_0[i_8][i_7] = t2_1[i_8][i_7])))))).
+ (* Invariant 'Range_i' *)
+ Have: (0 <= i_2) /\ (i_2 <= 10).
(* Invariant 'Partial_i' *)
Have: forall i_8,i_7 : Z. ((0 <= i_8) -> ((i_8 < i_2) -> ((0 <= i_7) ->
((i_7 <= 19) -> (t2_1[i_8][i_7] = v))))).
- (* Invariant 'Range_i' *)
- Have: (0 <= i_2) /\ (i_2 <= 10).
(* Then *)
Have: i_2 <= 9.
(* Loop assigns 'lack,Zone_j' *)
@@ -1154,15 +1251,22 @@ Assume {
((i_7 <= 19) ->
(((i_8 < 0) \/ (i_7 < 0) \/ (10 <= i_8) \/ (20 <= i_7)) ->
(t2_2[i_8][i_7] = t2_1[i_8][i_7])))))).
+ (* Invariant 'Range_j' *)
+ Have: (0 <= j) /\ (j <= 20).
+ (* Invariant 'Partial_j' *)
+ Have: forall i_7 : Z. ((0 <= i_7) -> ((i_7 < j) -> (m[i_7] = v))).
(* Invariant 'Previous_i' *)
Have: forall i_8,i_7 : Z. ((0 <= i_8) -> ((i_8 < i_2) -> ((0 <= i_7) ->
((i_7 <= 19) -> (t2_2[i_8][i_7] = t2_1[i_8][i_7]))))).
- (* Invariant 'Partial_j' *)
- Have: forall i_7 : Z. ((0 <= i_7) -> ((i_7 < j) -> (t2_2[i_2][i_7] = v))).
- (* Invariant 'Range_j' *)
- Have: (0 <= j) /\ (j <= 20).
(* Then *)
Have: j <= 19.
+ (* Invariant 'Range_j' *)
+ Have: x <= 20.
+ (* Invariant 'Partial_j' *)
+ Have: forall i_7 : Z. ((0 <= i_7) -> ((i_7 < x) -> (m_1[i_7] = v))).
+ (* Invariant 'Previous_i' *)
+ Have: forall i_8,i_7 : Z. ((0 <= i_8) -> ((i_8 < i_2) -> ((0 <= i_7) ->
+ ((i_7 <= 19) -> (t2_2[i_2 <- m_1][i_8][i_7] = t2_1[i_8][i_7]))))).
}
Prove: exists i_8,i_7 : Z. (i_8 <= i) /\ (i_7 <= i_1) /\ (0 <= i_8) /\
(i <= i_8) /\ (0 <= i_7) /\ (i_1 <= i_7) /\ (i_8 <= 9) /\ (i_7 <= 19).
@@ -1171,6 +1275,9 @@ Prove: exists i_8,i_7 : Z. (i_8 <= i) /\ (i_7 <= i_1) /\ (0 <= i_8) /\
Goal Loop assigns 'lack,Zone_j' (3/3):
Effect at line 59
+Let m = t2_2[i].
+Let m_1 = m[j <- v].
+Let x = to_uint32(1 + j).
Assume {
Type: is_uint32(i) /\ is_uint32(j).
(* Heap *)
@@ -1182,23 +1289,30 @@ Assume {
((i_1 <= 19) ->
(((i_2 < 0) \/ (i_1 < 0) \/ (10 <= i_2) \/ (20 <= i_1)) ->
(t2_0[i_2][i_1] = t2_1[i_2][i_1])))))).
+ (* Invariant 'Range_i' *)
+ Have: i <= 10.
(* Invariant 'Partial_i' *)
Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 < i) -> ((0 <= i_1) ->
((i_1 <= 19) -> (t2_1[i_2][i_1] = v))))).
- (* Invariant 'Range_i' *)
- Have: i <= 10.
(* Loop assigns 'lack,Zone_j' *)
Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((0 <= i_1) -> ((i_2 <= 9) ->
((i_1 <= 19) ->
(((i_2 < 0) \/ (i_1 < 0) \/ (10 <= i_2) \/ (20 <= i_1)) ->
(t2_2[i_2][i_1] = t2_1[i_2][i_1])))))).
+ (* Invariant 'Range_j' *)
+ Have: j <= 20.
+ (* Invariant 'Partial_j' *)
+ Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < j) -> (m[i_1] = v))).
(* Invariant 'Previous_i' *)
Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 < i) -> ((0 <= i_1) ->
((i_1 <= 19) -> (t2_2[i_2][i_1] = t2_1[i_2][i_1]))))).
- (* Invariant 'Partial_j' *)
- Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < j) -> (t2_2[i][i_1] = v))).
(* Invariant 'Range_j' *)
- Have: j <= 20.
+ Have: x <= 20.
+ (* Invariant 'Partial_j' *)
+ Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < x) -> (m_1[i_1] = v))).
+ (* Invariant 'Previous_i' *)
+ Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 < i) -> ((0 <= i_1) ->
+ ((i_1 <= 19) -> (t2_2[i <- m_1][i_2][i_1] = t2_1[i_2][i_1]))))).
}
Prove: exists i_2,i_1 : Z. (i_2 <= i) /\ (0 <= i_2) /\ (i <= i_2) /\
(0 <= i_1) /\ (j <= i_1) /\ (i_1 <= j) /\ (i_2 <= 9) /\ (i_1 <= 19).
@@ -1236,6 +1350,8 @@ Prove: exists i_5,i_4 : Z. (i_5 <= i) /\ (i_4 <= i_1) /\ (0 <= i_5) /\
------------------------------------------------------------
Goal Decreasing of Loop variant at loop (file tests/wp_typed/user_init.i, line 51):
+Let x = to_uint32(1 + i).
+Let m = t2_2[i].
Assume {
Type: is_uint32(i).
(* Heap *)
@@ -1245,25 +1361,30 @@ Assume {
((i_1 <= 19) ->
(((i_2 < 0) \/ (i_1 < 0) \/ (10 <= i_2) \/ (20 <= i_1)) ->
(t2_0[i_2][i_1] = t2_1[i_2][i_1])))))).
+ (* Invariant 'Range_i' *)
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant 'Partial_i' *)
Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 < i) -> ((0 <= i_1) ->
((i_1 <= 19) -> (t2_1[i_2][i_1] = v))))).
- (* Invariant 'Range_i' *)
- Have: (0 <= i) /\ (i <= 10).
(* Then *)
Have: i <= 9.
(* Loop assigns 'lack,Zone_j' *)
Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((0 <= i_1) -> ((i_2 <= 9) ->
((i_1 <= 19) ->
(((i_2 < 0) \/ (i_1 < 0) \/ (10 <= i_2) \/ (20 <= i_1)) ->
- (t2_2[i_2][i_1] = t2_1[i_2][i_1])))))).
+ (t2_1[i_2][i_1] = t2_2[i_2][i_1])))))).
+ (* Invariant 'Partial_j' *)
+ Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 <= 19) -> (m[i_1] = v))).
(* Invariant 'Previous_i' *)
Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 < i) -> ((0 <= i_1) ->
- ((i_1 <= 19) -> (t2_2[i_2][i_1] = t2_1[i_2][i_1]))))).
- (* Invariant 'Partial_j' *)
- Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 <= 19) -> (t2_2[i][i_1] = v))).
+ ((i_1 <= 19) -> (t2_1[i_2][i_1] = t2_2[i_2][i_1]))))).
+ (* Invariant 'Range_i' *)
+ Have: x <= 10.
+ (* Invariant 'Partial_i' *)
+ Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((0 <= i_1) -> ((i_2 < x) ->
+ ((i_1 <= 19) -> (t2_2[i_2][i_1] = m[0]))))).
}
-Prove: i < to_uint32(1 + i).
+Prove: i < x.
------------------------------------------------------------
@@ -1273,6 +1394,9 @@ Prove: true.
------------------------------------------------------------
Goal Decreasing of Loop variant at loop (file tests/wp_typed/user_init.i, line 58):
+Let m = t2_2[i].
+Let m_1 = m[j <- v].
+Let x = to_uint32(1 + j).
Assume {
Type: is_uint32(i) /\ is_uint32(j).
(* Heap *)
@@ -1282,11 +1406,11 @@ Assume {
((i_1 <= 19) ->
(((i_2 < 0) \/ (i_1 < 0) \/ (10 <= i_2) \/ (20 <= i_1)) ->
(t2_0[i_2][i_1] = t2_1[i_2][i_1])))))).
+ (* Invariant 'Range_i' *)
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant 'Partial_i' *)
Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 < i) -> ((0 <= i_1) ->
((i_1 <= 19) -> (t2_1[i_2][i_1] = v))))).
- (* Invariant 'Range_i' *)
- Have: (0 <= i) /\ (i <= 10).
(* Then *)
Have: i <= 9.
(* Loop assigns 'lack,Zone_j' *)
@@ -1294,17 +1418,24 @@ Assume {
((i_1 <= 19) ->
(((i_2 < 0) \/ (i_1 < 0) \/ (10 <= i_2) \/ (20 <= i_1)) ->
(t2_2[i_2][i_1] = t2_1[i_2][i_1])))))).
+ (* Invariant 'Range_j' *)
+ Have: (0 <= j) /\ (j <= 20).
+ (* Invariant 'Partial_j' *)
+ Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < j) -> (m[i_1] = v))).
(* Invariant 'Previous_i' *)
Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 < i) -> ((0 <= i_1) ->
((i_1 <= 19) -> (t2_2[i_2][i_1] = t2_1[i_2][i_1]))))).
- (* Invariant 'Partial_j' *)
- Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < j) -> (t2_2[i][i_1] = v))).
- (* Invariant 'Range_j' *)
- Have: (0 <= j) /\ (j <= 20).
(* Then *)
Have: j <= 19.
+ (* Invariant 'Range_j' *)
+ Have: x <= 20.
+ (* Invariant 'Partial_j' *)
+ Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < x) -> (m_1[i_1] = v))).
+ (* Invariant 'Previous_i' *)
+ Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 < i) -> ((0 <= i_1) ->
+ ((i_1 <= 19) -> (t2_2[i <- m_1][i_2][i_1] = t2_1[i_2][i_1]))))).
}
-Prove: j < to_uint32(1 + j).
+Prove: j < x.
------------------------------------------------------------
@@ -1329,23 +1460,26 @@ Prove: t2_0[i][i_1] = v.
------------------------------------------------------------
Goal Preservation of Invariant 'Partial_i' (file tests/wp_typed/user_init.i, line 77):
+Let x = to_uint32(1 + i).
Let m = t2_0[i].
Assume {
Type: is_uint32(i).
(* Goal *)
- When: (0 <= i_1) /\ (0 <= i_2) /\ (i_1 < to_uint32(1 + i)) /\ (i_2 <= 19).
+ When: (0 <= i_1) /\ (0 <= i_2) /\ (i_1 < x) /\ (i_2 <= 19).
+ (* Invariant 'Range_i' *)
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant 'Partial_i' *)
Have: forall i_4,i_3 : Z. ((0 <= i_4) -> ((i_4 < i) -> ((0 <= i_3) ->
((i_3 <= 19) -> (t2_1[i_4][i_3] = v))))).
- (* Invariant 'Range_i' *)
- Have: (0 <= i) /\ (i <= 10).
(* Then *)
Have: i <= 9.
+ (* Invariant 'Partial_j' *)
+ Have: forall i_3 : Z. ((0 <= i_3) -> ((i_3 <= 19) -> (m[i_3] = v))).
(* Invariant 'Previous_i' *)
Have: forall i_4,i_3 : Z. ((0 <= i_4) -> ((i_4 < i) -> ((0 <= i_3) ->
((i_3 <= 19) -> (t2_1[i_4][i_3] = t2_0[i_4][i_3]))))).
- (* Invariant 'Partial_j' *)
- Have: forall i_3 : Z. ((0 <= i_3) -> ((i_3 <= 19) -> (m[i_3] = v))).
+ (* Invariant 'Range_i' *)
+ Have: x <= 10.
}
Prove: m[0] = t2_0[i_1][i_2].
@@ -1359,18 +1493,18 @@ Prove: true.
Goal Preservation of Invariant 'Range_i' (file tests/wp_typed/user_init.i, line 76):
Assume {
Type: is_uint32(i).
+ (* Invariant 'Range_i' *)
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant 'Partial_i' *)
Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 < i) -> ((0 <= i_1) ->
((i_1 <= 19) -> (t2_0[i_2][i_1] = v))))).
- (* Invariant 'Range_i' *)
- Have: (0 <= i) /\ (i <= 10).
(* Then *)
Have: i <= 9.
+ (* Invariant 'Partial_j' *)
+ Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 <= 19) -> (t2_1[i][i_1] = v))).
(* Invariant 'Previous_i' *)
Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 < i) -> ((0 <= i_1) ->
((i_1 <= 19) -> (t2_1[i_2][i_1] = t2_0[i_2][i_1]))))).
- (* Invariant 'Partial_j' *)
- Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 <= 19) -> (t2_1[i][i_1] = v))).
}
Prove: to_uint32(1 + i) <= 10.
@@ -1382,27 +1516,30 @@ Prove: true.
------------------------------------------------------------
Goal Preservation of Invariant 'Partial_j' (file tests/wp_typed/user_init.i, line 83):
+Let x = to_uint32(1 + j).
Let m = t2_0[i].
Assume {
Type: is_uint32(i) /\ is_uint32(j).
(* Goal *)
- When: (0 <= i_1) /\ (i_1 < to_uint32(1 + j)).
+ When: (0 <= i_1) /\ (i_1 < x).
+ (* Invariant 'Range_i' *)
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant 'Partial_i' *)
Have: forall i_3,i_2 : Z. ((0 <= i_3) -> ((i_3 < i) -> ((0 <= i_2) ->
((i_2 <= 19) -> (t2_1[i_3][i_2] = v))))).
- (* Invariant 'Range_i' *)
- Have: (0 <= i) /\ (i <= 10).
(* Then *)
Have: i <= 9.
+ (* Invariant 'Range_j' *)
+ Have: (0 <= j) /\ (j <= 20).
+ (* Invariant 'Partial_j' *)
+ Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < j) -> (m[i_2] = v))).
(* Invariant 'Previous_i' *)
Have: forall i_3,i_2 : Z. ((0 <= i_3) -> ((i_3 < i) -> ((0 <= i_2) ->
((i_2 <= 19) -> (t2_0[i_3][i_2] = t2_1[i_3][i_2]))))).
- (* Invariant 'Partial_j' *)
- Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < j) -> (m[i_2] = v))).
- (* Invariant 'Range_j' *)
- Have: (0 <= j) /\ (j <= 20).
(* Then *)
Have: j <= 19.
+ (* Invariant 'Range_j' *)
+ Have: x <= 20.
}
Prove: m[j <- v][i_1] = v.
@@ -1414,29 +1551,35 @@ Prove: true.
------------------------------------------------------------
Goal Preservation of Invariant 'Previous_i' (file tests/wp_typed/user_init.i, line 84):
+Let x = to_uint32(1 + j).
Let m = t2_0[i].
+Let m_1 = m[j <- v].
Assume {
Type: is_uint32(i) /\ is_uint32(j).
(* Goal *)
When: (0 <= i_1) /\ (i_1 < i) /\ (0 <= i_2) /\ (i_2 <= 19).
+ (* Invariant 'Range_i' *)
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant 'Partial_i' *)
Have: forall i_4,i_3 : Z. ((0 <= i_4) -> ((i_4 < i) -> ((0 <= i_3) ->
((i_3 <= 19) -> (t2_1[i_4][i_3] = v))))).
- (* Invariant 'Range_i' *)
- Have: (0 <= i) /\ (i <= 10).
(* Then *)
Have: i <= 9.
+ (* Invariant 'Range_j' *)
+ Have: (0 <= j) /\ (j <= 20).
+ (* Invariant 'Partial_j' *)
+ Have: forall i_3 : Z. ((0 <= i_3) -> ((i_3 < j) -> (m[i_3] = v))).
(* Invariant 'Previous_i' *)
Have: forall i_4,i_3 : Z. ((0 <= i_4) -> ((i_4 < i) -> ((0 <= i_3) ->
((i_3 <= 19) -> (t2_0[i_4][i_3] = t2_1[i_4][i_3]))))).
- (* Invariant 'Partial_j' *)
- Have: forall i_3 : Z. ((0 <= i_3) -> ((i_3 < j) -> (m[i_3] = v))).
- (* Invariant 'Range_j' *)
- Have: (0 <= j) /\ (j <= 20).
(* Then *)
Have: j <= 19.
+ (* Invariant 'Range_j' *)
+ Have: x <= 20.
+ (* Invariant 'Partial_j' *)
+ Have: forall i_3 : Z. ((0 <= i_3) -> ((i_3 < x) -> (m_1[i_3] = v))).
}
-Prove: t2_0[i <- m[j <- v]][i_1][i_2] = t2_1[i_1][i_2].
+Prove: t2_0[i <- m_1][i_1][i_2] = t2_1[i_1][i_2].
------------------------------------------------------------
@@ -1448,20 +1591,20 @@ Prove: true.
Goal Preservation of Invariant 'Range_j' (file tests/wp_typed/user_init.i, line 82):
Assume {
Type: is_uint32(i) /\ is_uint32(j).
+ (* Invariant 'Range_i' *)
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant 'Partial_i' *)
Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 < i) -> ((0 <= i_1) ->
((i_1 <= 19) -> (t2_0[i_2][i_1] = v))))).
- (* Invariant 'Range_i' *)
- Have: (0 <= i) /\ (i <= 10).
(* Then *)
Have: i <= 9.
+ (* Invariant 'Range_j' *)
+ Have: (0 <= j) /\ (j <= 20).
+ (* Invariant 'Partial_j' *)
+ Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < j) -> (t2_1[i][i_1] = v))).
(* Invariant 'Previous_i' *)
Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 < i) -> ((0 <= i_1) ->
((i_1 <= 19) -> (t2_1[i_2][i_1] = t2_0[i_2][i_1]))))).
- (* Invariant 'Partial_j' *)
- Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < j) -> (t2_1[i][i_1] = v))).
- (* Invariant 'Range_j' *)
- Have: (0 <= j) /\ (j <= 20).
(* Then *)
Have: j <= 19.
}
@@ -1491,24 +1634,30 @@ Prove: true.
Goal Loop assigns 'tactic,Zone_i' (2/3):
Effect at line 80
+Let x = to_uint32(1 + i_2).
+Let m = t2_1[i_2].
Assume {
Type: is_uint32(i_2).
(* Goal *)
When: (0 <= i_3) /\ (0 <= i_4) /\ (0 <= i_5) /\ (0 <= i) /\ (i_3 <= 9) /\
(i_5 <= 9) /\ (i <= 9) /\ (i_4 <= 19).
+ (* Invariant 'Range_i' *)
+ Have: (0 <= i_2) /\ (i_2 <= 10).
(* Invariant 'Partial_i' *)
Have: forall i_7,i_6 : Z. ((0 <= i_7) -> ((i_7 < i_2) -> ((0 <= i_6) ->
((i_6 <= 19) -> (t2_0[i_7][i_6] = v))))).
- (* Invariant 'Range_i' *)
- Have: (0 <= i_2) /\ (i_2 <= 10).
(* Then *)
Have: i_2 <= 9.
+ (* Invariant 'Partial_j' *)
+ Have: forall i_6 : Z. ((0 <= i_6) -> ((i_6 <= 19) -> (m[i_6] = v))).
(* Invariant 'Previous_i' *)
Have: forall i_7,i_6 : Z. ((0 <= i_7) -> ((i_7 < i_2) -> ((0 <= i_6) ->
- ((i_6 <= 19) -> (t2_1[i_7][i_6] = t2_0[i_7][i_6]))))).
- (* Invariant 'Partial_j' *)
- Have: forall i_6 : Z. ((0 <= i_6) -> ((i_6 <= 19) ->
- (t2_1[i_2][i_6] = v))).
+ ((i_6 <= 19) -> (t2_0[i_7][i_6] = t2_1[i_7][i_6]))))).
+ (* Invariant 'Range_i' *)
+ Have: x <= 10.
+ (* Invariant 'Partial_i' *)
+ Have: forall i_7,i_6 : Z. ((0 <= i_7) -> ((0 <= i_6) -> ((i_7 < x) ->
+ ((i_6 <= 19) -> (t2_1[i_7][i_6] = m[0]))))).
}
Prove: exists i_7,i_6 : Z. (i_7 <= i) /\ (i_6 <= i_1) /\ (0 <= i_7) /\
(i <= i_7) /\ (i_1 <= i_6) /\ (i_7 <= 9).
@@ -1517,24 +1666,30 @@ Prove: exists i_7,i_6 : Z. (i_7 <= i) /\ (i_6 <= i_1) /\ (0 <= i_7) /\
Goal Loop assigns 'tactic,Zone_i' (3/3):
Effect at line 87
+Let x = to_uint32(1 + i_2).
+Let m = t2_1[i_2].
Assume {
Type: is_uint32(i_2).
(* Goal *)
When: (0 <= i_3) /\ (0 <= i_4) /\ (0 <= i_5) /\ (0 <= i) /\ (i_3 <= 9) /\
(i_5 <= 9) /\ (i <= 9) /\ (i_4 <= 19).
+ (* Invariant 'Range_i' *)
+ Have: (0 <= i_2) /\ (i_2 <= 10).
(* Invariant 'Partial_i' *)
Have: forall i_7,i_6 : Z. ((0 <= i_7) -> ((i_7 < i_2) -> ((0 <= i_6) ->
((i_6 <= 19) -> (t2_0[i_7][i_6] = v))))).
- (* Invariant 'Range_i' *)
- Have: (0 <= i_2) /\ (i_2 <= 10).
(* Then *)
Have: i_2 <= 9.
+ (* Invariant 'Partial_j' *)
+ Have: forall i_6 : Z. ((0 <= i_6) -> ((i_6 <= 19) -> (m[i_6] = v))).
(* Invariant 'Previous_i' *)
Have: forall i_7,i_6 : Z. ((0 <= i_7) -> ((i_7 < i_2) -> ((0 <= i_6) ->
- ((i_6 <= 19) -> (t2_1[i_7][i_6] = t2_0[i_7][i_6]))))).
- (* Invariant 'Partial_j' *)
- Have: forall i_6 : Z. ((0 <= i_6) -> ((i_6 <= 19) ->
- (t2_1[i_2][i_6] = v))).
+ ((i_6 <= 19) -> (t2_0[i_7][i_6] = t2_1[i_7][i_6]))))).
+ (* Invariant 'Range_i' *)
+ Have: x <= 10.
+ (* Invariant 'Partial_i' *)
+ Have: forall i_7,i_6 : Z. ((0 <= i_7) -> ((0 <= i_6) -> ((i_7 < x) ->
+ ((i_6 <= 19) -> (t2_1[i_7][i_6] = m[0]))))).
}
Prove: exists i_7,i_6 : Z. (i_7 <= i) /\ (i_6 <= i_1) /\ (0 <= i_7) /\
(i <= i_7) /\ (i_1 <= i_6) /\ (i_7 <= 9).
@@ -1548,27 +1703,37 @@ Prove: true.
Goal Loop assigns 'tactic,Zone_j' (2/3):
Effect at line 87
+Let m = t2_1[i_2].
+Let m_1 = m[j <- v].
+Let x = to_uint32(1 + j).
Assume {
Type: is_uint32(i_2) /\ is_uint32(j).
(* Goal *)
When: (0 <= i_3) /\ (0 <= i_4) /\ (0 <= i_5) /\ (0 <= i) /\ (i_3 <= 9) /\
(i_5 <= 9) /\ (i <= 9) /\ (i_4 <= 19).
+ (* Invariant 'Range_i' *)
+ Have: (0 <= i_2) /\ (i_2 <= 10).
(* Invariant 'Partial_i' *)
Have: forall i_7,i_6 : Z. ((0 <= i_7) -> ((i_7 < i_2) -> ((0 <= i_6) ->
((i_6 <= 19) -> (t2_0[i_7][i_6] = v))))).
- (* Invariant 'Range_i' *)
- Have: (0 <= i_2) /\ (i_2 <= 10).
(* Then *)
Have: i_2 <= 9.
+ (* Invariant 'Range_j' *)
+ Have: (0 <= j) /\ (j <= 20).
+ (* Invariant 'Partial_j' *)
+ Have: forall i_6 : Z. ((0 <= i_6) -> ((i_6 < j) -> (m[i_6] = v))).
(* Invariant 'Previous_i' *)
Have: forall i_7,i_6 : Z. ((0 <= i_7) -> ((i_7 < i_2) -> ((0 <= i_6) ->
((i_6 <= 19) -> (t2_1[i_7][i_6] = t2_0[i_7][i_6]))))).
- (* Invariant 'Partial_j' *)
- Have: forall i_6 : Z. ((0 <= i_6) -> ((i_6 < j) -> (t2_1[i_2][i_6] = v))).
- (* Invariant 'Range_j' *)
- Have: (0 <= j) /\ (j <= 20).
(* Then *)
Have: j <= 19.
+ (* Invariant 'Range_j' *)
+ Have: x <= 20.
+ (* Invariant 'Partial_j' *)
+ Have: forall i_6 : Z. ((0 <= i_6) -> ((i_6 < x) -> (m_1[i_6] = v))).
+ (* Invariant 'Previous_i' *)
+ Have: forall i_7,i_6 : Z. ((0 <= i_7) -> ((i_7 < i_2) -> ((0 <= i_6) ->
+ ((i_6 <= 19) -> (t2_1[i_2 <- m_1][i_7][i_6] = t2_0[i_7][i_6]))))).
}
Prove: exists i_7,i_6 : Z. (i_7 <= i) /\ (i_6 <= i_1) /\ (0 <= i_7) /\
(i <= i_7) /\ (i_1 <= i_6) /\ (i_7 <= 9).
@@ -1577,22 +1742,32 @@ Prove: exists i_7,i_6 : Z. (i_7 <= i) /\ (i_6 <= i_1) /\ (0 <= i_7) /\
Goal Loop assigns 'tactic,Zone_j' (3/3):
Effect at line 88
+Let m = t2_1[i].
+Let m_1 = m[j <- v].
+Let x = to_uint32(1 + j).
Assume {
Type: is_uint32(i) /\ is_uint32(j).
(* Goal *)
When: (0 <= i) /\ (0 <= j) /\ (i <= 9) /\ (j <= 19).
+ (* Invariant 'Range_i' *)
+ Have: i <= 10.
(* Invariant 'Partial_i' *)
Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 < i) -> ((0 <= i_1) ->
((i_1 <= 19) -> (t2_0[i_2][i_1] = v))))).
- (* Invariant 'Range_i' *)
- Have: i <= 10.
+ (* Invariant 'Range_j' *)
+ Have: j <= 20.
+ (* Invariant 'Partial_j' *)
+ Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < j) -> (m[i_1] = v))).
(* Invariant 'Previous_i' *)
Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 < i) -> ((0 <= i_1) ->
((i_1 <= 19) -> (t2_1[i_2][i_1] = t2_0[i_2][i_1]))))).
- (* Invariant 'Partial_j' *)
- Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < j) -> (t2_1[i][i_1] = v))).
(* Invariant 'Range_j' *)
- Have: j <= 20.
+ Have: x <= 20.
+ (* Invariant 'Partial_j' *)
+ Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < x) -> (m_1[i_1] = v))).
+ (* Invariant 'Previous_i' *)
+ Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 < i) -> ((0 <= i_1) ->
+ ((i_1 <= 19) -> (t2_1[i <- m_1][i_2][i_1] = t2_0[i_2][i_1]))))).
}
Prove: exists i_2,i_1 : Z. (i_2 <= i) /\ (0 <= i_2) /\ (i <= i_2) /\
(j <= i_1) /\ (i_1 <= j) /\ (i_2 <= 9).
@@ -1621,22 +1796,29 @@ Prove: exists i_5,i_4 : Z. (i_5 <= i) /\ (i_4 <= i_1) /\ (0 <= i_5) /\
------------------------------------------------------------
Goal Decreasing of Loop variant at loop (file tests/wp_typed/user_init.i, line 80):
+Let x = to_uint32(1 + i).
+Let m = t2_1[i].
Assume {
Type: is_uint32(i).
+ (* Invariant 'Range_i' *)
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant 'Partial_i' *)
Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 < i) -> ((0 <= i_1) ->
((i_1 <= 19) -> (t2_0[i_2][i_1] = v))))).
- (* Invariant 'Range_i' *)
- Have: (0 <= i) /\ (i <= 10).
(* Then *)
Have: i <= 9.
+ (* Invariant 'Partial_j' *)
+ Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 <= 19) -> (m[i_1] = v))).
(* Invariant 'Previous_i' *)
Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 < i) -> ((0 <= i_1) ->
- ((i_1 <= 19) -> (t2_1[i_2][i_1] = t2_0[i_2][i_1]))))).
- (* Invariant 'Partial_j' *)
- Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 <= 19) -> (t2_1[i][i_1] = v))).
+ ((i_1 <= 19) -> (t2_0[i_2][i_1] = t2_1[i_2][i_1]))))).
+ (* Invariant 'Range_i' *)
+ Have: x <= 10.
+ (* Invariant 'Partial_i' *)
+ Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((0 <= i_1) -> ((i_2 < x) ->
+ ((i_1 <= 19) -> (t2_1[i_2][i_1] = m[0]))))).
}
-Prove: i < to_uint32(1 + i).
+Prove: i < x.
------------------------------------------------------------
@@ -1646,26 +1828,36 @@ Prove: true.
------------------------------------------------------------
Goal Decreasing of Loop variant at loop (file tests/wp_typed/user_init.i, line 87):
+Let m = t2_1[i].
+Let m_1 = m[j <- v].
+Let x = to_uint32(1 + j).
Assume {
Type: is_uint32(i) /\ is_uint32(j).
+ (* Invariant 'Range_i' *)
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant 'Partial_i' *)
Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 < i) -> ((0 <= i_1) ->
((i_1 <= 19) -> (t2_0[i_2][i_1] = v))))).
- (* Invariant 'Range_i' *)
- Have: (0 <= i) /\ (i <= 10).
(* Then *)
Have: i <= 9.
+ (* Invariant 'Range_j' *)
+ Have: (0 <= j) /\ (j <= 20).
+ (* Invariant 'Partial_j' *)
+ Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < j) -> (m[i_1] = v))).
(* Invariant 'Previous_i' *)
Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 < i) -> ((0 <= i_1) ->
((i_1 <= 19) -> (t2_1[i_2][i_1] = t2_0[i_2][i_1]))))).
- (* Invariant 'Partial_j' *)
- Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < j) -> (t2_1[i][i_1] = v))).
- (* Invariant 'Range_j' *)
- Have: (0 <= j) /\ (j <= 20).
(* Then *)
Have: j <= 19.
+ (* Invariant 'Range_j' *)
+ Have: x <= 20.
+ (* Invariant 'Partial_j' *)
+ Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < x) -> (m_1[i_1] = v))).
+ (* Invariant 'Previous_i' *)
+ Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 < i) -> ((0 <= i_1) ->
+ ((i_1 <= 19) -> (t2_1[i <- m_1][i_2][i_1] = t2_0[i_2][i_1]))))).
}
-Prove: j < to_uint32(1 + j).
+Prove: j < x.
------------------------------------------------------------
@@ -1691,20 +1883,26 @@ Prove: P_MemSet20(t2_0[i], 20, v).
------------------------------------------------------------
Goal Preservation of Invariant 'Partial_i' (file tests/wp_typed/user_init.i, line 108):
+Let x = to_uint32(1 + i).
+Let m = t2_0[i].
Assume {
Type: IsArray_sint32(v) /\ is_uint32(i) /\ is_sint32(v_1) /\
- IsArray_sint32(t2_0[i]).
+ IsArray_sint32(m).
(* Goal *)
- When: (0 <= i_1) /\ (i_1 < to_uint32(1 + i)).
+ When: (0 <= i_1) /\ (i_1 < x).
+ (* Invariant 'Range_i' *)
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant 'Partial_i' *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
P_MemSet20(t2_0[i_2], 20, v_1))).
- (* Invariant 'Range_i' *)
- Have: (0 <= i) /\ (i <= 10).
(* Then *)
Have: i <= 9.
(* Invariant 'Partial_j' *)
+ Have: P_MemSet20(m, 0, v_1).
+ (* Invariant 'Partial_j' *)
Have: P_MemSet20(v, 20, v_1).
+ (* Invariant 'Range_i' *)
+ Have: x <= 10.
}
Prove: P_MemSet20(t2_0[i <- v][i_1], 20, v_1).
@@ -1716,17 +1914,20 @@ Prove: true.
------------------------------------------------------------
Goal Preservation of Invariant 'Range_i' (file tests/wp_typed/user_init.i, line 107):
+Let m = t2_0[i].
Assume {
Type: IsArray_sint32(v) /\ is_uint32(i) /\ is_sint32(v_1) /\
- IsArray_sint32(t2_0[i]).
+ IsArray_sint32(m).
+ (* Invariant 'Range_i' *)
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant 'Partial_i' *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
P_MemSet20(t2_0[i_1], 20, v_1))).
- (* Invariant 'Range_i' *)
- Have: (0 <= i) /\ (i <= 10).
(* Then *)
Have: i <= 9.
(* Invariant 'Partial_j' *)
+ Have: P_MemSet20(m, 0, v_1).
+ (* Invariant 'Partial_j' *)
Have: P_MemSet20(v, 20, v_1).
}
Prove: to_uint32(1 + i) <= 10.
@@ -1739,25 +1940,31 @@ Prove: true.
------------------------------------------------------------
Goal Preservation of Invariant 'Partial_j' (file tests/wp_typed/user_init.i, line 114):
-Let m = v[j <- v_1].
+Let x = to_uint32(1 + j).
+Let m = t2_0[i].
+Let m_1 = v[j <- v_1].
Assume {
Type: IsArray_sint32(v) /\ is_uint32(i) /\ is_uint32(j) /\
- is_sint32(v_1) /\ IsArray_sint32(t2_0[i]) /\ IsArray_sint32(m).
+ is_sint32(v_1) /\ IsArray_sint32(m) /\ IsArray_sint32(m_1).
+ (* Invariant 'Range_i' *)
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant 'Partial_i' *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
P_MemSet20(t2_0[i_1], 20, v_1))).
- (* Invariant 'Range_i' *)
- Have: (0 <= i) /\ (i <= 10).
(* Then *)
Have: i <= 9.
(* Invariant 'Partial_j' *)
- Have: P_MemSet20(v, j, v_1).
+ Have: P_MemSet20(m, 0, v_1).
(* Invariant 'Range_j' *)
Have: (0 <= j) /\ (j <= 20).
+ (* Invariant 'Partial_j' *)
+ Have: P_MemSet20(v, j, v_1).
(* Then *)
Have: j <= 19.
+ (* Invariant 'Range_j' *)
+ Have: x <= 20.
}
-Prove: P_MemSet20(m, to_uint32(1 + j), v_1).
+Prove: P_MemSet20(m_1, x, v_1).
------------------------------------------------------------
@@ -1765,11 +1972,11 @@ Goal Establishment of Invariant 'Partial_j' (file tests/wp_typed/user_init.i, li
Let m = t2_0[i].
Assume {
Type: is_uint32(i) /\ is_sint32(v) /\ IsArray_sint32(m).
+ (* Invariant 'Range_i' *)
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant 'Partial_i' *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
P_MemSet20(t2_0[i_1], 20, v))).
- (* Invariant 'Range_i' *)
- Have: (0 <= i) /\ (i <= 10).
(* Then *)
Have: i <= 9.
}
@@ -1778,20 +1985,23 @@ Prove: P_MemSet20(m, 0, v).
------------------------------------------------------------
Goal Preservation of Invariant 'Range_j' (file tests/wp_typed/user_init.i, line 113):
+Let m = t2_0[i].
Assume {
Type: IsArray_sint32(v) /\ is_uint32(i) /\ is_uint32(j) /\
- is_sint32(v_1) /\ IsArray_sint32(t2_0[i]).
+ is_sint32(v_1) /\ IsArray_sint32(m).
+ (* Invariant 'Range_i' *)
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant 'Partial_i' *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
P_MemSet20(t2_0[i_1], 20, v_1))).
- (* Invariant 'Range_i' *)
- Have: (0 <= i) /\ (i <= 10).
(* Then *)
Have: i <= 9.
(* Invariant 'Partial_j' *)
- Have: P_MemSet20(v, j, v_1).
+ Have: P_MemSet20(m, 0, v_1).
(* Invariant 'Range_j' *)
Have: (0 <= j) /\ (j <= 20).
+ (* Invariant 'Partial_j' *)
+ Have: P_MemSet20(v, j, v_1).
(* Then *)
Have: j <= 19.
}
@@ -1821,21 +2031,30 @@ Prove: true.
Goal Loop assigns 'tactic,Zone_i' (2/3):
Effect at line 111
+Let x = to_uint32(1 + i_2).
+Let m = t2_0[i_2].
Assume {
Type: IsArray_sint32(v) /\ is_uint32(i_2) /\ is_sint32(v_1) /\
- IsArray_sint32(t2_0[i_2]).
+ IsArray_sint32(m).
(* Goal *)
When: (0 <= i_3) /\ (0 <= i_4) /\ (0 <= i_5) /\ (0 <= i) /\ (i_3 <= 9) /\
(i_5 <= 9) /\ (i <= 9) /\ (i_4 <= 19).
+ (* Invariant 'Range_i' *)
+ Have: (0 <= i_2) /\ (i_2 <= 10).
(* Invariant 'Partial_i' *)
Have: forall i_6 : Z. ((0 <= i_6) -> ((i_6 < i_2) ->
P_MemSet20(t2_0[i_6], 20, v_1))).
- (* Invariant 'Range_i' *)
- Have: (0 <= i_2) /\ (i_2 <= 10).
(* Then *)
Have: i_2 <= 9.
(* Invariant 'Partial_j' *)
+ Have: P_MemSet20(m, 0, v_1).
+ (* Invariant 'Partial_j' *)
Have: P_MemSet20(v, 20, v_1).
+ (* Invariant 'Range_i' *)
+ Have: x <= 10.
+ (* Invariant 'Partial_i' *)
+ Have: forall i_6 : Z. ((0 <= i_6) -> ((i_6 < x) ->
+ P_MemSet20(t2_0[i_2 <- v][i_6], 20, v_1))).
}
Prove: exists i_7,i_6 : Z. (i_7 <= i) /\ (i_6 <= i_1) /\ (0 <= i_7) /\
(i <= i_7) /\ (i_1 <= i_6) /\ (i_7 <= 9).
@@ -1844,18 +2063,27 @@ Prove: exists i_7,i_6 : Z. (i_7 <= i) /\ (i_6 <= i_1) /\ (0 <= i_7) /\
Goal Loop assigns 'tactic,Zone_i' (3/3):
Effect at line 117
+Let x = to_uint32(1 + i).
+Let m = t2_0[i].
Assume {
Type: IsArray_sint32(v) /\ is_uint32(i) /\ is_sint32(v_1) /\
- IsArray_sint32(t2_0[i]).
+ IsArray_sint32(m).
(* Goal *)
When: (0 <= i) /\ (0 <= i_1) /\ (i <= 9) /\ (i_1 <= 19).
+ (* Invariant 'Range_i' *)
+ Have: i <= 10.
(* Invariant 'Partial_i' *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
P_MemSet20(t2_0[i_2], 20, v_1))).
- (* Invariant 'Range_i' *)
- Have: i <= 10.
+ (* Invariant 'Partial_j' *)
+ Have: P_MemSet20(m, 0, v_1).
(* Invariant 'Partial_j' *)
Have: P_MemSet20(v, 20, v_1).
+ (* Invariant 'Range_i' *)
+ Have: x <= 10.
+ (* Invariant 'Partial_i' *)
+ Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < x) ->
+ P_MemSet20(t2_0[i <- v][i_2], 20, v_1))).
}
Prove: exists i_3,i_2 : Z. (i_3 <= i) /\ (i_2 <= i_1) /\ (0 <= i_3) /\
(i <= i_3) /\ (i_1 <= i_2) /\ (i_3 <= 9).
@@ -1895,20 +2123,29 @@ Prove: exists i_5,i_4 : Z. (i_5 <= i) /\ (i_4 <= i_1) /\ (0 <= i_5) /\
------------------------------------------------------------
Goal Decreasing of Loop variant at loop (file tests/wp_typed/user_init.i, line 111):
+Let x = to_uint32(1 + i).
+Let m = t2_0[i].
Assume {
Type: IsArray_sint32(v) /\ is_uint32(i) /\ is_sint32(v_1) /\
- IsArray_sint32(t2_0[i]).
+ IsArray_sint32(m).
+ (* Invariant 'Range_i' *)
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant 'Partial_i' *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
P_MemSet20(t2_0[i_1], 20, v_1))).
- (* Invariant 'Range_i' *)
- Have: (0 <= i) /\ (i <= 10).
(* Then *)
Have: i <= 9.
(* Invariant 'Partial_j' *)
+ Have: P_MemSet20(m, 0, v_1).
+ (* Invariant 'Partial_j' *)
Have: P_MemSet20(v, 20, v_1).
+ (* Invariant 'Range_i' *)
+ Have: x <= 10.
+ (* Invariant 'Partial_i' *)
+ Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < x) ->
+ P_MemSet20(t2_0[i <- v][i_1], 20, v_1))).
}
-Prove: i < to_uint32(1 + i).
+Prove: i < x.
------------------------------------------------------------
@@ -1918,24 +2155,33 @@ Prove: true.
------------------------------------------------------------
Goal Decreasing of Loop variant at loop (file tests/wp_typed/user_init.i, line 117):
+Let m = v[j <- v_1].
+Let x = to_uint32(1 + j).
+Let m_1 = t2_0[i].
Assume {
Type: IsArray_sint32(v) /\ is_uint32(i) /\ is_uint32(j) /\
- is_sint32(v_1) /\ IsArray_sint32(t2_0[i]).
+ is_sint32(v_1) /\ IsArray_sint32(m_1) /\ IsArray_sint32(m).
+ (* Invariant 'Range_i' *)
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant 'Partial_i' *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
P_MemSet20(t2_0[i_1], 20, v_1))).
- (* Invariant 'Range_i' *)
- Have: (0 <= i) /\ (i <= 10).
(* Then *)
Have: i <= 9.
(* Invariant 'Partial_j' *)
- Have: P_MemSet20(v, j, v_1).
+ Have: P_MemSet20(m_1, 0, v_1).
(* Invariant 'Range_j' *)
Have: (0 <= j) /\ (j <= 20).
+ (* Invariant 'Partial_j' *)
+ Have: P_MemSet20(v, j, v_1).
(* Then *)
Have: j <= 19.
+ (* Invariant 'Range_j' *)
+ Have: x <= 20.
+ (* Invariant 'Partial_j' *)
+ Have: P_MemSet20(m, x, v_1).
}
-Prove: j < to_uint32(1 + j).
+Prove: j < x.
------------------------------------------------------------
diff --git a/src/plugins/wp/tests/wp_typed/oracle/user_init.1.res.oracle b/src/plugins/wp/tests/wp_typed/oracle/user_init.1.res.oracle
index e1a3e723628fe25622cc96dc7c7b8c5d6a5e0cfb..20aaf5bdedf2232ff1e19edbf757434971402be0 100644
--- a/src/plugins/wp/tests/wp_typed/oracle/user_init.1.res.oracle
+++ b/src/plugins/wp/tests/wp_typed/oracle/user_init.1.res.oracle
@@ -21,13 +21,13 @@ Assume {
When: (0 <= i_1) /\ (i_1 < n) /\ is_sint32(i_1).
(* Pre-condition *)
Have: valid_rw(Malloc_0, a_1, n).
- (* Pre-condition *)
+ (* Invariant 'Range' *)
Have: 0 <= n.
+ (* Invariant 'Range' *)
+ Have: (0 <= i) /\ (i <= n).
(* Invariant 'Partial' *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
(havoc(Mint_undef_0, Mint_0, a_1, n)[shift_sint32(a, i_2)] = v))).
- (* Invariant 'Range' *)
- Have: (0 <= i) /\ (i <= n).
(* Else *)
Have: n <= i.
}
@@ -43,18 +43,20 @@ Assume {
(* Heap *)
Type: (region(a.base) <= 0) /\ linked(Malloc_0).
(* Goal *)
- When: (0 <= i_1) /\ (i_1 <= i) /\ is_sint32(i_1).
+ When: (i_1 <= i) /\ (0 <= i_1) /\ is_sint32(i_1).
(* Pre-condition *)
Have: valid_rw(Malloc_0, a_1, n).
- (* Pre-condition *)
+ (* Invariant 'Range' *)
Have: 0 <= n.
+ (* Invariant 'Range' *)
+ Have: (0 <= i) /\ (i <= n).
(* Invariant 'Partial' *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
(a_2[shift_sint32(a, i_2)] = v))).
- (* Invariant 'Range' *)
- Have: (0 <= i) /\ (i <= n).
(* Then *)
Have: i < n.
+ (* Invariant 'Range' *)
+ Have: (-1) <= i.
}
Prove: a_2[shift_sint32(a, i) <- v][shift_sint32(a, i_1)] = v.
@@ -73,13 +75,13 @@ Assume {
Type: (region(a.base) <= 0) /\ linked(Malloc_0).
(* Pre-condition *)
Have: valid_rw(Malloc_0, a_1, n).
- (* Pre-condition *)
+ (* Invariant 'Range' *)
Have: 0 <= n.
+ (* Invariant 'Range' *)
+ Have: (0 <= i) /\ (i <= n).
(* Invariant 'Partial' *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
(havoc(Mint_undef_0, Mint_0, a_1, n)[shift_sint32(a, i_1)] = v))).
- (* Invariant 'Range' *)
- Have: (0 <= i) /\ (i <= n).
(* Then *)
Have: i < n.
}
@@ -106,26 +108,31 @@ Prove: true.
Goal Loop assigns 'Zone' (3/3):
Effect at line 20
Let a_1 = shift_sint32(a, 0).
-Let a_2 = shift_sint32(a, i).
+Let a_2 = havoc(Mint_undef_0, Mint_0, a_1, n).
+Let x = i - 1.
+Let a_3 = shift_sint32(a, x).
Assume {
- Type: is_sint32(i) /\ is_sint32(n).
+ Type: is_sint32(i) /\ is_sint32(n) /\ is_sint32(x).
(* Heap *)
Type: (region(a.base) <= 0) /\ linked(Malloc_0).
(* Goal *)
- When: !invalid(Malloc_0, a_2, 1).
+ When: !invalid(Malloc_0, a_3, 1).
(* Pre-condition *)
Have: valid_rw(Malloc_0, a_1, n).
- (* Pre-condition *)
+ (* Invariant 'Range' *)
Have: 0 <= n.
- (* Invariant 'Partial' *)
- Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (havoc(Mint_undef_0, Mint_0, a_1, n)[shift_sint32(a, i_1)] = v))).
(* Invariant 'Range' *)
- Have: (0 <= i) /\ (i <= n).
+ Have: (0 < i) /\ (i <= (1 + n)).
+ (* Invariant 'Partial' *)
+ Have: forall i_1 : Z. ((0 <= i_1) -> (((2 + i_1) <= i) ->
+ (is_sint32(i_1) -> (a_2[shift_sint32(a, i_1)] = v)))).
(* Then *)
- Have: i < n.
+ Have: i <= n.
+ (* Invariant 'Partial' *)
+ Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
+ (a_2[a_3 <- v][shift_sint32(a, i_1)] = v))).
}
-Prove: included(a_2, 1, a_1, n).
+Prove: included(a_3, 1, a_1, n).
------------------------------------------------------------
@@ -153,10 +160,10 @@ Assume {
Type: is_uint32(i_1).
(* Goal *)
When: (0 <= i) /\ (i <= 9).
- (* Invariant 'Partial' *)
- Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i_1) -> (t1_0[i_2] = v))).
(* Invariant 'Range' *)
Have: (0 <= i_1) /\ (i_1 <= 10).
+ (* Invariant 'Partial' *)
+ Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i_1) -> (t1_0[i_2] = v))).
(* Else *)
Have: 10 <= i_1.
}
@@ -165,16 +172,19 @@ Prove: t1_0[i] = v.
------------------------------------------------------------
Goal Preservation of Invariant 'Partial' (file tests/wp_typed/user_init.i, line 32):
+Let x = to_uint32(1 + i).
Assume {
Type: is_uint32(i).
(* Goal *)
- When: (0 <= i_1) /\ (i_1 < to_uint32(1 + i)).
- (* Invariant 'Partial' *)
- Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) -> (t1_0[i_2] = v))).
+ When: (0 <= i_1) /\ (i_1 < x).
(* Invariant 'Range' *)
Have: (0 <= i) /\ (i <= 10).
+ (* Invariant 'Partial' *)
+ Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) -> (t1_0[i_2] = v))).
(* Then *)
Have: i <= 9.
+ (* Invariant 'Range' *)
+ Have: x <= 10.
}
Prove: t1_0[i <- v][i_1] = v.
@@ -188,10 +198,10 @@ Prove: true.
Goal Preservation of Invariant 'Range' (file tests/wp_typed/user_init.i, line 31):
Assume {
Type: is_uint32(i).
- (* Invariant 'Partial' *)
- Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) -> (t1_0[i_1] = v))).
(* Invariant 'Range' *)
Have: (0 <= i) /\ (i <= 10).
+ (* Invariant 'Partial' *)
+ Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) -> (t1_0[i_1] = v))).
(* Then *)
Have: i <= 9.
}
@@ -222,16 +232,22 @@ Prove: true.
------------------------------------------------------------
Goal Decreasing of Loop variant at loop (file tests/wp_typed/user_init.i, line 35):
+Let x = to_uint32(1 + i).
Assume {
Type: is_uint32(i).
- (* Invariant 'Partial' *)
- Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) -> (t1_0[i_1] = v))).
(* Invariant 'Range' *)
Have: (0 <= i) /\ (i <= 10).
+ (* Invariant 'Partial' *)
+ Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) -> (t1_0[i_1] = v))).
(* Then *)
Have: i <= 9.
+ (* Invariant 'Range' *)
+ Have: x <= 10.
+ (* Invariant 'Partial' *)
+ Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < x) ->
+ (t1_0[i <- v][i_1] = v))).
}
-Prove: i < to_uint32(1 + i).
+Prove: i < x.
------------------------------------------------------------
@@ -255,12 +271,12 @@ Assume {
((i_3 <= 19) ->
(shift_sint32(shift_A20_sint32(a, i_4), i_3) != a_1)))))) ->
(Mint_1[a_1] = Mint_0[a_1])).
+ (* Invariant 'Range' *)
+ Have: (0 <= i_2) /\ (i_2 <= 10).
(* Invariant 'Partial' *)
Have: forall i_4,i_3 : Z. ((0 <= i_4) -> ((i_4 < i_2) -> ((0 <= i_3) ->
((i_3 <= 19) ->
(Mint_0[shift_sint32(shift_A20_sint32(a, i_4), i_3)] = v))))).
- (* Invariant 'Range' *)
- Have: (0 <= i_2) /\ (i_2 <= 10).
(* Else *)
Have: 10 <= i_2.
}
@@ -274,6 +290,7 @@ Prove: true.
------------------------------------------------------------
Goal Preservation of Invariant 'Partial' (file tests/wp_typed/user_init.i, line 136):
+Let x = to_uint32(1 + i).
Let a = global(G_t2_52).
Let a_1 = shift_A20_sint32(a, i).
Let a_2 = shift_sint32(a_1, 0).
@@ -281,24 +298,26 @@ Let a_3 = havoc(Mint_undef_0, Mint_0, a_2, 20).
Assume {
Type: is_uint32(i) /\ is_sint32(v).
(* Goal *)
- When: (0 <= i_1) /\ (0 <= i_2) /\ (i_1 < to_uint32(1 + i)) /\ (i_2 <= 19).
+ When: (0 <= i_1) /\ (0 <= i_2) /\ (i_1 < x) /\ (i_2 <= 19).
(* Loop assigns 'lack,Zone' *)
Have: forall a_4 : addr.
((forall i_4,i_3 : Z. ((0 <= i_4) -> ((0 <= i_3) -> ((i_4 <= 9) ->
((i_3 <= 19) ->
(shift_sint32(shift_A20_sint32(a, i_4), i_3) != a_4)))))) ->
(Mint_1[a_4] = Mint_0[a_4])).
+ (* Invariant 'Range' *)
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant 'Partial' *)
Have: forall i_4,i_3 : Z. ((0 <= i_4) -> ((i_4 < i) -> ((0 <= i_3) ->
((i_3 <= 19) ->
(Mint_0[shift_sint32(shift_A20_sint32(a, i_4), i_3)] = v))))).
- (* Invariant 'Range' *)
- Have: (0 <= i) /\ (i <= 10).
(* Then *)
Have: i <= 9.
(* Call 'init' *)
Have: forall i_3 : Z. ((0 <= i_3) -> ((i_3 <= 19) ->
(a_3[shift_sint32(a_1, i_3)] = v))).
+ (* Invariant 'Range' *)
+ Have: x <= 10.
}
Prove: a_3[shift_sint32(shift_A20_sint32(a, i_1), i_2)] = Mint_undef_0[a_2].
@@ -320,12 +339,12 @@ Assume {
((i_1 <= 19) ->
(shift_sint32(shift_A20_sint32(a, i_2), i_1) != a_2)))))) ->
(Mint_0[a_2] = Mint_1[a_2])).
+ (* Invariant 'Range' *)
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant 'Partial' *)
Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 < i) -> ((0 <= i_1) ->
((i_1 <= 19) ->
(Mint_1[shift_sint32(shift_A20_sint32(a, i_2), i_1)] = v))))).
- (* Invariant 'Range' *)
- Have: (0 <= i) /\ (i <= 10).
(* Then *)
Have: i <= 9.
(* Call 'init' *)
@@ -354,8 +373,11 @@ Prove: true.
Goal Loop assigns 'lack,Zone' (2/3):
Effect at line 139
+Let x = to_uint32(1 + i_2).
Let a = global(G_t2_52).
Let a_1 = shift_A20_sint32(a, i_2).
+Let a_2 = shift_sint32(a_1, 0).
+Let a_3 = havoc(Mint_undef_0, Mint_1, a_2, 20).
Assume {
Type: is_uint32(i_2) /\ is_sint32(v).
(* Goal *)
@@ -363,23 +385,28 @@ Assume {
(0 <= i_1) /\ (i_3 <= 9) /\ (i_5 <= 9) /\ (i <= 9) /\ (i_4 <= 19) /\
(i_6 <= 19) /\ (i_1 <= 19).
(* Loop assigns 'lack,Zone' *)
- Have: forall a_2 : addr.
+ Have: forall a_4 : addr.
((forall i_8,i_7 : Z. ((0 <= i_8) -> ((0 <= i_7) -> ((i_8 <= 9) ->
((i_7 <= 19) ->
- (shift_sint32(shift_A20_sint32(a, i_8), i_7) != a_2)))))) ->
- (Mint_0[a_2] = Mint_1[a_2])).
+ (shift_sint32(shift_A20_sint32(a, i_8), i_7) != a_4)))))) ->
+ (Mint_0[a_4] = Mint_1[a_4])).
+ (* Invariant 'Range' *)
+ Have: (0 <= i_2) /\ (i_2 <= 10).
(* Invariant 'Partial' *)
Have: forall i_8,i_7 : Z. ((0 <= i_8) -> ((i_8 < i_2) -> ((0 <= i_7) ->
((i_7 <= 19) ->
(Mint_1[shift_sint32(shift_A20_sint32(a, i_8), i_7)] = v))))).
- (* Invariant 'Range' *)
- Have: (0 <= i_2) /\ (i_2 <= 10).
(* Then *)
Have: i_2 <= 9.
(* Call 'init' *)
Have: forall i_7 : Z. ((0 <= i_7) -> ((i_7 <= 19) ->
- (havoc(Mint_undef_0, Mint_1, shift_sint32(a_1, 0), 20)
- [shift_sint32(a_1, i_7)] = v))).
+ (a_3[shift_sint32(a_1, i_7)] = v))).
+ (* Invariant 'Range' *)
+ Have: x <= 10.
+ (* Invariant 'Partial' *)
+ Have: forall i_8,i_7 : Z. ((0 <= i_8) -> ((0 <= i_7) -> ((i_8 < x) ->
+ ((i_7 <= 19) ->
+ (a_3[shift_sint32(shift_A20_sint32(a, i_8), i_7)] = Mint_undef_0[a_2]))))).
}
Prove: exists i_8,i_7 : Z. (i_8 <= i) /\ (i_7 <= i_1) /\ (0 <= i_8) /\
(i <= i_8) /\ (0 <= i_7) /\ (i_1 <= i_7) /\ (i_8 <= 9) /\ (i_7 <= 19).
@@ -388,28 +415,36 @@ Prove: exists i_8,i_7 : Z. (i_8 <= i) /\ (i_7 <= i_1) /\ (0 <= i_8) /\
Goal Loop assigns 'lack,Zone' (3/3):
Call Effect at line 140
+Let x = to_uint32(1 + i).
Let a = global(G_t2_52).
Let a_1 = shift_A20_sint32(a, i).
+Let a_2 = shift_sint32(a_1, 0).
+Let a_3 = havoc(Mint_undef_0, Mint_1, a_2, 20).
Assume {
Type: is_uint32(i) /\ is_sint32(v).
(* Goal *)
When: (0 <= i) /\ (0 <= i_1) /\ (i <= 9) /\ (i_1 <= 19).
(* Loop assigns 'lack,Zone' *)
- Have: forall a_2 : addr.
+ Have: forall a_4 : addr.
((forall i_3,i_2 : Z. ((0 <= i_3) -> ((0 <= i_2) -> ((i_3 <= 9) ->
((i_2 <= 19) ->
- (shift_sint32(shift_A20_sint32(a, i_3), i_2) != a_2)))))) ->
- (Mint_0[a_2] = Mint_1[a_2])).
+ (shift_sint32(shift_A20_sint32(a, i_3), i_2) != a_4)))))) ->
+ (Mint_0[a_4] = Mint_1[a_4])).
+ (* Invariant 'Range' *)
+ Have: i <= 10.
(* Invariant 'Partial' *)
Have: forall i_3,i_2 : Z. ((0 <= i_3) -> ((i_3 < i) -> ((0 <= i_2) ->
((i_2 <= 19) ->
(Mint_1[shift_sint32(shift_A20_sint32(a, i_3), i_2)] = v))))).
- (* Invariant 'Range' *)
- Have: i <= 10.
(* Call 'init' *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 <= 19) ->
- (havoc(Mint_undef_0, Mint_1, shift_sint32(a_1, 0), 20)
- [shift_sint32(a_1, i_2)] = v))).
+ (a_3[shift_sint32(a_1, i_2)] = v))).
+ (* Invariant 'Range' *)
+ Have: x <= 10.
+ (* Invariant 'Partial' *)
+ Have: forall i_3,i_2 : Z. ((0 <= i_3) -> ((0 <= i_2) -> ((i_3 < x) ->
+ ((i_2 <= 19) ->
+ (a_3[shift_sint32(shift_A20_sint32(a, i_3), i_2)] = Mint_undef_0[a_2]))))).
}
Prove: exists i_3,i_2 : Z. (i_3 <= i) /\ (i_2 <= i_1) /\ (0 <= i_3) /\
(i <= i_3) /\ (0 <= i_2) /\ (i_1 <= i_2) /\ (i_3 <= 9) /\ (i_2 <= 19).
@@ -483,30 +518,38 @@ Prove: exists i_5,i_4 : Z. (i_5 <= i) /\ (i_4 <= i_1) /\ (0 <= i_5) /\
------------------------------------------------------------
Goal Decreasing of Loop variant at loop (file tests/wp_typed/user_init.i, line 139):
+Let x = to_uint32(1 + i).
Let a = global(G_t2_52).
Let a_1 = shift_A20_sint32(a, i).
+Let a_2 = shift_sint32(a_1, 0).
+Let a_3 = havoc(Mint_undef_0, Mint_1, a_2, 20).
Assume {
Type: is_uint32(i) /\ is_sint32(v).
(* Loop assigns 'lack,Zone' *)
- Have: forall a_2 : addr.
+ Have: forall a_4 : addr.
((forall i_2,i_1 : Z. ((0 <= i_2) -> ((0 <= i_1) -> ((i_2 <= 9) ->
((i_1 <= 19) ->
- (shift_sint32(shift_A20_sint32(a, i_2), i_1) != a_2)))))) ->
- (Mint_0[a_2] = Mint_1[a_2])).
+ (shift_sint32(shift_A20_sint32(a, i_2), i_1) != a_4)))))) ->
+ (Mint_0[a_4] = Mint_1[a_4])).
+ (* Invariant 'Range' *)
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant 'Partial' *)
Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 < i) -> ((0 <= i_1) ->
((i_1 <= 19) ->
(Mint_1[shift_sint32(shift_A20_sint32(a, i_2), i_1)] = v))))).
- (* Invariant 'Range' *)
- Have: (0 <= i) /\ (i <= 10).
(* Then *)
Have: i <= 9.
(* Call 'init' *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 <= 19) ->
- (havoc(Mint_undef_0, Mint_1, shift_sint32(a_1, 0), 20)
- [shift_sint32(a_1, i_1)] = v))).
+ (a_3[shift_sint32(a_1, i_1)] = v))).
+ (* Invariant 'Range' *)
+ Have: x <= 10.
+ (* Invariant 'Partial' *)
+ Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((0 <= i_1) -> ((i_2 < x) ->
+ ((i_1 <= 19) ->
+ (a_3[shift_sint32(shift_A20_sint32(a, i_2), i_1)] = Mint_undef_0[a_2]))))).
}
-Prove: i < to_uint32(1 + i).
+Prove: i < x.
------------------------------------------------------------
@@ -541,12 +584,12 @@ Assume {
((forall i_4,i_3 : Z. ((0 <= i_4) -> ((i_4 <= 9) ->
(shift_sint32(shift_A20_sint32(a, i_4), i_3) != a_1)))) ->
(Mint_1[a_1] = Mint_0[a_1])).
+ (* Invariant 'Range' *)
+ Have: (0 <= i_2) /\ (i_2 <= 10).
(* Invariant 'Partial' *)
Have: forall i_4,i_3 : Z. ((0 <= i_4) -> ((i_4 < i_2) -> ((0 <= i_3) ->
((i_3 <= 19) ->
(Mint_0[shift_sint32(shift_A20_sint32(a, i_4), i_3)] = v))))).
- (* Invariant 'Range' *)
- Have: (0 <= i_2) /\ (i_2 <= 10).
(* Else *)
Have: 10 <= i_2.
}
@@ -560,6 +603,7 @@ Prove: true.
------------------------------------------------------------
Goal Preservation of Invariant 'Partial' (file tests/wp_typed/user_init.i, line 154):
+Let x = to_uint32(1 + i).
Let a = global(G_t2_52).
Let a_1 = shift_A20_sint32(a, i).
Let a_2 = shift_sint32(a_1, 0).
@@ -567,23 +611,25 @@ Let a_3 = havoc(Mint_undef_0, Mint_0, a_2, 20).
Assume {
Type: is_uint32(i) /\ is_sint32(v).
(* Goal *)
- When: (0 <= i_1) /\ (0 <= i_2) /\ (i_1 < to_uint32(1 + i)) /\ (i_2 <= 19).
+ When: (0 <= i_1) /\ (0 <= i_2) /\ (i_1 < x) /\ (i_2 <= 19).
(* Loop assigns 'tactic,Zone' *)
Have: forall a_4 : addr.
((forall i_4,i_3 : Z. ((0 <= i_4) -> ((i_4 <= 9) ->
(shift_sint32(shift_A20_sint32(a, i_4), i_3) != a_4)))) ->
(Mint_1[a_4] = Mint_0[a_4])).
+ (* Invariant 'Range' *)
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant 'Partial' *)
Have: forall i_4,i_3 : Z. ((0 <= i_4) -> ((i_4 < i) -> ((0 <= i_3) ->
((i_3 <= 19) ->
(Mint_0[shift_sint32(shift_A20_sint32(a, i_4), i_3)] = v))))).
- (* Invariant 'Range' *)
- Have: (0 <= i) /\ (i <= 10).
(* Then *)
Have: i <= 9.
(* Call 'init' *)
Have: forall i_3 : Z. ((0 <= i_3) -> ((i_3 <= 19) ->
(a_3[shift_sint32(a_1, i_3)] = v))).
+ (* Invariant 'Range' *)
+ Have: x <= 10.
}
Prove: a_3[shift_sint32(shift_A20_sint32(a, i_1), i_2)] = Mint_undef_0[a_2].
@@ -604,12 +650,12 @@ Assume {
((forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 <= 9) ->
(shift_sint32(shift_A20_sint32(a, i_2), i_1) != a_2)))) ->
(Mint_0[a_2] = Mint_1[a_2])).
+ (* Invariant 'Range' *)
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant 'Partial' *)
Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 < i) -> ((0 <= i_1) ->
((i_1 <= 19) ->
(Mint_1[shift_sint32(shift_A20_sint32(a, i_2), i_1)] = v))))).
- (* Invariant 'Range' *)
- Have: (0 <= i) /\ (i <= 10).
(* Then *)
Have: i <= 9.
(* Call 'init' *)
@@ -638,30 +684,38 @@ Prove: true.
Goal Loop assigns 'tactic,Zone' (2/3):
Effect at line 157
+Let x = to_uint32(1 + i_2).
Let a = global(G_t2_52).
Let a_1 = shift_A20_sint32(a, i_2).
+Let a_2 = shift_sint32(a_1, 0).
+Let a_3 = havoc(Mint_undef_0, Mint_1, a_2, 20).
Assume {
Type: is_uint32(i_2) /\ is_sint32(v).
(* Goal *)
When: (0 <= i_3) /\ (0 <= i_4) /\ (0 <= i_5) /\ (0 <= i) /\ (i_3 <= 9) /\
(i_5 <= 9) /\ (i <= 9) /\ (i_4 <= 19).
(* Loop assigns 'tactic,Zone' *)
- Have: forall a_2 : addr.
+ Have: forall a_4 : addr.
((forall i_7,i_6 : Z. ((0 <= i_7) -> ((i_7 <= 9) ->
- (shift_sint32(shift_A20_sint32(a, i_7), i_6) != a_2)))) ->
- (Mint_0[a_2] = Mint_1[a_2])).
+ (shift_sint32(shift_A20_sint32(a, i_7), i_6) != a_4)))) ->
+ (Mint_0[a_4] = Mint_1[a_4])).
+ (* Invariant 'Range' *)
+ Have: (0 <= i_2) /\ (i_2 <= 10).
(* Invariant 'Partial' *)
Have: forall i_7,i_6 : Z. ((0 <= i_7) -> ((i_7 < i_2) -> ((0 <= i_6) ->
((i_6 <= 19) ->
(Mint_1[shift_sint32(shift_A20_sint32(a, i_7), i_6)] = v))))).
- (* Invariant 'Range' *)
- Have: (0 <= i_2) /\ (i_2 <= 10).
(* Then *)
Have: i_2 <= 9.
(* Call 'init' *)
Have: forall i_6 : Z. ((0 <= i_6) -> ((i_6 <= 19) ->
- (havoc(Mint_undef_0, Mint_1, shift_sint32(a_1, 0), 20)
- [shift_sint32(a_1, i_6)] = v))).
+ (a_3[shift_sint32(a_1, i_6)] = v))).
+ (* Invariant 'Range' *)
+ Have: x <= 10.
+ (* Invariant 'Partial' *)
+ Have: forall i_7,i_6 : Z. ((0 <= i_7) -> ((0 <= i_6) -> ((i_7 < x) ->
+ ((i_6 <= 19) ->
+ (a_3[shift_sint32(shift_A20_sint32(a, i_7), i_6)] = Mint_undef_0[a_2]))))).
}
Prove: exists i_7,i_6 : Z. (i_7 <= i) /\ (i_6 <= i_1) /\ (0 <= i_7) /\
(i <= i_7) /\ (i_1 <= i_6) /\ (i_7 <= 9).
@@ -670,27 +724,35 @@ Prove: exists i_7,i_6 : Z. (i_7 <= i) /\ (i_6 <= i_1) /\ (0 <= i_7) /\
Goal Loop assigns 'tactic,Zone' (3/3):
Call Effect at line 158
+Let x = to_uint32(1 + i).
Let a = global(G_t2_52).
Let a_1 = shift_A20_sint32(a, i).
+Let a_2 = shift_sint32(a_1, 0).
+Let a_3 = havoc(Mint_undef_0, Mint_1, a_2, 20).
Assume {
Type: is_uint32(i) /\ is_sint32(v).
(* Goal *)
When: (0 <= i) /\ (0 <= i_1) /\ (i <= 9) /\ (i_1 <= 19).
(* Loop assigns 'tactic,Zone' *)
- Have: forall a_2 : addr.
+ Have: forall a_4 : addr.
((forall i_3,i_2 : Z. ((0 <= i_3) -> ((i_3 <= 9) ->
- (shift_sint32(shift_A20_sint32(a, i_3), i_2) != a_2)))) ->
- (Mint_0[a_2] = Mint_1[a_2])).
+ (shift_sint32(shift_A20_sint32(a, i_3), i_2) != a_4)))) ->
+ (Mint_0[a_4] = Mint_1[a_4])).
+ (* Invariant 'Range' *)
+ Have: i <= 10.
(* Invariant 'Partial' *)
Have: forall i_3,i_2 : Z. ((0 <= i_3) -> ((i_3 < i) -> ((0 <= i_2) ->
((i_2 <= 19) ->
(Mint_1[shift_sint32(shift_A20_sint32(a, i_3), i_2)] = v))))).
- (* Invariant 'Range' *)
- Have: i <= 10.
(* Call 'init' *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 <= 19) ->
- (havoc(Mint_undef_0, Mint_1, shift_sint32(a_1, 0), 20)
- [shift_sint32(a_1, i_2)] = v))).
+ (a_3[shift_sint32(a_1, i_2)] = v))).
+ (* Invariant 'Range' *)
+ Have: x <= 10.
+ (* Invariant 'Partial' *)
+ Have: forall i_3,i_2 : Z. ((0 <= i_3) -> ((0 <= i_2) -> ((i_3 < x) ->
+ ((i_2 <= 19) ->
+ (a_3[shift_sint32(shift_A20_sint32(a, i_3), i_2)] = Mint_undef_0[a_2]))))).
}
Prove: exists i_3,i_2 : Z. (i_3 <= i) /\ (i_2 <= i_1) /\ (0 <= i_3) /\
(i <= i_3) /\ (i_1 <= i_2) /\ (i_3 <= 9).
@@ -758,29 +820,37 @@ Prove: exists i_5,i_4 : Z. (i_5 <= i) /\ (i_4 <= i_1) /\ (0 <= i_5) /\
------------------------------------------------------------
Goal Decreasing of Loop variant at loop (file tests/wp_typed/user_init.i, line 157):
+Let x = to_uint32(1 + i).
Let a = global(G_t2_52).
Let a_1 = shift_A20_sint32(a, i).
+Let a_2 = shift_sint32(a_1, 0).
+Let a_3 = havoc(Mint_undef_0, Mint_1, a_2, 20).
Assume {
Type: is_uint32(i) /\ is_sint32(v).
(* Loop assigns 'tactic,Zone' *)
- Have: forall a_2 : addr.
+ Have: forall a_4 : addr.
((forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 <= 9) ->
- (shift_sint32(shift_A20_sint32(a, i_2), i_1) != a_2)))) ->
- (Mint_0[a_2] = Mint_1[a_2])).
+ (shift_sint32(shift_A20_sint32(a, i_2), i_1) != a_4)))) ->
+ (Mint_0[a_4] = Mint_1[a_4])).
+ (* Invariant 'Range' *)
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant 'Partial' *)
Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 < i) -> ((0 <= i_1) ->
((i_1 <= 19) ->
(Mint_1[shift_sint32(shift_A20_sint32(a, i_2), i_1)] = v))))).
- (* Invariant 'Range' *)
- Have: (0 <= i) /\ (i <= 10).
(* Then *)
Have: i <= 9.
(* Call 'init' *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 <= 19) ->
- (havoc(Mint_undef_0, Mint_1, shift_sint32(a_1, 0), 20)
- [shift_sint32(a_1, i_1)] = v))).
+ (a_3[shift_sint32(a_1, i_1)] = v))).
+ (* Invariant 'Range' *)
+ Have: x <= 10.
+ (* Invariant 'Partial' *)
+ Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((0 <= i_1) -> ((i_2 < x) ->
+ ((i_1 <= 19) ->
+ (a_3[shift_sint32(shift_A20_sint32(a, i_2), i_1)] = Mint_undef_0[a_2]))))).
}
-Prove: i < to_uint32(1 + i).
+Prove: i < x.
------------------------------------------------------------
@@ -824,23 +894,24 @@ Prove: t2_0[i][i_1] = v.
------------------------------------------------------------
Goal Preservation of Invariant 'Partial_i' (file tests/wp_typed/user_init.i, line 48):
+Let x = to_uint32(1 + i).
Let m = t2_0[i].
Assume {
Type: is_uint32(i).
(* Heap *)
Type: IsArray_d2_sint32(t2_1).
(* Goal *)
- When: (0 <= i_1) /\ (0 <= i_2) /\ (i_1 < to_uint32(1 + i)) /\ (i_2 <= 19).
+ When: (0 <= i_1) /\ (0 <= i_2) /\ (i_1 < x) /\ (i_2 <= 19).
(* Loop assigns 'lack,Zone_i' *)
Have: forall i_4,i_3 : Z. ((0 <= i_4) -> ((0 <= i_3) -> ((i_4 <= 9) ->
((i_3 <= 19) ->
(((i_4 < 0) \/ (i_3 < 0) \/ (10 <= i_4) \/ (20 <= i_3)) ->
(t2_1[i_4][i_3] = t2_2[i_4][i_3])))))).
+ (* Invariant 'Range_i' *)
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant 'Partial_i' *)
Have: forall i_4,i_3 : Z. ((0 <= i_4) -> ((i_4 < i) -> ((0 <= i_3) ->
((i_3 <= 19) -> (t2_2[i_4][i_3] = v))))).
- (* Invariant 'Range_i' *)
- Have: (0 <= i) /\ (i <= 10).
(* Then *)
Have: i <= 9.
(* Loop assigns 'lack,Zone_j' *)
@@ -848,11 +919,13 @@ Assume {
((i_3 <= 19) ->
(((i_4 < 0) \/ (i_3 < 0) \/ (10 <= i_4) \/ (20 <= i_3)) ->
(t2_2[i_4][i_3] = t2_0[i_4][i_3])))))).
+ (* Invariant 'Partial_j' *)
+ Have: forall i_3 : Z. ((0 <= i_3) -> ((i_3 <= 19) -> (m[i_3] = v))).
(* Invariant 'Previous_i' *)
Have: forall i_4,i_3 : Z. ((0 <= i_4) -> ((i_4 < i) -> ((0 <= i_3) ->
((i_3 <= 19) -> (t2_2[i_4][i_3] = t2_0[i_4][i_3]))))).
- (* Invariant 'Partial_j' *)
- Have: forall i_3 : Z. ((0 <= i_3) -> ((i_3 <= 19) -> (m[i_3] = v))).
+ (* Invariant 'Range_i' *)
+ Have: x <= 10.
}
Prove: m[0] = t2_0[i_1][i_2].
@@ -873,11 +946,11 @@ Assume {
((i_1 <= 19) ->
(((i_2 < 0) \/ (i_1 < 0) \/ (10 <= i_2) \/ (20 <= i_1)) ->
(t2_0[i_2][i_1] = t2_1[i_2][i_1])))))).
+ (* Invariant 'Range_i' *)
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant 'Partial_i' *)
Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 < i) -> ((0 <= i_1) ->
((i_1 <= 19) -> (t2_1[i_2][i_1] = v))))).
- (* Invariant 'Range_i' *)
- Have: (0 <= i) /\ (i <= 10).
(* Then *)
Have: i <= 9.
(* Loop assigns 'lack,Zone_j' *)
@@ -885,11 +958,11 @@ Assume {
((i_1 <= 19) ->
(((i_2 < 0) \/ (i_1 < 0) \/ (10 <= i_2) \/ (20 <= i_1)) ->
(t2_2[i_2][i_1] = t2_1[i_2][i_1])))))).
+ (* Invariant 'Partial_j' *)
+ Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 <= 19) -> (t2_2[i][i_1] = v))).
(* Invariant 'Previous_i' *)
Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 < i) -> ((0 <= i_1) ->
((i_1 <= 19) -> (t2_2[i_2][i_1] = t2_1[i_2][i_1]))))).
- (* Invariant 'Partial_j' *)
- Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 <= 19) -> (t2_2[i][i_1] = v))).
}
Prove: to_uint32(1 + i) <= 10.
@@ -901,23 +974,24 @@ Prove: true.
------------------------------------------------------------
Goal Preservation of Invariant 'Partial_j' (file tests/wp_typed/user_init.i, line 54):
+Let x = to_uint32(1 + j).
Let m = t2_0[i].
Assume {
Type: is_uint32(i) /\ is_uint32(j).
(* Heap *)
Type: IsArray_d2_sint32(t2_1).
(* Goal *)
- When: (0 <= i_1) /\ (i_1 < to_uint32(1 + j)).
+ When: (0 <= i_1) /\ (i_1 < x).
(* Loop assigns 'lack,Zone_i' *)
Have: forall i_3,i_2 : Z. ((0 <= i_3) -> ((0 <= i_2) -> ((i_3 <= 9) ->
((i_2 <= 19) ->
(((i_3 < 0) \/ (i_2 < 0) \/ (10 <= i_3) \/ (20 <= i_2)) ->
(t2_1[i_3][i_2] = t2_2[i_3][i_2])))))).
+ (* Invariant 'Range_i' *)
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant 'Partial_i' *)
Have: forall i_3,i_2 : Z. ((0 <= i_3) -> ((i_3 < i) -> ((0 <= i_2) ->
((i_2 <= 19) -> (t2_2[i_3][i_2] = v))))).
- (* Invariant 'Range_i' *)
- Have: (0 <= i) /\ (i <= 10).
(* Then *)
Have: i <= 9.
(* Loop assigns 'lack,Zone_j' *)
@@ -925,15 +999,17 @@ Assume {
((i_2 <= 19) ->
(((i_3 < 0) \/ (i_2 < 0) \/ (10 <= i_3) \/ (20 <= i_2)) ->
(t2_0[i_3][i_2] = t2_2[i_3][i_2])))))).
+ (* Invariant 'Range_j' *)
+ Have: (0 <= j) /\ (j <= 20).
+ (* Invariant 'Partial_j' *)
+ Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < j) -> (m[i_2] = v))).
(* Invariant 'Previous_i' *)
Have: forall i_3,i_2 : Z. ((0 <= i_3) -> ((i_3 < i) -> ((0 <= i_2) ->
((i_2 <= 19) -> (t2_0[i_3][i_2] = t2_2[i_3][i_2]))))).
- (* Invariant 'Partial_j' *)
- Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < j) -> (m[i_2] = v))).
- (* Invariant 'Range_j' *)
- Have: (0 <= j) /\ (j <= 20).
(* Then *)
Have: j <= 19.
+ (* Invariant 'Range_j' *)
+ Have: x <= 20.
}
Prove: m[j <- v][i_1] = v.
@@ -945,7 +1021,9 @@ Prove: true.
------------------------------------------------------------
Goal Preservation of Invariant 'Previous_i' (file tests/wp_typed/user_init.i, line 55):
+Let x = to_uint32(1 + j).
Let m = t2_0[i].
+Let m_1 = m[j <- v].
Assume {
Type: is_uint32(i) /\ is_uint32(j).
(* Heap *)
@@ -957,11 +1035,11 @@ Assume {
((i_3 <= 19) ->
(((i_4 < 0) \/ (i_3 < 0) \/ (10 <= i_4) \/ (20 <= i_3)) ->
(t2_2[i_4][i_3] = t2_1[i_4][i_3])))))).
+ (* Invariant 'Range_i' *)
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant 'Partial_i' *)
Have: forall i_4,i_3 : Z. ((0 <= i_4) -> ((i_4 < i) -> ((0 <= i_3) ->
((i_3 <= 19) -> (t2_1[i_4][i_3] = v))))).
- (* Invariant 'Range_i' *)
- Have: (0 <= i) /\ (i <= 10).
(* Then *)
Have: i <= 9.
(* Loop assigns 'lack,Zone_j' *)
@@ -969,17 +1047,21 @@ Assume {
((i_3 <= 19) ->
(((i_4 < 0) \/ (i_3 < 0) \/ (10 <= i_4) \/ (20 <= i_3)) ->
(t2_0[i_4][i_3] = t2_1[i_4][i_3])))))).
+ (* Invariant 'Range_j' *)
+ Have: (0 <= j) /\ (j <= 20).
+ (* Invariant 'Partial_j' *)
+ Have: forall i_3 : Z. ((0 <= i_3) -> ((i_3 < j) -> (m[i_3] = v))).
(* Invariant 'Previous_i' *)
Have: forall i_4,i_3 : Z. ((0 <= i_4) -> ((i_4 < i) -> ((0 <= i_3) ->
((i_3 <= 19) -> (t2_0[i_4][i_3] = t2_1[i_4][i_3]))))).
- (* Invariant 'Partial_j' *)
- Have: forall i_3 : Z. ((0 <= i_3) -> ((i_3 < j) -> (m[i_3] = v))).
- (* Invariant 'Range_j' *)
- Have: (0 <= j) /\ (j <= 20).
(* Then *)
Have: j <= 19.
+ (* Invariant 'Range_j' *)
+ Have: x <= 20.
+ (* Invariant 'Partial_j' *)
+ Have: forall i_3 : Z. ((0 <= i_3) -> ((i_3 < x) -> (m_1[i_3] = v))).
}
-Prove: t2_0[i <- m[j <- v]][i_1][i_2] = t2_1[i_1][i_2].
+Prove: t2_0[i <- m_1][i_1][i_2] = t2_1[i_1][i_2].
------------------------------------------------------------
@@ -998,11 +1080,11 @@ Assume {
((i_1 <= 19) ->
(((i_2 < 0) \/ (i_1 < 0) \/ (10 <= i_2) \/ (20 <= i_1)) ->
(t2_0[i_2][i_1] = t2_1[i_2][i_1])))))).
+ (* Invariant 'Range_i' *)
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant 'Partial_i' *)
Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 < i) -> ((0 <= i_1) ->
((i_1 <= 19) -> (t2_1[i_2][i_1] = v))))).
- (* Invariant 'Range_i' *)
- Have: (0 <= i) /\ (i <= 10).
(* Then *)
Have: i <= 9.
(* Loop assigns 'lack,Zone_j' *)
@@ -1010,13 +1092,13 @@ Assume {
((i_1 <= 19) ->
(((i_2 < 0) \/ (i_1 < 0) \/ (10 <= i_2) \/ (20 <= i_1)) ->
(t2_2[i_2][i_1] = t2_1[i_2][i_1])))))).
+ (* Invariant 'Range_j' *)
+ Have: (0 <= j) /\ (j <= 20).
+ (* Invariant 'Partial_j' *)
+ Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < j) -> (t2_2[i][i_1] = v))).
(* Invariant 'Previous_i' *)
Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 < i) -> ((0 <= i_1) ->
((i_1 <= 19) -> (t2_2[i_2][i_1] = t2_1[i_2][i_1]))))).
- (* Invariant 'Partial_j' *)
- Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < j) -> (t2_2[i][i_1] = v))).
- (* Invariant 'Range_j' *)
- Have: (0 <= j) /\ (j <= 20).
(* Then *)
Have: j <= 19.
}
@@ -1046,6 +1128,8 @@ Prove: true.
Goal Loop assigns 'lack,Zone_i' (2/3):
Effect at line 51
+Let x = to_uint32(1 + i_2).
+Let m = t2_2[i_2].
Assume {
Type: is_uint32(i_2).
(* Heap *)
@@ -1059,24 +1143,28 @@ Assume {
((i_7 <= 19) ->
(((i_8 < 0) \/ (i_7 < 0) \/ (10 <= i_8) \/ (20 <= i_7)) ->
(t2_0[i_8][i_7] = t2_1[i_8][i_7])))))).
+ (* Invariant 'Range_i' *)
+ Have: (0 <= i_2) /\ (i_2 <= 10).
(* Invariant 'Partial_i' *)
Have: forall i_8,i_7 : Z. ((0 <= i_8) -> ((i_8 < i_2) -> ((0 <= i_7) ->
((i_7 <= 19) -> (t2_1[i_8][i_7] = v))))).
- (* Invariant 'Range_i' *)
- Have: (0 <= i_2) /\ (i_2 <= 10).
(* Then *)
Have: i_2 <= 9.
(* Loop assigns 'lack,Zone_j' *)
Have: forall i_8,i_7 : Z. ((0 <= i_8) -> ((0 <= i_7) -> ((i_8 <= 9) ->
((i_7 <= 19) ->
(((i_8 < 0) \/ (i_7 < 0) \/ (10 <= i_8) \/ (20 <= i_7)) ->
- (t2_2[i_8][i_7] = t2_1[i_8][i_7])))))).
+ (t2_1[i_8][i_7] = t2_2[i_8][i_7])))))).
+ (* Invariant 'Partial_j' *)
+ Have: forall i_7 : Z. ((0 <= i_7) -> ((i_7 <= 19) -> (m[i_7] = v))).
(* Invariant 'Previous_i' *)
Have: forall i_8,i_7 : Z. ((0 <= i_8) -> ((i_8 < i_2) -> ((0 <= i_7) ->
- ((i_7 <= 19) -> (t2_2[i_8][i_7] = t2_1[i_8][i_7]))))).
- (* Invariant 'Partial_j' *)
- Have: forall i_7 : Z. ((0 <= i_7) -> ((i_7 <= 19) ->
- (t2_2[i_2][i_7] = v))).
+ ((i_7 <= 19) -> (t2_1[i_8][i_7] = t2_2[i_8][i_7]))))).
+ (* Invariant 'Range_i' *)
+ Have: x <= 10.
+ (* Invariant 'Partial_i' *)
+ Have: forall i_8,i_7 : Z. ((0 <= i_8) -> ((0 <= i_7) -> ((i_8 < x) ->
+ ((i_7 <= 19) -> (t2_2[i_8][i_7] = m[0]))))).
}
Prove: exists i_8,i_7 : Z. (i_8 <= i) /\ (i_7 <= i_1) /\ (0 <= i_8) /\
(i <= i_8) /\ (0 <= i_7) /\ (i_1 <= i_7) /\ (i_8 <= 9) /\ (i_7 <= 19).
@@ -1085,6 +1173,8 @@ Prove: exists i_8,i_7 : Z. (i_8 <= i) /\ (i_7 <= i_1) /\ (0 <= i_8) /\
Goal Loop assigns 'lack,Zone_i' (3/3):
Effect at line 58
+Let x = to_uint32(1 + i_2).
+Let m = t2_2[i_2].
Assume {
Type: is_uint32(i_2).
(* Heap *)
@@ -1098,24 +1188,28 @@ Assume {
((i_7 <= 19) ->
(((i_8 < 0) \/ (i_7 < 0) \/ (10 <= i_8) \/ (20 <= i_7)) ->
(t2_0[i_8][i_7] = t2_1[i_8][i_7])))))).
+ (* Invariant 'Range_i' *)
+ Have: (0 <= i_2) /\ (i_2 <= 10).
(* Invariant 'Partial_i' *)
Have: forall i_8,i_7 : Z. ((0 <= i_8) -> ((i_8 < i_2) -> ((0 <= i_7) ->
((i_7 <= 19) -> (t2_1[i_8][i_7] = v))))).
- (* Invariant 'Range_i' *)
- Have: (0 <= i_2) /\ (i_2 <= 10).
(* Then *)
Have: i_2 <= 9.
(* Loop assigns 'lack,Zone_j' *)
Have: forall i_8,i_7 : Z. ((0 <= i_8) -> ((0 <= i_7) -> ((i_8 <= 9) ->
((i_7 <= 19) ->
(((i_8 < 0) \/ (i_7 < 0) \/ (10 <= i_8) \/ (20 <= i_7)) ->
- (t2_2[i_8][i_7] = t2_1[i_8][i_7])))))).
+ (t2_1[i_8][i_7] = t2_2[i_8][i_7])))))).
+ (* Invariant 'Partial_j' *)
+ Have: forall i_7 : Z. ((0 <= i_7) -> ((i_7 <= 19) -> (m[i_7] = v))).
(* Invariant 'Previous_i' *)
Have: forall i_8,i_7 : Z. ((0 <= i_8) -> ((i_8 < i_2) -> ((0 <= i_7) ->
- ((i_7 <= 19) -> (t2_2[i_8][i_7] = t2_1[i_8][i_7]))))).
- (* Invariant 'Partial_j' *)
- Have: forall i_7 : Z. ((0 <= i_7) -> ((i_7 <= 19) ->
- (t2_2[i_2][i_7] = v))).
+ ((i_7 <= 19) -> (t2_1[i_8][i_7] = t2_2[i_8][i_7]))))).
+ (* Invariant 'Range_i' *)
+ Have: x <= 10.
+ (* Invariant 'Partial_i' *)
+ Have: forall i_8,i_7 : Z. ((0 <= i_8) -> ((0 <= i_7) -> ((i_8 < x) ->
+ ((i_7 <= 19) -> (t2_2[i_8][i_7] = m[0]))))).
}
Prove: exists i_8,i_7 : Z. (i_8 <= i) /\ (i_7 <= i_1) /\ (0 <= i_8) /\
(i <= i_8) /\ (0 <= i_7) /\ (i_1 <= i_7) /\ (i_8 <= 9) /\ (i_7 <= 19).
@@ -1129,6 +1223,9 @@ Prove: true.
Goal Loop assigns 'lack,Zone_j' (2/3):
Effect at line 58
+Let m = t2_2[i_2].
+Let m_1 = m[j <- v].
+Let x = to_uint32(1 + j).
Assume {
Type: is_uint32(i_2) /\ is_uint32(j).
(* Heap *)
@@ -1142,11 +1239,11 @@ Assume {
((i_7 <= 19) ->
(((i_8 < 0) \/ (i_7 < 0) \/ (10 <= i_8) \/ (20 <= i_7)) ->
(t2_0[i_8][i_7] = t2_1[i_8][i_7])))))).
+ (* Invariant 'Range_i' *)
+ Have: (0 <= i_2) /\ (i_2 <= 10).
(* Invariant 'Partial_i' *)
Have: forall i_8,i_7 : Z. ((0 <= i_8) -> ((i_8 < i_2) -> ((0 <= i_7) ->
((i_7 <= 19) -> (t2_1[i_8][i_7] = v))))).
- (* Invariant 'Range_i' *)
- Have: (0 <= i_2) /\ (i_2 <= 10).
(* Then *)
Have: i_2 <= 9.
(* Loop assigns 'lack,Zone_j' *)
@@ -1154,15 +1251,22 @@ Assume {
((i_7 <= 19) ->
(((i_8 < 0) \/ (i_7 < 0) \/ (10 <= i_8) \/ (20 <= i_7)) ->
(t2_2[i_8][i_7] = t2_1[i_8][i_7])))))).
+ (* Invariant 'Range_j' *)
+ Have: (0 <= j) /\ (j <= 20).
+ (* Invariant 'Partial_j' *)
+ Have: forall i_7 : Z. ((0 <= i_7) -> ((i_7 < j) -> (m[i_7] = v))).
(* Invariant 'Previous_i' *)
Have: forall i_8,i_7 : Z. ((0 <= i_8) -> ((i_8 < i_2) -> ((0 <= i_7) ->
((i_7 <= 19) -> (t2_2[i_8][i_7] = t2_1[i_8][i_7]))))).
- (* Invariant 'Partial_j' *)
- Have: forall i_7 : Z. ((0 <= i_7) -> ((i_7 < j) -> (t2_2[i_2][i_7] = v))).
- (* Invariant 'Range_j' *)
- Have: (0 <= j) /\ (j <= 20).
(* Then *)
Have: j <= 19.
+ (* Invariant 'Range_j' *)
+ Have: x <= 20.
+ (* Invariant 'Partial_j' *)
+ Have: forall i_7 : Z. ((0 <= i_7) -> ((i_7 < x) -> (m_1[i_7] = v))).
+ (* Invariant 'Previous_i' *)
+ Have: forall i_8,i_7 : Z. ((0 <= i_8) -> ((i_8 < i_2) -> ((0 <= i_7) ->
+ ((i_7 <= 19) -> (t2_2[i_2 <- m_1][i_8][i_7] = t2_1[i_8][i_7]))))).
}
Prove: exists i_8,i_7 : Z. (i_8 <= i) /\ (i_7 <= i_1) /\ (0 <= i_8) /\
(i <= i_8) /\ (0 <= i_7) /\ (i_1 <= i_7) /\ (i_8 <= 9) /\ (i_7 <= 19).
@@ -1171,6 +1275,9 @@ Prove: exists i_8,i_7 : Z. (i_8 <= i) /\ (i_7 <= i_1) /\ (0 <= i_8) /\
Goal Loop assigns 'lack,Zone_j' (3/3):
Effect at line 59
+Let m = t2_2[i].
+Let m_1 = m[j <- v].
+Let x = to_uint32(1 + j).
Assume {
Type: is_uint32(i) /\ is_uint32(j).
(* Heap *)
@@ -1182,23 +1289,30 @@ Assume {
((i_1 <= 19) ->
(((i_2 < 0) \/ (i_1 < 0) \/ (10 <= i_2) \/ (20 <= i_1)) ->
(t2_0[i_2][i_1] = t2_1[i_2][i_1])))))).
+ (* Invariant 'Range_i' *)
+ Have: i <= 10.
(* Invariant 'Partial_i' *)
Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 < i) -> ((0 <= i_1) ->
((i_1 <= 19) -> (t2_1[i_2][i_1] = v))))).
- (* Invariant 'Range_i' *)
- Have: i <= 10.
(* Loop assigns 'lack,Zone_j' *)
Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((0 <= i_1) -> ((i_2 <= 9) ->
((i_1 <= 19) ->
(((i_2 < 0) \/ (i_1 < 0) \/ (10 <= i_2) \/ (20 <= i_1)) ->
(t2_2[i_2][i_1] = t2_1[i_2][i_1])))))).
+ (* Invariant 'Range_j' *)
+ Have: j <= 20.
+ (* Invariant 'Partial_j' *)
+ Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < j) -> (m[i_1] = v))).
(* Invariant 'Previous_i' *)
Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 < i) -> ((0 <= i_1) ->
((i_1 <= 19) -> (t2_2[i_2][i_1] = t2_1[i_2][i_1]))))).
- (* Invariant 'Partial_j' *)
- Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < j) -> (t2_2[i][i_1] = v))).
(* Invariant 'Range_j' *)
- Have: j <= 20.
+ Have: x <= 20.
+ (* Invariant 'Partial_j' *)
+ Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < x) -> (m_1[i_1] = v))).
+ (* Invariant 'Previous_i' *)
+ Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 < i) -> ((0 <= i_1) ->
+ ((i_1 <= 19) -> (t2_2[i <- m_1][i_2][i_1] = t2_1[i_2][i_1]))))).
}
Prove: exists i_2,i_1 : Z. (i_2 <= i) /\ (0 <= i_2) /\ (i <= i_2) /\
(0 <= i_1) /\ (j <= i_1) /\ (i_1 <= j) /\ (i_2 <= 9) /\ (i_1 <= 19).
@@ -1236,6 +1350,8 @@ Prove: exists i_5,i_4 : Z. (i_5 <= i) /\ (i_4 <= i_1) /\ (0 <= i_5) /\
------------------------------------------------------------
Goal Decreasing of Loop variant at loop (file tests/wp_typed/user_init.i, line 51):
+Let x = to_uint32(1 + i).
+Let m = t2_2[i].
Assume {
Type: is_uint32(i).
(* Heap *)
@@ -1245,25 +1361,30 @@ Assume {
((i_1 <= 19) ->
(((i_2 < 0) \/ (i_1 < 0) \/ (10 <= i_2) \/ (20 <= i_1)) ->
(t2_0[i_2][i_1] = t2_1[i_2][i_1])))))).
+ (* Invariant 'Range_i' *)
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant 'Partial_i' *)
Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 < i) -> ((0 <= i_1) ->
((i_1 <= 19) -> (t2_1[i_2][i_1] = v))))).
- (* Invariant 'Range_i' *)
- Have: (0 <= i) /\ (i <= 10).
(* Then *)
Have: i <= 9.
(* Loop assigns 'lack,Zone_j' *)
Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((0 <= i_1) -> ((i_2 <= 9) ->
((i_1 <= 19) ->
(((i_2 < 0) \/ (i_1 < 0) \/ (10 <= i_2) \/ (20 <= i_1)) ->
- (t2_2[i_2][i_1] = t2_1[i_2][i_1])))))).
+ (t2_1[i_2][i_1] = t2_2[i_2][i_1])))))).
+ (* Invariant 'Partial_j' *)
+ Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 <= 19) -> (m[i_1] = v))).
(* Invariant 'Previous_i' *)
Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 < i) -> ((0 <= i_1) ->
- ((i_1 <= 19) -> (t2_2[i_2][i_1] = t2_1[i_2][i_1]))))).
- (* Invariant 'Partial_j' *)
- Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 <= 19) -> (t2_2[i][i_1] = v))).
+ ((i_1 <= 19) -> (t2_1[i_2][i_1] = t2_2[i_2][i_1]))))).
+ (* Invariant 'Range_i' *)
+ Have: x <= 10.
+ (* Invariant 'Partial_i' *)
+ Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((0 <= i_1) -> ((i_2 < x) ->
+ ((i_1 <= 19) -> (t2_2[i_2][i_1] = m[0]))))).
}
-Prove: i < to_uint32(1 + i).
+Prove: i < x.
------------------------------------------------------------
@@ -1273,6 +1394,9 @@ Prove: true.
------------------------------------------------------------
Goal Decreasing of Loop variant at loop (file tests/wp_typed/user_init.i, line 58):
+Let m = t2_2[i].
+Let m_1 = m[j <- v].
+Let x = to_uint32(1 + j).
Assume {
Type: is_uint32(i) /\ is_uint32(j).
(* Heap *)
@@ -1282,11 +1406,11 @@ Assume {
((i_1 <= 19) ->
(((i_2 < 0) \/ (i_1 < 0) \/ (10 <= i_2) \/ (20 <= i_1)) ->
(t2_0[i_2][i_1] = t2_1[i_2][i_1])))))).
+ (* Invariant 'Range_i' *)
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant 'Partial_i' *)
Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 < i) -> ((0 <= i_1) ->
((i_1 <= 19) -> (t2_1[i_2][i_1] = v))))).
- (* Invariant 'Range_i' *)
- Have: (0 <= i) /\ (i <= 10).
(* Then *)
Have: i <= 9.
(* Loop assigns 'lack,Zone_j' *)
@@ -1294,17 +1418,24 @@ Assume {
((i_1 <= 19) ->
(((i_2 < 0) \/ (i_1 < 0) \/ (10 <= i_2) \/ (20 <= i_1)) ->
(t2_2[i_2][i_1] = t2_1[i_2][i_1])))))).
+ (* Invariant 'Range_j' *)
+ Have: (0 <= j) /\ (j <= 20).
+ (* Invariant 'Partial_j' *)
+ Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < j) -> (m[i_1] = v))).
(* Invariant 'Previous_i' *)
Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 < i) -> ((0 <= i_1) ->
((i_1 <= 19) -> (t2_2[i_2][i_1] = t2_1[i_2][i_1]))))).
- (* Invariant 'Partial_j' *)
- Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < j) -> (t2_2[i][i_1] = v))).
- (* Invariant 'Range_j' *)
- Have: (0 <= j) /\ (j <= 20).
(* Then *)
Have: j <= 19.
+ (* Invariant 'Range_j' *)
+ Have: x <= 20.
+ (* Invariant 'Partial_j' *)
+ Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < x) -> (m_1[i_1] = v))).
+ (* Invariant 'Previous_i' *)
+ Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 < i) -> ((0 <= i_1) ->
+ ((i_1 <= 19) -> (t2_2[i <- m_1][i_2][i_1] = t2_1[i_2][i_1]))))).
}
-Prove: j < to_uint32(1 + j).
+Prove: j < x.
------------------------------------------------------------
@@ -1329,23 +1460,26 @@ Prove: t2_0[i][i_1] = v.
------------------------------------------------------------
Goal Preservation of Invariant 'Partial_i' (file tests/wp_typed/user_init.i, line 77):
+Let x = to_uint32(1 + i).
Let m = t2_0[i].
Assume {
Type: is_uint32(i).
(* Goal *)
- When: (0 <= i_1) /\ (0 <= i_2) /\ (i_1 < to_uint32(1 + i)) /\ (i_2 <= 19).
+ When: (0 <= i_1) /\ (0 <= i_2) /\ (i_1 < x) /\ (i_2 <= 19).
+ (* Invariant 'Range_i' *)
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant 'Partial_i' *)
Have: forall i_4,i_3 : Z. ((0 <= i_4) -> ((i_4 < i) -> ((0 <= i_3) ->
((i_3 <= 19) -> (t2_1[i_4][i_3] = v))))).
- (* Invariant 'Range_i' *)
- Have: (0 <= i) /\ (i <= 10).
(* Then *)
Have: i <= 9.
+ (* Invariant 'Partial_j' *)
+ Have: forall i_3 : Z. ((0 <= i_3) -> ((i_3 <= 19) -> (m[i_3] = v))).
(* Invariant 'Previous_i' *)
Have: forall i_4,i_3 : Z. ((0 <= i_4) -> ((i_4 < i) -> ((0 <= i_3) ->
((i_3 <= 19) -> (t2_1[i_4][i_3] = t2_0[i_4][i_3]))))).
- (* Invariant 'Partial_j' *)
- Have: forall i_3 : Z. ((0 <= i_3) -> ((i_3 <= 19) -> (m[i_3] = v))).
+ (* Invariant 'Range_i' *)
+ Have: x <= 10.
}
Prove: m[0] = t2_0[i_1][i_2].
@@ -1359,18 +1493,18 @@ Prove: true.
Goal Preservation of Invariant 'Range_i' (file tests/wp_typed/user_init.i, line 76):
Assume {
Type: is_uint32(i).
+ (* Invariant 'Range_i' *)
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant 'Partial_i' *)
Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 < i) -> ((0 <= i_1) ->
((i_1 <= 19) -> (t2_0[i_2][i_1] = v))))).
- (* Invariant 'Range_i' *)
- Have: (0 <= i) /\ (i <= 10).
(* Then *)
Have: i <= 9.
+ (* Invariant 'Partial_j' *)
+ Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 <= 19) -> (t2_1[i][i_1] = v))).
(* Invariant 'Previous_i' *)
Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 < i) -> ((0 <= i_1) ->
((i_1 <= 19) -> (t2_1[i_2][i_1] = t2_0[i_2][i_1]))))).
- (* Invariant 'Partial_j' *)
- Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 <= 19) -> (t2_1[i][i_1] = v))).
}
Prove: to_uint32(1 + i) <= 10.
@@ -1382,27 +1516,30 @@ Prove: true.
------------------------------------------------------------
Goal Preservation of Invariant 'Partial_j' (file tests/wp_typed/user_init.i, line 83):
+Let x = to_uint32(1 + j).
Let m = t2_0[i].
Assume {
Type: is_uint32(i) /\ is_uint32(j).
(* Goal *)
- When: (0 <= i_1) /\ (i_1 < to_uint32(1 + j)).
+ When: (0 <= i_1) /\ (i_1 < x).
+ (* Invariant 'Range_i' *)
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant 'Partial_i' *)
Have: forall i_3,i_2 : Z. ((0 <= i_3) -> ((i_3 < i) -> ((0 <= i_2) ->
((i_2 <= 19) -> (t2_1[i_3][i_2] = v))))).
- (* Invariant 'Range_i' *)
- Have: (0 <= i) /\ (i <= 10).
(* Then *)
Have: i <= 9.
+ (* Invariant 'Range_j' *)
+ Have: (0 <= j) /\ (j <= 20).
+ (* Invariant 'Partial_j' *)
+ Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < j) -> (m[i_2] = v))).
(* Invariant 'Previous_i' *)
Have: forall i_3,i_2 : Z. ((0 <= i_3) -> ((i_3 < i) -> ((0 <= i_2) ->
((i_2 <= 19) -> (t2_0[i_3][i_2] = t2_1[i_3][i_2]))))).
- (* Invariant 'Partial_j' *)
- Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < j) -> (m[i_2] = v))).
- (* Invariant 'Range_j' *)
- Have: (0 <= j) /\ (j <= 20).
(* Then *)
Have: j <= 19.
+ (* Invariant 'Range_j' *)
+ Have: x <= 20.
}
Prove: m[j <- v][i_1] = v.
@@ -1414,29 +1551,35 @@ Prove: true.
------------------------------------------------------------
Goal Preservation of Invariant 'Previous_i' (file tests/wp_typed/user_init.i, line 84):
+Let x = to_uint32(1 + j).
Let m = t2_0[i].
+Let m_1 = m[j <- v].
Assume {
Type: is_uint32(i) /\ is_uint32(j).
(* Goal *)
When: (0 <= i_1) /\ (i_1 < i) /\ (0 <= i_2) /\ (i_2 <= 19).
+ (* Invariant 'Range_i' *)
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant 'Partial_i' *)
Have: forall i_4,i_3 : Z. ((0 <= i_4) -> ((i_4 < i) -> ((0 <= i_3) ->
((i_3 <= 19) -> (t2_1[i_4][i_3] = v))))).
- (* Invariant 'Range_i' *)
- Have: (0 <= i) /\ (i <= 10).
(* Then *)
Have: i <= 9.
+ (* Invariant 'Range_j' *)
+ Have: (0 <= j) /\ (j <= 20).
+ (* Invariant 'Partial_j' *)
+ Have: forall i_3 : Z. ((0 <= i_3) -> ((i_3 < j) -> (m[i_3] = v))).
(* Invariant 'Previous_i' *)
Have: forall i_4,i_3 : Z. ((0 <= i_4) -> ((i_4 < i) -> ((0 <= i_3) ->
((i_3 <= 19) -> (t2_0[i_4][i_3] = t2_1[i_4][i_3]))))).
- (* Invariant 'Partial_j' *)
- Have: forall i_3 : Z. ((0 <= i_3) -> ((i_3 < j) -> (m[i_3] = v))).
- (* Invariant 'Range_j' *)
- Have: (0 <= j) /\ (j <= 20).
(* Then *)
Have: j <= 19.
+ (* Invariant 'Range_j' *)
+ Have: x <= 20.
+ (* Invariant 'Partial_j' *)
+ Have: forall i_3 : Z. ((0 <= i_3) -> ((i_3 < x) -> (m_1[i_3] = v))).
}
-Prove: t2_0[i <- m[j <- v]][i_1][i_2] = t2_1[i_1][i_2].
+Prove: t2_0[i <- m_1][i_1][i_2] = t2_1[i_1][i_2].
------------------------------------------------------------
@@ -1448,20 +1591,20 @@ Prove: true.
Goal Preservation of Invariant 'Range_j' (file tests/wp_typed/user_init.i, line 82):
Assume {
Type: is_uint32(i) /\ is_uint32(j).
+ (* Invariant 'Range_i' *)
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant 'Partial_i' *)
Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 < i) -> ((0 <= i_1) ->
((i_1 <= 19) -> (t2_0[i_2][i_1] = v))))).
- (* Invariant 'Range_i' *)
- Have: (0 <= i) /\ (i <= 10).
(* Then *)
Have: i <= 9.
+ (* Invariant 'Range_j' *)
+ Have: (0 <= j) /\ (j <= 20).
+ (* Invariant 'Partial_j' *)
+ Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < j) -> (t2_1[i][i_1] = v))).
(* Invariant 'Previous_i' *)
Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 < i) -> ((0 <= i_1) ->
((i_1 <= 19) -> (t2_1[i_2][i_1] = t2_0[i_2][i_1]))))).
- (* Invariant 'Partial_j' *)
- Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < j) -> (t2_1[i][i_1] = v))).
- (* Invariant 'Range_j' *)
- Have: (0 <= j) /\ (j <= 20).
(* Then *)
Have: j <= 19.
}
@@ -1491,24 +1634,30 @@ Prove: true.
Goal Loop assigns 'tactic,Zone_i' (2/3):
Effect at line 80
+Let x = to_uint32(1 + i_2).
+Let m = t2_1[i_2].
Assume {
Type: is_uint32(i_2).
(* Goal *)
When: (0 <= i_3) /\ (0 <= i_4) /\ (0 <= i_5) /\ (0 <= i) /\ (i_3 <= 9) /\
(i_5 <= 9) /\ (i <= 9) /\ (i_4 <= 19).
+ (* Invariant 'Range_i' *)
+ Have: (0 <= i_2) /\ (i_2 <= 10).
(* Invariant 'Partial_i' *)
Have: forall i_7,i_6 : Z. ((0 <= i_7) -> ((i_7 < i_2) -> ((0 <= i_6) ->
((i_6 <= 19) -> (t2_0[i_7][i_6] = v))))).
- (* Invariant 'Range_i' *)
- Have: (0 <= i_2) /\ (i_2 <= 10).
(* Then *)
Have: i_2 <= 9.
+ (* Invariant 'Partial_j' *)
+ Have: forall i_6 : Z. ((0 <= i_6) -> ((i_6 <= 19) -> (m[i_6] = v))).
(* Invariant 'Previous_i' *)
Have: forall i_7,i_6 : Z. ((0 <= i_7) -> ((i_7 < i_2) -> ((0 <= i_6) ->
- ((i_6 <= 19) -> (t2_1[i_7][i_6] = t2_0[i_7][i_6]))))).
- (* Invariant 'Partial_j' *)
- Have: forall i_6 : Z. ((0 <= i_6) -> ((i_6 <= 19) ->
- (t2_1[i_2][i_6] = v))).
+ ((i_6 <= 19) -> (t2_0[i_7][i_6] = t2_1[i_7][i_6]))))).
+ (* Invariant 'Range_i' *)
+ Have: x <= 10.
+ (* Invariant 'Partial_i' *)
+ Have: forall i_7,i_6 : Z. ((0 <= i_7) -> ((0 <= i_6) -> ((i_7 < x) ->
+ ((i_6 <= 19) -> (t2_1[i_7][i_6] = m[0]))))).
}
Prove: exists i_7,i_6 : Z. (i_7 <= i) /\ (i_6 <= i_1) /\ (0 <= i_7) /\
(i <= i_7) /\ (i_1 <= i_6) /\ (i_7 <= 9).
@@ -1517,24 +1666,30 @@ Prove: exists i_7,i_6 : Z. (i_7 <= i) /\ (i_6 <= i_1) /\ (0 <= i_7) /\
Goal Loop assigns 'tactic,Zone_i' (3/3):
Effect at line 87
+Let x = to_uint32(1 + i_2).
+Let m = t2_1[i_2].
Assume {
Type: is_uint32(i_2).
(* Goal *)
When: (0 <= i_3) /\ (0 <= i_4) /\ (0 <= i_5) /\ (0 <= i) /\ (i_3 <= 9) /\
(i_5 <= 9) /\ (i <= 9) /\ (i_4 <= 19).
+ (* Invariant 'Range_i' *)
+ Have: (0 <= i_2) /\ (i_2 <= 10).
(* Invariant 'Partial_i' *)
Have: forall i_7,i_6 : Z. ((0 <= i_7) -> ((i_7 < i_2) -> ((0 <= i_6) ->
((i_6 <= 19) -> (t2_0[i_7][i_6] = v))))).
- (* Invariant 'Range_i' *)
- Have: (0 <= i_2) /\ (i_2 <= 10).
(* Then *)
Have: i_2 <= 9.
+ (* Invariant 'Partial_j' *)
+ Have: forall i_6 : Z. ((0 <= i_6) -> ((i_6 <= 19) -> (m[i_6] = v))).
(* Invariant 'Previous_i' *)
Have: forall i_7,i_6 : Z. ((0 <= i_7) -> ((i_7 < i_2) -> ((0 <= i_6) ->
- ((i_6 <= 19) -> (t2_1[i_7][i_6] = t2_0[i_7][i_6]))))).
- (* Invariant 'Partial_j' *)
- Have: forall i_6 : Z. ((0 <= i_6) -> ((i_6 <= 19) ->
- (t2_1[i_2][i_6] = v))).
+ ((i_6 <= 19) -> (t2_0[i_7][i_6] = t2_1[i_7][i_6]))))).
+ (* Invariant 'Range_i' *)
+ Have: x <= 10.
+ (* Invariant 'Partial_i' *)
+ Have: forall i_7,i_6 : Z. ((0 <= i_7) -> ((0 <= i_6) -> ((i_7 < x) ->
+ ((i_6 <= 19) -> (t2_1[i_7][i_6] = m[0]))))).
}
Prove: exists i_7,i_6 : Z. (i_7 <= i) /\ (i_6 <= i_1) /\ (0 <= i_7) /\
(i <= i_7) /\ (i_1 <= i_6) /\ (i_7 <= 9).
@@ -1548,27 +1703,37 @@ Prove: true.
Goal Loop assigns 'tactic,Zone_j' (2/3):
Effect at line 87
+Let m = t2_1[i_2].
+Let m_1 = m[j <- v].
+Let x = to_uint32(1 + j).
Assume {
Type: is_uint32(i_2) /\ is_uint32(j).
(* Goal *)
When: (0 <= i_3) /\ (0 <= i_4) /\ (0 <= i_5) /\ (0 <= i) /\ (i_3 <= 9) /\
(i_5 <= 9) /\ (i <= 9) /\ (i_4 <= 19).
+ (* Invariant 'Range_i' *)
+ Have: (0 <= i_2) /\ (i_2 <= 10).
(* Invariant 'Partial_i' *)
Have: forall i_7,i_6 : Z. ((0 <= i_7) -> ((i_7 < i_2) -> ((0 <= i_6) ->
((i_6 <= 19) -> (t2_0[i_7][i_6] = v))))).
- (* Invariant 'Range_i' *)
- Have: (0 <= i_2) /\ (i_2 <= 10).
(* Then *)
Have: i_2 <= 9.
+ (* Invariant 'Range_j' *)
+ Have: (0 <= j) /\ (j <= 20).
+ (* Invariant 'Partial_j' *)
+ Have: forall i_6 : Z. ((0 <= i_6) -> ((i_6 < j) -> (m[i_6] = v))).
(* Invariant 'Previous_i' *)
Have: forall i_7,i_6 : Z. ((0 <= i_7) -> ((i_7 < i_2) -> ((0 <= i_6) ->
((i_6 <= 19) -> (t2_1[i_7][i_6] = t2_0[i_7][i_6]))))).
- (* Invariant 'Partial_j' *)
- Have: forall i_6 : Z. ((0 <= i_6) -> ((i_6 < j) -> (t2_1[i_2][i_6] = v))).
- (* Invariant 'Range_j' *)
- Have: (0 <= j) /\ (j <= 20).
(* Then *)
Have: j <= 19.
+ (* Invariant 'Range_j' *)
+ Have: x <= 20.
+ (* Invariant 'Partial_j' *)
+ Have: forall i_6 : Z. ((0 <= i_6) -> ((i_6 < x) -> (m_1[i_6] = v))).
+ (* Invariant 'Previous_i' *)
+ Have: forall i_7,i_6 : Z. ((0 <= i_7) -> ((i_7 < i_2) -> ((0 <= i_6) ->
+ ((i_6 <= 19) -> (t2_1[i_2 <- m_1][i_7][i_6] = t2_0[i_7][i_6]))))).
}
Prove: exists i_7,i_6 : Z. (i_7 <= i) /\ (i_6 <= i_1) /\ (0 <= i_7) /\
(i <= i_7) /\ (i_1 <= i_6) /\ (i_7 <= 9).
@@ -1577,22 +1742,32 @@ Prove: exists i_7,i_6 : Z. (i_7 <= i) /\ (i_6 <= i_1) /\ (0 <= i_7) /\
Goal Loop assigns 'tactic,Zone_j' (3/3):
Effect at line 88
+Let m = t2_1[i].
+Let m_1 = m[j <- v].
+Let x = to_uint32(1 + j).
Assume {
Type: is_uint32(i) /\ is_uint32(j).
(* Goal *)
When: (0 <= i) /\ (0 <= j) /\ (i <= 9) /\ (j <= 19).
+ (* Invariant 'Range_i' *)
+ Have: i <= 10.
(* Invariant 'Partial_i' *)
Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 < i) -> ((0 <= i_1) ->
((i_1 <= 19) -> (t2_0[i_2][i_1] = v))))).
- (* Invariant 'Range_i' *)
- Have: i <= 10.
+ (* Invariant 'Range_j' *)
+ Have: j <= 20.
+ (* Invariant 'Partial_j' *)
+ Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < j) -> (m[i_1] = v))).
(* Invariant 'Previous_i' *)
Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 < i) -> ((0 <= i_1) ->
((i_1 <= 19) -> (t2_1[i_2][i_1] = t2_0[i_2][i_1]))))).
- (* Invariant 'Partial_j' *)
- Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < j) -> (t2_1[i][i_1] = v))).
(* Invariant 'Range_j' *)
- Have: j <= 20.
+ Have: x <= 20.
+ (* Invariant 'Partial_j' *)
+ Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < x) -> (m_1[i_1] = v))).
+ (* Invariant 'Previous_i' *)
+ Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 < i) -> ((0 <= i_1) ->
+ ((i_1 <= 19) -> (t2_1[i <- m_1][i_2][i_1] = t2_0[i_2][i_1]))))).
}
Prove: exists i_2,i_1 : Z. (i_2 <= i) /\ (0 <= i_2) /\ (i <= i_2) /\
(j <= i_1) /\ (i_1 <= j) /\ (i_2 <= 9).
@@ -1621,22 +1796,29 @@ Prove: exists i_5,i_4 : Z. (i_5 <= i) /\ (i_4 <= i_1) /\ (0 <= i_5) /\
------------------------------------------------------------
Goal Decreasing of Loop variant at loop (file tests/wp_typed/user_init.i, line 80):
+Let x = to_uint32(1 + i).
+Let m = t2_1[i].
Assume {
Type: is_uint32(i).
+ (* Invariant 'Range_i' *)
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant 'Partial_i' *)
Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 < i) -> ((0 <= i_1) ->
((i_1 <= 19) -> (t2_0[i_2][i_1] = v))))).
- (* Invariant 'Range_i' *)
- Have: (0 <= i) /\ (i <= 10).
(* Then *)
Have: i <= 9.
+ (* Invariant 'Partial_j' *)
+ Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 <= 19) -> (m[i_1] = v))).
(* Invariant 'Previous_i' *)
Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 < i) -> ((0 <= i_1) ->
- ((i_1 <= 19) -> (t2_1[i_2][i_1] = t2_0[i_2][i_1]))))).
- (* Invariant 'Partial_j' *)
- Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 <= 19) -> (t2_1[i][i_1] = v))).
+ ((i_1 <= 19) -> (t2_0[i_2][i_1] = t2_1[i_2][i_1]))))).
+ (* Invariant 'Range_i' *)
+ Have: x <= 10.
+ (* Invariant 'Partial_i' *)
+ Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((0 <= i_1) -> ((i_2 < x) ->
+ ((i_1 <= 19) -> (t2_1[i_2][i_1] = m[0]))))).
}
-Prove: i < to_uint32(1 + i).
+Prove: i < x.
------------------------------------------------------------
@@ -1646,26 +1828,36 @@ Prove: true.
------------------------------------------------------------
Goal Decreasing of Loop variant at loop (file tests/wp_typed/user_init.i, line 87):
+Let m = t2_1[i].
+Let m_1 = m[j <- v].
+Let x = to_uint32(1 + j).
Assume {
Type: is_uint32(i) /\ is_uint32(j).
+ (* Invariant 'Range_i' *)
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant 'Partial_i' *)
Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 < i) -> ((0 <= i_1) ->
((i_1 <= 19) -> (t2_0[i_2][i_1] = v))))).
- (* Invariant 'Range_i' *)
- Have: (0 <= i) /\ (i <= 10).
(* Then *)
Have: i <= 9.
+ (* Invariant 'Range_j' *)
+ Have: (0 <= j) /\ (j <= 20).
+ (* Invariant 'Partial_j' *)
+ Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < j) -> (m[i_1] = v))).
(* Invariant 'Previous_i' *)
Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 < i) -> ((0 <= i_1) ->
((i_1 <= 19) -> (t2_1[i_2][i_1] = t2_0[i_2][i_1]))))).
- (* Invariant 'Partial_j' *)
- Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < j) -> (t2_1[i][i_1] = v))).
- (* Invariant 'Range_j' *)
- Have: (0 <= j) /\ (j <= 20).
(* Then *)
Have: j <= 19.
+ (* Invariant 'Range_j' *)
+ Have: x <= 20.
+ (* Invariant 'Partial_j' *)
+ Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < x) -> (m_1[i_1] = v))).
+ (* Invariant 'Previous_i' *)
+ Have: forall i_2,i_1 : Z. ((0 <= i_2) -> ((i_2 < i) -> ((0 <= i_1) ->
+ ((i_1 <= 19) -> (t2_1[i <- m_1][i_2][i_1] = t2_0[i_2][i_1]))))).
}
-Prove: j < to_uint32(1 + j).
+Prove: j < x.
------------------------------------------------------------
@@ -1691,20 +1883,26 @@ Prove: P_MemSet20(t2_0[i], 20, v).
------------------------------------------------------------
Goal Preservation of Invariant 'Partial_i' (file tests/wp_typed/user_init.i, line 108):
+Let x = to_uint32(1 + i).
+Let m = t2_0[i].
Assume {
Type: IsArray_sint32(v) /\ is_uint32(i) /\ is_sint32(v_1) /\
- IsArray_sint32(t2_0[i]).
+ IsArray_sint32(m).
(* Goal *)
- When: (0 <= i_1) /\ (i_1 < to_uint32(1 + i)).
+ When: (0 <= i_1) /\ (i_1 < x).
+ (* Invariant 'Range_i' *)
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant 'Partial_i' *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
P_MemSet20(t2_0[i_2], 20, v_1))).
- (* Invariant 'Range_i' *)
- Have: (0 <= i) /\ (i <= 10).
(* Then *)
Have: i <= 9.
(* Invariant 'Partial_j' *)
+ Have: P_MemSet20(m, 0, v_1).
+ (* Invariant 'Partial_j' *)
Have: P_MemSet20(v, 20, v_1).
+ (* Invariant 'Range_i' *)
+ Have: x <= 10.
}
Prove: P_MemSet20(t2_0[i <- v][i_1], 20, v_1).
@@ -1716,17 +1914,20 @@ Prove: true.
------------------------------------------------------------
Goal Preservation of Invariant 'Range_i' (file tests/wp_typed/user_init.i, line 107):
+Let m = t2_0[i].
Assume {
Type: IsArray_sint32(v) /\ is_uint32(i) /\ is_sint32(v_1) /\
- IsArray_sint32(t2_0[i]).
+ IsArray_sint32(m).
+ (* Invariant 'Range_i' *)
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant 'Partial_i' *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
P_MemSet20(t2_0[i_1], 20, v_1))).
- (* Invariant 'Range_i' *)
- Have: (0 <= i) /\ (i <= 10).
(* Then *)
Have: i <= 9.
(* Invariant 'Partial_j' *)
+ Have: P_MemSet20(m, 0, v_1).
+ (* Invariant 'Partial_j' *)
Have: P_MemSet20(v, 20, v_1).
}
Prove: to_uint32(1 + i) <= 10.
@@ -1739,25 +1940,31 @@ Prove: true.
------------------------------------------------------------
Goal Preservation of Invariant 'Partial_j' (file tests/wp_typed/user_init.i, line 114):
-Let m = v[j <- v_1].
+Let x = to_uint32(1 + j).
+Let m = t2_0[i].
+Let m_1 = v[j <- v_1].
Assume {
Type: IsArray_sint32(v) /\ is_uint32(i) /\ is_uint32(j) /\
- is_sint32(v_1) /\ IsArray_sint32(t2_0[i]) /\ IsArray_sint32(m).
+ is_sint32(v_1) /\ IsArray_sint32(m) /\ IsArray_sint32(m_1).
+ (* Invariant 'Range_i' *)
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant 'Partial_i' *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
P_MemSet20(t2_0[i_1], 20, v_1))).
- (* Invariant 'Range_i' *)
- Have: (0 <= i) /\ (i <= 10).
(* Then *)
Have: i <= 9.
(* Invariant 'Partial_j' *)
- Have: P_MemSet20(v, j, v_1).
+ Have: P_MemSet20(m, 0, v_1).
(* Invariant 'Range_j' *)
Have: (0 <= j) /\ (j <= 20).
+ (* Invariant 'Partial_j' *)
+ Have: P_MemSet20(v, j, v_1).
(* Then *)
Have: j <= 19.
+ (* Invariant 'Range_j' *)
+ Have: x <= 20.
}
-Prove: P_MemSet20(m, to_uint32(1 + j), v_1).
+Prove: P_MemSet20(m_1, x, v_1).
------------------------------------------------------------
@@ -1765,11 +1972,11 @@ Goal Establishment of Invariant 'Partial_j' (file tests/wp_typed/user_init.i, li
Let m = t2_0[i].
Assume {
Type: is_uint32(i) /\ is_sint32(v) /\ IsArray_sint32(m).
+ (* Invariant 'Range_i' *)
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant 'Partial_i' *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
P_MemSet20(t2_0[i_1], 20, v))).
- (* Invariant 'Range_i' *)
- Have: (0 <= i) /\ (i <= 10).
(* Then *)
Have: i <= 9.
}
@@ -1778,20 +1985,23 @@ Prove: P_MemSet20(m, 0, v).
------------------------------------------------------------
Goal Preservation of Invariant 'Range_j' (file tests/wp_typed/user_init.i, line 113):
+Let m = t2_0[i].
Assume {
Type: IsArray_sint32(v) /\ is_uint32(i) /\ is_uint32(j) /\
- is_sint32(v_1) /\ IsArray_sint32(t2_0[i]).
+ is_sint32(v_1) /\ IsArray_sint32(m).
+ (* Invariant 'Range_i' *)
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant 'Partial_i' *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
P_MemSet20(t2_0[i_1], 20, v_1))).
- (* Invariant 'Range_i' *)
- Have: (0 <= i) /\ (i <= 10).
(* Then *)
Have: i <= 9.
(* Invariant 'Partial_j' *)
- Have: P_MemSet20(v, j, v_1).
+ Have: P_MemSet20(m, 0, v_1).
(* Invariant 'Range_j' *)
Have: (0 <= j) /\ (j <= 20).
+ (* Invariant 'Partial_j' *)
+ Have: P_MemSet20(v, j, v_1).
(* Then *)
Have: j <= 19.
}
@@ -1821,21 +2031,30 @@ Prove: true.
Goal Loop assigns 'tactic,Zone_i' (2/3):
Effect at line 111
+Let x = to_uint32(1 + i_2).
+Let m = t2_0[i_2].
Assume {
Type: IsArray_sint32(v) /\ is_uint32(i_2) /\ is_sint32(v_1) /\
- IsArray_sint32(t2_0[i_2]).
+ IsArray_sint32(m).
(* Goal *)
When: (0 <= i_3) /\ (0 <= i_4) /\ (0 <= i_5) /\ (0 <= i) /\ (i_3 <= 9) /\
(i_5 <= 9) /\ (i <= 9) /\ (i_4 <= 19).
+ (* Invariant 'Range_i' *)
+ Have: (0 <= i_2) /\ (i_2 <= 10).
(* Invariant 'Partial_i' *)
Have: forall i_6 : Z. ((0 <= i_6) -> ((i_6 < i_2) ->
P_MemSet20(t2_0[i_6], 20, v_1))).
- (* Invariant 'Range_i' *)
- Have: (0 <= i_2) /\ (i_2 <= 10).
(* Then *)
Have: i_2 <= 9.
(* Invariant 'Partial_j' *)
+ Have: P_MemSet20(m, 0, v_1).
+ (* Invariant 'Partial_j' *)
Have: P_MemSet20(v, 20, v_1).
+ (* Invariant 'Range_i' *)
+ Have: x <= 10.
+ (* Invariant 'Partial_i' *)
+ Have: forall i_6 : Z. ((0 <= i_6) -> ((i_6 < x) ->
+ P_MemSet20(t2_0[i_2 <- v][i_6], 20, v_1))).
}
Prove: exists i_7,i_6 : Z. (i_7 <= i) /\ (i_6 <= i_1) /\ (0 <= i_7) /\
(i <= i_7) /\ (i_1 <= i_6) /\ (i_7 <= 9).
@@ -1844,18 +2063,27 @@ Prove: exists i_7,i_6 : Z. (i_7 <= i) /\ (i_6 <= i_1) /\ (0 <= i_7) /\
Goal Loop assigns 'tactic,Zone_i' (3/3):
Effect at line 117
+Let x = to_uint32(1 + i).
+Let m = t2_0[i].
Assume {
Type: IsArray_sint32(v) /\ is_uint32(i) /\ is_sint32(v_1) /\
- IsArray_sint32(t2_0[i]).
+ IsArray_sint32(m).
(* Goal *)
When: (0 <= i) /\ (0 <= i_1) /\ (i <= 9) /\ (i_1 <= 19).
+ (* Invariant 'Range_i' *)
+ Have: i <= 10.
(* Invariant 'Partial_i' *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
P_MemSet20(t2_0[i_2], 20, v_1))).
- (* Invariant 'Range_i' *)
- Have: i <= 10.
+ (* Invariant 'Partial_j' *)
+ Have: P_MemSet20(m, 0, v_1).
(* Invariant 'Partial_j' *)
Have: P_MemSet20(v, 20, v_1).
+ (* Invariant 'Range_i' *)
+ Have: x <= 10.
+ (* Invariant 'Partial_i' *)
+ Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < x) ->
+ P_MemSet20(t2_0[i <- v][i_2], 20, v_1))).
}
Prove: exists i_3,i_2 : Z. (i_3 <= i) /\ (i_2 <= i_1) /\ (0 <= i_3) /\
(i <= i_3) /\ (i_1 <= i_2) /\ (i_3 <= 9).
@@ -1895,20 +2123,29 @@ Prove: exists i_5,i_4 : Z. (i_5 <= i) /\ (i_4 <= i_1) /\ (0 <= i_5) /\
------------------------------------------------------------
Goal Decreasing of Loop variant at loop (file tests/wp_typed/user_init.i, line 111):
+Let x = to_uint32(1 + i).
+Let m = t2_0[i].
Assume {
Type: IsArray_sint32(v) /\ is_uint32(i) /\ is_sint32(v_1) /\
- IsArray_sint32(t2_0[i]).
+ IsArray_sint32(m).
+ (* Invariant 'Range_i' *)
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant 'Partial_i' *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
P_MemSet20(t2_0[i_1], 20, v_1))).
- (* Invariant 'Range_i' *)
- Have: (0 <= i) /\ (i <= 10).
(* Then *)
Have: i <= 9.
(* Invariant 'Partial_j' *)
+ Have: P_MemSet20(m, 0, v_1).
+ (* Invariant 'Partial_j' *)
Have: P_MemSet20(v, 20, v_1).
+ (* Invariant 'Range_i' *)
+ Have: x <= 10.
+ (* Invariant 'Partial_i' *)
+ Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < x) ->
+ P_MemSet20(t2_0[i <- v][i_1], 20, v_1))).
}
-Prove: i < to_uint32(1 + i).
+Prove: i < x.
------------------------------------------------------------
@@ -1918,24 +2155,33 @@ Prove: true.
------------------------------------------------------------
Goal Decreasing of Loop variant at loop (file tests/wp_typed/user_init.i, line 117):
+Let m = v[j <- v_1].
+Let x = to_uint32(1 + j).
+Let m_1 = t2_0[i].
Assume {
Type: IsArray_sint32(v) /\ is_uint32(i) /\ is_uint32(j) /\
- is_sint32(v_1) /\ IsArray_sint32(t2_0[i]).
+ is_sint32(v_1) /\ IsArray_sint32(m_1) /\ IsArray_sint32(m).
+ (* Invariant 'Range_i' *)
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant 'Partial_i' *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
P_MemSet20(t2_0[i_1], 20, v_1))).
- (* Invariant 'Range_i' *)
- Have: (0 <= i) /\ (i <= 10).
(* Then *)
Have: i <= 9.
(* Invariant 'Partial_j' *)
- Have: P_MemSet20(v, j, v_1).
+ Have: P_MemSet20(m_1, 0, v_1).
(* Invariant 'Range_j' *)
Have: (0 <= j) /\ (j <= 20).
+ (* Invariant 'Partial_j' *)
+ Have: P_MemSet20(v, j, v_1).
(* Then *)
Have: j <= 19.
+ (* Invariant 'Range_j' *)
+ Have: x <= 20.
+ (* Invariant 'Partial_j' *)
+ Have: P_MemSet20(m, x, v_1).
}
-Prove: j < to_uint32(1 + j).
+Prove: j < x.
------------------------------------------------------------
diff --git a/src/plugins/wp/tests/wp_typed/oracle/user_rec.0.res.oracle b/src/plugins/wp/tests/wp_typed/oracle/user_rec.0.res.oracle
index 48d804d0c823fef23c125984780eaed6cc1ce3b8..13654bda662e5cff82b8d1969988bfad67631339 100644
--- a/src/plugins/wp/tests/wp_typed/oracle/user_rec.0.res.oracle
+++ b/src/plugins/wp/tests/wp_typed/oracle/user_rec.0.res.oracle
@@ -29,9 +29,13 @@ Assume {
Then { Have: F1_0 = 1. }
Else {
(* Invariant *)
- Have: L_fact(i - 1) = F1_0.
+ Have: 0 < n.
+ (* Invariant *)
+ Have: L_fact(1) = 1.
(* Invariant *)
Have: (2 <= i) /\ (i <= (1 + n)).
+ (* Invariant *)
+ Have: L_fact(i - 1) = F1_0.
(* Else *)
Have: n < i.
}
@@ -47,6 +51,10 @@ Assume {
(* Else *)
Have: 2 <= n.
(* Invariant *)
+ Have: 0 < n.
+ (* Invariant *)
+ Have: L_fact(1) = 1.
+ (* Invariant *)
Have: (2 <= i) /\ (i <= (1 + n)).
(* Then *)
Have: i <= n.
@@ -70,16 +78,28 @@ Assume {
(* Else *)
Have: 2 <= n.
(* Invariant *)
+ Have: 0 < n.
+ (* Invariant *)
+ Have: L_fact(1) = 1.
+ (* Invariant *)
Have: (2 <= i) /\ (i <= (1 + n)).
(* Then *)
Have: i <= n.
+ (* Invariant *)
+ Have: 0 < i.
}
Prove: x_1 = L_fact(i).
------------------------------------------------------------
Goal Establishment of Invariant (file tests/wp_typed/user_rec.i, line 16):
-Assume { Type: is_sint32(n). (* Else *) Have: 2 <= n. }
+Assume {
+ Type: is_sint32(n).
+ (* Else *)
+ Have: 2 <= n.
+ (* Invariant *)
+ Have: 0 < n.
+}
Prove: L_fact(1) = 1.
------------------------------------------------------------
@@ -95,10 +115,14 @@ Prove: true.
Goal Post-condition (file tests/wp_typed/user_rec.i, line 23) in 'F2':
Assume {
Type: is_sint32(F2_0) /\ is_sint32(i) /\ is_sint32(n).
+ (* Invariant 'RANGE' *)
+ Have: (0 < n) \/ (n <= 1).
(* Invariant 'PART' *)
- Have: if (n <= 1) then (F2_0 = 1) else (L_fact(i - 1) = F2_0).
+ Have: (L_fact(1) = 1) \/ (n <= 1).
(* Invariant 'RANGE' *)
Have: if (n <= 1) then (i = 2) else ((2 <= i) /\ (i <= (1 + n))).
+ (* Invariant 'PART' *)
+ Have: if (n <= 1) then (F2_0 = 1) else (L_fact(i - 1) = F2_0).
(* Else *)
Have: n < i.
}
@@ -111,19 +135,29 @@ Let x = i * p.
Assume {
Type: is_sint32(i) /\ is_sint32(n) /\ is_sint32(p) /\ is_sint32(1 + i) /\
is_sint32(x).
+ (* Invariant 'RANGE' *)
+ Have: (0 < n) \/ (n <= 1).
(* Invariant 'PART' *)
- Have: if (n <= 1) then (p = 1) else (L_fact(i - 1) = p).
+ Have: (L_fact(1) = 1) \/ (n <= 1).
(* Invariant 'RANGE' *)
Have: if (n <= 1) then (i = 2) else ((2 <= i) /\ (i <= (1 + n))).
+ (* Invariant 'PART' *)
+ Have: if (n <= 1) then (p = 1) else (L_fact(i - 1) = p).
(* Then *)
Have: i <= n.
+ (* Invariant 'RANGE' *)
+ Have: if (n <= 1) then (i = 1) else (0 < i).
}
Prove: if (n <= 1) then (x = 1) else (x = L_fact(i)).
------------------------------------------------------------
Goal Establishment of Invariant 'PART' (file tests/wp_typed/user_rec.i, line 29):
-Assume { Type: is_sint32(n). }
+Assume {
+ Type: is_sint32(n).
+ (* Invariant 'RANGE' *)
+ Have: (0 < n) \/ (n <= 1).
+}
Prove: (L_fact(1) = 1) \/ (n <= 1).
------------------------------------------------------------
@@ -131,10 +165,14 @@ Prove: (L_fact(1) = 1) \/ (n <= 1).
Goal Preservation of Invariant 'RANGE' (file tests/wp_typed/user_rec.i, line 28):
Assume {
Type: is_sint32(i) /\ is_sint32(n) /\ is_sint32(p) /\ is_sint32(1 + i).
+ (* Invariant 'RANGE' *)
+ Have: (0 < n) \/ (n <= 1).
(* Invariant 'PART' *)
- Have: if (n <= 1) then (p = 1) else (L_fact(i - 1) = p).
+ Have: (L_fact(1) = 1) \/ (n <= 1).
(* Invariant 'RANGE' *)
Have: if (n <= 1) then (i = 2) else ((2 <= i) /\ (i <= (1 + n))).
+ (* Invariant 'PART' *)
+ Have: if (n <= 1) then (p = 1) else (L_fact(i - 1) = p).
(* Then *)
Have: i <= n.
}
@@ -160,10 +198,14 @@ Goal Post-condition (file tests/wp_typed/user_rec.i, line 36) in 'F4':
Let x = L_fact(n).
Assume {
Type: is_sint32(F4_0) /\ is_sint32(n) /\ is_sint32(n_1).
+ (* Invariant 'RANGE' *)
+ Have: (0 < n) \/ (n <= 1).
(* Invariant 'NEVER' *)
- Have: if (n <= 1) then (F4_0 = 1) else ((x / L_fact(n_1)) = F4_0).
+ Have: ((x / x) = 1) \/ (n <= 1).
(* Invariant 'RANGE' *)
Have: if (n <= 1) then (n_1 = n) else ((0 < n_1) /\ (n_1 <= n)).
+ (* Invariant 'NEVER' *)
+ Have: if (n <= 1) then (F4_0 = 1) else ((x / L_fact(n_1)) = F4_0).
(* Else *)
Have: n_1 <= 1.
}
@@ -172,41 +214,58 @@ Prove: x = F4_0.
------------------------------------------------------------
Goal Preservation of Invariant 'NEVER' (file tests/wp_typed/user_rec.i, line 42):
-Let x = L_fact(n).
-Let x_1 = n_1 - 1.
-Let x_2 = n_1 * p.
+Let x = 1 + n.
+Let x_1 = L_fact(n).
+Let x_2 = n_1 - 1.
+Let x_3 = n_1 * p.
Assume {
- Type: is_sint32(n) /\ is_sint32(n_1) /\ is_sint32(p) /\ is_sint32(x_1) /\
- is_sint32(x_2).
+ Type: is_sint32(n) /\ is_sint32(n_1) /\ is_sint32(p) /\ is_sint32(x_2) /\
+ is_sint32(x_3).
+ (* Invariant 'RANGE' *)
+ Have: (0 < n) \/ (n <= 1).
(* Invariant 'NEVER' *)
- Have: if (n <= 1) then (p = 1) else ((x / L_fact(n_1)) = p).
+ Have: ((x_1 / x_1) = 1) \/ (n <= 1).
(* Invariant 'RANGE' *)
Have: if (n <= 1) then (n_1 = n) else ((0 < n_1) /\ (n_1 <= n)).
+ (* Invariant 'NEVER' *)
+ Have: if (n <= 1) then (p = 1) else ((x_1 / L_fact(n_1)) = p).
(* Then *)
Have: 2 <= n_1.
+ (* Invariant 'RANGE' *)
+ Have: if (n <= 1) then (x = n_1) else (n_1 <= x).
}
-Prove: if (n <= 1) then (x_2 = 1) else ((x / L_fact(x_1)) = x_2).
+Prove: if (n <= 1) then (x_3 = 1) else ((x_1 / L_fact(x_2)) = x_3).
------------------------------------------------------------
Goal Establishment of Invariant 'NEVER' (file tests/wp_typed/user_rec.i, line 42):
-Let x = L_fact(n). Assume { Type: is_sint32(n). }
+Let x = L_fact(n).
+Assume {
+ Type: is_sint32(n).
+ (* Invariant 'RANGE' *)
+ Have: (0 < n) \/ (n <= 1).
+}
Prove: ((x / x) = 1) \/ (n <= 1).
------------------------------------------------------------
Goal Preservation of Invariant 'RANGE' (file tests/wp_typed/user_rec.i, line 41):
-Let x = 1 + n.
+Let x = L_fact(n).
+Let x_1 = 1 + n.
Assume {
Type: is_sint32(n) /\ is_sint32(n_1) /\ is_sint32(p) /\ is_sint32(n_1 - 1).
+ (* Invariant 'RANGE' *)
+ Have: (0 < n) \/ (n <= 1).
(* Invariant 'NEVER' *)
- Have: if (n <= 1) then (p = 1) else ((L_fact(n) / L_fact(n_1)) = p).
+ Have: ((x / x) = 1) \/ (n <= 1).
(* Invariant 'RANGE' *)
Have: if (n <= 1) then (n_1 = n) else ((0 < n_1) /\ (n_1 <= n)).
+ (* Invariant 'NEVER' *)
+ Have: if (n <= 1) then (p = 1) else ((x / L_fact(n_1)) = p).
(* Then *)
Have: 2 <= n_1.
}
-Prove: if (n <= 1) then (x = n_1) else (n_1 <= x).
+Prove: if (n <= 1) then (x_1 = n_1) else (n_1 <= x_1).
------------------------------------------------------------
diff --git a/src/plugins/wp/tests/wp_typed/oracle/user_rec.1.res.oracle b/src/plugins/wp/tests/wp_typed/oracle/user_rec.1.res.oracle
index 7ee8668e53c9d73b825da70fa28b6ab9fe06994d..f9941a0cd6fe3a766c5334ff77b0992b3bf8e800 100644
--- a/src/plugins/wp/tests/wp_typed/oracle/user_rec.1.res.oracle
+++ b/src/plugins/wp/tests/wp_typed/oracle/user_rec.1.res.oracle
@@ -29,9 +29,13 @@ Assume {
Then { Have: F1_0 = 1. }
Else {
(* Invariant *)
- Have: L_fact(i - 1) = F1_0.
+ Have: 0 < n.
+ (* Invariant *)
+ Have: L_fact(1) = 1.
(* Invariant *)
Have: (2 <= i) /\ (i <= (1 + n)).
+ (* Invariant *)
+ Have: L_fact(i - 1) = F1_0.
(* Else *)
Have: n < i.
}
@@ -47,6 +51,10 @@ Assume {
(* Else *)
Have: 2 <= n.
(* Invariant *)
+ Have: 0 < n.
+ (* Invariant *)
+ Have: L_fact(1) = 1.
+ (* Invariant *)
Have: (2 <= i) /\ (i <= (1 + n)).
(* Then *)
Have: i <= n.
@@ -70,16 +78,28 @@ Assume {
(* Else *)
Have: 2 <= n.
(* Invariant *)
+ Have: 0 < n.
+ (* Invariant *)
+ Have: L_fact(1) = 1.
+ (* Invariant *)
Have: (2 <= i) /\ (i <= (1 + n)).
(* Then *)
Have: i <= n.
+ (* Invariant *)
+ Have: 0 < i.
}
Prove: x_1 = L_fact(i).
------------------------------------------------------------
Goal Establishment of Invariant (file tests/wp_typed/user_rec.i, line 16):
-Assume { Type: is_sint32(n). (* Else *) Have: 2 <= n. }
+Assume {
+ Type: is_sint32(n).
+ (* Else *)
+ Have: 2 <= n.
+ (* Invariant *)
+ Have: 0 < n.
+}
Prove: L_fact(1) = 1.
------------------------------------------------------------
@@ -95,10 +115,14 @@ Prove: true.
Goal Post-condition (file tests/wp_typed/user_rec.i, line 23) in 'F2':
Assume {
Type: is_sint32(F2_0) /\ is_sint32(i) /\ is_sint32(n).
+ (* Invariant 'RANGE' *)
+ Have: (0 < n) \/ (n <= 1).
(* Invariant 'PART' *)
- Have: if (n <= 1) then (F2_0 = 1) else (L_fact(i - 1) = F2_0).
+ Have: (L_fact(1) = 1) \/ (n <= 1).
(* Invariant 'RANGE' *)
Have: if (n <= 1) then (i = 2) else ((2 <= i) /\ (i <= (1 + n))).
+ (* Invariant 'PART' *)
+ Have: if (n <= 1) then (F2_0 = 1) else (L_fact(i - 1) = F2_0).
(* Else *)
Have: n < i.
}
@@ -111,19 +135,29 @@ Let x = i * p.
Assume {
Type: is_sint32(i) /\ is_sint32(n) /\ is_sint32(p) /\ is_sint32(1 + i) /\
is_sint32(x).
+ (* Invariant 'RANGE' *)
+ Have: (0 < n) \/ (n <= 1).
(* Invariant 'PART' *)
- Have: if (n <= 1) then (p = 1) else (L_fact(i - 1) = p).
+ Have: (L_fact(1) = 1) \/ (n <= 1).
(* Invariant 'RANGE' *)
Have: if (n <= 1) then (i = 2) else ((2 <= i) /\ (i <= (1 + n))).
+ (* Invariant 'PART' *)
+ Have: if (n <= 1) then (p = 1) else (L_fact(i - 1) = p).
(* Then *)
Have: i <= n.
+ (* Invariant 'RANGE' *)
+ Have: if (n <= 1) then (i = 1) else (0 < i).
}
Prove: if (n <= 1) then (x = 1) else (x = L_fact(i)).
------------------------------------------------------------
Goal Establishment of Invariant 'PART' (file tests/wp_typed/user_rec.i, line 29):
-Assume { Type: is_sint32(n). }
+Assume {
+ Type: is_sint32(n).
+ (* Invariant 'RANGE' *)
+ Have: (0 < n) \/ (n <= 1).
+}
Prove: (L_fact(1) = 1) \/ (n <= 1).
------------------------------------------------------------
@@ -131,10 +165,14 @@ Prove: (L_fact(1) = 1) \/ (n <= 1).
Goal Preservation of Invariant 'RANGE' (file tests/wp_typed/user_rec.i, line 28):
Assume {
Type: is_sint32(i) /\ is_sint32(n) /\ is_sint32(p) /\ is_sint32(1 + i).
+ (* Invariant 'RANGE' *)
+ Have: (0 < n) \/ (n <= 1).
(* Invariant 'PART' *)
- Have: if (n <= 1) then (p = 1) else (L_fact(i - 1) = p).
+ Have: (L_fact(1) = 1) \/ (n <= 1).
(* Invariant 'RANGE' *)
Have: if (n <= 1) then (i = 2) else ((2 <= i) /\ (i <= (1 + n))).
+ (* Invariant 'PART' *)
+ Have: if (n <= 1) then (p = 1) else (L_fact(i - 1) = p).
(* Then *)
Have: i <= n.
}
@@ -160,10 +198,14 @@ Goal Post-condition (file tests/wp_typed/user_rec.i, line 36) in 'F4':
Let x = L_fact(n).
Assume {
Type: is_sint32(F4_0) /\ is_sint32(n) /\ is_sint32(n_1).
+ (* Invariant 'RANGE' *)
+ Have: (0 < n) \/ (n <= 1).
(* Invariant 'NEVER' *)
- Have: if (n <= 1) then (F4_0 = 1) else ((x / L_fact(n_1)) = F4_0).
+ Have: ((x / x) = 1) \/ (n <= 1).
(* Invariant 'RANGE' *)
Have: if (n <= 1) then (n_1 = n) else ((0 < n_1) /\ (n_1 <= n)).
+ (* Invariant 'NEVER' *)
+ Have: if (n <= 1) then (F4_0 = 1) else ((x / L_fact(n_1)) = F4_0).
(* Else *)
Have: n_1 <= 1.
}
@@ -172,41 +214,58 @@ Prove: x = F4_0.
------------------------------------------------------------
Goal Preservation of Invariant 'NEVER' (file tests/wp_typed/user_rec.i, line 42):
-Let x = L_fact(n).
-Let x_1 = n_1 - 1.
-Let x_2 = n_1 * p.
+Let x = 1 + n.
+Let x_1 = L_fact(n).
+Let x_2 = n_1 - 1.
+Let x_3 = n_1 * p.
Assume {
- Type: is_sint32(n) /\ is_sint32(n_1) /\ is_sint32(p) /\ is_sint32(x_1) /\
- is_sint32(x_2).
+ Type: is_sint32(n) /\ is_sint32(n_1) /\ is_sint32(p) /\ is_sint32(x_2) /\
+ is_sint32(x_3).
+ (* Invariant 'RANGE' *)
+ Have: (0 < n) \/ (n <= 1).
(* Invariant 'NEVER' *)
- Have: if (n <= 1) then (p = 1) else ((x / L_fact(n_1)) = p).
+ Have: ((x_1 / x_1) = 1) \/ (n <= 1).
(* Invariant 'RANGE' *)
Have: if (n <= 1) then (n_1 = n) else ((0 < n_1) /\ (n_1 <= n)).
+ (* Invariant 'NEVER' *)
+ Have: if (n <= 1) then (p = 1) else ((x_1 / L_fact(n_1)) = p).
(* Then *)
Have: 2 <= n_1.
+ (* Invariant 'RANGE' *)
+ Have: if (n <= 1) then (x = n_1) else (n_1 <= x).
}
-Prove: if (n <= 1) then (x_2 = 1) else ((x / L_fact(x_1)) = x_2).
+Prove: if (n <= 1) then (x_3 = 1) else ((x_1 / L_fact(x_2)) = x_3).
------------------------------------------------------------
Goal Establishment of Invariant 'NEVER' (file tests/wp_typed/user_rec.i, line 42):
-Let x = L_fact(n). Assume { Type: is_sint32(n). }
+Let x = L_fact(n).
+Assume {
+ Type: is_sint32(n).
+ (* Invariant 'RANGE' *)
+ Have: (0 < n) \/ (n <= 1).
+}
Prove: ((x / x) = 1) \/ (n <= 1).
------------------------------------------------------------
Goal Preservation of Invariant 'RANGE' (file tests/wp_typed/user_rec.i, line 41):
-Let x = 1 + n.
+Let x = L_fact(n).
+Let x_1 = 1 + n.
Assume {
Type: is_sint32(n) /\ is_sint32(n_1) /\ is_sint32(p) /\ is_sint32(n_1 - 1).
+ (* Invariant 'RANGE' *)
+ Have: (0 < n) \/ (n <= 1).
(* Invariant 'NEVER' *)
- Have: if (n <= 1) then (p = 1) else ((L_fact(n) / L_fact(n_1)) = p).
+ Have: ((x / x) = 1) \/ (n <= 1).
(* Invariant 'RANGE' *)
Have: if (n <= 1) then (n_1 = n) else ((0 < n_1) /\ (n_1 <= n)).
+ (* Invariant 'NEVER' *)
+ Have: if (n <= 1) then (p = 1) else ((x / L_fact(n_1)) = p).
(* Then *)
Have: 2 <= n_1.
}
-Prove: if (n <= 1) then (x = n_1) else (n_1 <= x).
+Prove: if (n <= 1) then (x_1 = n_1) else (n_1 <= x_1).
------------------------------------------------------------
diff --git a/src/plugins/wp/tests/wp_typed/oracle/user_string.0.res.oracle b/src/plugins/wp/tests/wp_typed/oracle/user_string.0.res.oracle
index f6ac9a650aea8ed15b1ca16eb05f2209f1930beb..b4064b7e456bf12587e7955b68599430469ffddc 100644
--- a/src/plugins/wp/tests/wp_typed/oracle/user_string.0.res.oracle
+++ b/src/plugins/wp/tests/wp_typed/oracle/user_string.0.res.oracle
@@ -23,8 +23,8 @@ Prove: true.
Goal Preservation of Invariant 'RANGE' (file tests/wp_typed/user_string.i, line 29):
Let x = Mchar_0[ss_0].
-Let x_1 = s.base.
Let a = shift_sint8(s, L_Length(Mchar_0, s)).
+Let x_1 = s.base.
Let a_1 = shift_sint8(ss_0, 1).
Assume {
Type: is_sint8(x).
@@ -34,13 +34,15 @@ Assume {
Have: P_Length_of_str_is(Malloc_0, Mchar_0, s, i).
(* Pre-condition *)
Have: P_Length_of_str_is(Malloc_0, Mchar_0, s, i_1).
- (* Invariant 'ZERO' *)
- Have: forall i_2 : Z. ((0 <= i_2) -> (((i_2 + s.offset) < ss_0.offset) ->
- (Mchar_0[shift_sint8(s, i_2)] != 0))).
(* Invariant 'RANGE' *)
- Have: addr_le(s, ss_0) /\ addr_le(ss_0, a).
+ Have: addr_le(s, s) /\ addr_le(s, a).
(* Invariant 'BASE' *)
Have: ss_0.base = x_1.
+ (* Invariant 'RANGE' *)
+ Have: addr_le(s, ss_0) /\ addr_le(ss_0, a).
+ (* Invariant 'ZERO' *)
+ Have: forall i_2 : Z. ((0 <= i_2) -> (((i_2 + s.offset) < ss_0.offset) ->
+ (Mchar_0[shift_sint8(s, i_2)] != 0))).
(* Then *)
Have: x != 0.
}
@@ -62,30 +64,35 @@ Prove: addr_le(s, s) /\ addr_le(s, shift_sint8(s, L_Length(Mchar_0, s))).
------------------------------------------------------------
Goal Preservation of Invariant 'ZERO' (file tests/wp_typed/user_string.i, line 30):
+Let a = shift_sint8(ss_0, 1).
+Let a_1 = shift_sint8(s, L_Length(Mchar_0, s)).
Let x = Mchar_0[ss_0].
-Let x_1 = s.base.
-Let x_2 = s.offset.
-Let x_3 = ss_0.offset.
+Let x_1 = s.offset.
+Let x_2 = ss_0.offset.
+Let x_3 = s.base.
Assume {
Type: is_sint8(x).
(* Heap *)
- Type: (region(x_1) <= 0) /\ linked(Malloc_0) /\ sconst(Mchar_0).
+ Type: (region(x_3) <= 0) /\ linked(Malloc_0) /\ sconst(Mchar_0).
(* Goal *)
- When: (0 <= i) /\ ((i + x_2) <= x_3).
+ When: (0 <= i) /\ ((i + x_1) <= x_2).
(* Pre-condition *)
Have: P_Length_of_str_is(Malloc_0, Mchar_0, s, i_1).
(* Pre-condition *)
Have: P_Length_of_str_is(Malloc_0, Mchar_0, s, i_2).
- (* Invariant 'ZERO' *)
- Have: forall i_3 : Z. ((0 <= i_3) -> (((i_3 + x_2) < x_3) ->
- (Mchar_0[shift_sint8(s, i_3)] != 0))).
(* Invariant 'RANGE' *)
- Have: addr_le(s, ss_0) /\
- addr_le(ss_0, shift_sint8(s, L_Length(Mchar_0, s))).
+ Have: addr_le(s, s) /\ addr_le(s, a_1).
(* Invariant 'BASE' *)
- Have: ss_0.base = x_1.
+ Have: ss_0.base = x_3.
+ (* Invariant 'RANGE' *)
+ Have: addr_le(s, ss_0) /\ addr_le(ss_0, a_1).
+ (* Invariant 'ZERO' *)
+ Have: forall i_3 : Z. ((0 <= i_3) -> (((i_3 + x_1) < x_2) ->
+ (Mchar_0[shift_sint8(s, i_3)] != 0))).
(* Then *)
Have: x != 0.
+ (* Invariant 'RANGE' *)
+ Have: addr_le(s, a) /\ addr_le(a, a_1).
}
Prove: Mchar_0[shift_sint8(s, i)] != 0.
@@ -97,28 +104,30 @@ Prove: true.
------------------------------------------------------------
Goal Assertion 'END' (file tests/wp_typed/user_string.i, line 37):
-Let x = s.base.
-Let x_1 = s.offset.
-Let x_2 = ss_0.offset.
+Let x = s.offset.
+Let x_1 = ss_0.offset.
+Let a = shift_sint8(s, L_Length(Mchar_0, s)).
+Let x_2 = s.base.
Assume {
(* Heap *)
- Type: (region(x) <= 0) /\ linked(Malloc_0) /\ sconst(Mchar_0).
+ Type: (region(x_2) <= 0) /\ linked(Malloc_0) /\ sconst(Mchar_0).
(* Pre-condition *)
Have: P_Length_of_str_is(Malloc_0, Mchar_0, s, i).
(* Pre-condition *)
Have: P_Length_of_str_is(Malloc_0, Mchar_0, s, i_1).
- (* Invariant 'ZERO' *)
- Have: forall i_2 : Z. ((0 <= i_2) -> (((i_2 + x_1) < x_2) ->
- (Mchar_0[shift_sint8(s, i_2)] != 0))).
(* Invariant 'RANGE' *)
- Have: addr_le(s, ss_0) /\
- addr_le(ss_0, shift_sint8(s, L_Length(Mchar_0, s))).
+ Have: addr_le(s, s) /\ addr_le(s, a).
(* Invariant 'BASE' *)
- Have: ss_0.base = x.
+ Have: ss_0.base = x_2.
+ (* Invariant 'RANGE' *)
+ Have: addr_le(s, ss_0) /\ addr_le(ss_0, a).
+ (* Invariant 'ZERO' *)
+ Have: forall i_2 : Z. ((0 <= i_2) -> (((i_2 + x) < x_1) ->
+ (Mchar_0[shift_sint8(s, i_2)] != 0))).
(* Else *)
Have: Mchar_0[ss_0] = 0.
}
-Prove: P_Length_of_str_is(Malloc_0, Mchar_0, s, x_2 - x_1).
+Prove: P_Length_of_str_is(Malloc_0, Mchar_0, s, x_1 - x).
------------------------------------------------------------
@@ -145,29 +154,38 @@ Prove: true.
------------------------------------------------------------
Goal Positivity of Loop variant at loop (file tests/wp_typed/user_string.i, line 34):
-Let x = Mchar_0[ss_0].
-Let x_1 = s.base.
+Let x = s.offset.
+Let x_1 = ss_0.offset.
+Let a = shift_sint8(ss_0, 1).
Let x_2 = L_Length(Mchar_0, s).
-Let x_3 = s.offset.
-Let x_4 = ss_0.offset.
+Let a_1 = shift_sint8(s, x_2).
+Let x_3 = Mchar_0[ss_0].
+Let x_4 = s.base.
Assume {
- Type: is_sint8(x).
+ Type: is_sint8(x_3).
(* Heap *)
- Type: (region(x_1) <= 0) /\ linked(Malloc_0) /\ sconst(Mchar_0).
+ Type: (region(x_4) <= 0) /\ linked(Malloc_0) /\ sconst(Mchar_0).
(* Pre-condition *)
Have: P_Length_of_str_is(Malloc_0, Mchar_0, s, i).
(* Pre-condition *)
Have: P_Length_of_str_is(Malloc_0, Mchar_0, s, i_1).
- (* Invariant 'ZERO' *)
- Have: forall i_2 : Z. ((0 <= i_2) -> (((i_2 + x_3) < x_4) ->
- (Mchar_0[shift_sint8(s, i_2)] != 0))).
(* Invariant 'RANGE' *)
- Have: addr_le(s, ss_0) /\ addr_le(ss_0, shift_sint8(s, x_2)).
+ Have: addr_le(s, s) /\ addr_le(s, a_1).
(* Invariant 'BASE' *)
- Have: ss_0.base = x_1.
+ Have: ss_0.base = x_4.
+ (* Invariant 'RANGE' *)
+ Have: addr_le(s, ss_0) /\ addr_le(ss_0, a_1).
+ (* Invariant 'ZERO' *)
+ Have: forall i_2 : Z. ((0 <= i_2) -> (((i_2 + x) < x_1) ->
+ (Mchar_0[shift_sint8(s, i_2)] != 0))).
(* Then *)
- Have: x != 0.
+ Have: x_3 != 0.
+ (* Invariant 'RANGE' *)
+ Have: addr_le(s, a) /\ addr_le(a, a_1).
+ (* Invariant 'ZERO' *)
+ Have: forall i_2 : Z. ((0 <= i_2) -> (((i_2 + x) <= x_1) ->
+ (Mchar_0[shift_sint8(s, i_2)] != 0))).
}
-Prove: x_4 <= (x_3 + x_2).
+Prove: x_1 <= (x + x_2).
------------------------------------------------------------
diff --git a/src/plugins/wp/tests/wp_typed/oracle/user_string.1.res.oracle b/src/plugins/wp/tests/wp_typed/oracle/user_string.1.res.oracle
index b0256f00b0c4d77b72ad77ee1e2fd7ab3bb14df3..eebd87021afbb6c20969ed937a9d851eae92ae54 100644
--- a/src/plugins/wp/tests/wp_typed/oracle/user_string.1.res.oracle
+++ b/src/plugins/wp/tests/wp_typed/oracle/user_string.1.res.oracle
@@ -23,8 +23,8 @@ Prove: true.
Goal Preservation of Invariant 'RANGE' (file tests/wp_typed/user_string.i, line 29):
Let x = Mchar_0[ss_0].
-Let x_1 = s.base.
Let a = shift_sint8(s, L_Length(Mchar_0, s)).
+Let x_1 = s.base.
Let a_1 = shift_sint8(ss_0, 1).
Assume {
Type: is_sint8(x).
@@ -34,13 +34,15 @@ Assume {
Have: P_Length_of_str_is(Malloc_0, Mchar_0, s, i).
(* Pre-condition *)
Have: P_Length_of_str_is(Malloc_0, Mchar_0, s, i_1).
- (* Invariant 'ZERO' *)
- Have: forall i_2 : Z. ((0 <= i_2) -> (((i_2 + s.offset) < ss_0.offset) ->
- (Mchar_0[shift_sint8(s, i_2)] != 0))).
(* Invariant 'RANGE' *)
- Have: addr_le(s, ss_0) /\ addr_le(ss_0, a).
+ Have: addr_le(s, s) /\ addr_le(s, a).
(* Invariant 'BASE' *)
Have: ss_0.base = x_1.
+ (* Invariant 'RANGE' *)
+ Have: addr_le(s, ss_0) /\ addr_le(ss_0, a).
+ (* Invariant 'ZERO' *)
+ Have: forall i_2 : Z. ((0 <= i_2) -> (((i_2 + s.offset) < ss_0.offset) ->
+ (Mchar_0[shift_sint8(s, i_2)] != 0))).
(* Then *)
Have: x != 0.
}
@@ -62,30 +64,35 @@ Prove: addr_le(s, s) /\ addr_le(s, shift_sint8(s, L_Length(Mchar_0, s))).
------------------------------------------------------------
Goal Preservation of Invariant 'ZERO' (file tests/wp_typed/user_string.i, line 30):
+Let a = shift_sint8(ss_0, 1).
+Let a_1 = shift_sint8(s, L_Length(Mchar_0, s)).
Let x = Mchar_0[ss_0].
-Let x_1 = s.base.
-Let x_2 = s.offset.
-Let x_3 = ss_0.offset.
+Let x_1 = s.offset.
+Let x_2 = ss_0.offset.
+Let x_3 = s.base.
Assume {
Type: is_sint8(x).
(* Heap *)
- Type: (region(x_1) <= 0) /\ linked(Malloc_0) /\ sconst(Mchar_0).
+ Type: (region(x_3) <= 0) /\ linked(Malloc_0) /\ sconst(Mchar_0).
(* Goal *)
- When: (0 <= i) /\ ((i + x_2) <= x_3).
+ When: (0 <= i) /\ ((i + x_1) <= x_2).
(* Pre-condition *)
Have: P_Length_of_str_is(Malloc_0, Mchar_0, s, i_1).
(* Pre-condition *)
Have: P_Length_of_str_is(Malloc_0, Mchar_0, s, i_2).
- (* Invariant 'ZERO' *)
- Have: forall i_3 : Z. ((0 <= i_3) -> (((i_3 + x_2) < x_3) ->
- (Mchar_0[shift_sint8(s, i_3)] != 0))).
(* Invariant 'RANGE' *)
- Have: addr_le(s, ss_0) /\
- addr_le(ss_0, shift_sint8(s, L_Length(Mchar_0, s))).
+ Have: addr_le(s, s) /\ addr_le(s, a_1).
(* Invariant 'BASE' *)
- Have: ss_0.base = x_1.
+ Have: ss_0.base = x_3.
+ (* Invariant 'RANGE' *)
+ Have: addr_le(s, ss_0) /\ addr_le(ss_0, a_1).
+ (* Invariant 'ZERO' *)
+ Have: forall i_3 : Z. ((0 <= i_3) -> (((i_3 + x_1) < x_2) ->
+ (Mchar_0[shift_sint8(s, i_3)] != 0))).
(* Then *)
Have: x != 0.
+ (* Invariant 'RANGE' *)
+ Have: addr_le(s, a) /\ addr_le(a, a_1).
}
Prove: Mchar_0[shift_sint8(s, i)] != 0.
@@ -97,28 +104,30 @@ Prove: true.
------------------------------------------------------------
Goal Assertion 'END' (file tests/wp_typed/user_string.i, line 37):
-Let x = s.base.
-Let x_1 = s.offset.
-Let x_2 = ss_0.offset.
+Let x = s.offset.
+Let x_1 = ss_0.offset.
+Let a = shift_sint8(s, L_Length(Mchar_0, s)).
+Let x_2 = s.base.
Assume {
(* Heap *)
- Type: (region(x) <= 0) /\ linked(Malloc_0) /\ sconst(Mchar_0).
+ Type: (region(x_2) <= 0) /\ linked(Malloc_0) /\ sconst(Mchar_0).
(* Pre-condition *)
Have: P_Length_of_str_is(Malloc_0, Mchar_0, s, i).
(* Pre-condition *)
Have: P_Length_of_str_is(Malloc_0, Mchar_0, s, i_1).
- (* Invariant 'ZERO' *)
- Have: forall i_2 : Z. ((0 <= i_2) -> (((i_2 + x_1) < x_2) ->
- (Mchar_0[shift_sint8(s, i_2)] != 0))).
(* Invariant 'RANGE' *)
- Have: addr_le(s, ss_0) /\
- addr_le(ss_0, shift_sint8(s, L_Length(Mchar_0, s))).
+ Have: addr_le(s, s) /\ addr_le(s, a).
(* Invariant 'BASE' *)
- Have: ss_0.base = x.
+ Have: ss_0.base = x_2.
+ (* Invariant 'RANGE' *)
+ Have: addr_le(s, ss_0) /\ addr_le(ss_0, a).
+ (* Invariant 'ZERO' *)
+ Have: forall i_2 : Z. ((0 <= i_2) -> (((i_2 + x) < x_1) ->
+ (Mchar_0[shift_sint8(s, i_2)] != 0))).
(* Else *)
Have: Mchar_0[ss_0] = 0.
}
-Prove: P_Length_of_str_is(Malloc_0, Mchar_0, s, x_2 - x_1).
+Prove: P_Length_of_str_is(Malloc_0, Mchar_0, s, x_1 - x).
------------------------------------------------------------
@@ -145,29 +154,38 @@ Prove: true.
------------------------------------------------------------
Goal Positivity of Loop variant at loop (file tests/wp_typed/user_string.i, line 34):
-Let x = Mchar_0[ss_0].
-Let x_1 = s.base.
+Let x = s.offset.
+Let x_1 = ss_0.offset.
+Let a = shift_sint8(ss_0, 1).
Let x_2 = L_Length(Mchar_0, s).
-Let x_3 = s.offset.
-Let x_4 = ss_0.offset.
+Let a_1 = shift_sint8(s, x_2).
+Let x_3 = Mchar_0[ss_0].
+Let x_4 = s.base.
Assume {
- Type: is_sint8(x).
+ Type: is_sint8(x_3).
(* Heap *)
- Type: (region(x_1) <= 0) /\ linked(Malloc_0) /\ sconst(Mchar_0).
+ Type: (region(x_4) <= 0) /\ linked(Malloc_0) /\ sconst(Mchar_0).
(* Pre-condition *)
Have: P_Length_of_str_is(Malloc_0, Mchar_0, s, i).
(* Pre-condition *)
Have: P_Length_of_str_is(Malloc_0, Mchar_0, s, i_1).
- (* Invariant 'ZERO' *)
- Have: forall i_2 : Z. ((0 <= i_2) -> (((i_2 + x_3) < x_4) ->
- (Mchar_0[shift_sint8(s, i_2)] != 0))).
(* Invariant 'RANGE' *)
- Have: addr_le(s, ss_0) /\ addr_le(ss_0, shift_sint8(s, x_2)).
+ Have: addr_le(s, s) /\ addr_le(s, a_1).
(* Invariant 'BASE' *)
- Have: ss_0.base = x_1.
+ Have: ss_0.base = x_4.
+ (* Invariant 'RANGE' *)
+ Have: addr_le(s, ss_0) /\ addr_le(ss_0, a_1).
+ (* Invariant 'ZERO' *)
+ Have: forall i_2 : Z. ((0 <= i_2) -> (((i_2 + x) < x_1) ->
+ (Mchar_0[shift_sint8(s, i_2)] != 0))).
(* Then *)
- Have: x != 0.
+ Have: x_3 != 0.
+ (* Invariant 'RANGE' *)
+ Have: addr_le(s, a) /\ addr_le(a, a_1).
+ (* Invariant 'ZERO' *)
+ Have: forall i_2 : Z. ((0 <= i_2) -> (((i_2 + x) <= x_1) ->
+ (Mchar_0[shift_sint8(s, i_2)] != 0))).
}
-Prove: x_4 <= (x_3 + x_2).
+Prove: x_1 <= (x + x_2).
------------------------------------------------------------
diff --git a/src/plugins/wp/tests/wp_typed/oracle_qualif/user_init.1.session/script/init_t2_bis_v2_assigns_exit_part2.json b/src/plugins/wp/tests/wp_typed/oracle_qualif/user_init.1.session/script/init_t2_bis_v2_assigns_exit_part2.json
index a187150cc649f2fe0559e01565b0547de2fada18..aa52fbebd0ceb26b098784cbb877f8bdadb051e6 100644
--- a/src/plugins/wp/tests/wp_typed/oracle_qualif/user_init.1.session/script/init_t2_bis_v2_assigns_exit_part2.json
+++ b/src/plugins/wp/tests/wp_typed/oracle_qualif/user_init.1.session/script/init_t2_bis_v2_assigns_exit_part2.json
@@ -1,6 +1,6 @@
[ { "header": "Split", "tactic": "Wp.split", "params": {},
"select": { "select": "clause-goal",
- "target": "exists i_0,i_1:int.\n(i_0<=i_136) /\\ (i_1<=i_137) /\\ (0<=i_0) /\\ (i_136<=i_0) /\\ (i_137<=i_1)\n/\\ (i_0<=9)",
+ "target": "exists i_0,i_1:int.\n(i_0<=i_138) /\\ (i_1<=i_139) /\\ (0<=i_0) /\\ (i_138<=i_0) /\\ (i_139<=i_1)\n/\\ (i_0<=9)",
"pattern": "\\E$i$i0$i$i9" },
"children": { "Goal 1/2": [ { "prover": "Alt-Ergo:2.2.0",
"verdict": "valid", "time": 0.0088,
diff --git a/src/plugins/wp/tests/wp_typed/oracle_qualif/user_init.1.session/script/init_t2_bis_v2_assigns_normal_part2.json b/src/plugins/wp/tests/wp_typed/oracle_qualif/user_init.1.session/script/init_t2_bis_v2_assigns_normal_part2.json
index a187150cc649f2fe0559e01565b0547de2fada18..aa52fbebd0ceb26b098784cbb877f8bdadb051e6 100644
--- a/src/plugins/wp/tests/wp_typed/oracle_qualif/user_init.1.session/script/init_t2_bis_v2_assigns_normal_part2.json
+++ b/src/plugins/wp/tests/wp_typed/oracle_qualif/user_init.1.session/script/init_t2_bis_v2_assigns_normal_part2.json
@@ -1,6 +1,6 @@
[ { "header": "Split", "tactic": "Wp.split", "params": {},
"select": { "select": "clause-goal",
- "target": "exists i_0,i_1:int.\n(i_0<=i_136) /\\ (i_1<=i_137) /\\ (0<=i_0) /\\ (i_136<=i_0) /\\ (i_137<=i_1)\n/\\ (i_0<=9)",
+ "target": "exists i_0,i_1:int.\n(i_0<=i_138) /\\ (i_1<=i_139) /\\ (0<=i_0) /\\ (i_138<=i_0) /\\ (i_139<=i_1)\n/\\ (i_0<=9)",
"pattern": "\\E$i$i0$i$i9" },
"children": { "Goal 1/2": [ { "prover": "Alt-Ergo:2.2.0",
"verdict": "valid", "time": 0.0088,
diff --git a/src/plugins/wp/tests/wp_typed/oracle_qualif/user_init.1.session/script/init_t2_bis_v2_loop_assigns_part2.json b/src/plugins/wp/tests/wp_typed/oracle_qualif/user_init.1.session/script/init_t2_bis_v2_loop_assigns_part2.json
index baf7c5bf62b542aa313b0d746286e799b93e67b8..820cbd3fc5e4f803e38f914bb981e386dfc27b4a 100644
--- a/src/plugins/wp/tests/wp_typed/oracle_qualif/user_init.1.session/script/init_t2_bis_v2_loop_assigns_part2.json
+++ b/src/plugins/wp/tests/wp_typed/oracle_qualif/user_init.1.session/script/init_t2_bis_v2_loop_assigns_part2.json
@@ -3,8 +3,8 @@
"target": "exists i_0,i_1:int.\n(i_0<=i_9) /\\ (i_1<=i_10) /\\ (0<=i_0) /\\ (i_9<=i_0) /\\ (i_10<=i_1)\n/\\ (i_0<=9)",
"pattern": "\\E$i$i0$i$i9" },
"children": { "Goal 1/2": [ { "prover": "Alt-Ergo:2.2.0",
- "verdict": "valid", "time": 0.0279,
- "steps": 41 } ],
+ "verdict": "valid", "time": 0.0124,
+ "steps": 43 } ],
"Goal 2/2": [ { "prover": "Alt-Ergo:2.2.0",
- "verdict": "valid", "time": 0.021,
- "steps": 41 } ] } } ]
+ "verdict": "valid", "time": 0.0121,
+ "steps": 43 } ] } } ]
diff --git a/src/plugins/wp/tests/wp_typed/oracle_qualif/user_init.1.session/script/init_t2_bis_v2_loop_assigns_part3.json b/src/plugins/wp/tests/wp_typed/oracle_qualif/user_init.1.session/script/init_t2_bis_v2_loop_assigns_part3.json
index cae89d2a942aa4f3f67bfeab7a4b6962d46fc0a4..abaf79ffd0a939aaa9f4c60806bc8f8890d897a9 100644
--- a/src/plugins/wp/tests/wp_typed/oracle_qualif/user_init.1.session/script/init_t2_bis_v2_loop_assigns_part3.json
+++ b/src/plugins/wp/tests/wp_typed/oracle_qualif/user_init.1.session/script/init_t2_bis_v2_loop_assigns_part3.json
@@ -1,10 +1,10 @@
[ { "header": "Split", "tactic": "Wp.split", "params": {},
"select": { "select": "clause-goal",
- "target": "exists i_1,i_2:int.\n(i_1<=i_0) /\\ (i_2<=i_3) /\\ (0<=i_1) /\\ (i_0<=i_1) /\\ (i_3<=i_2) /\\ (i_1<=9)",
+ "target": "exists i_0,i_2:int.\n(i_0<=i_1) /\\ (i_2<=i_3) /\\ (0<=i_0) /\\ (i_1<=i_0) /\\ (i_3<=i_2) /\\ (i_0<=9)",
"pattern": "\\E$i$i0$i$i9" },
"children": { "Goal 1/2": [ { "prover": "Alt-Ergo:2.2.0",
- "verdict": "valid", "time": 0.009,
- "steps": 29 } ],
+ "verdict": "valid", "time": 0.0074,
+ "steps": 31 } ],
"Goal 2/2": [ { "prover": "Alt-Ergo:2.2.0",
- "verdict": "valid", "time": 0.0131,
- "steps": 29 } ] } } ]
+ "verdict": "valid", "time": 0.0078,
+ "steps": 31 } ] } } ]
diff --git a/src/plugins/wp/tests/wp_typed/oracle_qualif/user_init.1.session/script/init_t2_v2_assigns_part2.json b/src/plugins/wp/tests/wp_typed/oracle_qualif/user_init.1.session/script/init_t2_v2_assigns_part2.json
index 2ee61e01ef268896d390d325575ef4051af1088e..a158cb35d7024c69250c2c6f61b9f41654bcb56a 100644
--- a/src/plugins/wp/tests/wp_typed/oracle_qualif/user_init.1.session/script/init_t2_v2_assigns_part2.json
+++ b/src/plugins/wp/tests/wp_typed/oracle_qualif/user_init.1.session/script/init_t2_v2_assigns_part2.json
@@ -1,6 +1,6 @@
[ { "header": "Split", "tactic": "Wp.split", "params": {},
"select": { "select": "clause-goal",
- "target": "exists i_0,i_1:int.\n(i_0<=i_156) /\\ (i_1<=i_157) /\\ (0<=i_0) /\\ (i_156<=i_0) /\\ (i_157<=i_1)\n/\\ (i_0<=9)",
+ "target": "exists i_0,i_1:int.\n(i_0<=i_158) /\\ (i_1<=i_159) /\\ (0<=i_0) /\\ (i_158<=i_0) /\\ (i_159<=i_1)\n/\\ (i_0<=9)",
"pattern": "\\E$i$i0$i$i9" },
"children": { "Goal 1/2": [ { "prover": "Alt-Ergo:2.2.0",
"verdict": "valid", "time": 0.011,
diff --git a/src/plugins/wp/tests/wp_typed/oracle_qualif/user_init.1.session/script/init_t2_v2_loop_assigns_2_part2.json b/src/plugins/wp/tests/wp_typed/oracle_qualif/user_init.1.session/script/init_t2_v2_loop_assigns_2_part2.json
index 6a684ed4e4fa19eaae36dd09d3b7717df0c65a0e..18643516046a339dee16a82e44473e2dc722f1ac 100644
--- a/src/plugins/wp/tests/wp_typed/oracle_qualif/user_init.1.session/script/init_t2_v2_loop_assigns_2_part2.json
+++ b/src/plugins/wp/tests/wp_typed/oracle_qualif/user_init.1.session/script/init_t2_v2_loop_assigns_2_part2.json
@@ -3,8 +3,8 @@
"target": "exists i_0,i_1:int.\n(i_0<=i_13) /\\ (i_1<=i_14) /\\ (0<=i_0) /\\ (i_13<=i_0) /\\ (i_14<=i_1)\n/\\ (i_0<=9)",
"pattern": "\\E$i$i0$i$i9" },
"children": { "Goal 1/2": [ { "prover": "Alt-Ergo:2.2.0",
- "verdict": "valid", "time": 0.0202,
- "steps": 40 } ],
+ "verdict": "valid", "time": 0.0099,
+ "steps": 42 } ],
"Goal 2/2": [ { "prover": "Alt-Ergo:2.2.0",
- "verdict": "valid", "time": 0.0177,
- "steps": 40 } ] } } ]
+ "verdict": "valid", "time": 0.0124,
+ "steps": 42 } ] } } ]
diff --git a/src/plugins/wp/tests/wp_typed/oracle_qualif/user_init.1.session/script/init_t2_v2_loop_assigns_2_part3.json b/src/plugins/wp/tests/wp_typed/oracle_qualif/user_init.1.session/script/init_t2_v2_loop_assigns_2_part3.json
index 578ffb9958aef6bacf33cb5680b0ecbafe0f5efe..522d6695a5bb42790b4084770155336d47a74f8e 100644
--- a/src/plugins/wp/tests/wp_typed/oracle_qualif/user_init.1.session/script/init_t2_v2_loop_assigns_2_part3.json
+++ b/src/plugins/wp/tests/wp_typed/oracle_qualif/user_init.1.session/script/init_t2_v2_loop_assigns_2_part3.json
@@ -1,10 +1,10 @@
[ { "header": "Split", "tactic": "Wp.split", "params": {},
"select": { "select": "clause-goal",
- "target": "exists i_0,i_2:int.\n(i_0<=i_1) /\\ (0<=i_0) /\\ (i_1<=i_0) /\\ (j_0<=i_2) /\\ (i_2<=j_0) /\\ (i_0<=9)",
+ "target": "exists i_0,i_2:int.\n(i_0<=i_1) /\\ (0<=i_0) /\\ (i_1<=i_0) /\\ (j_1<=i_2) /\\ (i_2<=j_1) /\\ (i_0<=9)",
"pattern": "\\E$i0$i$j$j9" },
"children": { "Goal 1/2": [ { "prover": "Alt-Ergo:2.2.0",
- "verdict": "valid", "time": 0.0143,
- "steps": 24 } ],
+ "verdict": "valid", "time": 0.0094,
+ "steps": 26 } ],
"Goal 2/2": [ { "prover": "Alt-Ergo:2.2.0",
- "verdict": "valid", "time": 0.0146,
- "steps": 24 } ] } } ]
+ "verdict": "valid", "time": 0.0101,
+ "steps": 26 } ] } } ]
diff --git a/src/plugins/wp/tests/wp_typed/oracle_qualif/user_init.1.session/script/init_t2_v2_loop_assigns_part2.json b/src/plugins/wp/tests/wp_typed/oracle_qualif/user_init.1.session/script/init_t2_v2_loop_assigns_part2.json
index 72b93b5526df3a049e39f88a0d1809d9e3ec6941..71531584b1405a92d8ecee2ed8fe30b8fd988d3f 100644
--- a/src/plugins/wp/tests/wp_typed/oracle_qualif/user_init.1.session/script/init_t2_v2_loop_assigns_part2.json
+++ b/src/plugins/wp/tests/wp_typed/oracle_qualif/user_init.1.session/script/init_t2_v2_loop_assigns_part2.json
@@ -3,8 +3,8 @@
"target": "exists i_0,i_1:int.\n(i_0<=i_21) /\\ (i_1<=i_22) /\\ (0<=i_0) /\\ (i_21<=i_0) /\\ (i_22<=i_1)\n/\\ (i_0<=9)",
"pattern": "\\E$i$i0$i$i9" },
"children": { "Goal 1/2": [ { "prover": "Alt-Ergo:2.2.0",
- "verdict": "valid", "time": 0.016,
- "steps": 33 } ],
+ "verdict": "valid", "time": 0.0098,
+ "steps": 35 } ],
"Goal 2/2": [ { "prover": "Alt-Ergo:2.2.0",
- "verdict": "valid", "time": 0.0161,
- "steps": 33 } ] } } ]
+ "verdict": "valid", "time": 0.0048,
+ "steps": 35 } ] } } ]
diff --git a/src/plugins/wp/tests/wp_typed/oracle_qualif/user_init.1.session/script/init_t2_v2_loop_assigns_part3.json b/src/plugins/wp/tests/wp_typed/oracle_qualif/user_init.1.session/script/init_t2_v2_loop_assigns_part3.json
index 09755e2c851424c8871e943d93a05b0253bf1db9..0528b3f539e087d7ffe5b4a4a6ebc4bbce7590eb 100644
--- a/src/plugins/wp/tests/wp_typed/oracle_qualif/user_init.1.session/script/init_t2_v2_loop_assigns_part3.json
+++ b/src/plugins/wp/tests/wp_typed/oracle_qualif/user_init.1.session/script/init_t2_v2_loop_assigns_part3.json
@@ -3,8 +3,8 @@
"target": "exists i_0,i_1:int.\n(i_0<=i_8) /\\ (i_1<=i_9) /\\ (0<=i_0) /\\ (i_8<=i_0) /\\ (i_9<=i_1) /\\ (i_0<=9)",
"pattern": "\\E$i$i0$i$i9" },
"children": { "Goal 1/2": [ { "prover": "Alt-Ergo:2.2.0",
- "verdict": "valid", "time": 0.016,
- "steps": 33 } ],
+ "verdict": "valid", "time": 0.0098,
+ "steps": 35 } ],
"Goal 2/2": [ { "prover": "Alt-Ergo:2.2.0",
- "verdict": "valid", "time": 0.0161,
- "steps": 33 } ] } } ]
+ "verdict": "valid", "time": 0.0048,
+ "steps": 35 } ] } } ]
diff --git a/src/plugins/wp/tests/wp_typed/oracle_qualif/user_init.1.session/script/init_t2_v3_assigns_part2.json b/src/plugins/wp/tests/wp_typed/oracle_qualif/user_init.1.session/script/init_t2_v3_assigns_part2.json
index cb380dd3e39f3d5b41787e5481e2eb7b62264873..aa273fd1e8bb18e8fc52a27351743fe17f464122 100644
--- a/src/plugins/wp/tests/wp_typed/oracle_qualif/user_init.1.session/script/init_t2_v3_assigns_part2.json
+++ b/src/plugins/wp/tests/wp_typed/oracle_qualif/user_init.1.session/script/init_t2_v3_assigns_part2.json
@@ -1,6 +1,6 @@
[ { "header": "Split", "tactic": "Wp.split", "params": {},
"select": { "select": "clause-goal",
- "target": "exists i_0,i_1:int.\n(i_0<=i_148) /\\ (i_1<=i_149) /\\ (0<=i_0) /\\ (i_148<=i_0) /\\ (i_149<=i_1)\n/\\ (i_0<=9)",
+ "target": "exists i_0,i_1:int.\n(i_0<=i_149) /\\ (i_1<=i_150) /\\ (0<=i_0) /\\ (i_149<=i_0) /\\ (i_150<=i_1)\n/\\ (i_0<=9)",
"pattern": "\\E$i$i0$i$i9" },
"children": { "Goal 1/2": [ { "prover": "Alt-Ergo:2.2.0",
"verdict": "valid", "time": 0.011,
diff --git a/src/plugins/wp/tests/wp_typed/oracle_qualif/user_init.1.session/script/init_t2_v3_loop_assigns_part2.json b/src/plugins/wp/tests/wp_typed/oracle_qualif/user_init.1.session/script/init_t2_v3_loop_assigns_part2.json
index 706eac2712b2643fdff1c6caaea6ca9725f711ad..3b3491906df49d091101db28c4d58660fed8180a 100644
--- a/src/plugins/wp/tests/wp_typed/oracle_qualif/user_init.1.session/script/init_t2_v3_loop_assigns_part2.json
+++ b/src/plugins/wp/tests/wp_typed/oracle_qualif/user_init.1.session/script/init_t2_v3_loop_assigns_part2.json
@@ -3,8 +3,8 @@
"target": "exists i_0,i_1:int.\n(i_0<=i_13) /\\ (i_1<=i_14) /\\ (0<=i_0) /\\ (i_13<=i_0) /\\ (i_14<=i_1)\n/\\ (i_0<=9)",
"pattern": "\\E$i$i0$i$i9" },
"children": { "Goal 1/2": [ { "prover": "Alt-Ergo:2.2.0",
- "verdict": "valid", "time": 0.0209,
- "steps": 39 } ],
+ "verdict": "valid", "time": 0.0139,
+ "steps": 45 } ],
"Goal 2/2": [ { "prover": "Alt-Ergo:2.2.0",
- "verdict": "valid", "time": 0.0184,
- "steps": 39 } ] } } ]
+ "verdict": "valid", "time": 0.0127,
+ "steps": 45 } ] } } ]
diff --git a/src/plugins/wp/tests/wp_typed/oracle_qualif/user_init.1.session/script/init_t2_v3_loop_assigns_part3.json b/src/plugins/wp/tests/wp_typed/oracle_qualif/user_init.1.session/script/init_t2_v3_loop_assigns_part3.json
index d035bcd5046d5abb9450a6bd66795f980f87369f..c31beeea1dd2a6726bca67f972e4aebb07a292c7 100644
--- a/src/plugins/wp/tests/wp_typed/oracle_qualif/user_init.1.session/script/init_t2_v3_loop_assigns_part3.json
+++ b/src/plugins/wp/tests/wp_typed/oracle_qualif/user_init.1.session/script/init_t2_v3_loop_assigns_part3.json
@@ -3,8 +3,8 @@
"target": "exists i_0,i_1:int.\n(i_0<=i_4) /\\ (i_1<=i_6) /\\ (0<=i_0) /\\ (i_4<=i_0) /\\ (i_6<=i_1) /\\ (i_0<=9)",
"pattern": "\\E$i$i0$i$i9" },
"children": { "Goal 1/2": [ { "prover": "Alt-Ergo:2.2.0",
- "verdict": "valid", "time": 0.0146,
- "steps": 27 } ],
+ "verdict": "valid", "time": 0.0169,
+ "steps": 33 } ],
"Goal 2/2": [ { "prover": "Alt-Ergo:2.2.0",
- "verdict": "valid", "time": 0.0143,
- "steps": 27 } ] } } ]
+ "verdict": "valid", "time": 0.0081,
+ "steps": 33 } ] } } ]
diff --git a/src/plugins/wp/tests/wp_usage/oracle/caveat2.res.oracle b/src/plugins/wp/tests/wp_usage/oracle/caveat2.res.oracle
index e5407bbcb4c8cf4efe72f5628e6a2a6edd6cdb67..486046a75d95dd31ea6983a70226967d14b556bf 100644
--- a/src/plugins/wp/tests/wp_usage/oracle/caveat2.res.oracle
+++ b/src/plugins/wp/tests/wp_usage/oracle/caveat2.res.oracle
@@ -22,15 +22,17 @@ Assume {
(* Goal *)
When: (0 <= i) /\ (i < n).
(* Pre-condition *)
- Have: (0 <= n) /\ (n <= 3).
+ Have: n <= 3.
Have: ({ Init_p_0 with Init_F1_S_n = true }) = Init_p_0.
+ (* Invariant *)
+ Have: 0 <= n.
(* Loop assigns ... *)
Have: ({ Init_p_0 with Init_F1_S_a = v_1 }) = Init_p_0.
(* Invariant *)
+ Have: (0 <= i_1) /\ (i_1 <= n).
+ (* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i_1) ->
(Mint_0[shift_sint32(a, i_2)] = v[i_2]))).
- (* Invariant *)
- Have: (0 <= i_1) /\ (i_1 <= n).
(* Else *)
Have: n <= i_1.
}
@@ -42,15 +44,17 @@ Goal Preservation of Invariant (file tests/wp_usage/caveat2.i, line 21):
Assume {
Type: is_sint32(i) /\ is_sint32(n) /\ is_sint32(1 + i).
(* Pre-condition *)
- Have: (0 <= n) /\ (n <= 3).
+ Have: n <= 3.
Have: ({ Init_p_0 with Init_F1_S_n = true }) = Init_p_0.
+ (* Invariant *)
+ Have: 0 <= n.
(* Loop assigns ... *)
Have: ({ Init_p_0 with Init_F1_S_a = v }) = Init_p_0.
(* Invariant *)
+ Have: (0 <= i) /\ (i <= n).
+ (* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
(Mint_0[shift_sint32(global(G_b_26), i_1)] = v_1[i_1]))).
- (* Invariant *)
- Have: (0 <= i) /\ (i <= n).
(* Then *)
Have: i < n.
}
@@ -70,17 +74,21 @@ Assume {
(* Goal *)
When: (0 <= i_1) /\ (i_1 <= i).
(* Pre-condition *)
- Have: (0 <= n) /\ (n <= 3).
+ Have: n <= 3.
Have: ({ Init_p_0 with Init_F1_S_n = true }) = Init_p_0.
+ (* Invariant *)
+ Have: 0 <= n.
(* Loop assigns ... *)
Have: ({ Init_p_0 with Init_F1_S_a = v_1 }) = Init_p_0.
(* Invariant *)
+ Have: (0 <= i) /\ (i <= n).
+ (* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
(Mint_0[shift_sint32(a, i_2)] = v[i_2]))).
- (* Invariant *)
- Have: (0 <= i) /\ (i <= n).
(* Then *)
Have: i < n.
+ (* Invariant *)
+ Have: (-1) <= i.
}
Prove: v[i <- Mint_0[shift_sint32(a, i)]][i_1] = Mint_0[shift_sint32(a, i_1)].
diff --git a/src/plugins/wp/tests/wp_usage/oracle/caveat_range.res.oracle b/src/plugins/wp/tests/wp_usage/oracle/caveat_range.res.oracle
index ed2e13b489691f40aaf2bad6e32707de396479f7..1d87f4750391556230fd7dcb7018245a44713b6f 100644
--- a/src/plugins/wp/tests/wp_usage/oracle/caveat_range.res.oracle
+++ b/src/plugins/wp/tests/wp_usage/oracle/caveat_range.res.oracle
@@ -14,13 +14,13 @@ Assume {
(* Goal *)
When: (0 <= i) /\ (i <= 9).
(* Invariant *)
- Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i_1) ->
- (a_1[shiftfield_F1_S_g(shift_S1_S(a, i_2))] = 2))).
+ Have: (0 <= i_1) /\ (i_1 <= 10).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i_1) ->
(a_1[shiftfield_F1_S_f(shift_S1_S(a, i_2))] = 1))).
(* Invariant *)
- Have: (0 <= i_1) /\ (i_1 <= 10).
+ Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i_1) ->
+ (a_1[shiftfield_F1_S_g(shift_S1_S(a, i_2))] = 2))).
(* Else *)
Have: 10 <= i_1.
}
@@ -36,13 +36,13 @@ Assume {
(* Goal *)
When: (0 <= i) /\ (i <= 9).
(* Invariant *)
- Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i_1) ->
- (a_1[shiftfield_F1_S_g(shift_S1_S(a, i_2))] = 2))).
+ Have: (0 <= i_1) /\ (i_1 <= 10).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i_1) ->
(a_1[shiftfield_F1_S_f(shift_S1_S(a, i_2))] = 1))).
(* Invariant *)
- Have: (0 <= i_1) /\ (i_1 <= 10).
+ Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i_1) ->
+ (a_1[shiftfield_F1_S_g(shift_S1_S(a, i_2))] = 2))).
(* Else *)
Have: 10 <= i_1.
}
@@ -56,13 +56,13 @@ Let a_1 = havoc(Mint_undef_0, Mint_0, shift_S1_S(a, 0), 20).
Assume {
Type: is_sint32(i) /\ is_sint32(1 + i).
(* Invariant *)
- Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
- (a_1[shiftfield_F1_S_g(shift_S1_S(a, i_1))] = 2))).
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant *)
Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
(a_1[shiftfield_F1_S_f(shift_S1_S(a, i_1))] = 1))).
(* Invariant *)
- Have: (0 <= i) /\ (i <= 10).
+ Have: forall i_1 : Z. ((0 <= i_1) -> ((i_1 < i) ->
+ (a_1[shiftfield_F1_S_g(shift_S1_S(a, i_1))] = 2))).
(* Then *)
Have: i <= 9.
}
@@ -83,15 +83,17 @@ Assume {
(* Goal *)
When: (0 <= i_1) /\ (i_1 <= i).
(* Invariant *)
- Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_1[shiftfield_F1_S_g(shift_S1_S(a, i_2))] = 2))).
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
(a_1[shiftfield_F1_S_f(shift_S1_S(a, i_2))] = 1))).
(* Invariant *)
- Have: (0 <= i) /\ (i <= 10).
+ Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
+ (a_1[shiftfield_F1_S_g(shift_S1_S(a, i_2))] = 2))).
(* Then *)
Have: i <= 9.
+ (* Invariant *)
+ Have: (-1) <= i.
}
Prove: a_1[shiftfield_F1_S_f(shift_S1_S(a, i)) <- 1]
[shiftfield_F1_S_f(shift_S1_S(a, i_1))] = 1.
@@ -107,22 +109,28 @@ Goal Preservation of Invariant (file tests/wp_usage/caveat_range.i, line 21):
Let a = global(G_p_22).
Let a_1 = havoc(Mint_undef_0, Mint_0, shift_S1_S(a, 0), 20).
Let a_2 = shift_S1_S(a, i).
+Let a_3 = a_1[shiftfield_F1_S_f(a_2) <- 1].
Assume {
Type: is_sint32(i) /\ is_sint32(1 + i).
(* Goal *)
When: (0 <= i_1) /\ (i_1 <= i).
(* Invariant *)
- Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
- (a_1[shiftfield_F1_S_g(shift_S1_S(a, i_2))] = 2))).
+ Have: (0 <= i) /\ (i <= 10).
(* Invariant *)
Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
(a_1[shiftfield_F1_S_f(shift_S1_S(a, i_2))] = 1))).
(* Invariant *)
- Have: (0 <= i) /\ (i <= 10).
+ Have: forall i_2 : Z. ((0 <= i_2) -> ((i_2 < i) ->
+ (a_1[shiftfield_F1_S_g(shift_S1_S(a, i_2))] = 2))).
(* Then *)
Have: i <= 9.
+ (* Invariant *)
+ Have: (-1) <= i.
+ (* Invariant *)
+ Have: forall i_2 : Z. ((i_2 <= i) -> ((0 <= i_2) ->
+ (a_3[shiftfield_F1_S_f(shift_S1_S(a, i_2))] = 1))).
}
-Prove: a_1[shiftfield_F1_S_f(a_2) <- 1][shiftfield_F1_S_g(a_2) <- 2]
+Prove: a_3[shiftfield_F1_S_g(a_2) <- 2]
[shiftfield_F1_S_g(shift_S1_S(a, i_1))] = 2.
------------------------------------------------------------
diff --git a/src/plugins/wp/tests/wp_usage/oracle/issue-189-bis.0.res.oracle b/src/plugins/wp/tests/wp_usage/oracle/issue-189-bis.0.res.oracle
index f5e6746b9b82b0a337df477dc3fd35f1053fd278..3d4ea749002b687906322345b288b9470ab18698 100644
--- a/src/plugins/wp/tests/wp_usage/oracle/issue-189-bis.0.res.oracle
+++ b/src/plugins/wp/tests/wp_usage/oracle/issue-189-bis.0.res.oracle
@@ -7,11 +7,11 @@
------------------------------------------------------------
Goal Post-condition 'memcpy' in 'memcpy_alias_vars':
-Let a = Mptr_0[global(P_src_24)].
-Let a_1 = Mptr_0[global(P_dst_25)].
-Let a_2 = shift_uint8(a_1, 0).
-Let a_3 = havoc(Mint_undef_0, Mint_0, a_2, len_0).
-Let a_4 = shift_uint8(a, 0).
+Let a = Mptr_0[global(P_dst_25)].
+Let a_1 = shift_uint8(a, 0).
+Let a_2 = havoc(Mint_undef_0, Mint_0, a_1, len_0).
+Let a_3 = Mptr_0[global(P_src_24)].
+Let a_4 = shift_uint8(a_3, 0).
Assume {
Type: is_sint32(len_0) /\ is_sint32(len_1).
(* Heap *)
@@ -19,34 +19,34 @@ Assume {
(* Goal *)
When: (0 <= i) /\ ((2 + i) <= len_0).
(* Pre-condition 'write_access' *)
- Have: valid_rw(Malloc_0, a_2, len_0).
+ Have: valid_rw(Malloc_0, a_1, len_0).
(* Pre-condition 'read_access' *)
Have: valid_rd(Malloc_0, a_4, len_0).
(* Pre-condition 'unaliasing' *)
- Have: separated(a_2, len_0, a_4, len_0).
- (* Invariant 'cpy' *)
- Have: forall i_1 : Z. ((0 <= i_1) -> (((len_1 + i_1) < len_0) ->
- (a_3[shift_uint8(a, i_1)] = a_3[shift_uint8(a_1, i_1)]))).
- (* Invariant 'dst' *)
- Have: shift_uint8(a_1, len_0) = shift_uint8(v, len_1).
- (* Invariant 'src' *)
- Have: shift_uint8(a, len_0) = shift_uint8(v_1, len_1).
+ Have: separated(a_1, len_0, a_4, len_0).
(* Invariant 'len' *)
Have: len_1 <= len_0.
+ (* Invariant 'src' *)
+ Have: shift_uint8(a_3, len_0) = shift_uint8(v, len_1).
+ (* Invariant 'dst' *)
+ Have: shift_uint8(a, len_0) = shift_uint8(v_1, len_1).
+ (* Invariant 'cpy' *)
+ Have: forall i_1 : Z. ((0 <= i_1) -> (((len_1 + i_1) < len_0) ->
+ (a_2[shift_uint8(a_3, i_1)] = a_2[shift_uint8(a, i_1)]))).
(* Else *)
Have: len_1 <= 0.
}
-Prove: a_3[shift_uint8(a_1, i)] = Mint_0[shift_uint8(a, i)].
+Prove: a_2[shift_uint8(a, i)] = Mint_0[shift_uint8(a_3, i)].
------------------------------------------------------------
Goal Post-condition 'unmodified' in 'memcpy_alias_vars':
-Let a = Mptr_0[global(P_src_24)].
-Let a_1 = Mptr_0[global(P_dst_25)].
-Let a_2 = shift_uint8(a_1, 0).
-Let a_3 = havoc(Mint_undef_0, Mint_0, a_2, len_0).
-Let a_4 = shift_uint8(a, 0).
-Let a_5 = shift_uint8(a, i).
+Let a = Mptr_0[global(P_dst_25)].
+Let a_1 = shift_uint8(a, 0).
+Let a_2 = havoc(Mint_undef_0, Mint_0, a_1, len_0).
+Let a_3 = Mptr_0[global(P_src_24)].
+Let a_4 = shift_uint8(a_3, 0).
+Let a_5 = shift_uint8(a_3, i).
Assume {
Type: is_sint32(len_0) /\ is_sint32(len_1).
(* Heap *)
@@ -54,34 +54,34 @@ Assume {
(* Goal *)
When: (0 <= i) /\ ((2 + i) <= len_0).
(* Pre-condition 'write_access' *)
- Have: valid_rw(Malloc_0, a_2, len_0).
+ Have: valid_rw(Malloc_0, a_1, len_0).
(* Pre-condition 'read_access' *)
Have: valid_rd(Malloc_0, a_4, len_0).
(* Pre-condition 'unaliasing' *)
- Have: separated(a_2, len_0, a_4, len_0).
- (* Invariant 'cpy' *)
- Have: forall i_1 : Z. ((0 <= i_1) -> (((len_1 + i_1) < len_0) ->
- (a_3[shift_uint8(a, i_1)] = a_3[shift_uint8(a_1, i_1)]))).
- (* Invariant 'dst' *)
- Have: shift_uint8(a_1, len_0) = shift_uint8(v, len_1).
- (* Invariant 'src' *)
- Have: shift_uint8(a, len_0) = shift_uint8(v_1, len_1).
+ Have: separated(a_1, len_0, a_4, len_0).
(* Invariant 'len' *)
Have: len_1 <= len_0.
+ (* Invariant 'src' *)
+ Have: shift_uint8(a_3, len_0) = shift_uint8(v, len_1).
+ (* Invariant 'dst' *)
+ Have: shift_uint8(a, len_0) = shift_uint8(v_1, len_1).
+ (* Invariant 'cpy' *)
+ Have: forall i_1 : Z. ((0 <= i_1) -> (((len_1 + i_1) < len_0) ->
+ (a_2[shift_uint8(a_3, i_1)] = a_2[shift_uint8(a, i_1)]))).
(* Else *)
Have: len_1 <= 0.
}
-Prove: a_3[a_5] = Mint_0[a_5].
+Prove: a_2[a_5] = Mint_0[a_5].
------------------------------------------------------------
Goal Preservation of Invariant 'cpy' (file tests/wp_usage/issue-189-bis.i, line 27):
-Let a = Mptr_0[global(P_src_24)].
-Let a_1 = Mptr_0[global(P_dst_25)].
-Let a_2 = shift_uint8(a_1, 0).
-Let a_3 = havoc(Mint_undef_0, Mint_0, a_2, len_0).
-Let a_4 = shift_uint8(a, 0).
-Let a_5 = a_3[v <- a_3[v_1]].
+Let a = Mptr_0[global(P_dst_25)].
+Let a_1 = shift_uint8(a, 0).
+Let a_2 = havoc(Mint_undef_0, Mint_0, a_1, len_0).
+Let a_3 = Mptr_0[global(P_src_24)].
+Let a_4 = shift_uint8(a_3, 0).
+Let a_5 = a_2[v <- a_2[v_1]].
Assume {
Type: is_sint32(len_0) /\ is_sint32(len_1) /\ is_sint32(len_1 - 1).
(* Heap *)
@@ -89,24 +89,26 @@ Assume {
(* Goal *)
When: (0 <= i) /\ ((i + len_1) <= len_0).
(* Pre-condition 'write_access' *)
- Have: valid_rw(Malloc_0, a_2, len_0).
+ Have: valid_rw(Malloc_0, a_1, len_0).
(* Pre-condition 'read_access' *)
Have: valid_rd(Malloc_0, a_4, len_0).
(* Pre-condition 'unaliasing' *)
- Have: separated(a_2, len_0, a_4, len_0).
- (* Invariant 'cpy' *)
- Have: forall i_1 : Z. ((0 <= i_1) -> (((len_1 + i_1) < len_0) ->
- (a_3[shift_uint8(a, i_1)] = a_3[shift_uint8(a_1, i_1)]))).
- (* Invariant 'dst' *)
- Have: shift_uint8(a_1, len_0) = shift_uint8(v, len_1).
- (* Invariant 'src' *)
- Have: shift_uint8(a, len_0) = shift_uint8(v_1, len_1).
+ Have: separated(a_1, len_0, a_4, len_0).
(* Invariant 'len' *)
Have: len_1 <= len_0.
+ (* Invariant 'src' *)
+ Have: shift_uint8(a_3, len_0) = shift_uint8(v_1, len_1).
+ (* Invariant 'dst' *)
+ Have: shift_uint8(a, len_0) = shift_uint8(v, len_1).
+ (* Invariant 'cpy' *)
+ Have: forall i_1 : Z. ((0 <= i_1) -> (((len_1 + i_1) < len_0) ->
+ (a_2[shift_uint8(a_3, i_1)] = a_2[shift_uint8(a, i_1)]))).
(* Then *)
Have: 0 < len_1.
+ (* Invariant 'len' *)
+ Have: len_1 <= (1 + len_0).
}
-Prove: a_5[shift_uint8(a, i)] = a_5[shift_uint8(a_1, i)].
+Prove: a_5[shift_uint8(a_3, i)] = a_5[shift_uint8(a, i)].
------------------------------------------------------------
@@ -126,30 +128,30 @@ Prove: true.
------------------------------------------------------------
Goal Preservation of Invariant 'len' (file tests/wp_usage/issue-189-bis.i, line 23):
-Let a = Mptr_0[global(P_src_24)].
-Let a_1 = Mptr_0[global(P_dst_25)].
-Let a_2 = shift_uint8(a_1, 0).
-Let a_3 = havoc(Mint_undef_0, Mint_0, a_2, len_1).
-Let a_4 = shift_uint8(a, 0).
+Let a = Mptr_0[global(P_dst_25)].
+Let a_1 = shift_uint8(a, 0).
+Let a_2 = havoc(Mint_undef_0, Mint_0, a_1, len_1).
+Let a_3 = Mptr_0[global(P_src_24)].
+Let a_4 = shift_uint8(a_3, 0).
Assume {
Type: is_sint32(len_1) /\ is_sint32(len_0) /\ is_sint32(len_0 - 1).
(* Heap *)
Type: framed(Mptr_0) /\ linked(Malloc_0).
(* Pre-condition 'write_access' *)
- Have: valid_rw(Malloc_0, a_2, len_1).
+ Have: valid_rw(Malloc_0, a_1, len_1).
(* Pre-condition 'read_access' *)
Have: valid_rd(Malloc_0, a_4, len_1).
(* Pre-condition 'unaliasing' *)
- Have: separated(a_2, len_1, a_4, len_1).
- (* Invariant 'cpy' *)
- Have: forall i : Z. ((0 <= i) -> (((len_0 + i) < len_1) ->
- (a_3[shift_uint8(a, i)] = a_3[shift_uint8(a_1, i)]))).
- (* Invariant 'dst' *)
- Have: shift_uint8(a_1, len_1) = shift_uint8(v, len_0).
- (* Invariant 'src' *)
- Have: shift_uint8(a, len_1) = shift_uint8(v_1, len_0).
+ Have: separated(a_1, len_1, a_4, len_1).
(* Invariant 'len' *)
Have: len_0 <= len_1.
+ (* Invariant 'src' *)
+ Have: shift_uint8(a_3, len_1) = shift_uint8(v, len_0).
+ (* Invariant 'dst' *)
+ Have: shift_uint8(a, len_1) = shift_uint8(v_1, len_0).
+ (* Invariant 'cpy' *)
+ Have: forall i : Z. ((0 <= i) -> (((len_0 + i) < len_1) ->
+ (a_2[shift_uint8(a_3, i)] = a_2[shift_uint8(a, i)]))).
(* Then *)
Have: 0 < len_0.
}
@@ -191,38 +193,44 @@ Prove: true.
Goal Loop assigns (file tests/wp_usage/issue-189-bis.i, line 26) (4/4):
Effect at line 32
-Let a = global(P_src_24).
+Let a = global(P_dst_25).
Let a_1 = Mptr_0[a].
-Let a_2 = global(P_dst_25).
-Let a_3 = Mptr_0[a_2].
-Let a_4 = shift_uint8(a_3, 0).
-Let a_5 = havoc(Mint_undef_0, Mint_0, a_4, len_0).
-Let a_6 = shift_uint8(a_1, 0).
+Let a_2 = shift_uint8(a_1, 0).
+Let a_3 = havoc(Mint_undef_0, Mint_0, a_2, len_0).
+Let a_4 = a_3[v <- a_3[v_1]].
+Let a_5 = global(P_src_24).
+Let a_6 = Mptr_0[a_5].
+Let a_7 = shift_uint8(a_6, 0).
Assume {
- Type: is_sint32(len_0) /\ is_sint32(len_1).
+ Type: is_sint32(len_0) /\ is_sint32(len_1) /\ is_sint32(len_1 - 1).
(* Heap *)
Type: framed(Mptr_0) /\ linked(Malloc_0).
(* Goal *)
When: !invalid(Malloc_0[P_src_24 <- 1][P_dst_25 <- 1], v, 1).
(* Pre-condition 'write_access' *)
- Have: valid_rw(Malloc_0, a_4, len_0).
+ Have: valid_rw(Malloc_0, a_2, len_0).
(* Pre-condition 'read_access' *)
- Have: valid_rd(Malloc_0, a_6, len_0).
+ Have: valid_rd(Malloc_0, a_7, len_0).
(* Pre-condition 'unaliasing' *)
- Have: separated(a_4, len_0, a_6, len_0).
- (* Invariant 'cpy' *)
- Have: forall i : Z. ((0 <= i) -> (((len_1 + i) < len_0) ->
- (a_5[shift_uint8(a_1, i)] = a_5[shift_uint8(a_3, i)]))).
- (* Invariant 'dst' *)
- Have: shift_uint8(a_3, len_0) = shift_uint8(v, len_1).
- (* Invariant 'src' *)
- Have: shift_uint8(a_1, len_0) = shift_uint8(v_1, len_1).
+ Have: separated(a_2, len_0, a_7, len_0).
(* Invariant 'len' *)
Have: len_1 <= len_0.
+ (* Invariant 'src' *)
+ Have: shift_uint8(a_6, len_0) = shift_uint8(v_1, len_1).
+ (* Invariant 'dst' *)
+ Have: shift_uint8(a_1, len_0) = shift_uint8(v, len_1).
+ (* Invariant 'cpy' *)
+ Have: forall i : Z. ((0 <= i) -> (((len_1 + i) < len_0) ->
+ (a_3[shift_uint8(a_6, i)] = a_3[shift_uint8(a_1, i)]))).
(* Then *)
Have: 0 < len_1.
+ (* Invariant 'len' *)
+ Have: len_1 <= (1 + len_0).
+ (* Invariant 'cpy' *)
+ Have: forall i : Z. ((0 <= i) -> (((len_1 + i) <= len_0) ->
+ (a_4[shift_uint8(a_6, i)] = a_4[shift_uint8(a_1, i)]))).
}
-Prove: (a_2 = v) \/ (a = v) \/ included(v, 1, a_4, len_0).
+Prove: (a = v) \/ (a_5 = v) \/ included(v, 1, a_2, len_0).
------------------------------------------------------------
@@ -236,11 +244,11 @@ Prove: true.
------------------------------------------------------------
Goal Post-condition 'memcpy,ok' in 'memcpy_context_vars':
-Let a = Mptr_0[global(P_src_47)].
-Let a_1 = Mptr_0[global(P_dst_48)].
-Let a_2 = shift_uint8(a_1, 0).
-Let a_3 = havoc(Mint_undef_0, Mint_0, a_2, len_0).
-Let a_4 = shift_uint8(a, 0).
+Let a = Mptr_0[global(P_dst_48)].
+Let a_1 = shift_uint8(a, 0).
+Let a_2 = havoc(Mint_undef_0, Mint_0, a_1, len_0).
+Let a_3 = Mptr_0[global(P_src_47)].
+Let a_4 = shift_uint8(a_3, 0).
Assume {
Type: is_sint32(len_0) /\ is_sint32(len_1).
(* Heap *)
@@ -248,34 +256,34 @@ Assume {
(* Goal *)
When: (0 <= i) /\ ((2 + i) <= len_0).
(* Pre-condition 'write_access' *)
- Have: valid_rw(Malloc_0, a_2, len_0).
+ Have: valid_rw(Malloc_0, a_1, len_0).
(* Pre-condition 'read_access' *)
Have: valid_rd(Malloc_0, a_4, len_0).
(* Pre-condition 'unaliasing' *)
- Have: separated(a_2, len_0, a_4, len_0).
- (* Invariant 'ok,cpy' *)
- Have: forall i_1 : Z. ((0 <= i_1) -> (((len_1 + i_1) < len_0) ->
- (a_3[shift_uint8(a, i_1)] = a_3[shift_uint8(a_1, i_1)]))).
- (* Invariant 'ok,dst' *)
- Have: shift_uint8(a_1, len_0) = shift_uint8(dst2_0, len_1).
- (* Invariant 'ok,src' *)
- Have: shift_uint8(a, len_0) = shift_uint8(src2_0, len_1).
+ Have: separated(a_1, len_0, a_4, len_0).
(* Invariant 'ok,len' *)
Have: len_1 <= len_0.
+ (* Invariant 'ok,src' *)
+ Have: shift_uint8(a_3, len_0) = shift_uint8(src2_0, len_1).
+ (* Invariant 'ok,dst' *)
+ Have: shift_uint8(a, len_0) = shift_uint8(dst2_0, len_1).
+ (* Invariant 'ok,cpy' *)
+ Have: forall i_1 : Z. ((0 <= i_1) -> (((len_1 + i_1) < len_0) ->
+ (a_2[shift_uint8(a_3, i_1)] = a_2[shift_uint8(a, i_1)]))).
(* Else *)
Have: len_1 <= 0.
}
-Prove: a_3[shift_uint8(a_1, i)] = Mint_0[shift_uint8(a, i)].
+Prove: a_2[shift_uint8(a, i)] = Mint_0[shift_uint8(a_3, i)].
------------------------------------------------------------
Goal Post-condition 'unmodified,ok' in 'memcpy_context_vars':
-Let a = Mptr_0[global(P_src_47)].
-Let a_1 = Mptr_0[global(P_dst_48)].
-Let a_2 = shift_uint8(a_1, 0).
-Let a_3 = havoc(Mint_undef_0, Mint_0, a_2, len_0).
-Let a_4 = shift_uint8(a, 0).
-Let a_5 = shift_uint8(a, i).
+Let a = Mptr_0[global(P_dst_48)].
+Let a_1 = shift_uint8(a, 0).
+Let a_2 = havoc(Mint_undef_0, Mint_0, a_1, len_0).
+Let a_3 = Mptr_0[global(P_src_47)].
+Let a_4 = shift_uint8(a_3, 0).
+Let a_5 = shift_uint8(a_3, i).
Assume {
Type: is_sint32(len_0) /\ is_sint32(len_1).
(* Heap *)
@@ -283,34 +291,34 @@ Assume {
(* Goal *)
When: (0 <= i) /\ ((2 + i) <= len_0).
(* Pre-condition 'write_access' *)
- Have: valid_rw(Malloc_0, a_2, len_0).
+ Have: valid_rw(Malloc_0, a_1, len_0).
(* Pre-condition 'read_access' *)
Have: valid_rd(Malloc_0, a_4, len_0).
(* Pre-condition 'unaliasing' *)
- Have: separated(a_2, len_0, a_4, len_0).
- (* Invariant 'ok,cpy' *)
- Have: forall i_1 : Z. ((0 <= i_1) -> (((len_1 + i_1) < len_0) ->
- (a_3[shift_uint8(a, i_1)] = a_3[shift_uint8(a_1, i_1)]))).
- (* Invariant 'ok,dst' *)
- Have: shift_uint8(a_1, len_0) = shift_uint8(dst2_0, len_1).
- (* Invariant 'ok,src' *)
- Have: shift_uint8(a, len_0) = shift_uint8(src2_0, len_1).
+ Have: separated(a_1, len_0, a_4, len_0).
(* Invariant 'ok,len' *)
Have: len_1 <= len_0.
+ (* Invariant 'ok,src' *)
+ Have: shift_uint8(a_3, len_0) = shift_uint8(src2_0, len_1).
+ (* Invariant 'ok,dst' *)
+ Have: shift_uint8(a, len_0) = shift_uint8(dst2_0, len_1).
+ (* Invariant 'ok,cpy' *)
+ Have: forall i_1 : Z. ((0 <= i_1) -> (((len_1 + i_1) < len_0) ->
+ (a_2[shift_uint8(a_3, i_1)] = a_2[shift_uint8(a, i_1)]))).
(* Else *)
Have: len_1 <= 0.
}
-Prove: a_3[a_5] = Mint_0[a_5].
+Prove: a_2[a_5] = Mint_0[a_5].
------------------------------------------------------------
Goal Preservation of Invariant 'ok,cpy' (file tests/wp_usage/issue-189-bis.i, line 55):
-Let a = Mptr_0[global(P_src_47)].
-Let a_1 = Mptr_0[global(P_dst_48)].
-Let a_2 = shift_uint8(a_1, 0).
-Let a_3 = havoc(Mint_undef_0, Mint_0, a_2, len_0).
-Let a_4 = shift_uint8(a, 0).
-Let a_5 = a_3[dst2_0 <- a_3[src2_0]].
+Let a = Mptr_0[global(P_dst_48)].
+Let a_1 = shift_uint8(a, 0).
+Let a_2 = havoc(Mint_undef_0, Mint_0, a_1, len_0).
+Let a_3 = Mptr_0[global(P_src_47)].
+Let a_4 = shift_uint8(a_3, 0).
+Let a_5 = a_2[dst2_0 <- a_2[src2_0]].
Assume {
Type: is_sint32(len_0) /\ is_sint32(len_1) /\ is_sint32(len_1 - 1).
(* Heap *)
@@ -318,24 +326,26 @@ Assume {
(* Goal *)
When: (0 <= i) /\ ((i + len_1) <= len_0).
(* Pre-condition 'write_access' *)
- Have: valid_rw(Malloc_0, a_2, len_0).
+ Have: valid_rw(Malloc_0, a_1, len_0).
(* Pre-condition 'read_access' *)
Have: valid_rd(Malloc_0, a_4, len_0).
(* Pre-condition 'unaliasing' *)
- Have: separated(a_2, len_0, a_4, len_0).
- (* Invariant 'ok,cpy' *)
- Have: forall i_1 : Z. ((0 <= i_1) -> (((len_1 + i_1) < len_0) ->
- (a_3[shift_uint8(a, i_1)] = a_3[shift_uint8(a_1, i_1)]))).
- (* Invariant 'ok,dst' *)
- Have: shift_uint8(a_1, len_0) = shift_uint8(dst2_0, len_1).
- (* Invariant 'ok,src' *)
- Have: shift_uint8(a, len_0) = shift_uint8(src2_0, len_1).
+ Have: separated(a_1, len_0, a_4, len_0).
(* Invariant 'ok,len' *)
Have: len_1 <= len_0.
+ (* Invariant 'ok,src' *)
+ Have: shift_uint8(a_3, len_0) = shift_uint8(src2_0, len_1).
+ (* Invariant 'ok,dst' *)
+ Have: shift_uint8(a, len_0) = shift_uint8(dst2_0, len_1).
+ (* Invariant 'ok,cpy' *)
+ Have: forall i_1 : Z. ((0 <= i_1) -> (((len_1 + i_1) < len_0) ->
+ (a_2[shift_uint8(a_3, i_1)] = a_2[shift_uint8(a, i_1)]))).
(* Then *)
Have: 0 < len_1.
+ (* Invariant 'ok,len' *)
+ Have: len_1 <= (1 + len_0).
}
-Prove: a_5[shift_uint8(a, i)] = a_5[shift_uint8(a_1, i)].
+Prove: a_5[shift_uint8(a_3, i)] = a_5[shift_uint8(a, i)].
------------------------------------------------------------
@@ -355,30 +365,30 @@ Prove: true.
------------------------------------------------------------
Goal Preservation of Invariant 'ok,len' (file tests/wp_usage/issue-189-bis.i, line 51):
-Let a = Mptr_0[global(P_src_47)].
-Let a_1 = Mptr_0[global(P_dst_48)].
-Let a_2 = shift_uint8(a_1, 0).
-Let a_3 = havoc(Mint_undef_0, Mint_0, a_2, len_1).
-Let a_4 = shift_uint8(a, 0).
+Let a = Mptr_0[global(P_dst_48)].
+Let a_1 = shift_uint8(a, 0).
+Let a_2 = havoc(Mint_undef_0, Mint_0, a_1, len_1).
+Let a_3 = Mptr_0[global(P_src_47)].
+Let a_4 = shift_uint8(a_3, 0).
Assume {
Type: is_sint32(len_1) /\ is_sint32(len_0) /\ is_sint32(len_0 - 1).
(* Heap *)
Type: framed(Mptr_0) /\ linked(Malloc_0).
(* Pre-condition 'write_access' *)
- Have: valid_rw(Malloc_0, a_2, len_1).
+ Have: valid_rw(Malloc_0, a_1, len_1).
(* Pre-condition 'read_access' *)
Have: valid_rd(Malloc_0, a_4, len_1).
(* Pre-condition 'unaliasing' *)
- Have: separated(a_2, len_1, a_4, len_1).
- (* Invariant 'ok,cpy' *)
- Have: forall i : Z. ((0 <= i) -> (((len_0 + i) < len_1) ->
- (a_3[shift_uint8(a, i)] = a_3[shift_uint8(a_1, i)]))).
- (* Invariant 'ok,dst' *)
- Have: shift_uint8(a_1, len_1) = shift_uint8(dst2_0, len_0).
- (* Invariant 'ok,src' *)
- Have: shift_uint8(a, len_1) = shift_uint8(src2_0, len_0).
+ Have: separated(a_1, len_1, a_4, len_1).
(* Invariant 'ok,len' *)
Have: len_0 <= len_1.
+ (* Invariant 'ok,src' *)
+ Have: shift_uint8(a_3, len_1) = shift_uint8(src2_0, len_0).
+ (* Invariant 'ok,dst' *)
+ Have: shift_uint8(a, len_1) = shift_uint8(dst2_0, len_0).
+ (* Invariant 'ok,cpy' *)
+ Have: forall i : Z. ((0 <= i) -> (((len_0 + i) < len_1) ->
+ (a_2[shift_uint8(a_3, i)] = a_2[shift_uint8(a, i)]))).
(* Then *)
Have: 0 < len_0.
}
@@ -420,36 +430,42 @@ Prove: true.
Goal Loop assigns (file tests/wp_usage/issue-189-bis.i, line 54) (4/4):
Effect at line 60
-Let a = Mptr_0[global(P_src_47)].
-Let a_1 = Mptr_0[global(P_dst_48)].
-Let a_2 = shift_uint8(a_1, 0).
-Let a_3 = havoc(Mint_undef_0, Mint_0, a_2, len_0).
-Let a_4 = shift_uint8(a, 0).
+Let a = Mptr_0[global(P_dst_48)].
+Let a_1 = shift_uint8(a, 0).
+Let a_2 = havoc(Mint_undef_0, Mint_0, a_1, len_0).
+Let a_3 = a_2[tmp_0 <- a_2[src2_0]].
+Let a_4 = Mptr_0[global(P_src_47)].
+Let a_5 = shift_uint8(a_4, 0).
Assume {
- Type: is_sint32(len_0) /\ is_sint32(len_1).
+ Type: is_sint32(len_0) /\ is_sint32(len_1) /\ is_sint32(len_1 - 1).
(* Heap *)
Type: framed(Mptr_0) /\ linked(Malloc_0).
(* Goal *)
When: !invalid(Malloc_0[P_src_47 <- 1][P_dst_48 <- 1], tmp_0, 1).
(* Pre-condition 'write_access' *)
- Have: valid_rw(Malloc_0, a_2, len_0).
+ Have: valid_rw(Malloc_0, a_1, len_0).
(* Pre-condition 'read_access' *)
- Have: valid_rd(Malloc_0, a_4, len_0).
+ Have: valid_rd(Malloc_0, a_5, len_0).
(* Pre-condition 'unaliasing' *)
- Have: separated(a_2, len_0, a_4, len_0).
- (* Invariant 'ok,cpy' *)
- Have: forall i : Z. ((0 <= i) -> (((len_1 + i) < len_0) ->
- (a_3[shift_uint8(a, i)] = a_3[shift_uint8(a_1, i)]))).
- (* Invariant 'ok,dst' *)
- Have: shift_uint8(a_1, len_0) = shift_uint8(tmp_0, len_1).
- (* Invariant 'ok,src' *)
- Have: shift_uint8(a, len_0) = shift_uint8(src2_0, len_1).
+ Have: separated(a_1, len_0, a_5, len_0).
(* Invariant 'ok,len' *)
Have: len_1 <= len_0.
+ (* Invariant 'ok,src' *)
+ Have: shift_uint8(a_4, len_0) = shift_uint8(src2_0, len_1).
+ (* Invariant 'ok,dst' *)
+ Have: shift_uint8(a, len_0) = shift_uint8(tmp_0, len_1).
+ (* Invariant 'ok,cpy' *)
+ Have: forall i : Z. ((0 <= i) -> (((len_1 + i) < len_0) ->
+ (a_2[shift_uint8(a_4, i)] = a_2[shift_uint8(a, i)]))).
(* Then *)
Have: 0 < len_1.
+ (* Invariant 'ok,len' *)
+ Have: len_1 <= (1 + len_0).
+ (* Invariant 'ok,cpy' *)
+ Have: forall i : Z. ((0 <= i) -> (((len_1 + i) <= len_0) ->
+ (a_3[shift_uint8(a_4, i)] = a_3[shift_uint8(a, i)]))).
}
-Prove: included(tmp_0, 1, a_2, len_0).
+Prove: included(tmp_0, 1, a_1, len_0).
------------------------------------------------------------
diff --git a/src/plugins/wp/tests/wp_usage/oracle/issue-189-bis.1.res.oracle b/src/plugins/wp/tests/wp_usage/oracle/issue-189-bis.1.res.oracle
index 34ca97dda06b736d3e49cb0a7c787fca2ce32e30..a33ddb69c93825da6e494fdb99f61e7fa614ab1d 100644
--- a/src/plugins/wp/tests/wp_usage/oracle/issue-189-bis.1.res.oracle
+++ b/src/plugins/wp/tests/wp_usage/oracle/issue-189-bis.1.res.oracle
@@ -4,28 +4,28 @@
[wp] Warning: Missing RTE guards
Goal Post-condition 'memcpy,ok' in 'memcpy_context_vars':
-Let a = global(G_src_47).
-Let a_1 = global(G_dst_48).
-Let a_2 = havoc(Mint_undef_0, Mint_0, shift_uint8(a_1, 0), len_0).
+Let a = global(G_dst_48).
+Let a_1 = havoc(Mint_undef_0, Mint_0, shift_uint8(a, 0), len_0).
+Let a_2 = global(G_src_47).
Assume {
Type: is_sint32(len_0) /\ is_sint32(len_1).
(* Goal *)
When: (0 <= i) /\ ((2 + i) <= len_0).
(* Pre-condition 'write_access' *)
Have: ((0 < len_0) -> (len_0 <= 1)).
- (* Invariant 'ok,cpy' *)
- Have: forall i_1 : Z. ((0 <= i_1) -> (((len_1 + i_1) < len_0) ->
- (a_2[shift_uint8(a_1, i_1)] = Mint_0[shift_uint8(a, i_1)]))).
- (* Invariant 'ok,dst' *)
- Have: shift_uint8(a_1, len_0) = shift_uint8(dst2_0, len_1).
- (* Invariant 'ok,src' *)
- Have: shift_uint8(a, len_0) = shift_uint8(src2_0, len_1).
(* Invariant 'ok,len' *)
Have: len_1 <= len_0.
+ (* Invariant 'ok,src' *)
+ Have: shift_uint8(a_2, len_0) = shift_uint8(src2_0, len_1).
+ (* Invariant 'ok,dst' *)
+ Have: shift_uint8(a, len_0) = shift_uint8(dst2_0, len_1).
+ (* Invariant 'ok,cpy' *)
+ Have: forall i_1 : Z. ((0 <= i_1) -> (((len_1 + i_1) < len_0) ->
+ (a_1[shift_uint8(a, i_1)] = Mint_0[shift_uint8(a_2, i_1)]))).
(* Else *)
Have: len_1 <= 0.
}
-Prove: a_2[shift_uint8(a_1, i)] = Mint_0[shift_uint8(a, i)].
+Prove: a_1[shift_uint8(a, i)] = Mint_0[shift_uint8(a_2, i)].
------------------------------------------------------------
@@ -35,29 +35,31 @@ Prove: true.
------------------------------------------------------------
Goal Preservation of Invariant 'ok,cpy' (file tests/wp_usage/issue-189-bis.i, line 55):
-Let a = global(G_src_47).
-Let a_1 = global(G_dst_48).
-Let a_2 = havoc(Mint_undef_0, Mint_0, shift_uint8(a_1, 0), len_0).
-Let a_3 = a_2[dst2_0 <- a_2[src2_0]].
+Let a = global(G_dst_48).
+Let a_1 = havoc(Mint_undef_0, Mint_0, shift_uint8(a, 0), len_0).
+Let a_2 = global(G_src_47).
+Let a_3 = a_1[dst2_0 <- a_1[src2_0]].
Assume {
Type: is_sint32(len_0) /\ is_sint32(len_1) /\ is_sint32(len_1 - 1).
(* Goal *)
When: (0 <= i) /\ ((i + len_1) <= len_0).
(* Pre-condition 'write_access' *)
Have: ((0 < len_0) -> (len_0 <= 1)).
- (* Invariant 'ok,cpy' *)
- Have: forall i_1 : Z. ((0 <= i_1) -> (((len_1 + i_1) < len_0) ->
- (a_2[shift_uint8(a_1, i_1)] = Mint_0[shift_uint8(a, i_1)]))).
- (* Invariant 'ok,dst' *)
- Have: shift_uint8(a_1, len_0) = shift_uint8(dst2_0, len_1).
- (* Invariant 'ok,src' *)
- Have: shift_uint8(a, len_0) = shift_uint8(src2_0, len_1).
(* Invariant 'ok,len' *)
Have: len_1 <= len_0.
+ (* Invariant 'ok,src' *)
+ Have: shift_uint8(a_2, len_0) = shift_uint8(src2_0, len_1).
+ (* Invariant 'ok,dst' *)
+ Have: shift_uint8(a, len_0) = shift_uint8(dst2_0, len_1).
+ (* Invariant 'ok,cpy' *)
+ Have: forall i_1 : Z. ((0 <= i_1) -> (((len_1 + i_1) < len_0) ->
+ (a_1[shift_uint8(a, i_1)] = Mint_0[shift_uint8(a_2, i_1)]))).
(* Then *)
Have: 0 < len_1.
+ (* Invariant 'ok,len' *)
+ Have: len_1 <= (1 + len_0).
}
-Prove: a_3[shift_uint8(a, i)] = a_3[shift_uint8(a_1, i)].
+Prove: a_3[shift_uint8(a_2, i)] = a_3[shift_uint8(a, i)].
------------------------------------------------------------
@@ -77,22 +79,22 @@ Prove: true.
------------------------------------------------------------
Goal Preservation of Invariant 'ok,len' (file tests/wp_usage/issue-189-bis.i, line 51):
-Let a = global(G_src_47).
-Let a_1 = global(G_dst_48).
+Let a = global(G_dst_48).
+Let a_1 = global(G_src_47).
Assume {
Type: is_sint32(len_1) /\ is_sint32(len_0) /\ is_sint32(len_0 - 1).
(* Pre-condition 'write_access' *)
Have: ((0 < len_1) -> (len_1 <= 1)).
- (* Invariant 'ok,cpy' *)
- Have: forall i : Z. ((0 <= i) -> (((len_0 + i) < len_1) ->
- (havoc(Mint_undef_0, Mint_0, shift_uint8(a_1, 0), len_1)
- [shift_uint8(a_1, i)] = Mint_0[shift_uint8(a, i)]))).
- (* Invariant 'ok,dst' *)
- Have: shift_uint8(a_1, len_1) = shift_uint8(dst2_0, len_0).
- (* Invariant 'ok,src' *)
- Have: shift_uint8(a, len_1) = shift_uint8(src2_0, len_0).
(* Invariant 'ok,len' *)
Have: len_0 <= len_1.
+ (* Invariant 'ok,src' *)
+ Have: shift_uint8(a_1, len_1) = shift_uint8(src2_0, len_0).
+ (* Invariant 'ok,dst' *)
+ Have: shift_uint8(a, len_1) = shift_uint8(dst2_0, len_0).
+ (* Invariant 'ok,cpy' *)
+ Have: forall i : Z. ((0 <= i) -> (((len_0 + i) < len_1) ->
+ (havoc(Mint_undef_0, Mint_0, shift_uint8(a, 0), len_1)
+ [shift_uint8(a, i)] = Mint_0[shift_uint8(a_1, i)]))).
(* Then *)
Have: 0 < len_0.
}
@@ -134,31 +136,37 @@ Prove: true.
Goal Loop assigns (file tests/wp_usage/issue-189-bis.i, line 54) (4/4):
Effect at line 60
-Let a = global(G_src_47).
-Let a_1 = global(G_dst_48).
-Let a_2 = shift_uint8(a_1, 0).
+Let a = global(G_dst_48).
+Let a_1 = shift_uint8(a, 0).
+Let a_2 = havoc(Mint_undef_0, Mint_0, a_1, len_0).
+Let a_3 = a_2[tmp_0 <- a_2[src2_0]].
+Let a_4 = global(G_src_47).
Assume {
- Type: is_sint32(len_0) /\ is_sint32(len_1).
+ Type: is_sint32(len_0) /\ is_sint32(len_1) /\ is_sint32(len_1 - 1).
(* Heap *)
Type: linked(Malloc_0).
(* Goal *)
When: !invalid(Malloc_0, tmp_0, 1).
(* Pre-condition 'write_access' *)
Have: ((0 < len_0) -> (len_0 <= 1)).
- (* Invariant 'ok,cpy' *)
- Have: forall i : Z. ((0 <= i) -> (((len_1 + i) < len_0) ->
- (havoc(Mint_undef_0, Mint_0, a_2, len_0)[shift_uint8(a_1, i)] =
- Mint_0[shift_uint8(a, i)]))).
- (* Invariant 'ok,dst' *)
- Have: shift_uint8(a_1, len_0) = shift_uint8(tmp_0, len_1).
- (* Invariant 'ok,src' *)
- Have: shift_uint8(a, len_0) = shift_uint8(src2_0, len_1).
(* Invariant 'ok,len' *)
Have: len_1 <= len_0.
+ (* Invariant 'ok,src' *)
+ Have: shift_uint8(a_4, len_0) = shift_uint8(src2_0, len_1).
+ (* Invariant 'ok,dst' *)
+ Have: shift_uint8(a, len_0) = shift_uint8(tmp_0, len_1).
+ (* Invariant 'ok,cpy' *)
+ Have: forall i : Z. ((0 <= i) -> (((len_1 + i) < len_0) ->
+ (a_2[shift_uint8(a, i)] = Mint_0[shift_uint8(a_4, i)]))).
(* Then *)
Have: 0 < len_1.
+ (* Invariant 'ok,len' *)
+ Have: len_1 <= (1 + len_0).
+ (* Invariant 'ok,cpy' *)
+ Have: forall i : Z. ((0 <= i) -> (((len_1 + i) <= len_0) ->
+ (a_3[shift_uint8(a_4, i)] = a_3[shift_uint8(a, i)]))).
}
-Prove: included(tmp_0, 1, a_2, len_0).
+Prove: included(tmp_0, 1, a_1, len_0).
------------------------------------------------------------