diff --git a/creusot-std/src/cell/permcell.rs b/creusot-std/src/cell/permcell.rs index 592f622bd4..72634355ee 100644 --- a/creusot-std/src/cell/permcell.rs +++ b/creusot-std/src/cell/permcell.rs @@ -4,13 +4,13 @@ //! track of the logical value. use crate::{ - ghost::perm::{Container, Perm, SendPerm, SyncPerm}, + ghost::{ + NotObjective, + perm::{Perm, PermTarget}, + }, prelude::*, }; -use core::cell::UnsafeCell; - -#[cfg(not(feature = "std"))] -use alloc::boxed::Box; +use core::{cell::UnsafeCell, marker::PhantomData}; /// Cell with ghost permissions /// @@ -26,8 +26,9 @@ use alloc::boxed::Box; #[opaque] pub struct PermCell(UnsafeCell); -impl Container for PermCell { +impl PermTarget for PermCell { type Value = T; + type PermPayload = (NotObjective, PhantomData); } #[trusted] @@ -35,11 +36,6 @@ unsafe impl Send for PermCell {} #[trusted] unsafe impl Sync for PermCell {} -#[trusted] -impl SendPerm for PermCell {} -#[trusted] -impl SyncPerm for PermCell {} - impl Invariant for Perm> { #[logic(open, prophetic, inline)] #[creusot::trusted_trivial_if_param_trivial] @@ -54,7 +50,7 @@ impl PermCell { #[check(terminates)] #[ensures(result.0 == *result.1.ward())] #[ensures((*result.1)@ == value)] - pub fn new(value: T) -> (Self, Ghost>>>) { + pub fn new(value: T) -> (Self, Ghost>>) { let this = Self(UnsafeCell::new(value)); let perm = Ghost::conjure(); (this, perm) @@ -107,7 +103,7 @@ impl PermCell { #[check(terminates)] #[requires(self == *perm.ward())] #[ensures(result == perm@)] - pub fn into_inner(self, perm: Ghost>>>) -> T { + pub fn into_inner(self, perm: Ghost>>) -> T { let _ = perm; self.0.into_inner() } diff --git a/creusot-std/src/ghost.rs b/creusot-std/src/ghost.rs index a736af0d84..4f0b0e4048 100644 --- a/creusot-std/src/ghost.rs +++ b/creusot-std/src/ghost.rs @@ -24,7 +24,7 @@ mod shared; pub use self::{ fn_ghost::{FnGhost, FnGhostWrapper}, - perm::Container, + perm::PermTarget, shared::GhostShared, }; 
@@ -300,4 +300,4 @@ define_objective! {} /// /// This negative implementation primarily targets `Perm>` and /// `Perm<*const T>`. -pub(crate) struct NotObjective {} +pub struct NotObjective {} diff --git a/creusot-std/src/ghost/invariant.rs b/creusot-std/src/ghost/invariant.rs index 703e71529b..a65db2e96b 100644 --- a/creusot-std/src/ghost/invariant.rs +++ b/creusot-std/src/ghost/invariant.rs @@ -40,7 +40,7 @@ //! } //! } //! -//! struct PermCellNAInv(Box>>); +//! struct PermCellNAInv(Perm>); //! impl Protocol for PermCellNAInv { //! type Public = Id; //! diff --git a/creusot-std/src/ghost/perm.rs b/creusot-std/src/ghost/perm.rs index d4f5aab0e6..4dd6d2cdc4 100644 --- a/creusot-std/src/ghost/perm.rs +++ b/creusot-std/src/ghost/perm.rs @@ -1,13 +1,13 @@ //! Generic permissions for accessing memory pointed to by pointers or within an interior mutable //! type. +use crate::prelude::*; #[cfg(creusot)] use crate::resolve::structural_resolve; -use crate::{ghost::NotObjective, prelude::*}; -use core::marker::PhantomData; -pub trait Container { +pub trait PermTarget { type Value: ?Sized; + type PermPayload: ?Sized; #[logic(open, inline)] fn is_disjoint(&self, _self_val: &Self::Value, other: &Self, _other_val: &Self::Value) -> bool { @@ -15,11 +15,6 @@ pub trait Container { } } -#[trusted] -pub trait SendPerm: Container {} -#[trusted] -pub trait SyncPerm: Container {} - /// Token that represents the ownership of the contents of a container object. The container is /// either an interior mutable type (e.g., `Perm` or atomic types) or a raw pointer. /// 
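Review bot: The new associated type `type PermPayload: ?Sized;` in `PermTarget` has no doc comment, yet after this series it is the single thing that decides whether `Perm<C>` is Send, Sync, Sized and (presumably, by the same structural rule that `NotObjective` opts out of) Objective: the `SendPerm`/`SyncPerm` opt-in traits go away in the second perm.rs hunk on this line, and the `@@ -66,18 +61,9 @@` hunk of perm.rs drops the trusted `unsafe impl Send`/`Sync for Perm` and turns `Perm` into a plain wrapper around `C::PermPayload`, so the auto traits are inherited from whatever tuple each implementer picks. That moves a soundness-relevant decision from an explicit `#[trusted]` impl to an implicit convention that a future `PermTarget` impl can get wrong silently, for example by leaving `NotObjective` out and making a permission duplicable. Please add a doc comment on the associated type stating that `Perm<C>` holds exactly one `PermPayload` value and inherits its Send/Sync/Objective/Sized status from it, that `NotObjective` must be a component for any non-duplicable permission, and that `PhantomData<T>` is the way to tie thread-safety to the guarded value. The ghost.rs hunk on this line makes `NotObjective` `pub` for exactly that purpose, so its doc (which still only names the two `Perm` targets) could say the same. The `is_disjoint` default method continues outside the hunk.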
@@ -66,18 +61,9 @@ pub trait SyncPerm: Container {} /// Certain facts about the layout and alignment of pointers can be made available /// through the type invariant of [`crate::std::ptr::PtrLive`] by calling [`Perm::live`]. #[opaque] -pub struct Perm( - NotObjective, - #[allow(unused)] *mut (), - #[allow(unused)] [PhantomData], -); - -#[trusted] -unsafe impl Send for Perm {} -#[trusted] -unsafe impl Sync for Perm {} +pub struct Perm(#[allow(unused)] C::PermPayload); -impl Perm { +impl Perm { /// Returns the underlying container that is managed by this permission. #[logic(opaque)] pub fn ward<'a>(self) -> &'a C { @@ -99,7 +85,7 @@ impl Perm { pub fn disjoint_lemma(&mut self, other: &Self) {} } -impl Resolve for Perm { +impl Resolve for Perm { #[logic(open, prophetic, inline)] #[creusot::trusted_trivial_if_param_trivial] fn resolve(self) -> bool { @@ -114,7 +100,7 @@ impl Resolve for Perm { fn resolve_coherence(self) {} } -impl> View for Perm { +impl> View for Perm { type ViewTy = C::Value; #[logic(open, inline)] diff --git a/creusot-std/src/lib.rs b/creusot-std/src/lib.rs index 0602e015a7..61cf8de016 100644 --- a/creusot-std/src/lib.rs +++ b/creusot-std/src/lib.rs @@ -45,10 +45,8 @@ //! //! 7. [`prelude`][mod@prelude]: What you should import before doing anything with Creusot #![cfg_attr(feature = "nightly", allow(incomplete_features, internal_features))] -#![cfg_attr( - feature = "nightly", - feature(step_trait, allocator_api, unboxed_closures, tuple_trait, edition_panic) -)] +#![cfg_attr(feature = "nightly", feature(step_trait, unboxed_closures, tuple_trait, edition_panic))] +#![cfg_attr(all(feature = "nightly", feature = "std"), feature(allocator_api))] #![cfg_attr( creusot, feature( diff --git a/creusot-std/src/std.rs b/creusot-std/src/std.rs index 89194215d5..5fbdd37e2e 100644 --- a/creusot-std/src/std.rs +++ b/creusot-std/src/std.rs @@ -2,7 +2,6 @@ mod array; mod bool; mod borrow; -mod boxed; pub mod cell; pub mod char; pub mod clone; 
@@ -20,13 +19,11 @@ pub mod option; pub mod panicking; pub mod ptr; pub mod range; -pub mod rc; pub mod result; pub mod slice; pub mod string; pub mod time; mod tuples; -pub mod vec; // Every std-dependent part of the Creusot Standard Library must be disabled when // compiling with [no_std]. @@ -36,15 +33,17 @@ pub mod collections { pub mod hash_map; pub mod hash_set; } - +#[cfg(feature = "std")] +mod boxed; #[cfg(feature = "std")] pub mod deque; - #[cfg(feature = "std")] pub mod io; - +#[cfg(feature = "std")] +pub mod rc; #[cfg(feature = "std")] pub mod sync; - #[cfg(feature = "std")] pub mod thread; +#[cfg(feature = "std")] +pub mod vec; diff --git a/creusot-std/src/std/boxed.rs b/creusot-std/src/std/boxed.rs index 952215b29c..ee497d78aa 100644 --- a/creusot-std/src/std/boxed.rs +++ b/creusot-std/src/std/boxed.rs @@ -2,13 +2,10 @@ use crate::resolve::structural_resolve; use crate::{invariant::*, prelude::*}; #[cfg(feature = "nightly")] -use core::alloc::Allocator; - -#[cfg(not(feature = "std"))] -use alloc::boxed::Box; +use std::alloc::Allocator; #[cfg(creusot)] -use core::ops::{Deref, DerefMut}; +use std::ops::{Deref, DerefMut}; #[cfg(feature = "nightly")] impl DeepModel for Box { diff --git a/creusot-std/src/std/convert.rs b/creusot-std/src/std/convert.rs index e63133e034..7bd1fc3349 100644 --- a/creusot-std/src/std/convert.rs +++ b/creusot-std/src/std/convert.rs @@ -1,8 +1,6 @@ use crate::prelude::*; #[cfg(all(creusot, feature = "std"))] -use alloc::alloc::Allocator; -#[cfg(all(creusot, not(feature = "std")))] -use alloc::boxed::Box; +use std::alloc::Allocator; extern_spec! { mod core { @@ -37,7 +35,10 @@ extern_spec! { #[ensures(result == Some(x))] fn from(x: T) -> Self; } +} +#[cfg(feature = "std")] +extern_spec! { impl From for Box { #[check(ghost)] #[ensures(*result == x)] @@ -71,10 +72,7 @@ extern_spec! { Box::new(s) } } -} -#[cfg(feature = "std")] -extern_spec! { impl From<&[T]> for Vec { // FIXME: inherit ghost/terminates from clone 
diff --git a/creusot-std/src/std/deque.rs b/creusot-std/src/std/deque.rs index 62bea79aef..47b9ab602a 100644 --- a/creusot-std/src/std/deque.rs +++ b/creusot-std/src/std/deque.rs @@ -5,7 +5,7 @@ use crate::prelude::*; use crate::{invariant::inv, resolve::structural_resolve}; #[cfg(feature = "nightly")] -use core::alloc::Allocator; +use std::alloc::Allocator; #[cfg(feature = "nightly")] use std::collections::VecDeque; use std::collections::vec_deque::Iter; diff --git a/creusot-std/src/std/ptr.rs b/creusot-std/src/std/ptr.rs index bde4ac8972..3770e63e03 100644 --- a/creusot-std/src/std/ptr.rs +++ b/creusot-std/src/std/ptr.rs @@ -4,16 +4,16 @@ pub use self::nonnull::NonNullExt; #[cfg(creusot)] use crate::std::mem::{align_of_logic, size_of_logic, size_of_val_logic}; use crate::{ - ghost::perm::{Container, Perm}, + ghost::{ + NotObjective, + perm::{Perm, PermTarget}, + }, prelude::*, }; use core::marker::PhantomData; #[cfg(creusot)] use core::ptr::Pointee; -#[cfg(not(feature = "std"))] -use alloc::boxed::Box; - /// Metadata of a pointer in logic. /// /// [`std::ptr::metadata`] in logic. @@ -519,8 +519,9 @@ extern_spec! { } } -impl Container for *const T { +impl PermTarget for *const T { type Value = T; + type PermPayload = (NotObjective, PhantomData, [bool]); #[logic(open, inline)] fn is_disjoint(&self, self_val: &T, other: &Self, other_val: &T) -> bool { @@ -547,6 +548,7 @@ impl Perm<*const T> { /// cell initialized with `v`. #[check(terminates)] // can overflow the number of available pointer adresses #[ensures(*result.1.ward() == result.0 && *result.1.val() == v)] + #[cfg(feature = "std")] pub fn new(v: T) -> (*mut T, Ghost>>) where T: Sized, @@ -559,6 +561,7 @@ impl Perm<*const T> { #[check(terminates)] // can overflow the number of available pointer adresses #[ensures(*result.1.ward() == result.0 && *result.1.val() == *val)] #[erasure(Box::into_raw)] + #[cfg(feature = "std")] pub fn from_box(val: Box) -> (*mut T, Ghost>>) { (Box::into_raw(val), Ghost::conjure()) } 
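Review bot: The payload chosen for `*const T`, `type PermPayload = (NotObjective, PhantomData<T>, [bool]);`, changes the thread-safety of `Perm<*const T>` without saying so: the old `Perm` tuple carried a `*mut ()` field and was Send/Sync only through the trusted `SendPerm`/`SyncPerm` impls, which none of the ptr.rs hunks show being provided for `*const T` (so the raw-pointer permission was, as far as the diff shows, neither), whereas the new payload is Send/Sync exactly when `T` is. If that is the intent — a permission over a raw pointer is an owning token, so following `T` the way `Box<T>` does is defensible — state it on the line, e.g. `// Send/Sync follow T (owning token, like Box<T>); NotObjective keeps the permission non-duplicable`. The trailing `[bool]` is opaque to a reader; it seems to play the role the old `[PhantomData<C>]` played in keeping the payload unsized, and deserves a comment of its own saying why `Perm<*const T>` must stay unsized. The `is_disjoint` body after the changed lines continues outside the hunk.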
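Review bot: The added `#[cfg(feature = "std")]` on `new` (and on `from_box` in the same hunk) is placed last in the attribute stack, after `#[check(terminates)]`, `#[ensures(...)]` and `#[erasure(Box::into_raw)]`, so the gating is the last thing a reader sees, while every other `#[cfg]` introduced by this series (std.rs, convert.rs, sync.rs) sits directly above the item it gates. Move it to the first attribute line of each function, i.e. `#[cfg(feature = "std")]` immediately above the doc comment and contract attributes. The same ordering applies to `to_box` and `drop` in the `@@ -676,6 +679,7 @@` and `@@ -690,6 +694,7 @@` hunks of ptr.rs. With these four gates a `no_std` build still has `Perm<*const T>` but none of the allocation-backed constructors or destructors; if that is intended, a one-line note on the enclosing `impl Perm<*const T>` block (which starts outside the hunk) would save the next reader a search.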
@@ -676,6 +679,7 @@ impl Perm<*const T> { #[ensures(*result == *own.val())] #[allow(unused_variables)] #[erasure(Box::from_raw)] + #[cfg(feature = "std")] pub unsafe fn to_box(ptr: *mut T, own: Ghost>>) -> Box { unsafe { Box::from_raw(ptr) } } @@ -690,6 +694,7 @@ impl Perm<*const T> { /// [type documentation](Perm). #[check(terminates)] #[requires(ptr as *const T == *own.ward())] + #[cfg(feature = "std")] pub unsafe fn drop(ptr: *mut T, own: Ghost>>) { let _ = unsafe { Self::to_box(ptr, own) }; } diff --git a/creusot-std/src/std/rc.rs b/creusot-std/src/std/rc.rs index c58cad731c..1510332cab 100644 --- a/creusot-std/src/std/rc.rs +++ b/creusot-std/src/std/rc.rs @@ -1,11 +1,11 @@ use crate::prelude::*; #[cfg(creusot)] use crate::std::ptr::PointerExt as _; -use alloc::rc::Rc; -#[cfg(feature = "nightly")] -use alloc::{alloc::Allocator, boxed::Box}; #[cfg(creusot)] -use core::ops::Deref; +use std::ops::Deref; +use std::rc::Rc; +#[cfg(feature = "nightly")] +use std::{alloc::Allocator, boxed::Box}; /// Extension trait for [`Rc`]. pub trait RcExt { diff --git a/creusot-std/src/std/slice.rs b/creusot-std/src/std/slice.rs index fd037d3251..0a8ba278ef 100644 --- a/creusot-std/src/std/slice.rs +++ b/creusot-std/src/std/slice.rs @@ -1,14 +1,14 @@ #[cfg(creusot)] use crate::resolve::structural_resolve; use crate::{ghost::perm::Perm, invariant::*, logic::ops::IndexLogic, prelude::*}; -#[cfg(all(creusot, feature = "std"))] -use core::alloc::Allocator; #[cfg(creusot)] use core::ops::{Index, IndexMut}; use core::{ ops::{Range, RangeFrom, RangeFull, RangeInclusive, RangeTo, RangeToInclusive}, slice::*, }; +#[cfg(all(creusot, feature = "std"))] +use std::alloc::Allocator; impl Invariant for [T] { #[logic(open, prophetic)] diff --git a/creusot-std/src/std/sync.rs b/creusot-std/src/std/sync.rs index fb4d4542da..2124d6bae1 100644 --- a/creusot-std/src/std/sync.rs +++ b/creusot-std/src/std/sync.rs 
@@ -5,10 +5,10 @@ use std::sync::Arc; use crate::std::ptr::PointerExt as _; #[cfg(creusot)] -use core::ops::Deref; +use std::ops::Deref; #[cfg(feature = "nightly")] -use core::alloc::Allocator; +use std::alloc::Allocator; pub mod atomic; #[cfg(feature = "sc-drf")] @@ -28,6 +28,7 @@ pub trait ArcExt { #[logic] fn as_ptr_logic(self) -> *const Self::Pointee; } + #[cfg(feature = "nightly")] impl ArcExt for Arc { type Pointee = T; diff --git a/creusot-std/src/std/sync/atomic.rs b/creusot-std/src/std/sync/atomic.rs index e448a676ac..02a51b9ec7 100644 --- a/creusot-std/src/std/sync/atomic.rs +++ b/creusot-std/src/std/sync/atomic.rs @@ -1,10 +1,7 @@ -#[cfg(creusot)] -use crate::ghost::Objective; - use crate::{ ghost::{ - Container, FnGhost, - perm::{Perm, SendPerm, SyncPerm}, + FnGhost, + perm::{Perm, PermTarget}, }, logic::FMap, prelude::*, @@ -56,17 +53,9 @@ macro_rules! impl_atomic { #[doc = concat!("Creusot wrapper around [`std::sync::atomic::", stringify!($atomic_type), "`].")] pub struct $atomic_type $(< $T >)?(::std::sync::atomic::$atomic_type $(< $T >)?); - #[trusted] - impl $(< $T >)? SendPerm for $atomic_type $(< $T >)? {} - #[trusted] - impl $(< $T >)? SyncPerm for $atomic_type $(< $T >)? {} - - #[cfg(creusot)] - #[trusted] - impl $(< $T >)? Objective for Perm<$atomic_type $(< $T >)?> {} - - impl $(< $T >)? Container for $atomic_type $(< $T >)? { + impl $(< $T >)? PermTarget for $atomic_type $(< $T >)? { type Value = FMap; + type PermPayload = (); } impl $(< $T >)? HasTimestamp for $atomic_type $(< $T >)? { @@ -89,7 +78,7 @@ macro_rules! impl_atomic { #[trusted] #[check(terminates)] #[allow(unused_variables)] - pub fn new(val: $type, sync_view: Ghost<&mut SyncView>) -> (Self, Ghost)?>>>) { + pub fn new(val: $type, sync_view: Ghost<&mut SyncView>) -> (Self, Ghost)?>>) { (Self(std::sync::atomic::$atomic_type::new(val)), Ghost::conjure()) } 
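Review bot: `type PermPayload = ();` replaces three explicit trusted impls (`SendPerm`, `SyncPerm` and the `#[cfg(creusot)] Objective for Perm<$atomic_type>`) with an empty payload, and nothing at the site says that this is what the unit type now encodes: with `Perm` wrapping `C::PermPayload`, `()` makes `Perm<$atomic_type>` Send + Sync and, presumably through the same structural rule that `NotObjective` opts out of, Objective (duplicable). That matches what the removed impls asserted, but it is now invisible in the macro, and a later edit that adds a real field to this payload would silently change all three properties for every atomic type the macro expands. Add a comment on the line, e.g. `// () payload: Perm<$atomic_type> is Send + Sync and Objective (duplicable), as the trusted impls it replaces asserted`. The same applies to `type PermPayload = ();` in the atomic_sc.rs `@@ -17,22 +14,18 @@` hunk.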
@@ -104,7 +93,7 @@ macro_rules! impl_atomic { #[inline(always)] #[trusted] #[allow(unused_variables)] - pub fn into_inner(self, own: Ghost)?>>>, sync_view: Ghost<&mut SyncView>) -> ($type, Ghost) { + pub fn into_inner(self, own: Ghost)?>>, sync_view: Ghost<&mut SyncView>) -> ($type, Ghost) { (self.0.into_inner(), Ghost::conjure()) } diff --git a/creusot-std/src/std/sync/atomic_sc.rs b/creusot-std/src/std/sync/atomic_sc.rs index 67e3d7bcdc..3efe7f1368 100644 --- a/creusot-std/src/std/sync/atomic_sc.rs +++ b/creusot-std/src/std/sync/atomic_sc.rs @@ -1,8 +1,5 @@ use crate::{ - ghost::{ - Container, FnGhost, - perm::{Perm, SendPerm, SyncPerm}, - }, + ghost::{FnGhost, PermTarget, perm::Perm}, prelude::*, std::sync::{ atomic::{Ordering, Ordering::Ordering as _}, @@ -17,22 +14,18 @@ macro_rules! impl_atomic { #[doc = concat!("Creusot wrapper around [`std::sync::atomic::", stringify!($atomic_type), "`].")] pub struct $atomic_type $(< $T >)?(::std::sync::atomic::$atomic_type $(< $T >)?); - impl $(< $T >)? Container for $atomic_type $(< $T >)? { + impl $(< $T >)? PermTarget for $atomic_type $(< $T >)? { type Value = $type; + type PermPayload = (); } - #[trusted] - impl $(< $T >)? SendPerm for $atomic_type $(< $T >)? {} - #[trusted] - impl $(< $T >)? SyncPerm for $atomic_type $(< $T >)? {} - impl $(< $T >)? $atomic_type $(< $T >)? { #[ensures(*result.1.val() == val)] #[ensures(*result.1.ward() == result.0)] #[inline(always)] #[trusted] #[check(terminates)] - pub fn new(val: $type) -> (Self, Ghost)?>>>) { + pub fn new(val: $type) -> (Self, Ghost)?>>) { (Self(::std::sync::atomic::$atomic_type::new(val)), Ghost::conjure()) } @@ -42,7 +35,7 @@ macro_rules! impl_atomic { #[inline(always)] #[trusted] #[allow(unused_variables)] - pub fn into_inner(self, own: Ghost)?>>>) -> $type { + pub fn into_inner(self, own: Ghost)?>>) -> $type { self.0.into_inner() } diff --git a/creusot-std/src/std/sync/committer.rs b/creusot-std/src/std/sync/committer.rs index 6ad9d1b71b..177efc3e4d 100644 
--- a/creusot-std/src/std/sync/committer.rs +++ b/creusot-std/src/std/sync/committer.rs @@ -1,5 +1,5 @@ use crate::{ - ghost::{Container, perm::Perm}, + ghost::{PermTarget, perm::Perm}, logic::FMap, prelude::*, std::sync::{ @@ -16,9 +16,9 @@ use core::marker::PhantomData; // This trick is correct for SC accesses under SC-DRF, and for Rel/Acq/Rlx and Rlx accesses, but // perhaps not for C20's SC accesses. #[opaque] -pub struct Committer, T, Load, Store>(PhantomData<(C, T, Load, Store)>); +pub struct Committer, T, Load, Store>(PhantomData<(C, T, Load, Store)>); -impl, T, Load, Store> Committer { +impl, T, Load, Store> Committer { /// Identity of the committer /// /// This is used so that we can only use the committer with the right [`AtomicOwn`]. @@ -64,7 +64,7 @@ impl, T, Load, Store> Committer { impl Committer where - C: Container> + HasTimestamp, + C: PermTarget> + HasTimestamp, { /// 'Shoot' the committer /// @@ -85,7 +85,7 @@ where impl Committer where - C: Container> + HasTimestamp, + C: PermTarget> + HasTimestamp, { /// 'Shoot' the committer /// @@ -109,7 +109,7 @@ where impl Committer where - C: Container, + C: PermTarget, { /// 'Shoot' the committer /// @@ -127,7 +127,7 @@ where impl Committer where - C: Container> + HasTimestamp, + C: PermTarget> + HasTimestamp, { /// 'Shoot' the committer (Relaxed) /// @@ -157,7 +157,7 @@ where impl Committer where - C: Container> + HasTimestamp, + C: PermTarget> + HasTimestamp, { /// 'Shoot' the committer /// @@ -182,7 +182,7 @@ where impl Committer where - C: Container, + C: PermTarget, { /// 'Shoot' the committer /// diff --git a/creusot-std/src/std/vec.rs b/creusot-std/src/std/vec.rs index bcc4c55838..c47b4f28bf 100644 --- a/creusot-std/src/std/vec.rs +++ b/creusot-std/src/std/vec.rs 
@@ -1,13 +1,11 @@ #[cfg(creusot)] use crate::{invariant::inv, resolve::structural_resolve, std::slice::SliceIndexSpec}; use crate::{logic::ops::IndexLogic, prelude::*}; -#[cfg(all(creusot, not(feature = "std")))] -use alloc::boxed::Box; -use alloc::vec::*; #[cfg(feature = "nightly")] -use core::alloc::Allocator; +use std::alloc::Allocator; #[cfg(creusot)] -use core::ops::{Deref, DerefMut, Index, IndexMut}; +use std::ops::{Deref, DerefMut, Index, IndexMut}; +use std::vec::*; #[cfg(feature = "nightly")] impl View for Vec { diff --git a/examples/message_passing/relacq.coma b/examples/message_passing/relacq.coma index 5d97967169..587d4cef6a 100644 --- a/examples/message_passing/relacq.coma +++ b/examples/message_passing/relacq.coma @@ -23,14 +23,14 @@ module M_message_passing type t_Perm_AtomicBool - type tup2_AtomicBool_Ghost_Box_Perm_AtomicBool_Global = { f0: t_AtomicBool; f1: t_Perm_AtomicBool } + type tup2_AtomicBool_Ghost_Perm_AtomicBool = { f0: t_AtomicBool; f1: t_Perm_AtomicBool } predicate inv_AtomicBool (_1: t_AtomicBool) - predicate inv_tup2_AtomicBool_Ghost_Box_Perm_AtomicBool_Global [@inline:trivial] (_1: tup2_AtomicBool_Ghost_Box_Perm_AtomicBool_Global) = + predicate inv_tup2_AtomicBool_Ghost_Perm_AtomicBool [@inline:trivial] (_1: tup2_AtomicBool_Ghost_Perm_AtomicBool) = inv_AtomicBool _1.f0 - meta "rewrite_def" predicate inv_tup2_AtomicBool_Ghost_Box_Perm_AtomicBool_Global + meta "rewrite_def" predicate inv_tup2_AtomicBool_Ghost_Perm_AtomicBool type t_FMap_Int_tup2_bool_SyncView 
@@ -142,10 +142,10 @@ module M_message_passing function ward_AtomicBool (self: t_Perm_AtomicBool) : t_AtomicBool - let rec new'0 (val': bool) (sync_view: MutBorrow.t t_SyncView) - (return (x: tup2_AtomicBool_Ghost_Box_Perm_AtomicBool_Global)) = any - [ return (result: tup2_AtomicBool_Ghost_Box_Perm_AtomicBool_Global) -> - {[@stop_split] [@expl:new ensures] ([@stop_split] [@expl:new result type invariant] inv_tup2_AtomicBool_Ghost_Box_Perm_AtomicBool_Global result) + let rec new'0 (val': bool) (sync_view: MutBorrow.t t_SyncView) (return (x: tup2_AtomicBool_Ghost_Perm_AtomicBool)) = + any + [ return (result: tup2_AtomicBool_Ghost_Perm_AtomicBool) -> + {[@stop_split] [@expl:new ensures] ([@stop_split] [@expl:new result type invariant] inv_tup2_AtomicBool_Ghost_Perm_AtomicBool result) /\ ([@stop_split] [@expl:new ensures #0] val_AtomicBool result.f1 = singleton_Int (get_timestamp_AtomicBool result.f0 (fin_Ghost_refmut_SyncView sync_view)) { f0'0 = val'; f1'0 = sync_view.current }) @@ -156,7 +156,7 @@ module M_message_passing type t_Perm_PermCell_i32 - type tup2_PermCell_i32_Ghost_Box_Perm_PermCell_i32_Global = { f0'1: t_PermCell_i32; f1'1: t_Perm_PermCell_i32 } + type tup2_PermCell_i32_Ghost_Perm_PermCell_i32 = { f0'1: t_PermCell_i32; f1'1: t_Perm_PermCell_i32 } function ward_PermCell_i32 (self: t_Perm_PermCell_i32) : t_PermCell_i32 
@@ -166,16 +166,11 @@ module M_message_passing meta "rewrite_def" function view_Perm_PermCell_i32 - function view_Box_Perm_PermCell_i32_Global [@inline:trivial] (self: t_Perm_PermCell_i32) : Int32.t = - view_Perm_PermCell_i32 self - - meta "rewrite_def" function view_Box_Perm_PermCell_i32_Global - - let rec new_i32 (value: Int32.t) (return (x: tup2_PermCell_i32_Ghost_Box_Perm_PermCell_i32_Global)) = any - [ return (result: tup2_PermCell_i32_Ghost_Box_Perm_PermCell_i32_Global) -> + let rec new_i32 (value: Int32.t) (return (x: tup2_PermCell_i32_Ghost_Perm_PermCell_i32)) = any + [ return (result: tup2_PermCell_i32_Ghost_Perm_PermCell_i32) -> {[@stop_split] [@expl:new_i32 ensures] ([@stop_split] [@expl:new ensures #0] result.f0'1 = ward_PermCell_i32 result.f1'1) - /\ ([@stop_split] [@expl:new ensures #1] view_Box_Perm_PermCell_i32_Global result.f1'1 = value)} + /\ ([@stop_split] [@expl:new ensures #1] view_Perm_PermCell_i32 result.f1'1 = value)} (! return {result}) ] type t_Excl_unit = { f0'2: () } @@ -192,15 +187,15 @@ module M_message_passing [ return (result: t_Resource_Excl_unit) -> {[@stop_split] [@expl:alloc ensures] view_Resource_Excl_unit result = r} (! return {result}) ] - let rec into_inner_Box_Perm_AtomicBool_Global (self: t_Perm_AtomicBool) (return (x: t_Perm_AtomicBool)) = any + let rec into_inner_Perm_AtomicBool (self: t_Perm_AtomicBool) (return (x: t_Perm_AtomicBool)) = any [ return (result: t_Perm_AtomicBool) -> {[@stop_split] [@expl:into_inner ensures] result = self} (! return {result}) ] - type t_AtView_Box_Perm_PermCell_i32_Global + type t_AtView_Perm_PermCell_i32 type t_State = | NotWrittenYet - | Synchronisation t_AtView_Box_Perm_PermCell_i32_Global t_Resource_Excl_unit + | Synchronisation t_AtView_Perm_PermCell_i32 t_Resource_Excl_unit | Readable t_Resource_Excl_unit t_Resource_Excl_unit | Invalid 
@@ -215,14 +210,14 @@ module M_message_passing state: t_State; public_data: tup3_PermCell_i32_Id_Id } - predicate inv_AtView_Box_Perm_PermCell_i32_Global (_1: t_AtView_Box_Perm_PermCell_i32_Global) + predicate inv_AtView_Perm_PermCell_i32 (_1: t_AtView_Perm_PermCell_i32) predicate inv_State (_1: t_State) axiom inv_axiom [@rewrite]: forall x: t_State [inv_State x]. inv_State x = match x with | NotWrittenYet -> true - | Synchronisation f0'4 f1'2 -> inv_AtView_Box_Perm_PermCell_i32_Global f0'4 + | Synchronisation f0'4 f1'2 -> inv_AtView_Perm_PermCell_i32 f0'4 | Readable f0'4 f1'2 -> true | Invalid -> true end @@ -253,9 +248,9 @@ module M_message_passing type t_AtomicInvariant_MessagePassingAtomicInv - function val_Box_Perm_PermCell_i32_Global (self: t_AtView_Box_Perm_PermCell_i32_Global) : t_Perm_PermCell_i32 + function val_Perm_PermCell_i32 (self: t_AtView_Perm_PermCell_i32) : t_Perm_PermCell_i32 - function view_Box_Perm_PermCell_i32_Global'0 (self: t_AtView_Box_Perm_PermCell_i32_Global) : t_SyncView + function view_Perm_PermCell_i32'0 (self: t_AtView_Perm_PermCell_i32) : t_SyncView predicate protocol_MessagePassingAtomicInv [@inline:trivial] (self: t_MessagePassingAtomicInv) = let {f0'3 = perm; f1'3 = excl_write; f2'3 = excl_read} = self.public_data in match self.state with 
@@ -267,9 +262,9 @@ module M_message_passing /\ (forall t: int. match get_Int (val_AtomicBool self.atomic_own) t with | Some {f0'0 = b; f1'0 = view} -> not b \/ b - /\ perm = ward_PermCell_i32 (val_Box_Perm_PermCell_i32_Global data_own) - /\ Int32.to_int (val_PermCell_i32 (val_Box_Perm_PermCell_i32_Global data_own)) = 1 - /\ le_log_SyncView (view_Box_Perm_PermCell_i32_Global'0 data_own) view + /\ perm = ward_PermCell_i32 (val_Perm_PermCell_i32 data_own) + /\ Int32.to_int (val_PermCell_i32 (val_Perm_PermCell_i32 data_own)) = 1 + /\ le_log_SyncView (view_Perm_PermCell_i32'0 data_own) view | None -> true end) | Readable tok_write tok_read -> excl_write = id_Excl_unit tok_write /\ excl_read = id_Excl_unit tok_read @@ -332,16 +327,11 @@ module M_message_passing let rec new_Resource_Excl_unit (x: t_Resource_Excl_unit) (return (x'0: t_Resource_Excl_unit)) = any [ return (result: t_Resource_Excl_unit) -> {[@stop_split] [@expl:new ensures] result = x} (! return {result}) ] - let rec deref_mut_Ghost_Box_Perm_PermCell_i32_Global (self: MutBorrow.t t_Perm_PermCell_i32) + let rec deref_mut_Ghost_Perm_PermCell_i32 (self: MutBorrow.t t_Perm_PermCell_i32) (return (x: MutBorrow.t t_Perm_PermCell_i32)) = any [ return (result: MutBorrow.t t_Perm_PermCell_i32) -> {[@stop_split] [@expl:deref_mut ensures] result = self} (! return {result}) ] - predicate resolve_refmut_Box_Perm_PermCell_i32_Global [@inline:trivial] (_1: MutBorrow.t t_Perm_PermCell_i32) = - _1.final = _1.current - - meta "rewrite_def" predicate resolve_refmut_Box_Perm_PermCell_i32_Global - predicate resolve_refmut_Perm_PermCell_i32 [@inline:trivial] (_1: MutBorrow.t t_Perm_PermCell_i32) = _1.final = _1.current 
@@ -396,47 +386,43 @@ module M_message_passing c1'2: t_Resource_Excl_unit; c2'2: MutBorrow.t t_Committer_AtomicBool_bool_None_Release } - let rec into_inner_Box_Perm_PermCell_i32_Global (self: t_Perm_PermCell_i32) (return (x: t_Perm_PermCell_i32)) = any + let rec into_inner_Perm_PermCell_i32 (self: t_Perm_PermCell_i32) (return (x: t_Perm_PermCell_i32)) = any [ return (result: t_Perm_PermCell_i32) -> {[@stop_split] [@expl:into_inner ensures] result = self} (! return {result}) ] - let rec new_Box_Perm_PermCell_i32_Global (x: t_Perm_PermCell_i32) (return (x'0: t_Perm_PermCell_i32)) = any + let rec new_Perm_PermCell_i32 (x: t_Perm_PermCell_i32) (return (x'0: t_Perm_PermCell_i32)) = any [ return (result: t_Perm_PermCell_i32) -> {[@stop_split] [@expl:new ensures] result = x} (! return {result}) ] - type tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global = { - f0'5: t_SyncView; - f1'5: t_AtView_Box_Perm_PermCell_i32_Global } + type tup2_SyncView_AtView_Perm_PermCell_i32 = { f0'5: t_SyncView; f1'5: t_AtView_Perm_PermCell_i32 } - predicate inv_tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global [@inline:trivial] (_1: tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global) = - inv_AtView_Box_Perm_PermCell_i32_Global _1.f1'5 + predicate inv_tup2_SyncView_AtView_Perm_PermCell_i32 [@inline:trivial] (_1: tup2_SyncView_AtView_Perm_PermCell_i32) = + inv_AtView_Perm_PermCell_i32 _1.f1'5 - meta "rewrite_def" predicate inv_tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global + meta "rewrite_def" predicate inv_tup2_SyncView_AtView_Perm_PermCell_i32 - predicate invariant_Ghost_tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global [@inline:trivial] (self: tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global) = - inv_tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global self + predicate invariant_Ghost_tup2_SyncView_AtView_Perm_PermCell_i32 [@inline:trivial] (self: tup2_SyncView_AtView_Perm_PermCell_i32) = + inv_tup2_SyncView_AtView_Perm_PermCell_i32 self - meta "rewrite_def" predicate 
invariant_Ghost_tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global + meta "rewrite_def" predicate invariant_Ghost_tup2_SyncView_AtView_Perm_PermCell_i32 - predicate inv_Ghost_tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global [@inline:trivial] (_1: tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global) = - invariant_Ghost_tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global _1 + predicate inv_Ghost_tup2_SyncView_AtView_Perm_PermCell_i32 [@inline:trivial] (_1: tup2_SyncView_AtView_Perm_PermCell_i32) = + invariant_Ghost_tup2_SyncView_AtView_Perm_PermCell_i32 _1 - meta "rewrite_def" predicate inv_Ghost_tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global + meta "rewrite_def" predicate inv_Ghost_tup2_SyncView_AtView_Perm_PermCell_i32 - let rec new_Box_Perm_PermCell_i32_Global'0 (val': t_Perm_PermCell_i32) - (return (x: tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global)) = any - [ return (result: tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global) -> - {[@stop_split] [@expl:new_Box_Perm_PermCell_i32_Global ensures] ([@stop_split] [@expl:new result type invariant] inv_Ghost_tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global result) - /\ ([@stop_split] [@expl:new ensures] result.f0'5 = view_Box_Perm_PermCell_i32_Global'0 result.f1'5 - /\ val_Box_Perm_PermCell_i32_Global result.f1'5 = val')} + let rec new_Perm_PermCell_i32'0 (val': t_Perm_PermCell_i32) (return (x: tup2_SyncView_AtView_Perm_PermCell_i32)) = any + [ return (result: tup2_SyncView_AtView_Perm_PermCell_i32) -> + {[@stop_split] [@expl:new_Perm_PermCell_i32 ensures] ([@stop_split] [@expl:new result type invariant] inv_Ghost_tup2_SyncView_AtView_Perm_PermCell_i32 result) + /\ ([@stop_split] [@expl:new ensures] result.f0'5 = view_Perm_PermCell_i32'0 result.f1'5 + /\ val_Perm_PermCell_i32 result.f1'5 = val')} (! 
return {result}) ] - let rec into_inner_tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global - (self: tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global) - (return (x: tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global)) = - {[@stop_split] [@expl:into_inner 'self' type invariant] inv_Ghost_tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global self} + let rec into_inner_tup2_SyncView_AtView_Perm_PermCell_i32 (self: tup2_SyncView_AtView_Perm_PermCell_i32) + (return (x: tup2_SyncView_AtView_Perm_PermCell_i32)) = + {[@stop_split] [@expl:into_inner 'self' type invariant] inv_Ghost_tup2_SyncView_AtView_Perm_PermCell_i32 self} any - [ return (result: tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global) -> - {[@stop_split] [@expl:into_inner_tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global ensures] ([@stop_split] [@expl:into_inner result type invariant] inv_tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global result) + [ return (result: tup2_SyncView_AtView_Perm_PermCell_i32) -> + {[@stop_split] [@expl:into_inner_tup2_SyncView_AtView_Perm_PermCell_i32 ensures] ([@stop_split] [@expl:into_inner result type invariant] inv_tup2_SyncView_AtView_Perm_PermCell_i32 result) /\ ([@stop_split] [@expl:into_inner ensures] result = self)} (! return {result}) ] @@ -448,9 +434,9 @@ module M_message_passing end} any) ] - let rec elim_Synchronisation (_x: t_State) - (return (f0'6: t_AtView_Box_Perm_PermCell_i32_Global) (f1'2: t_Resource_Excl_unit)) = any - [ _k (f0'6: t_AtView_Box_Perm_PermCell_i32_Global) (f1'2: t_Resource_Excl_unit) -> {Synchronisation f0'6 f1'2 = _x} + let rec elim_Synchronisation (_x: t_State) (return (f0'6: t_AtView_Perm_PermCell_i32) (f1'2: t_Resource_Excl_unit)) = + any + [ _k (f0'6: t_AtView_Perm_PermCell_i32) (f1'2: t_Resource_Excl_unit) -> {Synchronisation f0'6 f1'2 = _x} (! return {f0'6} {f1'2}) | _chk -> (! {[@expl:elim Synchronisation] match _x with | Synchronisation _ _ -> true 
@@ -486,14 +472,14 @@ module M_message_passing meta "rewrite_def" predicate resolve_refmut_Resource_Excl_unit - predicate resolve_AtView_Box_Perm_PermCell_i32_Global (_1: t_AtView_Box_Perm_PermCell_i32_Global) + predicate resolve_AtView_Perm_PermCell_i32 (_1: t_AtView_Perm_PermCell_i32) predicate resolve_State (_1: t_State) axiom resolve_axiom [@rewrite]: forall x: t_State [resolve_State x]. resolve_State x = match x with | NotWrittenYet -> true - | Synchronisation x0 x1 -> resolve_AtView_Box_Perm_PermCell_i32_Global x0 + | Synchronisation x0 x1 -> resolve_AtView_Perm_PermCell_i32 x0 | Readable x0 x1 -> true | Invalid -> true end @@ -541,10 +527,9 @@ module M_message_passing meta "rewrite_def" predicate resolve_refmut_SyncView - predicate resolve_refmut_Box_Perm_AtomicBool_Global [@inline:trivial] (_1: MutBorrow.t t_Perm_AtomicBool) = - _1.final = _1.current + predicate resolve_refmut_Perm_AtomicBool [@inline:trivial] (_1: MutBorrow.t t_Perm_AtomicBool) = _1.final = _1.current - meta "rewrite_def" predicate resolve_refmut_Box_Perm_AtomicBool_Global + meta "rewrite_def" predicate resolve_refmut_Perm_AtomicBool predicate invariant_refmut_MessagePassingAtomicInv [@inline:trivial] (self: MutBorrow.t t_MessagePassingAtomicInv) = inv_MessagePassingAtomicInv self.current /\ inv_MessagePassingAtomicInv self.final 
@@ -570,19 +555,17 @@ module M_message_passing {[@stop_split] [@expl:closure 'inv' type invariant] inv_refmut_MessagePassingAtomicInv inv} bb0 [ bb0 = s0 - [ s0 = into_inner_Box_Perm_PermCell_i32_Global {self.c0'2} (fun (_x: t_Perm_PermCell_i32) -> [ &_8 <- _x ] s1) - | s1 = new_Box_Perm_PermCell_i32_Global {_8} (fun (_x: t_Perm_PermCell_i32) -> [ &_7 <- _x ] s2) - | s2 = new_Box_Perm_PermCell_i32_Global'0 {_7} - (fun (_x: tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global) -> [ &_6 <- _x ] s3) - | s3 = into_inner_tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global {_6} - (fun (_x: tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global) -> [ &_5 <- _x ] s4) + [ s0 = into_inner_Perm_PermCell_i32 {self.c0'2} (fun (_x: t_Perm_PermCell_i32) -> [ &_8 <- _x ] s1) + | s1 = new_Perm_PermCell_i32 {_8} (fun (_x: t_Perm_PermCell_i32) -> [ &_7 <- _x ] s2) + | s2 = new_Perm_PermCell_i32'0 {_7} (fun (_x: tup2_SyncView_AtView_Perm_PermCell_i32) -> [ &_6 <- _x ] s3) + | s3 = into_inner_tup2_SyncView_AtView_Perm_PermCell_i32 {_6} + (fun (_x: tup2_SyncView_AtView_Perm_PermCell_i32) -> [ &_5 <- _x ] s4) | s4 = [ &sync_view <- _5.f0'5 ] s5 | s5 = [ &at_view <- _5.f1'5 ] s6 | s6 = [ &_11 <- inv.current.state ] s7 | s7 = any [ br0 -> {_11 = NotWrittenYet} (! bb13) - | br1 (x0: t_AtView_Box_Perm_PermCell_i32_Global) (x1: t_Resource_Excl_unit) -> {_11 = Synchronisation x0 x1} - (! bb8) + | br1 (x0: t_AtView_Perm_PermCell_i32) (x1: t_Resource_Excl_unit) -> {_11 = Synchronisation x0 x1} (! bb8) | br2 (x0: t_Resource_Excl_unit) (x1: t_Resource_Excl_unit) -> {_11 = Readable x0 x1} (! bb7) | br3 -> {_11 = Invalid} (! bb13) ] ] | bb7 = s0 @@ -590,7 +573,7 @@ module M_message_passing | s1 = bb9 ] | bb8 = s0 [ s0 = elim_Synchronisation {_11} - (fun (r0: t_AtView_Box_Perm_PermCell_i32_Global) (r1: t_Resource_Excl_unit) -> [ &excl_state <- r1 ] s1) + (fun (r0: t_AtView_Perm_PermCell_i32) (r1: t_Resource_Excl_unit) -> [ &excl_state <- r1 ] s1) | s1 = bb9 ] | bb9 = s0 [ s0 = MutBorrow.borrow_mut {self.c1'2} 
@@ -626,7 +609,7 @@ module M_message_passing (fun (_bor: MutBorrow.t t_SyncView) -> [ &_27 <- _bor ] [ &_28 <- { _28 with current = _bor.final } ] s10) | s10 = shoot_store_AtomicBool {_24} {_25} {_27} (fun (_x: ()) -> [ &_23 <- _x ] s11) | s11 = -{resolve_refmut_SyncView _28}- s12 - | s12 = -{resolve_refmut_Box_Perm_AtomicBool_Global _26}- s13 + | s12 = -{resolve_refmut_Perm_AtomicBool _26}- s13 | s13 = s14 [ _ck -> (! {[@expl:type invariant] inv_refmut_MessagePassingAtomicInv inv} any) ] | s14 = -{resolve_refmut_MessagePassingAtomicInv inv}- s15 | s15 = -{match self with @@ -639,9 +622,9 @@ module M_message_passing | & self: closure0'2 = self | & inv: MutBorrow.t t_MessagePassingAtomicInv = inv | & sync_view: t_SyncView = Any.any_l () - | & at_view: t_AtView_Box_Perm_PermCell_i32_Global = Any.any_l () - | & _5: tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global = Any.any_l () - | & _6: tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global = Any.any_l () + | & at_view: t_AtView_Perm_PermCell_i32 = Any.any_l () + | & _5: tup2_SyncView_AtView_Perm_PermCell_i32 = Any.any_l () + | & _6: tup2_SyncView_AtView_Perm_PermCell_i32 = Any.any_l () | & _7: t_Perm_PermCell_i32 = Any.any_l () | & _8: t_Perm_PermCell_i32 = Any.any_l () | & _11: t_State = Any.any_l () 
@@ -818,15 +801,14 @@ module M_message_passing | s3 = MutBorrow.borrow_mut {self.c2'0} (fun (_bor: MutBorrow.t t_Perm_PermCell_i32) -> [ &_15 <- _bor ] [ &self <- { self with c2'0 = _bor.final } ] s4) - | s4 = deref_mut_Ghost_Box_Perm_PermCell_i32_Global {_15} - (fun (_x: MutBorrow.t t_Perm_PermCell_i32) -> [ &_14 <- _x ] s5) + | s4 = deref_mut_Ghost_Perm_PermCell_i32 {_15} (fun (_x: MutBorrow.t t_Perm_PermCell_i32) -> [ &_14 <- _x ] s5) | s5 = MutBorrow.borrow_final {_14.current} {MutBorrow.get_id _14} (fun (_bor: MutBorrow.t t_Perm_PermCell_i32) -> [ &_13 <- _bor ] [ &_14 <- { _14 with current = _bor.final } ] s6) | s6 = MutBorrow.borrow_final {_13.current} {MutBorrow.get_id _13} (fun (_bor: MutBorrow.t t_Perm_PermCell_i32) -> [ &_12 <- _bor ] [ &_13 <- { _13 with current = _bor.final } ] s7) - | s7 = -{resolve_refmut_Box_Perm_PermCell_i32_Global _14}- s8 + | s7 = -{resolve_refmut_Perm_PermCell_i32 _14}- s8 | s8 = -{resolve_refmut_Perm_PermCell_i32 _13}- s9 | s9 = MutBorrow.borrow_final {_12.current} {MutBorrow.get_id _12} (fun (_bor: MutBorrow.t t_Perm_PermCell_i32) -> 
@@ -922,18 +904,17 @@ module M_message_passing [ return (result: t_Option_Resource_Excl_unit) -> {[@stop_split] [@expl:new ensures] result = x} (! return {result}) ] - type t_Option_Box_Perm_PermCell_i32_Global = None'2 | Some'2 t_Perm_PermCell_i32 + type t_Option_Perm_PermCell_i32 = None'2 | Some'2 t_Perm_PermCell_i32 - let rec new_Option_Box_Perm_PermCell_i32_Global (x: t_Option_Box_Perm_PermCell_i32_Global) - (return (x'0: t_Option_Box_Perm_PermCell_i32_Global)) = any - [ return (result: t_Option_Box_Perm_PermCell_i32_Global) -> {[@stop_split] [@expl:new ensures] result = x} + let rec new_Option_Perm_PermCell_i32 (x: t_Option_Perm_PermCell_i32) (return (x'0: t_Option_Perm_PermCell_i32)) = any + [ return (result: t_Option_Perm_PermCell_i32) -> {[@stop_split] [@expl:new ensures] result = x} (! return {result}) ] type closure4 = { c0'4: t_AtomicInvariant_MessagePassingAtomicInv; c1'4: MutBorrow.t t_Tokens; c2'4: MutBorrow.t t_Option_Resource_Excl_unit; - c3'4: MutBorrow.t t_Option_Box_Perm_PermCell_i32_Global } + c3'4: MutBorrow.t t_Option_Perm_PermCell_i32 } let rec deref_mut_Ghost_Tokens (self: MutBorrow.t t_Tokens) (return (x: MutBorrow.t t_Tokens)) = any [ return (result: MutBorrow.t t_Tokens) -> {[@stop_split] [@expl:deref_mut ensures] result = self} @@ -951,7 +932,7 @@ module M_message_passing type closure0'3 = { c0'5: t_Committer_AtomicBool_bool_Acquire_None; c1'5: MutBorrow.t t_Option_Resource_Excl_unit; - c2'5: MutBorrow.t t_Option_Box_Perm_PermCell_i32_Global } + c2'5: MutBorrow.t t_Option_Perm_PermCell_i32 } let rec into_ghost_bool (self: bool) (return (x: bool)) = any [ return (result: bool) -> {[@stop_split] [@expl:into_ghost ensures] result = self} (! return {result}) ] 
@@ -1053,19 +1034,18 @@ module M_message_passing [ return (result: t_Resource_Excl_unit) -> {[@stop_split] [@expl:unwrap ensures] Some'1 result = self_} (! return {result}) ] - let rec sync_Box_Perm_PermCell_i32_Global (self: t_AtView_Box_Perm_PermCell_i32_Global) (sync_view: t_SyncView) + let rec sync_Perm_PermCell_i32 (self: t_AtView_Perm_PermCell_i32) (sync_view: t_SyncView) (return (x: t_Perm_PermCell_i32)) = - {[@stop_split] [@expl:sync_Box_Perm_PermCell_i32_Global requires] ([@stop_split] [@expl:sync 'self' type invariant] inv_AtView_Box_Perm_PermCell_i32_Global self) - /\ ([@stop_split] [@expl:sync requires] le_log_SyncView (view_Box_Perm_PermCell_i32_Global'0 self) sync_view)} + {[@stop_split] [@expl:sync_Perm_PermCell_i32 requires] ([@stop_split] [@expl:sync 'self' type invariant] inv_AtView_Perm_PermCell_i32 self) + /\ ([@stop_split] [@expl:sync requires] le_log_SyncView (view_Perm_PermCell_i32'0 self) sync_view)} any - [ return (result: t_Perm_PermCell_i32) -> {[@stop_split] [@expl:sync ensures] result - = val_Box_Perm_PermCell_i32_Global self} + [ return (result: t_Perm_PermCell_i32) -> {[@stop_split] [@expl:sync ensures] result = val_Perm_PermCell_i32 self} (! return {result}) ] - predicate resolve_refmut_Ghost_Option_Box_Perm_PermCell_i32_Global [@inline:trivial] (_1: MutBorrow.t t_Option_Box_Perm_PermCell_i32_Global) = + predicate resolve_refmut_Ghost_Option_Perm_PermCell_i32 [@inline:trivial] (_1: MutBorrow.t t_Option_Perm_PermCell_i32) = _1.final = _1.current - meta "rewrite_def" predicate resolve_refmut_Ghost_Option_Box_Perm_PermCell_i32_Global + meta "rewrite_def" predicate resolve_refmut_Ghost_Option_Perm_PermCell_i32 predicate resolve_refmut_Ghost_Option_Resource_Excl_unit [@inline:trivial] (_1: MutBorrow.t t_Option_Resource_Excl_unit) = _1.final = _1.current 
@@ -1073,8 +1053,7 @@ module M_message_passing meta "rewrite_def" predicate resolve_refmut_Ghost_Option_Resource_Excl_unit predicate resolve_closure0 [@inline:trivial] (_1: closure0'3) = - resolve_refmut_Ghost_Option_Box_Perm_PermCell_i32_Global _1.c2'5 - /\ resolve_refmut_Ghost_Option_Resource_Excl_unit _1.c1'5 + resolve_refmut_Ghost_Option_Perm_PermCell_i32 _1.c2'5 /\ resolve_refmut_Ghost_Option_Resource_Excl_unit _1.c1'5 meta "rewrite_def" predicate resolve_closure0 @@ -1095,8 +1074,7 @@ module M_message_passing [ s0 = [ &_13 <- inv.current.state ] s1 | s1 = any [ br0 -> {_13 = NotWrittenYet} (! bb13) - | br1 (x0: t_AtView_Box_Perm_PermCell_i32_Global) (x1: t_Resource_Excl_unit) -> {_13 = Synchronisation x0 x1} - (! bb13) + | br1 (x0: t_AtView_Perm_PermCell_i32) (x1: t_Resource_Excl_unit) -> {_13 = Synchronisation x0 x1} (! bb13) | br2 (x0: t_Resource_Excl_unit) (x1: t_Resource_Excl_unit) -> {_13 = Readable x0 x1} (! bb8) | br3 -> {_13 = Invalid} (! bb13) ] ] | bb8 = s0 @@ -1149,19 +1127,18 @@ module M_message_passing | s15 = -{resolve_State _38}- s16 | s16 = any [ br0 -> {_38 = NotWrittenYet} (! bb20) - | br1 (x0: t_AtView_Box_Perm_PermCell_i32_Global) (x1: t_Resource_Excl_unit) -> {_38 = Synchronisation x0 x1} - (! bb19) + | br1 (x0: t_AtView_Perm_PermCell_i32) (x1: t_Resource_Excl_unit) -> {_38 = Synchronisation x0 x1} (! bb19) | br2 (x0: t_Resource_Excl_unit) (x1: t_Resource_Excl_unit) -> {_38 = Readable x0 x1} (! bb20) | br3 -> {_38 = Invalid} (! bb20) ] ] | bb20 = s0 [ s0 = s1 [ _ck -> (! {[@expl:type invariant] match _38 with - | Synchronisation x _ -> inv_AtView_Box_Perm_PermCell_i32_Global x + | Synchronisation x _ -> inv_AtView_Perm_PermCell_i32 x | _ -> true end} any) ] | s1 = -{match _38 with - | Synchronisation x _ -> resolve_AtView_Box_Perm_PermCell_i32_Global x + | Synchronisation x _ -> resolve_AtView_Perm_PermCell_i32 x | _ -> true end}- s2 
@@ -1171,9 +1148,9 @@ module M_message_passing | s5 = {false} any ] | bb19 = s0 [ s0 = elim_Synchronisation {_38} - (fun (r0: t_AtView_Box_Perm_PermCell_i32_Global) (r1: t_Resource_Excl_unit) -> [ &at_view <- r0 ] s1) + (fun (r0: t_AtView_Perm_PermCell_i32) (r1: t_Resource_Excl_unit) -> [ &at_view <- r0 ] s1) | s1 = elim_Synchronisation {_38} - (fun (r0: t_AtView_Box_Perm_PermCell_i32_Global) (r1: t_Resource_Excl_unit) -> [ &tok_write <- r1 ] s2) + (fun (r0: t_AtView_Perm_PermCell_i32) (r1: t_Resource_Excl_unit) -> [ &tok_write <- r1 ] s2) | s2 = MutBorrow.borrow_mut {self.current.c1'5.current} (fun (_bor: MutBorrow.t t_Option_Resource_Excl_unit) -> [ &_49 <- _bor ] @@ -1193,11 +1170,9 @@ module M_message_passing | s11 = [ &inv <- { inv with current = { inv.current with state = _43 } } ] s12 | s12 = s13 [ _ck -> (! {[@expl:type invariant] inv_refmut_MessagePassingAtomicInv inv} any) ] | s13 = -{resolve_refmut_MessagePassingAtomicInv inv}- s14 - | s14 = sync_Box_Perm_PermCell_i32_Global {at_view} {sync_view} - (fun (_x: t_Perm_PermCell_i32) -> [ &_52 <- _x ] s15) + | s14 = sync_Perm_PermCell_i32 {at_view} {sync_view} (fun (_x: t_Perm_PermCell_i32) -> [ &_52 <- _x ] s15) | s15 = [ &_51 <- Some'2 _52 ] s16 - | s16 = new_Option_Box_Perm_PermCell_i32_Global {_51} - (fun (_x: t_Option_Box_Perm_PermCell_i32_Global) -> [ &_50 <- _x ] s17) + | s16 = new_Option_Perm_PermCell_i32 {_51} (fun (_x: t_Option_Perm_PermCell_i32) -> [ &_50 <- _x ] s17) | s17 = [ &self <- { self with current = { self.current with c2'5 = { self.current.c2'5 with current = _50 } } } ] s18 | s18 = -{resolve_refmut_closure0 self}- s19 
@@ -1228,7 +1203,7 @@ module M_message_passing | & _31: t_Perm_AtomicBool = Any.any_l () | & _32: MutBorrow.t t_SyncView = Any.any_l () | & _33: MutBorrow.t t_SyncView = Any.any_l () - | & at_view: t_AtView_Box_Perm_PermCell_i32_Global = Any.any_l () + | & at_view: t_AtView_Perm_PermCell_i32 = Any.any_l () | & tok_write: t_Resource_Excl_unit = Any.any_l () | & _38: t_State = Any.any_l () | & _39: MutBorrow.t t_State = Any.any_l () @@ -1240,8 +1215,8 @@ module M_message_passing | & _47: MutBorrow.t t_Option_Resource_Excl_unit = Any.any_l () | & _48: MutBorrow.t t_Option_Resource_Excl_unit = Any.any_l () | & _49: MutBorrow.t t_Option_Resource_Excl_unit = Any.any_l () - | & _50: t_Option_Box_Perm_PermCell_i32_Global = Any.any_l () - | & _51: t_Option_Box_Perm_PermCell_i32_Global = Any.any_l () + | & _50: t_Option_Perm_PermCell_i32 = Any.any_l () + | & _51: t_Option_Perm_PermCell_i32 = Any.any_l () | & _52: t_Perm_PermCell_i32 = Any.any_l () ] [ return (result: ()) -> {[@stop_split] [@expl:closure hist_inv post] hist_inv_closure0 self.current self.final} return {result} ] @@ -1337,7 +1312,7 @@ module M_message_passing meta "rewrite_def" predicate resolve_refmut_Ghost_Tokens predicate resolve_closure4 [@inline:trivial] (_1: closure4) = - resolve_refmut_Ghost_Option_Box_Perm_PermCell_i32_Global _1.c3'4 + resolve_refmut_Ghost_Option_Perm_PermCell_i32 _1.c3'4 /\ resolve_refmut_Ghost_Option_Resource_Excl_unit _1.c2'4 /\ resolve_refmut_Ghost_Tokens _1.c1'4 meta "rewrite_def" predicate resolve_closure4 
@@ -1368,8 +1343,8 @@ module M_message_passing [ &_13 <- _bor ] [ &self <- { self with current = { self.current with c2'4 = { self.current.c2'4 with current = _bor.final } } } ] s6) - | s6 = MutBorrow.borrow_mut {self.current.c3'4.current} - (fun (_bor: MutBorrow.t t_Option_Box_Perm_PermCell_i32_Global) -> + | s6 = MutBorrow.borrow_mut {self.current.c3'4.current} + (fun (_bor: MutBorrow.t t_Option_Perm_PermCell_i32) -> [ &_14 <- _bor ] [ &self <- { self with current = { self.current with c3'4 = { self.current.c3'4 with current = _bor.final } } } ] s7) @@ -1390,7 +1365,7 @@ module M_message_passing | & _10: t_FnGhostWrapper_closure0'1 = Any.any_l () | & _11: closure0'3 = Any.any_l () | & _13: MutBorrow.t t_Option_Resource_Excl_unit = Any.any_l () - | & _14: MutBorrow.t t_Option_Box_Perm_PermCell_i32_Global = Any.any_l () ] + | & _14: MutBorrow.t t_Option_Perm_PermCell_i32 = Any.any_l () ] [ return (result: ()) -> {[@stop_split] [@expl:closure hist_inv post] hist_inv_closure4 self.current self.final} return {result} ] 
@@ -1471,24 +1446,24 @@ module M_message_passing /\ val_load_AtomicBool'0 c = result /\ postcondition_once_FnGhostWrapper_closure4 f c ()} (! return {result}) ] - let rec deref_Ghost_Option_Box_Perm_PermCell_i32_Global (self: t_Option_Box_Perm_PermCell_i32_Global) - (return (x: t_Option_Box_Perm_PermCell_i32_Global)) = any - [ return (result: t_Option_Box_Perm_PermCell_i32_Global) -> {[@stop_split] [@expl:deref ensures] result = self} + let rec deref_Ghost_Option_Perm_PermCell_i32 (self: t_Option_Perm_PermCell_i32) + (return (x: t_Option_Perm_PermCell_i32)) = any + [ return (result: t_Option_Perm_PermCell_i32) -> {[@stop_split] [@expl:deref ensures] result = self} (! return {result}) ] - type t_Option_ref_Box_Perm_PermCell_i32_Global = None'4 | Some'4 t_Perm_PermCell_i32 + type t_Option_ref_Perm_PermCell_i32 = None'4 | Some'4 t_Perm_PermCell_i32 - let rec as_ref_Box_Perm_PermCell_i32_Global (self_: t_Option_Box_Perm_PermCell_i32_Global) - (return (x: t_Option_ref_Box_Perm_PermCell_i32_Global)) = any - [ return (result: t_Option_ref_Box_Perm_PermCell_i32_Global) -> - {[@stop_split] [@expl:as_ref_Box_Perm_PermCell_i32_Global ensures] ([@stop_split] [@expl:as_ref ensures #0] self_ - = None'2 -> result = None'4) + let rec as_ref_Perm_PermCell_i32 (self_: t_Option_Perm_PermCell_i32) (return (x: t_Option_ref_Perm_PermCell_i32)) = + any + [ return (result: t_Option_ref_Perm_PermCell_i32) -> + {[@stop_split] [@expl:as_ref_Perm_PermCell_i32 ensures] ([@stop_split] [@expl:as_ref ensures #0] self_ = None'2 + -> result = None'4) /\ ([@stop_split] [@expl:as_ref ensures #1] self_ = None'2 \/ (exists r: t_Perm_PermCell_i32. result = Some'4 r /\ self_ = Some'2 r))} (! 
return {result}) ] - let rec unwrap_ref_Box_Perm_PermCell_i32_Global (self_: t_Option_ref_Box_Perm_PermCell_i32_Global) - (return (x: t_Perm_PermCell_i32)) = {[@stop_split] [@expl:unwrap requires] self_ <> None'4} + let rec unwrap_ref_Perm_PermCell_i32 (self_: t_Option_ref_Perm_PermCell_i32) (return (x: t_Perm_PermCell_i32)) = + {[@stop_split] [@expl:unwrap requires] self_ <> None'4} any [ return (result: t_Perm_PermCell_i32) -> {[@stop_split] [@expl:unwrap ensures] Some'4 result = self_} (! return {result}) ] @@ -1516,8 +1491,7 @@ module M_message_passing | s2 = new_Option_Resource_Excl_unit {_4} (fun (_x: t_Option_Resource_Excl_unit) -> [ &excl <- _x ] s3) | s3 = [ &excl_snap <- excl ] s4 | s4 = [ &_11 <- None'2 ] s5 - | s5 = new_Option_Box_Perm_PermCell_i32_Global {_11} - (fun (_x: t_Option_Box_Perm_PermCell_i32_Global) -> [ &data_own <- _x ] s6) + | s5 = new_Option_Perm_PermCell_i32 {_11} (fun (_x: t_Option_Perm_PermCell_i32) -> [ &data_own <- _x ] s6) | s6 = bb5 ] | bb5 = bb5 [ bb5 = {[@expl:loop invariant #0] excl = excl_snap} 
@@ -1527,20 +1501,17 @@ module M_message_passing (fun (_bor: MutBorrow.t t_Tokens) -> [ &_26 <- _bor ] [ &tokens <- _bor.final ] s1) | s1 = MutBorrow.borrow_mut {excl} (fun (_bor: MutBorrow.t t_Option_Resource_Excl_unit) -> [ &_27 <- _bor ] [ &excl <- _bor.final ] s2) - | s2 = MutBorrow.borrow_mut {data_own} - (fun (_bor: MutBorrow.t t_Option_Box_Perm_PermCell_i32_Global) -> - [ &_28 <- _bor ] [ &data_own <- _bor.final ] s3) + | s2 = MutBorrow.borrow_mut {data_own} + (fun (_bor: MutBorrow.t t_Option_Perm_PermCell_i32) -> [ &_28 <- _bor ] [ &data_own <- _bor.final ] s3) | s3 = [ &_24 <- { c0'4 = self.c2'3; c1'4 = _26; c2'4 = _27; c3'4 = _28 } ] s4 | s4 = __new_closure4 {_24} (fun (_x: t_FnGhostWrapper_closure4) -> [ &_23 <- _x ] s5) | s5 = new_FnGhostWrapper_closure4 {_23} (fun (_x: t_FnGhostWrapper_closure4) -> [ &_22 <- _x ] s6) | s6 = load_FnGhostWrapper_closure4 {self.c1'3} {_22} (fun (_x: bool) -> [ &_20 <- _x ] s7) | s7 = any [ br0 -> {_20 = false} (! bb5) | br1 -> {_20} (! bb10) ] ] ] | bb10 = s0 - [ s0 = deref_Ghost_Option_Box_Perm_PermCell_i32_Global {data_own} - (fun (_x: t_Option_Box_Perm_PermCell_i32_Global) -> [ &_37 <- _x ] s1) - | s1 = as_ref_Box_Perm_PermCell_i32_Global {_37} - (fun (_x: t_Option_ref_Box_Perm_PermCell_i32_Global) -> [ &_35 <- _x ] s2) - | s2 = unwrap_ref_Box_Perm_PermCell_i32_Global {_35} (fun (_x: t_Perm_PermCell_i32) -> [ &_34 <- _x ] s3) + [ s0 = deref_Ghost_Option_Perm_PermCell_i32 {data_own} (fun (_x: t_Option_Perm_PermCell_i32) -> [ &_37 <- _x ] s1) + | s1 = as_ref_Perm_PermCell_i32 {_37} (fun (_x: t_Option_ref_Perm_PermCell_i32) -> [ &_35 <- _x ] s2) + | s2 = unwrap_ref_Perm_PermCell_i32 {_35} (fun (_x: t_Perm_PermCell_i32) -> [ &_34 <- _x ] s3) | s3 = new_ref_Perm_PermCell_i32 {_34} (fun (_x: t_Perm_PermCell_i32) -> [ &_32 <- _x ] s4) | s4 = get_i32 {self.c3'3} {_32} (fun (_x: Int32.t) -> [ &res <- _x ] s5) | s5 = {[@expl:assertion] res = (1: Int32.t)} s6 
@@ -1552,20 +1523,20 @@ module M_message_passing | & _4: t_Option_Resource_Excl_unit = Any.any_l () | & _5: t_Resource_Excl_unit = Any.any_l () | & excl_snap: t_Option_Resource_Excl_unit = Any.any_l () - | & data_own: t_Option_Box_Perm_PermCell_i32_Global = Any.any_l () - | & _11: t_Option_Box_Perm_PermCell_i32_Global = Any.any_l () + | & data_own: t_Option_Perm_PermCell_i32 = Any.any_l () + | & _11: t_Option_Perm_PermCell_i32 = Any.any_l () | & _20: bool = Any.any_l () | & _22: t_FnGhostWrapper_closure4 = Any.any_l () | & _23: t_FnGhostWrapper_closure4 = Any.any_l () | & _24: closure4 = Any.any_l () | & _26: MutBorrow.t t_Tokens = Any.any_l () | & _27: MutBorrow.t t_Option_Resource_Excl_unit = Any.any_l () - | & _28: MutBorrow.t t_Option_Box_Perm_PermCell_i32_Global = Any.any_l () + | & _28: MutBorrow.t t_Option_Perm_PermCell_i32 = Any.any_l () | & res: Int32.t = Any.any_l () | & _32: t_Perm_PermCell_i32 = Any.any_l () | & _34: t_Perm_PermCell_i32 = Any.any_l () - | & _35: t_Option_ref_Box_Perm_PermCell_i32_Global = Any.any_l () - | & _37: t_Option_Box_Perm_PermCell_i32_Global = Any.any_l () ] [ return (result: ()) -> return {result} ] + | & _35: t_Option_ref_Perm_PermCell_i32 = Any.any_l () + | & _37: t_Option_Perm_PermCell_i32 = Any.any_l () ] [ return (result: ()) -> return {result} ] meta "rewrite_def" predicate closure1'pre 
@@ -1684,15 +1655,15 @@ module M_message_passing | s1 = MutBorrow.borrow_mut {_6} (fun (_bor: MutBorrow.t t_SyncView) -> [ &_5 <- _bor ] [ &_6 <- _bor.final ] s2) | s2 = borrow_mut_SyncView {_5} (fun (_x: MutBorrow.t t_SyncView) -> [ &_4 <- _x ] s3) - | s3 = new'0 {false} {_4} (fun (_x: tup2_AtomicBool_Ghost_Box_Perm_AtomicBool_Global) -> [ &_3 <- _x ] s4) + | s3 = new'0 {false} {_4} (fun (_x: tup2_AtomicBool_Ghost_Perm_AtomicBool) -> [ &_3 <- _x ] s4) | s4 = [ &atomic <- _3.f0 ] s5 | s5 = [ &atomic_own'0 <- _3.f1 ] s6 - | s6 = new_i32 {(0: Int32.t)} (fun (_x: tup2_PermCell_i32_Ghost_Box_Perm_PermCell_i32_Global) -> [ &_9 <- _x ] s7) + | s6 = new_i32 {(0: Int32.t)} (fun (_x: tup2_PermCell_i32_Ghost_Perm_PermCell_i32) -> [ &_9 <- _x ] s7) | s7 = [ &data <- _9.f0'1 ] s8 | s8 = [ &data_own <- _9.f1'1 ] s9 | s9 = alloc_Excl_unit {{ f0'2 = () }} (fun (_x: t_Resource_Excl_unit) -> [ &excl_write <- _x ] s10) | s10 = alloc_Excl_unit {{ f0'2 = () }} (fun (_x: t_Resource_Excl_unit) -> [ &excl_read <- _x ] s11) - | s11 = into_inner_Box_Perm_AtomicBool_Global {atomic_own'0} (fun (_x: t_Perm_AtomicBool) -> [ &_19 <- _x ] s12) + | s11 = into_inner_Perm_AtomicBool {atomic_own'0} (fun (_x: t_Perm_AtomicBool) -> [ &_19 <- _x ] s12) | s12 = [ &_21 <- NotWrittenYet ] s13 | s13 = [ &_18 <- { atomic_own = _19; state = _21; 
@@ -1710,13 +1681,13 @@ module M_message_passing [ & _ret: () = Any.any_l () | & atomic: t_AtomicBool = Any.any_l () | & atomic_own'0: t_Perm_AtomicBool = Any.any_l () - | & _3: tup2_AtomicBool_Ghost_Box_Perm_AtomicBool_Global = Any.any_l () + | & _3: tup2_AtomicBool_Ghost_Perm_AtomicBool = Any.any_l () | & _4: MutBorrow.t t_SyncView = Any.any_l () | & _5: MutBorrow.t t_SyncView = Any.any_l () | & _6: t_SyncView = Any.any_l () | & data: t_PermCell_i32 = Any.any_l () | & data_own: t_Perm_PermCell_i32 = Any.any_l () - | & _9: tup2_PermCell_i32_Ghost_Box_Perm_PermCell_i32_Global = Any.any_l () + | & _9: tup2_PermCell_i32_Ghost_Perm_PermCell_i32 = Any.any_l () | & excl_write: t_Resource_Excl_unit = Any.any_l () | & excl_read: t_Resource_Excl_unit = Any.any_l () | & inv: t_AtomicInvariant_MessagePassingAtomicInv = Any.any_l () diff --git a/examples/message_passing/relacq.rs b/examples/message_passing/relacq.rs index 33a6c257dc..ded9b48638 100644 --- a/examples/message_passing/relacq.rs +++ b/examples/message_passing/relacq.rs @@ -24,14 +24,14 @@ use creusot_std::{ declare_namespace! { MESSAGE_PASSING } struct MessagePassingAtomicInv { - atomic_own: Box>, + atomic_own: Perm, state: State, public_data: Snapshot<(PermCell, Id, Id)>, } enum State { NotWrittenYet, - Synchronisation(AtView>>>, Resource>), + Synchronisation(AtView>>, Resource>), Readable(Resource>, Resource>), Invalid, } @@ -88,7 +88,7 @@ pub fn message_passing() { let t1 = s.spawn(move |tokens: Ghost| { let mut excl = ghost!(excl_write.into_inner()); - unsafe { *data.borrow_mut(ghost!(&mut **data_own)) = 1 } + unsafe { *data.borrow_mut(ghost!(&mut *data_own)) = 1 } atomic.store( true, diff --git a/examples/message_passing/relacq/proof.json b/examples/message_passing/relacq/proof.json index 1bac32a577..5103b4dc96 100644 --- a/examples/message_passing/relacq/proof.json +++ b/examples/message_passing/relacq/proof.json 
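Review bot: The write `unsafe { *data.borrow_mut(ghost!(&mut *data_own)) = 1 }` in `message_passing` still has no `// SAFETY:` comment, and this commit only drops one level of dereference on `data_own`, so the soundness argument remains implicit at the one place in the example where raw interior mutation happens. The ghost permission handed to `borrow_mut` appears to be what makes the write exclusive, but `PermCell::borrow_mut`'s contract is not visible here, so the comment should state that assumption rather than leave a reader to infer it, e.g. `// SAFETY: data_own is the sole ghost permission for data, so this mutable borrow cannot alias any other live access to the cell (see PermCell::borrow_mut's requires clause).` The enclosing closure and `message_passing` itself both start before the hunk and continue past it.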
@@ -6,68 +6,65 @@ "vc___new_closure0'0": { "prover": "alt-ergo", "time": 0.022 }, "vc___new_closure0'1": { "prover": "alt-ergo", "time": 0.03 }, "vc___new_closure4": { "prover": "alt-ergo", "time": 0.034 }, - "vc_alloc_Excl_unit": { "prover": "alt-ergo", "time": 0.038 }, - "vc_as_mut_Resource_Excl_unit": { "prover": "alt-ergo", "time": 0.018 }, - "vc_as_ref_Box_Perm_PermCell_i32_Global": { - "prover": "alt-ergo", - "time": 0.034 - }, + "vc_alloc_Excl_unit": { "prover": "alt-ergo", "time": 0.094 }, + "vc_as_mut_Resource_Excl_unit": { "prover": "alt-ergo", "time": 0.041 }, + "vc_as_ref_Perm_PermCell_i32": { "prover": "alt-ergo", "time": 0.061 }, "vc_borrow_AtomicInvariant_MessagePassingAtomicInv": { "prover": "alt-ergo", - "time": 0.026 + "time": 0.059 }, "vc_borrow_mut_SyncView": { "prover": "alt-ergo", "time": 0.023 }, - "vc_borrow_mut_i32": { "prover": "alt-ergo", "time": 0.021 }, + "vc_borrow_mut_i32": { "prover": "alt-ergo", "time": 0.062 }, "vc_closure0": { "prover": "alt-ergo", "time": 0.022 }, "vc_closure0'0": { "prover": "alt-ergo", "time": 0.023 }, - "vc_closure0'1": { "prover": "alt-ergo", "time": 0.02 }, + "vc_closure0'1": { "prover": "alt-ergo", "time": 0.041 }, "vc_closure0'2": { "prover": "alt-ergo", "time": 0.023 }, "vc_closure0'3": { "prover": "alt-ergo", "time": 0.043 }, "vc_closure1": { "prover": "alt-ergo", "time": 0.035 }, "vc_closure4": { "prover": "alt-ergo", "time": 0.036 }, - "vc_deref_Ghost_Option_Box_Perm_PermCell_i32_Global": { + "vc_deref_Ghost_Option_Perm_PermCell_i32": { "prover": "alt-ergo", - "time": 0.029 + "time": 0.061 }, - "vc_deref_Ghost_SyncView": { "prover": "alt-ergo", "time": 0.019 }, - "vc_deref_Ghost_bool": { "prover": "alt-ergo", "time": 0.023 }, + "vc_deref_Ghost_SyncView": { "prover": "alt-ergo", "time": 0.046 }, + "vc_deref_Ghost_bool": { "prover": "alt-ergo", "time": 0.046 }, "vc_deref_Ghost_ref_AtomicInvariant_MessagePassingAtomicInv": { "prover": "alt-ergo", "time": 0.029 }, - 
"vc_deref_mut_Ghost_Box_Perm_PermCell_i32_Global": { + "vc_deref_mut_Ghost_Option_Resource_Excl_unit": { "prover": "alt-ergo", - "time": 0.035 + "time": 0.046 }, - "vc_deref_mut_Ghost_Option_Resource_Excl_unit": { + "vc_deref_mut_Ghost_Perm_PermCell_i32": { "prover": "alt-ergo", - "time": 0.023 + "time": 0.042 }, "vc_deref_mut_Ghost_Resource_Excl_unit": { "prover": "alt-ergo", - "time": 0.03 + "time": 0.063 }, - "vc_deref_mut_Ghost_Tokens": { "prover": "alt-ergo", "time": 0.019 }, - "vc_elim_Readable": { "prover": "alt-ergo", "time": 0.03 }, - "vc_elim_Synchronisation": { "prover": "alt-ergo", "time": 0.03 }, + "vc_deref_mut_Ghost_Tokens": { "prover": "alt-ergo", "time": 0.038 }, + "vc_elim_Readable": { "prover": "alt-ergo", "time": 0.063 }, + "vc_elim_Synchronisation": { "prover": "alt-ergo", "time": 0.063 }, "vc_get_i32": { "prover": "alt-ergo", "time": 0.034 }, - "vc_into_ghost_bool": { "prover": "alt-ergo", "time": 0.023 }, - "vc_into_inner_Box_Perm_AtomicBool_Global": { + "vc_into_ghost_bool": { "prover": "alt-ergo", "time": 0.046 }, + "vc_into_inner_Perm_AtomicBool": { "prover": "alt-ergo", - "time": 0.038 + "time": 0.094 }, - "vc_into_inner_Box_Perm_PermCell_i32_Global": { + "vc_into_inner_Perm_PermCell_i32": { "prover": "alt-ergo", - "time": 0.029 + "time": 0.077 }, "vc_into_inner_Resource_Excl_unit": { "prover": "alt-ergo", "time": 0.035 }, "vc_into_inner_Tokens": { "prover": "alt-ergo", "time": 0.029 }, - "vc_into_inner_tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global": { + "vc_into_inner_tup2_SyncView_AtView_Perm_PermCell_i32": { "prover": "alt-ergo", - "time": 0.03 + "time": 0.063 }, "vc_join_unwrap_ScopedJoinHandle_unit": { "prover": "alt-ergo", @@ -126,7 +123,7 @@ ] }, { "prover": "alt-ergo", "time": 0.056 }, - { "prover": "alt-ergo", "time": 0.046 }, + { "prover": "alt-ergo", "time": 0.093 }, { "prover": "alt-ergo", "time": 0.053 }, { "prover": "alt-ergo", "time": 0.045 }, { "prover": "alt-ergo", "time": 0.035 } 
@@ -140,15 +137,7 @@ ] }, "vc_new": { "prover": "alt-ergo", "time": 0.023 }, - "vc_new'0": { "prover": "alt-ergo", "time": 0.016 }, - "vc_new_Box_Perm_PermCell_i32_Global": { - "prover": "alt-ergo", - "time": 0.029 - }, - "vc_new_Box_Perm_PermCell_i32_Global'0": { - "prover": "alt-ergo", - "time": 0.03 - }, + "vc_new'0": { "prover": "alt-ergo", "time": 0.037 }, "vc_new_FnGhostWrapper_closure0": { "prover": "alt-ergo", "time": 0.022 @@ -159,20 +148,22 @@ }, "vc_new_MessagePassingAtomicInv": { "prover": "alt-ergo", - "time": 0.017 + "time": 0.078 }, "vc_new_MessagePassingAtomicInv'0": { "prover": "alt-ergo", "time": 0.036 }, - "vc_new_Option_Box_Perm_PermCell_i32_Global": { + "vc_new_Option_Perm_PermCell_i32": { "prover": "alt-ergo", - "time": 0.02 + "time": 0.051 }, "vc_new_Option_Resource_Excl_unit": { "prover": "alt-ergo", "time": 0.022 }, + "vc_new_Perm_PermCell_i32": { "prover": "alt-ergo", "time": 0.077 }, + "vc_new_Perm_PermCell_i32'0": { "prover": "alt-ergo", "time": 0.063 }, "vc_new_Resource_Excl_unit": { "prover": "alt-ergo", "time": 0.035 }, "vc_new_i32": { "prover": "alt-ergo", "time": 0.039 }, "vc_new_ref_Perm_PermCell_i32": { "prover": "alt-ergo", "time": 0.034 }, 
@@ -186,32 +177,29 @@ }, "vc_open_MessagePassingAtomicInv'0": { "prover": "alt-ergo", - "time": 0.024 + "time": 0.053 }, - "vc_reborrow": { "prover": "alt-ergo", "time": 0.019 }, - "vc_replace_State": { "prover": "alt-ergo", "time": 0.021 }, + "vc_reborrow": { "prover": "alt-ergo", "time": 0.038 }, + "vc_replace_State": { "prover": "alt-ergo", "time": 0.042 }, "vc_scope_closure0": { "prover": "alt-ergo", "time": 0.031 }, - "vc_shoot_load_AtomicBool": { "prover": "alt-ergo", "time": 0.022 }, + "vc_shoot_load_AtomicBool": { "prover": "alt-ergo", "time": 0.044 }, "vc_shoot_store_AtomicBool": { "prover": "alt-ergo", "time": 0.029 }, - "vc_spawn_closure0": { "prover": "alt-ergo", "time": 0.02 }, + "vc_spawn_closure0": { "prover": "alt-ergo", "time": 0.04 }, "vc_spawn_closure1": { "prover": "alt-ergo", "time": 0.067 }, "vc_store_FnGhostWrapper_closure0": { "prover": "alt-ergo", - "time": 0.016 + "time": 0.042 }, - "vc_sync_Box_Perm_PermCell_i32_Global": { + "vc_sync_Perm_PermCell_i32": { "prover": "alt-ergo", "time": 0.044 }, + "vc_take_Resource_Excl_unit": { "prover": "alt-ergo", "time": 0.044 }, + "vc_unwrap_Resource_Excl_unit": { "prover": "alt-ergo", "time": 0.044 }, + "vc_unwrap_ref_Perm_PermCell_i32": { "prover": "alt-ergo", - "time": 0.022 - }, - "vc_take_Resource_Excl_unit": { "prover": "alt-ergo", "time": 0.022 }, - "vc_unwrap_Resource_Excl_unit": { "prover": "alt-ergo", "time": 0.022 }, - "vc_unwrap_ref_Box_Perm_PermCell_i32_Global": { - "prover": "alt-ergo", - "time": 0.034 + "time": 0.061 }, "vc_unwrap_refmut_Resource_Excl_unit": { "prover": "alt-ergo", - "time": 0.018 + "time": 0.041 }, "vc_valid_op_lemma_Excl_unit": { "prover": "alt-ergo", "time": 0.026 } } diff --git a/examples/message_passing/relacq_options.coma b/examples/message_passing/relacq_options.coma index b0c0ebe610..507ad12aca 100644 --- a/examples/message_passing/relacq_options.coma +++ b/examples/message_passing/relacq_options.coma 
@@ -23,14 +23,14 @@ module M_message_passing type t_Perm_AtomicBool - type tup2_AtomicBool_Ghost_Box_Perm_AtomicBool_Global = { f0: t_AtomicBool; f1: t_Perm_AtomicBool } + type tup2_AtomicBool_Ghost_Perm_AtomicBool = { f0: t_AtomicBool; f1: t_Perm_AtomicBool } predicate inv_AtomicBool (_1: t_AtomicBool) - predicate inv_tup2_AtomicBool_Ghost_Box_Perm_AtomicBool_Global [@inline:trivial] (_1: tup2_AtomicBool_Ghost_Box_Perm_AtomicBool_Global) = + predicate inv_tup2_AtomicBool_Ghost_Perm_AtomicBool [@inline:trivial] (_1: tup2_AtomicBool_Ghost_Perm_AtomicBool) = inv_AtomicBool _1.f0 - meta "rewrite_def" predicate inv_tup2_AtomicBool_Ghost_Box_Perm_AtomicBool_Global + meta "rewrite_def" predicate inv_tup2_AtomicBool_Ghost_Perm_AtomicBool type t_FMap_Int_tup2_bool_SyncView @@ -142,10 +142,10 @@ module M_message_passing function ward_AtomicBool (self: t_Perm_AtomicBool) : t_AtomicBool - let rec new'0 (val': bool) (sync_view: MutBorrow.t t_SyncView) - (return (x: tup2_AtomicBool_Ghost_Box_Perm_AtomicBool_Global)) = any - [ return (result: tup2_AtomicBool_Ghost_Box_Perm_AtomicBool_Global) -> - {[@stop_split] [@expl:new ensures] ([@stop_split] [@expl:new result type invariant] inv_tup2_AtomicBool_Ghost_Box_Perm_AtomicBool_Global result) + let rec new'0 (val': bool) (sync_view: MutBorrow.t t_SyncView) (return (x: tup2_AtomicBool_Ghost_Perm_AtomicBool)) = + any + [ return (result: tup2_AtomicBool_Ghost_Perm_AtomicBool) -> + {[@stop_split] [@expl:new ensures] ([@stop_split] [@expl:new result type invariant] inv_tup2_AtomicBool_Ghost_Perm_AtomicBool result) /\ ([@stop_split] [@expl:new ensures #0] val_AtomicBool result.f1 = singleton_Int (get_timestamp_AtomicBool result.f0 (fin_Ghost_refmut_SyncView sync_view)) { f0'0 = val'; f1'0 = sync_view.current }) 
@@ -156,7 +156,7 @@ module M_message_passing type t_Perm_PermCell_i32 - type tup2_PermCell_i32_Ghost_Box_Perm_PermCell_i32_Global = { f0'1: t_PermCell_i32; f1'1: t_Perm_PermCell_i32 } + type tup2_PermCell_i32_Ghost_Perm_PermCell_i32 = { f0'1: t_PermCell_i32; f1'1: t_Perm_PermCell_i32 } function ward_PermCell_i32 (self: t_Perm_PermCell_i32) : t_PermCell_i32 @@ -166,16 +166,11 @@ module M_message_passing meta "rewrite_def" function view_Perm_PermCell_i32 - function view_Box_Perm_PermCell_i32_Global [@inline:trivial] (self: t_Perm_PermCell_i32) : Int32.t = - view_Perm_PermCell_i32 self - - meta "rewrite_def" function view_Box_Perm_PermCell_i32_Global - - let rec new_i32 (value: Int32.t) (return (x: tup2_PermCell_i32_Ghost_Box_Perm_PermCell_i32_Global)) = any - [ return (result: tup2_PermCell_i32_Ghost_Box_Perm_PermCell_i32_Global) -> + let rec new_i32 (value: Int32.t) (return (x: tup2_PermCell_i32_Ghost_Perm_PermCell_i32)) = any + [ return (result: tup2_PermCell_i32_Ghost_Perm_PermCell_i32) -> {[@stop_split] [@expl:new_i32 ensures] ([@stop_split] [@expl:new ensures #0] result.f0'1 = ward_PermCell_i32 result.f1'1) - /\ ([@stop_split] [@expl:new ensures #1] view_Box_Perm_PermCell_i32_Global result.f1'1 = value)} + /\ ([@stop_split] [@expl:new ensures #1] view_Perm_PermCell_i32 result.f1'1 = value)} (! return {result}) ] type t_Excl_unit = { f0'2: () } 
@@ -196,13 +191,13 @@ module M_message_passing {[@stop_split] [@expl:alloc ensures] view_Resource_Option_Excl_unit result = r} (! return {result}) ] - let rec into_inner_Box_Perm_AtomicBool_Global (self: t_Perm_AtomicBool) (return (x: t_Perm_AtomicBool)) = any + let rec into_inner_Perm_AtomicBool (self: t_Perm_AtomicBool) (return (x: t_Perm_AtomicBool)) = any [ return (result: t_Perm_AtomicBool) -> {[@stop_split] [@expl:into_inner ensures] result = self} (! return {result}) ] - type t_AtView_Box_Perm_PermCell_i32_Global + type t_AtView_Perm_PermCell_i32 - type t_Option_AtView_Box_Perm_PermCell_i32_Global = None'1 | Some'1 t_AtView_Box_Perm_PermCell_i32_Global + type t_Option_AtView_Perm_PermCell_i32 = None'1 | Some'1 t_AtView_Perm_PermCell_i32 let rec deref_Ghost_Resource_Option_Excl_unit (self: t_Resource_Option_Excl_unit) (return (x: t_Resource_Option_Excl_unit)) = any 
@@ -259,27 +254,27 @@ module M_message_passing type t_MessagePassingAtomicInv = { atomic_own: t_Perm_AtomicBool; - at_view: t_Option_AtView_Box_Perm_PermCell_i32_Global; + at_view: t_Option_AtView_Perm_PermCell_i32; tok_write: t_Resource_Option_Excl_unit; tok_read: t_Resource_Option_Excl_unit; data: t_PermCell_i32 } - predicate inv_AtView_Box_Perm_PermCell_i32_Global (_1: t_AtView_Box_Perm_PermCell_i32_Global) + predicate inv_AtView_Perm_PermCell_i32 (_1: t_AtView_Perm_PermCell_i32) - predicate inv_Option_AtView_Box_Perm_PermCell_i32_Global (_1: t_Option_AtView_Box_Perm_PermCell_i32_Global) + predicate inv_Option_AtView_Perm_PermCell_i32 (_1: t_Option_AtView_Perm_PermCell_i32) axiom inv_axiom [@rewrite]: - forall x: t_Option_AtView_Box_Perm_PermCell_i32_Global [inv_Option_AtView_Box_Perm_PermCell_i32_Global x]. inv_Option_AtView_Box_Perm_PermCell_i32_Global x + forall x: t_Option_AtView_Perm_PermCell_i32 [inv_Option_AtView_Perm_PermCell_i32 x]. inv_Option_AtView_Perm_PermCell_i32 x = match x with | None'1 -> true - | Some'1 f0'4 -> inv_AtView_Box_Perm_PermCell_i32_Global f0'4 + | Some'1 f0'4 -> inv_AtView_Perm_PermCell_i32 f0'4 end predicate inv_MessagePassingAtomicInv (_1: t_MessagePassingAtomicInv) axiom inv_axiom'0 [@rewrite]: forall x: t_MessagePassingAtomicInv [inv_MessagePassingAtomicInv x]. inv_MessagePassingAtomicInv x - = inv_Option_AtView_Box_Perm_PermCell_i32_Global x.at_view + = inv_Option_AtView_Perm_PermCell_i32 x.at_view predicate invariant_Ghost_MessagePassingAtomicInv [@inline:trivial] (self: t_MessagePassingAtomicInv) = inv_MessagePassingAtomicInv self 
@@ -301,9 +296,9 @@ module M_message_passing type t_AtomicInvariant_MessagePassingAtomicInv - function val_Box_Perm_PermCell_i32_Global (self: t_AtView_Box_Perm_PermCell_i32_Global) : t_Perm_PermCell_i32 + function val_Perm_PermCell_i32 (self: t_AtView_Perm_PermCell_i32) : t_Perm_PermCell_i32 - function view_Box_Perm_PermCell_i32_Global'0 (self: t_AtView_Box_Perm_PermCell_i32_Global) : t_SyncView + function view_Perm_PermCell_i32'0 (self: t_AtView_Perm_PermCell_i32) : t_SyncView predicate protocol_MessagePassingAtomicInv [@inline:trivial] (self: t_MessagePassingAtomicInv) = forall t: int. match get_Int (val_AtomicBool self.atomic_own) t with @@ -311,9 +306,9 @@ module M_message_passing \/ b /\ val_Option_Excl_unit self.tok_write = Some'0 { f0'2 = () } /\ match self.at_view with - | Some'1 at_view'0 -> self.data = ward_PermCell_i32 (val_Box_Perm_PermCell_i32_Global at_view'0) - /\ Int32.to_int (val_PermCell_i32 (val_Box_Perm_PermCell_i32_Global at_view'0)) = 1 - /\ le_log_SyncView (view_Box_Perm_PermCell_i32_Global'0 at_view'0) view + | Some'1 at_view'0 -> self.data = ward_PermCell_i32 (val_Perm_PermCell_i32 at_view'0) + /\ Int32.to_int (val_PermCell_i32 (val_Perm_PermCell_i32 at_view'0)) = 1 + /\ le_log_SyncView (view_Perm_PermCell_i32'0 at_view'0) view | None'1 -> val_Option_Excl_unit self.tok_read = Some'0 { f0'2 = () } end | None -> true 
@@ -378,16 +373,11 @@ module M_message_passing [ return (result: t_Resource_Option_Excl_unit) -> {[@stop_split] [@expl:new ensures] result = x} (! return {result}) ] - let rec deref_mut_Ghost_Box_Perm_PermCell_i32_Global (self: MutBorrow.t t_Perm_PermCell_i32) + let rec deref_mut_Ghost_Perm_PermCell_i32 (self: MutBorrow.t t_Perm_PermCell_i32) (return (x: MutBorrow.t t_Perm_PermCell_i32)) = any [ return (result: MutBorrow.t t_Perm_PermCell_i32) -> {[@stop_split] [@expl:deref_mut ensures] result = self} (! return {result}) ] - predicate resolve_refmut_Box_Perm_PermCell_i32_Global [@inline:trivial] (_1: MutBorrow.t t_Perm_PermCell_i32) = - _1.final = _1.current - - meta "rewrite_def" predicate resolve_refmut_Box_Perm_PermCell_i32_Global - predicate resolve_refmut_Perm_PermCell_i32 [@inline:trivial] (_1: MutBorrow.t t_Perm_PermCell_i32) = _1.final = _1.current 
@@ -472,59 +462,55 @@ module M_message_passing /\ ([@stop_split] [@expl:swap ensures #1] y.final = x.current)} (! return {result}) ] - let rec into_inner_Box_Perm_PermCell_i32_Global (self: t_Perm_PermCell_i32) (return (x: t_Perm_PermCell_i32)) = any + let rec into_inner_Perm_PermCell_i32 (self: t_Perm_PermCell_i32) (return (x: t_Perm_PermCell_i32)) = any [ return (result: t_Perm_PermCell_i32) -> {[@stop_split] [@expl:into_inner ensures] result = self} (! return {result}) ] - let rec new_Box_Perm_PermCell_i32_Global (x: t_Perm_PermCell_i32) (return (x'0: t_Perm_PermCell_i32)) = any + let rec new_Perm_PermCell_i32 (x: t_Perm_PermCell_i32) (return (x'0: t_Perm_PermCell_i32)) = any [ return (result: t_Perm_PermCell_i32) -> {[@stop_split] [@expl:new ensures] result = x} (! return {result}) ] - type tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global = { - f0'5: t_SyncView; - f1'5: t_AtView_Box_Perm_PermCell_i32_Global } + type tup2_SyncView_AtView_Perm_PermCell_i32 = { f0'5: t_SyncView; f1'5: t_AtView_Perm_PermCell_i32 } - predicate inv_tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global [@inline:trivial] (_1: tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global) = - inv_AtView_Box_Perm_PermCell_i32_Global _1.f1'5 + predicate inv_tup2_SyncView_AtView_Perm_PermCell_i32 [@inline:trivial] (_1: tup2_SyncView_AtView_Perm_PermCell_i32) = + inv_AtView_Perm_PermCell_i32 _1.f1'5 - meta "rewrite_def" predicate inv_tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global + meta "rewrite_def" predicate inv_tup2_SyncView_AtView_Perm_PermCell_i32 - predicate invariant_Ghost_tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global [@inline:trivial] (self: tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global) = - inv_tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global self + predicate invariant_Ghost_tup2_SyncView_AtView_Perm_PermCell_i32 [@inline:trivial] (self: tup2_SyncView_AtView_Perm_PermCell_i32) = + inv_tup2_SyncView_AtView_Perm_PermCell_i32 self - meta "rewrite_def" predicate 
invariant_Ghost_tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global + meta "rewrite_def" predicate invariant_Ghost_tup2_SyncView_AtView_Perm_PermCell_i32 - predicate inv_Ghost_tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global [@inline:trivial] (_1: tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global) = - invariant_Ghost_tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global _1 + predicate inv_Ghost_tup2_SyncView_AtView_Perm_PermCell_i32 [@inline:trivial] (_1: tup2_SyncView_AtView_Perm_PermCell_i32) = + invariant_Ghost_tup2_SyncView_AtView_Perm_PermCell_i32 _1 - meta "rewrite_def" predicate inv_Ghost_tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global + meta "rewrite_def" predicate inv_Ghost_tup2_SyncView_AtView_Perm_PermCell_i32 - let rec new_Box_Perm_PermCell_i32_Global'0 (val': t_Perm_PermCell_i32) - (return (x: tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global)) = any - [ return (result: tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global) -> - {[@stop_split] [@expl:new_Box_Perm_PermCell_i32_Global ensures] ([@stop_split] [@expl:new result type invariant] inv_Ghost_tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global result) - /\ ([@stop_split] [@expl:new ensures] result.f0'5 = view_Box_Perm_PermCell_i32_Global'0 result.f1'5 - /\ val_Box_Perm_PermCell_i32_Global result.f1'5 = val')} + let rec new_Perm_PermCell_i32'0 (val': t_Perm_PermCell_i32) (return (x: tup2_SyncView_AtView_Perm_PermCell_i32)) = any + [ return (result: tup2_SyncView_AtView_Perm_PermCell_i32) -> + {[@stop_split] [@expl:new_Perm_PermCell_i32 ensures] ([@stop_split] [@expl:new result type invariant] inv_Ghost_tup2_SyncView_AtView_Perm_PermCell_i32 result) + /\ ([@stop_split] [@expl:new ensures] result.f0'5 = view_Perm_PermCell_i32'0 result.f1'5 + /\ val_Perm_PermCell_i32 result.f1'5 = val')} (! 
return {result}) ] - let rec into_inner_tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global - (self: tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global) - (return (x: tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global)) = - {[@stop_split] [@expl:into_inner 'self' type invariant] inv_Ghost_tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global self} + let rec into_inner_tup2_SyncView_AtView_Perm_PermCell_i32 (self: tup2_SyncView_AtView_Perm_PermCell_i32) + (return (x: tup2_SyncView_AtView_Perm_PermCell_i32)) = + {[@stop_split] [@expl:into_inner 'self' type invariant] inv_Ghost_tup2_SyncView_AtView_Perm_PermCell_i32 self} any - [ return (result: tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global) -> - {[@stop_split] [@expl:into_inner_tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global ensures] ([@stop_split] [@expl:into_inner result type invariant] inv_tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global result) + [ return (result: tup2_SyncView_AtView_Perm_PermCell_i32) -> + {[@stop_split] [@expl:into_inner_tup2_SyncView_AtView_Perm_PermCell_i32 ensures] ([@stop_split] [@expl:into_inner result type invariant] inv_tup2_SyncView_AtView_Perm_PermCell_i32 result) /\ ([@stop_split] [@expl:into_inner ensures] result = self)} (! return {result}) ] - predicate resolve_AtView_Box_Perm_PermCell_i32_Global (_1: t_AtView_Box_Perm_PermCell_i32_Global) + predicate resolve_AtView_Perm_PermCell_i32 (_1: t_AtView_Perm_PermCell_i32) - predicate resolve_Option_AtView_Box_Perm_PermCell_i32_Global (_1: t_Option_AtView_Box_Perm_PermCell_i32_Global) + predicate resolve_Option_AtView_Perm_PermCell_i32 (_1: t_Option_AtView_Perm_PermCell_i32) axiom resolve_axiom [@rewrite]: - forall x: t_Option_AtView_Box_Perm_PermCell_i32_Global [resolve_Option_AtView_Box_Perm_PermCell_i32_Global x]. resolve_Option_AtView_Box_Perm_PermCell_i32_Global x + forall x: t_Option_AtView_Perm_PermCell_i32 [resolve_Option_AtView_Perm_PermCell_i32 x]. 
resolve_Option_AtView_Perm_PermCell_i32 x = match x with | None'1 -> true - | Some'1 x0 -> resolve_AtView_Box_Perm_PermCell_i32_Global x0 + | Some'1 x0 -> resolve_AtView_Perm_PermCell_i32 x0 end predicate shot_store_AtomicBool (self: t_Committer_AtomicBool_bool_None_Release) @@ -570,10 +556,9 @@ module M_message_passing meta "rewrite_def" predicate resolve_refmut_SyncView - predicate resolve_refmut_Box_Perm_AtomicBool_Global [@inline:trivial] (_1: MutBorrow.t t_Perm_AtomicBool) = - _1.final = _1.current + predicate resolve_refmut_Perm_AtomicBool [@inline:trivial] (_1: MutBorrow.t t_Perm_AtomicBool) = _1.final = _1.current - meta "rewrite_def" predicate resolve_refmut_Box_Perm_AtomicBool_Global + meta "rewrite_def" predicate resolve_refmut_Perm_AtomicBool predicate invariant_refmut_MessagePassingAtomicInv [@inline:trivial] (self: MutBorrow.t t_MessagePassingAtomicInv) = inv_MessagePassingAtomicInv self.current /\ inv_MessagePassingAtomicInv self.final 
@@ -637,18 +622,16 @@ module M_message_passing | s13 = -{resolve_refmut_Resource_Option_Excl_unit _14}- s14 | s14 = -{resolve_refmut_Resource_Option_Excl_unit _13}- s15 | s15 = -{resolve_refmut_Resource_Option_Excl_unit _11}- s16 - | s16 = into_inner_Box_Perm_PermCell_i32_Global {self.c1'2} (fun (_x: t_Perm_PermCell_i32) -> [ &_21 <- _x ] s17) - | s17 = new_Box_Perm_PermCell_i32_Global {_21} (fun (_x: t_Perm_PermCell_i32) -> [ &_20 <- _x ] s18) - | s18 = new_Box_Perm_PermCell_i32_Global'0 {_20} - (fun (_x: tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global) -> [ &_19 <- _x ] s19) - | s19 = into_inner_tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global {_19} - (fun (_x: tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global) -> [ &_18 <- _x ] s20) + | s16 = into_inner_Perm_PermCell_i32 {self.c1'2} (fun (_x: t_Perm_PermCell_i32) -> [ &_21 <- _x ] s17) + | s17 = new_Perm_PermCell_i32 {_21} (fun (_x: t_Perm_PermCell_i32) -> [ &_20 <- _x ] s18) + | s18 = new_Perm_PermCell_i32'0 {_20} (fun (_x: tup2_SyncView_AtView_Perm_PermCell_i32) -> [ &_19 <- _x ] s19) + | s19 = into_inner_tup2_SyncView_AtView_Perm_PermCell_i32 {_19} + (fun (_x: tup2_SyncView_AtView_Perm_PermCell_i32) -> [ &_18 <- _x ] s20) | s20 = [ &sync_view <- _18.f0'5 ] s21 | s21 = [ &at_view'0 <- _18.f1'5 ] s22 | s22 = [ &_23 <- Some'1 at_view'0 ] s23 - | s23 = s24 - [ _ck -> (! {[@expl:type invariant] inv_Option_AtView_Box_Perm_PermCell_i32_Global inv.current.at_view} any) ] - | s24 = -{resolve_Option_AtView_Box_Perm_PermCell_i32_Global inv.current.at_view}- s25 + | s23 = s24 [ _ck -> (! {[@expl:type invariant] inv_Option_AtView_Perm_PermCell_i32 inv.current.at_view} any) ] + | s24 = -{resolve_Option_AtView_Perm_PermCell_i32 inv.current.at_view}- s25 | s25 = [ &inv <- { inv with current = { inv.current with at_view = _23 } } ] s26 | s26 = MutBorrow.borrow_final {inv.current.atomic_own} {MutBorrow.inherit_id (MutBorrow.get_id inv) 0} 
@@ -667,7 +650,7 @@ module M_message_passing (fun (_bor: MutBorrow.t t_SyncView) -> [ &_29 <- _bor ] [ &_30 <- { _30 with current = _bor.final } ] s31) | s31 = shoot_store_AtomicBool {_26} {_27} {_29} (fun (_x: ()) -> [ &_25 <- _x ] s32) | s32 = -{resolve_refmut_SyncView _30}- s33 - | s33 = -{resolve_refmut_Box_Perm_AtomicBool_Global _28}- s34 + | s33 = -{resolve_refmut_Perm_AtomicBool _28}- s34 | s34 = s35 [ _ck -> (! {[@expl:type invariant] inv_refmut_MessagePassingAtomicInv inv} any) ] | s35 = -{resolve_refmut_MessagePassingAtomicInv inv}- s36 | s36 = -{match self with @@ -697,12 +680,12 @@ module M_message_passing | & _14: MutBorrow.t t_Resource_Option_Excl_unit = Any.any_l () | & _15: MutBorrow.t t_Resource_Option_Excl_unit = Any.any_l () | & sync_view: t_SyncView = Any.any_l () - | & at_view'0: t_AtView_Box_Perm_PermCell_i32_Global = Any.any_l () - | & _18: tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global = Any.any_l () - | & _19: tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global = Any.any_l () + | & at_view'0: t_AtView_Perm_PermCell_i32 = Any.any_l () + | & _18: tup2_SyncView_AtView_Perm_PermCell_i32 = Any.any_l () + | & _19: tup2_SyncView_AtView_Perm_PermCell_i32 = Any.any_l () | & _20: t_Perm_PermCell_i32 = Any.any_l () | & _21: t_Perm_PermCell_i32 = Any.any_l () - | & _23: t_Option_AtView_Box_Perm_PermCell_i32_Global = Any.any_l () + | & _23: t_Option_AtView_Perm_PermCell_i32 = Any.any_l () | & _25: () = Any.any_l () | & _26: MutBorrow.t t_Committer_AtomicBool_bool_None_Release = Any.any_l () | & _27: MutBorrow.t t_Perm_AtomicBool = Any.any_l () 
@@ -879,15 +862,14 @@ module M_message_passing | s3 = MutBorrow.borrow_mut {self.c2'0} (fun (_bor: MutBorrow.t t_Perm_PermCell_i32) -> [ &_15 <- _bor ] [ &self <- { self with c2'0 = _bor.final } ] s4) - | s4 = deref_mut_Ghost_Box_Perm_PermCell_i32_Global {_15} - (fun (_x: MutBorrow.t t_Perm_PermCell_i32) -> [ &_14 <- _x ] s5) + | s4 = deref_mut_Ghost_Perm_PermCell_i32 {_15} (fun (_x: MutBorrow.t t_Perm_PermCell_i32) -> [ &_14 <- _x ] s5) | s5 = MutBorrow.borrow_final {_14.current} {MutBorrow.get_id _14} (fun (_bor: MutBorrow.t t_Perm_PermCell_i32) -> [ &_13 <- _bor ] [ &_14 <- { _14 with current = _bor.final } ] s6) | s6 = MutBorrow.borrow_final {_13.current} {MutBorrow.get_id _13} (fun (_bor: MutBorrow.t t_Perm_PermCell_i32) -> [ &_12 <- _bor ] [ &_13 <- { _13 with current = _bor.final } ] s7) - | s7 = -{resolve_refmut_Box_Perm_PermCell_i32_Global _14}- s8 + | s7 = -{resolve_refmut_Perm_PermCell_i32 _14}- s8 | s8 = -{resolve_refmut_Perm_PermCell_i32 _13}- s9 | s9 = MutBorrow.borrow_final {_12.current} {MutBorrow.get_id _12} (fun (_bor: MutBorrow.t t_Perm_PermCell_i32) -> 
@@ -979,18 +961,17 @@ module M_message_passing c2'3: t_AtomicInvariant_MessagePassingAtomicInv; c3'3: t_PermCell_i32 } - type t_Option_Box_Perm_PermCell_i32_Global = None'3 | Some'3 t_Perm_PermCell_i32 + type t_Option_Perm_PermCell_i32 = None'3 | Some'3 t_Perm_PermCell_i32 - let rec new_Option_Box_Perm_PermCell_i32_Global (x: t_Option_Box_Perm_PermCell_i32_Global) - (return (x'0: t_Option_Box_Perm_PermCell_i32_Global)) = any - [ return (result: t_Option_Box_Perm_PermCell_i32_Global) -> {[@stop_split] [@expl:new ensures] result = x} + let rec new_Option_Perm_PermCell_i32 (x: t_Option_Perm_PermCell_i32) (return (x'0: t_Option_Perm_PermCell_i32)) = any + [ return (result: t_Option_Perm_PermCell_i32) -> {[@stop_split] [@expl:new ensures] result = x} (! return {result}) ] type closure4 = { c0'4: t_AtomicInvariant_MessagePassingAtomicInv; c1'4: MutBorrow.t t_Tokens; c2'4: MutBorrow.t t_Resource_Option_Excl_unit; - c3'4: MutBorrow.t t_Option_Box_Perm_PermCell_i32_Global } + c3'4: MutBorrow.t t_Option_Perm_PermCell_i32 } let rec deref_mut_Ghost_Tokens (self: MutBorrow.t t_Tokens) (return (x: MutBorrow.t t_Tokens)) = any [ return (result: MutBorrow.t t_Tokens) -> {[@stop_split] [@expl:deref_mut ensures] result = self} @@ -1008,7 +989,7 @@ module M_message_passing type closure0'3 = { c0'5: t_Committer_AtomicBool_bool_Acquire_None; c1'5: MutBorrow.t t_Resource_Option_Excl_unit; - c2'5: MutBorrow.t t_Option_Box_Perm_PermCell_i32_Global } + c2'5: MutBorrow.t t_Option_Perm_PermCell_i32 } let rec into_ghost_bool (self: bool) (return (x: bool)) = any [ return (result: bool) -> {[@stop_split] [@expl:into_ghost ensures] result = self} (! return {result}) ] 
@@ -1042,57 +1023,54 @@ module M_message_passing end)} (! return {result}) ] - predicate invariant_refmut_Option_AtView_Box_Perm_PermCell_i32_Global [@inline:trivial] (self: MutBorrow.t t_Option_AtView_Box_Perm_PermCell_i32_Global) = - inv_Option_AtView_Box_Perm_PermCell_i32_Global self.current - /\ inv_Option_AtView_Box_Perm_PermCell_i32_Global self.final + predicate invariant_refmut_Option_AtView_Perm_PermCell_i32 [@inline:trivial] (self: MutBorrow.t t_Option_AtView_Perm_PermCell_i32) = + inv_Option_AtView_Perm_PermCell_i32 self.current /\ inv_Option_AtView_Perm_PermCell_i32 self.final - meta "rewrite_def" predicate invariant_refmut_Option_AtView_Box_Perm_PermCell_i32_Global + meta "rewrite_def" predicate invariant_refmut_Option_AtView_Perm_PermCell_i32 - predicate inv_refmut_Option_AtView_Box_Perm_PermCell_i32_Global [@inline:trivial] (_1: MutBorrow.t t_Option_AtView_Box_Perm_PermCell_i32_Global) = - invariant_refmut_Option_AtView_Box_Perm_PermCell_i32_Global _1 + predicate inv_refmut_Option_AtView_Perm_PermCell_i32 [@inline:trivial] (_1: MutBorrow.t t_Option_AtView_Perm_PermCell_i32) = + invariant_refmut_Option_AtView_Perm_PermCell_i32 _1 - meta "rewrite_def" predicate inv_refmut_Option_AtView_Box_Perm_PermCell_i32_Global + meta "rewrite_def" predicate inv_refmut_Option_AtView_Perm_PermCell_i32 - let rec take_AtView_Box_Perm_PermCell_i32_Global (self_: MutBorrow.t t_Option_AtView_Box_Perm_PermCell_i32_Global) - (return (x: t_Option_AtView_Box_Perm_PermCell_i32_Global)) = - {[@stop_split] [@expl:take 'self_' type invariant] inv_refmut_Option_AtView_Box_Perm_PermCell_i32_Global self_} + let rec take_AtView_Perm_PermCell_i32 (self_: MutBorrow.t t_Option_AtView_Perm_PermCell_i32) + (return (x: t_Option_AtView_Perm_PermCell_i32)) = + {[@stop_split] [@expl:take 'self_' type invariant] inv_refmut_Option_AtView_Perm_PermCell_i32 self_} any - [ return (result: t_Option_AtView_Box_Perm_PermCell_i32_Global) -> - {[@stop_split] 
[@expl:take_AtView_Box_Perm_PermCell_i32_Global ensures] ([@stop_split] [@expl:take result type invariant] inv_Option_AtView_Box_Perm_PermCell_i32_Global result) + [ return (result: t_Option_AtView_Perm_PermCell_i32) -> + {[@stop_split] [@expl:take_AtView_Perm_PermCell_i32 ensures] ([@stop_split] [@expl:take result type invariant] inv_Option_AtView_Perm_PermCell_i32 result) /\ ([@stop_split] [@expl:take ensures] result = self_.current /\ self_.final = None'1)} (! return {result}) ] - let rec unwrap_AtView_Box_Perm_PermCell_i32_Global (self_: t_Option_AtView_Box_Perm_PermCell_i32_Global) - (return (x: t_AtView_Box_Perm_PermCell_i32_Global)) = - {[@stop_split] [@expl:unwrap_AtView_Box_Perm_PermCell_i32_Global requires] ([@stop_split] [@expl:unwrap 'self_' type invariant] inv_Option_AtView_Box_Perm_PermCell_i32_Global self_) + let rec unwrap_AtView_Perm_PermCell_i32 (self_: t_Option_AtView_Perm_PermCell_i32) + (return (x: t_AtView_Perm_PermCell_i32)) = + {[@stop_split] [@expl:unwrap_AtView_Perm_PermCell_i32 requires] ([@stop_split] [@expl:unwrap 'self_' type invariant] inv_Option_AtView_Perm_PermCell_i32 self_) /\ ([@stop_split] [@expl:unwrap requires] self_ <> None'1)} any - [ return (result: t_AtView_Box_Perm_PermCell_i32_Global) -> - {[@stop_split] [@expl:unwrap_AtView_Box_Perm_PermCell_i32_Global ensures] ([@stop_split] [@expl:unwrap result type invariant] inv_AtView_Box_Perm_PermCell_i32_Global result) + [ return (result: t_AtView_Perm_PermCell_i32) -> + {[@stop_split] [@expl:unwrap_AtView_Perm_PermCell_i32 ensures] ([@stop_split] [@expl:unwrap result type invariant] inv_AtView_Perm_PermCell_i32 result) /\ ([@stop_split] [@expl:unwrap ensures] Some'1 result = self_)} (! 
return {result}) ] - let rec sync_Box_Perm_PermCell_i32_Global (self: t_AtView_Box_Perm_PermCell_i32_Global) (sync_view: t_SyncView) + let rec sync_Perm_PermCell_i32 (self: t_AtView_Perm_PermCell_i32) (sync_view: t_SyncView) (return (x: t_Perm_PermCell_i32)) = - {[@stop_split] [@expl:sync_Box_Perm_PermCell_i32_Global requires] ([@stop_split] [@expl:sync 'self' type invariant] inv_AtView_Box_Perm_PermCell_i32_Global self) - /\ ([@stop_split] [@expl:sync requires] le_log_SyncView (view_Box_Perm_PermCell_i32_Global'0 self) sync_view)} + {[@stop_split] [@expl:sync_Perm_PermCell_i32 requires] ([@stop_split] [@expl:sync 'self' type invariant] inv_AtView_Perm_PermCell_i32 self) + /\ ([@stop_split] [@expl:sync requires] le_log_SyncView (view_Perm_PermCell_i32'0 self) sync_view)} any - [ return (result: t_Perm_PermCell_i32) -> {[@stop_split] [@expl:sync ensures] result - = val_Box_Perm_PermCell_i32_Global self} + [ return (result: t_Perm_PermCell_i32) -> {[@stop_split] [@expl:sync ensures] result = val_Perm_PermCell_i32 self} (! 
return {result}) ] predicate resolve_refmut_closure0 [@inline:trivial] (_1: MutBorrow.t closure0'3) = _1.final = _1.current meta "rewrite_def" predicate resolve_refmut_closure0 - predicate resolve_refmut_Ghost_Option_Box_Perm_PermCell_i32_Global [@inline:trivial] (_1: MutBorrow.t t_Option_Box_Perm_PermCell_i32_Global) = + predicate resolve_refmut_Ghost_Option_Perm_PermCell_i32 [@inline:trivial] (_1: MutBorrow.t t_Option_Perm_PermCell_i32) = _1.final = _1.current - meta "rewrite_def" predicate resolve_refmut_Ghost_Option_Box_Perm_PermCell_i32_Global + meta "rewrite_def" predicate resolve_refmut_Ghost_Option_Perm_PermCell_i32 predicate resolve_closure0 [@inline:trivial] (_1: closure0'3) = - resolve_refmut_Ghost_Option_Box_Perm_PermCell_i32_Global _1.c2'5 - /\ resolve_refmut_Ghost_Resource_Option_Excl_unit _1.c1'5 + resolve_refmut_Ghost_Option_Perm_PermCell_i32 _1.c2'5 /\ resolve_refmut_Ghost_Resource_Option_Excl_unit _1.c1'5 meta "rewrite_def" predicate resolve_closure0 
@@ -1157,22 +1135,19 @@ module M_message_passing (fun (_bor: MutBorrow.t t_SyncView) -> [ &_33 <- _bor ] [ &_34 <- { _34 with current = _bor.final } ] s22) | s22 = shoot_load_AtomicBool {self.current.c0'5} {_32} {_33} (fun (_x: ()) -> [ &_29 <- _x ] s23) | s23 = -{resolve_refmut_SyncView _34}- s24 - | s24 = MutBorrow.borrow_final {inv.current.at_view} + | s24 = MutBorrow.borrow_final {inv.current.at_view} {MutBorrow.inherit_id (MutBorrow.get_id inv) 1} - (fun (_bor: MutBorrow.t t_Option_AtView_Box_Perm_PermCell_i32_Global) -> - [ &_40 <- _bor ] -{inv_Option_AtView_Box_Perm_PermCell_i32_Global _bor.final}- + (fun (_bor: MutBorrow.t t_Option_AtView_Perm_PermCell_i32) -> + [ &_40 <- _bor ] -{inv_Option_AtView_Perm_PermCell_i32 _bor.final}- [ &inv <- { inv with current = { inv.current with at_view = _bor.final } } ] s25) - [ _ck -> (! {[@expl:type invariant] inv_Option_AtView_Box_Perm_PermCell_i32_Global inv.current.at_view} any) ] - | s25 = take_AtView_Box_Perm_PermCell_i32_Global {_40} - (fun (_x: t_Option_AtView_Box_Perm_PermCell_i32_Global) -> [ &_39 <- _x ] s26) + [ _ck -> (! {[@expl:type invariant] inv_Option_AtView_Perm_PermCell_i32 inv.current.at_view} any) ] + | s25 = take_AtView_Perm_PermCell_i32 {_40} (fun (_x: t_Option_AtView_Perm_PermCell_i32) -> [ &_39 <- _x ] s26) | s26 = s27 [ _ck -> (! 
{[@expl:type invariant] inv_refmut_MessagePassingAtomicInv inv} any) ] | s27 = -{resolve_refmut_MessagePassingAtomicInv inv}- s28 - | s28 = unwrap_AtView_Box_Perm_PermCell_i32_Global {_39} - (fun (_x: t_AtView_Box_Perm_PermCell_i32_Global) -> [ &_38 <- _x ] s29) - | s29 = sync_Box_Perm_PermCell_i32_Global {_38} {sync_view} (fun (_x: t_Perm_PermCell_i32) -> [ &_37 <- _x ] s30) + | s28 = unwrap_AtView_Perm_PermCell_i32 {_39} (fun (_x: t_AtView_Perm_PermCell_i32) -> [ &_38 <- _x ] s29) + | s29 = sync_Perm_PermCell_i32 {_38} {sync_view} (fun (_x: t_Perm_PermCell_i32) -> [ &_37 <- _x ] s30) | s30 = [ &_36 <- Some'3 _37 ] s31 - | s31 = new_Option_Box_Perm_PermCell_i32_Global {_36} - (fun (_x: t_Option_Box_Perm_PermCell_i32_Global) -> [ &_35 <- _x ] s32) + | s31 = new_Option_Perm_PermCell_i32 {_36} (fun (_x: t_Option_Perm_PermCell_i32) -> [ &_35 <- _x ] s32) | s32 = [ &self <- { self with current = { self.current with c2'5 = { self.current.c2'5 with current = _35 } } } ] s33 | s33 = -{resolve_refmut_closure0 self}- s34 
@@ -1206,12 +1181,12 @@ module M_message_passing | & _32: t_Perm_AtomicBool = Any.any_l () | & _33: MutBorrow.t t_SyncView = Any.any_l () | & _34: MutBorrow.t t_SyncView = Any.any_l () - | & _35: t_Option_Box_Perm_PermCell_i32_Global = Any.any_l () - | & _36: t_Option_Box_Perm_PermCell_i32_Global = Any.any_l () + | & _35: t_Option_Perm_PermCell_i32 = Any.any_l () + | & _36: t_Option_Perm_PermCell_i32 = Any.any_l () | & _37: t_Perm_PermCell_i32 = Any.any_l () - | & _38: t_AtView_Box_Perm_PermCell_i32_Global = Any.any_l () - | & _39: t_Option_AtView_Box_Perm_PermCell_i32_Global = Any.any_l () - | & _40: MutBorrow.t t_Option_AtView_Box_Perm_PermCell_i32_Global = Any.any_l () ] + | & _38: t_AtView_Perm_PermCell_i32 = Any.any_l () + | & _39: t_Option_AtView_Perm_PermCell_i32 = Any.any_l () + | & _40: MutBorrow.t t_Option_AtView_Perm_PermCell_i32 = Any.any_l () ] [ return (result: ()) -> {[@stop_split] [@expl:closure hist_inv post] hist_inv_closure0 self.current self.final} return {result} ] @@ -1306,7 +1281,7 @@ module M_message_passing meta "rewrite_def" predicate resolve_refmut_Ghost_Tokens predicate resolve_closure4 [@inline:trivial] (_1: closure4) = - resolve_refmut_Ghost_Option_Box_Perm_PermCell_i32_Global _1.c3'4 + resolve_refmut_Ghost_Option_Perm_PermCell_i32 _1.c3'4 /\ resolve_refmut_Ghost_Resource_Option_Excl_unit _1.c2'4 /\ resolve_refmut_Ghost_Tokens _1.c1'4 meta "rewrite_def" predicate resolve_closure4 @@ -1337,8 +1312,8 @@ module M_message_passing [ &_13 <- _bor ] [ &self <- { self with current = { self.current with c2'4 = { self.current.c2'4 with current = _bor.final } } } ] s6) - | s6 = MutBorrow.borrow_mut {self.current.c3'4.current} - (fun (_bor: MutBorrow.t t_Option_Box_Perm_PermCell_i32_Global) -> + | s6 = MutBorrow.borrow_mut {self.current.c3'4.current} + (fun (_bor: MutBorrow.t t_Option_Perm_PermCell_i32) -> [ &_14 <- _bor ] [ &self <- { self with current = { self.current with c3'4 = { self.current.c3'4 with current = _bor.final } } } ] s7) 
@@ -1359,7 +1334,7 @@ module M_message_passing | & _10: t_FnGhostWrapper_closure0'1 = Any.any_l () | & _11: closure0'3 = Any.any_l () | & _13: MutBorrow.t t_Resource_Option_Excl_unit = Any.any_l () - | & _14: MutBorrow.t t_Option_Box_Perm_PermCell_i32_Global = Any.any_l () ] + | & _14: MutBorrow.t t_Option_Perm_PermCell_i32 = Any.any_l () ] [ return (result: ()) -> {[@stop_split] [@expl:closure hist_inv post] hist_inv_closure4 self.current self.final} return {result} ] 
@@ -1440,24 +1415,24 @@ module M_message_passing /\ val_load_AtomicBool'0 c = result /\ postcondition_once_FnGhostWrapper_closure4 f c ()} (! return {result}) ] - let rec deref_Ghost_Option_Box_Perm_PermCell_i32_Global (self: t_Option_Box_Perm_PermCell_i32_Global) - (return (x: t_Option_Box_Perm_PermCell_i32_Global)) = any - [ return (result: t_Option_Box_Perm_PermCell_i32_Global) -> {[@stop_split] [@expl:deref ensures] result = self} + let rec deref_Ghost_Option_Perm_PermCell_i32 (self: t_Option_Perm_PermCell_i32) + (return (x: t_Option_Perm_PermCell_i32)) = any + [ return (result: t_Option_Perm_PermCell_i32) -> {[@stop_split] [@expl:deref ensures] result = self} (! return {result}) ] - type t_Option_ref_Box_Perm_PermCell_i32_Global = None'4 | Some'4 t_Perm_PermCell_i32 + type t_Option_ref_Perm_PermCell_i32 = None'4 | Some'4 t_Perm_PermCell_i32 - let rec as_ref_Box_Perm_PermCell_i32_Global (self_: t_Option_Box_Perm_PermCell_i32_Global) - (return (x: t_Option_ref_Box_Perm_PermCell_i32_Global)) = any - [ return (result: t_Option_ref_Box_Perm_PermCell_i32_Global) -> - {[@stop_split] [@expl:as_ref_Box_Perm_PermCell_i32_Global ensures] ([@stop_split] [@expl:as_ref ensures #0] self_ - = None'3 -> result = None'4) + let rec as_ref_Perm_PermCell_i32 (self_: t_Option_Perm_PermCell_i32) (return (x: t_Option_ref_Perm_PermCell_i32)) = + any + [ return (result: t_Option_ref_Perm_PermCell_i32) -> + {[@stop_split] [@expl:as_ref_Perm_PermCell_i32 ensures] ([@stop_split] [@expl:as_ref ensures #0] self_ = None'3 + -> result = None'4) /\ ([@stop_split] [@expl:as_ref ensures #1] self_ = None'3 \/ (exists r: t_Perm_PermCell_i32. result = Some'4 r /\ self_ = Some'3 r))} (! 
return {result}) ] - let rec unwrap_ref_Box_Perm_PermCell_i32_Global (self_: t_Option_ref_Box_Perm_PermCell_i32_Global) - (return (x: t_Perm_PermCell_i32)) = {[@stop_split] [@expl:unwrap requires] self_ <> None'4} + let rec unwrap_ref_Perm_PermCell_i32 (self_: t_Option_ref_Perm_PermCell_i32) (return (x: t_Perm_PermCell_i32)) = + {[@stop_split] [@expl:unwrap requires] self_ <> None'4} any [ return (result: t_Perm_PermCell_i32) -> {[@stop_split] [@expl:unwrap ensures] Some'4 result = self_} (! return {result}) ] @@ -1485,8 +1460,7 @@ module M_message_passing | s1 = new_Resource_Option_Excl_unit {_4} (fun (_x: t_Resource_Option_Excl_unit) -> [ &excl <- _x ] s2) | s2 = [ &excl_snap <- excl ] s3 | s3 = [ &_10 <- None'3 ] s4 - | s4 = new_Option_Box_Perm_PermCell_i32_Global {_10} - (fun (_x: t_Option_Box_Perm_PermCell_i32_Global) -> [ &data_own <- _x ] s5) + | s4 = new_Option_Perm_PermCell_i32 {_10} (fun (_x: t_Option_Perm_PermCell_i32) -> [ &data_own <- _x ] s5) | s5 = bb5 ] | bb5 = bb5 [ bb5 = {[@expl:loop invariant #0] excl = excl_snap} 
@@ -1496,20 +1470,17 @@ module M_message_passing (fun (_bor: MutBorrow.t t_Tokens) -> [ &_25 <- _bor ] [ &tokens <- _bor.final ] s1) | s1 = MutBorrow.borrow_mut {excl} (fun (_bor: MutBorrow.t t_Resource_Option_Excl_unit) -> [ &_26 <- _bor ] [ &excl <- _bor.final ] s2) - | s2 = MutBorrow.borrow_mut {data_own} - (fun (_bor: MutBorrow.t t_Option_Box_Perm_PermCell_i32_Global) -> - [ &_27 <- _bor ] [ &data_own <- _bor.final ] s3) + | s2 = MutBorrow.borrow_mut {data_own} + (fun (_bor: MutBorrow.t t_Option_Perm_PermCell_i32) -> [ &_27 <- _bor ] [ &data_own <- _bor.final ] s3) | s3 = [ &_23 <- { c0'4 = self.c2'3; c1'4 = _25; c2'4 = _26; c3'4 = _27 } ] s4 | s4 = __new_closure4 {_23} (fun (_x: t_FnGhostWrapper_closure4) -> [ &_22 <- _x ] s5) | s5 = new_FnGhostWrapper_closure4 {_22} (fun (_x: t_FnGhostWrapper_closure4) -> [ &_21 <- _x ] s6) | s6 = load_FnGhostWrapper_closure4 {self.c1'3} {_21} (fun (_x: bool) -> [ &_19 <- _x ] s7) | s7 = any [ br0 -> {_19 = false} (! bb5) | br1 -> {_19} (! bb10) ] ] ] | bb10 = s0 - [ s0 = deref_Ghost_Option_Box_Perm_PermCell_i32_Global {data_own} - (fun (_x: t_Option_Box_Perm_PermCell_i32_Global) -> [ &_36 <- _x ] s1) - | s1 = as_ref_Box_Perm_PermCell_i32_Global {_36} - (fun (_x: t_Option_ref_Box_Perm_PermCell_i32_Global) -> [ &_34 <- _x ] s2) - | s2 = unwrap_ref_Box_Perm_PermCell_i32_Global {_34} (fun (_x: t_Perm_PermCell_i32) -> [ &_33 <- _x ] s3) + [ s0 = deref_Ghost_Option_Perm_PermCell_i32 {data_own} (fun (_x: t_Option_Perm_PermCell_i32) -> [ &_36 <- _x ] s1) + | s1 = as_ref_Perm_PermCell_i32 {_36} (fun (_x: t_Option_ref_Perm_PermCell_i32) -> [ &_34 <- _x ] s2) + | s2 = unwrap_ref_Perm_PermCell_i32 {_34} (fun (_x: t_Perm_PermCell_i32) -> [ &_33 <- _x ] s3) | s3 = new_ref_Perm_PermCell_i32 {_33} (fun (_x: t_Perm_PermCell_i32) -> [ &_31 <- _x ] s4) | s4 = get_i32 {self.c3'3} {_31} (fun (_x: Int32.t) -> [ &res <- _x ] s5) | s5 = {[@expl:assertion] res = (1: Int32.t)} s6 
@@ -1520,20 +1491,20 @@ module M_message_passing | & excl: t_Resource_Option_Excl_unit = Any.any_l () | & _4: t_Resource_Option_Excl_unit = Any.any_l () | & excl_snap: t_Resource_Option_Excl_unit = Any.any_l () - | & data_own: t_Option_Box_Perm_PermCell_i32_Global = Any.any_l () - | & _10: t_Option_Box_Perm_PermCell_i32_Global = Any.any_l () + | & data_own: t_Option_Perm_PermCell_i32 = Any.any_l () + | & _10: t_Option_Perm_PermCell_i32 = Any.any_l () | & _19: bool = Any.any_l () | & _21: t_FnGhostWrapper_closure4 = Any.any_l () | & _22: t_FnGhostWrapper_closure4 = Any.any_l () | & _23: closure4 = Any.any_l () | & _25: MutBorrow.t t_Tokens = Any.any_l () | & _26: MutBorrow.t t_Resource_Option_Excl_unit = Any.any_l () - | & _27: MutBorrow.t t_Option_Box_Perm_PermCell_i32_Global = Any.any_l () + | & _27: MutBorrow.t t_Option_Perm_PermCell_i32 = Any.any_l () | & res: Int32.t = Any.any_l () | & _31: t_Perm_PermCell_i32 = Any.any_l () | & _33: t_Perm_PermCell_i32 = Any.any_l () - | & _34: t_Option_ref_Box_Perm_PermCell_i32_Global = Any.any_l () - | & _36: t_Option_Box_Perm_PermCell_i32_Global = Any.any_l () ] [ return (result: ()) -> return {result} ] + | & _34: t_Option_ref_Perm_PermCell_i32 = Any.any_l () + | & _36: t_Option_Perm_PermCell_i32 = Any.any_l () ] [ return (result: ()) -> return {result} ] meta "rewrite_def" predicate closure1'pre 
@@ -1652,17 +1623,17 @@ module M_message_passing | s1 = MutBorrow.borrow_mut {_6} (fun (_bor: MutBorrow.t t_SyncView) -> [ &_5 <- _bor ] [ &_6 <- _bor.final ] s2) | s2 = borrow_mut_SyncView {_5} (fun (_x: MutBorrow.t t_SyncView) -> [ &_4 <- _x ] s3) - | s3 = new'0 {false} {_4} (fun (_x: tup2_AtomicBool_Ghost_Box_Perm_AtomicBool_Global) -> [ &_3 <- _x ] s4) + | s3 = new'0 {false} {_4} (fun (_x: tup2_AtomicBool_Ghost_Perm_AtomicBool) -> [ &_3 <- _x ] s4) | s4 = [ &atomic <- _3.f0 ] s5 | s5 = [ &atomic_own'0 <- _3.f1 ] s6 - | s6 = new_i32 {(0: Int32.t)} (fun (_x: tup2_PermCell_i32_Ghost_Box_Perm_PermCell_i32_Global) -> [ &_9 <- _x ] s7) + | s6 = new_i32 {(0: Int32.t)} (fun (_x: tup2_PermCell_i32_Ghost_Perm_PermCell_i32) -> [ &_9 <- _x ] s7) | s7 = [ &data'0 <- _9.f0'1 ] s8 | s8 = [ &data_own <- _9.f1'1 ] s9 | s9 = alloc_Option_Excl_unit {Some'0 { f0'2 = () }} (fun (_x: t_Resource_Option_Excl_unit) -> [ &excl_write <- _x ] s10) | s10 = alloc_Option_Excl_unit {Some'0 { f0'2 = () }} (fun (_x: t_Resource_Option_Excl_unit) -> [ &excl_read <- _x ] s11) - | s11 = into_inner_Box_Perm_AtomicBool_Global {atomic_own'0} (fun (_x: t_Perm_AtomicBool) -> [ &_19 <- _x ] s12) + | s11 = into_inner_Perm_AtomicBool {atomic_own'0} (fun (_x: t_Perm_AtomicBool) -> [ &_19 <- _x ] s12) | s12 = [ &_21 <- None'1 ] s13 | s13 = deref_Ghost_Resource_Option_Excl_unit {excl_write} (fun (_x: t_Resource_Option_Excl_unit) -> [ &_25 <- _x ] s14) 
@@ -1684,20 +1655,20 @@ module M_message_passing [ & _ret: () = Any.any_l () | & atomic: t_AtomicBool = Any.any_l () | & atomic_own'0: t_Perm_AtomicBool = Any.any_l () - | & _3: tup2_AtomicBool_Ghost_Box_Perm_AtomicBool_Global = Any.any_l () + | & _3: tup2_AtomicBool_Ghost_Perm_AtomicBool = Any.any_l () | & _4: MutBorrow.t t_SyncView = Any.any_l () | & _5: MutBorrow.t t_SyncView = Any.any_l () | & _6: t_SyncView = Any.any_l () | & data'0: t_PermCell_i32 = Any.any_l () | & data_own: t_Perm_PermCell_i32 = Any.any_l () - | & _9: tup2_PermCell_i32_Ghost_Box_Perm_PermCell_i32_Global = Any.any_l () + | & _9: tup2_PermCell_i32_Ghost_Perm_PermCell_i32 = Any.any_l () | & excl_write: t_Resource_Option_Excl_unit = Any.any_l () | & excl_read: t_Resource_Option_Excl_unit = Any.any_l () | & inv: t_AtomicInvariant_MessagePassingAtomicInv = Any.any_l () | & _17: t_MessagePassingAtomicInv = Any.any_l () | & _18: t_MessagePassingAtomicInv = Any.any_l () | & _19: t_Perm_AtomicBool = Any.any_l () - | & _21: t_Option_AtView_Box_Perm_PermCell_i32_Global = Any.any_l () + | & _21: t_Option_AtView_Perm_PermCell_i32 = Any.any_l () | & _22: t_Resource_Option_Excl_unit = Any.any_l () | & _23: t_Id = Any.any_l () | & _25: t_Resource_Option_Excl_unit = Any.any_l () diff --git a/examples/message_passing/relacq_options.rs b/examples/message_passing/relacq_options.rs index 5e161faa87..e41be577d6 100644 --- a/examples/message_passing/relacq_options.rs +++ b/examples/message_passing/relacq_options.rs @@ -24,8 +24,8 @@ use creusot_std::{ declare_namespace! { MESSAGE_PASSING } struct MessagePassingAtomicInv { - atomic_own: Box>, - at_view: Option>>>>, + atomic_own: Perm, + at_view: Option>>>, tok_write: Resource>>, tok_read: Resource>>, data: Snapshot>, 
@@ -82,7 +82,7 @@ pub fn message_passing() {
 let t1 = s.spawn(move |tokens: Ghost| {
 let mut excl = ghost!(excl_write.into_inner());
- unsafe { *data.borrow_mut(ghost!(&mut **data_own)) = 1 }
+ unsafe { *data.borrow_mut(ghost!(&mut *data_own)) = 1 }
 atomic.store(
 true,
diff --git a/examples/message_passing/relacq_options/proof.json b/examples/message_passing/relacq_options/proof.json
index ce39da4f76..988c4d2e88 100644
--- a/examples/message_passing/relacq_options/proof.json
+++ b/examples/message_passing/relacq_options/proof.json
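Review bot: The rewritten `unsafe { *data.borrow_mut(ghost!(&mut *data_own)) = 1 }` line in `message_passing` still carries no `// SAFETY:` comment, so a reader of the example cannot tell what makes the raw write to `data` sound. Presumably it is the `#[requires]` contract on `borrow_mut`, which ties the access to the ghost permission `data_own` that this thread owns, but that contract is not visible here and should be named at the call site. A one-line comment above it would do: `// SAFETY: the write is covered by the ghost permission `data_own`, which borrow_mut's contract requires and Creusot checks.` The enclosing `spawn` closure and `message_passing` itself start and end outside the hunk.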
@@ -3,34 +3,31 @@ "proofs": { "M_message_passing": { "vc___new_closure0": { "prover": "alt-ergo", "time": 0.025 }, - "vc___new_closure0'0": { "prover": "alt-ergo", "time": 0.021 }, - "vc___new_closure0'1": { "prover": "alt-ergo", "time": 0.023 }, + "vc___new_closure0'0": { "prover": "alt-ergo", "time": 0.043 }, + "vc___new_closure0'1": { "prover": "alt-ergo", "time": 0.047 }, "vc___new_closure4": { "prover": "alt-ergo", "time": 0.028 }, - "vc_alloc_Option_Excl_unit": { "prover": "alt-ergo", "time": 0.021 }, - "vc_as_ref_Box_Perm_PermCell_i32_Global": { - "prover": "alt-ergo", - "time": 0.031 - }, + "vc_alloc_Option_Excl_unit": { "prover": "alt-ergo", "time": 0.068 }, + "vc_as_ref_Perm_PermCell_i32": { "prover": "alt-ergo", "time": 0.053 }, "vc_borrow_AtomicInvariant_MessagePassingAtomicInv": { "prover": "alt-ergo", - "time": 0.022 + "time": 0.063 }, "vc_borrow_mut_SyncView": { "prover": "alt-ergo", "time": 0.023 }, - "vc_borrow_mut_i32": { "prover": "alt-ergo", "time": 0.023 }, - "vc_closure0": { "prover": "alt-ergo", "time": 0.017 }, - "vc_closure0'0": { "prover": "alt-ergo", "time": 0.026 }, + "vc_borrow_mut_i32": { "prover": "alt-ergo", "time": 0.055 }, + "vc_closure0": { "prover": "alt-ergo", "time": 0.047 }, + "vc_closure0'0": { "prover": "alt-ergo", "time": 0.053 }, "vc_closure0'1": { "prover": "alt-ergo", "time": 0.022 }, "vc_closure0'2": { "prover": "alt-ergo", "time": 0.023 }, - "vc_closure0'3": { "prover": "alt-ergo", "time": 0.024 }, + "vc_closure0'3": { "prover": "alt-ergo", "time": 0.056 }, "vc_closure1": { "prover": "alt-ergo", "time": 0.027 }, "vc_closure4": { "prover": "alt-ergo", "time": 0.028 }, - "vc_deref_Ghost_Option_Box_Perm_PermCell_i32_Global": { + "vc_deref_Ghost_Option_Perm_PermCell_i32": { "prover": "alt-ergo", - "time": 0.032 + "time": 0.051 }, "vc_deref_Ghost_Resource_Option_Excl_unit": { "prover": "alt-ergo", - "time": 0.026 + "time": 0.065 }, "vc_deref_Ghost_SyncView": { "prover": "alt-ergo", "time": 0.025 }, "vc_deref_Ghost_bool": { 
"prover": "alt-ergo", "time": 0.025 }, @@ -38,34 +35,34 @@ "prover": "alt-ergo", "time": 0.025 }, - "vc_deref_mut_Ghost_Box_Perm_PermCell_i32_Global": { + "vc_deref_mut_Ghost_Perm_PermCell_i32": { "prover": "alt-ergo", - "time": 0.034 + "time": 0.036 }, "vc_deref_mut_Ghost_Resource_Option_Excl_unit": { "prover": "alt-ergo", "time": 0.026 }, - "vc_deref_mut_Ghost_Tokens": { "prover": "alt-ergo", "time": 0.021 }, + "vc_deref_mut_Ghost_Tokens": { "prover": "alt-ergo", "time": 0.043 }, "vc_get_i32": { "prover": "alt-ergo", "time": 0.031 }, - "vc_id_ghost_Option_Excl_unit": { "prover": "alt-ergo", "time": 0.026 }, + "vc_id_ghost_Option_Excl_unit": { "prover": "alt-ergo", "time": 0.062 }, "vc_into_ghost_bool": { "prover": "alt-ergo", "time": 0.025 }, - "vc_into_inner_Box_Perm_AtomicBool_Global": { + "vc_into_inner_Perm_AtomicBool": { "prover": "alt-ergo", - "time": 0.021 + "time": 0.068 }, - "vc_into_inner_Box_Perm_PermCell_i32_Global": { + "vc_into_inner_Perm_PermCell_i32": { "prover": "alt-ergo", - "time": 0.024 + "time": 0.042 }, "vc_into_inner_Resource_Option_Excl_unit": { "prover": "alt-ergo", "time": 0.034 }, "vc_into_inner_Tokens": { "prover": "alt-ergo", "time": 0.025 }, - "vc_into_inner_tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global": { + "vc_into_inner_tup2_SyncView_AtView_Perm_PermCell_i32": { "prover": "alt-ergo", - "time": 0.022 + "time": 0.067 }, "vc_join_unwrap_ScopedJoinHandle_unit": { "prover": "alt-ergo", @@ -85,7 +82,7 @@ { "tactic": "split_vc", "children": [ - { "prover": "alt-ergo", "time": 0.031 }, + { "prover": "alt-ergo", "time": 0.062 }, { "tactic": "split_vc", "children": [ @@ -95,7 +92,7 @@ { "prover": "alt-ergo", "time": 0.053 }, { "prover": "alt-ergo", "time": 0.049 }, { "prover": "alt-ergo", "time": 0.05 }, - { "prover": "alt-ergo", "time": 0.037 }, + { "prover": "alt-ergo", "time": 0.079 }, { "prover": "alt-ergo", "time": 0.034 } ] } 
@@ -107,18 +104,10 @@ ] }, "vc_new": { "prover": "alt-ergo", "time": 0.023 }, - "vc_new'0": { "prover": "alt-ergo", "time": 0.016 }, - "vc_new_Box_Perm_PermCell_i32_Global": { - "prover": "alt-ergo", - "time": 0.024 - }, - "vc_new_Box_Perm_PermCell_i32_Global'0": { - "prover": "alt-ergo", - "time": 0.022 - }, + "vc_new'0": { "prover": "alt-ergo", "time": 0.037 }, "vc_new_FnGhostWrapper_closure0": { "prover": "alt-ergo", - "time": 0.021 + "time": 0.043 }, "vc_new_FnGhostWrapper_closure4": { "prover": "alt-ergo", @@ -126,16 +115,18 @@ }, "vc_new_MessagePassingAtomicInv": { "prover": "alt-ergo", - "time": 0.019 + "time": 0.04 }, "vc_new_MessagePassingAtomicInv'0": { "prover": "alt-ergo", "time": 0.022 }, - "vc_new_Option_Box_Perm_PermCell_i32_Global": { + "vc_new_Option_Perm_PermCell_i32": { "prover": "alt-ergo", - "time": 0.04 + "time": 0.051 }, + "vc_new_Perm_PermCell_i32": { "prover": "alt-ergo", "time": 0.042 }, + "vc_new_Perm_PermCell_i32'0": { "prover": "alt-ergo", "time": 0.067 }, "vc_new_Resource_Option_Excl_unit": { "prover": "alt-ergo", "time": 0.034 
@@ -149,41 +140,38 @@ "vc_new_unit_Option_Excl_unit": { "prover": "alt-ergo", "time": 0.027 }, "vc_open_MessagePassingAtomicInv": { "prover": "alt-ergo", - "time": 0.026 + "time": 0.053 }, "vc_open_MessagePassingAtomicInv'0": { "prover": "alt-ergo", "time": 0.032 }, - "vc_reborrow": { "prover": "alt-ergo", "time": 0.02 }, + "vc_reborrow": { "prover": "alt-ergo", "time": 0.043 }, "vc_scope_closure0": { "prover": "alt-ergo", "time": 0.029 }, "vc_shoot_load_AtomicBool": { "prover": "alt-ergo", "time": 0.026 }, - "vc_shoot_store_AtomicBool": { "prover": "alt-ergo", "time": 0.023 }, + "vc_shoot_store_AtomicBool": { "prover": "alt-ergo", "time": 0.046 }, "vc_spawn_closure0": { "prover": "alt-ergo", "time": 0.024 }, - "vc_spawn_closure1": { "prover": "alt-ergo", "time": 0.029 }, + "vc_spawn_closure1": { "prover": "alt-ergo", "time": 0.062 }, "vc_store_FnGhostWrapper_closure0": { "prover": "alt-ergo", - "time": 0.018 + "time": 0.047 }, "vc_swap_Resource_Option_Excl_unit": { "prover": "alt-ergo", "time": 0.024 }, - "vc_sync_Box_Perm_PermCell_i32_Global": { + "vc_sync_Perm_PermCell_i32": { "prover": "alt-ergo", "time": 0.055 }, + "vc_take_AtView_Perm_PermCell_i32": { "prover": "alt-ergo", - "time": 0.021 + "time": 0.055 }, - "vc_take_AtView_Box_Perm_PermCell_i32_Global": { + "vc_unwrap_AtView_Perm_PermCell_i32": { "prover": "alt-ergo", - "time": 0.021 + "time": 0.055 }, - "vc_unwrap_AtView_Box_Perm_PermCell_i32_Global": { + "vc_unwrap_ref_Perm_PermCell_i32": { "prover": "alt-ergo", - "time": 0.021 - }, - "vc_unwrap_ref_Box_Perm_PermCell_i32_Global": { - "prover": "alt-ergo", - "time": 0.031 + "time": 0.053 }, "vc_valid_op_lemma_Option_Excl_unit": { "prover": "alt-ergo", diff --git a/examples/message_passing/rlx.coma b/examples/message_passing/rlx.coma index 6208dfcfec..8ab81b65c1 100644 --- a/examples/message_passing/rlx.coma +++ b/examples/message_passing/rlx.coma 
@@ -23,14 +23,14 @@ module M_message_passing type t_Perm_AtomicBool - type tup2_AtomicBool_Ghost_Box_Perm_AtomicBool_Global = { f0: t_AtomicBool; f1: t_Perm_AtomicBool } + type tup2_AtomicBool_Ghost_Perm_AtomicBool = { f0: t_AtomicBool; f1: t_Perm_AtomicBool } predicate inv_AtomicBool (_1: t_AtomicBool) - predicate inv_tup2_AtomicBool_Ghost_Box_Perm_AtomicBool_Global [@inline:trivial] (_1: tup2_AtomicBool_Ghost_Box_Perm_AtomicBool_Global) = + predicate inv_tup2_AtomicBool_Ghost_Perm_AtomicBool [@inline:trivial] (_1: tup2_AtomicBool_Ghost_Perm_AtomicBool) = inv_AtomicBool _1.f0 - meta "rewrite_def" predicate inv_tup2_AtomicBool_Ghost_Box_Perm_AtomicBool_Global + meta "rewrite_def" predicate inv_tup2_AtomicBool_Ghost_Perm_AtomicBool type t_FMap_Int_tup2_bool_SyncView @@ -142,10 +142,10 @@ module M_message_passing function ward_AtomicBool (self: t_Perm_AtomicBool) : t_AtomicBool - let rec new'0 (val': bool) (sync_view: MutBorrow.t t_SyncView) - (return (x: tup2_AtomicBool_Ghost_Box_Perm_AtomicBool_Global)) = any - [ return (result: tup2_AtomicBool_Ghost_Box_Perm_AtomicBool_Global) -> - {[@stop_split] [@expl:new ensures] ([@stop_split] [@expl:new result type invariant] inv_tup2_AtomicBool_Ghost_Box_Perm_AtomicBool_Global result) + let rec new'0 (val': bool) (sync_view: MutBorrow.t t_SyncView) (return (x: tup2_AtomicBool_Ghost_Perm_AtomicBool)) = + any + [ return (result: tup2_AtomicBool_Ghost_Perm_AtomicBool) -> + {[@stop_split] [@expl:new ensures] ([@stop_split] [@expl:new result type invariant] inv_tup2_AtomicBool_Ghost_Perm_AtomicBool result) /\ ([@stop_split] [@expl:new ensures #0] val_AtomicBool result.f1 = singleton_Int (get_timestamp_AtomicBool result.f0 (fin_Ghost_refmut_SyncView sync_view)) { f0'0 = val'; f1'0 = sync_view.current }) 
@@ -156,7 +156,7 @@ module M_message_passing type t_Perm_PermCell_i32 - type tup2_PermCell_i32_Ghost_Box_Perm_PermCell_i32_Global = { f0'1: t_PermCell_i32; f1'1: t_Perm_PermCell_i32 } + type tup2_PermCell_i32_Ghost_Perm_PermCell_i32 = { f0'1: t_PermCell_i32; f1'1: t_Perm_PermCell_i32 } function ward_PermCell_i32 (self: t_Perm_PermCell_i32) : t_PermCell_i32 @@ -166,16 +166,11 @@ module M_message_passing meta "rewrite_def" function view_Perm_PermCell_i32 - function view_Box_Perm_PermCell_i32_Global [@inline:trivial] (self: t_Perm_PermCell_i32) : Int32.t = - view_Perm_PermCell_i32 self - - meta "rewrite_def" function view_Box_Perm_PermCell_i32_Global - - let rec new_i32 (value: Int32.t) (return (x: tup2_PermCell_i32_Ghost_Box_Perm_PermCell_i32_Global)) = any - [ return (result: tup2_PermCell_i32_Ghost_Box_Perm_PermCell_i32_Global) -> + let rec new_i32 (value: Int32.t) (return (x: tup2_PermCell_i32_Ghost_Perm_PermCell_i32)) = any + [ return (result: tup2_PermCell_i32_Ghost_Perm_PermCell_i32) -> {[@stop_split] [@expl:new_i32 ensures] ([@stop_split] [@expl:new ensures #0] result.f0'1 = ward_PermCell_i32 result.f1'1) - /\ ([@stop_split] [@expl:new ensures #1] view_Box_Perm_PermCell_i32_Global result.f1'1 = value)} + /\ ([@stop_split] [@expl:new ensures #1] view_Perm_PermCell_i32 result.f1'1 = value)} (! return {result}) ] type t_Excl_unit = { f0'2: () } 
@@ -192,15 +187,15 @@ module M_message_passing [ return (result: t_Resource_Excl_unit) -> {[@stop_split] [@expl:alloc ensures] view_Resource_Excl_unit result = r} (! return {result}) ] - let rec into_inner_Box_Perm_AtomicBool_Global (self: t_Perm_AtomicBool) (return (x: t_Perm_AtomicBool)) = any + let rec into_inner_Perm_AtomicBool (self: t_Perm_AtomicBool) (return (x: t_Perm_AtomicBool)) = any [ return (result: t_Perm_AtomicBool) -> {[@stop_split] [@expl:into_inner ensures] result = self} (! return {result}) ] - type t_AtView_Box_Perm_PermCell_i32_Global + type t_AtView_Perm_PermCell_i32 type t_State = | NotWrittenYet - | Synchronisation t_AtView_Box_Perm_PermCell_i32_Global t_Resource_Excl_unit + | Synchronisation t_AtView_Perm_PermCell_i32 t_Resource_Excl_unit | Readable t_Resource_Excl_unit t_Resource_Excl_unit | Invalid @@ -215,14 +210,14 @@ module M_message_passing state: t_State; public_data: tup3_PermCell_i32_Id_Id } - predicate inv_AtView_Box_Perm_PermCell_i32_Global (_1: t_AtView_Box_Perm_PermCell_i32_Global) + predicate inv_AtView_Perm_PermCell_i32 (_1: t_AtView_Perm_PermCell_i32) predicate inv_State (_1: t_State) axiom inv_axiom [@rewrite]: forall x: t_State [inv_State x]. inv_State x = match x with | NotWrittenYet -> true - | Synchronisation f0'4 f1'2 -> inv_AtView_Box_Perm_PermCell_i32_Global f0'4 + | Synchronisation f0'4 f1'2 -> inv_AtView_Perm_PermCell_i32 f0'4 | Readable f0'4 f1'2 -> true | Invalid -> true end 
@@ -253,9 +248,9 @@ module M_message_passing type t_AtomicInvariant_MessagePassingAtomicInv - function val_Box_Perm_PermCell_i32_Global (self: t_AtView_Box_Perm_PermCell_i32_Global) : t_Perm_PermCell_i32 + function val_Perm_PermCell_i32 (self: t_AtView_Perm_PermCell_i32) : t_Perm_PermCell_i32 - function view_Box_Perm_PermCell_i32_Global'0 (self: t_AtView_Box_Perm_PermCell_i32_Global) : t_SyncView + function view_Perm_PermCell_i32'0 (self: t_AtView_Perm_PermCell_i32) : t_SyncView predicate protocol_MessagePassingAtomicInv [@inline:trivial] (self: t_MessagePassingAtomicInv) = let {f0'3 = perm; f1'3 = excl_write; f2'3 = excl_read} = self.public_data in match self.state with @@ -267,9 +262,9 @@ module M_message_passing /\ (forall t: int. match get_Int (val_AtomicBool self.atomic_own) t with | Some {f0'0 = b; f1'0 = view} -> not b \/ b - /\ perm = ward_PermCell_i32 (val_Box_Perm_PermCell_i32_Global data_own) - /\ Int32.to_int (val_PermCell_i32 (val_Box_Perm_PermCell_i32_Global data_own)) = 1 - /\ le_log_SyncView (view_Box_Perm_PermCell_i32_Global'0 data_own) view + /\ perm = ward_PermCell_i32 (val_Perm_PermCell_i32 data_own) + /\ Int32.to_int (val_PermCell_i32 (val_Perm_PermCell_i32 data_own)) = 1 + /\ le_log_SyncView (view_Perm_PermCell_i32'0 data_own) view | None -> true end) | Readable tok_write tok_read -> excl_write = id_Excl_unit tok_write /\ excl_read = id_Excl_unit tok_read 
@@ -332,16 +327,11 @@ module M_message_passing let rec new_Resource_Excl_unit (x: t_Resource_Excl_unit) (return (x'0: t_Resource_Excl_unit)) = any [ return (result: t_Resource_Excl_unit) -> {[@stop_split] [@expl:new ensures] result = x} (! return {result}) ] - let rec deref_mut_Ghost_Box_Perm_PermCell_i32_Global (self: MutBorrow.t t_Perm_PermCell_i32) + let rec deref_mut_Ghost_Perm_PermCell_i32 (self: MutBorrow.t t_Perm_PermCell_i32) (return (x: MutBorrow.t t_Perm_PermCell_i32)) = any [ return (result: MutBorrow.t t_Perm_PermCell_i32) -> {[@stop_split] [@expl:deref_mut ensures] result = self} (! return {result}) ] - predicate resolve_refmut_Box_Perm_PermCell_i32_Global [@inline:trivial] (_1: MutBorrow.t t_Perm_PermCell_i32) = - _1.final = _1.current - - meta "rewrite_def" predicate resolve_refmut_Box_Perm_PermCell_i32_Global - predicate resolve_refmut_Perm_PermCell_i32 [@inline:trivial] (_1: MutBorrow.t t_Perm_PermCell_i32) = _1.final = _1.current 
@@ -373,65 +363,60 @@ module M_message_passing meta "rewrite_def" predicate resolve_refmut_i32 - let rec into_inner_Box_Perm_PermCell_i32_Global (self: t_Perm_PermCell_i32) (return (x: t_Perm_PermCell_i32)) = any + let rec into_inner_Perm_PermCell_i32 (self: t_Perm_PermCell_i32) (return (x: t_Perm_PermCell_i32)) = any [ return (result: t_Perm_PermCell_i32) -> {[@stop_split] [@expl:into_inner ensures] result = self} (! return {result}) ] - let rec new_Box_Perm_PermCell_i32_Global (x: t_Perm_PermCell_i32) (return (x'0: t_Perm_PermCell_i32)) = any + let rec new_Perm_PermCell_i32 (x: t_Perm_PermCell_i32) (return (x'0: t_Perm_PermCell_i32)) = any [ return (result: t_Perm_PermCell_i32) -> {[@stop_split] [@expl:new ensures] result = x} (! return {result}) ] - type tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global = { - f0'5: t_SyncView; - f1'5: t_AtView_Box_Perm_PermCell_i32_Global } + type tup2_SyncView_AtView_Perm_PermCell_i32 = { f0'5: t_SyncView; f1'5: t_AtView_Perm_PermCell_i32 } - predicate inv_tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global [@inline:trivial] (_1: tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global) = - inv_AtView_Box_Perm_PermCell_i32_Global _1.f1'5 + predicate inv_tup2_SyncView_AtView_Perm_PermCell_i32 [@inline:trivial] (_1: tup2_SyncView_AtView_Perm_PermCell_i32) = + inv_AtView_Perm_PermCell_i32 _1.f1'5 - meta "rewrite_def" predicate inv_tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global + meta "rewrite_def" predicate inv_tup2_SyncView_AtView_Perm_PermCell_i32 - predicate invariant_Ghost_tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global [@inline:trivial] (self: tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global) = - inv_tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global self + predicate invariant_Ghost_tup2_SyncView_AtView_Perm_PermCell_i32 [@inline:trivial] (self: tup2_SyncView_AtView_Perm_PermCell_i32) = + inv_tup2_SyncView_AtView_Perm_PermCell_i32 self - meta "rewrite_def" predicate 
invariant_Ghost_tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global + meta "rewrite_def" predicate invariant_Ghost_tup2_SyncView_AtView_Perm_PermCell_i32 - predicate inv_Ghost_tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global [@inline:trivial] (_1: tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global) = - invariant_Ghost_tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global _1 + predicate inv_Ghost_tup2_SyncView_AtView_Perm_PermCell_i32 [@inline:trivial] (_1: tup2_SyncView_AtView_Perm_PermCell_i32) = + invariant_Ghost_tup2_SyncView_AtView_Perm_PermCell_i32 _1 - meta "rewrite_def" predicate inv_Ghost_tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global + meta "rewrite_def" predicate inv_Ghost_tup2_SyncView_AtView_Perm_PermCell_i32 - let rec new_Box_Perm_PermCell_i32_Global'0 (val': t_Perm_PermCell_i32) - (return (x: tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global)) = any - [ return (result: tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global) -> - {[@stop_split] [@expl:new_Box_Perm_PermCell_i32_Global ensures] ([@stop_split] [@expl:new result type invariant] inv_Ghost_tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global result) - /\ ([@stop_split] [@expl:new ensures] result.f0'5 = view_Box_Perm_PermCell_i32_Global'0 result.f1'5 - /\ val_Box_Perm_PermCell_i32_Global result.f1'5 = val')} + let rec new_Perm_PermCell_i32'0 (val': t_Perm_PermCell_i32) (return (x: tup2_SyncView_AtView_Perm_PermCell_i32)) = any + [ return (result: tup2_SyncView_AtView_Perm_PermCell_i32) -> + {[@stop_split] [@expl:new_Perm_PermCell_i32 ensures] ([@stop_split] [@expl:new result type invariant] inv_Ghost_tup2_SyncView_AtView_Perm_PermCell_i32 result) + /\ ([@stop_split] [@expl:new ensures] result.f0'5 = view_Perm_PermCell_i32'0 result.f1'5 + /\ val_Perm_PermCell_i32 result.f1'5 = val')} (! 
return {result}) ] - type tup2_Ghost_SyncView_Ghost_AtView_Box_Perm_PermCell_i32_Global = { - f0'6: t_SyncView; - f1'6: t_AtView_Box_Perm_PermCell_i32_Global } + type tup2_Ghost_SyncView_Ghost_AtView_Perm_PermCell_i32 = { f0'6: t_SyncView; f1'6: t_AtView_Perm_PermCell_i32 } - predicate invariant_Ghost_AtView_Box_Perm_PermCell_i32_Global [@inline:trivial] (self: t_AtView_Box_Perm_PermCell_i32_Global) = - inv_AtView_Box_Perm_PermCell_i32_Global self + predicate invariant_Ghost_AtView_Perm_PermCell_i32 [@inline:trivial] (self: t_AtView_Perm_PermCell_i32) = + inv_AtView_Perm_PermCell_i32 self - meta "rewrite_def" predicate invariant_Ghost_AtView_Box_Perm_PermCell_i32_Global + meta "rewrite_def" predicate invariant_Ghost_AtView_Perm_PermCell_i32 - predicate inv_Ghost_AtView_Box_Perm_PermCell_i32_Global [@inline:trivial] (_1: t_AtView_Box_Perm_PermCell_i32_Global) = - invariant_Ghost_AtView_Box_Perm_PermCell_i32_Global _1 + predicate inv_Ghost_AtView_Perm_PermCell_i32 [@inline:trivial] (_1: t_AtView_Perm_PermCell_i32) = + invariant_Ghost_AtView_Perm_PermCell_i32 _1 - meta "rewrite_def" predicate inv_Ghost_AtView_Box_Perm_PermCell_i32_Global + meta "rewrite_def" predicate inv_Ghost_AtView_Perm_PermCell_i32 - predicate inv_tup2_Ghost_SyncView_Ghost_AtView_Box_Perm_PermCell_i32_Global [@inline:trivial] (_1: tup2_Ghost_SyncView_Ghost_AtView_Box_Perm_PermCell_i32_Global) = - inv_Ghost_AtView_Box_Perm_PermCell_i32_Global _1.f1'6 + predicate inv_tup2_Ghost_SyncView_Ghost_AtView_Perm_PermCell_i32 [@inline:trivial] (_1: tup2_Ghost_SyncView_Ghost_AtView_Perm_PermCell_i32) = + inv_Ghost_AtView_Perm_PermCell_i32 _1.f1'6 - meta "rewrite_def" predicate inv_tup2_Ghost_SyncView_Ghost_AtView_Box_Perm_PermCell_i32_Global + meta "rewrite_def" predicate inv_tup2_Ghost_SyncView_Ghost_AtView_Perm_PermCell_i32 - let rec split_SyncView (self: tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global) - (return (x: tup2_Ghost_SyncView_Ghost_AtView_Box_Perm_PermCell_i32_Global)) = - {[@stop_split] 
[@expl:split 'self' type invariant] inv_Ghost_tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global self} + let rec split_SyncView (self: tup2_SyncView_AtView_Perm_PermCell_i32) + (return (x: tup2_Ghost_SyncView_Ghost_AtView_Perm_PermCell_i32)) = + {[@stop_split] [@expl:split 'self' type invariant] inv_Ghost_tup2_SyncView_AtView_Perm_PermCell_i32 self} any - [ return (result: tup2_Ghost_SyncView_Ghost_AtView_Box_Perm_PermCell_i32_Global) -> - {[@stop_split] [@expl:split_SyncView ensures] ([@stop_split] [@expl:split result type invariant] inv_tup2_Ghost_SyncView_Ghost_AtView_Box_Perm_PermCell_i32_Global result) + [ return (result: tup2_Ghost_SyncView_Ghost_AtView_Perm_PermCell_i32) -> + {[@stop_split] [@expl:split_SyncView ensures] ([@stop_split] [@expl:split result type invariant] inv_tup2_Ghost_SyncView_Ghost_AtView_Perm_PermCell_i32 result) /\ ([@stop_split] [@expl:split ensures #0] self.f0'5 = result.f0'6) /\ ([@stop_split] [@expl:split ensures #1] self.f1'5 = result.f1'6)} (! return {result}) ] @@ -451,7 +436,7 @@ module M_message_passing c0'1: t_AtomicInvariant_MessagePassingAtomicInv; c1'1: t_Tokens; c2'1: t_Resource_Excl_unit; - c3'1: t_AtView_Box_Perm_PermCell_i32_Global; + c3'1: t_AtView_Perm_PermCell_i32; c4'1: MutBorrow.t t_SyncView; c5'1: t_ReleaseSyncView } @@ -473,9 +458,9 @@ module M_message_passing end} any) ] - let rec elim_Synchronisation (_x: t_State) - (return (f0'7: t_AtView_Box_Perm_PermCell_i32_Global) (f1'2: t_Resource_Excl_unit)) = any - [ _k (f0'7: t_AtView_Box_Perm_PermCell_i32_Global) (f1'2: t_Resource_Excl_unit) -> {Synchronisation f0'7 f1'2 = _x} + let rec elim_Synchronisation (_x: t_State) (return (f0'7: t_AtView_Perm_PermCell_i32) (f1'2: t_Resource_Excl_unit)) = + any + [ _k (f0'7: t_AtView_Perm_PermCell_i32) (f1'2: t_Resource_Excl_unit) -> {Synchronisation f0'7 f1'2 = _x} (! return {f0'7} {f1'2}) | _chk -> (! {[@expl:elim Synchronisation] match _x with | Synchronisation _ _ -> true 
@@ -485,7 +470,7 @@ module M_message_passing type closure0'2 = { c0'2: t_Resource_Excl_unit; - c1'2: t_AtView_Box_Perm_PermCell_i32_Global; + c1'2: t_AtView_Perm_PermCell_i32; c2'2: MutBorrow.t t_Committer_AtomicBool_bool_None_Relaxed; c3'2: MutBorrow.t t_SyncView; c4'2: t_ReleaseSyncView } @@ -518,23 +503,23 @@ module M_message_passing meta "rewrite_def" predicate resolve_refmut_Resource_Excl_unit - let rec into_inner_AtView_Box_Perm_PermCell_i32_Global (self: t_AtView_Box_Perm_PermCell_i32_Global) - (return (x: t_AtView_Box_Perm_PermCell_i32_Global)) = - {[@stop_split] [@expl:into_inner 'self' type invariant] inv_Ghost_AtView_Box_Perm_PermCell_i32_Global self} + let rec into_inner_AtView_Perm_PermCell_i32 (self: t_AtView_Perm_PermCell_i32) + (return (x: t_AtView_Perm_PermCell_i32)) = + {[@stop_split] [@expl:into_inner 'self' type invariant] inv_Ghost_AtView_Perm_PermCell_i32 self} any - [ return (result: t_AtView_Box_Perm_PermCell_i32_Global) -> - {[@stop_split] [@expl:into_inner_AtView_Box_Perm_PermCell_i32_Global ensures] ([@stop_split] [@expl:into_inner result type invariant] inv_AtView_Box_Perm_PermCell_i32_Global result) + [ return (result: t_AtView_Perm_PermCell_i32) -> + {[@stop_split] [@expl:into_inner_AtView_Perm_PermCell_i32 ensures] ([@stop_split] [@expl:into_inner result type invariant] inv_AtView_Perm_PermCell_i32 result) /\ ([@stop_split] [@expl:into_inner ensures] result = self)} (! return {result}) ] - predicate resolve_AtView_Box_Perm_PermCell_i32_Global (_1: t_AtView_Box_Perm_PermCell_i32_Global) + predicate resolve_AtView_Perm_PermCell_i32 (_1: t_AtView_Perm_PermCell_i32) predicate resolve_State (_1: t_State) axiom resolve_axiom [@rewrite]: forall x: t_State [resolve_State x]. resolve_State x = match x with | NotWrittenYet -> true - | Synchronisation x0 x1 -> resolve_AtView_Box_Perm_PermCell_i32_Global x0 + | Synchronisation x0 x1 -> resolve_AtView_Perm_PermCell_i32 x0 | Readable x0 x1 -> true | Invalid -> true end 
@@ -595,10 +580,9 @@ module M_message_passing meta "rewrite_def" predicate resolve_refmut_SyncView - predicate resolve_refmut_Box_Perm_AtomicBool_Global [@inline:trivial] (_1: MutBorrow.t t_Perm_AtomicBool) = - _1.final = _1.current + predicate resolve_refmut_Perm_AtomicBool [@inline:trivial] (_1: MutBorrow.t t_Perm_AtomicBool) = _1.final = _1.current - meta "rewrite_def" predicate resolve_refmut_Box_Perm_AtomicBool_Global + meta "rewrite_def" predicate resolve_refmut_Perm_AtomicBool predicate invariant_refmut_MessagePassingAtomicInv [@inline:trivial] (self: MutBorrow.t t_MessagePassingAtomicInv) = inv_MessagePassingAtomicInv self.current /\ inv_MessagePassingAtomicInv self.final @@ -621,7 +605,7 @@ module M_message_passing meta "rewrite_def" predicate resolve_refmut_Committer_AtomicBool_bool_None_Relaxed predicate inv_closure0 [@inline:trivial] (_1: closure0'2) = - let {c0'2 = x0; c1'2 = x1; c2'2 = x2; c3'2 = x3; c4'2 = x4} = _1 in inv_Ghost_AtView_Box_Perm_PermCell_i32_Global x1 + let {c0'2 = x0; c1'2 = x1; c2'2 = x2; c3'2 = x3; c4'2 = x4} = _1 in inv_Ghost_AtView_Perm_PermCell_i32 x1 meta "rewrite_def" predicate inv_closure0 @@ -633,8 +617,7 @@ module M_message_passing [ s0 = [ &_4 <- inv.current.state ] s1 | s1 = any [ br0 -> {_4 = NotWrittenYet} (! bb9) - | br1 (x0: t_AtView_Box_Perm_PermCell_i32_Global) (x1: t_Resource_Excl_unit) -> {_4 = Synchronisation x0 x1} - (! bb4) + | br1 (x0: t_AtView_Perm_PermCell_i32) (x1: t_Resource_Excl_unit) -> {_4 = Synchronisation x0 x1} (! bb4) | br2 (x0: t_Resource_Excl_unit) (x1: t_Resource_Excl_unit) -> {_4 = Readable x0 x1} (! bb3) | br3 -> {_4 = Invalid} (! bb9) ] ] | bb3 = s0 
@@ -642,7 +625,7 @@ module M_message_passing | s1 = bb5 ] | bb4 = s0 [ s0 = elim_Synchronisation {_4} - (fun (r0: t_AtView_Box_Perm_PermCell_i32_Global) (r1: t_Resource_Excl_unit) -> [ &excl_state <- r1 ] s1) + (fun (r0: t_AtView_Perm_PermCell_i32) (r1: t_Resource_Excl_unit) -> [ &excl_state <- r1 ] s1) | s1 = bb5 ] | bb5 = s0 [ s0 = MutBorrow.borrow_mut {self.c0'2} @@ -656,8 +639,7 @@ module M_message_passing | s4 = -{resolve_refmut_Resource_Excl_unit _9}- s5 | s5 = bb9 ] | bb9 = s0 - [ s0 = into_inner_AtView_Box_Perm_PermCell_i32_Global {self.c1'2} - (fun (_x: t_AtView_Box_Perm_PermCell_i32_Global) -> [ &_13 <- _x ] s1) + [ s0 = into_inner_AtView_Perm_PermCell_i32 {self.c1'2} (fun (_x: t_AtView_Perm_PermCell_i32) -> [ &_13 <- _x ] s1) | s1 = into_inner_Resource_Excl_unit {self.c0'2} (fun (_x: t_Resource_Excl_unit) -> [ &_15 <- _x ] s2) | s2 = [ &_12 <- Synchronisation _13 _15 ] s3 | s3 = s4 [ _ck -> (! {[@expl:type invariant] inv_State inv.current.state} any) ] @@ -686,7 +668,7 @@ module M_message_passing | s14 = shoot_store_AtomicBool {_18} {_19} {_21} {_25} (fun (_x: ()) -> [ &_17 <- _x ] s15) | s15 = -{resolve_refmut_Ghost_SyncView _24}- s16 | s16 = -{resolve_refmut_SyncView _22}- s17 - | s17 = -{resolve_refmut_Box_Perm_AtomicBool_Global _20}- s18 + | s17 = -{resolve_refmut_Perm_AtomicBool _20}- s18 | s18 = s19 [ _ck -> (! {[@expl:type invariant] inv_refmut_MessagePassingAtomicInv inv} any) ] | s19 = -{resolve_refmut_MessagePassingAtomicInv inv}- s20 | s20 = -{match self with @@ -710,7 +692,7 @@ module M_message_passing | & _9: MutBorrow.t t_Resource_Excl_unit = Any.any_l () | & _10: MutBorrow.t t_Resource_Excl_unit = Any.any_l () | & _12: t_State = Any.any_l () - | & _13: t_AtView_Box_Perm_PermCell_i32_Global = Any.any_l () + | & _13: t_AtView_Perm_PermCell_i32 = Any.any_l () | & _15: t_Resource_Excl_unit = Any.any_l () | & _17: () = Any.any_l () | & _18: MutBorrow.t t_Committer_AtomicBool_bool_None_Relaxed = Any.any_l () 
@@ -790,7 +772,7 @@ module M_message_passing (! return {result}) ] predicate inv_closure0'0 [@inline:trivial] (_1: closure0'1) = - let {c0'1 = x0; c1'1 = x1; c2'1 = x2; c3'1 = x3; c4'1 = x4; c5'1 = x5} = _1 in inv_Ghost_AtView_Box_Perm_PermCell_i32_Global x3 + let {c0'1 = x0; c1'1 = x1; c2'1 = x2; c3'1 = x3; c4'1 = x4; c5'1 = x5} = _1 in inv_Ghost_AtView_Perm_PermCell_i32 x3 meta "rewrite_def" predicate inv_closure0'0 @@ -931,15 +913,14 @@ module M_message_passing | s3 = MutBorrow.borrow_mut {self.c2'0} (fun (_bor: MutBorrow.t t_Perm_PermCell_i32) -> [ &_15 <- _bor ] [ &self <- { self with c2'0 = _bor.final } ] s4) - | s4 = deref_mut_Ghost_Box_Perm_PermCell_i32_Global {_15} - (fun (_x: MutBorrow.t t_Perm_PermCell_i32) -> [ &_14 <- _x ] s5) + | s4 = deref_mut_Ghost_Perm_PermCell_i32 {_15} (fun (_x: MutBorrow.t t_Perm_PermCell_i32) -> [ &_14 <- _x ] s5) | s5 = MutBorrow.borrow_final {_14.current} {MutBorrow.get_id _14} (fun (_bor: MutBorrow.t t_Perm_PermCell_i32) -> [ &_13 <- _bor ] [ &_14 <- { _14 with current = _bor.final } ] s6) | s6 = MutBorrow.borrow_final {_13.current} {MutBorrow.get_id _13} (fun (_bor: MutBorrow.t t_Perm_PermCell_i32) -> [ &_12 <- _bor ] [ &_13 <- { _13 with current = _bor.final } ] s7) - | s7 = -{resolve_refmut_Box_Perm_PermCell_i32_Global _14}- s8 + | s7 = -{resolve_refmut_Perm_PermCell_i32 _14}- s8 | s8 = -{resolve_refmut_Perm_PermCell_i32 _13}- s9 | s9 = MutBorrow.borrow_final {_12.current} {MutBorrow.get_id _12} (fun (_bor: MutBorrow.t t_Perm_PermCell_i32) -> 
@@ -953,12 +934,10 @@ module M_message_passing | s14 = borrow_mut_i32 {_8} {_9} (fun (_x: MutBorrow.t Int32.t) -> [ &_7 <- _x ] s15) | s15 = [ &_7 <- { _7 with current = (1: Int32.t) } ] s16 | s16 = -{resolve_refmut_i32 _7}- s17 - | s17 = into_inner_Box_Perm_PermCell_i32_Global {self.c2'0} (fun (_x: t_Perm_PermCell_i32) -> [ &_21 <- _x ] s18) - | s18 = new_Box_Perm_PermCell_i32_Global {_21} (fun (_x: t_Perm_PermCell_i32) -> [ &_20 <- _x ] s19) - | s19 = new_Box_Perm_PermCell_i32_Global'0 {_20} - (fun (_x: tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global) -> [ &_19 <- _x ] s20) - | s20 = split_SyncView {_19} - (fun (_x: tup2_Ghost_SyncView_Ghost_AtView_Box_Perm_PermCell_i32_Global) -> [ &_18 <- _x ] s21) + | s17 = into_inner_Perm_PermCell_i32 {self.c2'0} (fun (_x: t_Perm_PermCell_i32) -> [ &_21 <- _x ] s18) + | s18 = new_Perm_PermCell_i32 {_21} (fun (_x: t_Perm_PermCell_i32) -> [ &_20 <- _x ] s19) + | s19 = new_Perm_PermCell_i32'0 {_20} (fun (_x: tup2_SyncView_AtView_Perm_PermCell_i32) -> [ &_19 <- _x ] s20) + | s20 = split_SyncView {_19} (fun (_x: tup2_Ghost_SyncView_Ghost_AtView_Perm_PermCell_i32) -> [ &_18 <- _x ] s21) | s21 = [ &sync_view <- _18.f0'6 ] s22 | s22 = [ &at_view <- _18.f1'6 ] s23 | s23 = fence_release {sync_view} (fun (_x: t_ReleaseSyncView) -> [ &rel_view <- _x ] s24) 
@@ -985,9 +964,9 @@ module M_message_passing | & _14: MutBorrow.t t_Perm_PermCell_i32 = Any.any_l () | & _15: MutBorrow.t t_Perm_PermCell_i32 = Any.any_l () | & sync_view: t_SyncView = Any.any_l () - | & at_view: t_AtView_Box_Perm_PermCell_i32_Global = Any.any_l () - | & _18: tup2_Ghost_SyncView_Ghost_AtView_Box_Perm_PermCell_i32_Global = Any.any_l () - | & _19: tup2_SyncView_AtView_Box_Perm_PermCell_i32_Global = Any.any_l () + | & at_view: t_AtView_Perm_PermCell_i32 = Any.any_l () + | & _18: tup2_Ghost_SyncView_Ghost_AtView_Perm_PermCell_i32 = Any.any_l () + | & _19: tup2_SyncView_AtView_Perm_PermCell_i32 = Any.any_l () | & _20: t_Perm_PermCell_i32 = Any.any_l () | & _21: t_Perm_PermCell_i32 = Any.any_l () | & rel_view: t_ReleaseSyncView = Any.any_l () 
@@ -1062,33 +1041,33 @@ module M_message_passing let rec new_Option_AcquireSyncView (x: t_Option_AcquireSyncView) (return (x'0: t_Option_AcquireSyncView)) = any [ return (result: t_Option_AcquireSyncView) -> {[@stop_split] [@expl:new ensures] result = x} (! return {result}) ] - type t_Option_AtView_Box_Perm_PermCell_i32_Global = None'3 | Some'3 t_AtView_Box_Perm_PermCell_i32_Global + type t_Option_AtView_Perm_PermCell_i32 = None'3 | Some'3 t_AtView_Perm_PermCell_i32 - predicate inv_Option_AtView_Box_Perm_PermCell_i32_Global (_1: t_Option_AtView_Box_Perm_PermCell_i32_Global) + predicate inv_Option_AtView_Perm_PermCell_i32 (_1: t_Option_AtView_Perm_PermCell_i32) axiom inv_axiom'3 [@rewrite]: - forall x: t_Option_AtView_Box_Perm_PermCell_i32_Global [inv_Option_AtView_Box_Perm_PermCell_i32_Global x]. inv_Option_AtView_Box_Perm_PermCell_i32_Global x + forall x: t_Option_AtView_Perm_PermCell_i32 [inv_Option_AtView_Perm_PermCell_i32 x]. inv_Option_AtView_Perm_PermCell_i32 x = match x with | None'3 -> true - | Some'3 f0'9 -> inv_AtView_Box_Perm_PermCell_i32_Global f0'9 + | Some'3 f0'9 -> inv_AtView_Perm_PermCell_i32 f0'9 end - predicate invariant_Ghost_Option_AtView_Box_Perm_PermCell_i32_Global [@inline:trivial] (self: t_Option_AtView_Box_Perm_PermCell_i32_Global) = - inv_Option_AtView_Box_Perm_PermCell_i32_Global self + predicate invariant_Ghost_Option_AtView_Perm_PermCell_i32 [@inline:trivial] (self: t_Option_AtView_Perm_PermCell_i32) = + inv_Option_AtView_Perm_PermCell_i32 self - meta "rewrite_def" predicate invariant_Ghost_Option_AtView_Box_Perm_PermCell_i32_Global + meta "rewrite_def" predicate invariant_Ghost_Option_AtView_Perm_PermCell_i32 - predicate inv_Ghost_Option_AtView_Box_Perm_PermCell_i32_Global [@inline:trivial] (_1: t_Option_AtView_Box_Perm_PermCell_i32_Global) = - invariant_Ghost_Option_AtView_Box_Perm_PermCell_i32_Global _1 + predicate inv_Ghost_Option_AtView_Perm_PermCell_i32 [@inline:trivial] (_1: t_Option_AtView_Perm_PermCell_i32) = + 
invariant_Ghost_Option_AtView_Perm_PermCell_i32 _1 - meta "rewrite_def" predicate inv_Ghost_Option_AtView_Box_Perm_PermCell_i32_Global + meta "rewrite_def" predicate inv_Ghost_Option_AtView_Perm_PermCell_i32 - let rec new_Option_AtView_Box_Perm_PermCell_i32_Global (x: t_Option_AtView_Box_Perm_PermCell_i32_Global) - (return (x'0: t_Option_AtView_Box_Perm_PermCell_i32_Global)) = - {[@stop_split] [@expl:new 'x' type invariant] inv_Option_AtView_Box_Perm_PermCell_i32_Global x} + let rec new_Option_AtView_Perm_PermCell_i32 (x: t_Option_AtView_Perm_PermCell_i32) + (return (x'0: t_Option_AtView_Perm_PermCell_i32)) = + {[@stop_split] [@expl:new 'x' type invariant] inv_Option_AtView_Perm_PermCell_i32 x} any - [ return (result: t_Option_AtView_Box_Perm_PermCell_i32_Global) -> - {[@stop_split] [@expl:new_Option_AtView_Box_Perm_PermCell_i32_Global ensures] ([@stop_split] [@expl:new result type invariant] inv_Ghost_Option_AtView_Box_Perm_PermCell_i32_Global result) + [ return (result: t_Option_AtView_Perm_PermCell_i32) -> + {[@stop_split] [@expl:new_Option_AtView_Perm_PermCell_i32 ensures] ([@stop_split] [@expl:new result type invariant] inv_Ghost_Option_AtView_Perm_PermCell_i32 result) /\ ([@stop_split] [@expl:new ensures] result = x)} (! return {result}) ] @@ -1097,7 +1076,7 @@ module M_message_passing c1'4: MutBorrow.t t_Tokens; c2'4: MutBorrow.t t_Option_Resource_Excl_unit; c3'4: MutBorrow.t t_Option_AcquireSyncView; - c4'4: MutBorrow.t t_Option_AtView_Box_Perm_PermCell_i32_Global } + c4'4: MutBorrow.t t_Option_AtView_Perm_PermCell_i32 } let rec deref_mut_Ghost_Tokens (self: MutBorrow.t t_Tokens) (return (x: MutBorrow.t t_Tokens)) = any [ return (result: MutBorrow.t t_Tokens) -> {[@stop_split] [@expl:deref_mut ensures] result = self} 
@@ -1116,7 +1095,7 @@ module M_message_passing c0'5: t_Committer_AtomicBool_bool_Relaxed_None; c1'5: MutBorrow.t t_Option_Resource_Excl_unit; c2'5: MutBorrow.t t_Option_AcquireSyncView; - c3'5: MutBorrow.t t_Option_AtView_Box_Perm_PermCell_i32_Global } + c3'5: MutBorrow.t t_Option_AtView_Perm_PermCell_i32 } let rec into_ghost_bool (self: bool) (return (x: bool)) = any [ return (result: bool) -> {[@stop_split] [@expl:into_ghost ensures] result = self} (! return {result}) ] 
@@ -1202,19 +1181,18 @@ module M_message_passing meta "rewrite_def" predicate resolve_refmut_State - predicate invariant_refmut_Ghost_Option_AtView_Box_Perm_PermCell_i32_Global [@inline:trivial] (self: MutBorrow.t t_Option_AtView_Box_Perm_PermCell_i32_Global) = - inv_Ghost_Option_AtView_Box_Perm_PermCell_i32_Global self.current - /\ inv_Ghost_Option_AtView_Box_Perm_PermCell_i32_Global self.final + predicate invariant_refmut_Ghost_Option_AtView_Perm_PermCell_i32 [@inline:trivial] (self: MutBorrow.t t_Option_AtView_Perm_PermCell_i32) = + inv_Ghost_Option_AtView_Perm_PermCell_i32 self.current /\ inv_Ghost_Option_AtView_Perm_PermCell_i32 self.final - meta "rewrite_def" predicate invariant_refmut_Ghost_Option_AtView_Box_Perm_PermCell_i32_Global + meta "rewrite_def" predicate invariant_refmut_Ghost_Option_AtView_Perm_PermCell_i32 - predicate inv_refmut_Ghost_Option_AtView_Box_Perm_PermCell_i32_Global [@inline:trivial] (_1: MutBorrow.t t_Option_AtView_Box_Perm_PermCell_i32_Global) = - invariant_refmut_Ghost_Option_AtView_Box_Perm_PermCell_i32_Global _1 + predicate inv_refmut_Ghost_Option_AtView_Perm_PermCell_i32 [@inline:trivial] (_1: MutBorrow.t t_Option_AtView_Perm_PermCell_i32) = + invariant_refmut_Ghost_Option_AtView_Perm_PermCell_i32 _1 - meta "rewrite_def" predicate inv_refmut_Ghost_Option_AtView_Box_Perm_PermCell_i32_Global + meta "rewrite_def" predicate inv_refmut_Ghost_Option_AtView_Perm_PermCell_i32 predicate inv_closure0'2 [@inline:trivial] (_1: closure0'3) = - let {c0'5 = x0; c1'5 = x1; c2'5 = x2; c3'5 = x3} = _1 in inv_refmut_Ghost_Option_AtView_Box_Perm_PermCell_i32_Global x3 + let {c0'5 = x0; c1'5 = x1; c2'5 = x2; c3'5 = x3} = _1 in inv_refmut_Ghost_Option_AtView_Perm_PermCell_i32 x3 meta "rewrite_def" predicate inv_closure0'2 
@@ -1243,29 +1221,29 @@ module M_message_passing [ return (result: t_Resource_Excl_unit) -> {[@stop_split] [@expl:unwrap ensures] Some'1 result = self_} (! return {result}) ] - predicate resolve_Option_AtView_Box_Perm_PermCell_i32_Global (_1: t_Option_AtView_Box_Perm_PermCell_i32_Global) + predicate resolve_Option_AtView_Perm_PermCell_i32 (_1: t_Option_AtView_Perm_PermCell_i32) axiom resolve_axiom'0 [@rewrite]: - forall x: t_Option_AtView_Box_Perm_PermCell_i32_Global [resolve_Option_AtView_Box_Perm_PermCell_i32_Global x]. resolve_Option_AtView_Box_Perm_PermCell_i32_Global x + forall x: t_Option_AtView_Perm_PermCell_i32 [resolve_Option_AtView_Perm_PermCell_i32 x]. resolve_Option_AtView_Perm_PermCell_i32 x = match x with | None'3 -> true - | Some'3 x0 -> resolve_AtView_Box_Perm_PermCell_i32_Global x0 + | Some'3 x0 -> resolve_AtView_Perm_PermCell_i32 x0 end - predicate resolve_Ghost_Option_AtView_Box_Perm_PermCell_i32_Global [@inline:trivial] (self: t_Option_AtView_Box_Perm_PermCell_i32_Global) = - resolve_Option_AtView_Box_Perm_PermCell_i32_Global self + predicate resolve_Ghost_Option_AtView_Perm_PermCell_i32 [@inline:trivial] (self: t_Option_AtView_Perm_PermCell_i32) = + resolve_Option_AtView_Perm_PermCell_i32 self - meta "rewrite_def" predicate resolve_Ghost_Option_AtView_Box_Perm_PermCell_i32_Global + meta "rewrite_def" predicate resolve_Ghost_Option_AtView_Perm_PermCell_i32 - predicate resolve_Ghost_Option_AtView_Box_Perm_PermCell_i32_Global'0 [@inline:trivial] (_1: t_Option_AtView_Box_Perm_PermCell_i32_Global) = - resolve_Ghost_Option_AtView_Box_Perm_PermCell_i32_Global _1 + predicate resolve_Ghost_Option_AtView_Perm_PermCell_i32'0 [@inline:trivial] (_1: t_Option_AtView_Perm_PermCell_i32) = + resolve_Ghost_Option_AtView_Perm_PermCell_i32 _1 - meta "rewrite_def" predicate resolve_Ghost_Option_AtView_Box_Perm_PermCell_i32_Global'0 + meta "rewrite_def" predicate resolve_Ghost_Option_AtView_Perm_PermCell_i32'0 - predicate 
resolve_refmut_Ghost_Option_AtView_Box_Perm_PermCell_i32_Global [@inline:trivial] (_1: MutBorrow.t t_Option_AtView_Box_Perm_PermCell_i32_Global) = + predicate resolve_refmut_Ghost_Option_AtView_Perm_PermCell_i32 [@inline:trivial] (_1: MutBorrow.t t_Option_AtView_Perm_PermCell_i32) = _1.final = _1.current - meta "rewrite_def" predicate resolve_refmut_Ghost_Option_AtView_Box_Perm_PermCell_i32_Global + meta "rewrite_def" predicate resolve_refmut_Ghost_Option_AtView_Perm_PermCell_i32 predicate resolve_refmut_Ghost_Option_AcquireSyncView [@inline:trivial] (_1: MutBorrow.t t_Option_AcquireSyncView) = _1.final = _1.current @@ -1278,7 +1256,7 @@ module M_message_passing meta "rewrite_def" predicate resolve_refmut_Ghost_Option_Resource_Excl_unit predicate resolve_closure0 [@inline:trivial] (_1: closure0'3) = - resolve_refmut_Ghost_Option_AtView_Box_Perm_PermCell_i32_Global _1.c3'5 + resolve_refmut_Ghost_Option_AtView_Perm_PermCell_i32 _1.c3'5 /\ resolve_refmut_Ghost_Option_AcquireSyncView _1.c2'5 /\ resolve_refmut_Ghost_Option_Resource_Excl_unit _1.c1'5 meta "rewrite_def" predicate resolve_closure0 @@ -1303,8 +1281,7 @@ module M_message_passing [ s0 = [ &_13 <- inv.current.state ] s1 | s1 = any [ br0 -> {_13 = NotWrittenYet} (! bb13) - | br1 (x0: t_AtView_Box_Perm_PermCell_i32_Global) (x1: t_Resource_Excl_unit) -> {_13 = Synchronisation x0 x1} - (! bb13) + | br1 (x0: t_AtView_Perm_PermCell_i32) (x1: t_Resource_Excl_unit) -> {_13 = Synchronisation x0 x1} (! bb13) | br2 (x0: t_Resource_Excl_unit) (x1: t_Resource_Excl_unit) -> {_13 = Readable x0 x1} (! bb8) | br3 -> {_13 = Invalid} (! bb13) ] ] | bb8 = s0 
@@ -1362,19 +1339,18 @@ module M_message_passing | s18 = -{resolve_State _41}- s19 | s19 = any [ br0 -> {_41 = NotWrittenYet} (! bb21) - | br1 (x0: t_AtView_Box_Perm_PermCell_i32_Global) (x1: t_Resource_Excl_unit) -> {_41 = Synchronisation x0 x1} - (! bb20) + | br1 (x0: t_AtView_Perm_PermCell_i32) (x1: t_Resource_Excl_unit) -> {_41 = Synchronisation x0 x1} (! bb20) | br2 (x0: t_Resource_Excl_unit) (x1: t_Resource_Excl_unit) -> {_41 = Readable x0 x1} (! bb21) | br3 -> {_41 = Invalid} (! bb21) ] ] | bb21 = s0 [ s0 = s1 [ _ck -> (! {[@expl:type invariant] match _41 with - | Synchronisation x _ -> inv_AtView_Box_Perm_PermCell_i32_Global x + | Synchronisation x _ -> inv_AtView_Perm_PermCell_i32 x | _ -> true end} any) ] | s1 = -{match _41 with - | Synchronisation x _ -> resolve_AtView_Box_Perm_PermCell_i32_Global x + | Synchronisation x _ -> resolve_AtView_Perm_PermCell_i32 x | _ -> true end}- s2 @@ -1385,9 +1361,9 @@ module M_message_passing | s6 = {false} any ] | bb20 = s0 [ s0 = elim_Synchronisation {_41} - (fun (r0: t_AtView_Box_Perm_PermCell_i32_Global) (r1: t_Resource_Excl_unit) -> [ &at_view <- r0 ] s1) + (fun (r0: t_AtView_Perm_PermCell_i32) (r1: t_Resource_Excl_unit) -> [ &at_view <- r0 ] s1) | s1 = elim_Synchronisation {_41} - (fun (r0: t_AtView_Box_Perm_PermCell_i32_Global) (r1: t_Resource_Excl_unit) -> [ &tok_write <- r1 ] s2) + (fun (r0: t_AtView_Perm_PermCell_i32) (r1: t_Resource_Excl_unit) -> [ &tok_write <- r1 ] s2) | s2 = MutBorrow.borrow_mut {self.current.c1'5.current} (fun (_bor: MutBorrow.t t_Option_Resource_Excl_unit) -> [ &_52 <- _bor ] 
@@ -1408,16 +1384,16 @@ module M_message_passing | s12 = s13 [ _ck -> (! {[@expl:type invariant] inv_refmut_MessagePassingAtomicInv inv} any) ] | s13 = -{resolve_refmut_MessagePassingAtomicInv inv}- s14 | s14 = [ &_54 <- Some'3 at_view ] s15 - | s15 = new_Option_AtView_Box_Perm_PermCell_i32_Global {_54} - (fun (_x: t_Option_AtView_Box_Perm_PermCell_i32_Global) -> [ &_53 <- _x ] s16) + | s15 = new_Option_AtView_Perm_PermCell_i32 {_54} + (fun (_x: t_Option_AtView_Perm_PermCell_i32) -> [ &_53 <- _x ] s16) | s16 = s17 [ _ck -> (! {[@expl:type invariant] match self with - | {current = {c3'5 = x}} -> inv_Ghost_Option_AtView_Box_Perm_PermCell_i32_Global x.current + | {current = {c3'5 = x}} -> inv_Ghost_Option_AtView_Perm_PermCell_i32 x.current | _ -> true end} any) ] | s17 = -{match self with - | {current = {c3'5 = x}} -> resolve_Ghost_Option_AtView_Box_Perm_PermCell_i32_Global'0 x.current + | {current = {c3'5 = x}} -> resolve_Ghost_Option_AtView_Perm_PermCell_i32'0 x.current | _ -> true end}- s18 @@ -1455,7 +1431,7 @@ module M_message_passing | & _33: MutBorrow.t t_SyncView = Any.any_l () | & _34: t_Option_AcquireSyncView = Any.any_l () | & _35: t_Option_AcquireSyncView = Any.any_l () - | & at_view: t_AtView_Box_Perm_PermCell_i32_Global = Any.any_l () + | & at_view: t_AtView_Perm_PermCell_i32 = Any.any_l () | & tok_write: t_Resource_Excl_unit = Any.any_l () | & _41: t_State = Any.any_l () | & _42: MutBorrow.t t_State = Any.any_l () 
@@ -1467,8 +1443,8 @@ module M_message_passing | & _50: MutBorrow.t t_Option_Resource_Excl_unit = Any.any_l () | & _51: MutBorrow.t t_Option_Resource_Excl_unit = Any.any_l () | & _52: MutBorrow.t t_Option_Resource_Excl_unit = Any.any_l () - | & _53: t_Option_AtView_Box_Perm_PermCell_i32_Global = Any.any_l () - | & _54: t_Option_AtView_Box_Perm_PermCell_i32_Global = Any.any_l () ] + | & _53: t_Option_AtView_Perm_PermCell_i32 = Any.any_l () + | & _54: t_Option_AtView_Perm_PermCell_i32 = Any.any_l () ] [ return (result: ()) -> {[@stop_split] [@expl:closure hist_inv post] hist_inv_closure0 self.current self.final} return {result} ] @@ -1567,7 +1543,7 @@ module M_message_passing meta "rewrite_def" predicate resolve_refmut_Tokens predicate inv_closure4 [@inline:trivial] (_1: closure4) = - let {c0'4 = x0; c1'4 = x1; c2'4 = x2; c3'4 = x3; c4'4 = x4} = _1 in inv_refmut_Ghost_Option_AtView_Box_Perm_PermCell_i32_Global x4 + let {c0'4 = x0; c1'4 = x1; c2'4 = x2; c3'4 = x3; c4'4 = x4} = _1 in inv_refmut_Ghost_Option_AtView_Perm_PermCell_i32 x4 meta "rewrite_def" predicate inv_closure4 @@ -1589,7 +1565,7 @@ module M_message_passing meta "rewrite_def" predicate resolve_refmut_Ghost_Tokens predicate resolve_closure4 [@inline:trivial] (_1: closure4) = - resolve_refmut_Ghost_Option_AtView_Box_Perm_PermCell_i32_Global _1.c4'4 + resolve_refmut_Ghost_Option_AtView_Perm_PermCell_i32 _1.c4'4 /\ resolve_refmut_Ghost_Option_AcquireSyncView _1.c3'4 /\ resolve_refmut_Ghost_Option_Resource_Excl_unit _1.c2'4 /\ resolve_refmut_Ghost_Tokens _1.c1'4 
@@ -1628,14 +1604,12 @@ module M_message_passing [ &_14 <- _bor ] [ &self <- { self with current = { self.current with c3'4 = { self.current.c3'4 with current = _bor.final } } } ] s7) - | s7 = MutBorrow.borrow_mut {self.current.c4'4.current} - (fun (_bor: MutBorrow.t t_Option_AtView_Box_Perm_PermCell_i32_Global) -> - [ &_15 <- _bor ] -{inv_Ghost_Option_AtView_Box_Perm_PermCell_i32_Global _bor.final}- + | s7 = MutBorrow.borrow_mut {self.current.c4'4.current} + (fun (_bor: MutBorrow.t t_Option_AtView_Perm_PermCell_i32) -> + [ &_15 <- _bor ] -{inv_Ghost_Option_AtView_Perm_PermCell_i32 _bor.final}- [ &self <- { self with current = { self.current with c4'4 = { self.current.c4'4 with current = _bor.final } } } ] s8) - [ _ck -> - (! {[@expl:type invariant] inv_Ghost_Option_AtView_Box_Perm_PermCell_i32_Global self.current.c4'4.current} - any) ] + [ _ck -> (! {[@expl:type invariant] inv_Ghost_Option_AtView_Perm_PermCell_i32 self.current.c4'4.current} any) ] | s8 = [ &_11 <- { c0'5 = c; c1'5 = _13; c2'5 = _14; c3'5 = _15 } ] s9 | s9 = __new_closure0'1 {_11} (fun (_x: t_FnGhostWrapper_closure0'1) -> [ &_10 <- _x ] s10) | s10 = open_MessagePassingAtomicInv'0 {_4} {_6} {_10} (fun (_x: ()) -> [ &_ret <- _x ] s11) @@ -1655,7 +1629,7 @@ module M_message_passing | & _11: closure0'3 = Any.any_l () | & _13: MutBorrow.t t_Option_Resource_Excl_unit = Any.any_l () | & _14: MutBorrow.t t_Option_AcquireSyncView = Any.any_l () - | & _15: MutBorrow.t t_Option_AtView_Box_Perm_PermCell_i32_Global = Any.any_l () ] + | & _15: MutBorrow.t t_Option_AtView_Perm_PermCell_i32 = Any.any_l () ] [ return (result: ()) -> {[@stop_split] [@expl:closure hist_inv post] hist_inv_closure4 self.current self.final} return {result} ] 
@@ -1781,35 +1755,34 @@ module M_message_passing = result} (! return {result}) ] - let rec into_inner_Option_AtView_Box_Perm_PermCell_i32_Global (self: t_Option_AtView_Box_Perm_PermCell_i32_Global) - (return (x: t_Option_AtView_Box_Perm_PermCell_i32_Global)) = - {[@stop_split] [@expl:into_inner 'self' type invariant] inv_Ghost_Option_AtView_Box_Perm_PermCell_i32_Global self} + let rec into_inner_Option_AtView_Perm_PermCell_i32 (self: t_Option_AtView_Perm_PermCell_i32) + (return (x: t_Option_AtView_Perm_PermCell_i32)) = + {[@stop_split] [@expl:into_inner 'self' type invariant] inv_Ghost_Option_AtView_Perm_PermCell_i32 self} any - [ return (result: t_Option_AtView_Box_Perm_PermCell_i32_Global) -> - {[@stop_split] [@expl:into_inner_Option_AtView_Box_Perm_PermCell_i32_Global ensures] ([@stop_split] [@expl:into_inner result type invariant] inv_Option_AtView_Box_Perm_PermCell_i32_Global result) + [ return (result: t_Option_AtView_Perm_PermCell_i32) -> + {[@stop_split] [@expl:into_inner_Option_AtView_Perm_PermCell_i32 ensures] ([@stop_split] [@expl:into_inner result type invariant] inv_Option_AtView_Perm_PermCell_i32 result) /\ ([@stop_split] [@expl:into_inner ensures] result = self)} (! 
return {result}) ] - let rec unwrap_AtView_Box_Perm_PermCell_i32_Global (self_: t_Option_AtView_Box_Perm_PermCell_i32_Global) - (return (x: t_AtView_Box_Perm_PermCell_i32_Global)) = - {[@stop_split] [@expl:unwrap_AtView_Box_Perm_PermCell_i32_Global requires] ([@stop_split] [@expl:unwrap 'self_' type invariant] inv_Option_AtView_Box_Perm_PermCell_i32_Global self_) + let rec unwrap_AtView_Perm_PermCell_i32 (self_: t_Option_AtView_Perm_PermCell_i32) + (return (x: t_AtView_Perm_PermCell_i32)) = + {[@stop_split] [@expl:unwrap_AtView_Perm_PermCell_i32 requires] ([@stop_split] [@expl:unwrap 'self_' type invariant] inv_Option_AtView_Perm_PermCell_i32 self_) /\ ([@stop_split] [@expl:unwrap requires] self_ <> None'3)} any - [ return (result: t_AtView_Box_Perm_PermCell_i32_Global) -> - {[@stop_split] [@expl:unwrap_AtView_Box_Perm_PermCell_i32_Global ensures] ([@stop_split] [@expl:unwrap result type invariant] inv_AtView_Box_Perm_PermCell_i32_Global result) + [ return (result: t_AtView_Perm_PermCell_i32) -> + {[@stop_split] [@expl:unwrap_AtView_Perm_PermCell_i32 ensures] ([@stop_split] [@expl:unwrap result type invariant] inv_AtView_Perm_PermCell_i32 result) /\ ([@stop_split] [@expl:unwrap ensures] Some'3 result = self_)} (! 
return {result}) ] - let rec sync_Box_Perm_PermCell_i32_Global (self: t_AtView_Box_Perm_PermCell_i32_Global) (sync_view: t_SyncView) + let rec sync_Perm_PermCell_i32 (self: t_AtView_Perm_PermCell_i32) (sync_view: t_SyncView) (return (x: t_Perm_PermCell_i32)) = - {[@stop_split] [@expl:sync_Box_Perm_PermCell_i32_Global requires] ([@stop_split] [@expl:sync 'self' type invariant] inv_AtView_Box_Perm_PermCell_i32_Global self) - /\ ([@stop_split] [@expl:sync requires] le_log_SyncView (view_Box_Perm_PermCell_i32_Global'0 self) sync_view)} + {[@stop_split] [@expl:sync_Perm_PermCell_i32 requires] ([@stop_split] [@expl:sync 'self' type invariant] inv_AtView_Perm_PermCell_i32 self) + /\ ([@stop_split] [@expl:sync requires] le_log_SyncView (view_Perm_PermCell_i32'0 self) sync_view)} any - [ return (result: t_Perm_PermCell_i32) -> {[@stop_split] [@expl:sync ensures] result - = val_Box_Perm_PermCell_i32_Global self} + [ return (result: t_Perm_PermCell_i32) -> {[@stop_split] [@expl:sync ensures] result = val_Perm_PermCell_i32 self} (! return {result}) ] - let rec deref_Ghost_Box_Perm_PermCell_i32_Global (self: t_Perm_PermCell_i32) (return (x: t_Perm_PermCell_i32)) = any + let rec deref_Ghost_Perm_PermCell_i32 (self: t_Perm_PermCell_i32) (return (x: t_Perm_PermCell_i32)) = any [ return (result: t_Perm_PermCell_i32) -> {[@stop_split] [@expl:deref ensures] result = self} (! return {result}) ] let rec new_ref_Perm_PermCell_i32 (x: t_Perm_PermCell_i32) (return (x'0: t_Perm_PermCell_i32)) = any 
@@ -1837,12 +1810,11 @@ module M_message_passing | s4 = [ &_11 <- None'2 ] s5 | s5 = new_Option_AcquireSyncView {_11} (fun (_x: t_Option_AcquireSyncView) -> [ &data_acq_view <- _x ] s6) | s6 = [ &_13 <- None'3 ] s7 - | s7 = new_Option_AtView_Box_Perm_PermCell_i32_Global {_13} - (fun (_x: t_Option_AtView_Box_Perm_PermCell_i32_Global) -> [ &data_at_view <- _x ] s8) + | s7 = new_Option_AtView_Perm_PermCell_i32 {_13} + (fun (_x: t_Option_AtView_Perm_PermCell_i32) -> [ &data_at_view <- _x ] s8) | s8 = bb6 ] | bb6 = bb6 - [ bb6 = - {[@expl:inferred invariant: type invariant] inv_Ghost_Option_AtView_Box_Perm_PermCell_i32_Global data_at_view} + [ bb6 = {[@expl:inferred invariant: type invariant] inv_Ghost_Option_AtView_Perm_PermCell_i32 data_at_view} {[@expl:loop invariant #0] excl = excl_snap} {[@expl:loop invariant #1] contains tokens (Namespace_MESSAGE_PASSING 0)} (! s0) 
@@ -1852,11 +1824,11 @@ module M_message_passing (fun (_bor: MutBorrow.t t_Option_Resource_Excl_unit) -> [ &_29 <- _bor ] [ &excl <- _bor.final ] s2) | s2 = MutBorrow.borrow_mut {data_acq_view} (fun (_bor: MutBorrow.t t_Option_AcquireSyncView) -> [ &_30 <- _bor ] [ &data_acq_view <- _bor.final ] s3) - | s3 = MutBorrow.borrow_mut {data_at_view} - (fun (_bor: MutBorrow.t t_Option_AtView_Box_Perm_PermCell_i32_Global) -> - [ &_31 <- _bor ] -{inv_Ghost_Option_AtView_Box_Perm_PermCell_i32_Global _bor.final}- + | s3 = MutBorrow.borrow_mut {data_at_view} + (fun (_bor: MutBorrow.t t_Option_AtView_Perm_PermCell_i32) -> + [ &_31 <- _bor ] -{inv_Ghost_Option_AtView_Perm_PermCell_i32 _bor.final}- [ &data_at_view <- _bor.final ] s4) - [ _ck -> (! {[@expl:type invariant] inv_Ghost_Option_AtView_Box_Perm_PermCell_i32_Global data_at_view} any) ] + [ _ck -> (! {[@expl:type invariant] inv_Ghost_Option_AtView_Perm_PermCell_i32 data_at_view} any) ] | s4 = [ &_26 <- { c0'4 = self.c2'3; c1'4 = _28; c2'4 = _29; c3'4 = _30; c4'4 = _31 } ] s5 | s5 = __new_closure4 {_26} (fun (_x: t_FnGhostWrapper_closure4) -> [ &_25 <- _x ] s6) | s6 = new_FnGhostWrapper_closure4 {_25} (fun (_x: t_FnGhostWrapper_closure4) -> [ &_24 <- _x ] s7) 
@@ -1868,14 +1840,13 @@ module M_message_passing | s1 = unwrap_AcquireSyncView {_37} (fun (_x: t_AcquireSyncView) -> [ &_35 <- _x ] s2) | s2 = new_AcquireSyncView {_35} (fun (_x: t_AcquireSyncView) -> [ &_34 <- _x ] s3) | s3 = fence_acquire {_34} (fun (_x: t_SyncView) -> [ &sync_view <- _x ] s4) - | s4 = into_inner_Option_AtView_Box_Perm_PermCell_i32_Global {data_at_view} - (fun (_x: t_Option_AtView_Box_Perm_PermCell_i32_Global) -> [ &_42 <- _x ] s5) - | s5 = unwrap_AtView_Box_Perm_PermCell_i32_Global {_42} - (fun (_x: t_AtView_Box_Perm_PermCell_i32_Global) -> [ &_41 <- _x ] s6) + | s4 = into_inner_Option_AtView_Perm_PermCell_i32 {data_at_view} + (fun (_x: t_Option_AtView_Perm_PermCell_i32) -> [ &_42 <- _x ] s5) + | s5 = unwrap_AtView_Perm_PermCell_i32 {_42} (fun (_x: t_AtView_Perm_PermCell_i32) -> [ &_41 <- _x ] s6) | s6 = deref_Ghost_SyncView {sync_view} (fun (_x: t_SyncView) -> [ &_45 <- _x ] s7) - | s7 = sync_Box_Perm_PermCell_i32_Global {_41} {_45} (fun (_x: t_Perm_PermCell_i32) -> [ &_40 <- _x ] s8) - | s8 = new_Box_Perm_PermCell_i32_Global {_40} (fun (_x: t_Perm_PermCell_i32) -> [ &data_own <- _x ] s9) - | s9 = deref_Ghost_Box_Perm_PermCell_i32_Global {data_own} (fun (_x: t_Perm_PermCell_i32) -> [ &_52 <- _x ] s10) + | s7 = sync_Perm_PermCell_i32 {_41} {_45} (fun (_x: t_Perm_PermCell_i32) -> [ &_40 <- _x ] s8) + | s8 = new_Perm_PermCell_i32 {_40} (fun (_x: t_Perm_PermCell_i32) -> [ &data_own <- _x ] s9) + | s9 = deref_Ghost_Perm_PermCell_i32 {data_own} (fun (_x: t_Perm_PermCell_i32) -> [ &_52 <- _x ] s10) | s10 = [ &_51 <- _52 ] s11 | s11 = new_ref_Perm_PermCell_i32 {_51} (fun (_x: t_Perm_PermCell_i32) -> [ &_49 <- _x ] s12) | s12 = get_i32 {self.c3'3} {_49} (fun (_x: Int32.t) -> [ &res <- _x ] s13) 
@@ -1890,8 +1861,8 @@ module M_message_passing | & excl_snap: t_Option_Resource_Excl_unit = Any.any_l () | & data_acq_view: t_Option_AcquireSyncView = Any.any_l () | & _11: t_Option_AcquireSyncView = Any.any_l () - | & data_at_view: t_Option_AtView_Box_Perm_PermCell_i32_Global = Any.any_l () - | & _13: t_Option_AtView_Box_Perm_PermCell_i32_Global = Any.any_l () + | & data_at_view: t_Option_AtView_Perm_PermCell_i32 = Any.any_l () + | & _13: t_Option_AtView_Perm_PermCell_i32 = Any.any_l () | & _22: bool = Any.any_l () | & _24: t_FnGhostWrapper_closure4 = Any.any_l () | & _25: t_FnGhostWrapper_closure4 = Any.any_l () @@ -1899,15 +1870,15 @@ module M_message_passing | & _28: MutBorrow.t t_Tokens = Any.any_l () | & _29: MutBorrow.t t_Option_Resource_Excl_unit = Any.any_l () | & _30: MutBorrow.t t_Option_AcquireSyncView = Any.any_l () - | & _31: MutBorrow.t t_Option_AtView_Box_Perm_PermCell_i32_Global = Any.any_l () + | & _31: MutBorrow.t t_Option_AtView_Perm_PermCell_i32 = Any.any_l () | & sync_view: t_SyncView = Any.any_l () | & _34: t_AcquireSyncView = Any.any_l () | & _35: t_AcquireSyncView = Any.any_l () | & _37: t_Option_AcquireSyncView = Any.any_l () | & data_own: t_Perm_PermCell_i32 = Any.any_l () | & _40: t_Perm_PermCell_i32 = Any.any_l () - | & _41: t_AtView_Box_Perm_PermCell_i32_Global = Any.any_l () - | & _42: t_Option_AtView_Box_Perm_PermCell_i32_Global = Any.any_l () + | & _41: t_AtView_Perm_PermCell_i32 = Any.any_l () + | & _42: t_Option_AtView_Perm_PermCell_i32 = Any.any_l () | & _45: t_SyncView = Any.any_l () | & res: Int32.t = Any.any_l () | & _49: t_Perm_PermCell_i32 = Any.any_l () 
@@ -2031,15 +2002,15 @@ module M_message_passing | s1 = MutBorrow.borrow_mut {_6} (fun (_bor: MutBorrow.t t_SyncView) -> [ &_5 <- _bor ] [ &_6 <- _bor.final ] s2) | s2 = borrow_mut_SyncView {_5} (fun (_x: MutBorrow.t t_SyncView) -> [ &_4 <- _x ] s3) - | s3 = new'0 {false} {_4} (fun (_x: tup2_AtomicBool_Ghost_Box_Perm_AtomicBool_Global) -> [ &_3 <- _x ] s4) + | s3 = new'0 {false} {_4} (fun (_x: tup2_AtomicBool_Ghost_Perm_AtomicBool) -> [ &_3 <- _x ] s4) | s4 = [ &atomic <- _3.f0 ] s5 | s5 = [ &atomic_own'0 <- _3.f1 ] s6 - | s6 = new_i32 {(0: Int32.t)} (fun (_x: tup2_PermCell_i32_Ghost_Box_Perm_PermCell_i32_Global) -> [ &_9 <- _x ] s7) + | s6 = new_i32 {(0: Int32.t)} (fun (_x: tup2_PermCell_i32_Ghost_Perm_PermCell_i32) -> [ &_9 <- _x ] s7) | s7 = [ &data <- _9.f0'1 ] s8 | s8 = [ &data_own <- _9.f1'1 ] s9 | s9 = alloc_Excl_unit {{ f0'2 = () }} (fun (_x: t_Resource_Excl_unit) -> [ &excl_write <- _x ] s10) | s10 = alloc_Excl_unit {{ f0'2 = () }} (fun (_x: t_Resource_Excl_unit) -> [ &excl_read <- _x ] s11) - | s11 = into_inner_Box_Perm_AtomicBool_Global {atomic_own'0} (fun (_x: t_Perm_AtomicBool) -> [ &_19 <- _x ] s12) + | s11 = into_inner_Perm_AtomicBool {atomic_own'0} (fun (_x: t_Perm_AtomicBool) -> [ &_19 <- _x ] s12) | s12 = [ &_21 <- NotWrittenYet ] s13 | s13 = [ &_18 <- { atomic_own = _19; state = _21; 
@@ -2057,13 +2028,13 @@ module M_message_passing [ & _ret: () = Any.any_l () | & atomic: t_AtomicBool = Any.any_l () | & atomic_own'0: t_Perm_AtomicBool = Any.any_l () - | & _3: tup2_AtomicBool_Ghost_Box_Perm_AtomicBool_Global = Any.any_l () + | & _3: tup2_AtomicBool_Ghost_Perm_AtomicBool = Any.any_l () | & _4: MutBorrow.t t_SyncView = Any.any_l () | & _5: MutBorrow.t t_SyncView = Any.any_l () | & _6: t_SyncView = Any.any_l () | & data: t_PermCell_i32 = Any.any_l () | & data_own: t_Perm_PermCell_i32 = Any.any_l () - | & _9: tup2_PermCell_i32_Ghost_Box_Perm_PermCell_i32_Global = Any.any_l () + | & _9: tup2_PermCell_i32_Ghost_Perm_PermCell_i32 = Any.any_l () | & excl_write: t_Resource_Excl_unit = Any.any_l () | & excl_read: t_Resource_Excl_unit = Any.any_l () | & inv: t_AtomicInvariant_MessagePassingAtomicInv = Any.any_l () diff --git a/examples/message_passing/rlx.rs b/examples/message_passing/rlx.rs index ad34d1cdab..520a2eaa0c 100644 --- a/examples/message_passing/rlx.rs +++ b/examples/message_passing/rlx.rs @@ -25,14 +25,14 @@ use creusot_std::{ declare_namespace! { MESSAGE_PASSING } struct MessagePassingAtomicInv { - atomic_own: Box>, + atomic_own: Perm, state: State, public_data: Snapshot<(PermCell, Id, Id)>, } enum State { NotWrittenYet, - Synchronisation(AtView>>>, Resource>), + Synchronisation(AtView>>, Resource>), Readable(Resource>, Resource>), Invalid, } @@ -89,7 +89,7 @@ pub fn message_passing() { let t1 = s.spawn(move |tokens: Ghost| { let mut excl = ghost!(excl_write.into_inner()); - unsafe { *data.borrow_mut(ghost!(&mut **data_own)) = 1 } + unsafe { *data.borrow_mut(ghost!(&mut *data_own)) = 1 } let (mut sync_view, at_view) = AtView::new(ghost!(data_own.into_inner())).split(); let rel_view = fence_release(sync_view); 
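Review bot: The new line `unsafe { *data.borrow_mut(ghost!(&mut *data_own)) = 1 }` in the `@@ -89,7 +89,7 @@` hunk still carries no `// SAFETY:` comment, and now that the ghost permission is passed as a plain `Perm` rather than through a `Box`, this is the natural place to state what justifies the raw write. A short comment such as `// SAFETY: this thread holds the ghost Perm for \`data\`, so no other thread can access the cell here` would let a reader without Creusot see the obligation; the exact wording should be confirmed against the permission protocol in `creusot-std`. The same applies to the read `let res = unsafe { data.get(ghost!(&*data_own)) };` in the `@@ -144,7 +144,7 @@` hunk of this file. The `s.spawn(move |tokens: Ghost| { ... })` closure that encloses the write starts inside this hunk but ends outside it.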
@@ -144,7 +144,7 @@ pub fn message_passing() { let sync_view = fence_acquire(ghost!(data_acq_view.unwrap())); let data_own = ghost!(data_at_view.into_inner().unwrap().sync(*sync_view)); - let res = unsafe { data.get(ghost!(&**data_own)) }; + let res = unsafe { data.get(ghost!(&*data_own)) }; proof_assert!(res == 1i32) }); diff --git a/examples/message_passing/rlx/proof.json b/examples/message_passing/rlx/proof.json index 6cbe4e7f41..de29328d5d 100644 --- a/examples/message_passing/rlx/proof.json +++ b/examples/message_passing/rlx/proof.json 
@@ -2,74 +2,74 @@ "profile": [], "proofs": { "M_message_passing": { - "vc___new_closure0": { "prover": "alt-ergo", "time": 0.023 }, + "vc___new_closure0": { "prover": "alt-ergo", "time": 0.047 }, "vc___new_closure0'0": { "prover": "alt-ergo", "time": 0.024 }, "vc___new_closure0'1": { "prover": "alt-ergo", "time": 0.039 }, "vc___new_closure4": { "prover": "alt-ergo", "time": 0.041 }, - "vc_alloc_Excl_unit": { "prover": "alt-ergo", "time": 0.038 }, + "vc_alloc_Excl_unit": { "prover": "alt-ergo", "time": 0.094 }, "vc_as_mut_Resource_Excl_unit": { "prover": "alt-ergo", "time": 0.052 }, "vc_borrow_AtomicInvariant_MessagePassingAtomicInv": { "prover": "alt-ergo", - "time": 0.026 + "time": 0.059 }, "vc_borrow_mut_SyncView": { "prover": "alt-ergo", "time": 0.023 }, "vc_borrow_mut_i32": { "prover": "alt-ergo", "time": 0.044 }, - "vc_closure0": { "prover": "alt-ergo", "time": 0.019 }, - "vc_closure0'0": { "prover": "alt-ergo", "time": 0.023 }, + "vc_closure0": { "prover": "alt-ergo", "time": 0.046 }, + "vc_closure0'0": { "prover": "alt-ergo", "time": 0.047 }, "vc_closure0'1": { "prover": "alt-ergo", "time": 0.024 }, "vc_closure0'2": { "prover": "alt-ergo", "time": 0.025 }, "vc_closure0'3": { "prover": "alt-ergo", "time": 0.042 }, "vc_closure1": { "prover": "alt-ergo", "time": 0.039 }, "vc_closure4": { "prover": "alt-ergo", "time": 0.034 }, - "vc_deref_Ghost_Box_Perm_PermCell_i32_Global": { - "prover": "alt-ergo", - "time": 0.044 - }, "vc_deref_Ghost_Option_AcquireSyncView": { "prover": "alt-ergo", "time": 0.037 }, + "vc_deref_Ghost_Perm_PermCell_i32": { + "prover": "alt-ergo", + "time": 0.067 + }, "vc_deref_Ghost_SyncView": { "prover": "alt-ergo", "time": 0.025 }, - "vc_deref_Ghost_bool": { "prover": "alt-ergo", "time": 0.019 }, + "vc_deref_Ghost_bool": { "prover": "alt-ergo", "time": 0.039 }, "vc_deref_Ghost_ref_AtomicInvariant_MessagePassingAtomicInv": { "prover": "alt-ergo", "time": 0.043 }, - "vc_deref_mut_Ghost_Box_Perm_PermCell_i32_Global": { - "prover": "alt-ergo", - 
"time": 0.046 - }, "vc_deref_mut_Ghost_Option_Resource_Excl_unit": { "prover": "alt-ergo", "time": 0.045 }, + "vc_deref_mut_Ghost_Perm_PermCell_i32": { + "prover": "alt-ergo", + "time": 0.042 + }, "vc_deref_mut_Ghost_Resource_Excl_unit": { "prover": "alt-ergo", - "time": 0.021 + "time": 0.042 }, "vc_deref_mut_Ghost_SyncView": { "prover": "alt-ergo", "time": 0.025 }, "vc_deref_mut_Ghost_Tokens": { "prover": "alt-ergo", "time": 0.024 }, - "vc_elim_Readable": { "prover": "alt-ergo", "time": 0.027 }, - "vc_elim_Synchronisation": { "prover": "alt-ergo", "time": 0.027 }, + "vc_elim_Readable": { "prover": "alt-ergo", "time": 0.065 }, + "vc_elim_Synchronisation": { "prover": "alt-ergo", "time": 0.065 }, "vc_fence_acquire": { "prover": "alt-ergo", "time": 0.037 }, - "vc_fence_release": { "prover": "alt-ergo", "time": 0.03 }, + "vc_fence_release": { "prover": "alt-ergo", "time": 0.091 }, "vc_get_i32": { "prover": "alt-ergo", "time": 0.044 }, - "vc_into_ghost_bool": { "prover": "alt-ergo", "time": 0.019 }, - "vc_into_inner_AtView_Box_Perm_PermCell_i32_Global": { + "vc_into_ghost_bool": { "prover": "alt-ergo", "time": 0.039 }, + "vc_into_inner_AtView_Perm_PermCell_i32": { "prover": "alt-ergo", - "time": 0.024 + "time": 0.056 }, - "vc_into_inner_Box_Perm_AtomicBool_Global": { + "vc_into_inner_Option_AtView_Perm_PermCell_i32": { "prover": "alt-ergo", - "time": 0.038 + "time": 0.067 }, - "vc_into_inner_Box_Perm_PermCell_i32_Global": { + "vc_into_inner_Perm_AtomicBool": { "prover": "alt-ergo", - "time": 0.042 + "time": 0.094 }, - "vc_into_inner_Option_AtView_Box_Perm_PermCell_i32_Global": { + "vc_into_inner_Perm_PermCell_i32": { "prover": "alt-ergo", - "time": 0.037 + "time": 0.07 }, "vc_into_inner_ReleaseSyncView": { "prover": "alt-ergo", 
@@ -126,7 +126,7 @@ "children": [ { "prover": "alt-ergo", "time": 0.139 }, { "prover": "z3", "time": 0.069 }, - { "prover": "z3", "time": 1.5 }, + { "prover": "z3", "time": 3.1 }, { "prover": "alt-ergo", "time": 0.086 }, { "prover": "z3", "time": 0.084 }, { "prover": "alt-ergo", "time": 0.111 } @@ -163,7 +163,7 @@ } ] }, - { "prover": "alt-ergo", "time": 0.035 } + { "prover": "alt-ergo", "time": 0.07 } ] } ] @@ -171,14 +171,6 @@ "vc_new": { "prover": "alt-ergo", "time": 0.023 }, "vc_new'0": { "prover": "alt-ergo", "time": 0.052 }, "vc_new_AcquireSyncView": { "prover": "alt-ergo", "time": 0.034 }, - "vc_new_Box_Perm_PermCell_i32_Global": { - "prover": "alt-ergo", - "time": 0.048 - }, - "vc_new_Box_Perm_PermCell_i32_Global'0": { - "prover": "alt-ergo", - "time": 0.024 - }, "vc_new_FnGhostWrapper_closure0": { "prover": "alt-ergo", "time": 0.022 @@ -189,7 +181,7 @@ }, "vc_new_MessagePassingAtomicInv": { "prover": "alt-ergo", - "time": 0.037 + "time": 0.078 }, "vc_new_MessagePassingAtomicInv'0": { "prover": "alt-ergo", @@ -199,14 +191,16 @@ "prover": "alt-ergo", "time": 0.025 }, - "vc_new_Option_AtView_Box_Perm_PermCell_i32_Global": { + "vc_new_Option_AtView_Perm_PermCell_i32": { "prover": "alt-ergo", - "time": 0.022 + "time": 0.039 }, "vc_new_Option_Resource_Excl_unit": { "prover": "alt-ergo", "time": 0.026 }, + "vc_new_Perm_PermCell_i32": { "prover": "alt-ergo", "time": 0.07 }, + "vc_new_Perm_PermCell_i32'0": { "prover": "alt-ergo", "time": 0.069 }, "vc_new_Resource_Excl_unit": { "prover": "alt-ergo", "time": 0.037 }, "vc_new_i32": { "prover": "alt-ergo", "time": 0.039 }, "vc_new_ref_Perm_PermCell_i32": { "prover": "alt-ergo", "time": 0.057 }, 
@@ -223,33 +217,30 @@ "time": 0.051 }, "vc_reborrow": { "prover": "alt-ergo", "time": 0.024 }, - "vc_replace_State": { "prover": "alt-ergo", "time": 0.022 }, + "vc_replace_State": { "prover": "alt-ergo", "time": 0.047 }, "vc_scope_closure0": { "prover": "alt-ergo", "time": 0.038 }, "vc_shoot_load_AtomicBool": { "prover": "alt-ergo", "time": 0.029 }, "vc_shoot_store_AtomicBool": { "prover": "alt-ergo", "time": 0.049 }, "vc_spawn_closure0": { "prover": "alt-ergo", "time": 0.022 }, "vc_spawn_closure1": { "prover": "alt-ergo", "time": 0.043 }, - "vc_split_SyncView": { "prover": "alt-ergo", "time": 0.024 }, + "vc_split_SyncView": { "prover": "alt-ergo", "time": 0.08 }, "vc_store_FnGhostWrapper_closure0": { "prover": "alt-ergo", - "time": 0.021 - }, - "vc_sync_Box_Perm_PermCell_i32_Global": { - "prover": "alt-ergo", - "time": 0.07 + "time": 0.045 }, - "vc_take_Resource_Excl_unit": { "prover": "alt-ergo", "time": 0.023 }, + "vc_sync_Perm_PermCell_i32": { "prover": "alt-ergo", "time": 0.067 }, + "vc_take_Resource_Excl_unit": { "prover": "alt-ergo", "time": 0.049 }, "vc_unwrap_AcquireSyncView": { "prover": "alt-ergo", "time": 0.036 }, - "vc_unwrap_AtView_Box_Perm_PermCell_i32_Global": { + "vc_unwrap_AtView_Perm_PermCell_i32": { "prover": "alt-ergo", - "time": 0.042 + "time": 0.067 }, - "vc_unwrap_Resource_Excl_unit": { "prover": "alt-ergo", "time": 0.023 }, + "vc_unwrap_Resource_Excl_unit": { "prover": "alt-ergo", "time": 0.049 }, "vc_unwrap_refmut_Resource_Excl_unit": { "prover": "alt-ergo", "time": 0.025 }, - "vc_valid_op_lemma_Excl_unit": { "prover": "alt-ergo", "time": 0.022 } + "vc_valid_op_lemma_Excl_unit": { "prover": "alt-ergo", "time": 0.071 } } } } diff --git a/examples/message_passing/sc.coma b/examples/message_passing/sc.coma index 730b47bd0b..0984f30e0a 100644 --- a/examples/message_passing/sc.coma +++ b/examples/message_passing/sc.coma 
@@ -12,22 +12,22 @@ module M_message_passing type t_Perm_AtomicBool - type tup2_AtomicBool_Ghost_Box_Perm_AtomicBool_Global = { f0: t_AtomicBool; f1: t_Perm_AtomicBool } + type tup2_AtomicBool_Ghost_Perm_AtomicBool = { f0: t_AtomicBool; f1: t_Perm_AtomicBool } predicate inv_AtomicBool (_1: t_AtomicBool) - predicate inv_tup2_AtomicBool_Ghost_Box_Perm_AtomicBool_Global [@inline:trivial] (_1: tup2_AtomicBool_Ghost_Box_Perm_AtomicBool_Global) = + predicate inv_tup2_AtomicBool_Ghost_Perm_AtomicBool [@inline:trivial] (_1: tup2_AtomicBool_Ghost_Perm_AtomicBool) = inv_AtomicBool _1.f0 - meta "rewrite_def" predicate inv_tup2_AtomicBool_Ghost_Box_Perm_AtomicBool_Global + meta "rewrite_def" predicate inv_tup2_AtomicBool_Ghost_Perm_AtomicBool function val_AtomicBool (self: t_Perm_AtomicBool) : bool function ward_AtomicBool (self: t_Perm_AtomicBool) : t_AtomicBool - let rec new (val': bool) (return (x: tup2_AtomicBool_Ghost_Box_Perm_AtomicBool_Global)) = any - [ return (result: tup2_AtomicBool_Ghost_Box_Perm_AtomicBool_Global) -> - {[@stop_split] [@expl:new ensures] ([@stop_split] [@expl:new result type invariant] inv_tup2_AtomicBool_Ghost_Box_Perm_AtomicBool_Global result) + let rec new (val': bool) (return (x: tup2_AtomicBool_Ghost_Perm_AtomicBool)) = any + [ return (result: tup2_AtomicBool_Ghost_Perm_AtomicBool) -> + {[@stop_split] [@expl:new ensures] ([@stop_split] [@expl:new result type invariant] inv_tup2_AtomicBool_Ghost_Perm_AtomicBool result) /\ ([@stop_split] [@expl:new ensures #0] val_AtomicBool result.f1 = val') /\ ([@stop_split] [@expl:new ensures #1] ward_AtomicBool result.f1 = result.f0)} (! return {result}) ] @@ -36,7 +36,7 @@ module M_message_passing type t_Perm_PermCell_i32 - type tup2_PermCell_i32_Ghost_Box_Perm_PermCell_i32_Global = { f0'0: t_PermCell_i32; f1'0: t_Perm_PermCell_i32 } + type tup2_PermCell_i32_Ghost_Perm_PermCell_i32 = { f0'0: t_PermCell_i32; f1'0: t_Perm_PermCell_i32 } function ward_PermCell_i32 (self: t_Perm_PermCell_i32) : t_PermCell_i32 
@@ -46,16 +46,11 @@ module M_message_passing meta "rewrite_def" function view_Perm_PermCell_i32 - function view_Box_Perm_PermCell_i32_Global [@inline:trivial] (self: t_Perm_PermCell_i32) : Int32.t = - view_Perm_PermCell_i32 self - - meta "rewrite_def" function view_Box_Perm_PermCell_i32_Global - - let rec new_i32 (value: Int32.t) (return (x: tup2_PermCell_i32_Ghost_Box_Perm_PermCell_i32_Global)) = any - [ return (result: tup2_PermCell_i32_Ghost_Box_Perm_PermCell_i32_Global) -> + let rec new_i32 (value: Int32.t) (return (x: tup2_PermCell_i32_Ghost_Perm_PermCell_i32)) = any + [ return (result: tup2_PermCell_i32_Ghost_Perm_PermCell_i32) -> {[@stop_split] [@expl:new_i32 ensures] ([@stop_split] [@expl:new ensures #0] result.f0'0 = ward_PermCell_i32 result.f1'0) - /\ ([@stop_split] [@expl:new ensures #1] view_Box_Perm_PermCell_i32_Global result.f1'0 = value)} + /\ ([@stop_split] [@expl:new ensures #1] view_Perm_PermCell_i32 result.f1'0 = value)} (! return {result}) ] type t_Excl_unit = { f0'1: () } @@ -72,7 +67,7 @@ module M_message_passing [ return (result: t_Resource_Excl_unit) -> {[@stop_split] [@expl:alloc ensures] view_Resource_Excl_unit result = r} (! return {result}) ] - let rec into_inner_Box_Perm_AtomicBool_Global (self: t_Perm_AtomicBool) (return (x: t_Perm_AtomicBool)) = any + let rec into_inner_Perm_AtomicBool (self: t_Perm_AtomicBool) (return (x: t_Perm_AtomicBool)) = any [ return (result: t_Perm_AtomicBool) -> {[@stop_split] [@expl:into_inner ensures] result = self} (! return {result}) ] 
@@ -143,16 +138,11 @@ module M_message_passing c2'0: t_AtomicBool; c3'0: t_AtomicInvariantSC_MessagePassingAtomicInv } - let rec deref_mut_Ghost_Box_Perm_PermCell_i32_Global (self: MutBorrow.t t_Perm_PermCell_i32) + let rec deref_mut_Ghost_Perm_PermCell_i32 (self: MutBorrow.t t_Perm_PermCell_i32) (return (x: MutBorrow.t t_Perm_PermCell_i32)) = any [ return (result: MutBorrow.t t_Perm_PermCell_i32) -> {[@stop_split] [@expl:deref_mut ensures] result = self} (! return {result}) ] - predicate resolve_refmut_Box_Perm_PermCell_i32_Global [@inline:trivial] (_1: MutBorrow.t t_Perm_PermCell_i32) = - _1.final = _1.current - - meta "rewrite_def" predicate resolve_refmut_Box_Perm_PermCell_i32_Global - predicate resolve_refmut_Perm_PermCell_i32 [@inline:trivial] (_1: MutBorrow.t t_Perm_PermCell_i32) = _1.final = _1.current @@ -201,7 +191,7 @@ module M_message_passing type closure0'2 = { c0'2: t_Perm_PermCell_i32; c1'2: MutBorrow.t t_Committer_AtomicBool_bool_None_SeqCst } - let rec into_inner_Box_Perm_PermCell_i32_Global (self: t_Perm_PermCell_i32) (return (x: t_Perm_PermCell_i32)) = any + let rec into_inner_Perm_PermCell_i32 (self: t_Perm_PermCell_i32) (return (x: t_Perm_PermCell_i32)) = any [ return (result: t_Perm_PermCell_i32) -> {[@stop_split] [@expl:into_inner ensures] result = self} (! return {result}) ] 
@@ -234,10 +224,9 @@ module M_message_passing /\ ([@stop_split] [@expl:shoot_store ensures #3] val_AtomicBool own.final = val_store_AtomicBool self.current)} (! return {result}) ] - predicate resolve_refmut_Box_Perm_AtomicBool_Global [@inline:trivial] (_1: MutBorrow.t t_Perm_AtomicBool) = - _1.final = _1.current + predicate resolve_refmut_Perm_AtomicBool [@inline:trivial] (_1: MutBorrow.t t_Perm_AtomicBool) = _1.final = _1.current - meta "rewrite_def" predicate resolve_refmut_Box_Perm_AtomicBool_Global + meta "rewrite_def" predicate resolve_refmut_Perm_AtomicBool predicate resolve_refmut_MessagePassingAtomicInv [@inline:trivial] (_1: MutBorrow.t t_MessagePassingAtomicInv) = _1.final = _1.current @@ -252,7 +241,7 @@ module M_message_passing let rec closure0 [@coma:extspec] (self: closure0'2) (inv: MutBorrow.t t_MessagePassingAtomicInv) (return (x: ())) = bb0 [ bb0 = s0 - [ s0 = into_inner_Box_Perm_PermCell_i32_Global {self.c0'2} (fun (_x: t_Perm_PermCell_i32) -> [ &_4 <- _x ] s1) + [ s0 = into_inner_Perm_PermCell_i32 {self.c0'2} (fun (_x: t_Perm_PermCell_i32) -> [ &_4 <- _x ] s1) | s1 = [ &_3 <- Synchronisation _4 ] s2 | s2 = [ &inv <- { inv with current = { inv.current with state = _3 } } ] s3 | s3 = MutBorrow.borrow_final {inv.current.atomic_own} @@ -266,7 +255,7 @@ module M_message_passing | s5 = MutBorrow.borrow_final {_9.current} {MutBorrow.get_id _9} (fun (_bor: MutBorrow.t t_Perm_AtomicBool) -> [ &_8 <- _bor ] [ &_9 <- { _9 with current = _bor.final } ] s6) | s6 = shoot_store_AtomicBool {_7} {_8} (fun (_x: ()) -> [ &_6 <- _x ] s7) - | s7 = -{resolve_refmut_Box_Perm_AtomicBool_Global _9}- s8 + | s7 = -{resolve_refmut_Perm_AtomicBool _9}- s8 | s8 = -{resolve_refmut_MessagePassingAtomicInv inv}- s9 | s9 = -{match self with | {c1'2 = x} -> resolve_refmut_Committer_AtomicBool_bool_None_SeqCst x 
@@ -438,15 +427,14 @@ module M_message_passing | s1 = MutBorrow.borrow_mut {self.c1'0} (fun (_bor: MutBorrow.t t_Perm_PermCell_i32) -> [ &_12 <- _bor ] [ &self <- { self with c1'0 = _bor.final } ] s2) - | s2 = deref_mut_Ghost_Box_Perm_PermCell_i32_Global {_12} - (fun (_x: MutBorrow.t t_Perm_PermCell_i32) -> [ &_11 <- _x ] s3) + | s2 = deref_mut_Ghost_Perm_PermCell_i32 {_12} (fun (_x: MutBorrow.t t_Perm_PermCell_i32) -> [ &_11 <- _x ] s3) | s3 = MutBorrow.borrow_final {_11.current} {MutBorrow.get_id _11} (fun (_bor: MutBorrow.t t_Perm_PermCell_i32) -> [ &_10 <- _bor ] [ &_11 <- { _11 with current = _bor.final } ] s4) | s4 = MutBorrow.borrow_final {_10.current} {MutBorrow.get_id _10} (fun (_bor: MutBorrow.t t_Perm_PermCell_i32) -> [ &_9 <- _bor ] [ &_10 <- { _10 with current = _bor.final } ] s5) - | s5 = -{resolve_refmut_Box_Perm_PermCell_i32_Global _11}- s6 + | s5 = -{resolve_refmut_Perm_PermCell_i32 _11}- s6 | s6 = -{resolve_refmut_Perm_PermCell_i32 _10}- s7 | s7 = MutBorrow.borrow_final {_9.current} {MutBorrow.get_id _9} (fun (_bor: MutBorrow.t t_Perm_PermCell_i32) -> 
@@ -544,18 +532,17 @@ module M_message_passing [ return (result: t_Option_Resource_Excl_unit) -> {[@stop_split] [@expl:new ensures] result = x} (! return {result}) ] - type t_Option_Box_Perm_PermCell_i32_Global = None'0 | Some'0 t_Perm_PermCell_i32 + type t_Option_Perm_PermCell_i32 = None'0 | Some'0 t_Perm_PermCell_i32 - let rec new_Option_Box_Perm_PermCell_i32_Global (x: t_Option_Box_Perm_PermCell_i32_Global) - (return (x'0: t_Option_Box_Perm_PermCell_i32_Global)) = any - [ return (result: t_Option_Box_Perm_PermCell_i32_Global) -> {[@stop_split] [@expl:new ensures] result = x} + let rec new_Option_Perm_PermCell_i32 (x: t_Option_Perm_PermCell_i32) (return (x'0: t_Option_Perm_PermCell_i32)) = any + [ return (result: t_Option_Perm_PermCell_i32) -> {[@stop_split] [@expl:new ensures] result = x} (! return {result}) ] type closure4 = { c0'4: t_AtomicInvariantSC_MessagePassingAtomicInv; c1'4: MutBorrow.t t_Tokens; c2'4: MutBorrow.t t_Option_Resource_Excl_unit; - c3'4: MutBorrow.t t_Option_Box_Perm_PermCell_i32_Global } + c3'4: MutBorrow.t t_Option_Perm_PermCell_i32 } let rec deref_mut_Ghost_Tokens (self: MutBorrow.t t_Tokens) (return (x: MutBorrow.t t_Tokens)) = any [ return (result: MutBorrow.t t_Tokens) -> {[@stop_split] [@expl:deref_mut ensures] result = self} @@ -573,7 +560,7 @@ module M_message_passing type closure0'3 = { c0'5: t_Committer_AtomicBool_bool_SeqCst_None; c1'5: MutBorrow.t t_Option_Resource_Excl_unit; - c2'5: MutBorrow.t t_Option_Box_Perm_PermCell_i32_Global } + c2'5: MutBorrow.t t_Option_Perm_PermCell_i32 } let rec into_ghost_bool (self: bool) (return (x: bool)) = any [ return (result: bool) -> {[@stop_split] [@expl:into_ghost ensures] result = self} (! return {result}) ] 
@@ -687,10 +674,10 @@ module M_message_passing end} any) ] - predicate resolve_refmut_Ghost_Option_Box_Perm_PermCell_i32_Global [@inline:trivial] (_1: MutBorrow.t t_Option_Box_Perm_PermCell_i32_Global) = + predicate resolve_refmut_Ghost_Option_Perm_PermCell_i32 [@inline:trivial] (_1: MutBorrow.t t_Option_Perm_PermCell_i32) = _1.final = _1.current - meta "rewrite_def" predicate resolve_refmut_Ghost_Option_Box_Perm_PermCell_i32_Global + meta "rewrite_def" predicate resolve_refmut_Ghost_Option_Perm_PermCell_i32 predicate resolve_refmut_Ghost_Option_Resource_Excl_unit [@inline:trivial] (_1: MutBorrow.t t_Option_Resource_Excl_unit) = _1.final = _1.current @@ -698,8 +685,7 @@ module M_message_passing meta "rewrite_def" predicate resolve_refmut_Ghost_Option_Resource_Excl_unit predicate resolve_closure0 [@inline:trivial] (_1: closure0'3) = - resolve_refmut_Ghost_Option_Box_Perm_PermCell_i32_Global _1.c2'5 - /\ resolve_refmut_Ghost_Option_Resource_Excl_unit _1.c1'5 + resolve_refmut_Ghost_Option_Perm_PermCell_i32 _1.c2'5 /\ resolve_refmut_Ghost_Option_Resource_Excl_unit _1.c1'5 meta "rewrite_def" predicate resolve_closure0 @@ -775,8 +761,7 @@ module M_message_passing | bb20 = s0 [ s0 = elim_Synchronisation {_30} (fun (r0: t_Perm_PermCell_i32) -> [ &d_own <- r0 ] s1) | s1 = [ &_41 <- Some'0 d_own ] s2 - | s2 = new_Option_Box_Perm_PermCell_i32_Global {_41} - (fun (_x: t_Option_Box_Perm_PermCell_i32_Global) -> [ &_40 <- _x ] s3) + | s2 = new_Option_Perm_PermCell_i32 {_41} (fun (_x: t_Option_Perm_PermCell_i32) -> [ &_40 <- _x ] s3) | s3 = [ &self <- { self with current = { self.current with c2'5 = { self.current.c2'5 with current = _40 } } } ] s4 | s4 = -{resolve_refmut_closure0 self}- s5 
@@ -811,8 +796,8 @@ module M_message_passing | & _36: MutBorrow.t t_Option_Resource_Excl_unit = Any.any_l () | & _37: MutBorrow.t t_Option_Resource_Excl_unit = Any.any_l () | & _38: MutBorrow.t t_Option_Resource_Excl_unit = Any.any_l () - | & _40: t_Option_Box_Perm_PermCell_i32_Global = Any.any_l () - | & _41: t_Option_Box_Perm_PermCell_i32_Global = Any.any_l () ] + | & _40: t_Option_Perm_PermCell_i32 = Any.any_l () + | & _41: t_Option_Perm_PermCell_i32 = Any.any_l () ] [ return (result: ()) -> {[@stop_split] [@expl:closure hist_inv post] hist_inv_closure0 self.current self.final} return {result} ] @@ -907,7 +892,7 @@ module M_message_passing meta "rewrite_def" predicate resolve_refmut_Ghost_Tokens predicate resolve_closure4 [@inline:trivial] (_1: closure4) = - resolve_refmut_Ghost_Option_Box_Perm_PermCell_i32_Global _1.c3'4 + resolve_refmut_Ghost_Option_Perm_PermCell_i32 _1.c3'4 /\ resolve_refmut_Ghost_Option_Resource_Excl_unit _1.c2'4 /\ resolve_refmut_Ghost_Tokens _1.c1'4 meta "rewrite_def" predicate resolve_closure4 @@ -938,8 +923,8 @@ module M_message_passing [ &_13 <- _bor ] [ &self <- { self with current = { self.current with c2'4 = { self.current.c2'4 with current = _bor.final } } } ] s6) - | s6 = MutBorrow.borrow_mut {self.current.c3'4.current} - (fun (_bor: MutBorrow.t t_Option_Box_Perm_PermCell_i32_Global) -> + | s6 = MutBorrow.borrow_mut {self.current.c3'4.current} + (fun (_bor: MutBorrow.t t_Option_Perm_PermCell_i32) -> [ &_14 <- _bor ] [ &self <- { self with current = { self.current with c3'4 = { self.current.c3'4 with current = _bor.final } } } ] s7) 
@@ -960,7 +945,7 @@ module M_message_passing | & _10: t_FnGhostWrapper_closure0'1 = Any.any_l () | & _11: closure0'3 = Any.any_l () | & _13: MutBorrow.t t_Option_Resource_Excl_unit = Any.any_l () - | & _14: MutBorrow.t t_Option_Box_Perm_PermCell_i32_Global = Any.any_l () ] + | & _14: MutBorrow.t t_Option_Perm_PermCell_i32 = Any.any_l () ] [ return (result: ()) -> {[@stop_split] [@expl:closure hist_inv post] hist_inv_closure4 self.current self.final} return {result} ] 
@@ -1037,24 +1022,24 @@ module M_message_passing /\ val_load_AtomicBool'0 c = result /\ postcondition_once_FnGhostWrapper_closure4 f c ()} (! return {result}) ] - let rec deref_Ghost_Option_Box_Perm_PermCell_i32_Global (self: t_Option_Box_Perm_PermCell_i32_Global) - (return (x: t_Option_Box_Perm_PermCell_i32_Global)) = any - [ return (result: t_Option_Box_Perm_PermCell_i32_Global) -> {[@stop_split] [@expl:deref ensures] result = self} + let rec deref_Ghost_Option_Perm_PermCell_i32 (self: t_Option_Perm_PermCell_i32) + (return (x: t_Option_Perm_PermCell_i32)) = any + [ return (result: t_Option_Perm_PermCell_i32) -> {[@stop_split] [@expl:deref ensures] result = self} (! return {result}) ] - type t_Option_ref_Box_Perm_PermCell_i32_Global = None'3 | Some'3 t_Perm_PermCell_i32 + type t_Option_ref_Perm_PermCell_i32 = None'3 | Some'3 t_Perm_PermCell_i32 - let rec as_ref_Box_Perm_PermCell_i32_Global (self_: t_Option_Box_Perm_PermCell_i32_Global) - (return (x: t_Option_ref_Box_Perm_PermCell_i32_Global)) = any - [ return (result: t_Option_ref_Box_Perm_PermCell_i32_Global) -> - {[@stop_split] [@expl:as_ref_Box_Perm_PermCell_i32_Global ensures] ([@stop_split] [@expl:as_ref ensures #0] self_ - = None'0 -> result = None'3) + let rec as_ref_Perm_PermCell_i32 (self_: t_Option_Perm_PermCell_i32) (return (x: t_Option_ref_Perm_PermCell_i32)) = + any + [ return (result: t_Option_ref_Perm_PermCell_i32) -> + {[@stop_split] [@expl:as_ref_Perm_PermCell_i32 ensures] ([@stop_split] [@expl:as_ref ensures #0] self_ = None'0 + -> result = None'3) /\ ([@stop_split] [@expl:as_ref ensures #1] self_ = None'0 \/ (exists r: t_Perm_PermCell_i32. result = Some'3 r /\ self_ = Some'0 r))} (! 
return {result}) ] - let rec unwrap_ref_Box_Perm_PermCell_i32_Global (self_: t_Option_ref_Box_Perm_PermCell_i32_Global) - (return (x: t_Perm_PermCell_i32)) = {[@stop_split] [@expl:unwrap requires] self_ <> None'3} + let rec unwrap_ref_Perm_PermCell_i32 (self_: t_Option_ref_Perm_PermCell_i32) (return (x: t_Perm_PermCell_i32)) = + {[@stop_split] [@expl:unwrap requires] self_ <> None'3} any [ return (result: t_Perm_PermCell_i32) -> {[@stop_split] [@expl:unwrap ensures] Some'3 result = self_} (! return {result}) ] @@ -1082,8 +1067,7 @@ module M_message_passing | s2 = new_Option_Resource_Excl_unit {_4} (fun (_x: t_Option_Resource_Excl_unit) -> [ &excl <- _x ] s3) | s3 = [ &excl_snap <- excl ] s4 | s4 = [ &_11 <- None'0 ] s5 - | s5 = new_Option_Box_Perm_PermCell_i32_Global {_11} - (fun (_x: t_Option_Box_Perm_PermCell_i32_Global) -> [ &data_own <- _x ] s6) + | s5 = new_Option_Perm_PermCell_i32 {_11} (fun (_x: t_Option_Perm_PermCell_i32) -> [ &data_own <- _x ] s6) | s6 = bb5 ] | bb5 = bb5 [ bb5 = {[@expl:loop invariant #0] excl = excl_snap} 
@@ -1093,20 +1077,17 @@ module M_message_passing (fun (_bor: MutBorrow.t t_Tokens) -> [ &_26 <- _bor ] [ &tokens <- _bor.final ] s1) | s1 = MutBorrow.borrow_mut {excl} (fun (_bor: MutBorrow.t t_Option_Resource_Excl_unit) -> [ &_27 <- _bor ] [ &excl <- _bor.final ] s2) - | s2 = MutBorrow.borrow_mut {data_own} - (fun (_bor: MutBorrow.t t_Option_Box_Perm_PermCell_i32_Global) -> - [ &_28 <- _bor ] [ &data_own <- _bor.final ] s3) + | s2 = MutBorrow.borrow_mut {data_own} + (fun (_bor: MutBorrow.t t_Option_Perm_PermCell_i32) -> [ &_28 <- _bor ] [ &data_own <- _bor.final ] s3) | s3 = [ &_24 <- { c0'4 = self.c2'3; c1'4 = _26; c2'4 = _27; c3'4 = _28 } ] s4 | s4 = __new_closure4 {_24} (fun (_x: t_FnGhostWrapper_closure4) -> [ &_23 <- _x ] s5) | s5 = new_FnGhostWrapper_closure4 {_23} (fun (_x: t_FnGhostWrapper_closure4) -> [ &_22 <- _x ] s6) | s6 = load_FnGhostWrapper_closure4 {self.c1'3} {_22} (fun (_x: bool) -> [ &_20 <- _x ] s7) | s7 = any [ br0 -> {_20 = false} (! bb5) | br1 -> {_20} (! bb10) ] ] ] | bb10 = s0 - [ s0 = deref_Ghost_Option_Box_Perm_PermCell_i32_Global {data_own} - (fun (_x: t_Option_Box_Perm_PermCell_i32_Global) -> [ &_37 <- _x ] s1) - | s1 = as_ref_Box_Perm_PermCell_i32_Global {_37} - (fun (_x: t_Option_ref_Box_Perm_PermCell_i32_Global) -> [ &_35 <- _x ] s2) - | s2 = unwrap_ref_Box_Perm_PermCell_i32_Global {_35} (fun (_x: t_Perm_PermCell_i32) -> [ &_34 <- _x ] s3) + [ s0 = deref_Ghost_Option_Perm_PermCell_i32 {data_own} (fun (_x: t_Option_Perm_PermCell_i32) -> [ &_37 <- _x ] s1) + | s1 = as_ref_Perm_PermCell_i32 {_37} (fun (_x: t_Option_ref_Perm_PermCell_i32) -> [ &_35 <- _x ] s2) + | s2 = unwrap_ref_Perm_PermCell_i32 {_35} (fun (_x: t_Perm_PermCell_i32) -> [ &_34 <- _x ] s3) | s3 = new_ref_Perm_PermCell_i32 {_34} (fun (_x: t_Perm_PermCell_i32) -> [ &_32 <- _x ] s4) | s4 = get_i32 {self.c3'3} {_32} (fun (_x: Int32.t) -> [ &res <- _x ] s5) | s5 = {[@expl:assertion] res = (1: Int32.t)} s6 
@@ -1118,20 +1099,20 @@ module M_message_passing | & _4: t_Option_Resource_Excl_unit = Any.any_l () | & _5: t_Resource_Excl_unit = Any.any_l () | & excl_snap: t_Option_Resource_Excl_unit = Any.any_l () - | & data_own: t_Option_Box_Perm_PermCell_i32_Global = Any.any_l () - | & _11: t_Option_Box_Perm_PermCell_i32_Global = Any.any_l () + | & data_own: t_Option_Perm_PermCell_i32 = Any.any_l () + | & _11: t_Option_Perm_PermCell_i32 = Any.any_l () | & _20: bool = Any.any_l () | & _22: t_FnGhostWrapper_closure4 = Any.any_l () | & _23: t_FnGhostWrapper_closure4 = Any.any_l () | & _24: closure4 = Any.any_l () | & _26: MutBorrow.t t_Tokens = Any.any_l () | & _27: MutBorrow.t t_Option_Resource_Excl_unit = Any.any_l () - | & _28: MutBorrow.t t_Option_Box_Perm_PermCell_i32_Global = Any.any_l () + | & _28: MutBorrow.t t_Option_Perm_PermCell_i32 = Any.any_l () | & res: Int32.t = Any.any_l () | & _32: t_Perm_PermCell_i32 = Any.any_l () | & _34: t_Perm_PermCell_i32 = Any.any_l () - | & _35: t_Option_ref_Box_Perm_PermCell_i32_Global = Any.any_l () - | & _37: t_Option_Box_Perm_PermCell_i32_Global = Any.any_l () ] [ return (result: ()) -> return {result} ] + | & _35: t_Option_ref_Perm_PermCell_i32 = Any.any_l () + | & _37: t_Option_Perm_PermCell_i32 = Any.any_l () ] [ return (result: ()) -> return {result} ] meta "rewrite_def" predicate closure1'pre 
@@ -1246,14 +1227,14 @@ module M_message_passing let rec message_passing (return (x: ())) = (! bb0 [ bb0 = s0 - [ s0 = new {false} (fun (_x: tup2_AtomicBool_Ghost_Box_Perm_AtomicBool_Global) -> [ &_3 <- _x ] s1) + [ s0 = new {false} (fun (_x: tup2_AtomicBool_Ghost_Perm_AtomicBool) -> [ &_3 <- _x ] s1) | s1 = [ &atomic <- _3.f0 ] s2 | s2 = [ &atomic_own'0 <- _3.f1 ] s3 - | s3 = new_i32 {(0: Int32.t)} (fun (_x: tup2_PermCell_i32_Ghost_Box_Perm_PermCell_i32_Global) -> [ &_6 <- _x ] s4) + | s3 = new_i32 {(0: Int32.t)} (fun (_x: tup2_PermCell_i32_Ghost_Perm_PermCell_i32) -> [ &_6 <- _x ] s4) | s4 = [ &data <- _6.f0'0 ] s5 | s5 = [ &data_own <- _6.f1'0 ] s6 | s6 = alloc_Excl_unit {{ f0'1 = () }} (fun (_x: t_Resource_Excl_unit) -> [ &excl <- _x ] s7) - | s7 = into_inner_Box_Perm_AtomicBool_Global {atomic_own'0} (fun (_x: t_Perm_AtomicBool) -> [ &_13 <- _x ] s8) + | s7 = into_inner_Perm_AtomicBool {atomic_own'0} (fun (_x: t_Perm_AtomicBool) -> [ &_13 <- _x ] s8) | s8 = [ &_15 <- NotWrittenYet ] s9 | s9 = [ &_12 <- { atomic_own = _13; state = _15; public_data = { f0'2 = data; f1'2 = id_Excl_unit excl } } ] s10 | s10 = new_MessagePassingAtomicInv {_12} (fun (_x: t_MessagePassingAtomicInv) -> [ &_11 <- _x ] s11) @@ -1267,10 +1248,10 @@ module M_message_passing [ & _ret: () = Any.any_l () | & atomic: t_AtomicBool = Any.any_l () | & atomic_own'0: t_Perm_AtomicBool = Any.any_l () - | & _3: tup2_AtomicBool_Ghost_Box_Perm_AtomicBool_Global = Any.any_l () + | & _3: tup2_AtomicBool_Ghost_Perm_AtomicBool = Any.any_l () | & data: t_PermCell_i32 = Any.any_l () | & data_own: t_Perm_PermCell_i32 = Any.any_l () - | & _6: tup2_PermCell_i32_Ghost_Box_Perm_PermCell_i32_Global = Any.any_l () + | & _6: tup2_PermCell_i32_Ghost_Perm_PermCell_i32 = Any.any_l () | & excl: t_Resource_Excl_unit = Any.any_l () | & inv: t_AtomicInvariantSC_MessagePassingAtomicInv = Any.any_l () | & _11: t_MessagePassingAtomicInv = Any.any_l () 
diff --git a/examples/message_passing/sc.rs b/examples/message_passing/sc.rs
index 39ffd425dc..f06fdf5949 100644
--- a/examples/message_passing/sc.rs
+++ b/examples/message_passing/sc.rs
@@ -18,14 +18,14 @@ use creusot_std::{
 declare_namespace! { MESSAGE_PASSING }
 struct MessagePassingAtomicInv {
- atomic_own: Box>,
+ atomic_own: Perm,
 state: State,
 public_data: Snapshot<(PermCell, Id)>,
 }
 enum State {
 NotWrittenYet,
- Synchronisation(Box>>),
+ Synchronisation(Perm>),
 Readable(Resource>),
 }
@@ -70,7 +70,7 @@ pub fn message_passing() {
 let atomic = &atomic;
 let t1 = s.spawn(move |tokens: Ghost| {
- unsafe { *data.borrow_mut(ghost!(&mut **data_own)) = 1 }
+ unsafe { *data.borrow_mut(ghost!(&mut *data_own)) = 1 }
 atomic.store(
 true,
diff --git a/examples/message_passing/sc/proof.json b/examples/message_passing/sc/proof.json
index c68a1f04ac..a56c44e30a 100644
--- a/examples/message_passing/sc/proof.json
+++ b/examples/message_passing/sc/proof.json
@@ -3,56 +3,53 @@ "proofs": { "M_message_passing": { "vc___new_closure0": { "prover": "alt-ergo", "time": 0.031 }, - "vc___new_closure0'0": { "prover": "alt-ergo", "time": 0.016 }, + "vc___new_closure0'0": { "prover": "alt-ergo", "time": 0.049 }, "vc___new_closure0'1": { "prover": "alt-ergo", "time": 0.028 }, "vc___new_closure4": { "prover": "alt-ergo", "time": 0.031 }, - "vc_alloc_Excl_unit": { "prover": "alt-ergo", "time": 0.013 }, - "vc_as_mut_Resource_Excl_unit": { "prover": "alt-ergo", "time": 0.019 }, - "vc_as_ref_Box_Perm_PermCell_i32_Global": { - "prover": "alt-ergo", - "time": 0.029 - }, + "vc_alloc_Excl_unit": { "prover": "alt-ergo", "time": 0.063 }, + "vc_as_mut_Resource_Excl_unit": { "prover": "alt-ergo", "time": 0.042 }, + "vc_as_ref_Perm_PermCell_i32": { "prover": "alt-ergo", "time": 0.077 }, "vc_borrow_AtomicInvariantSC_MessagePassingAtomicInv": { "prover": "alt-ergo", - "time": 0.022 + "time": 0.045 }, - "vc_borrow_mut_i32": { "prover": "alt-ergo", "time": 0.016 }, - "vc_closure0": { "prover": "alt-ergo", "time": 0.015 }, + "vc_borrow_mut_i32": { "prover": "alt-ergo", "time": 0.054 }, + "vc_closure0": { "prover": "alt-ergo", "time": 0.044 }, "vc_closure0'0": { "prover": "alt-ergo", "time": 0.031 }, "vc_closure0'1": { "prover": "alt-ergo", "time": 0.034 }, "vc_closure0'2": { "prover": "alt-ergo", "time": 0.019 }, "vc_closure0'3": { "prover": "alt-ergo", "time": 0.026 }, - "vc_closure1": { "prover": "alt-ergo", "time": 0.025 }, + "vc_closure1": { "prover": "alt-ergo", "time": 0.055 }, "vc_closure4": { "prover": "alt-ergo", "time": 0.023 }, - "vc_deref_Ghost_Option_Box_Perm_PermCell_i32_Global": { + "vc_deref_Ghost_Option_Perm_PermCell_i32": { "prover": "alt-ergo", - "time": 0.03 + "time": 0.053 }, - "vc_deref_Ghost_bool": { "prover": "alt-ergo", "time": 0.022 }, + "vc_deref_Ghost_bool": { "prover": "alt-ergo", "time": 0.049 }, "vc_deref_Ghost_ref_AtomicInvariantSC_MessagePassingAtomicInv": { "prover": "alt-ergo", "time": 0.031 }, - 
"vc_deref_mut_Ghost_Box_Perm_PermCell_i32_Global": { + "vc_deref_mut_Ghost_Option_Resource_Excl_unit": { "prover": "alt-ergo", - "time": 0.033 + "time": 0.049 }, - "vc_deref_mut_Ghost_Option_Resource_Excl_unit": { + "vc_deref_mut_Ghost_Perm_PermCell_i32": { "prover": "alt-ergo", - "time": 0.022 + "time": 0.081 }, - "vc_deref_mut_Ghost_Tokens": { "prover": "alt-ergo", "time": 0.018 }, - "vc_elim_Readable": { "prover": "alt-ergo", "time": 0.022 }, - "vc_elim_Synchronisation": { "prover": "alt-ergo", "time": 0.02 }, - "vc_get_i32": { "prover": "alt-ergo", "time": 0.029 }, - "vc_into_ghost_bool": { "prover": "alt-ergo", "time": 0.022 }, - "vc_into_inner_Box_Perm_AtomicBool_Global": { + "vc_deref_mut_Ghost_Tokens": { "prover": "alt-ergo", "time": 0.042 }, + "vc_elim_Readable": { "prover": "alt-ergo", "time": 0.049 }, + "vc_elim_Synchronisation": { "prover": "alt-ergo", "time": 0.04 }, + "vc_get_i32": { "prover": "alt-ergo", "time": 0.077 }, + "vc_into_ghost_bool": { "prover": "alt-ergo", "time": 0.049 }, + "vc_into_inner_Perm_AtomicBool": { "prover": "alt-ergo", - "time": 0.013 + "time": 0.063 }, - "vc_into_inner_Box_Perm_PermCell_i32_Global": { + "vc_into_inner_Perm_PermCell_i32": { "prover": "alt-ergo", - "time": 0.024 + "time": 0.06 }, "vc_into_inner_Resource_Excl_unit": { "prover": "alt-ergo", @@ -71,10 +68,10 @@ "tactic": "compute_specified", "children": [ { "prover": "cvc5", "time": 0.356 } ] }, - "vc_new": { "prover": "alt-ergo", "time": 0.02 }, + "vc_new": { "prover": "alt-ergo", "time": 0.041 }, "vc_new_FnGhostWrapper_closure0": { "prover": "alt-ergo", - "time": 0.016 + "time": 0.049 }, "vc_new_FnGhostWrapper_closure4": { "prover": "alt-ergo", 
@@ -82,22 +79,22 @@ }, "vc_new_MessagePassingAtomicInv": { "prover": "alt-ergo", - "time": 0.021 + "time": 0.049 }, "vc_new_MessagePassingAtomicInv'0": { "prover": "alt-ergo", - "time": 0.02 + "time": 0.05 }, - "vc_new_Option_Box_Perm_PermCell_i32_Global": { + "vc_new_Option_Perm_PermCell_i32": { "prover": "alt-ergo", - "time": 0.024 + "time": 0.041 }, "vc_new_Option_Resource_Excl_unit": { "prover": "alt-ergo", - "time": 0.021 + "time": 0.047 }, "vc_new_i32": { "prover": "alt-ergo", "time": 0.018 }, - "vc_new_ref_Perm_PermCell_i32": { "prover": "alt-ergo", "time": 0.029 }, + "vc_new_ref_Perm_PermCell_i32": { "prover": "alt-ergo", "time": 0.077 }, "vc_new_refmut_Perm_PermCell_i32": { "prover": "alt-ergo", "time": 0.016 @@ -110,10 +107,10 @@ "prover": "alt-ergo", "time": 0.023 }, - "vc_reborrow": { "prover": "alt-ergo", "time": 0.018 }, - "vc_replace_State": { "prover": "alt-ergo", "time": 0.021 }, + "vc_reborrow": { "prover": "alt-ergo", "time": 0.042 }, + "vc_replace_State": { "prover": "alt-ergo", "time": 0.045 }, "vc_scope_closure0": { "prover": "alt-ergo", "time": 0.027 }, - "vc_shoot_load_AtomicBool": { "prover": "alt-ergo", "time": 0.019 }, + "vc_shoot_load_AtomicBool": { "prover": "alt-ergo", "time": 0.045 }, "vc_shoot_store_AtomicBool": { "prover": "alt-ergo", "time": 0.027 }, "vc_spawn_closure0": { "prover": "alt-ergo", "time": 0.022 }, "vc_spawn_closure1": { "prover": "alt-ergo", "time": 0.032 }, 
@@ -121,15 +118,15 @@ "prover": "alt-ergo", "time": 0.02 }, - "vc_take_Resource_Excl_unit": { "prover": "alt-ergo", "time": 0.021 }, - "vc_unwrap_Resource_Excl_unit": { "prover": "alt-ergo", "time": 0.021 }, - "vc_unwrap_ref_Box_Perm_PermCell_i32_Global": { + "vc_take_Resource_Excl_unit": { "prover": "alt-ergo", "time": 0.045 }, + "vc_unwrap_Resource_Excl_unit": { "prover": "alt-ergo", "time": 0.045 }, + "vc_unwrap_ref_Perm_PermCell_i32": { "prover": "alt-ergo", - "time": 0.029 + "time": 0.077 }, "vc_unwrap_refmut_Resource_Excl_unit": { "prover": "alt-ergo", - "time": 0.019 + "time": 0.042 }, "vc_valid_op_lemma_Excl_unit": { "prover": "alt-ergo", "time": 0.02 } } diff --git a/examples/message_passing/sc_options.coma b/examples/message_passing/sc_options.coma index 661b7eeb78..190b13af31 100644 --- a/examples/message_passing/sc_options.coma +++ b/examples/message_passing/sc_options.coma 
@@ -13,22 +13,22 @@ module M_message_passing type t_Perm_AtomicBool - type tup2_AtomicBool_Ghost_Box_Perm_AtomicBool_Global = { f0: t_AtomicBool; f1: t_Perm_AtomicBool } + type tup2_AtomicBool_Ghost_Perm_AtomicBool = { f0: t_AtomicBool; f1: t_Perm_AtomicBool } predicate inv_AtomicBool (_1: t_AtomicBool) - predicate inv_tup2_AtomicBool_Ghost_Box_Perm_AtomicBool_Global [@inline:trivial] (_1: tup2_AtomicBool_Ghost_Box_Perm_AtomicBool_Global) = + predicate inv_tup2_AtomicBool_Ghost_Perm_AtomicBool [@inline:trivial] (_1: tup2_AtomicBool_Ghost_Perm_AtomicBool) = inv_AtomicBool _1.f0 - meta "rewrite_def" predicate inv_tup2_AtomicBool_Ghost_Box_Perm_AtomicBool_Global + meta "rewrite_def" predicate inv_tup2_AtomicBool_Ghost_Perm_AtomicBool function val_AtomicBool (self: t_Perm_AtomicBool) : bool function ward_AtomicBool (self: t_Perm_AtomicBool) : t_AtomicBool - let rec new (val': bool) (return (x: tup2_AtomicBool_Ghost_Box_Perm_AtomicBool_Global)) = any - [ return (result: tup2_AtomicBool_Ghost_Box_Perm_AtomicBool_Global) -> - {[@stop_split] [@expl:new ensures] ([@stop_split] [@expl:new result type invariant] inv_tup2_AtomicBool_Ghost_Box_Perm_AtomicBool_Global result) + let rec new (val': bool) (return (x: tup2_AtomicBool_Ghost_Perm_AtomicBool)) = any + [ return (result: tup2_AtomicBool_Ghost_Perm_AtomicBool) -> + {[@stop_split] [@expl:new ensures] ([@stop_split] [@expl:new result type invariant] inv_tup2_AtomicBool_Ghost_Perm_AtomicBool result) /\ ([@stop_split] [@expl:new ensures #0] val_AtomicBool result.f1 = val') /\ ([@stop_split] [@expl:new ensures #1] ward_AtomicBool result.f1 = result.f0)} (! return {result}) ] @@ -37,7 +37,7 @@ module M_message_passing type t_Perm_PermCell_i32 - type tup2_PermCell_i32_Ghost_Box_Perm_PermCell_i32_Global = { f0'0: t_PermCell_i32; f1'0: t_Perm_PermCell_i32 } + type tup2_PermCell_i32_Ghost_Perm_PermCell_i32 = { f0'0: t_PermCell_i32; f1'0: t_Perm_PermCell_i32 } function ward_PermCell_i32 (self: t_Perm_PermCell_i32) : t_PermCell_i32 
@@ -47,16 +47,11 @@ module M_message_passing meta "rewrite_def" function view_Perm_PermCell_i32 - function view_Box_Perm_PermCell_i32_Global [@inline:trivial] (self: t_Perm_PermCell_i32) : Int32.t = - view_Perm_PermCell_i32 self - - meta "rewrite_def" function view_Box_Perm_PermCell_i32_Global - - let rec new_i32 (value: Int32.t) (return (x: tup2_PermCell_i32_Ghost_Box_Perm_PermCell_i32_Global)) = any - [ return (result: tup2_PermCell_i32_Ghost_Box_Perm_PermCell_i32_Global) -> + let rec new_i32 (value: Int32.t) (return (x: tup2_PermCell_i32_Ghost_Perm_PermCell_i32)) = any + [ return (result: tup2_PermCell_i32_Ghost_Perm_PermCell_i32) -> {[@stop_split] [@expl:new_i32 ensures] ([@stop_split] [@expl:new ensures #0] result.f0'0 = ward_PermCell_i32 result.f1'0) - /\ ([@stop_split] [@expl:new ensures #1] view_Box_Perm_PermCell_i32_Global result.f1'0 = value)} + /\ ([@stop_split] [@expl:new ensures #1] view_Perm_PermCell_i32 result.f1'0 = value)} (! return {result}) ] type t_Excl_unit = { f0'1: () } @@ -77,11 +72,11 @@ module M_message_passing {[@stop_split] [@expl:alloc ensures] view_Resource_Option_Excl_unit result = r} (! return {result}) ] - let rec into_inner_Box_Perm_AtomicBool_Global (self: t_Perm_AtomicBool) (return (x: t_Perm_AtomicBool)) = any + let rec into_inner_Perm_AtomicBool (self: t_Perm_AtomicBool) (return (x: t_Perm_AtomicBool)) = any [ return (result: t_Perm_AtomicBool) -> {[@stop_split] [@expl:into_inner ensures] result = self} (! return {result}) ] - type t_Option_Box_Perm_PermCell_i32_Global = None'0 | Some'0 t_Perm_PermCell_i32 + type t_Option_Perm_PermCell_i32 = None'0 | Some'0 t_Perm_PermCell_i32 let rec deref_Ghost_Resource_Option_Excl_unit (self: t_Resource_Option_Excl_unit) (return (x: t_Resource_Option_Excl_unit)) = any 
@@ -138,7 +133,7 @@ module M_message_passing type t_MessagePassingAtomicInv = { atomic_own: t_Perm_AtomicBool; - data_own: t_Option_Box_Perm_PermCell_i32_Global; + data_own: t_Option_Perm_PermCell_i32; data: t_PermCell_i32; tok: t_Resource_Option_Excl_unit } @@ -199,16 +194,11 @@ module M_message_passing c2'0: t_AtomicBool; c3'0: t_AtomicInvariantSC_MessagePassingAtomicInv } - let rec deref_mut_Ghost_Box_Perm_PermCell_i32_Global (self: MutBorrow.t t_Perm_PermCell_i32) + let rec deref_mut_Ghost_Perm_PermCell_i32 (self: MutBorrow.t t_Perm_PermCell_i32) (return (x: MutBorrow.t t_Perm_PermCell_i32)) = any [ return (result: MutBorrow.t t_Perm_PermCell_i32) -> {[@stop_split] [@expl:deref_mut ensures] result = self} (! return {result}) ] - predicate resolve_refmut_Box_Perm_PermCell_i32_Global [@inline:trivial] (_1: MutBorrow.t t_Perm_PermCell_i32) = - _1.final = _1.current - - meta "rewrite_def" predicate resolve_refmut_Box_Perm_PermCell_i32_Global - predicate resolve_refmut_Perm_PermCell_i32 [@inline:trivial] (_1: MutBorrow.t t_Perm_PermCell_i32) = _1.final = _1.current @@ -257,7 +247,7 @@ module M_message_passing type closure0'2 = { c0'2: t_Perm_PermCell_i32; c1'2: MutBorrow.t t_Committer_AtomicBool_bool_None_SeqCst } - let rec into_inner_Box_Perm_PermCell_i32_Global (self: t_Perm_PermCell_i32) (return (x: t_Perm_PermCell_i32)) = any + let rec into_inner_Perm_PermCell_i32 (self: t_Perm_PermCell_i32) (return (x: t_Perm_PermCell_i32)) = any [ return (result: t_Perm_PermCell_i32) -> {[@stop_split] [@expl:into_inner ensures] result = self} (! return {result}) ] 
@@ -290,10 +280,9 @@ module M_message_passing /\ ([@stop_split] [@expl:shoot_store ensures #3] val_AtomicBool own.final = val_store_AtomicBool self.current)} (! return {result}) ] - predicate resolve_refmut_Box_Perm_AtomicBool_Global [@inline:trivial] (_1: MutBorrow.t t_Perm_AtomicBool) = - _1.final = _1.current + predicate resolve_refmut_Perm_AtomicBool [@inline:trivial] (_1: MutBorrow.t t_Perm_AtomicBool) = _1.final = _1.current - meta "rewrite_def" predicate resolve_refmut_Box_Perm_AtomicBool_Global + meta "rewrite_def" predicate resolve_refmut_Perm_AtomicBool predicate resolve_refmut_MessagePassingAtomicInv [@inline:trivial] (_1: MutBorrow.t t_MessagePassingAtomicInv) = _1.final = _1.current @@ -308,7 +297,7 @@ module M_message_passing let rec closure0 [@coma:extspec] (self: closure0'2) (inv: MutBorrow.t t_MessagePassingAtomicInv) (return (x: ())) = bb0 [ bb0 = s0 - [ s0 = into_inner_Box_Perm_PermCell_i32_Global {self.c0'2} (fun (_x: t_Perm_PermCell_i32) -> [ &_4 <- _x ] s1) + [ s0 = into_inner_Perm_PermCell_i32 {self.c0'2} (fun (_x: t_Perm_PermCell_i32) -> [ &_4 <- _x ] s1) | s1 = [ &_3 <- Some'0 _4 ] s2 | s2 = [ &inv <- { inv with current = { inv.current with data_own = _3 } } ] s3 | s3 = MutBorrow.borrow_final {inv.current.atomic_own} @@ -322,7 +311,7 @@ module M_message_passing | s5 = MutBorrow.borrow_final {_9.current} {MutBorrow.get_id _9} (fun (_bor: MutBorrow.t t_Perm_AtomicBool) -> [ &_8 <- _bor ] [ &_9 <- { _9 with current = _bor.final } ] s6) | s6 = shoot_store_AtomicBool {_7} {_8} (fun (_x: ()) -> [ &_6 <- _x ] s7) - | s7 = -{resolve_refmut_Box_Perm_AtomicBool_Global _9}- s8 + | s7 = -{resolve_refmut_Perm_AtomicBool _9}- s8 | s8 = -{resolve_refmut_MessagePassingAtomicInv inv}- s9 | s9 = -{match self with | {c1'2 = x} -> resolve_refmut_Committer_AtomicBool_bool_None_SeqCst x 
@@ -333,7 +322,7 @@ module M_message_passing [ & _ret: () = Any.any_l () | & self: closure0'2 = self | & inv: MutBorrow.t t_MessagePassingAtomicInv = inv - | & _3: t_Option_Box_Perm_PermCell_i32_Global = Any.any_l () + | & _3: t_Option_Perm_PermCell_i32 = Any.any_l () | & _4: t_Perm_PermCell_i32 = Any.any_l () | & _6: () = Any.any_l () | & _7: MutBorrow.t t_Committer_AtomicBool_bool_None_SeqCst = Any.any_l () @@ -494,15 +483,14 @@ module M_message_passing | s1 = MutBorrow.borrow_mut {self.c1'0} (fun (_bor: MutBorrow.t t_Perm_PermCell_i32) -> [ &_12 <- _bor ] [ &self <- { self with c1'0 = _bor.final } ] s2) - | s2 = deref_mut_Ghost_Box_Perm_PermCell_i32_Global {_12} - (fun (_x: MutBorrow.t t_Perm_PermCell_i32) -> [ &_11 <- _x ] s3) + | s2 = deref_mut_Ghost_Perm_PermCell_i32 {_12} (fun (_x: MutBorrow.t t_Perm_PermCell_i32) -> [ &_11 <- _x ] s3) | s3 = MutBorrow.borrow_final {_11.current} {MutBorrow.get_id _11} (fun (_bor: MutBorrow.t t_Perm_PermCell_i32) -> [ &_10 <- _bor ] [ &_11 <- { _11 with current = _bor.final } ] s4) | s4 = MutBorrow.borrow_final {_10.current} {MutBorrow.get_id _10} (fun (_bor: MutBorrow.t t_Perm_PermCell_i32) -> [ &_9 <- _bor ] [ &_10 <- { _10 with current = _bor.final } ] s5) - | s5 = -{resolve_refmut_Box_Perm_PermCell_i32_Global _11}- s6 + | s5 = -{resolve_refmut_Perm_PermCell_i32 _11}- s6 | s6 = -{resolve_refmut_Perm_PermCell_i32 _10}- s7 | s7 = MutBorrow.borrow_final {_9.current} {MutBorrow.get_id _9} (fun (_bor: MutBorrow.t t_Perm_PermCell_i32) -> 
@@ -589,16 +577,15 @@ module M_message_passing c2'3: t_AtomicInvariantSC_MessagePassingAtomicInv; c3'3: t_PermCell_i32 } - let rec new_Option_Box_Perm_PermCell_i32_Global (x: t_Option_Box_Perm_PermCell_i32_Global) - (return (x'0: t_Option_Box_Perm_PermCell_i32_Global)) = any - [ return (result: t_Option_Box_Perm_PermCell_i32_Global) -> {[@stop_split] [@expl:new ensures] result = x} + let rec new_Option_Perm_PermCell_i32 (x: t_Option_Perm_PermCell_i32) (return (x'0: t_Option_Perm_PermCell_i32)) = any + [ return (result: t_Option_Perm_PermCell_i32) -> {[@stop_split] [@expl:new ensures] result = x} (! return {result}) ] type closure4 = { c0'4: t_AtomicInvariantSC_MessagePassingAtomicInv; c1'4: MutBorrow.t t_Tokens; c2'4: MutBorrow.t t_Resource_Option_Excl_unit; - c3'4: MutBorrow.t t_Option_Box_Perm_PermCell_i32_Global } + c3'4: MutBorrow.t t_Option_Perm_PermCell_i32 } let rec deref_mut_Ghost_Tokens (self: MutBorrow.t t_Tokens) (return (x: MutBorrow.t t_Tokens)) = any [ return (result: MutBorrow.t t_Tokens) -> {[@stop_split] [@expl:deref_mut ensures] result = self} @@ -616,7 +603,7 @@ module M_message_passing type closure0'3 = { c0'5: t_Committer_AtomicBool_bool_SeqCst_None; c1'5: MutBorrow.t t_Resource_Option_Excl_unit; - c2'5: MutBorrow.t t_Option_Box_Perm_PermCell_i32_Global } + c2'5: MutBorrow.t t_Option_Perm_PermCell_i32 } let rec into_ghost_bool (self: bool) (return (x: bool)) = any [ return (result: bool) -> {[@stop_split] [@expl:into_ghost ensures] result = self} (! return {result}) ] 
@@ -666,10 +653,9 @@ module M_message_passing [ return (result: ()) -> {[@stop_split] [@expl:shoot_load ensures] val_load_AtomicBool'0 self = val_AtomicBool own} (! return {result}) ] - let rec take_Box_Perm_PermCell_i32_Global (self_: MutBorrow.t t_Option_Box_Perm_PermCell_i32_Global) - (return (x: t_Option_Box_Perm_PermCell_i32_Global)) = any - [ return (result: t_Option_Box_Perm_PermCell_i32_Global) -> {[@stop_split] [@expl:take ensures] result - = self_.current + let rec take_Perm_PermCell_i32 (self_: MutBorrow.t t_Option_Perm_PermCell_i32) + (return (x: t_Option_Perm_PermCell_i32)) = any + [ return (result: t_Option_Perm_PermCell_i32) -> {[@stop_split] [@expl:take ensures] result = self_.current /\ self_.final = None'0} (! return {result}) ] @@ -677,10 +663,10 @@ module M_message_passing meta "rewrite_def" predicate resolve_refmut_closure0 - predicate resolve_refmut_Ghost_Option_Box_Perm_PermCell_i32_Global [@inline:trivial] (_1: MutBorrow.t t_Option_Box_Perm_PermCell_i32_Global) = + predicate resolve_refmut_Ghost_Option_Perm_PermCell_i32 [@inline:trivial] (_1: MutBorrow.t t_Option_Perm_PermCell_i32) = _1.final = _1.current - meta "rewrite_def" predicate resolve_refmut_Ghost_Option_Box_Perm_PermCell_i32_Global + meta "rewrite_def" predicate resolve_refmut_Ghost_Option_Perm_PermCell_i32 predicate resolve_refmut_Ghost_Resource_Option_Excl_unit [@inline:trivial] (_1: MutBorrow.t t_Resource_Option_Excl_unit) = _1.final = _1.current @@ -688,8 +674,7 @@ module M_message_passing meta "rewrite_def" predicate resolve_refmut_Ghost_Resource_Option_Excl_unit predicate resolve_closure0 [@inline:trivial] (_1: closure0'3) = - resolve_refmut_Ghost_Option_Box_Perm_PermCell_i32_Global _1.c2'5 - /\ resolve_refmut_Ghost_Resource_Option_Excl_unit _1.c1'5 + resolve_refmut_Ghost_Option_Perm_PermCell_i32 _1.c2'5 /\ resolve_refmut_Ghost_Resource_Option_Excl_unit _1.c1'5 meta "rewrite_def" predicate resolve_closure0 
@@ -747,17 +732,15 @@ module M_message_passing {MutBorrow.inherit_id (MutBorrow.get_id inv) 0} (fun (_bor: MutBorrow.t t_Perm_AtomicBool) -> [ &_28 <- _bor ] [ &inv <- { inv with current = { inv.current with atomic_own = _bor.final } } ] s17) - | s17 = -{resolve_refmut_Box_Perm_AtomicBool_Global _28}- s18 + | s17 = -{resolve_refmut_Perm_AtomicBool _28}- s18 | s18 = shoot_load_AtomicBool {self.current.c0'5} {_28.current} (fun (_x: ()) -> [ &_25 <- _x ] s19) - | s19 = MutBorrow.borrow_final {inv.current.data_own} + | s19 = MutBorrow.borrow_final {inv.current.data_own} {MutBorrow.inherit_id (MutBorrow.get_id inv) 1} - (fun (_bor: MutBorrow.t t_Option_Box_Perm_PermCell_i32_Global) -> + (fun (_bor: MutBorrow.t t_Option_Perm_PermCell_i32) -> [ &_31 <- _bor ] [ &inv <- { inv with current = { inv.current with data_own = _bor.final } } ] s20) - | s20 = take_Box_Perm_PermCell_i32_Global {_31} - (fun (_x: t_Option_Box_Perm_PermCell_i32_Global) -> [ &_30 <- _x ] s21) + | s20 = take_Perm_PermCell_i32 {_31} (fun (_x: t_Option_Perm_PermCell_i32) -> [ &_30 <- _x ] s21) | s21 = -{resolve_refmut_MessagePassingAtomicInv inv}- s22 - | s22 = new_Option_Box_Perm_PermCell_i32_Global {_30} - (fun (_x: t_Option_Box_Perm_PermCell_i32_Global) -> [ &_29 <- _x ] s23) + | s22 = new_Option_Perm_PermCell_i32 {_30} (fun (_x: t_Option_Perm_PermCell_i32) -> [ &_29 <- _x ] s23) | s23 = [ &self <- { self with current = { self.current with c2'5 = { self.current.c2'5 with current = _29 } } } ] s24 | s24 = -{resolve_refmut_closure0 self}- s25 
@@ -785,9 +768,9 @@ module M_message_passing | & _24: MutBorrow.t t_Resource_Option_Excl_unit = Any.any_l () | & _25: () = Any.any_l () | & _28: MutBorrow.t t_Perm_AtomicBool = Any.any_l () - | & _29: t_Option_Box_Perm_PermCell_i32_Global = Any.any_l () - | & _30: t_Option_Box_Perm_PermCell_i32_Global = Any.any_l () - | & _31: MutBorrow.t t_Option_Box_Perm_PermCell_i32_Global = Any.any_l () ] + | & _29: t_Option_Perm_PermCell_i32 = Any.any_l () + | & _30: t_Option_Perm_PermCell_i32 = Any.any_l () + | & _31: MutBorrow.t t_Option_Perm_PermCell_i32 = Any.any_l () ] [ return (result: ()) -> {[@stop_split] [@expl:closure hist_inv post] hist_inv_closure0 self.current self.final} return {result} ] @@ -882,7 +865,7 @@ module M_message_passing meta "rewrite_def" predicate resolve_refmut_Ghost_Tokens predicate resolve_closure4 [@inline:trivial] (_1: closure4) = - resolve_refmut_Ghost_Option_Box_Perm_PermCell_i32_Global _1.c3'4 + resolve_refmut_Ghost_Option_Perm_PermCell_i32 _1.c3'4 /\ resolve_refmut_Ghost_Resource_Option_Excl_unit _1.c2'4 /\ resolve_refmut_Ghost_Tokens _1.c1'4 meta "rewrite_def" predicate resolve_closure4 @@ -913,8 +896,8 @@ module M_message_passing [ &_13 <- _bor ] [ &self <- { self with current = { self.current with c2'4 = { self.current.c2'4 with current = _bor.final } } } ] s6) - | s6 = MutBorrow.borrow_mut {self.current.c3'4.current} - (fun (_bor: MutBorrow.t t_Option_Box_Perm_PermCell_i32_Global) -> + | s6 = MutBorrow.borrow_mut {self.current.c3'4.current} + (fun (_bor: MutBorrow.t t_Option_Perm_PermCell_i32) -> [ &_14 <- _bor ] [ &self <- { self with current = { self.current with c3'4 = { self.current.c3'4 with current = _bor.final } } } ] s7) 
@@ -935,7 +918,7 @@ module M_message_passing | & _10: t_FnGhostWrapper_closure0'1 = Any.any_l () | & _11: closure0'3 = Any.any_l () | & _13: MutBorrow.t t_Resource_Option_Excl_unit = Any.any_l () - | & _14: MutBorrow.t t_Option_Box_Perm_PermCell_i32_Global = Any.any_l () ] + | & _14: MutBorrow.t t_Option_Perm_PermCell_i32 = Any.any_l () ] [ return (result: ()) -> {[@stop_split] [@expl:closure hist_inv post] hist_inv_closure4 self.current self.final} return {result} ] 
@@ -1017,24 +1000,24 @@ module M_message_passing meta "rewrite_def" predicate inv_closure1 - let rec deref_Ghost_Option_Box_Perm_PermCell_i32_Global (self: t_Option_Box_Perm_PermCell_i32_Global) - (return (x: t_Option_Box_Perm_PermCell_i32_Global)) = any - [ return (result: t_Option_Box_Perm_PermCell_i32_Global) -> {[@stop_split] [@expl:deref ensures] result = self} + let rec deref_Ghost_Option_Perm_PermCell_i32 (self: t_Option_Perm_PermCell_i32) + (return (x: t_Option_Perm_PermCell_i32)) = any + [ return (result: t_Option_Perm_PermCell_i32) -> {[@stop_split] [@expl:deref ensures] result = self} (! return {result}) ] - type t_Option_ref_Box_Perm_PermCell_i32_Global = None'2 | Some'2 t_Perm_PermCell_i32 + type t_Option_ref_Perm_PermCell_i32 = None'2 | Some'2 t_Perm_PermCell_i32 - let rec as_ref_Box_Perm_PermCell_i32_Global (self_: t_Option_Box_Perm_PermCell_i32_Global) - (return (x: t_Option_ref_Box_Perm_PermCell_i32_Global)) = any - [ return (result: t_Option_ref_Box_Perm_PermCell_i32_Global) -> - {[@stop_split] [@expl:as_ref_Box_Perm_PermCell_i32_Global ensures] ([@stop_split] [@expl:as_ref ensures #0] self_ - = None'0 -> result = None'2) + let rec as_ref_Perm_PermCell_i32 (self_: t_Option_Perm_PermCell_i32) (return (x: t_Option_ref_Perm_PermCell_i32)) = + any + [ return (result: t_Option_ref_Perm_PermCell_i32) -> + {[@stop_split] [@expl:as_ref_Perm_PermCell_i32 ensures] ([@stop_split] [@expl:as_ref ensures #0] self_ = None'0 + -> result = None'2) /\ ([@stop_split] [@expl:as_ref ensures #1] self_ = None'0 \/ (exists r: t_Perm_PermCell_i32. result = Some'2 r /\ self_ = Some'0 r))} (! 
return {result}) ] - let rec unwrap_ref_Box_Perm_PermCell_i32_Global (self_: t_Option_ref_Box_Perm_PermCell_i32_Global) - (return (x: t_Perm_PermCell_i32)) = {[@stop_split] [@expl:unwrap requires] self_ <> None'2} + let rec unwrap_ref_Perm_PermCell_i32 (self_: t_Option_ref_Perm_PermCell_i32) (return (x: t_Perm_PermCell_i32)) = + {[@stop_split] [@expl:unwrap requires] self_ <> None'2} any [ return (result: t_Perm_PermCell_i32) -> {[@stop_split] [@expl:unwrap ensures] Some'2 result = self_} (! return {result}) ] @@ -1054,8 +1037,7 @@ module M_message_passing [ bb0 = s0 [ s0 = [ &excl_snap <- self.c0'3 ] s1 | s1 = [ &_7 <- None'0 ] s2 - | s2 = new_Option_Box_Perm_PermCell_i32_Global {_7} - (fun (_x: t_Option_Box_Perm_PermCell_i32_Global) -> [ &data_own'0 <- _x ] s3) + | s2 = new_Option_Perm_PermCell_i32 {_7} (fun (_x: t_Option_Perm_PermCell_i32) -> [ &data_own'0 <- _x ] s3) | s3 = [ &_old <- self.c1'3 ] s4 | s4 = [ &_old'0 <- self.c2'3 ] s5 | s5 = [ &_old'1 <- self.c3'3 ] s6 @@ -1075,9 +1057,8 @@ module M_message_passing | s3 = MutBorrow.borrow_mut {self.c0'3} (fun (_bor: MutBorrow.t t_Resource_Option_Excl_unit) -> [ &_23 <- _bor ] [ &self <- { self with c0'3 = _bor.final } ] s4) - | s4 = MutBorrow.borrow_mut {data_own'0} - (fun (_bor: MutBorrow.t t_Option_Box_Perm_PermCell_i32_Global) -> - [ &_24 <- _bor ] [ &data_own'0 <- _bor.final ] s5) + | s4 = MutBorrow.borrow_mut {data_own'0} + (fun (_bor: MutBorrow.t t_Option_Perm_PermCell_i32) -> [ &_24 <- _bor ] [ &data_own'0 <- _bor.final ] s5) | s5 = [ &_20 <- { c0'4 = _21; c1'4 = _22; c2'4 = _23; c3'4 = _24 } ] s6 | s6 = __new_closure4 {_20} (fun (_x: t_FnGhostWrapper_closure4) -> [ &_19 <- _x ] s7) | s7 = new_FnGhostWrapper_closure4 {_19} (fun (_x: t_FnGhostWrapper_closure4) -> [ &_18 <- _x ] s8) 
@@ -1085,11 +1066,10 @@ module M_message_passing | s9 = any [ br0 -> {_16 = false} (! bb3) | br1 -> {_16} (! bb8) ] ] ] | bb8 = s0 [ s0 = s1 [ _ck -> (! {[@expl:type invariant] inv_closure1 self} any) ] - | s1 = deref_Ghost_Option_Box_Perm_PermCell_i32_Global {data_own'0} - (fun (_x: t_Option_Box_Perm_PermCell_i32_Global) -> [ &_33 <- _x ] s2) - | s2 = as_ref_Box_Perm_PermCell_i32_Global {_33} - (fun (_x: t_Option_ref_Box_Perm_PermCell_i32_Global) -> [ &_31 <- _x ] s3) - | s3 = unwrap_ref_Box_Perm_PermCell_i32_Global {_31} (fun (_x: t_Perm_PermCell_i32) -> [ &_30 <- _x ] s4) + | s1 = deref_Ghost_Option_Perm_PermCell_i32 {data_own'0} + (fun (_x: t_Option_Perm_PermCell_i32) -> [ &_33 <- _x ] s2) + | s2 = as_ref_Perm_PermCell_i32 {_33} (fun (_x: t_Option_ref_Perm_PermCell_i32) -> [ &_31 <- _x ] s3) + | s3 = unwrap_ref_Perm_PermCell_i32 {_31} (fun (_x: t_Perm_PermCell_i32) -> [ &_30 <- _x ] s4) | s4 = new_ref_Perm_PermCell_i32 {_30} (fun (_x: t_Perm_PermCell_i32) -> [ &_28 <- _x ] s5) | s5 = get_i32 {self.c3'3} {_28} (fun (_x: Int32.t) -> [ &res <- _x ] s6) | s6 = {[@expl:assertion] res = (1: Int32.t)} s7 @@ -1098,8 +1078,8 @@ module M_message_passing | & self: closure1 = self | & tokens: t_Tokens = tokens | & excl_snap: t_Resource_Option_Excl_unit = Any.any_l () - | & data_own'0: t_Option_Box_Perm_PermCell_i32_Global = Any.any_l () - | & _7: t_Option_Box_Perm_PermCell_i32_Global = Any.any_l () + | & data_own'0: t_Option_Perm_PermCell_i32 = Any.any_l () + | & _7: t_Option_Perm_PermCell_i32 = Any.any_l () | & _16: bool = Any.any_l () | & _17: t_AtomicBool = Any.any_l () | & _18: t_FnGhostWrapper_closure4 = Any.any_l () 
@@ -1108,12 +1088,12 @@ module M_message_passing | & _21: t_AtomicInvariantSC_MessagePassingAtomicInv = Any.any_l () | & _22: MutBorrow.t t_Tokens = Any.any_l () | & _23: MutBorrow.t t_Resource_Option_Excl_unit = Any.any_l () - | & _24: MutBorrow.t t_Option_Box_Perm_PermCell_i32_Global = Any.any_l () + | & _24: MutBorrow.t t_Option_Perm_PermCell_i32 = Any.any_l () | & res: Int32.t = Any.any_l () | & _28: t_Perm_PermCell_i32 = Any.any_l () | & _30: t_Perm_PermCell_i32 = Any.any_l () - | & _31: t_Option_ref_Box_Perm_PermCell_i32_Global = Any.any_l () - | & _33: t_Option_Box_Perm_PermCell_i32_Global = Any.any_l () + | & _31: t_Option_ref_Perm_PermCell_i32 = Any.any_l () + | & _33: t_Option_Perm_PermCell_i32 = Any.any_l () | & _old: t_AtomicBool = Any.any_l () | & _old'0: t_AtomicInvariantSC_MessagePassingAtomicInv = Any.any_l () | & _old'1: t_PermCell_i32 = Any.any_l () ] [ return (result: ()) -> return {result} ] 
@@ -1231,14 +1211,14 @@ module M_message_passing let rec message_passing (return (x: ())) = (! bb0 [ bb0 = s0 - [ s0 = new {false} (fun (_x: tup2_AtomicBool_Ghost_Box_Perm_AtomicBool_Global) -> [ &_3 <- _x ] s1) + [ s0 = new {false} (fun (_x: tup2_AtomicBool_Ghost_Perm_AtomicBool) -> [ &_3 <- _x ] s1) | s1 = [ &atomic <- _3.f0 ] s2 | s2 = [ &atomic_own'0 <- _3.f1 ] s3 - | s3 = new_i32 {(0: Int32.t)} (fun (_x: tup2_PermCell_i32_Ghost_Box_Perm_PermCell_i32_Global) -> [ &_6 <- _x ] s4) + | s3 = new_i32 {(0: Int32.t)} (fun (_x: tup2_PermCell_i32_Ghost_Perm_PermCell_i32) -> [ &_6 <- _x ] s4) | s4 = [ &data'0 <- _6.f0'0 ] s5 | s5 = [ &data_own'0 <- _6.f1'0 ] s6 | s6 = alloc_Option_Excl_unit {Some { f0'1 = () }} (fun (_x: t_Resource_Option_Excl_unit) -> [ &excl <- _x ] s7) - | s7 = into_inner_Box_Perm_AtomicBool_Global {atomic_own'0} (fun (_x: t_Perm_AtomicBool) -> [ &_13 <- _x ] s8) + | s7 = into_inner_Perm_AtomicBool {atomic_own'0} (fun (_x: t_Perm_AtomicBool) -> [ &_13 <- _x ] s8) | s8 = [ &_15 <- None'0 ] s9 | s9 = deref_Ghost_Resource_Option_Excl_unit {excl} (fun (_x: t_Resource_Option_Excl_unit) -> [ &_22 <- _x ] s10) | s10 = id_ghost_Option_Excl_unit {_22} (fun (_x: t_Id) -> [ &_20 <- _x ] s11) 
@@ -1255,16 +1235,16 @@ module M_message_passing [ & _ret: () = Any.any_l () | & atomic: t_AtomicBool = Any.any_l () | & atomic_own'0: t_Perm_AtomicBool = Any.any_l () - | & _3: tup2_AtomicBool_Ghost_Box_Perm_AtomicBool_Global = Any.any_l () + | & _3: tup2_AtomicBool_Ghost_Perm_AtomicBool = Any.any_l () | & data'0: t_PermCell_i32 = Any.any_l () | & data_own'0: t_Perm_PermCell_i32 = Any.any_l () - | & _6: tup2_PermCell_i32_Ghost_Box_Perm_PermCell_i32_Global = Any.any_l () + | & _6: tup2_PermCell_i32_Ghost_Perm_PermCell_i32 = Any.any_l () | & excl: t_Resource_Option_Excl_unit = Any.any_l () | & inv: t_AtomicInvariantSC_MessagePassingAtomicInv = Any.any_l () | & _11: t_MessagePassingAtomicInv = Any.any_l () | & _12: t_MessagePassingAtomicInv = Any.any_l () | & _13: t_Perm_AtomicBool = Any.any_l () - | & _15: t_Option_Box_Perm_PermCell_i32_Global = Any.any_l () + | & _15: t_Option_Perm_PermCell_i32 = Any.any_l () | & _19: t_Resource_Option_Excl_unit = Any.any_l () | & _20: t_Id = Any.any_l () | & _22: t_Resource_Option_Excl_unit = Any.any_l () diff --git a/examples/message_passing/sc_options.rs b/examples/message_passing/sc_options.rs index d930a2a68a..8d98255ad1 100644 --- a/examples/message_passing/sc_options.rs +++ b/examples/message_passing/sc_options.rs @@ -18,8 +18,8 @@ use creusot_std::{ declare_namespace! { MESSAGE_PASSING } struct MessagePassingAtomicInv { - atomic_own: Box>, - data_own: Option>>>, + atomic_own: Perm, + data_own: Option>>, data: Snapshot>, tok: Resource>>, } @@ -65,7 +65,7 @@ pub fn message_passing() { let atomic = &atomic; let t1 = s.spawn(move |tokens: Ghost| { - unsafe { *data.borrow_mut(ghost!(&mut **data_own)) = 1 } + unsafe { *data.borrow_mut(ghost!(&mut *data_own)) = 1 } atomic.store( true, diff --git a/examples/message_passing/sc_options/proof.json b/examples/message_passing/sc_options/proof.json index a8a1dd293a..49b87f69a5 100644 --- a/examples/message_passing/sc_options/proof.json +++ b/examples/message_passing/sc_options/proof.json 
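Review bot: The rewritten `unsafe { *data.borrow_mut(ghost!(&mut *data_own)) = 1 }` in the `@@ -65,7 +65,7 @@` hunk of sc_options.rs still has no `// SAFETY:` comment, so a reader must reconstruct why the write to `data` cannot race with the reader thread. Presumably the soundness rests on the ghost permission `data_own` being handed to `borrow_mut` and on the proof obligations Creusot discharges, not on any runtime check; that is worth stating on the line above: `// SAFETY: exclusive access to data is justified by the ghost permission data_own passed to borrow_mut; the permission obligations are discharged by Creusot.`. The spawned closure and `message_passing` both continue outside the hunk, so I cannot confirm from here whether a comment already exists nearby.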
@@ -5,27 +5,24 @@ "vc___new_closure0": { "prover": "alt-ergo", "time": 0.03 }, "vc___new_closure0'0": { "prover": "alt-ergo", "time": 0.031 }, "vc___new_closure0'1": { "prover": "alt-ergo", "time": 0.024 }, - "vc___new_closure4": { "prover": "alt-ergo", "time": 0.025 }, - "vc_alloc_Option_Excl_unit": { "prover": "alt-ergo", "time": 0.033 }, - "vc_as_ref_Box_Perm_PermCell_i32_Global": { - "prover": "alt-ergo", - "time": 0.03 - }, + "vc___new_closure4": { "prover": "alt-ergo", "time": 0.054 }, + "vc_alloc_Option_Excl_unit": { "prover": "alt-ergo", "time": 0.069 }, + "vc_as_ref_Perm_PermCell_i32": { "prover": "alt-ergo", "time": 0.062 }, "vc_borrow_AtomicInvariantSC_MessagePassingAtomicInv": { "prover": "alt-ergo", - "time": 0.019 + "time": 0.039 }, "vc_borrow_mut_i32": { "prover": "alt-ergo", "time": 0.026 }, - "vc_closure0": { "prover": "alt-ergo", "time": 0.01 }, + "vc_closure0": { "prover": "alt-ergo", "time": 0.056 }, "vc_closure0'0": { "prover": "alt-ergo", "time": 0.025 }, "vc_closure0'1": { "prover": "alt-ergo", "time": 0.023 }, - "vc_closure0'2": { "prover": "alt-ergo", "time": 0.016 }, + "vc_closure0'2": { "prover": "alt-ergo", "time": 0.052 }, "vc_closure0'3": { "prover": "alt-ergo", "time": 0.025 }, - "vc_closure1": { "prover": "alt-ergo", "time": 0.03 }, + "vc_closure1": { "prover": "alt-ergo", "time": 0.062 }, "vc_closure4": { "prover": "alt-ergo", "time": 0.025 }, - "vc_deref_Ghost_Option_Box_Perm_PermCell_i32_Global": { + "vc_deref_Ghost_Option_Perm_PermCell_i32": { "prover": "alt-ergo", - "time": 0.03 + "time": 0.045 }, "vc_deref_Ghost_Resource_Option_Excl_unit": { "prover": "alt-ergo", 
@@ -36,30 +33,30 @@ "prover": "alt-ergo", "time": 0.034 }, - "vc_deref_mut_Ghost_Box_Perm_PermCell_i32_Global": { + "vc_deref_mut_Ghost_Perm_PermCell_i32": { "prover": "alt-ergo", - "time": 0.022 + "time": 0.073 }, "vc_deref_mut_Ghost_Resource_Option_Excl_unit": { "prover": "alt-ergo", "time": 0.021 }, - "vc_deref_mut_Ghost_Tokens": { "prover": "alt-ergo", "time": 0.02 }, - "vc_get_i32": { "prover": "alt-ergo", "time": 0.03 }, - "vc_id_ghost_Option_Excl_unit": { "prover": "alt-ergo", "time": 0.014 }, + "vc_deref_mut_Ghost_Tokens": { "prover": "alt-ergo", "time": 0.053 }, + "vc_get_i32": { "prover": "alt-ergo", "time": 0.062 }, + "vc_id_ghost_Option_Excl_unit": { "prover": "alt-ergo", "time": 0.034 }, "vc_into_ghost_bool": { "prover": "alt-ergo", "time": 0.021 }, - "vc_into_inner_Box_Perm_AtomicBool_Global": { + "vc_into_inner_Perm_AtomicBool": { "prover": "alt-ergo", - "time": 0.033 + "time": 0.069 }, - "vc_into_inner_Box_Perm_PermCell_i32_Global": { + "vc_into_inner_Perm_PermCell_i32": { "prover": "alt-ergo", - "time": 0.019 + "time": 0.062 }, "vc_into_inner_Tokens": { "prover": "alt-ergo", "time": 0.034 }, "vc_join_unwrap_ScopedJoinHandle_unit": { "prover": "alt-ergo", - "time": 0.024 + "time": 0.051 }, "vc_load_FnGhostWrapper_closure4": { "prover": "alt-ergo", 
@@ -76,22 +73,22 @@ }, "vc_new_FnGhostWrapper_closure4": { "prover": "alt-ergo", - "time": 0.025 + "time": 0.054 }, "vc_new_MessagePassingAtomicInv": { "prover": "alt-ergo", - "time": 0.019 + "time": 0.06 }, "vc_new_MessagePassingAtomicInv'0": { "prover": "alt-ergo", - "time": 0.014 + "time": 0.042 }, - "vc_new_Option_Box_Perm_PermCell_i32_Global": { + "vc_new_Option_Perm_PermCell_i32": { "prover": "alt-ergo", - "time": 0.02 + "time": 0.048 }, - "vc_new_i32": { "prover": "alt-ergo", "time": 0.019 }, - "vc_new_ref_Perm_PermCell_i32": { "prover": "alt-ergo", "time": 0.03 }, + "vc_new_i32": { "prover": "alt-ergo", "time": 0.047 }, + "vc_new_ref_Perm_PermCell_i32": { "prover": "alt-ergo", "time": 0.062 }, "vc_new_refmut_Perm_PermCell_i32": { "prover": "alt-ergo", "time": 0.024 
@@ -103,29 +100,26 @@ }, "vc_open_MessagePassingAtomicInv'0": { "prover": "alt-ergo", - "time": 0.017 + "time": 0.047 }, - "vc_reborrow": { "prover": "alt-ergo", "time": 0.02 }, + "vc_reborrow": { "prover": "alt-ergo", "time": 0.053 }, "vc_scope_closure0": { "prover": "alt-ergo", "time": 0.028 }, - "vc_shoot_load_AtomicBool": { "prover": "alt-ergo", "time": 0.017 }, - "vc_shoot_store_AtomicBool": { "prover": "alt-ergo", "time": 0.021 }, - "vc_spawn_closure0": { "prover": "alt-ergo", "time": 0.018 }, + "vc_shoot_load_AtomicBool": { "prover": "alt-ergo", "time": 0.034 }, + "vc_shoot_store_AtomicBool": { "prover": "alt-ergo", "time": 0.055 }, + "vc_spawn_closure0": { "prover": "alt-ergo", "time": 0.044 }, "vc_spawn_closure1": { "prover": "alt-ergo", "time": 0.03 }, "vc_store_FnGhostWrapper_closure0": { "prover": "alt-ergo", - "time": 0.021 + "time": 0.043 }, "vc_swap_Resource_Option_Excl_unit": { "prover": "alt-ergo", - "time": 0.017 - }, - "vc_take_Box_Perm_PermCell_i32_Global": { - "prover": "alt-ergo", - "time": 0.021 + "time": 0.058 }, - "vc_unwrap_ref_Box_Perm_PermCell_i32_Global": { + "vc_take_Perm_PermCell_i32": { "prover": "alt-ergo", "time": 0.034 }, + "vc_unwrap_ref_Perm_PermCell_i32": { "prover": "alt-ergo", - "time": 0.03 + "time": 0.062 }, "vc_valid_op_lemma_Option_Excl_unit": { "prover": "alt-ergo", diff --git a/examples/parallel_add/rlx.coma b/examples/parallel_add/rlx.coma index 87cb71217c..fa810433c9 100644 --- a/examples/parallel_add/rlx.coma +++ b/examples/parallel_add/rlx.coma 
@@ -24,14 +24,14 @@ module M_parallel_add type t_Perm_AtomicI32 - type tup2_AtomicI32_Ghost_Box_Perm_AtomicI32_Global = { f0: t_AtomicI32; f1: t_Perm_AtomicI32 } + type tup2_AtomicI32_Ghost_Perm_AtomicI32 = { f0: t_AtomicI32; f1: t_Perm_AtomicI32 } predicate inv_AtomicI32 (_1: t_AtomicI32) - predicate inv_tup2_AtomicI32_Ghost_Box_Perm_AtomicI32_Global [@inline:trivial] (_1: tup2_AtomicI32_Ghost_Box_Perm_AtomicI32_Global) = + predicate inv_tup2_AtomicI32_Ghost_Perm_AtomicI32 [@inline:trivial] (_1: tup2_AtomicI32_Ghost_Perm_AtomicI32) = inv_AtomicI32 _1.f0 - meta "rewrite_def" predicate inv_tup2_AtomicI32_Ghost_Box_Perm_AtomicI32_Global + meta "rewrite_def" predicate inv_tup2_AtomicI32_Ghost_Perm_AtomicI32 type t_FMap_Int_tup2_i32_SyncView @@ -143,10 +143,10 @@ module M_parallel_add function ward_AtomicI32 (self: t_Perm_AtomicI32) : t_AtomicI32 - let rec new'0 (val': Int32.t) (sync_view: MutBorrow.t t_SyncView) - (return (x: tup2_AtomicI32_Ghost_Box_Perm_AtomicI32_Global)) = any - [ return (result: tup2_AtomicI32_Ghost_Box_Perm_AtomicI32_Global) -> - {[@stop_split] [@expl:new ensures] ([@stop_split] [@expl:new result type invariant] inv_tup2_AtomicI32_Ghost_Box_Perm_AtomicI32_Global result) + let rec new'0 (val': Int32.t) (sync_view: MutBorrow.t t_SyncView) (return (x: tup2_AtomicI32_Ghost_Perm_AtomicI32)) = + any + [ return (result: tup2_AtomicI32_Ghost_Perm_AtomicI32) -> + {[@stop_split] [@expl:new ensures] ([@stop_split] [@expl:new result type invariant] inv_tup2_AtomicI32_Ghost_Perm_AtomicI32 result) /\ ([@stop_split] [@expl:new ensures #0] val_AtomicI32 result.f1 = singleton_Int (get_timestamp_AtomicI32 result.f0 (fin_Ghost_refmut_SyncView sync_view)) { f0'0 = val'; f1'0 = sync_view.current }) 
@@ -484,7 +484,7 @@ module M_parallel_add axiom such_that_Int_spec: forall p: Map.map int bool [such_that_Int p]. (exists x: int. index_Mapping_Int_bool p x) -> index_Mapping_Int_bool p (such_that_Int p) - let rec into_inner_Box_Perm_AtomicI32_Global (self: t_Perm_AtomicI32) (return (x: t_Perm_AtomicI32)) = any + let rec into_inner_Perm_AtomicI32 (self: t_Perm_AtomicI32) (return (x: t_Perm_AtomicI32)) = any [ return (result: t_Perm_AtomicI32) -> {[@stop_split] [@expl:into_inner ensures] result = self} (! return {result}) ] @@ -697,10 +697,9 @@ module M_parallel_add + 1) { f0'0 = val_store_AtomicI32 self.current; f1'0 = view_ReleaseSyncView rel_view })} (! return {result}) ] - predicate resolve_refmut_Box_Perm_AtomicI32_Global [@inline:trivial] (_1: MutBorrow.t t_Perm_AtomicI32) = - _1.final = _1.current + predicate resolve_refmut_Perm_AtomicI32 [@inline:trivial] (_1: MutBorrow.t t_Perm_AtomicI32) = _1.final = _1.current - meta "rewrite_def" predicate resolve_refmut_Box_Perm_AtomicI32_Global + meta "rewrite_def" predicate resolve_refmut_Perm_AtomicI32 predicate resolve_refmut_closure0 [@inline:trivial] (_1: MutBorrow.t closure0'2) = _1.final = _1.current @@ -813,7 +812,7 @@ module M_parallel_add | s25 = shoot_store_AtomicI32 {_20} {_21} {_23} {_29} (fun (_x: ()) -> [ &_19 <- _x ] s26) | s26 = -{resolve_refmut_SyncView _25}- s27 | s27 = -{resolve_refmut_SyncView _24}- s28 - | s28 = -{resolve_refmut_Box_Perm_AtomicI32_Global _22}- s29 + | s28 = -{resolve_refmut_Perm_AtomicI32 _22}- s29 | s29 = -{resolve_refmut_closure0 self}- s30 | s30 = new'2 {(1: Int128.t)} (fun (_x: int) -> [ &_35 <- _x ] s31) | s31 = into_inner_Int {_35} (fun (_x: int) -> [ &_34 <- _x ] s32) 
@@ -1218,7 +1217,7 @@ module M_parallel_add | s25 = shoot_store_AtomicI32 {_20} {_21} {_23} {_29} (fun (_x: ()) -> [ &_19 <- _x ] s26) | s26 = -{resolve_refmut_SyncView _25}- s27 | s27 = -{resolve_refmut_SyncView _24}- s28 - | s28 = -{resolve_refmut_Box_Perm_AtomicI32_Global _22}- s29 + | s28 = -{resolve_refmut_Perm_AtomicI32 _22}- s29 | s29 = -{resolve_refmut_closure0'0 self}- s30 | s30 = new'2 {(1: Int128.t)} (fun (_x: int) -> [ &_35 <- _x ] s31) | s31 = into_inner_Int {_35} (fun (_x: int) -> [ &_34 <- _x ] s32) @@ -1621,7 +1620,7 @@ module M_parallel_add predicate resolve_Authority_Option_Excl_bool (_1: t_Authority_Option_Excl_bool) - let rec new_Box_Perm_AtomicI32_Global (x: t_Perm_AtomicI32) (return (x'0: t_Perm_AtomicI32)) = any + let rec new_Perm_AtomicI32 (x: t_Perm_AtomicI32) (return (x'0: t_Perm_AtomicI32)) = any [ return (result: t_Perm_AtomicI32) -> {[@stop_split] [@expl:new ensures] result = x} (! return {result}) ] let rec new_refmut_SyncView (x: MutBorrow.t t_SyncView) (return (x'0: MutBorrow.t t_SyncView)) = any @@ -1657,7 +1656,7 @@ module M_parallel_add | s1 = MutBorrow.borrow_mut {_6} (fun (_bor: MutBorrow.t t_SyncView) -> [ &_5 <- _bor ] [ &_6 <- _bor.final ] s2) | s2 = borrow_mut_SyncView {_5} (fun (_x: MutBorrow.t t_SyncView) -> [ &_4 <- _x ] s3) - | s3 = new'0 {(0: Int32.t)} {_4} (fun (_x: tup2_AtomicI32_Ghost_Box_Perm_AtomicI32_Global) -> [ &_3 <- _x ] s4) + | s3 = new'0 {(0: Int32.t)} {_4} (fun (_x: tup2_AtomicI32_Ghost_Perm_AtomicI32) -> [ &_3 <- _x ] s4) | s4 = [ &atomic <- _3.f0 ] s5 | s5 = [ &own'0 <- _3.f1 ] s6 | s6 = alloc_Option_Excl_bool (fun (_x: t_Authority_Option_Excl_bool) -> [ &auth1'0 <- _x ] s7) 
@@ -1730,7 +1729,7 @@ module M_parallel_add | s39 = -{resolve_refmut_Authority_Option_Excl_bool _35}- s40 | s40 = new_unit {_22} (fun (_x: ()) -> [ &_21 <- _x ] s41) | s41 = [ ×tamp <- such_that_Int (fun (t: int) -> contains_Int (val_AtomicI32 own'0) t) ] s42 - | s42 = into_inner_Box_Perm_AtomicI32_Global {own'0} (fun (_x: t_Perm_AtomicI32) -> [ &_49 <- _x ] s43) + | s42 = into_inner_Perm_AtomicI32 {own'0} (fun (_x: t_Perm_AtomicI32) -> [ &_49 <- _x ] s43) | s43 = into_inner_Authority_Option_Excl_bool {auth1'0} (fun (_x: t_Authority_Option_Excl_bool) -> [ &_51 <- _x ] s44) | s44 = into_inner_Authority_Option_Excl_bool {auth2'0} @@ -1760,7 +1759,7 @@ module M_parallel_add | s63 = [ &_84 <- frag2 ] s64 | s64 = deref_Ghost_Fragment_Option_Excl_bool {_84} (fun (_x: t_Fragment_Option_Excl_bool) -> [ &_82 <- _x ] s65) | s65 = frag_lemma_Option_Excl_bool {inv'0.auth2} {_82} (fun (_x: ()) -> [ &_79 <- _x ] s66) - | s66 = new_Box_Perm_AtomicI32_Global {inv'0.own} (fun (_x: t_Perm_AtomicI32) -> [ &own'1 <- _x ] s67) + | s66 = new_Perm_AtomicI32 {inv'0.own} (fun (_x: t_Perm_AtomicI32) -> [ &own'1 <- _x ] s67) | s67 = new (fun (_x: t_SyncView) -> [ &view <- _x ] s68) | s68 = MutBorrow.borrow_mut {view} (fun (_bor: MutBorrow.t t_SyncView) -> [ &_96 <- _bor ] [ &view <- _bor.final ] s69) @@ -1785,7 +1784,7 @@ module M_parallel_add [ & _ret: () = Any.any_l () | & atomic: t_AtomicI32 = Any.any_l () | & own'0: t_Perm_AtomicI32 = Any.any_l () - | & _3: tup2_AtomicI32_Ghost_Box_Perm_AtomicI32_Global = Any.any_l () + | & _3: tup2_AtomicI32_Ghost_Perm_AtomicI32 = Any.any_l () | & _4: MutBorrow.t t_SyncView = Any.any_l () | & _5: MutBorrow.t t_SyncView = Any.any_l () | & _6: t_SyncView = Any.any_l () diff --git a/examples/parallel_add/rlx.rs b/examples/parallel_add/rlx.rs index 0bbcbd496d..8df2db223d 100644 --- a/examples/parallel_add/rlx.rs +++ b/examples/parallel_add/rlx.rs 
@@ -23,7 +23,7 @@ use creusot_std::{ declare_namespace! { PARALLEL_ADD } struct ParallelAddAtomicInv { - own: Box>, + own: Perm, auth1: Authority>>, auth2: Authority>>, t_last: Timestamp, diff --git a/examples/parallel_add/rlx/proof.json b/examples/parallel_add/rlx/proof.json index 446ae755c0..fea6a498a5 100644 --- a/examples/parallel_add/rlx/proof.json +++ b/examples/parallel_add/rlx/proof.json @@ -77,15 +77,12 @@ "prover": "alt-ergo", "time": 0.053 }, - "vc_into_inner_Box_Perm_AtomicI32_Global": { - "prover": "alt-ergo", - "time": 0.022 - }, "vc_into_inner_Int": { "prover": "alt-ergo", "time": 0.029 }, "vc_into_inner_ParallelAddAtomicInv": { "prover": "alt-ergo", "time": 0.034 }, + "vc_into_inner_Perm_AtomicI32": { "prover": "alt-ergo", "time": 0.031 }, "vc_into_inner_Tokens": { "prover": "alt-ergo", "time": 0.023 }, "vc_join_unwrap_ScopedJoinHandle_unit": { "prover": "alt-ergo", @@ -95,10 +92,6 @@ "vc_new'0": { "prover": "alt-ergo", "time": 0.032 }, "vc_new'1": { "prover": "alt-ergo", "time": 0.037 }, "vc_new'2": { "prover": "alt-ergo", "time": 0.025 }, - "vc_new_Box_Perm_AtomicI32_Global": { - "prover": "alt-ergo", - "time": 0.037 - }, "vc_new_FnGhostWrapper_closure0": { "prover": "alt-ergo", "time": 0.041 @@ -116,6 +109,7 @@ "prover": "alt-ergo", "time": 0.029 }, + "vc_new_Perm_AtomicI32": { "prover": "alt-ergo", "time": 0.041 }, "vc_new_refmut_SyncView": { "prover": "alt-ergo", "time": 0.035 }, "vc_new_unit": { "prover": "alt-ergo", "time": 0.049 }, "vc_new_unit_Option_Excl_bool": { "prover": "alt-ergo", "time": 0.047 }, @@ -163,7 +157,7 @@ "tactic": "split_vc", "children": [ { "prover": "alt-ergo", "time": 0.07 }, - { "prover": "z3", "time": 5.7 } + { "prover": "z3", "time": 0.862 } ] }, { "prover": "alt-ergo", "time": 0.096 } @@ -184,7 +178,7 @@ "tactic": "split_vc", "children": [ { "prover": "alt-ergo", "time": 0.051 }, - { "prover": "z3", "time": 7.3 } + { "prover": "z3", "time": 3.1 } ] }, { "prover": "alt-ergo", "time": 0.081 } 
diff --git a/examples/parallel_add/rlx_generic.coma b/examples/parallel_add/rlx_generic.coma index c1801c6f54..0f0cf3b431 100644 --- a/examples/parallel_add/rlx_generic.coma +++ b/examples/parallel_add/rlx_generic.coma @@ -214,14 +214,14 @@ module M_parallel_add type t_Perm_AtomicI32 - type tup2_AtomicI32_Ghost_Box_Perm_AtomicI32_Global = { f0: t_AtomicI32; f1: t_Perm_AtomicI32 } + type tup2_AtomicI32_Ghost_Perm_AtomicI32 = { f0: t_AtomicI32; f1: t_Perm_AtomicI32 } predicate inv_AtomicI32 (_1: t_AtomicI32) - predicate inv_tup2_AtomicI32_Ghost_Box_Perm_AtomicI32_Global [@inline:trivial] (_1: tup2_AtomicI32_Ghost_Box_Perm_AtomicI32_Global) = + predicate inv_tup2_AtomicI32_Ghost_Perm_AtomicI32 [@inline:trivial] (_1: tup2_AtomicI32_Ghost_Perm_AtomicI32) = inv_AtomicI32 _1.f0 - meta "rewrite_def" predicate inv_tup2_AtomicI32_Ghost_Box_Perm_AtomicI32_Global + meta "rewrite_def" predicate inv_tup2_AtomicI32_Ghost_Perm_AtomicI32 type t_FMap_Int_tup2_i32_SyncView @@ -333,10 +333,10 @@ module M_parallel_add function ward_AtomicI32 (self: t_Perm_AtomicI32) : t_AtomicI32 - let rec new'0 (val': Int32.t) (sync_view: MutBorrow.t t_SyncView) - (return (x: tup2_AtomicI32_Ghost_Box_Perm_AtomicI32_Global)) = any - [ return (result: tup2_AtomicI32_Ghost_Box_Perm_AtomicI32_Global) -> - {[@stop_split] [@expl:new ensures] ([@stop_split] [@expl:new result type invariant] inv_tup2_AtomicI32_Ghost_Box_Perm_AtomicI32_Global result) + let rec new'0 (val': Int32.t) (sync_view: MutBorrow.t t_SyncView) (return (x: tup2_AtomicI32_Ghost_Perm_AtomicI32)) = + any + [ return (result: tup2_AtomicI32_Ghost_Perm_AtomicI32) -> + {[@stop_split] [@expl:new ensures] ([@stop_split] [@expl:new result type invariant] inv_tup2_AtomicI32_Ghost_Perm_AtomicI32 result) /\ ([@stop_split] [@expl:new ensures #0] val_AtomicI32 result.f1 = singleton_Int (get_timestamp_AtomicI32 result.f0 (fin_Ghost_refmut_SyncView sync_view)) { f0'0 = val'; f1'0 = sync_view.current }) 
@@ -829,7 +829,7 @@ module M_parallel_add axiom such_that_Int_spec: forall p: Map.map int bool [such_that_Int p]. (exists x: int. index_Mapping_Int_bool p x) -> index_Mapping_Int_bool p (such_that_Int p) - let rec into_inner_Box_Perm_AtomicI32_Global (self: t_Perm_AtomicI32) (return (x: t_Perm_AtomicI32)) = any + let rec into_inner_Perm_AtomicI32 (self: t_Perm_AtomicI32) (return (x: t_Perm_AtomicI32)) = any [ return (result: t_Perm_AtomicI32) -> {[@stop_split] [@expl:into_inner ensures] result = self} (! return {result}) ] @@ -1321,10 +1321,9 @@ module M_parallel_add + 1) { f0'0 = val_store_AtomicI32 self.current; f1'0 = view_ReleaseSyncView rel_view })} (! return {result}) ] - predicate resolve_refmut_Box_Perm_AtomicI32_Global [@inline:trivial] (_1: MutBorrow.t t_Perm_AtomicI32) = - _1.final = _1.current + predicate resolve_refmut_Perm_AtomicI32 [@inline:trivial] (_1: MutBorrow.t t_Perm_AtomicI32) = _1.final = _1.current - meta "rewrite_def" predicate resolve_refmut_Box_Perm_AtomicI32_Global + meta "rewrite_def" predicate resolve_refmut_Perm_AtomicI32 predicate resolve_refmut_closure0 [@inline:trivial] (_1: MutBorrow.t closure0'2) = _1.final = _1.current @@ -1433,7 +1432,7 @@ module M_parallel_add | s31 = shoot_store_AtomicI32 {_24} {_25} {_27} {_33} (fun (_x: ()) -> [ &_23 <- _x ] s32) | s32 = -{resolve_refmut_SyncView _29}- s33 | s33 = -{resolve_refmut_SyncView _28}- s34 - | s34 = -{resolve_refmut_Box_Perm_AtomicI32_Global _26}- s35 + | s34 = -{resolve_refmut_Perm_AtomicI32 _26}- s35 | s35 = -{resolve_refmut_closure0 self}- s36 | s36 = new'2 {(1: Int128.t)} (fun (_x: int) -> [ &_39 <- _x ] s37) | s37 = into_inner_Int {_39} (fun (_x: int) -> [ &_38 <- _x ] s38) 
@@ -2163,7 +2162,7 @@ module M_parallel_add | s1 = MutBorrow.borrow_mut {_9} (fun (_bor: MutBorrow.t t_SyncView) -> [ &_8 <- _bor ] [ &_9 <- _bor.final ] s2) | s2 = borrow_mut_SyncView {_8} (fun (_x: MutBorrow.t t_SyncView) -> [ &_7 <- _x ] s3) - | s3 = new'0 {(0: Int32.t)} {_7} (fun (_x: tup2_AtomicI32_Ghost_Box_Perm_AtomicI32_Global) -> [ &_6 <- _x ] s4) + | s3 = new'0 {(0: Int32.t)} {_7} (fun (_x: tup2_AtomicI32_Ghost_Perm_AtomicI32) -> [ &_6 <- _x ] s4) | s4 = [ &atomic <- _6.f0 ] s5 | s5 = [ &own'0 <- _6.f1 ] s6 | s6 = [ &_10 <- { f0'1 = (); f1'1 = () } ] s7 @@ -2208,7 +2207,7 @@ module M_parallel_add | s23 = -{resolve_refmut_Authority_Option_tup2_PositiveReal_Int _23}- s24 | s24 = new_unit {_20} (fun (_x: ()) -> [ &_19 <- _x ] s25) | s25 = [ ×tamp <- such_that_Int (fun (t: int) -> contains_Int (val_AtomicI32 own'0) t) ] s26 - | s26 = into_inner_Box_Perm_AtomicI32_Global {own'0} (fun (_x: t_Perm_AtomicI32) -> [ &_37 <- _x ] s27) + | s26 = into_inner_Perm_AtomicI32 {own'0} (fun (_x: t_Perm_AtomicI32) -> [ &_37 <- _x ] s27) | s27 = into_inner_Authority_Option_tup2_PositiveReal_Int {auth'0} (fun (_x: t_Authority_Option_tup2_PositiveReal_Int) -> [ &_39 <- _x ] s28) | s28 = into_ghost_Int {timestamp} (fun (_x: int) -> [ &_44 <- _x ] s29) @@ -2228,7 +2227,7 @@ module M_parallel_add | & n: Int32.t = n | & atomic: t_AtomicI32 = Any.any_l () | & own'0: t_Perm_AtomicI32 = Any.any_l () - | & _6: tup2_AtomicI32_Ghost_Box_Perm_AtomicI32_Global = Any.any_l () + | & _6: tup2_AtomicI32_Ghost_Perm_AtomicI32 = Any.any_l () | & _7: MutBorrow.t t_SyncView = Any.any_l () | & _8: MutBorrow.t t_SyncView = Any.any_l () | & _9: t_SyncView = Any.any_l () 
@@ -2656,7 +2655,7 @@ module M_final_read {[@stop_split] [@expl:frag_lemma ensures] incl_Option_tup2_PositiveReal_Int (view_Fragment_Option_tup2_PositiveReal_Int frag) (view_Authority_Option_tup2_PositiveReal_Int self)} (! return {result}) ] - let rec new_Box_Perm_AtomicI32_Global (x: t_Perm_AtomicI32) (return (x'0: t_Perm_AtomicI32)) = any + let rec new_Perm_AtomicI32 (x: t_Perm_AtomicI32) (return (x'0: t_Perm_AtomicI32)) = any [ return (result: t_Perm_AtomicI32) -> {[@stop_split] [@expl:new ensures] result = x} (! return {result}) ] let rec new'0 (return (x: t_SyncView)) = any [ return (result: t_SyncView) -> (! return {result}) ] @@ -2781,7 +2780,7 @@ module M_final_read | s5 = deref_Ghost_Fragment_Option_tup2_PositiveReal_Int {_22} (fun (_x: t_Fragment_Option_tup2_PositiveReal_Int) -> [ &_20 <- _x ] s6) | s6 = frag_lemma_Option_tup2_PositiveReal_Int {inv'0.auth} {_20} (fun (_x: ()) -> [ &_17 <- _x ] s7) - | s7 = new_Box_Perm_AtomicI32_Global {inv'0.own} (fun (_x: t_Perm_AtomicI32) -> [ &own'0 <- _x ] s8) + | s7 = new_Perm_AtomicI32 {inv'0.own} (fun (_x: t_Perm_AtomicI32) -> [ &own'0 <- _x ] s8) | s8 = new'0 (fun (_x: t_SyncView) -> [ &view <- _x ] s9) | s9 = MutBorrow.borrow_mut {view} (fun (_bor: MutBorrow.t t_SyncView) -> [ &_34 <- _bor ] [ &view <- _bor.final ] s10) diff --git a/examples/parallel_add/rlx_generic.rs b/examples/parallel_add/rlx_generic.rs index e889e0dff1..2d4bfb5892 100644 --- a/examples/parallel_add/rlx_generic.rs +++ b/examples/parallel_add/rlx_generic.rs @@ -42,7 +42,7 @@ fn fraction_add(a: Int, b: Int, n: Int) { } struct ParallelAddAtomicInv { - own: Box>, + own: Perm, auth: Authority>, t_last: Timestamp, } diff --git a/examples/parallel_add/rlx_generic/proof.json b/examples/parallel_add/rlx_generic/proof.json index 1b793b7ea1..caf2f565c6 100644 --- a/examples/parallel_add/rlx_generic/proof.json +++ b/examples/parallel_add/rlx_generic/proof.json 
@@ -22,10 +22,7 @@ "time": 0.018 }, "vc_new'0": { "prover": "alt-ergo", "time": 0.035 }, - "vc_new_Box_Perm_AtomicI32_Global": { - "prover": "alt-ergo", - "time": 0.023 - }, + "vc_new_Perm_AtomicI32": { "prover": "alt-ergo", "time": 0.038 }, "vc_new_refmut_SyncView": { "prover": "alt-ergo", "time": 0.025 } }, "M_fraction_1": { "vc_fraction_1": { "prover": "cvc5", "time": 0.034 } }, @@ -90,15 +87,12 @@ "prover": "alt-ergo", "time": 0.052 }, - "vc_into_inner_Box_Perm_AtomicI32_Global": { - "prover": "alt-ergo", - "time": 0.045 - }, "vc_into_inner_Fragment_Option_tup2_PositiveReal_Int": { "prover": "alt-ergo", "time": 0.038 }, "vc_into_inner_Int": { "prover": "alt-ergo", "time": 0.03 }, + "vc_into_inner_Perm_AtomicI32": { "prover": "alt-ergo", "time": 0.037 }, "vc_into_inner_Tokens": { "prover": "alt-ergo", "time": 0.036 }, "vc_into_iter_Range_i32": { "prover": "alt-ergo", "time": 0.057 }, "vc_into_iter_Vec_ScopedJoinHandle_Ghost_Fragment_Option_tup2_PositiveReal_Int_Global": { diff --git a/examples/parallel_add/sc.coma b/examples/parallel_add/sc.coma index 4ed21ff224..10f0afdd76 100644 --- a/examples/parallel_add/sc.coma +++ b/examples/parallel_add/sc.coma 
@@ -14,22 +14,22 @@ module M_parallel_add type t_Perm_AtomicI32 - type tup2_AtomicI32_Ghost_Box_Perm_AtomicI32_Global = { f0: t_AtomicI32; f1: t_Perm_AtomicI32 } + type tup2_AtomicI32_Ghost_Perm_AtomicI32 = { f0: t_AtomicI32; f1: t_Perm_AtomicI32 } predicate inv_AtomicI32 (_1: t_AtomicI32) - predicate inv_tup2_AtomicI32_Ghost_Box_Perm_AtomicI32_Global [@inline:trivial] (_1: tup2_AtomicI32_Ghost_Box_Perm_AtomicI32_Global) = + predicate inv_tup2_AtomicI32_Ghost_Perm_AtomicI32 [@inline:trivial] (_1: tup2_AtomicI32_Ghost_Perm_AtomicI32) = inv_AtomicI32 _1.f0 - meta "rewrite_def" predicate inv_tup2_AtomicI32_Ghost_Box_Perm_AtomicI32_Global + meta "rewrite_def" predicate inv_tup2_AtomicI32_Ghost_Perm_AtomicI32 function val_AtomicI32 (self: t_Perm_AtomicI32) : Int32.t function ward_AtomicI32 (self: t_Perm_AtomicI32) : t_AtomicI32 - let rec new (val': Int32.t) (return (x: tup2_AtomicI32_Ghost_Box_Perm_AtomicI32_Global)) = any - [ return (result: tup2_AtomicI32_Ghost_Box_Perm_AtomicI32_Global) -> - {[@stop_split] [@expl:new ensures] ([@stop_split] [@expl:new result type invariant] inv_tup2_AtomicI32_Ghost_Box_Perm_AtomicI32_Global result) + let rec new (val': Int32.t) (return (x: tup2_AtomicI32_Ghost_Perm_AtomicI32)) = any + [ return (result: tup2_AtomicI32_Ghost_Perm_AtomicI32) -> + {[@stop_split] [@expl:new ensures] ([@stop_split] [@expl:new result type invariant] inv_tup2_AtomicI32_Ghost_Perm_AtomicI32 result) /\ ([@stop_split] [@expl:new ensures #0] val_AtomicI32 result.f1 = val') /\ ([@stop_split] [@expl:new ensures #1] ward_AtomicI32 result.f1 = result.f0)} (! return {result}) ] 
@@ -356,7 +356,7 @@ module M_parallel_add let rec new_unit (x: ()) (return (x'0: ())) = any [ return (result: ()) -> {[@stop_split] [@expl:new ensures] result = x} (! return {result}) ] - let rec into_inner_Box_Perm_AtomicI32_Global (self: t_Perm_AtomicI32) (return (x: t_Perm_AtomicI32)) = any + let rec into_inner_Perm_AtomicI32 (self: t_Perm_AtomicI32) (return (x: t_Perm_AtomicI32)) = any [ return (result: t_Perm_AtomicI32) -> {[@stop_split] [@expl:into_inner ensures] result = self} (! return {result}) ] @@ -518,10 +518,9 @@ module M_parallel_add /\ ([@stop_split] [@expl:shoot_store ensures #3] val_AtomicI32 own'0.final = val_store_AtomicI32 self.current)} (! return {result}) ] - predicate resolve_refmut_Box_Perm_AtomicI32_Global [@inline:trivial] (_1: MutBorrow.t t_Perm_AtomicI32) = - _1.final = _1.current + predicate resolve_refmut_Perm_AtomicI32 [@inline:trivial] (_1: MutBorrow.t t_Perm_AtomicI32) = _1.final = _1.current - meta "rewrite_def" predicate resolve_refmut_Box_Perm_AtomicI32_Global + meta "rewrite_def" predicate resolve_refmut_Perm_AtomicI32 predicate invariant_refmut_ParallelAddAtomicInv [@inline:trivial] (self: MutBorrow.t t_ParallelAddAtomicInv) = inv_ParallelAddAtomicInv self.current /\ inv_ParallelAddAtomicInv self.final @@ -600,7 +599,7 @@ module M_parallel_add (fun (_bor: MutBorrow.t t_Perm_AtomicI32) -> [ &_16 <- _bor ] [ &_17 <- { _17 with current = _bor.final } ] s11) | s11 = shoot_store_AtomicI32 {_15} {_16} (fun (_x: ()) -> [ &_14 <- _x ] s12) - | s12 = -{resolve_refmut_Box_Perm_AtomicI32_Global _17}- s13 + | s12 = -{resolve_refmut_Perm_AtomicI32 _17}- s13 | s13 = s14 [ _ck -> (! {[@expl:type invariant] inv_refmut_ParallelAddAtomicInv inv} any) ] | s14 = -{resolve_refmut_ParallelAddAtomicInv inv}- s15 | s15 = -{resolve_refmut_closure0 self}- s16 
@@ -959,7 +958,7 @@ module M_parallel_add (fun (_bor: MutBorrow.t t_Perm_AtomicI32) -> [ &_16 <- _bor ] [ &_17 <- { _17 with current = _bor.final } ] s11) | s11 = shoot_store_AtomicI32 {_15} {_16} (fun (_x: ()) -> [ &_14 <- _x ] s12) - | s12 = -{resolve_refmut_Box_Perm_AtomicI32_Global _17}- s13 + | s12 = -{resolve_refmut_Perm_AtomicI32 _17}- s13 | s13 = s14 [ _ck -> (! {[@expl:type invariant] inv_refmut_ParallelAddAtomicInv inv} any) ] | s14 = -{resolve_refmut_ParallelAddAtomicInv inv}- s15 | s15 = -{resolve_refmut_closure0'0 self}- s16 @@ -1340,7 +1339,7 @@ module M_parallel_add predicate resolve_Authority_Option_Excl_bool (_1: t_Authority_Option_Excl_bool) - let rec new_Box_Perm_AtomicI32_Global (x: t_Perm_AtomicI32) (return (x'0: t_Perm_AtomicI32)) = any + let rec new_Perm_AtomicI32 (x: t_Perm_AtomicI32) (return (x'0: t_Perm_AtomicI32)) = any [ return (result: t_Perm_AtomicI32) -> {[@stop_split] [@expl:new ensures] result = x} (! return {result}) ] let rec into_inner (self: t_AtomicI32) (own'0: t_Perm_AtomicI32) (return (x: Int32.t)) = @@ -1356,7 +1355,7 @@ module M_parallel_add let rec parallel_add (return (x: ())) = (! bb0 [ bb0 = s0 - [ s0 = new {(0: Int32.t)} (fun (_x: tup2_AtomicI32_Ghost_Box_Perm_AtomicI32_Global) -> [ &_3 <- _x ] s1) + [ s0 = new {(0: Int32.t)} (fun (_x: tup2_AtomicI32_Ghost_Perm_AtomicI32) -> [ &_3 <- _x ] s1) | s1 = [ &atomic <- _3.f0 ] s2 | s2 = [ &own'0 <- _3.f1 ] s3 | s3 = alloc_Option_Excl_bool (fun (_x: t_Authority_Option_Excl_bool) -> [ &auth1'0 <- _x ] s4) 
@@ -1428,7 +1427,7 @@ module M_parallel_add | s35 = s36 [ _ck -> (! {[@expl:type invariant] inv_refmut_Authority_Option_Excl_bool _32} any) ] | s36 = -{resolve_refmut_Authority_Option_Excl_bool _32}- s37 | s37 = new_unit {_19} (fun (_x: ()) -> [ &_18 <- _x ] s38) - | s38 = into_inner_Box_Perm_AtomicI32_Global {own'0} (fun (_x: t_Perm_AtomicI32) -> [ &_43 <- _x ] s39) + | s38 = into_inner_Perm_AtomicI32 {own'0} (fun (_x: t_Perm_AtomicI32) -> [ &_43 <- _x ] s39) | s39 = into_inner_Authority_Option_Excl_bool {auth1'0} (fun (_x: t_Authority_Option_Excl_bool) -> [ &_45 <- _x ] s40) | s40 = into_inner_Authority_Option_Excl_bool {auth2'0} @@ -1456,14 +1455,14 @@ module M_parallel_add | s57 = [ &_73 <- frag2 ] s58 | s58 = deref_Ghost_Fragment_Option_Excl_bool {_73} (fun (_x: t_Fragment_Option_Excl_bool) -> [ &_71 <- _x ] s59) | s59 = frag_lemma_Option_Excl_bool {inv'0.auth2} {_71} (fun (_x: ()) -> [ &_68 <- _x ] s60) - | s60 = new_Box_Perm_AtomicI32_Global {inv'0.own} (fun (_x: t_Perm_AtomicI32) -> [ &own'1 <- _x ] s61) + | s60 = new_Perm_AtomicI32 {inv'0.own} (fun (_x: t_Perm_AtomicI32) -> [ &own'1 <- _x ] s61) | s61 = into_inner {atomic} {own'1} (fun (_x: Int32.t) -> [ &n <- _x ] s62) | s62 = {[@expl:assertion] n = (4: Int32.t)} s63 | s63 = return {_ret} ] ] [ & _ret: () = Any.any_l () | & atomic: t_AtomicI32 = Any.any_l () | & own'0: t_Perm_AtomicI32 = Any.any_l () - | & _3: tup2_AtomicI32_Ghost_Box_Perm_AtomicI32_Global = Any.any_l () + | & _3: tup2_AtomicI32_Ghost_Perm_AtomicI32 = Any.any_l () | & auth1'0: t_Authority_Option_Excl_bool = Any.any_l () | & auth2'0: t_Authority_Option_Excl_bool = Any.any_l () | & frag1: t_Fragment_Option_Excl_bool = Any.any_l () diff --git a/examples/parallel_add/sc.rs b/examples/parallel_add/sc.rs index 2fd1d8a08f..5054fe2b86 100644 --- a/examples/parallel_add/sc.rs +++ b/examples/parallel_add/sc.rs 
@@ -18,7 +18,7 @@ use creusot_std::{ declare_namespace! { PARALLEL_ADD } struct ParallelAddAtomicInv { - own: Box>, + own: Perm, auth1: Authority>>, auth2: Authority>>, } diff --git a/examples/parallel_add/sc/proof.json b/examples/parallel_add/sc/proof.json index fc3f268140..4c71684f2d 100644 --- a/examples/parallel_add/sc/proof.json +++ b/examples/parallel_add/sc/proof.json @@ -11,7 +11,7 @@ "vc___new_closure0'0": { "prover": "cvc5", "time": 0.017 }, "vc___new_closure0'1": { "prover": "cvc5", "time": 0.027 }, "vc___new_closure0'2": { "prover": "cvc5", "time": 0.06 }, - "vc_alloc_Option_Excl_bool": { "prover": "cvc5", "time": 0.019 }, + "vc_alloc_Option_Excl_bool": { "prover": "cvc5", "time": 0.089 }, "vc_borrow_AtomicInvariantSC_ParallelAddAtomicInv": { "prover": "alt-ergo", "time": 0.038 
@@ -70,28 +70,25 @@ "prover": "cvc5", "time": 0.032 }, - "vc_into_inner_Box_Perm_AtomicI32_Global": { - "prover": "cvc5", - "time": 0.032 - }, "vc_into_inner_ParallelAddAtomicInv": { "prover": "cvc5", "time": 0.025 }, + "vc_into_inner_Perm_AtomicI32": { "prover": "alt-ergo", "time": 0.055 }, "vc_into_inner_Tokens": { "prover": "cvc5", "time": 0.038 }, "vc_join_unwrap_ScopedJoinHandle_unit": { "prover": "cvc5", "time": 0.024 }, "vc_new": { "prover": "cvc5", "time": 0.03 }, - "vc_new_Box_Perm_AtomicI32_Global": { "prover": "cvc5", "time": 0.026 }, "vc_new_FnGhostWrapper_closure0": { "prover": "cvc5", "time": 0.02 }, "vc_new_FnGhostWrapper_closure0'0": { "prover": "cvc5", "time": 0.06 }, - "vc_new_Fragment_Option_Excl_bool": { "prover": "cvc5", "time": 0.031 }, + "vc_new_Fragment_Option_Excl_bool": { "prover": "cvc5", "time": 0.079 }, "vc_new_ParallelAddAtomicInv": { "prover": "cvc5", "time": 0.029 }, "vc_new_ParallelAddAtomicInv'0": { "prover": "cvc5", "time": 0.028 }, + "vc_new_Perm_AtomicI32": { "prover": "alt-ergo", "time": 0.046 }, "vc_new_unit": { "prover": "cvc5", "time": 0.032 }, - "vc_new_unit_Option_Excl_bool": { "prover": "cvc5", "time": 0.031 }, + "vc_new_unit_Option_Excl_bool": { "prover": "cvc5", "time": 0.079 }, "vc_open_ParallelAddAtomicInv": { "prover": "cvc5", "time": 0.022 }, "vc_open_ParallelAddAtomicInv'0": { "prover": "cvc5", "time": 0.025 }, "vc_parallel_add": { 
@@ -100,28 +97,28 @@ { "tactic": "split_vc", "children": [ - { "prover": "cvc5", "time": 0.027 }, - { "prover": "cvc5", "time": 0.025 }, - { "prover": "cvc5", "time": 0.024 }, - { "prover": "cvc5", "time": 0.022 }, + { "prover": "cvc5", "time": 0.055 }, + { "prover": "cvc5", "time": 0.05 }, + { "prover": "cvc5", "time": 0.051 }, + { "prover": "cvc5", "time": 0.049 }, { "prover": "cvc5", "time": 0.025 }, { "prover": "z3", "time": 0.035 }, { "prover": "cvc5", "time": 0.027 }, { "prover": "z3", "time": 0.041 }, { "prover": "cvc5", "time": 0.026 }, - { "prover": "cvc5", "time": 0.023 }, + { "prover": "cvc5", "time": 0.053 }, { "prover": "cvc5", "time": 0.024 }, { "prover": "cvc5", "time": 0.043 }, { "tactic": "split_vc", "children": [ - { "prover": "cvc5", "time": 0.023 }, + { "prover": "cvc5", "time": 0.049 }, { "tactic": "split_vc", "children": [ { "prover": "cvc5", "time": 0.057 }, - { "prover": "z3", "time": 0.457 }, - { "prover": "z3", "time": 0.52 }, + { "prover": "z3", "time": 0.985 }, + { "prover": "z3", "time": 1.4 }, { "prover": "cvc5", "time": 0.049 }, { "prover": "cvc5", "time": 0.047 }, { "prover": "cvc5", "time": 0.05 }, diff --git a/examples/parallel_add/sc_generic.coma b/examples/parallel_add/sc_generic.coma index b6823c2907..7b7b8b2027 100644 --- a/examples/parallel_add/sc_generic.coma +++ b/examples/parallel_add/sc_generic.coma 
@@ -205,22 +205,22 @@ module M_parallel_add type t_Perm_AtomicI32 - type tup2_AtomicI32_Ghost_Box_Perm_AtomicI32_Global = { f0: t_AtomicI32; f1: t_Perm_AtomicI32 } + type tup2_AtomicI32_Ghost_Perm_AtomicI32 = { f0: t_AtomicI32; f1: t_Perm_AtomicI32 } predicate inv_AtomicI32 (_1: t_AtomicI32) - predicate inv_tup2_AtomicI32_Ghost_Box_Perm_AtomicI32_Global [@inline:trivial] (_1: tup2_AtomicI32_Ghost_Box_Perm_AtomicI32_Global) = + predicate inv_tup2_AtomicI32_Ghost_Perm_AtomicI32 [@inline:trivial] (_1: tup2_AtomicI32_Ghost_Perm_AtomicI32) = inv_AtomicI32 _1.f0 - meta "rewrite_def" predicate inv_tup2_AtomicI32_Ghost_Box_Perm_AtomicI32_Global + meta "rewrite_def" predicate inv_tup2_AtomicI32_Ghost_Perm_AtomicI32 function val_AtomicI32 (self: t_Perm_AtomicI32) : Int32.t function ward_AtomicI32 (self: t_Perm_AtomicI32) : t_AtomicI32 - let rec new (val': Int32.t) (return (x: tup2_AtomicI32_Ghost_Box_Perm_AtomicI32_Global)) = any - [ return (result: tup2_AtomicI32_Ghost_Box_Perm_AtomicI32_Global) -> - {[@stop_split] [@expl:new ensures] ([@stop_split] [@expl:new result type invariant] inv_tup2_AtomicI32_Ghost_Box_Perm_AtomicI32_Global result) + let rec new (val': Int32.t) (return (x: tup2_AtomicI32_Ghost_Perm_AtomicI32)) = any + [ return (result: tup2_AtomicI32_Ghost_Perm_AtomicI32) -> + {[@stop_split] [@expl:new ensures] ([@stop_split] [@expl:new result type invariant] inv_tup2_AtomicI32_Ghost_Perm_AtomicI32 result) /\ ([@stop_split] [@expl:new ensures #0] val_AtomicI32 result.f1 = val') /\ ([@stop_split] [@expl:new ensures #1] ward_AtomicI32 result.f1 = result.f0)} (! return {result}) ] 
@@ -704,7 +704,7 @@ module M_parallel_add let rec new_unit (x: ()) (return (x'0: ())) = any [ return (result: ()) -> {[@stop_split] [@expl:new ensures] result = x} (! return {result}) ] - let rec into_inner_Box_Perm_AtomicI32_Global (self: t_Perm_AtomicI32) (return (x: t_Perm_AtomicI32)) = any + let rec into_inner_Perm_AtomicI32 (self: t_Perm_AtomicI32) (return (x: t_Perm_AtomicI32)) = any [ return (result: t_Perm_AtomicI32) -> {[@stop_split] [@expl:into_inner ensures] result = self} (! return {result}) ] @@ -1148,10 +1148,9 @@ module M_parallel_add /\ ([@stop_split] [@expl:shoot_store ensures #3] val_AtomicI32 own'0.final = val_store_AtomicI32 self.current)} (! return {result}) ] - predicate resolve_refmut_Box_Perm_AtomicI32_Global [@inline:trivial] (_1: MutBorrow.t t_Perm_AtomicI32) = - _1.final = _1.current + predicate resolve_refmut_Perm_AtomicI32 [@inline:trivial] (_1: MutBorrow.t t_Perm_AtomicI32) = _1.final = _1.current - meta "rewrite_def" predicate resolve_refmut_Box_Perm_AtomicI32_Global + meta "rewrite_def" predicate resolve_refmut_Perm_AtomicI32 predicate invariant_refmut_ParallelAddAtomicInv [@inline:trivial] (self: MutBorrow.t t_ParallelAddAtomicInv) = inv_ParallelAddAtomicInv self.current /\ inv_ParallelAddAtomicInv self.final @@ -1233,7 +1232,7 @@ module M_parallel_add (fun (_bor: MutBorrow.t t_Perm_AtomicI32) -> [ &_20 <- _bor ] [ &_21 <- { _21 with current = _bor.final } ] s17) | s17 = shoot_store_AtomicI32 {_19} {_20} (fun (_x: ()) -> [ &_18 <- _x ] s18) - | s18 = -{resolve_refmut_Box_Perm_AtomicI32_Global _21}- s19 + | s18 = -{resolve_refmut_Perm_AtomicI32 _21}- s19 | s19 = s20 [ _ck -> (! {[@expl:type invariant] inv_refmut_ParallelAddAtomicInv inv} any) ] | s20 = -{resolve_refmut_ParallelAddAtomicInv inv}- s21 | s21 = -{resolve_refmut_closure0 self}- s22 
@@ -1970,7 +1969,7 @@ module M_parallel_add {[@stop_split] [@expl:frag_lemma ensures] incl_Option_tup2_PositiveReal_Int (view_Fragment_Option_tup2_PositiveReal_Int frag) (view_Authority_Option_tup2_PositiveReal_Int self)} (! return {result}) ] - let rec new_Box_Perm_AtomicI32_Global (x: t_Perm_AtomicI32) (return (x'0: t_Perm_AtomicI32)) = any + let rec new_Perm_AtomicI32 (x: t_Perm_AtomicI32) (return (x'0: t_Perm_AtomicI32)) = any [ return (result: t_Perm_AtomicI32) -> {[@stop_split] [@expl:new ensures] result = x} (! return {result}) ] let rec into_inner (self: t_AtomicI32) (own'0: t_Perm_AtomicI32) (return (x: Int32.t)) = @@ -1987,7 +1986,7 @@ module M_parallel_add let rec parallel_add (n: Int32.t) (return (x: ())) = {[@stop_split] [@expl:parallel_add requires] Int32.to_int n >= 0} (! bb0 [ bb0 = s0 - [ s0 = new {(0: Int32.t)} (fun (_x: tup2_AtomicI32_Ghost_Box_Perm_AtomicI32_Global) -> [ &_6 <- _x ] s1) + [ s0 = new {(0: Int32.t)} (fun (_x: tup2_AtomicI32_Ghost_Perm_AtomicI32) -> [ &_6 <- _x ] s1) | s1 = [ &atomic <- _6.f0 ] s2 | s2 = [ &own'0 <- _6.f1 ] s3 | s3 = [ &_7 <- { f0'0 = (); f1'0 = () } ] s4 @@ -2031,7 +2030,7 @@ module M_parallel_add | s19 = s20 [ _ck -> (! {[@expl:type invariant] inv_refmut_Authority_Option_tup2_PositiveReal_Int _20} any) ] | s20 = -{resolve_refmut_Authority_Option_tup2_PositiveReal_Int _20}- s21 | s21 = new_unit {_17} (fun (_x: ()) -> [ &_16 <- _x ] s22) - | s22 = into_inner_Box_Perm_AtomicI32_Global {own'0} (fun (_x: t_Perm_AtomicI32) -> [ &_31 <- _x ] s23) + | s22 = into_inner_Perm_AtomicI32 {own'0} (fun (_x: t_Perm_AtomicI32) -> [ &_31 <- _x ] s23) | s23 = into_inner_Authority_Option_tup2_PositiveReal_Int {auth'0} (fun (_x: t_Authority_Option_tup2_PositiveReal_Int) -> [ &_33 <- _x ] s24) | s24 = [ &_30 <- { own = _31; auth = _33 } ] s25 
@@ -2056,7 +2055,7 @@ module M_parallel_add | s36 = deref_Ghost_Fragment_Option_tup2_PositiveReal_Int {_56} (fun (_x: t_Fragment_Option_tup2_PositiveReal_Int) -> [ &_54 <- _x ] s37) | s37 = frag_lemma_Option_tup2_PositiveReal_Int {inv'0.auth} {_54} (fun (_x: ()) -> [ &_51 <- _x ] s38) - | s38 = new_Box_Perm_AtomicI32_Global {inv'0.own} (fun (_x: t_Perm_AtomicI32) -> [ &own'1 <- _x ] s39) + | s38 = new_Perm_AtomicI32 {inv'0.own} (fun (_x: t_Perm_AtomicI32) -> [ &own'1 <- _x ] s39) | s39 = into_inner {atomic} {own'1} (fun (_x: Int32.t) -> [ &x <- _x ] s40) | s40 = {[@expl:assertion] n = x} s41 | s41 = return {_ret} ] ] @@ -2064,7 +2063,7 @@ module M_parallel_add | & n: Int32.t = n | & atomic: t_AtomicI32 = Any.any_l () | & own'0: t_Perm_AtomicI32 = Any.any_l () - | & _6: tup2_AtomicI32_Ghost_Box_Perm_AtomicI32_Global = Any.any_l () + | & _6: tup2_AtomicI32_Ghost_Perm_AtomicI32 = Any.any_l () | & _7: tup2_fraction_1_fraction_add = Any.any_l () | & auth'0: t_Authority_Option_tup2_PositiveReal_Int = Any.any_l () | & frag: t_Fragment_Option_tup2_PositiveReal_Int = Any.any_l () diff --git a/examples/parallel_add/sc_generic.rs b/examples/parallel_add/sc_generic.rs index 59e3cc036f..9ca83994f0 100644 --- a/examples/parallel_add/sc_generic.rs +++ b/examples/parallel_add/sc_generic.rs @@ -38,7 +38,7 @@ fn fraction_add(a: Int, b: Int, n: Int) { } struct ParallelAddAtomicInv { - own: Box>, + own: Perm, auth: Authority>, } diff --git a/examples/parallel_add/sc_generic/proof.json b/examples/parallel_add/sc_generic/proof.json index 5a73a5f60f..b642f86fd7 100644 --- a/examples/parallel_add/sc_generic/proof.json +++ b/examples/parallel_add/sc_generic/proof.json @@ -68,10 +68,6 @@ "prover": "cvc5", "time": 0.052 }, - "vc_into_inner_Box_Perm_AtomicI32_Global": { - "prover": "cvc5", - "time": 0.052 - }, "vc_into_inner_Fragment_Option_tup2_PositiveReal_Int": { "prover": "cvc5", "time": 0.035 
@@ -81,6 +77,7 @@ "prover": "cvc5", "time": 0.033 }, + "vc_into_inner_Perm_AtomicI32": { "prover": "alt-ergo", "time": 0.102 }, "vc_into_inner_Tokens": { "prover": "cvc5", "time": 0.074 }, "vc_into_iter_Range_i32": { "prover": "cvc5", "time": 0.052 }, "vc_into_iter_Vec_ScopedJoinHandle_Ghost_Fragment_Option_tup2_PositiveReal_Int_Global": { @@ -97,7 +94,6 @@ }, "vc_new": { "prover": "cvc5", "time": 0.036 }, "vc_new'1": { "prover": "cvc5", "time": 0.051 }, - "vc_new_Box_Perm_AtomicI32_Global": { "prover": "cvc5", "time": 0.066 }, "vc_new_FnGhostWrapper_closure0": { "prover": "cvc5", "time": 0.062 }, "vc_new_Fragment_Option_tup2_PositiveReal_Int": { "prover": "cvc5", @@ -105,6 +101,7 @@ }, "vc_new_ParallelAddAtomicInv": { "prover": "cvc5", "time": 0.05 }, "vc_new_ParallelAddAtomicInv'0": { "prover": "cvc5", "time": 0.05 }, + "vc_new_Perm_AtomicI32": { "prover": "alt-ergo", "time": 0.059 }, "vc_new_ScopedJoinHandle_Ghost_Fragment_Option_tup2_PositiveReal_Int": { "prover": "cvc5", "time": 0.05 @@ -162,7 +159,7 @@ { "tactic": "split_vc", "children": [ - { "prover": "alt-ergo", "time": 0.041 }, + { "prover": "alt-ergo", "time": 0.093 }, { "prover": "cvc5", "time": 1.8 } ] } diff --git a/examples/persistent_array.coma b/examples/persistent_array.coma index feccd3f6b3..f9bcf7aed8 100644 --- a/examples/persistent_array.coma +++ b/examples/persistent_array.coma @@ -860,9 +860,7 @@ module M_implementation__impl_PersistentArray_T__new (* implementation::Persiste type t_Perm_PermCell_Inner_T - type tup2_PermCell_Inner_T_Ghost_Box_Perm_PermCell_Inner_T_Global = { - f0'0: t_PermCell_Inner_T; - f1'0: t_Perm_PermCell_Inner_T } + type tup2_PermCell_Inner_T_Ghost_Perm_PermCell_Inner_T = { f0'0: t_PermCell_Inner_T; f1'0: t_Perm_PermCell_Inner_T } predicate inv_T (_1: t_T) 
@@ -908,18 +906,13 @@ module M_implementation__impl_PersistentArray_T__new (* implementation::Persiste meta "rewrite_def" function view_Perm_PermCell_Inner_T - function view_Box_Perm_PermCell_Inner_T_Global [@inline:trivial] (self: t_Perm_PermCell_Inner_T) : t_Inner_T = - view_Perm_PermCell_Inner_T self - - meta "rewrite_def" function view_Box_Perm_PermCell_Inner_T_Global - - let rec new_Inner_T (value: t_Inner_T) (return (x: tup2_PermCell_Inner_T_Ghost_Box_Perm_PermCell_Inner_T_Global)) = + let rec new_Inner_T (value: t_Inner_T) (return (x: tup2_PermCell_Inner_T_Ghost_Perm_PermCell_Inner_T)) = {[@stop_split] [@expl:new 'value' type invariant] inv_Inner_T value} any - [ return (result: tup2_PermCell_Inner_T_Ghost_Box_Perm_PermCell_Inner_T_Global) -> + [ return (result: tup2_PermCell_Inner_T_Ghost_Perm_PermCell_Inner_T) -> {[@stop_split] [@expl:new_Inner_T ensures] ([@stop_split] [@expl:new ensures #0] result.f0'0 = ward_PermCell_Inner_T result.f1'0) - /\ ([@stop_split] [@expl:new ensures #1] view_Box_Perm_PermCell_Inner_T_Global result.f1'0 = value)} + /\ ([@stop_split] [@expl:new ensures #1] view_Perm_PermCell_Inner_T result.f1'0 = value)} (! return {result}) ] type t_Authority_FMap_PermCell_Inner_T_Ag_Seq_T 
@@ -1359,71 +1352,69 @@ module M_implementation__impl_PersistentArray_T__new (* implementation::Persiste let rec new_unit (x: ()) (return (x'0: ())) = any [ return (result: ()) -> {[@stop_split] [@expl:new ensures] result = x} (! return {result}) ] - type t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global + type t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T - type t_Option_Box_Perm_PermCell_Inner_T_Global = None'2 | Some'2 t_Perm_PermCell_Inner_T + type t_Option_Perm_PermCell_Inner_T = None'2 | Some'2 t_Perm_PermCell_Inner_T - function to_mapping_Snapshot_PermCell_Inner_T (self: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) : Map.map t_PermCell_Inner_T t_Option_Box_Perm_PermCell_Inner_T_Global + function to_mapping_Snapshot_PermCell_Inner_T (self: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) : Map.map t_PermCell_Inner_T t_Option_Perm_PermCell_Inner_T - function get_Snapshot_PermCell_Inner_T [@inline:trivial] (self: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) (k: t_PermCell_Inner_T) : t_Option_Box_Perm_PermCell_Inner_T_Global + function get_Snapshot_PermCell_Inner_T [@inline:trivial] (self: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) (k: t_PermCell_Inner_T) : t_Option_Perm_PermCell_Inner_T = Map.get (to_mapping_Snapshot_PermCell_Inner_T self) k meta "rewrite_def" function get_Snapshot_PermCell_Inner_T - predicate ext_eq_Snapshot_PermCell_Inner_T (self: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) (other: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) = + predicate ext_eq_Snapshot_PermCell_Inner_T (self: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) (other: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) = forall k: t_PermCell_Inner_T. 
get_Snapshot_PermCell_Inner_T self k = get_Snapshot_PermCell_Inner_T other k axiom ext_eq_Snapshot_PermCell_Inner_T_spec: - forall self: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global, other: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global [self + forall self: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T, other: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T [self = other]. ext_eq_Snapshot_PermCell_Inner_T self other = (self = other) - function len_Snapshot_PermCell_Inner_T (self: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) : int + function len_Snapshot_PermCell_Inner_T (self: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) : int axiom len_Snapshot_PermCell_Inner_T_spec: - forall self: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global [len_Snapshot_PermCell_Inner_T self]. len_Snapshot_PermCell_Inner_T self + forall self: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T [len_Snapshot_PermCell_Inner_T self]. 
len_Snapshot_PermCell_Inner_T self >= 0 - constant empty_Snapshot_PermCell_Inner_T : t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global + constant empty_Snapshot_PermCell_Inner_T : t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T axiom empty_Snapshot_PermCell_Inner_T_spec: len_Snapshot_PermCell_Inner_T empty_Snapshot_PermCell_Inner_T = 0 axiom empty_Snapshot_PermCell_Inner_T_spec'0: to_mapping_Snapshot_PermCell_Inner_T empty_Snapshot_PermCell_Inner_T = Const.const (None'2) - predicate is_empty_Snapshot_PermCell_Inner_T (self: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) = + predicate is_empty_Snapshot_PermCell_Inner_T (self: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) = ext_eq_Snapshot_PermCell_Inner_T self empty_Snapshot_PermCell_Inner_T - let rec new_Snapshot_PermCell_Inner_T - (return (x: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global)) = any - [ return (result: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) -> + let rec new_Snapshot_PermCell_Inner_T (return (x: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T)) = any + [ return (result: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) -> {[@stop_split] [@expl:new ensures] is_empty_Snapshot_PermCell_Inner_T result} (! 
return {result}) ] - let rec deref_mut_Ghost_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global - (self: MutBorrow.t t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) - (return (x: MutBorrow.t t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global)) = any - [ return (result: MutBorrow.t t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) -> + let rec deref_mut_Ghost_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T + (self: MutBorrow.t t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) + (return (x: MutBorrow.t t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T)) = any + [ return (result: MutBorrow.t t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) -> {[@stop_split] [@expl:deref_mut ensures] result = self} (! return {result}) ] - let rec into_inner_Box_Perm_PermCell_Inner_T_Global (self: t_Perm_PermCell_Inner_T) - (return (x: t_Perm_PermCell_Inner_T)) = any + let rec into_inner_Perm_PermCell_Inner_T (self: t_Perm_PermCell_Inner_T) (return (x: t_Perm_PermCell_Inner_T)) = any [ return (result: t_Perm_PermCell_Inner_T) -> {[@stop_split] [@expl:into_inner ensures] result = self} (! 
return {result}) ] - predicate contains_Snapshot_PermCell_Inner_T [@inline:trivial] (self: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) (k: t_PermCell_Inner_T) = + predicate contains_Snapshot_PermCell_Inner_T [@inline:trivial] (self: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) (k: t_PermCell_Inner_T) = get_Snapshot_PermCell_Inner_T self k <> None'2 meta "rewrite_def" predicate contains_Snapshot_PermCell_Inner_T - function insert_Snapshot_PermCell_Inner_T (self: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) (k: t_PermCell_Inner_T) (v: t_Perm_PermCell_Inner_T) : t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global + function insert_Snapshot_PermCell_Inner_T (self: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) (k: t_PermCell_Inner_T) (v: t_Perm_PermCell_Inner_T) : t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T axiom insert_Snapshot_PermCell_Inner_T_spec: - forall self: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global, k: t_PermCell_Inner_T, v: t_Perm_PermCell_Inner_T [insert_Snapshot_PermCell_Inner_T self k v]. to_mapping_Snapshot_PermCell_Inner_T (insert_Snapshot_PermCell_Inner_T self k v) + forall self: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T, k: t_PermCell_Inner_T, v: t_Perm_PermCell_Inner_T [insert_Snapshot_PermCell_Inner_T self k v]. to_mapping_Snapshot_PermCell_Inner_T (insert_Snapshot_PermCell_Inner_T self k v) = Map.set (to_mapping_Snapshot_PermCell_Inner_T self) k (Some'2 v) axiom insert_Snapshot_PermCell_Inner_T_spec'0: - forall self: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global, k: t_PermCell_Inner_T, v: t_Perm_PermCell_Inner_T [insert_Snapshot_PermCell_Inner_T self k v]. len_Snapshot_PermCell_Inner_T (insert_Snapshot_PermCell_Inner_T self k v) + forall self: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T, k: t_PermCell_Inner_T, v: t_Perm_PermCell_Inner_T [insert_Snapshot_PermCell_Inner_T self k v]. 
len_Snapshot_PermCell_Inner_T (insert_Snapshot_PermCell_Inner_T self k v) = (if contains_Snapshot_PermCell_Inner_T self k then len_Snapshot_PermCell_Inner_T self else 
@@ -1431,23 +1422,23 @@ module M_implementation__impl_PersistentArray_T__new (* implementation::Persiste ) let rec insert_ghost_Snapshot_PermCell_Inner_T - (self: MutBorrow.t t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) (key: t_PermCell_Inner_T) - (value: t_Perm_PermCell_Inner_T) (return (x: t_Option_Box_Perm_PermCell_Inner_T_Global)) = any - [ return (result: t_Option_Box_Perm_PermCell_Inner_T_Global) -> + (self: MutBorrow.t t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) (key: t_PermCell_Inner_T) + (value: t_Perm_PermCell_Inner_T) (return (x: t_Option_Perm_PermCell_Inner_T)) = any + [ return (result: t_Option_Perm_PermCell_Inner_T) -> {[@stop_split] [@expl:insert_ghost_Snapshot_PermCell_Inner_T ensures] ([@stop_split] [@expl:insert_ghost ensures #0] self.final = insert_Snapshot_PermCell_Inner_T self.current key value) /\ ([@stop_split] [@expl:insert_ghost ensures #1] result = get_Snapshot_PermCell_Inner_T self.current key)} (! return {result}) ] - predicate resolve_refmut_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global [@inline:trivial] (_1: MutBorrow.t t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) = + predicate resolve_refmut_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T [@inline:trivial] (_1: MutBorrow.t t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) = _1.final = _1.current - meta "rewrite_def" predicate resolve_refmut_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global + meta "rewrite_def" predicate resolve_refmut_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T - let rec into_inner_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global - (self: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) - (return (x: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global)) = any - [ return (result: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) -> + let rec 
into_inner_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T + (self: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) + (return (x: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T)) = any + [ return (result: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) -> {[@stop_split] [@expl:into_inner ensures] result = self} (! return {result}) ] @@ -1461,7 +1452,7 @@ module M_implementation__impl_PersistentArray_T__new (* implementation::Persiste (! return {result}) ] type t_PA_T = { - perms: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global; + perms: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T; auth: t_Authority_FMap_PermCell_Inner_T_Ag_Seq_T; depth: Map.map t_PermCell_Inner_T int } 
@@ -1487,32 +1478,32 @@ module M_implementation__impl_PersistentArray_T__new (* implementation::Persiste type t_NonAtomicInvariant_PA_T - predicate index_Mapping_Box_Perm_PermCell_Inner_T_Global_bool [@inline:trivial] (self: Map.map t_Perm_PermCell_Inner_T bool) (a: t_Perm_PermCell_Inner_T) = + predicate index_Mapping_Perm_PermCell_Inner_T_bool [@inline:trivial] (self: Map.map t_Perm_PermCell_Inner_T bool) (a: t_Perm_PermCell_Inner_T) = Map.get self a - meta "rewrite_def" predicate index_Mapping_Box_Perm_PermCell_Inner_T_Global_bool + meta "rewrite_def" predicate index_Mapping_Perm_PermCell_Inner_T_bool - function such_that_Box_Perm_PermCell_Inner_T_Global (p: Map.map t_Perm_PermCell_Inner_T bool) : t_Perm_PermCell_Inner_T + function such_that_Perm_PermCell_Inner_T (p: Map.map t_Perm_PermCell_Inner_T bool) : t_Perm_PermCell_Inner_T - axiom such_that_Box_Perm_PermCell_Inner_T_Global_spec: - forall p: Map.map t_Perm_PermCell_Inner_T bool [such_that_Box_Perm_PermCell_Inner_T_Global p]. (exists x: t_Perm_PermCell_Inner_T. index_Mapping_Box_Perm_PermCell_Inner_T_Global_bool p x) - -> index_Mapping_Box_Perm_PermCell_Inner_T_Global_bool p (such_that_Box_Perm_PermCell_Inner_T_Global p) + axiom such_that_Perm_PermCell_Inner_T_spec: + forall p: Map.map t_Perm_PermCell_Inner_T bool [such_that_Perm_PermCell_Inner_T p]. (exists x: t_Perm_PermCell_Inner_T. 
index_Mapping_Perm_PermCell_Inner_T_bool p x) + -> index_Mapping_Perm_PermCell_Inner_T_bool p (such_that_Perm_PermCell_Inner_T p) - function unwrap_Option_Box_Perm_PermCell_Inner_T_Global (self: t_Option_Box_Perm_PermCell_Inner_T_Global) : t_Perm_PermCell_Inner_T - = match self with + function unwrap_Option_Perm_PermCell_Inner_T (self: t_Option_Perm_PermCell_Inner_T) : t_Perm_PermCell_Inner_T = + match self with | Some'2 x -> x - | None'2 -> such_that_Box_Perm_PermCell_Inner_T_Global (fun (__0: t_Perm_PermCell_Inner_T) -> true) + | None'2 -> such_that_Perm_PermCell_Inner_T (fun (__0: t_Perm_PermCell_Inner_T) -> true) end - function lookup_Snapshot_PermCell_Inner_T [@inline:trivial] (self: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) (k: t_PermCell_Inner_T) : t_Perm_PermCell_Inner_T - = unwrap_Option_Box_Perm_PermCell_Inner_T_Global (get_Snapshot_PermCell_Inner_T self k) + function lookup_Snapshot_PermCell_Inner_T [@inline:trivial] (self: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) (k: t_PermCell_Inner_T) : t_Perm_PermCell_Inner_T + = unwrap_Option_Perm_PermCell_Inner_T (get_Snapshot_PermCell_Inner_T self k) meta "rewrite_def" function lookup_Snapshot_PermCell_Inner_T - function index_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global [@inline:trivial] (self: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) (key: t_PermCell_Inner_T) : t_Perm_PermCell_Inner_T + function index_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T [@inline:trivial] (self: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) (key: t_PermCell_Inner_T) : t_Perm_PermCell_Inner_T = lookup_Snapshot_PermCell_Inner_T self key - meta "rewrite_def" function index_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global + meta "rewrite_def" function index_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T predicate index_Mapping_Ag_Seq_T_bool [@inline:trivial] (self: Map.map t_Ag_Seq_T bool) (a: t_Ag_Seq_T) = Map.get self 
a @@ -1550,9 +1541,8 @@ module M_implementation__impl_PersistentArray_T__new (* implementation::Persiste predicate partial_invariant_T [@inline:trivial] (self: t_PA_T) = forall pc: t_PermCell_Inner_T. contains_PermCell_Inner_T (view_Authority_FMap_PermCell_Inner_T_Ag_Seq_T self.auth) pc /\ contains_Snapshot_PermCell_Inner_T self.perms pc - -> ward_PermCell_Inner_T (index_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global self.perms pc) - = pc - /\ match val_PermCell_Inner_T (index_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global self.perms pc) with + -> ward_PermCell_Inner_T (index_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T self.perms pc) = pc + /\ match val_PermCell_Inner_T (index_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T self.perms pc) with | Direct v -> (index_FMap_PermCell_Inner_T_Ag_Seq_T (view_Authority_FMap_PermCell_Inner_T_Ag_Seq_T self.auth) pc).f0 = view_Vec_T_Global v | Link index value next -> contains_PermCell_Inner_T (view_Authority_FMap_PermCell_Inner_T_Ag_Seq_T self.auth) (view_Rc_PermCell_Inner_T_Global next) @@ -1664,8 +1654,7 @@ module M_implementation__impl_PersistentArray_T__new (* implementation::Persiste [ bb0 = s0 [ s0 = [ &new_ag <- { f0 = view_Vec_T_Global v } ] s1 | s1 = [ &_10 <- Direct v ] s2 - | s2 = new_Inner_T {_10} - (fun (_x: tup2_PermCell_Inner_T_Ghost_Box_Perm_PermCell_Inner_T_Global) -> [ &_9 <- _x ] s3) + | s2 = new_Inner_T {_10} (fun (_x: tup2_PermCell_Inner_T_Ghost_Perm_PermCell_Inner_T) -> [ &_9 <- _x ] s3) | s3 = [ &permcell'0 <- _9.f0'0 ] s4 | s4 = [ &perm <- _9.f1'0 ] s5 | s5 = alloc_FMap_PermCell_Inner_T_Ag_Seq_T 
@@ -1708,24 +1697,22 @@ module M_implementation__impl_PersistentArray_T__new (* implementation::Persiste | s22 = -{resolve_refmut_Authority_FMap_PermCell_Inner_T_Ag_Seq_T _22}- s23 | s23 = new_unit {_20} (fun (_x: ()) -> [ &_19 <- _x ] s24) | s24 = new_Snapshot_PermCell_Inner_T - (fun (_x: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) -> [ &perms'0 <- _x ] s25) - | s25 = MutBorrow.borrow_mut {perms'0} - (fun (_bor: MutBorrow.t t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) -> + (fun (_x: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) -> [ &perms'0 <- _x ] s25) + | s25 = MutBorrow.borrow_mut {perms'0} + (fun (_bor: MutBorrow.t t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) -> [ &_39 <- _bor ] [ &perms'0 <- _bor.final ] s26) - | s26 = deref_mut_Ghost_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global {_39} - (fun (_x: MutBorrow.t t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) -> - [ &_38 <- _x ] s27) - | s27 = into_inner_Box_Perm_PermCell_Inner_T_Global {perm} - (fun (_x: t_Perm_PermCell_Inner_T) -> [ &_43 <- _x ] s28) - | s28 = MutBorrow.borrow_final {_38.current} + | s26 = deref_mut_Ghost_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T {_39} + (fun (_x: MutBorrow.t t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) -> [ &_38 <- _x ] s27) + | s27 = into_inner_Perm_PermCell_Inner_T {perm} (fun (_x: t_Perm_PermCell_Inner_T) -> [ &_43 <- _x ] s28) + | s28 = MutBorrow.borrow_final {_38.current} {MutBorrow.get_id _38} - (fun (_bor: MutBorrow.t t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) -> + (fun (_bor: MutBorrow.t t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) -> [ &_37 <- _bor ] [ &_38 <- { _38 with current = _bor.final } ] s29) | s29 = insert_ghost_Snapshot_PermCell_Inner_T {_37} {ward_PermCell_Inner_T perm} {_43} - (fun (_x: t_Option_Box_Perm_PermCell_Inner_T_Global) -> [ &_36 <- _x ] s30) - | s30 = 
-{resolve_refmut_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global _38}- s31 - | s31 = into_inner_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global {perms'0} - (fun (_x: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) -> [ &_48 <- _x ] s32) + (fun (_x: t_Option_Perm_PermCell_Inner_T) -> [ &_36 <- _x ] s30) + | s30 = -{resolve_refmut_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T _38}- s31 + | s31 = into_inner_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T {perms'0} + (fun (_x: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) -> [ &_48 <- _x ] s32) | s32 = into_inner_Authority_FMap_PermCell_Inner_T_Ag_Seq_T {auth'0} (fun (_x: t_Authority_FMap_PermCell_Inner_T_Ag_Seq_T) -> [ &_50 <- _x ] s33) | s33 = [ &_47 <- { perms = _48; auth = _50; depth = fun (__0: t_PermCell_Inner_T) -> 0 } ] s34 @@ -1743,7 +1730,7 @@ module M_implementation__impl_PersistentArray_T__new (* implementation::Persiste | & new_ag: t_Ag_Seq_T = Any.any_l () | & permcell'0: t_PermCell_Inner_T = Any.any_l () | & perm: t_Perm_PermCell_Inner_T = Any.any_l () - | & _9: tup2_PermCell_Inner_T_Ghost_Box_Perm_PermCell_Inner_T_Global = Any.any_l () + | & _9: tup2_PermCell_Inner_T_Ghost_Perm_PermCell_Inner_T = Any.any_l () | & _10: t_Inner_T = Any.any_l () | & auth'0: t_Authority_FMap_PermCell_Inner_T_Ag_Seq_T = Any.any_l () | & frag'0: t_Fragment_FMap_PermCell_Inner_T_Ag_Seq_T = Any.any_l () 
@@ -1762,16 +1749,16 @@ module M_implementation__impl_PersistentArray_T__new (* implementation::Persiste | & _28: t_FMapInsertLocalUpdate_PermCell_Inner_T_Ag_Seq_T = Any.any_l () | & inv'0: t_Rc_NonAtomicInvariant_PA_T_Global = Any.any_l () | & _34: t_Rc_NonAtomicInvariant_PA_T_Global = Any.any_l () - | & perms'0: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global = Any.any_l () - | & _36: t_Option_Box_Perm_PermCell_Inner_T_Global = Any.any_l () - | & _37: MutBorrow.t t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global = Any.any_l () - | & _38: MutBorrow.t t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global = Any.any_l () - | & _39: MutBorrow.t t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global = Any.any_l () + | & perms'0: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T = Any.any_l () + | & _36: t_Option_Perm_PermCell_Inner_T = Any.any_l () + | & _37: MutBorrow.t t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T = Any.any_l () + | & _38: MutBorrow.t t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T = Any.any_l () + | & _39: MutBorrow.t t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T = Any.any_l () | & _43: t_Perm_PermCell_Inner_T = Any.any_l () | & na_inv: t_NonAtomicInvariant_PA_T = Any.any_l () | & _46: t_PA_T = Any.any_l () | & _47: t_PA_T = Any.any_l () - | & _48: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global = Any.any_l () + | & _48: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T = Any.any_l () | & _50: t_Authority_FMap_PermCell_Inner_T_Ag_Seq_T = Any.any_l () | & _56: t_NonAtomicInvariant_PA_T = Any.any_l () | & _58: t_Rc_PermCell_Inner_T_Global = Any.any_l () ]) 
@@ -1795,14 +1782,14 @@ module M_implementation__impl_PersistentArray_T__get (* implementation::Persiste use set.Set use int.Int - type t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global + type t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T type t_Authority_FMap_PermCell_Inner_T_Ag_Seq_T type t_PermCell_Inner_T type t_PA_T = { - perms: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global; + perms: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T; auth: t_Authority_FMap_PermCell_Inner_T_Ag_Seq_T; depth: Map.map t_PermCell_Inner_T int } 
@@ -2221,48 +2208,48 @@ module M_implementation__impl_PersistentArray_T__get (* implementation::Persiste type t_Perm_PermCell_Inner_T - type t_Option_Box_Perm_PermCell_Inner_T_Global = None'2 | Some'2 t_Perm_PermCell_Inner_T + type t_Option_Perm_PermCell_Inner_T = None'2 | Some'2 t_Perm_PermCell_Inner_T - function to_mapping_Snapshot_PermCell_Inner_T (self: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) : Map.map t_PermCell_Inner_T t_Option_Box_Perm_PermCell_Inner_T_Global + function to_mapping_Snapshot_PermCell_Inner_T (self: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) : Map.map t_PermCell_Inner_T t_Option_Perm_PermCell_Inner_T - function get_Snapshot_PermCell_Inner_T [@inline:trivial] (self: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) (k: t_PermCell_Inner_T) : t_Option_Box_Perm_PermCell_Inner_T_Global + function get_Snapshot_PermCell_Inner_T [@inline:trivial] (self: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) (k: t_PermCell_Inner_T) : t_Option_Perm_PermCell_Inner_T = Map.get (to_mapping_Snapshot_PermCell_Inner_T self) k meta "rewrite_def" function get_Snapshot_PermCell_Inner_T - predicate contains_Snapshot_PermCell_Inner_T [@inline:trivial] (self: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) (k: t_PermCell_Inner_T) = + predicate contains_Snapshot_PermCell_Inner_T [@inline:trivial] (self: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) (k: t_PermCell_Inner_T) = get_Snapshot_PermCell_Inner_T self k <> None'2 meta "rewrite_def" predicate contains_Snapshot_PermCell_Inner_T function ward_PermCell_Inner_T (self: t_Perm_PermCell_Inner_T) : t_PermCell_Inner_T - predicate index_Mapping_Box_Perm_PermCell_Inner_T_Global_bool [@inline:trivial] (self: Map.map t_Perm_PermCell_Inner_T bool) (a: t_Perm_PermCell_Inner_T) = + predicate index_Mapping_Perm_PermCell_Inner_T_bool [@inline:trivial] (self: Map.map t_Perm_PermCell_Inner_T bool) (a: t_Perm_PermCell_Inner_T) = Map.get self a - 
meta "rewrite_def" predicate index_Mapping_Box_Perm_PermCell_Inner_T_Global_bool + meta "rewrite_def" predicate index_Mapping_Perm_PermCell_Inner_T_bool - function such_that_Box_Perm_PermCell_Inner_T_Global (p: Map.map t_Perm_PermCell_Inner_T bool) : t_Perm_PermCell_Inner_T + function such_that_Perm_PermCell_Inner_T (p: Map.map t_Perm_PermCell_Inner_T bool) : t_Perm_PermCell_Inner_T - axiom such_that_Box_Perm_PermCell_Inner_T_Global_spec: - forall p: Map.map t_Perm_PermCell_Inner_T bool [such_that_Box_Perm_PermCell_Inner_T_Global p]. (exists x: t_Perm_PermCell_Inner_T. index_Mapping_Box_Perm_PermCell_Inner_T_Global_bool p x) - -> index_Mapping_Box_Perm_PermCell_Inner_T_Global_bool p (such_that_Box_Perm_PermCell_Inner_T_Global p) + axiom such_that_Perm_PermCell_Inner_T_spec: + forall p: Map.map t_Perm_PermCell_Inner_T bool [such_that_Perm_PermCell_Inner_T p]. (exists x: t_Perm_PermCell_Inner_T. index_Mapping_Perm_PermCell_Inner_T_bool p x) + -> index_Mapping_Perm_PermCell_Inner_T_bool p (such_that_Perm_PermCell_Inner_T p) - function unwrap_Option_Box_Perm_PermCell_Inner_T_Global (self: t_Option_Box_Perm_PermCell_Inner_T_Global) : t_Perm_PermCell_Inner_T - = match self with + function unwrap_Option_Perm_PermCell_Inner_T (self: t_Option_Perm_PermCell_Inner_T) : t_Perm_PermCell_Inner_T = + match self with | Some'2 x -> x - | None'2 -> such_that_Box_Perm_PermCell_Inner_T_Global (fun (__0: t_Perm_PermCell_Inner_T) -> true) + | None'2 -> such_that_Perm_PermCell_Inner_T (fun (__0: t_Perm_PermCell_Inner_T) -> true) end - function lookup_Snapshot_PermCell_Inner_T [@inline:trivial] (self: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) (k: t_PermCell_Inner_T) : t_Perm_PermCell_Inner_T - = unwrap_Option_Box_Perm_PermCell_Inner_T_Global (get_Snapshot_PermCell_Inner_T self k) + function lookup_Snapshot_PermCell_Inner_T [@inline:trivial] (self: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) (k: t_PermCell_Inner_T) : t_Perm_PermCell_Inner_T + = 
unwrap_Option_Perm_PermCell_Inner_T (get_Snapshot_PermCell_Inner_T self k) meta "rewrite_def" function lookup_Snapshot_PermCell_Inner_T - function index_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global [@inline:trivial] (self: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) (key: t_PermCell_Inner_T) : t_Perm_PermCell_Inner_T + function index_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T [@inline:trivial] (self: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) (key: t_PermCell_Inner_T) : t_Perm_PermCell_Inner_T = lookup_Snapshot_PermCell_Inner_T self key - meta "rewrite_def" function index_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global + meta "rewrite_def" function index_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T type t_Vec_T_Global @@ -2313,9 +2300,8 @@ module M_implementation__impl_PersistentArray_T__get (* implementation::Persiste predicate partial_invariant_T [@inline:trivial] (self: t_PA_T) = forall pc: t_PermCell_Inner_T. contains_PermCell_Inner_T (view_Authority_FMap_PermCell_Inner_T_Ag_Seq_T self.auth) pc /\ contains_Snapshot_PermCell_Inner_T self.perms pc - -> ward_PermCell_Inner_T (index_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global self.perms pc) - = pc - /\ match val_PermCell_Inner_T (index_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global self.perms pc) with + -> ward_PermCell_Inner_T (index_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T self.perms pc) = pc + /\ match val_PermCell_Inner_T (index_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T self.perms pc) with | Direct v -> (index_FMap_PermCell_Inner_T_Ag_Seq_T (view_Authority_FMap_PermCell_Inner_T_Ag_Seq_T self.auth) pc).f0'0 = view_Vec_T_Global v | Link index value next -> contains_PermCell_Inner_T (view_Authority_FMap_PermCell_Inner_T_Ag_Seq_T self.auth) (view_Rc_PermCell_Inner_T_Global next) 
@@ -2354,7 +2340,7 @@ module M_implementation__impl_PersistentArray_T__get (* implementation::Persiste = index_Mapping_PermCell_Inner_T_Int (fin_Ghost_refmut_PA_T pa).depth id) /\ ([@stop_split] [@expl:reroot ensures #3] forall id: t_PermCell_Inner_T. contains_Snapshot_PermCell_Inner_T (fin_Ghost_refmut_PA_T pa).perms id = contains_Snapshot_PermCell_Inner_T pa.current.perms id) - /\ ([@stop_split] [@expl:reroot ensures #4] match val_PermCell_Inner_T (index_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global (fin_Ghost_refmut_PA_T pa).perms (view_Rc_PermCell_Inner_T_Global cur)) with + /\ ([@stop_split] [@expl:reroot ensures #4] match val_PermCell_Inner_T (index_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T (fin_Ghost_refmut_PA_T pa).perms (view_Rc_PermCell_Inner_T_Global cur)) with | Direct _ -> true | Link _ _ _ -> false end)} 
@@ -2368,21 +2354,21 @@ module M_implementation__impl_PersistentArray_T__get (* implementation::Persiste /\ ([@stop_split] [@expl:into_inner ensures] result = self)} (! return {result}) ] - type t_Option_ref_Box_Perm_PermCell_Inner_T_Global = None'3 | Some'3 t_Perm_PermCell_Inner_T + type t_Option_ref_Perm_PermCell_Inner_T = None'3 | Some'3 t_Perm_PermCell_Inner_T - function map_Option_Box_Perm_PermCell_Inner_T_Global (self: t_Option_Box_Perm_PermCell_Inner_T_Global) (f: Map.map t_Perm_PermCell_Inner_T t_Perm_PermCell_Inner_T) : t_Option_ref_Box_Perm_PermCell_Inner_T_Global + function map_Option_Perm_PermCell_Inner_T (self: t_Option_Perm_PermCell_Inner_T) (f: Map.map t_Perm_PermCell_Inner_T t_Perm_PermCell_Inner_T) : t_Option_ref_Perm_PermCell_Inner_T = match self with | None'2 -> None'3 | Some'2 x -> Some'3 (Map.get f x) end - let rec get_ghost_Snapshot_PermCell_Inner_T (self: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) - (key: t_PermCell_Inner_T) (return (x: t_Option_ref_Box_Perm_PermCell_Inner_T_Global)) = any - [ return (result: t_Option_ref_Box_Perm_PermCell_Inner_T_Global) -> {[@stop_split] [@expl:get_ghost ensures] result - = map_Option_Box_Perm_PermCell_Inner_T_Global (get_Snapshot_PermCell_Inner_T self key) (fun (v: t_Perm_PermCell_Inner_T) -> v)} + let rec get_ghost_Snapshot_PermCell_Inner_T (self: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) + (key: t_PermCell_Inner_T) (return (x: t_Option_ref_Perm_PermCell_Inner_T)) = any + [ return (result: t_Option_ref_Perm_PermCell_Inner_T) -> {[@stop_split] [@expl:get_ghost ensures] result + = map_Option_Perm_PermCell_Inner_T (get_Snapshot_PermCell_Inner_T self key) (fun (v: t_Perm_PermCell_Inner_T) -> v)} (! 
return {result}) ] - let rec unwrap_ref_Box_Perm_PermCell_Inner_T_Global (self_: t_Option_ref_Box_Perm_PermCell_Inner_T_Global) + let rec unwrap_ref_Perm_PermCell_Inner_T (self_: t_Option_ref_Perm_PermCell_Inner_T) (return (x: t_Perm_PermCell_Inner_T)) = {[@stop_split] [@expl:unwrap requires] self_ <> None'3} any [ return (result: t_Perm_PermCell_Inner_T) -> {[@stop_split] [@expl:unwrap ensures] Some'3 result = self_} @@ -2604,9 +2590,8 @@ module M_implementation__impl_PersistentArray_T__get (* implementation::Persiste | s24 = -{resolve_refmut_PA_T _27}- s25 | s25 = [ &_30 <- view_Rc_PermCell_Inner_T_Global self.c0.permcell ] s26 | s26 = get_ghost_Snapshot_PermCell_Inner_T {_27.current.perms} {_30} - (fun (_x: t_Option_ref_Box_Perm_PermCell_Inner_T_Global) -> [ &_25 <- _x ] s27) - | s27 = unwrap_ref_Box_Perm_PermCell_Inner_T_Global {_25} - (fun (_x: t_Perm_PermCell_Inner_T) -> [ &_24 <- _x ] s28) + (fun (_x: t_Option_ref_Perm_PermCell_Inner_T) -> [ &_25 <- _x ] s27) + | s27 = unwrap_ref_Perm_PermCell_Inner_T {_25} (fun (_x: t_Perm_PermCell_Inner_T) -> [ &_24 <- _x ] s28) | s28 = new_ref_Perm_PermCell_Inner_T {_24} (fun (_x: t_Perm_PermCell_Inner_T) -> [ &perm <- _x ] s29) | s29 = deref_Rc_PermCell_Inner_T_Global {self.c0.permcell} (fun (_x: t_PermCell_Inner_T) -> [ &_38 <- _x ] s30) | s30 = borrow_Inner_T {_38} {perm} (fun (_x: t_Inner_T) -> [ &_36 <- _x ] s31) @@ -2638,7 +2623,7 @@ module M_implementation__impl_PersistentArray_T__get (* implementation::Persiste | & _21: MutBorrow.t (MutBorrow.t t_PA_T) = Any.any_l () | & perm: t_Perm_PermCell_Inner_T = Any.any_l () | & _24: t_Perm_PermCell_Inner_T = Any.any_l () - | & _25: t_Option_ref_Box_Perm_PermCell_Inner_T_Global = Any.any_l () + | & _25: t_Option_ref_Perm_PermCell_Inner_T = Any.any_l () | & _27: MutBorrow.t t_PA_T = Any.any_l () | & _30: t_PermCell_Inner_T = Any.any_l () | & arr: t_Vec_T_Global = Any.any_l () 
@@ -3355,9 +3340,7 @@ module M_implementation__impl_PersistentArray_T__set (* implementation::Persiste type t_Perm_PermCell_Inner_T - type tup2_PermCell_Inner_T_Ghost_Box_Perm_PermCell_Inner_T_Global = { - f0'3: t_PermCell_Inner_T; - f1'3: t_Perm_PermCell_Inner_T } + type tup2_PermCell_Inner_T_Ghost_Perm_PermCell_Inner_T = { f0'3: t_PermCell_Inner_T; f1'3: t_Perm_PermCell_Inner_T } predicate inv_T (_1: t_T) 
@@ -3408,26 +3391,21 @@ module M_implementation__impl_PersistentArray_T__set (* implementation::Persiste meta "rewrite_def" function view_Perm_PermCell_Inner_T - function view_Box_Perm_PermCell_Inner_T_Global [@inline:trivial] (self: t_Perm_PermCell_Inner_T) : t_Inner_T = - view_Perm_PermCell_Inner_T self - - meta "rewrite_def" function view_Box_Perm_PermCell_Inner_T_Global - - let rec new_Inner_T (value: t_Inner_T) (return (x: tup2_PermCell_Inner_T_Ghost_Box_Perm_PermCell_Inner_T_Global)) = + let rec new_Inner_T (value: t_Inner_T) (return (x: tup2_PermCell_Inner_T_Ghost_Perm_PermCell_Inner_T)) = {[@stop_split] [@expl:new 'value' type invariant] inv_Inner_T value} any - [ return (result: tup2_PermCell_Inner_T_Ghost_Box_Perm_PermCell_Inner_T_Global) -> + [ return (result: tup2_PermCell_Inner_T_Ghost_Perm_PermCell_Inner_T) -> {[@stop_split] [@expl:new_Inner_T ensures] ([@stop_split] [@expl:new ensures #0] result.f0'3 = ward_PermCell_Inner_T result.f1'3) - /\ ([@stop_split] [@expl:new ensures #1] view_Box_Perm_PermCell_Inner_T_Global result.f1'3 = value)} + /\ ([@stop_split] [@expl:new ensures #1] view_Perm_PermCell_Inner_T result.f1'3 = value)} (! return {result}) ] - type t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global + type t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T type t_Authority_FMap_PermCell_Inner_T_Ag_Seq_T type t_PA_T = { - perms: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global; + perms: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T; auth: t_Authority_FMap_PermCell_Inner_T_Ag_Seq_T; depth: Map.map t_PermCell_Inner_T int } 
@@ -3552,65 +3530,65 @@ module M_implementation__impl_PersistentArray_T__set (* implementation::Persiste /\ ([@stop_split] [@expl:deref_mut ensures] result = self)} (! return {result}) ] - type t_Option_refmut_Box_Perm_PermCell_Inner_T_Global = None'2 | Some'2 (MutBorrow.t t_Perm_PermCell_Inner_T) + type t_Option_refmut_Perm_PermCell_Inner_T = None'2 | Some'2 (MutBorrow.t t_Perm_PermCell_Inner_T) - type t_Option_Box_Perm_PermCell_Inner_T_Global = None'3 | Some'3 t_Perm_PermCell_Inner_T + type t_Option_Perm_PermCell_Inner_T = None'3 | Some'3 t_Perm_PermCell_Inner_T - function to_mapping_Snapshot_PermCell_Inner_T (self: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) : Map.map t_PermCell_Inner_T t_Option_Box_Perm_PermCell_Inner_T_Global + function to_mapping_Snapshot_PermCell_Inner_T (self: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) : Map.map t_PermCell_Inner_T t_Option_Perm_PermCell_Inner_T - function get_Snapshot_PermCell_Inner_T [@inline:trivial] (self: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) (k: t_PermCell_Inner_T) : t_Option_Box_Perm_PermCell_Inner_T_Global + function get_Snapshot_PermCell_Inner_T [@inline:trivial] (self: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) (k: t_PermCell_Inner_T) : t_Option_Perm_PermCell_Inner_T = Map.get (to_mapping_Snapshot_PermCell_Inner_T self) k meta "rewrite_def" function get_Snapshot_PermCell_Inner_T - predicate contains_Snapshot_PermCell_Inner_T [@inline:trivial] (self: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) (k: t_PermCell_Inner_T) = + predicate contains_Snapshot_PermCell_Inner_T [@inline:trivial] (self: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) (k: t_PermCell_Inner_T) = get_Snapshot_PermCell_Inner_T self k <> None'3 meta "rewrite_def" predicate contains_Snapshot_PermCell_Inner_T - predicate index_Mapping_Box_Perm_PermCell_Inner_T_Global_bool [@inline:trivial] (self: Map.map t_Perm_PermCell_Inner_T bool) (a: 
t_Perm_PermCell_Inner_T) = + predicate index_Mapping_Perm_PermCell_Inner_T_bool [@inline:trivial] (self: Map.map t_Perm_PermCell_Inner_T bool) (a: t_Perm_PermCell_Inner_T) = Map.get self a - meta "rewrite_def" predicate index_Mapping_Box_Perm_PermCell_Inner_T_Global_bool + meta "rewrite_def" predicate index_Mapping_Perm_PermCell_Inner_T_bool - function such_that_Box_Perm_PermCell_Inner_T_Global (p: Map.map t_Perm_PermCell_Inner_T bool) : t_Perm_PermCell_Inner_T + function such_that_Perm_PermCell_Inner_T (p: Map.map t_Perm_PermCell_Inner_T bool) : t_Perm_PermCell_Inner_T - axiom such_that_Box_Perm_PermCell_Inner_T_Global_spec: - forall p: Map.map t_Perm_PermCell_Inner_T bool [such_that_Box_Perm_PermCell_Inner_T_Global p]. (exists x: t_Perm_PermCell_Inner_T. index_Mapping_Box_Perm_PermCell_Inner_T_Global_bool p x) - -> index_Mapping_Box_Perm_PermCell_Inner_T_Global_bool p (such_that_Box_Perm_PermCell_Inner_T_Global p) + axiom such_that_Perm_PermCell_Inner_T_spec: + forall p: Map.map t_Perm_PermCell_Inner_T bool [such_that_Perm_PermCell_Inner_T p]. (exists x: t_Perm_PermCell_Inner_T. 
index_Mapping_Perm_PermCell_Inner_T_bool p x) + -> index_Mapping_Perm_PermCell_Inner_T_bool p (such_that_Perm_PermCell_Inner_T p) - function unwrap_Option_Box_Perm_PermCell_Inner_T_Global (self: t_Option_Box_Perm_PermCell_Inner_T_Global) : t_Perm_PermCell_Inner_T - = match self with + function unwrap_Option_Perm_PermCell_Inner_T (self: t_Option_Perm_PermCell_Inner_T) : t_Perm_PermCell_Inner_T = + match self with | Some'3 x -> x - | None'3 -> such_that_Box_Perm_PermCell_Inner_T_Global (fun (__0: t_Perm_PermCell_Inner_T) -> true) + | None'3 -> such_that_Perm_PermCell_Inner_T (fun (__0: t_Perm_PermCell_Inner_T) -> true) end - function lookup_Snapshot_PermCell_Inner_T [@inline:trivial] (self: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) (k: t_PermCell_Inner_T) : t_Perm_PermCell_Inner_T - = unwrap_Option_Box_Perm_PermCell_Inner_T_Global (get_Snapshot_PermCell_Inner_T self k) + function lookup_Snapshot_PermCell_Inner_T [@inline:trivial] (self: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) (k: t_PermCell_Inner_T) : t_Perm_PermCell_Inner_T + = unwrap_Option_Perm_PermCell_Inner_T (get_Snapshot_PermCell_Inner_T self k) meta "rewrite_def" function lookup_Snapshot_PermCell_Inner_T - function index_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global [@inline:trivial] (self: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) (key: t_PermCell_Inner_T) : t_Perm_PermCell_Inner_T + function index_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T [@inline:trivial] (self: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) (key: t_PermCell_Inner_T) : t_Perm_PermCell_Inner_T = lookup_Snapshot_PermCell_Inner_T self key - meta "rewrite_def" function index_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global + meta "rewrite_def" function index_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T - function len_Snapshot_PermCell_Inner_T (self: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) : 
int + function len_Snapshot_PermCell_Inner_T (self: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) : int axiom len_Snapshot_PermCell_Inner_T_spec: - forall self: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global [len_Snapshot_PermCell_Inner_T self]. len_Snapshot_PermCell_Inner_T self + forall self: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T [len_Snapshot_PermCell_Inner_T self]. len_Snapshot_PermCell_Inner_T self >= 0 let rec get_mut_ghost_Snapshot_PermCell_Inner_T - (self: MutBorrow.t t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) (key: t_PermCell_Inner_T) - (return (x: t_Option_refmut_Box_Perm_PermCell_Inner_T_Global)) = any - [ return (result: t_Option_refmut_Box_Perm_PermCell_Inner_T_Global) -> + (self: MutBorrow.t t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) (key: t_PermCell_Inner_T) + (return (x: t_Option_refmut_Perm_PermCell_Inner_T)) = any + [ return (result: t_Option_refmut_Perm_PermCell_Inner_T) -> {[@stop_split] [@expl:get_mut_ghost_Snapshot_PermCell_Inner_T ensures] ([@stop_split] [@expl:get_mut_ghost ensures #0] if contains_Snapshot_PermCell_Inner_T self.current key then match result with | None'2 -> false | Some'2 r -> contains_Snapshot_PermCell_Inner_T self.final key - /\ index_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global self.current key = r.current - /\ index_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global self.final key = r.final + /\ index_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T self.current key = r.current + /\ index_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T self.final key = r.final end else result = None'2 /\ self.current = self.final 
@@ -3621,17 +3599,17 @@ module M_implementation__impl_PersistentArray_T__set (* implementation::Persiste = len_Snapshot_PermCell_Inner_T self.final)} (! return {result}) ] - predicate resolve_refmut_Box_Perm_PermCell_Inner_T_Global [@inline:trivial] (_1: MutBorrow.t t_Perm_PermCell_Inner_T) = + predicate resolve_refmut_Perm_PermCell_Inner_T [@inline:trivial] (_1: MutBorrow.t t_Perm_PermCell_Inner_T) = _1.final = _1.current - meta "rewrite_def" predicate resolve_refmut_Box_Perm_PermCell_Inner_T_Global + meta "rewrite_def" predicate resolve_refmut_Perm_PermCell_Inner_T predicate resolve_refmut_refmut_PA_T [@inline:trivial] (_1: MutBorrow.t (MutBorrow.t t_PA_T)) = _1.final = _1.current meta "rewrite_def" predicate resolve_refmut_refmut_PA_T - let rec elim_Some (_x: t_Option_refmut_Box_Perm_PermCell_Inner_T_Global) - (return (f0'4: MutBorrow.t t_Perm_PermCell_Inner_T)) = any + let rec elim_Some (_x: t_Option_refmut_Perm_PermCell_Inner_T) (return (f0'4: MutBorrow.t t_Perm_PermCell_Inner_T)) = + any [ _k (f0'4: MutBorrow.t t_Perm_PermCell_Inner_T) -> {Some'2 f0'4 = _x} (! return {f0'4}) | _chk -> (! {[@expl:elim Some] match _x with | Some'2 _ -> true @@ -3639,8 +3617,7 @@ module M_implementation__impl_PersistentArray_T__set (* implementation::Persiste end} any) ] - let rec deref_Ghost_Box_Perm_PermCell_Inner_T_Global (self: t_Perm_PermCell_Inner_T) - (return (x: t_Perm_PermCell_Inner_T)) = any + let rec deref_Ghost_Perm_PermCell_Inner_T (self: t_Perm_PermCell_Inner_T) (return (x: t_Perm_PermCell_Inner_T)) = any [ return (result: t_Perm_PermCell_Inner_T) -> {[@stop_split] [@expl:deref ensures] result = self} (! return {result}) ] 
@@ -3656,19 +3633,18 @@ module M_implementation__impl_PersistentArray_T__set (* implementation::Persiste /\ ([@stop_split] [@expl:disjoint_lemma ensures #1] self.current = self.final)} (! return {result}) ] - let rec into_inner_Box_Perm_PermCell_Inner_T_Global (self: t_Perm_PermCell_Inner_T) - (return (x: t_Perm_PermCell_Inner_T)) = any + let rec into_inner_Perm_PermCell_Inner_T (self: t_Perm_PermCell_Inner_T) (return (x: t_Perm_PermCell_Inner_T)) = any [ return (result: t_Perm_PermCell_Inner_T) -> {[@stop_split] [@expl:into_inner ensures] result = self} (! return {result}) ] - function insert_Snapshot_PermCell_Inner_T (self: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) (k: t_PermCell_Inner_T) (v: t_Perm_PermCell_Inner_T) : t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global + function insert_Snapshot_PermCell_Inner_T (self: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) (k: t_PermCell_Inner_T) (v: t_Perm_PermCell_Inner_T) : t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T axiom insert_Snapshot_PermCell_Inner_T_spec: - forall self: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global, k: t_PermCell_Inner_T, v: t_Perm_PermCell_Inner_T [insert_Snapshot_PermCell_Inner_T self k v]. to_mapping_Snapshot_PermCell_Inner_T (insert_Snapshot_PermCell_Inner_T self k v) + forall self: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T, k: t_PermCell_Inner_T, v: t_Perm_PermCell_Inner_T [insert_Snapshot_PermCell_Inner_T self k v]. to_mapping_Snapshot_PermCell_Inner_T (insert_Snapshot_PermCell_Inner_T self k v) = Map.set (to_mapping_Snapshot_PermCell_Inner_T self) k (Some'3 v) axiom insert_Snapshot_PermCell_Inner_T_spec'0: - forall self: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global, k: t_PermCell_Inner_T, v: t_Perm_PermCell_Inner_T [insert_Snapshot_PermCell_Inner_T self k v]. 
len_Snapshot_PermCell_Inner_T (insert_Snapshot_PermCell_Inner_T self k v) + forall self: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T, k: t_PermCell_Inner_T, v: t_Perm_PermCell_Inner_T [insert_Snapshot_PermCell_Inner_T self k v]. len_Snapshot_PermCell_Inner_T (insert_Snapshot_PermCell_Inner_T self k v) = (if contains_Snapshot_PermCell_Inner_T self k then len_Snapshot_PermCell_Inner_T self else @@ -3676,9 +3652,9 @@ module M_implementation__impl_PersistentArray_T__set (* implementation::Persiste ) let rec insert_ghost_Snapshot_PermCell_Inner_T - (self: MutBorrow.t t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) (key: t_PermCell_Inner_T) - (value: t_Perm_PermCell_Inner_T) (return (x: t_Option_Box_Perm_PermCell_Inner_T_Global)) = any - [ return (result: t_Option_Box_Perm_PermCell_Inner_T_Global) -> + (self: MutBorrow.t t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) (key: t_PermCell_Inner_T) + (value: t_Perm_PermCell_Inner_T) (return (x: t_Option_Perm_PermCell_Inner_T)) = any + [ return (result: t_Option_Perm_PermCell_Inner_T) -> {[@stop_split] [@expl:insert_ghost_Snapshot_PermCell_Inner_T ensures] ([@stop_split] [@expl:insert_ghost ensures #0] self.final = insert_Snapshot_PermCell_Inner_T self.current key value) /\ ([@stop_split] [@expl:insert_ghost ensures #1] result = get_Snapshot_PermCell_Inner_T self.current key)} 
@@ -3849,20 +3825,19 @@ module M_implementation__impl_PersistentArray_T__set (* implementation::Persiste [ &pa <- _bor.final ] s5) [ _ck -> (! {[@expl:type invariant] inv_Ghost_refmut_PA_T pa} any) ] | s5 = deref_mut_Ghost_refmut_PA_T {_16} (fun (_x: MutBorrow.t (MutBorrow.t t_PA_T)) -> [ &_15 <- _x ] s6) | s6 = [ &_18 <- self.c1 ] s7 - | s7 = MutBorrow.borrow_mut - {_15.current.current.perms} - (fun (_bor: MutBorrow.t t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) -> + | s7 = MutBorrow.borrow_mut {_15.current.current.perms} + (fun (_bor: MutBorrow.t t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) -> [ &_14 <- _bor ] [ &_15 <- { _15 with current = { _15.current with current = { _15.current.current with perms = _bor.final } } } ] s8) | s8 = get_mut_ghost_Snapshot_PermCell_Inner_T {_14} {_18} - (fun (_x: t_Option_refmut_Box_Perm_PermCell_Inner_T_Global) -> [ &_13 <- _x ] s9) + (fun (_x: t_Option_refmut_Perm_PermCell_Inner_T) -> [ &_13 <- _x ] s9) | s9 = any [ br0 -> {_13 = None'2} (! bb11) | br1 (x0: MutBorrow.t t_Perm_PermCell_Inner_T) -> {_13 = Some'2 x0} (! bb8) ] ] | bb11 = s0 [ s0 = -{match _13 with - | Some'2 x -> resolve_refmut_Box_Perm_PermCell_Inner_T_Global x + | Some'2 x -> resolve_refmut_Perm_PermCell_Inner_T x | _ -> true end}- s1 
@@ -3872,12 +3847,12 @@ module M_implementation__impl_PersistentArray_T__set (* implementation::Persiste | bb8 = s0 [ s0 = elim_Some {_13} (fun (r0: MutBorrow.t t_Perm_PermCell_Inner_T) -> [ &other <- r0 ] s1) | s1 = [ &_29 <- self.c2 ] s2 - | s2 = deref_Ghost_Box_Perm_PermCell_Inner_T_Global {_29} (fun (_x: t_Perm_PermCell_Inner_T) -> [ &_27 <- _x ] s3) + | s2 = deref_Ghost_Perm_PermCell_Inner_T {_29} (fun (_x: t_Perm_PermCell_Inner_T) -> [ &_27 <- _x ] s3) | s3 = MutBorrow.borrow_final {other.current} {MutBorrow.get_id other} (fun (_bor: MutBorrow.t t_Perm_PermCell_Inner_T) -> [ &_25 <- _bor ] [ &other <- { other with current = _bor.final } ] s4) | s4 = disjoint_lemma_PermCell_Inner_T {_25} {_27} (fun (_x: ()) -> [ &_24 <- _x ] s5) - | s5 = -{resolve_refmut_Box_Perm_PermCell_Inner_T_Global other}- s6 + | s5 = -{resolve_refmut_Perm_PermCell_Inner_T other}- s6 | s6 = s7 [ _ck -> (! {[@expl:type invariant] inv_refmut_refmut_PA_T _15} any) ] | s7 = -{resolve_refmut_refmut_PA_T _15}- s8 | s8 = {[@expl:assertion] false} s9 
@@ -3888,16 +3863,14 @@ module M_implementation__impl_PersistentArray_T__set (* implementation::Persiste [ &_34 <- _bor ] -{inv_Ghost_refmut_PA_T _bor.final}- [ &pa <- _bor.final ] s1) [ _ck -> (! {[@expl:type invariant] inv_Ghost_refmut_PA_T pa} any) ] | s1 = deref_mut_Ghost_refmut_PA_T {_34} (fun (_x: MutBorrow.t (MutBorrow.t t_PA_T)) -> [ &_33 <- _x ] s2) - | s2 = into_inner_Box_Perm_PermCell_Inner_T_Global {self.c2} - (fun (_x: t_Perm_PermCell_Inner_T) -> [ &_38 <- _x ] s3) - | s3 = MutBorrow.borrow_mut - {_33.current.current.perms} - (fun (_bor: MutBorrow.t t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) -> + | s2 = into_inner_Perm_PermCell_Inner_T {self.c2} (fun (_x: t_Perm_PermCell_Inner_T) -> [ &_38 <- _x ] s3) + | s3 = MutBorrow.borrow_mut {_33.current.current.perms} + (fun (_bor: MutBorrow.t t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) -> [ &_32 <- _bor ] [ &_33 <- { _33 with current = { _33.current with current = { _33.current.current with perms = _bor.final } } } ] s4) | s4 = insert_ghost_Snapshot_PermCell_Inner_T {_32} {self.c1} {_38} - (fun (_x: t_Option_Box_Perm_PermCell_Inner_T_Global) -> [ &_31 <- _x ] s5) + (fun (_x: t_Option_Perm_PermCell_Inner_T) -> [ &_31 <- _x ] s5) | s5 = s6 [ _ck -> (! {[@expl:type invariant] inv_refmut_refmut_PA_T _33} any) ] | s6 = -{resolve_refmut_refmut_PA_T _33}- s7 | s7 = 
@@ -3951,8 +3924,8 @@ module M_implementation__impl_PersistentArray_T__set (* implementation::Persiste | & _6: MutBorrow.t t_PA_T = Any.any_l () | & _9: t_Fragment_FMap_PermCell_Inner_T_Ag_Seq_T = Any.any_l () | & _11: t_Fragment_FMap_PermCell_Inner_T_Ag_Seq_T = Any.any_l () - | & _13: t_Option_refmut_Box_Perm_PermCell_Inner_T_Global = Any.any_l () - | & _14: MutBorrow.t t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global = Any.any_l () + | & _13: t_Option_refmut_Perm_PermCell_Inner_T = Any.any_l () + | & _14: MutBorrow.t t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T = Any.any_l () | & _15: MutBorrow.t (MutBorrow.t t_PA_T) = Any.any_l () | & _16: MutBorrow.t (MutBorrow.t t_PA_T) = Any.any_l () | & _18: t_PermCell_Inner_T = Any.any_l () @@ -3961,8 +3934,8 @@ module M_implementation__impl_PersistentArray_T__set (* implementation::Persiste | & _25: MutBorrow.t t_Perm_PermCell_Inner_T = Any.any_l () | & _27: t_Perm_PermCell_Inner_T = Any.any_l () | & _29: t_Perm_PermCell_Inner_T = Any.any_l () - | & _31: t_Option_Box_Perm_PermCell_Inner_T_Global = Any.any_l () - | & _32: MutBorrow.t t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global = Any.any_l () + | & _31: t_Option_Perm_PermCell_Inner_T = Any.any_l () + | & _32: MutBorrow.t t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T = Any.any_l () | & _33: MutBorrow.t (MutBorrow.t t_PA_T) = Any.any_l () | & _34: MutBorrow.t (MutBorrow.t t_PA_T) = Any.any_l () | & _38: t_Perm_PermCell_Inner_T = Any.any_l () 
@@ -4115,9 +4088,8 @@ module M_implementation__impl_PersistentArray_T__set (* implementation::Persiste predicate partial_invariant_T [@inline:trivial] (self: t_PA_T) = forall pc: t_PermCell_Inner_T. contains_PermCell_Inner_T (view_Authority_FMap_PermCell_Inner_T_Ag_Seq_T self.auth) pc /\ contains_Snapshot_PermCell_Inner_T self.perms pc - -> ward_PermCell_Inner_T (index_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global self.perms pc) - = pc - /\ match val_PermCell_Inner_T (index_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global self.perms pc) with + -> ward_PermCell_Inner_T (index_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T self.perms pc) = pc + /\ match val_PermCell_Inner_T (index_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T self.perms pc) with | Direct v -> (index_FMap_PermCell_Inner_T_Ag_Seq_T (view_Authority_FMap_PermCell_Inner_T_Ag_Seq_T self.auth) pc).f0'0 = view_Vec_T_Global v | Link index value next -> contains_PermCell_Inner_T (view_Authority_FMap_PermCell_Inner_T_Ag_Seq_T self.auth) (view_Rc_PermCell_Inner_T_Global next) @@ -4411,8 +4383,7 @@ module M_implementation__impl_PersistentArray_T__set (* implementation::Persiste | s1 = clone_Rc_PermCell_Inner_T_Global {self.permcell} (fun (_x: t_Rc_PermCell_Inner_T_Global) -> [ &_25 <- _x ] s2) | s2 = [ &_22 <- Link index value _25 ] s3 - | s3 = new_Inner_T {_22} - (fun (_x: tup2_PermCell_Inner_T_Ghost_Box_Perm_PermCell_Inner_T_Global) -> [ &_21 <- _x ] s4) + | s3 = new_Inner_T {_22} (fun (_x: tup2_PermCell_Inner_T_Ghost_Perm_PermCell_Inner_T) -> [ &_21 <- _x ] s4) | s4 = [ &permcell'0 <- _21.f0'3 ] s5 | s5 = [ &perm <- _21.f1'3 ] s6 | s6 = [ &_30 <- { c0 = self; c1 = permcell'0; c2 = perm; c3 = new_ag } ] s7 
@@ -4435,7 +4406,7 @@ module M_implementation__impl_PersistentArray_T__set (* implementation::Persiste | & new_ag: t_Ag_Seq_T = Any.any_l () | & permcell'0: t_PermCell_Inner_T = Any.any_l () | & perm: t_Perm_PermCell_Inner_T = Any.any_l () - | & _21: tup2_PermCell_Inner_T_Ghost_Box_Perm_PermCell_Inner_T_Global = Any.any_l () + | & _21: tup2_PermCell_Inner_T_Ghost_Perm_PermCell_Inner_T = Any.any_l () | & _22: t_Inner_T = Any.any_l () | & _25: t_Rc_PermCell_Inner_T_Global = Any.any_l () | & frag'0: t_Fragment_FMap_PermCell_Inner_T_Ag_Seq_T = Any.any_l () @@ -4534,14 +4505,14 @@ module M_implementation__impl_PersistentArray_T__get_immut (* implementation::Pe let rec deref_Ghost_ref_Tokens (self: t_Tokens) (return (x: t_Tokens)) = any [ return (result: t_Tokens) -> {[@stop_split] [@expl:deref ensures] result = self} (! return {result}) ] - type t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global + type t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T type t_Authority_FMap_PermCell_Inner_T_Ag_Seq_T type t_PermCell_Inner_T type t_PA_T = { - perms: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global; + perms: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T; auth: t_Authority_FMap_PermCell_Inner_T_Ag_Seq_T; depth: Map.map t_PermCell_Inner_T int } 
@@ -4608,48 +4579,48 @@ module M_implementation__impl_PersistentArray_T__get_immut (* implementation::Pe type t_Perm_PermCell_Inner_T - type t_Option_Box_Perm_PermCell_Inner_T_Global = None'0 | Some'0 t_Perm_PermCell_Inner_T + type t_Option_Perm_PermCell_Inner_T = None'0 | Some'0 t_Perm_PermCell_Inner_T - function to_mapping_Snapshot_PermCell_Inner_T (self: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) : Map.map t_PermCell_Inner_T t_Option_Box_Perm_PermCell_Inner_T_Global + function to_mapping_Snapshot_PermCell_Inner_T (self: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) : Map.map t_PermCell_Inner_T t_Option_Perm_PermCell_Inner_T - function get_Snapshot_PermCell_Inner_T [@inline:trivial] (self: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) (k: t_PermCell_Inner_T) : t_Option_Box_Perm_PermCell_Inner_T_Global + function get_Snapshot_PermCell_Inner_T [@inline:trivial] (self: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) (k: t_PermCell_Inner_T) : t_Option_Perm_PermCell_Inner_T = Map.get (to_mapping_Snapshot_PermCell_Inner_T self) k meta "rewrite_def" function get_Snapshot_PermCell_Inner_T - predicate contains_Snapshot_PermCell_Inner_T [@inline:trivial] (self: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) (k: t_PermCell_Inner_T) = + predicate contains_Snapshot_PermCell_Inner_T [@inline:trivial] (self: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) (k: t_PermCell_Inner_T) = get_Snapshot_PermCell_Inner_T self k <> None'0 meta "rewrite_def" predicate contains_Snapshot_PermCell_Inner_T function ward_PermCell_Inner_T (self: t_Perm_PermCell_Inner_T) : t_PermCell_Inner_T - predicate index_Mapping_Box_Perm_PermCell_Inner_T_Global_bool [@inline:trivial] (self: Map.map t_Perm_PermCell_Inner_T bool) (a: t_Perm_PermCell_Inner_T) = + predicate index_Mapping_Perm_PermCell_Inner_T_bool [@inline:trivial] (self: Map.map t_Perm_PermCell_Inner_T bool) (a: t_Perm_PermCell_Inner_T) = Map.get self a - 
meta "rewrite_def" predicate index_Mapping_Box_Perm_PermCell_Inner_T_Global_bool + meta "rewrite_def" predicate index_Mapping_Perm_PermCell_Inner_T_bool - function such_that_Box_Perm_PermCell_Inner_T_Global (p: Map.map t_Perm_PermCell_Inner_T bool) : t_Perm_PermCell_Inner_T + function such_that_Perm_PermCell_Inner_T (p: Map.map t_Perm_PermCell_Inner_T bool) : t_Perm_PermCell_Inner_T - axiom such_that_Box_Perm_PermCell_Inner_T_Global_spec: - forall p: Map.map t_Perm_PermCell_Inner_T bool [such_that_Box_Perm_PermCell_Inner_T_Global p]. (exists x: t_Perm_PermCell_Inner_T. index_Mapping_Box_Perm_PermCell_Inner_T_Global_bool p x) - -> index_Mapping_Box_Perm_PermCell_Inner_T_Global_bool p (such_that_Box_Perm_PermCell_Inner_T_Global p) + axiom such_that_Perm_PermCell_Inner_T_spec: + forall p: Map.map t_Perm_PermCell_Inner_T bool [such_that_Perm_PermCell_Inner_T p]. (exists x: t_Perm_PermCell_Inner_T. index_Mapping_Perm_PermCell_Inner_T_bool p x) + -> index_Mapping_Perm_PermCell_Inner_T_bool p (such_that_Perm_PermCell_Inner_T p) - function unwrap_Option_Box_Perm_PermCell_Inner_T_Global (self: t_Option_Box_Perm_PermCell_Inner_T_Global) : t_Perm_PermCell_Inner_T - = match self with + function unwrap_Option_Perm_PermCell_Inner_T (self: t_Option_Perm_PermCell_Inner_T) : t_Perm_PermCell_Inner_T = + match self with | Some'0 x -> x - | None'0 -> such_that_Box_Perm_PermCell_Inner_T_Global (fun (__0: t_Perm_PermCell_Inner_T) -> true) + | None'0 -> such_that_Perm_PermCell_Inner_T (fun (__0: t_Perm_PermCell_Inner_T) -> true) end - function lookup_Snapshot_PermCell_Inner_T [@inline:trivial] (self: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) (k: t_PermCell_Inner_T) : t_Perm_PermCell_Inner_T - = unwrap_Option_Box_Perm_PermCell_Inner_T_Global (get_Snapshot_PermCell_Inner_T self k) + function lookup_Snapshot_PermCell_Inner_T [@inline:trivial] (self: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) (k: t_PermCell_Inner_T) : t_Perm_PermCell_Inner_T + = 
unwrap_Option_Perm_PermCell_Inner_T (get_Snapshot_PermCell_Inner_T self k) meta "rewrite_def" function lookup_Snapshot_PermCell_Inner_T - function index_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global [@inline:trivial] (self: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) (key: t_PermCell_Inner_T) : t_Perm_PermCell_Inner_T + function index_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T [@inline:trivial] (self: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) (key: t_PermCell_Inner_T) : t_Perm_PermCell_Inner_T = lookup_Snapshot_PermCell_Inner_T self key - meta "rewrite_def" function index_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global + meta "rewrite_def" function index_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T type t_Vec_T_Global @@ -4700,9 +4671,8 @@ module M_implementation__impl_PersistentArray_T__get_immut (* implementation::Pe predicate partial_invariant_T [@inline:trivial] (self: t_PA_T) = forall pc: t_PermCell_Inner_T. contains_PermCell_Inner_T (view_Authority_FMap_PermCell_Inner_T_Ag_Seq_T self.auth) pc /\ contains_Snapshot_PermCell_Inner_T self.perms pc - -> ward_PermCell_Inner_T (index_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global self.perms pc) - = pc - /\ match val_PermCell_Inner_T (index_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global self.perms pc) with + -> ward_PermCell_Inner_T (index_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T self.perms pc) = pc + /\ match val_PermCell_Inner_T (index_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T self.perms pc) with | Direct v -> (index_FMap_PermCell_Inner_T_Ag_Seq_T (view_Authority_FMap_PermCell_Inner_T_Ag_Seq_T self.auth) pc).f0'0 = view_Vec_T_Global v | Link index value next -> contains_PermCell_Inner_T (view_Authority_FMap_PermCell_Inner_T_Ag_Seq_T self.auth) (view_Rc_PermCell_Inner_T_Global next) 
@@ -5177,12 +5147,12 @@ module M_implementation__impl_PersistentArray_T__get_inner_immut (* implementati = view_Rc_PermCell_Inner_T_Global self_} (! return {result}) ] - type t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global + type t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T type t_Authority_FMap_PermCell_Inner_T_Ag_Seq_T type t_PA_T = { - perms: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global; + perms: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T; auth: t_Authority_FMap_PermCell_Inner_T_Ag_Seq_T; depth: Map.map t_PermCell_Inner_T int } 
@@ -5241,30 +5211,30 @@ module M_implementation__impl_PersistentArray_T__get_inner_immut (* implementati type t_Perm_PermCell_Inner_T - type t_Option_ref_Box_Perm_PermCell_Inner_T_Global = None | Some t_Perm_PermCell_Inner_T + type t_Option_ref_Perm_PermCell_Inner_T = None | Some t_Perm_PermCell_Inner_T - type t_Option_Box_Perm_PermCell_Inner_T_Global = None'0 | Some'0 t_Perm_PermCell_Inner_T + type t_Option_Perm_PermCell_Inner_T = None'0 | Some'0 t_Perm_PermCell_Inner_T - function map_Option_Box_Perm_PermCell_Inner_T_Global (self: t_Option_Box_Perm_PermCell_Inner_T_Global) (f: Map.map t_Perm_PermCell_Inner_T t_Perm_PermCell_Inner_T) : t_Option_ref_Box_Perm_PermCell_Inner_T_Global + function map_Option_Perm_PermCell_Inner_T (self: t_Option_Perm_PermCell_Inner_T) (f: Map.map t_Perm_PermCell_Inner_T t_Perm_PermCell_Inner_T) : t_Option_ref_Perm_PermCell_Inner_T = match self with | None'0 -> None | Some'0 x -> Some (Map.get f x) end - function to_mapping_Snapshot_PermCell_Inner_T (self: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) : Map.map t_PermCell_Inner_T t_Option_Box_Perm_PermCell_Inner_T_Global + function to_mapping_Snapshot_PermCell_Inner_T (self: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) : Map.map t_PermCell_Inner_T t_Option_Perm_PermCell_Inner_T - function get_Snapshot_PermCell_Inner_T [@inline:trivial] (self: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) (k: t_PermCell_Inner_T) : t_Option_Box_Perm_PermCell_Inner_T_Global + function get_Snapshot_PermCell_Inner_T [@inline:trivial] (self: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) (k: t_PermCell_Inner_T) : t_Option_Perm_PermCell_Inner_T = Map.get (to_mapping_Snapshot_PermCell_Inner_T self) k meta "rewrite_def" function get_Snapshot_PermCell_Inner_T - let rec get_ghost_Snapshot_PermCell_Inner_T (self: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) - (key: t_PermCell_Inner_T) (return (x: 
t_Option_ref_Box_Perm_PermCell_Inner_T_Global)) = any - [ return (result: t_Option_ref_Box_Perm_PermCell_Inner_T_Global) -> {[@stop_split] [@expl:get_ghost ensures] result - = map_Option_Box_Perm_PermCell_Inner_T_Global (get_Snapshot_PermCell_Inner_T self key) (fun (v: t_Perm_PermCell_Inner_T) -> v)} + let rec get_ghost_Snapshot_PermCell_Inner_T (self: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) + (key: t_PermCell_Inner_T) (return (x: t_Option_ref_Perm_PermCell_Inner_T)) = any + [ return (result: t_Option_ref_Perm_PermCell_Inner_T) -> {[@stop_split] [@expl:get_ghost ensures] result + = map_Option_Perm_PermCell_Inner_T (get_Snapshot_PermCell_Inner_T self key) (fun (v: t_Perm_PermCell_Inner_T) -> v)} (! return {result}) ] - let rec unwrap_ref_Box_Perm_PermCell_Inner_T_Global (self_: t_Option_ref_Box_Perm_PermCell_Inner_T_Global) + let rec unwrap_ref_Perm_PermCell_Inner_T (self_: t_Option_ref_Perm_PermCell_Inner_T) (return (x: t_Perm_PermCell_Inner_T)) = {[@stop_split] [@expl:unwrap requires] self_ <> None} any [ return (result: t_Perm_PermCell_Inner_T) -> {[@stop_split] [@expl:unwrap ensures] Some result = self_} 
@@ -5407,37 +5377,37 @@ module M_implementation__impl_PersistentArray_T__get_inner_immut (* implementati function view_Authority_FMap_PermCell_Inner_T_Ag_Seq_T (self: t_Authority_FMap_PermCell_Inner_T_Ag_Seq_T) : t_FMap_PermCell_Inner_T_Ag_Seq_T - predicate contains_Snapshot_PermCell_Inner_T [@inline:trivial] (self: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) (k: t_PermCell_Inner_T) = + predicate contains_Snapshot_PermCell_Inner_T [@inline:trivial] (self: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) (k: t_PermCell_Inner_T) = get_Snapshot_PermCell_Inner_T self k <> None'0 meta "rewrite_def" predicate contains_Snapshot_PermCell_Inner_T - predicate index_Mapping_Box_Perm_PermCell_Inner_T_Global_bool [@inline:trivial] (self: Map.map t_Perm_PermCell_Inner_T bool) (a: t_Perm_PermCell_Inner_T) = + predicate index_Mapping_Perm_PermCell_Inner_T_bool [@inline:trivial] (self: Map.map t_Perm_PermCell_Inner_T bool) (a: t_Perm_PermCell_Inner_T) = Map.get self a - meta "rewrite_def" predicate index_Mapping_Box_Perm_PermCell_Inner_T_Global_bool + meta "rewrite_def" predicate index_Mapping_Perm_PermCell_Inner_T_bool - function such_that_Box_Perm_PermCell_Inner_T_Global (p: Map.map t_Perm_PermCell_Inner_T bool) : t_Perm_PermCell_Inner_T + function such_that_Perm_PermCell_Inner_T (p: Map.map t_Perm_PermCell_Inner_T bool) : t_Perm_PermCell_Inner_T - axiom such_that_Box_Perm_PermCell_Inner_T_Global_spec: - forall p: Map.map t_Perm_PermCell_Inner_T bool [such_that_Box_Perm_PermCell_Inner_T_Global p]. (exists x: t_Perm_PermCell_Inner_T. index_Mapping_Box_Perm_PermCell_Inner_T_Global_bool p x) - -> index_Mapping_Box_Perm_PermCell_Inner_T_Global_bool p (such_that_Box_Perm_PermCell_Inner_T_Global p) + axiom such_that_Perm_PermCell_Inner_T_spec: + forall p: Map.map t_Perm_PermCell_Inner_T bool [such_that_Perm_PermCell_Inner_T p]. (exists x: t_Perm_PermCell_Inner_T. 
index_Mapping_Perm_PermCell_Inner_T_bool p x) + -> index_Mapping_Perm_PermCell_Inner_T_bool p (such_that_Perm_PermCell_Inner_T p) - function unwrap_Option_Box_Perm_PermCell_Inner_T_Global (self: t_Option_Box_Perm_PermCell_Inner_T_Global) : t_Perm_PermCell_Inner_T - = match self with + function unwrap_Option_Perm_PermCell_Inner_T (self: t_Option_Perm_PermCell_Inner_T) : t_Perm_PermCell_Inner_T = + match self with | Some'0 x -> x - | None'0 -> such_that_Box_Perm_PermCell_Inner_T_Global (fun (__0: t_Perm_PermCell_Inner_T) -> true) + | None'0 -> such_that_Perm_PermCell_Inner_T (fun (__0: t_Perm_PermCell_Inner_T) -> true) end - function lookup_Snapshot_PermCell_Inner_T [@inline:trivial] (self: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) (k: t_PermCell_Inner_T) : t_Perm_PermCell_Inner_T - = unwrap_Option_Box_Perm_PermCell_Inner_T_Global (get_Snapshot_PermCell_Inner_T self k) + function lookup_Snapshot_PermCell_Inner_T [@inline:trivial] (self: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) (k: t_PermCell_Inner_T) : t_Perm_PermCell_Inner_T + = unwrap_Option_Perm_PermCell_Inner_T (get_Snapshot_PermCell_Inner_T self k) meta "rewrite_def" function lookup_Snapshot_PermCell_Inner_T - function index_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global [@inline:trivial] (self: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) (key: t_PermCell_Inner_T) : t_Perm_PermCell_Inner_T + function index_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T [@inline:trivial] (self: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) (key: t_PermCell_Inner_T) : t_Perm_PermCell_Inner_T = lookup_Snapshot_PermCell_Inner_T self key - meta "rewrite_def" function index_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global + meta "rewrite_def" function index_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T predicate index_Mapping_Ag_Seq_T_bool [@inline:trivial] (self: Map.map t_Ag_Seq_T bool) (a: t_Ag_Seq_T) = Map.get self 
a @@ -5473,9 +5443,8 @@ module M_implementation__impl_PersistentArray_T__get_inner_immut (* implementati predicate partial_invariant_T [@inline:trivial] (self: t_PA_T) = forall pc: t_PermCell_Inner_T. contains_PermCell_Inner_T (view_Authority_FMap_PermCell_Inner_T_Ag_Seq_T self.auth) pc /\ contains_Snapshot_PermCell_Inner_T self.perms pc - -> ward_PermCell_Inner_T (index_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global self.perms pc) - = pc - /\ match val_PermCell_Inner_T (index_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global self.perms pc) with + -> ward_PermCell_Inner_T (index_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T self.perms pc) = pc + /\ match val_PermCell_Inner_T (index_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T self.perms pc) with | Direct v -> (index_FMap_PermCell_Inner_T_Ag_Seq_T (view_Authority_FMap_PermCell_Inner_T_Ag_Seq_T self.auth) pc).f0 = view_Vec_T_Global v | Link index value next -> contains_PermCell_Inner_T (view_Authority_FMap_PermCell_Inner_T_Ag_Seq_T self.auth) (view_Rc_PermCell_Inner_T_Global next) @@ -5513,8 +5482,8 @@ module M_implementation__impl_PersistentArray_T__get_inner_immut (* implementati | s1 = deref_Ghost_ref_PA_T {pa} (fun (_x: t_PA_T) -> [ &_27 <- _x ] s2) | s2 = [ &_30 <- view_Rc_PermCell_Inner_T_Global inner ] s3 | s3 = get_ghost_Snapshot_PermCell_Inner_T {_27.perms} {_30} - (fun (_x: t_Option_ref_Box_Perm_PermCell_Inner_T_Global) -> [ &_25 <- _x ] s4) - | s4 = unwrap_ref_Box_Perm_PermCell_Inner_T_Global {_25} (fun (_x: t_Perm_PermCell_Inner_T) -> [ &_24 <- _x ] s5) + (fun (_x: t_Option_ref_Perm_PermCell_Inner_T) -> [ &_25 <- _x ] s4) + | s4 = unwrap_ref_Perm_PermCell_Inner_T {_25} (fun (_x: t_Perm_PermCell_Inner_T) -> [ &_24 <- _x ] s5) | s5 = new_ref_Perm_PermCell_Inner_T {_24} (fun (_x: t_Perm_PermCell_Inner_T) -> [ &_22 <- _x ] s6) | s6 = borrow_Inner_T {_20} {_22} (fun (_x: t_Inner_T) -> [ &_18 <- _x ] s7) | s7 = any 
@@ -5552,7 +5521,7 @@ module M_implementation__impl_PersistentArray_T__get_inner_immut (* implementati | & _20: t_PermCell_Inner_T = Any.any_l () | & _22: t_Perm_PermCell_Inner_T = Any.any_l () | & _24: t_Perm_PermCell_Inner_T = Any.any_l () - | & _25: t_Option_ref_Box_Perm_PermCell_Inner_T_Global = Any.any_l () + | & _25: t_Option_ref_Perm_PermCell_Inner_T = Any.any_l () | & _27: t_PA_T = Any.any_l () | & _30: t_PermCell_Inner_T = Any.any_l () | & v: t_Vec_T_Global = Any.any_l () @@ -5584,14 +5553,14 @@ module M_implementation__impl_PersistentArray_T__reroot (* implementation::Persi use creusot.prelude.Any use int.Int - type t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global + type t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T type t_Authority_FMap_PermCell_Inner_T_Ag_Seq_T type t_PermCell_Inner_T type t_PA_T = { - perms: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global; + perms: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T; auth: t_Authority_FMap_PermCell_Inner_T_Ag_Seq_T; depth: Map.map t_PermCell_Inner_T int } 
@@ -5660,34 +5629,34 @@ module M_implementation__impl_PersistentArray_T__reroot (* implementation::Persi type t_Perm_PermCell_Inner_T - type t_Option_Box_Perm_PermCell_Inner_T_Global = None | Some t_Perm_PermCell_Inner_T + type t_Option_Perm_PermCell_Inner_T = None | Some t_Perm_PermCell_Inner_T - function to_mapping_Snapshot_PermCell_Inner_T (self: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) : Map.map t_PermCell_Inner_T t_Option_Box_Perm_PermCell_Inner_T_Global + function to_mapping_Snapshot_PermCell_Inner_T (self: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) : Map.map t_PermCell_Inner_T t_Option_Perm_PermCell_Inner_T - function len_Snapshot_PermCell_Inner_T (self: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) : int + function len_Snapshot_PermCell_Inner_T (self: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) : int axiom len_Snapshot_PermCell_Inner_T_spec: - forall self: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global [len_Snapshot_PermCell_Inner_T self]. len_Snapshot_PermCell_Inner_T self + forall self: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T [len_Snapshot_PermCell_Inner_T self]. 
len_Snapshot_PermCell_Inner_T self >= 0 - function get_Snapshot_PermCell_Inner_T [@inline:trivial] (self: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) (k: t_PermCell_Inner_T) : t_Option_Box_Perm_PermCell_Inner_T_Global + function get_Snapshot_PermCell_Inner_T [@inline:trivial] (self: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) (k: t_PermCell_Inner_T) : t_Option_Perm_PermCell_Inner_T = Map.get (to_mapping_Snapshot_PermCell_Inner_T self) k meta "rewrite_def" function get_Snapshot_PermCell_Inner_T - predicate contains_Snapshot_PermCell_Inner_T [@inline:trivial] (self: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) (k: t_PermCell_Inner_T) = + predicate contains_Snapshot_PermCell_Inner_T [@inline:trivial] (self: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) (k: t_PermCell_Inner_T) = get_Snapshot_PermCell_Inner_T self k <> None meta "rewrite_def" predicate contains_Snapshot_PermCell_Inner_T - function remove_Snapshot_PermCell_Inner_T (self: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) (k: t_PermCell_Inner_T) : t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global + function remove_Snapshot_PermCell_Inner_T (self: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) (k: t_PermCell_Inner_T) : t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T axiom remove_Snapshot_PermCell_Inner_T_spec: - forall self: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global, k: t_PermCell_Inner_T [remove_Snapshot_PermCell_Inner_T self k]. to_mapping_Snapshot_PermCell_Inner_T (remove_Snapshot_PermCell_Inner_T self k) + forall self: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T, k: t_PermCell_Inner_T [remove_Snapshot_PermCell_Inner_T self k]. 
to_mapping_Snapshot_PermCell_Inner_T (remove_Snapshot_PermCell_Inner_T self k) = Map.set (to_mapping_Snapshot_PermCell_Inner_T self) k (None) axiom remove_Snapshot_PermCell_Inner_T_spec'0: - forall self: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global, k: t_PermCell_Inner_T [remove_Snapshot_PermCell_Inner_T self k]. len_Snapshot_PermCell_Inner_T (remove_Snapshot_PermCell_Inner_T self k) + forall self: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T, k: t_PermCell_Inner_T [remove_Snapshot_PermCell_Inner_T self k]. len_Snapshot_PermCell_Inner_T (remove_Snapshot_PermCell_Inner_T self k) = (if contains_Snapshot_PermCell_Inner_T self k then len_Snapshot_PermCell_Inner_T self - 1 else @@ -5695,9 +5664,9 @@ module M_implementation__impl_PersistentArray_T__reroot (* implementation::Persi ) let rec remove_ghost_Snapshot_PermCell_Inner_T - (self: MutBorrow.t t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) (key: t_PermCell_Inner_T) - (return (x: t_Option_Box_Perm_PermCell_Inner_T_Global)) = any - [ return (result: t_Option_Box_Perm_PermCell_Inner_T_Global) -> + (self: MutBorrow.t t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) (key: t_PermCell_Inner_T) + (return (x: t_Option_Perm_PermCell_Inner_T)) = any + [ return (result: t_Option_Perm_PermCell_Inner_T) -> {[@stop_split] [@expl:remove_ghost_Snapshot_PermCell_Inner_T ensures] ([@stop_split] [@expl:remove_ghost ensures #0] self.final = remove_Snapshot_PermCell_Inner_T self.current key) /\ ([@stop_split] [@expl:remove_ghost ensures #1] result = get_Snapshot_PermCell_Inner_T self.current key)} 
@@ -5707,14 +5676,13 @@ module M_implementation__impl_PersistentArray_T__reroot (* implementation::Persi meta "rewrite_def" predicate resolve_refmut_refmut_PA_T - let rec unwrap_Box_Perm_PermCell_Inner_T_Global (self_: t_Option_Box_Perm_PermCell_Inner_T_Global) - (return (x: t_Perm_PermCell_Inner_T)) = {[@stop_split] [@expl:unwrap requires] self_ <> None} + let rec unwrap_Perm_PermCell_Inner_T (self_: t_Option_Perm_PermCell_Inner_T) (return (x: t_Perm_PermCell_Inner_T)) = + {[@stop_split] [@expl:unwrap requires] self_ <> None} any [ return (result: t_Perm_PermCell_Inner_T) -> {[@stop_split] [@expl:unwrap ensures] Some result = self_} (! return {result}) ] - let rec new_Box_Perm_PermCell_Inner_T_Global (x: t_Perm_PermCell_Inner_T) (return (x'0: t_Perm_PermCell_Inner_T)) = - any + let rec new_Perm_PermCell_Inner_T (x: t_Perm_PermCell_Inner_T) (return (x'0: t_Perm_PermCell_Inner_T)) = any [ return (result: t_Perm_PermCell_Inner_T) -> {[@stop_split] [@expl:new ensures] result = x} (! return {result}) ] predicate inv_Rc_PermCell_Inner_T_Global (_1: t_Rc_PermCell_Inner_T_Global) 
@@ -5736,20 +5704,15 @@ module M_implementation__impl_PersistentArray_T__reroot (* implementation::Persi = view_Rc_PermCell_Inner_T_Global self_} (! return {result}) ] - let rec deref_mut_Ghost_Box_Perm_PermCell_Inner_T_Global (self: MutBorrow.t t_Perm_PermCell_Inner_T) + let rec deref_mut_Ghost_Perm_PermCell_Inner_T (self: MutBorrow.t t_Perm_PermCell_Inner_T) (return (x: MutBorrow.t t_Perm_PermCell_Inner_T)) = any [ return (result: MutBorrow.t t_Perm_PermCell_Inner_T) -> {[@stop_split] [@expl:deref_mut ensures] result = self} (! return {result}) ] - predicate resolve_refmut_Ghost_Box_Perm_PermCell_Inner_T_Global [@inline:trivial] (_1: MutBorrow.t t_Perm_PermCell_Inner_T) = + predicate resolve_refmut_Ghost_Perm_PermCell_Inner_T [@inline:trivial] (_1: MutBorrow.t t_Perm_PermCell_Inner_T) = _1.final = _1.current - meta "rewrite_def" predicate resolve_refmut_Ghost_Box_Perm_PermCell_Inner_T_Global - - predicate resolve_refmut_Box_Perm_PermCell_Inner_T_Global [@inline:trivial] (_1: MutBorrow.t t_Perm_PermCell_Inner_T) = - _1.final = _1.current - - meta "rewrite_def" predicate resolve_refmut_Box_Perm_PermCell_Inner_T_Global + meta "rewrite_def" predicate resolve_refmut_Ghost_Perm_PermCell_Inner_T predicate resolve_refmut_Perm_PermCell_Inner_T [@inline:trivial] (_1: MutBorrow.t t_Perm_PermCell_Inner_T) = _1.final = _1.current 
@@ -5847,19 +5810,18 @@ module M_implementation__impl_PersistentArray_T__reroot (* implementation::Persi meta "rewrite_def" predicate resolve_refmut_Inner_T - let rec into_inner_Box_Perm_PermCell_Inner_T_Global (self: t_Perm_PermCell_Inner_T) - (return (x: t_Perm_PermCell_Inner_T)) = any + let rec into_inner_Perm_PermCell_Inner_T (self: t_Perm_PermCell_Inner_T) (return (x: t_Perm_PermCell_Inner_T)) = any [ return (result: t_Perm_PermCell_Inner_T) -> {[@stop_split] [@expl:into_inner ensures] result = self} (! return {result}) ] - function insert_Snapshot_PermCell_Inner_T (self: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) (k: t_PermCell_Inner_T) (v: t_Perm_PermCell_Inner_T) : t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global + function insert_Snapshot_PermCell_Inner_T (self: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) (k: t_PermCell_Inner_T) (v: t_Perm_PermCell_Inner_T) : t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T axiom insert_Snapshot_PermCell_Inner_T_spec: - forall self: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global, k: t_PermCell_Inner_T, v: t_Perm_PermCell_Inner_T [insert_Snapshot_PermCell_Inner_T self k v]. to_mapping_Snapshot_PermCell_Inner_T (insert_Snapshot_PermCell_Inner_T self k v) + forall self: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T, k: t_PermCell_Inner_T, v: t_Perm_PermCell_Inner_T [insert_Snapshot_PermCell_Inner_T self k v]. to_mapping_Snapshot_PermCell_Inner_T (insert_Snapshot_PermCell_Inner_T self k v) = Map.set (to_mapping_Snapshot_PermCell_Inner_T self) k (Some v) axiom insert_Snapshot_PermCell_Inner_T_spec'0: - forall self: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global, k: t_PermCell_Inner_T, v: t_Perm_PermCell_Inner_T [insert_Snapshot_PermCell_Inner_T self k v]. 
len_Snapshot_PermCell_Inner_T (insert_Snapshot_PermCell_Inner_T self k v) + forall self: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T, k: t_PermCell_Inner_T, v: t_Perm_PermCell_Inner_T [insert_Snapshot_PermCell_Inner_T self k v]. len_Snapshot_PermCell_Inner_T (insert_Snapshot_PermCell_Inner_T self k v) = (if contains_Snapshot_PermCell_Inner_T self k then len_Snapshot_PermCell_Inner_T self else @@ -5867,9 +5829,9 @@ module M_implementation__impl_PersistentArray_T__reroot (* implementation::Persi ) let rec insert_ghost_Snapshot_PermCell_Inner_T - (self: MutBorrow.t t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) (key: t_PermCell_Inner_T) - (value: t_Perm_PermCell_Inner_T) (return (x: t_Option_Box_Perm_PermCell_Inner_T_Global)) = any - [ return (result: t_Option_Box_Perm_PermCell_Inner_T_Global) -> + (self: MutBorrow.t t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) (key: t_PermCell_Inner_T) + (value: t_Perm_PermCell_Inner_T) (return (x: t_Option_Perm_PermCell_Inner_T)) = any + [ return (result: t_Option_Perm_PermCell_Inner_T) -> {[@stop_split] [@expl:insert_ghost_Snapshot_PermCell_Inner_T ensures] ([@stop_split] [@expl:insert_ghost ensures #0] self.final = insert_Snapshot_PermCell_Inner_T self.current key value) /\ ([@stop_split] [@expl:insert_ghost ensures #1] result = get_Snapshot_PermCell_Inner_T self.current key)} 
@@ -5887,9 +5849,9 @@ module M_implementation__impl_PersistentArray_T__reroot (* implementation::Persi meta "rewrite_def" predicate resolve_Ghost_refmut_PA_T'0 - let rec new_Option_Box_Perm_PermCell_Inner_T_Global (x: t_Option_Box_Perm_PermCell_Inner_T_Global) - (return (x'0: t_Option_Box_Perm_PermCell_Inner_T_Global)) = any - [ return (result: t_Option_Box_Perm_PermCell_Inner_T_Global) -> {[@stop_split] [@expl:new ensures] result = x} + let rec new_Option_Perm_PermCell_Inner_T (x: t_Option_Perm_PermCell_Inner_T) + (return (x'0: t_Option_Perm_PermCell_Inner_T)) = any + [ return (result: t_Option_Perm_PermCell_Inner_T) -> {[@stop_split] [@expl:new ensures] result = x} (! return {result}) ] let rec elim_Link (_x: t_Inner_T) (return (index: UInt64.t) (value: t_T) (next: t_Rc_PermCell_Inner_T_Global)) = any 
@@ -5944,45 +5906,45 @@ module M_implementation__impl_PersistentArray_T__reroot (* implementation::Persi meta "rewrite_def" predicate resolve_refmut_Rc_PermCell_Inner_T_Global - type t_Option_refmut_Box_Perm_PermCell_Inner_T_Global = None'0 | Some'0 (MutBorrow.t t_Perm_PermCell_Inner_T) + type t_Option_refmut_Perm_PermCell_Inner_T = None'0 | Some'0 (MutBorrow.t t_Perm_PermCell_Inner_T) - predicate index_Mapping_Box_Perm_PermCell_Inner_T_Global_bool [@inline:trivial] (self: Map.map t_Perm_PermCell_Inner_T bool) (a: t_Perm_PermCell_Inner_T) = + predicate index_Mapping_Perm_PermCell_Inner_T_bool [@inline:trivial] (self: Map.map t_Perm_PermCell_Inner_T bool) (a: t_Perm_PermCell_Inner_T) = Map.get self a - meta "rewrite_def" predicate index_Mapping_Box_Perm_PermCell_Inner_T_Global_bool + meta "rewrite_def" predicate index_Mapping_Perm_PermCell_Inner_T_bool - function such_that_Box_Perm_PermCell_Inner_T_Global (p: Map.map t_Perm_PermCell_Inner_T bool) : t_Perm_PermCell_Inner_T + function such_that_Perm_PermCell_Inner_T (p: Map.map t_Perm_PermCell_Inner_T bool) : t_Perm_PermCell_Inner_T - axiom such_that_Box_Perm_PermCell_Inner_T_Global_spec: - forall p: Map.map t_Perm_PermCell_Inner_T bool [such_that_Box_Perm_PermCell_Inner_T_Global p]. (exists x: t_Perm_PermCell_Inner_T. index_Mapping_Box_Perm_PermCell_Inner_T_Global_bool p x) - -> index_Mapping_Box_Perm_PermCell_Inner_T_Global_bool p (such_that_Box_Perm_PermCell_Inner_T_Global p) + axiom such_that_Perm_PermCell_Inner_T_spec: + forall p: Map.map t_Perm_PermCell_Inner_T bool [such_that_Perm_PermCell_Inner_T p]. (exists x: t_Perm_PermCell_Inner_T. 
index_Mapping_Perm_PermCell_Inner_T_bool p x) + -> index_Mapping_Perm_PermCell_Inner_T_bool p (such_that_Perm_PermCell_Inner_T p) - function unwrap_Option_Box_Perm_PermCell_Inner_T_Global (self: t_Option_Box_Perm_PermCell_Inner_T_Global) : t_Perm_PermCell_Inner_T - = match self with + function unwrap_Option_Perm_PermCell_Inner_T (self: t_Option_Perm_PermCell_Inner_T) : t_Perm_PermCell_Inner_T = + match self with | Some x -> x - | None -> such_that_Box_Perm_PermCell_Inner_T_Global (fun (__0: t_Perm_PermCell_Inner_T) -> true) + | None -> such_that_Perm_PermCell_Inner_T (fun (__0: t_Perm_PermCell_Inner_T) -> true) end - function lookup_Snapshot_PermCell_Inner_T [@inline:trivial] (self: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) (k: t_PermCell_Inner_T) : t_Perm_PermCell_Inner_T - = unwrap_Option_Box_Perm_PermCell_Inner_T_Global (get_Snapshot_PermCell_Inner_T self k) + function lookup_Snapshot_PermCell_Inner_T [@inline:trivial] (self: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) (k: t_PermCell_Inner_T) : t_Perm_PermCell_Inner_T + = unwrap_Option_Perm_PermCell_Inner_T (get_Snapshot_PermCell_Inner_T self k) meta "rewrite_def" function lookup_Snapshot_PermCell_Inner_T - function index_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global [@inline:trivial] (self: t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) (key: t_PermCell_Inner_T) : t_Perm_PermCell_Inner_T + function index_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T [@inline:trivial] (self: t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) (key: t_PermCell_Inner_T) : t_Perm_PermCell_Inner_T = lookup_Snapshot_PermCell_Inner_T self key - meta "rewrite_def" function index_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global + meta "rewrite_def" function index_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T let rec get_mut_ghost_Snapshot_PermCell_Inner_T - (self: MutBorrow.t 
t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) (key: t_PermCell_Inner_T) - (return (x: t_Option_refmut_Box_Perm_PermCell_Inner_T_Global)) = any - [ return (result: t_Option_refmut_Box_Perm_PermCell_Inner_T_Global) -> + (self: MutBorrow.t t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) (key: t_PermCell_Inner_T) + (return (x: t_Option_refmut_Perm_PermCell_Inner_T)) = any + [ return (result: t_Option_refmut_Perm_PermCell_Inner_T) -> {[@stop_split] [@expl:get_mut_ghost_Snapshot_PermCell_Inner_T ensures] ([@stop_split] [@expl:get_mut_ghost ensures #0] if contains_Snapshot_PermCell_Inner_T self.current key then match result with | None'0 -> false | Some'0 r -> contains_Snapshot_PermCell_Inner_T self.final key - /\ index_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global self.current key = r.current - /\ index_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global self.final key = r.final + /\ index_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T self.current key = r.current + /\ index_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T self.final key = r.final end else result = None'0 /\ self.current = self.final @@ -5993,7 +5955,7 @@ module M_implementation__impl_PersistentArray_T__reroot (* implementation::Persi = len_Snapshot_PermCell_Inner_T self.final)} (! return {result}) ] - let rec unwrap_refmut_Box_Perm_PermCell_Inner_T_Global (self_: t_Option_refmut_Box_Perm_PermCell_Inner_T_Global) + let rec unwrap_refmut_Perm_PermCell_Inner_T (self_: t_Option_refmut_Perm_PermCell_Inner_T) (return (x: MutBorrow.t t_Perm_PermCell_Inner_T)) = {[@stop_split] [@expl:unwrap requires] self_ <> None'0} any [ return (result: MutBorrow.t t_Perm_PermCell_Inner_T) -> {[@stop_split] [@expl:unwrap ensures] Some'0 result 
@@ -6142,9 +6104,8 @@ module M_implementation__impl_PersistentArray_T__reroot (* implementation::Persi predicate partial_invariant_T [@inline:trivial] (self: t_PA_T) = forall pc: t_PermCell_Inner_T. contains_PermCell_Inner_T (view_Authority_FMap_PermCell_Inner_T_Ag_Seq_T self.auth) pc /\ contains_Snapshot_PermCell_Inner_T self.perms pc - -> ward_PermCell_Inner_T (index_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global self.perms pc) - = pc - /\ match val_PermCell_Inner_T (index_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global self.perms pc) with + -> ward_PermCell_Inner_T (index_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T self.perms pc) = pc + /\ match val_PermCell_Inner_T (index_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T self.perms pc) with | Direct v -> (index_FMap_PermCell_Inner_T_Ag_Seq_T (view_Authority_FMap_PermCell_Inner_T_Ag_Seq_T self.auth) pc).f0 = view_Vec_T_Global v | Link index value next -> contains_PermCell_Inner_T (view_Authority_FMap_PermCell_Inner_T_Ag_Seq_T self.auth) (view_Rc_PermCell_Inner_T_Global next) 
@@ -6183,31 +6144,30 @@ module M_implementation__impl_PersistentArray_T__reroot (* implementation::Persi [ &pa <- _bor.final ] s1) [ _ck -> (! {[@expl:type invariant] inv_Ghost_refmut_PA_T pa} any) ] | s1 = deref_mut_Ghost_refmut_PA_T {_28} (fun (_x: MutBorrow.t (MutBorrow.t t_PA_T)) -> [ &_27 <- _x ] s2) | s2 = [ &_30 <- view_Rc_PermCell_Inner_T_Global cur ] s3 - | s3 = MutBorrow.borrow_mut - {_27.current.current.perms} - (fun (_bor: MutBorrow.t t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) -> + | s3 = MutBorrow.borrow_mut {_27.current.current.perms} + (fun (_bor: MutBorrow.t t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) -> [ &_26 <- _bor ] [ &_27 <- { _27 with current = { _27.current with current = { _27.current.current with perms = _bor.final } } } ] s4) | s4 = remove_ghost_Snapshot_PermCell_Inner_T {_26} {_30} - (fun (_x: t_Option_Box_Perm_PermCell_Inner_T_Global) -> [ &_25 <- _x ] s5) + (fun (_x: t_Option_Perm_PermCell_Inner_T) -> [ &_25 <- _x ] s5) | s5 = s6 [ _ck -> (! 
{[@expl:type invariant] inv_refmut_refmut_PA_T _27} any) ] | s6 = -{resolve_refmut_refmut_PA_T _27}- s7 - | s7 = unwrap_Box_Perm_PermCell_Inner_T_Global {_25} (fun (_x: t_Perm_PermCell_Inner_T) -> [ &_24 <- _x ] s8) - | s8 = new_Box_Perm_PermCell_Inner_T_Global {_24} (fun (_x: t_Perm_PermCell_Inner_T) -> [ &perm_cur <- _x ] s9) + | s7 = unwrap_Perm_PermCell_Inner_T {_25} (fun (_x: t_Perm_PermCell_Inner_T) -> [ &_24 <- _x ] s8) + | s8 = new_Perm_PermCell_Inner_T {_24} (fun (_x: t_Perm_PermCell_Inner_T) -> [ &perm_cur <- _x ] s9) | s9 = deref_Rc_PermCell_Inner_T_Global {cur} (fun (_x: t_PermCell_Inner_T) -> [ &_37 <- _x ] s10) | s10 = MutBorrow.borrow_mut {perm_cur} (fun (_bor: MutBorrow.t t_Perm_PermCell_Inner_T) -> [ &_45 <- _bor ] [ &perm_cur <- _bor.final ] s11) | s11 = MutBorrow.borrow_final {_45.current} {MutBorrow.get_id _45} (fun (_bor: MutBorrow.t t_Perm_PermCell_Inner_T) -> [ &_44 <- _bor ] [ &_45 <- { _45 with current = _bor.final } ] s12) - | s12 = deref_mut_Ghost_Box_Perm_PermCell_Inner_T_Global {_44} + | s12 = deref_mut_Ghost_Perm_PermCell_Inner_T {_44} (fun (_x: MutBorrow.t t_Perm_PermCell_Inner_T) -> [ &_43 <- _x ] s13) | s13 = MutBorrow.borrow_final {_43.current} {MutBorrow.get_id _43} (fun (_bor: MutBorrow.t t_Perm_PermCell_Inner_T) -> [ &_42 <- _bor ] [ &_43 <- { _43 with current = _bor.final } ] s14) - | s14 = -{resolve_refmut_Ghost_Box_Perm_PermCell_Inner_T_Global _45}- s15 - | s15 = -{resolve_refmut_Box_Perm_PermCell_Inner_T_Global _43}- s16 + | s14 = -{resolve_refmut_Ghost_Perm_PermCell_Inner_T _45}- s15 + | s15 = -{resolve_refmut_Perm_PermCell_Inner_T _43}- s16 | s16 = MutBorrow.borrow_final {_42.current} {MutBorrow.get_id _42} (fun (_bor: MutBorrow.t t_Perm_PermCell_Inner_T) -> [ &_41 <- _bor ] [ &_42 <- { _42 with current = _bor.final } ] s17) 
@@ -6238,22 +6198,19 @@ module M_implementation__impl_PersistentArray_T__reroot (* implementation::Persi [ &_51 <- _bor ] -{inv_Ghost_refmut_PA_T _bor.final}- [ &pa <- _bor.final ] s3) [ _ck -> (! {[@expl:type invariant] inv_Ghost_refmut_PA_T pa} any) ] | s3 = deref_mut_Ghost_refmut_PA_T {_51} (fun (_x: MutBorrow.t (MutBorrow.t t_PA_T)) -> [ &_50 <- _x ] s4) - | s4 = into_inner_Box_Perm_PermCell_Inner_T_Global {perm_cur} - (fun (_x: t_Perm_PermCell_Inner_T) -> [ &_55 <- _x ] s5) - | s5 = MutBorrow.borrow_mut - {_50.current.current.perms} - (fun (_bor: MutBorrow.t t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) -> + | s4 = into_inner_Perm_PermCell_Inner_T {perm_cur} (fun (_x: t_Perm_PermCell_Inner_T) -> [ &_55 <- _x ] s5) + | s5 = MutBorrow.borrow_mut {_50.current.current.perms} + (fun (_bor: MutBorrow.t t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) -> [ &_49 <- _bor ] [ &_50 <- { _50 with current = { _50.current with current = { _50.current.current with perms = _bor.final } } } ] s6) | s6 = insert_ghost_Snapshot_PermCell_Inner_T {_49} {view_Rc_PermCell_Inner_T_Global cur} {_55} - (fun (_x: t_Option_Box_Perm_PermCell_Inner_T_Global) -> [ &_48 <- _x ] s7) + (fun (_x: t_Option_Perm_PermCell_Inner_T) -> [ &_48 <- _x ] s7) | s7 = s8 [ _ck -> (! {[@expl:type invariant] inv_refmut_refmut_PA_T _50} any) ] | s8 = -{resolve_refmut_refmut_PA_T _50}- s9 | s9 = s10 [ _ck -> (! {[@expl:type invariant] inv_Ghost_refmut_PA_T pa} any) ] | s10 = -{resolve_Ghost_refmut_PA_T'0 pa}- s11 - | s11 = new_Option_Box_Perm_PermCell_Inner_T_Global {_48} - (fun (_x: t_Option_Box_Perm_PermCell_Inner_T_Global) -> [ &_47 <- _x ] s12) + | s11 = new_Option_Perm_PermCell_Inner_T {_48} (fun (_x: t_Option_Perm_PermCell_Inner_T) -> [ &_47 <- _x ] s12) | s12 = return {_ret} ] | bb17 = s0 [ s0 = elim_Link {bor_cur.current} 
@@ -6327,22 +6284,21 @@ module M_implementation__impl_PersistentArray_T__reroot (* implementation::Persi [ &pa <- _bor.final ] s26) [ _ck -> (! {[@expl:type invariant] inv_Ghost_refmut_PA_T pa} any) ] | s26 = deref_mut_Ghost_refmut_PA_T {_83} (fun (_x: MutBorrow.t (MutBorrow.t t_PA_T)) -> [ &_82 <- _x ] s27) | s27 = [ &_85 <- view_Rc_PermCell_Inner_T_Global next'0 ] s28 - | s28 = MutBorrow.borrow_mut - {_82.current.current.perms} - (fun (_bor: MutBorrow.t t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) -> + | s28 = MutBorrow.borrow_mut {_82.current.current.perms} + (fun (_bor: MutBorrow.t t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) -> [ &_81 <- _bor ] [ &_82 <- { _82 with current = { _82.current with current = { _82.current.current with perms = _bor.final } } } ] s29) | s29 = get_mut_ghost_Snapshot_PermCell_Inner_T {_81} {_85} - (fun (_x: t_Option_refmut_Box_Perm_PermCell_Inner_T_Global) -> [ &_80 <- _x ] s30) - | s30 = unwrap_refmut_Box_Perm_PermCell_Inner_T_Global {_80} + (fun (_x: t_Option_refmut_Perm_PermCell_Inner_T) -> [ &_80 <- _x ] s30) + | s30 = unwrap_refmut_Perm_PermCell_Inner_T {_80} (fun (_x: MutBorrow.t t_Perm_PermCell_Inner_T) -> [ &_79 <- _x ] s31) | s31 = MutBorrow.borrow_final {_79.current} {MutBorrow.get_id _79} (fun (_bor: MutBorrow.t t_Perm_PermCell_Inner_T) -> [ &_78 <- _bor ] [ &_79 <- { _79 with current = _bor.final } ] s32) | s32 = s33 [ _ck -> (! {[@expl:type invariant] inv_refmut_refmut_PA_T _82} any) ] | s33 = -{resolve_refmut_refmut_PA_T _82}- s34 - | s34 = -{resolve_refmut_Box_Perm_PermCell_Inner_T_Global _79}- s35 + | s34 = -{resolve_refmut_Perm_PermCell_Inner_T _79}- s35 | s35 = MutBorrow.borrow_final {_78.current} {MutBorrow.get_id _78} (fun (_bor: MutBorrow.t t_Perm_PermCell_Inner_T) -> [ &_77 <- _bor ] [ &_78 <- { _78 with current = _bor.final } ] s36) 
@@ -6434,16 +6390,14 @@ module M_implementation__impl_PersistentArray_T__reroot (* implementation::Persi [ &_113 <- _bor ] -{inv_Ghost_refmut_PA_T _bor.final}- [ &pa <- _bor.final ] s24) [ _ck -> (! {[@expl:type invariant] inv_Ghost_refmut_PA_T pa} any) ] | s24 = deref_mut_Ghost_refmut_PA_T {_113} (fun (_x: MutBorrow.t (MutBorrow.t t_PA_T)) -> [ &_112 <- _x ] s25) - | s25 = into_inner_Box_Perm_PermCell_Inner_T_Global {perm_cur} - (fun (_x: t_Perm_PermCell_Inner_T) -> [ &_117 <- _x ] s26) - | s26 = MutBorrow.borrow_mut - {_112.current.current.perms} - (fun (_bor: MutBorrow.t t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global) -> + | s25 = into_inner_Perm_PermCell_Inner_T {perm_cur} (fun (_x: t_Perm_PermCell_Inner_T) -> [ &_117 <- _x ] s26) + | s26 = MutBorrow.borrow_mut {_112.current.current.perms} + (fun (_bor: MutBorrow.t t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T) -> [ &_111 <- _bor ] [ &_112 <- { _112 with current = { _112.current with current = { _112.current.current with perms = _bor.final } } } ] s27) | s27 = insert_ghost_Snapshot_PermCell_Inner_T {_111} {view_Rc_PermCell_Inner_T_Global cur} {_117} - (fun (_x: t_Option_Box_Perm_PermCell_Inner_T_Global) -> [ &_110 <- _x ] s28) + (fun (_x: t_Option_Perm_PermCell_Inner_T) -> [ &_110 <- _x ] s28) | s28 = s29 [ _ck -> (! {[@expl:type invariant] inv_refmut_refmut_PA_T _112} any) ] | s29 = -{resolve_refmut_refmut_PA_T _112}- s30 | s30 = 
@@ -6469,8 +6423,8 @@ module M_implementation__impl_PersistentArray_T__reroot (* implementation::Persi | & pa: MutBorrow.t t_PA_T = pa | & perm_cur: t_Perm_PermCell_Inner_T = Any.any_l () | & _24: t_Perm_PermCell_Inner_T = Any.any_l () - | & _25: t_Option_Box_Perm_PermCell_Inner_T_Global = Any.any_l () - | & _26: MutBorrow.t t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global = Any.any_l () + | & _25: t_Option_Perm_PermCell_Inner_T = Any.any_l () + | & _26: MutBorrow.t t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T = Any.any_l () | & _27: MutBorrow.t (MutBorrow.t t_PA_T) = Any.any_l () | & _28: MutBorrow.t (MutBorrow.t t_PA_T) = Any.any_l () | & _30: t_PermCell_Inner_T = Any.any_l () @@ -6484,9 +6438,9 @@ module M_implementation__impl_PersistentArray_T__reroot (* implementation::Persi | & _43: MutBorrow.t t_Perm_PermCell_Inner_T = Any.any_l () | & _44: MutBorrow.t t_Perm_PermCell_Inner_T = Any.any_l () | & _45: MutBorrow.t t_Perm_PermCell_Inner_T = Any.any_l () - | & _47: t_Option_Box_Perm_PermCell_Inner_T_Global = Any.any_l () - | & _48: t_Option_Box_Perm_PermCell_Inner_T_Global = Any.any_l () - | & _49: MutBorrow.t t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global = Any.any_l () + | & _47: t_Option_Perm_PermCell_Inner_T = Any.any_l () + | & _48: t_Option_Perm_PermCell_Inner_T = Any.any_l () + | & _49: MutBorrow.t t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T = Any.any_l () | & _50: MutBorrow.t (MutBorrow.t t_PA_T) = Any.any_l () | & _51: MutBorrow.t (MutBorrow.t t_PA_T) = Any.any_l () | & _55: t_Perm_PermCell_Inner_T = Any.any_l () 
@@ -6510,8 +6464,8 @@ module M_implementation__impl_PersistentArray_T__reroot (* implementation::Persi | & _77: MutBorrow.t t_Perm_PermCell_Inner_T = Any.any_l () | & _78: MutBorrow.t t_Perm_PermCell_Inner_T = Any.any_l () | & _79: MutBorrow.t t_Perm_PermCell_Inner_T = Any.any_l () - | & _80: t_Option_refmut_Box_Perm_PermCell_Inner_T_Global = Any.any_l () - | & _81: MutBorrow.t t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global = Any.any_l () + | & _80: t_Option_refmut_Perm_PermCell_Inner_T = Any.any_l () + | & _81: MutBorrow.t t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T = Any.any_l () | & _82: MutBorrow.t (MutBorrow.t t_PA_T) = Any.any_l () | & _83: MutBorrow.t (MutBorrow.t t_PA_T) = Any.any_l () | & _85: t_PermCell_Inner_T = Any.any_l () @@ -6530,8 +6484,8 @@ module M_implementation__impl_PersistentArray_T__reroot (* implementation::Persi | & _107: MutBorrow.t t_Inner_T = Any.any_l () | & _108: () = Any.any_l () | & _109: () = Any.any_l () - | & _110: t_Option_Box_Perm_PermCell_Inner_T_Global = Any.any_l () - | & _111: MutBorrow.t t_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global = Any.any_l () + | & _110: t_Option_Perm_PermCell_Inner_T = Any.any_l () + | & _111: MutBorrow.t t_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T = Any.any_l () | & _112: MutBorrow.t (MutBorrow.t t_PA_T) = Any.any_l () | & _113: MutBorrow.t (MutBorrow.t t_PA_T) = Any.any_l () | & _117: t_Perm_PermCell_Inner_T = Any.any_l () 
@@ -6550,7 +6504,7 @@ module M_implementation__impl_PersistentArray_T__reroot (* implementation::Persi = index_Mapping_PermCell_Inner_T_Int (fin_Ghost_refmut_PA_T pa).depth id) /\ ([@stop_split] [@expl:reroot ensures #3] forall id: t_PermCell_Inner_T. contains_Snapshot_PermCell_Inner_T (fin_Ghost_refmut_PA_T pa).perms id = contains_Snapshot_PermCell_Inner_T pa.current.perms id) - /\ ([@stop_split] [@expl:reroot ensures #4] match val_PermCell_Inner_T (index_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global (fin_Ghost_refmut_PA_T pa).perms (view_Rc_PermCell_Inner_T_Global cur)) with + /\ ([@stop_split] [@expl:reroot ensures #4] match val_PermCell_Inner_T (index_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T (fin_Ghost_refmut_PA_T pa).perms (view_Rc_PermCell_Inner_T_Global cur)) with | Direct _ -> true | Link _ _ _ -> false end)} diff --git a/examples/persistent_array.rs b/examples/persistent_array.rs index edd0cf97b0..021886e786 100644 --- a/examples/persistent_array.rs +++ b/examples/persistent_array.rs @@ -84,7 +84,7 @@ pub mod implementation { /// Structure describing the invariants respected by the pointers. struct PA { /// Holds the permission for each pointer. - perms: FMap>>, Box>>>>, + perms: FMap>>, Perm>>>, /// Holds the 'authoritative' version of the map of logical values. /// /// When we open the invariant, we get (a mutable borrow to) this, and can learn @@ -242,9 +242,8 @@ pub mod implementation { // prove that self is contained in the map by validity ghost! { pa.auth.frag_lemma(&self.frag) }; Self::reroot(&self.permcell, ghost!(&mut *pa)); - let perm = ghost!( - &**pa.into_inner().perms.get_ghost(&snapshot!(*self.permcell@)).unwrap() - ); + let perm = + ghost!(&*pa.into_inner().perms.get_ghost(&snapshot!(*self.permcell@)).unwrap()); let Inner::Direct(arr) = (unsafe { self.permcell.borrow(perm) }) else { unreachable!() }; 
@@ -286,7 +285,7 @@ pub mod implementation { let next = std::mem::replace(next, cur.clone()); // Take the ownership of next - let perm_next = ghost! { &mut **pa.perms.get_mut_ghost(&snapshot!(*next@)).unwrap() }; + let perm_next = ghost! { &mut *pa.perms.get_mut_ghost(&snapshot!(*next@)).unwrap() }; let bor_next = unsafe { next.borrow_mut(perm_next) }; // Exchange the value field witht the content of the array diff --git a/examples/persistent_array/proof.json b/examples/persistent_array/proof.json index a7a1899633..5a85dcedc0 100644 --- a/examples/persistent_array/proof.json +++ b/examples/persistent_array/proof.json @@ -89,9 +89,9 @@ "time": 0.051 }, "vc_reroot_T": { "prover": "cvc5", "time": 0.024 }, - "vc_unwrap_ref_Box_Perm_PermCell_Inner_T_Global": { - "prover": "cvc5", - "time": 0.025 + "vc_unwrap_ref_Perm_PermCell_Inner_T": { + "prover": "alt-ergo", + "time": 0.022 } }, "M_implementation__impl_PersistentArray_T__get_immut": { @@ -135,9 +135,9 @@ "vc_get_inner_immut_T": { "prover": "cvc5", "time": 0.077 }, "vc_index_Vec_T_Global": { "prover": "cvc5", "time": 0.018 }, "vc_new_ref_Perm_PermCell_Inner_T": { "prover": "cvc5", "time": 0.029 }, - "vc_unwrap_ref_Box_Perm_PermCell_Inner_T_Global": { - "prover": "cvc5", - "time": 0.029 + "vc_unwrap_ref_Perm_PermCell_Inner_T": { + "prover": "alt-ergo", + "time": 0.014 } }, "M_implementation__impl_PersistentArray_T__new": { @@ -153,9 +153,9 @@ "prover": "cvc5", "time": 0.035 }, - "vc_deref_mut_Ghost_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global": { - "prover": "cvc5", - "time": 0.03 + "vc_deref_mut_Ghost_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T": { + "prover": "alt-ergo", + "time": 0.039 }, "vc_deref_mut_Ghost_Fragment_FMap_PermCell_Inner_T_Ag_Seq_T": { "prover": "cvc5", 
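Review bot: The new `perm_next` line carries no comment saying why its `.unwrap()` and the `unsafe { next.borrow_mut(perm_next) }` that consumes it are sound; now that the `Box` indirection is gone, the bare `&mut *` reborrow is the only hint that this is a permission token rather than an ordinary reference. Because the `ghost!` block is erased at runtime, that `unwrap()` is discharged as a verification condition (the `vc_unwrap_refmut_Perm_PermCell_Inner_T` goal in proof.json), not a runtime check, so a reader must already know that `*next@` is a key of `pa.perms` under the `PA` invariant and that the token's ward is `next` (presumably the same `self == *perm.ward()` precondition `into_inner` has in permcell.rs). I would add `// ghost: the unwrap is a proof obligation (next is in pa.perms by the PA invariant), not a runtime panic` on the new line and `// SAFETY: the verifier checks perm_next.ward() == next before this borrow` above the `unsafe` call. The enclosing function (apparently `reroot`, from the Coma module names) starts and ends outside this hunk.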
@@ -173,18 +173,18 @@ "prover": "cvc5", "time": 0.026 }, - "vc_into_inner_Box_Perm_PermCell_Inner_T_Global": { - "prover": "cvc5", - "time": 0.03 - }, - "vc_into_inner_FMap_Snapshot_PermCell_Inner_T_Box_Perm_PermCell_Inner_T_Global": { - "prover": "cvc5", - "time": 0.026 + "vc_into_inner_FMap_Snapshot_PermCell_Inner_T_Perm_PermCell_Inner_T": { + "prover": "alt-ergo", + "time": 0.035 }, "vc_into_inner_NonAtomicInvariant_PA_T": { "prover": "cvc5", "time": 0.027 }, + "vc_into_inner_Perm_PermCell_Inner_T": { + "prover": "alt-ergo", + "time": 0.039 + }, "vc_new_Fragment_FMap_PermCell_Inner_T_Ag_Seq_T": { "prover": "cvc5", "time": 0.034 @@ -251,9 +251,9 @@ "prover": "cvc5", "time": 0.023 }, - "vc_deref_mut_Ghost_Box_Perm_PermCell_Inner_T_Global": { - "prover": "cvc5", - "time": 0.023 + "vc_deref_mut_Ghost_Perm_PermCell_Inner_T": { + "prover": "alt-ergo", + "time": 0.021 }, "vc_deref_mut_Ghost_refmut_PA_T": { "prover": "cvc5", "time": 0.019 }, "vc_elim_Direct": { "prover": "cvc5", "time": 0.022 }, @@ -267,18 +267,15 @@ "prover": "cvc5", "time": 0.022 }, - "vc_into_inner_Box_Perm_PermCell_Inner_T_Global": { - "prover": "cvc5", - "time": 0.021 - }, - "vc_new_Box_Perm_PermCell_Inner_T_Global": { - "prover": "cvc5", - "time": 0.025 + "vc_into_inner_Perm_PermCell_Inner_T": { + "prover": "alt-ergo", + "time": 0.017 }, - "vc_new_Option_Box_Perm_PermCell_Inner_T_Global": { - "prover": "cvc5", - "time": 0.021 + "vc_new_Option_Perm_PermCell_Inner_T": { + "prover": "alt-ergo", + "time": 0.02 }, + "vc_new_Perm_PermCell_Inner_T": { "prover": "alt-ergo", "time": 0.014 }, "vc_new_refmut_PA_T": { "prover": "cvc5", "time": 0.022 }, "vc_new_refmut_Perm_PermCell_Inner_T": { "prover": "cvc5", 
@@ -375,13 +372,13 @@ }, "vc_swap_Inner_T": { "prover": "cvc5", "time": 0.024 }, "vc_swap_T": { "prover": "cvc5", "time": 0.026 }, - "vc_unwrap_Box_Perm_PermCell_Inner_T_Global": { - "prover": "cvc5", - "time": 0.025 + "vc_unwrap_Perm_PermCell_Inner_T": { + "prover": "alt-ergo", + "time": 0.014 }, - "vc_unwrap_refmut_Box_Perm_PermCell_Inner_T_Global": { - "prover": "cvc5", - "time": 0.022 + "vc_unwrap_refmut_Perm_PermCell_Inner_T": { + "prover": "alt-ergo", + "time": 0.018 } }, "M_implementation__impl_PersistentArray_T__set": { @@ -394,14 +391,14 @@ "time": 0.025 }, "vc_closure0": { "prover": "cvc5", "time": 0.028 }, - "vc_deref_Ghost_Box_Perm_PermCell_Inner_T_Global": { - "prover": "cvc5", - "time": 0.029 - }, "vc_deref_Ghost_Fragment_FMap_PermCell_Inner_T_Ag_Seq_T": { "prover": "cvc5", "time": 0.026 }, + "vc_deref_Ghost_Perm_PermCell_Inner_T": { + "prover": "alt-ergo", + "time": 0.024 + }, "vc_deref_Ghost_Rc_NonAtomicInvariant_PA_T_Global": { "prover": "cvc5", "time": 0.043 @@ -433,9 +430,9 @@ "prover": "cvc5", "time": 0.027 }, - "vc_into_inner_Box_Perm_PermCell_Inner_T_Global": { - "prover": "cvc5", - "time": 0.036 + "vc_into_inner_Perm_PermCell_Inner_T": { + "prover": "alt-ergo", + "time": 0.025 }, "vc_new_Fragment_FMap_PermCell_Inner_T_Ag_Seq_T": { "prover": "cvc5", @@ -514,8 +511,8 @@ { "prover": "cvc5", "time": 0.08 }, { "prover": "z3", "time": 0.027 }, { "prover": "cvc4", "time": 0.126 }, - { "prover": "z3", "time": 0.034 }, - { "prover": "z3", "time": 0.142 }, + { "prover": "z3", "time": 0.253 }, + { "prover": "z3", "time": 0.028 }, { "tactic": "compute_specified", "children": [ diff --git a/tests/creusot-std/creusot-std.coma b/tests/creusot-std/creusot-std.coma index b505829732..77738b4302 100644 --- a/tests/creusot-std/creusot-std.coma +++ b/tests/creusot-std/creusot-std.coma 
@@ -45205,166 +45205,6 @@ module M_std__num__extern_spec_core_ops_RemAssign_ref_isize_isize_rem_assign_bod = ComputerDivision.mod (Int64.to_int self_.current) (Int64.to_int rhs)} (! return {result}) ] end -module M_std__boxed__extern_spec_T_A_Deref_Box_T_A_deref_body - type namespace_other - - type t_Namespace = Other namespace_other - - use creusot.prelude.Any - - type t_T - - predicate inv_T (_1: t_T) - - predicate invariant_Box_T_A (self: t_T) = inv_T self - - predicate inv_Box_T_A [@inline:trivial] (_1: t_T) = invariant_Box_T_A _1 - - meta "rewrite_def" predicate inv_Box_T_A - - predicate invariant_ref_Box_T_A [@inline:trivial] (self: t_T) = inv_Box_T_A self - - meta "rewrite_def" predicate invariant_ref_Box_T_A - - predicate inv_ref_Box_T_A [@inline:trivial] (_1: t_T) = invariant_ref_Box_T_A _1 - - meta "rewrite_def" predicate inv_ref_Box_T_A - - predicate invariant_ref_T [@inline:trivial] (self: t_T) = inv_T self - - meta "rewrite_def" predicate invariant_ref_T - - predicate inv_ref_T [@inline:trivial] (_1: t_T) = invariant_ref_T _1 - - meta "rewrite_def" predicate inv_ref_T - - meta "compute_max_steps" 1000000 - - meta "select_lsinst" "all" - - let rec extern_spec_T_A_Deref_Box_T_A_deref_body_T (self_: t_T) (return (x: t_T)) = - {[@stop_split] [@expl:extern_spec_T_A_Deref_Box_T_A_deref_body 'self_' type invariant] inv_ref_Box_T_A self_} - (! bb0 - [ bb0 = s0 [ s0 = [ &_4 <- self_ ] s1 | s1 = [ &_ret <- _4 ] s2 | s2 = return {_ret} ] ] - [ & _ret: t_T = Any.any_l () | & self_: t_T = self_ | & _4: t_T = Any.any_l () ]) - [ return (result: t_T) -> - {[@stop_split] [@expl:extern_spec_T_A_Deref_Box_T_A_deref_body_T ensures] ([@stop_split] [@expl:extern_spec_T_A_Deref_Box_T_A_deref_body result type invariant] inv_ref_T result) - /\ ([@stop_split] [@expl:extern_spec_T_A_Deref_Box_T_A_deref_body ensures] result = self_)} - (! 
return {result}) ] -end -module M_std__boxed__extern_spec_T_A_DerefMut_Box_T_A_deref_mut_body - type namespace_other - - type t_Namespace = Other namespace_other - - use creusot.prelude.MutBorrow - use creusot.prelude.Any - - type t_T - - predicate inv_T (_1: t_T) - - predicate invariant_refmut_T [@inline:trivial] (self: MutBorrow.t t_T) = inv_T self.current /\ inv_T self.final - - meta "rewrite_def" predicate invariant_refmut_T - - predicate inv_refmut_T [@inline:trivial] (_1: MutBorrow.t t_T) = invariant_refmut_T _1 - - meta "rewrite_def" predicate inv_refmut_T - - predicate resolve_refmut_T [@inline:trivial] (_1: MutBorrow.t t_T) = _1.final = _1.current - - meta "rewrite_def" predicate resolve_refmut_T - - predicate invariant_Box_T_A (self: t_T) = inv_T self - - predicate inv_Box_T_A [@inline:trivial] (_1: t_T) = invariant_Box_T_A _1 - - meta "rewrite_def" predicate inv_Box_T_A - - predicate invariant_refmut_Box_T_A [@inline:trivial] (self: MutBorrow.t t_T) = - inv_Box_T_A self.current /\ inv_Box_T_A self.final - - meta "rewrite_def" predicate invariant_refmut_Box_T_A - - predicate inv_refmut_Box_T_A [@inline:trivial] (_1: MutBorrow.t t_T) = invariant_refmut_Box_T_A _1 - - meta "rewrite_def" predicate inv_refmut_Box_T_A - - predicate resolve_refmut_Box_T_A [@inline:trivial] (_1: MutBorrow.t t_T) = _1.final = _1.current - - meta "rewrite_def" predicate resolve_refmut_Box_T_A - - meta "compute_max_steps" 1000000 - - meta "select_lsinst" "all" - - let rec extern_spec_T_A_DerefMut_Box_T_A_deref_mut_body_T (self_: MutBorrow.t t_T) (return (x: MutBorrow.t t_T)) = - {[@stop_split] [@expl:extern_spec_T_A_DerefMut_Box_T_A_deref_mut_body 'self_' type invariant] inv_refmut_Box_T_A self_} - (! bb0 - [ bb0 = s0 - [ s0 = MutBorrow.borrow_final {self_.current} {MutBorrow.get_id self_} - (fun (_bor: MutBorrow.t t_T) -> - [ &_7 <- _bor ] -{inv_T _bor.final}- - [ &self_ <- { self_ with current = _bor.final } ] s1) - [ _ck -> (! 
{[@expl:type invariant] inv_T self_.current} any) ] - | s1 = MutBorrow.borrow_final {_7.current} {MutBorrow.get_id _7} - (fun (_bor: MutBorrow.t t_T) -> - [ &_2 <- _bor ] -{inv_T _bor.final}- - [ &_7 <- { _7 with current = _bor.final } ] s2) [ _ck -> (! {[@expl:type invariant] inv_T _7.current} any) ] - | s2 = s3 [ _ck -> (! {[@expl:type invariant] inv_refmut_T _7} any) ] - | s3 = -{resolve_refmut_T _7}- s4 - | s4 = MutBorrow.borrow_final {_2.current} {MutBorrow.get_id _2} - (fun (_bor: MutBorrow.t t_T) -> - [ &_ret <- _bor ] -{inv_T _bor.final}- - [ &_2 <- { _2 with current = _bor.final } ] s5) [ _ck -> (! {[@expl:type invariant] inv_T _2.current} any) ] - | s5 = s6 [ _ck -> (! {[@expl:type invariant] inv_refmut_T _2} any) ] - | s6 = -{resolve_refmut_T _2}- s7 - | s7 = s8 [ _ck -> (! {[@expl:type invariant] inv_refmut_Box_T_A self_} any) ] - | s8 = -{resolve_refmut_Box_T_A self_}- s9 - | s9 = return {_ret} ] ] - [ & _ret: MutBorrow.t t_T = Any.any_l () - | & self_: MutBorrow.t t_T = self_ - | & _2: MutBorrow.t t_T = Any.any_l () - | & _7: MutBorrow.t t_T = Any.any_l () ]) - [ return (result: MutBorrow.t t_T) -> - {[@stop_split] [@expl:extern_spec_T_A_DerefMut_Box_T_A_deref_mut_body_T ensures] ([@stop_split] [@expl:extern_spec_T_A_DerefMut_Box_T_A_deref_mut_body result type invariant] inv_refmut_T result) - /\ ([@stop_split] [@expl:extern_spec_T_A_DerefMut_Box_T_A_deref_mut_body ensures #0] result.current - = self_.current) - /\ ([@stop_split] [@expl:extern_spec_T_A_DerefMut_Box_T_A_deref_mut_body ensures #1] result.final = self_.final)} - (! 
return {result}) ] -end -module M_std__boxed__impl_Resolve_for_Box_T_A__resolve_coherence__refines (* as resolve::Resolve> *) - type namespace_other - - type t_Namespace = Other namespace_other - - type t_T - - predicate inv_T (_1: t_T) - - predicate invariant_Box_T_A (self: t_T) = inv_T self - - predicate inv_Box_T_A [@inline:trivial] (_1: t_T) = invariant_Box_T_A _1 - - meta "rewrite_def" predicate inv_Box_T_A - - predicate resolve_T (_1: t_T) - - predicate structural_resolve_Box_T_A (_1: t_T) = resolve_T _1 - - predicate resolve_Box_T_A [@inline:trivial] (self: t_T) = true - - meta "rewrite_def" predicate resolve_Box_T_A - - meta "compute_max_steps" 1000000 - - meta "select_lsinst" "all" - - goal refines: forall self: t_T. inv_Box_T_A self - -> structural_resolve_Box_T_A self - -> structural_resolve_Box_T_A self /\ (forall result: (). resolve_Box_T_A self -> resolve_Box_T_A self) -end module M_std__range__extern_spec_T_From_Range_T_legacy_Range_T_from_body type namespace_other 
@@ -45747,63 +45587,6 @@ module M_std__hint__extern_spec_core_hint_must_use_body /\ ([@stop_split] [@expl:extern_spec_core_hint_must_use_body ensures] result = value)} (! return {result}) ] end -module M_std__rc__extern_spec_T_A_Deref_Rc_T_A_deref_body - type namespace_other - - type t_Namespace = Other namespace_other - - use creusot.prelude.Any - - type t_Rc_T_A - - type t_T - - predicate inv_Rc_T_A (_1: t_Rc_T_A) - - predicate invariant_ref_Rc_T_A [@inline:trivial] (self: t_Rc_T_A) = inv_Rc_T_A self - - meta "rewrite_def" predicate invariant_ref_Rc_T_A - - predicate inv_ref_Rc_T_A [@inline:trivial] (_1: t_Rc_T_A) = invariant_ref_Rc_T_A _1 - - meta "rewrite_def" predicate inv_ref_Rc_T_A - - predicate inv_T (_1: t_T) - - predicate invariant_ref_T [@inline:trivial] (self: t_T) = inv_T self - - meta "rewrite_def" predicate invariant_ref_T - - predicate inv_ref_T [@inline:trivial] (_1: t_T) = invariant_ref_T _1 - - meta "rewrite_def" predicate inv_ref_T - - function view_Rc_T_A (self: t_Rc_T_A) : t_T - - let rec as_ref_Rc_T_A (self_: t_Rc_T_A) (return (x: t_T)) = - {[@stop_split] [@expl:as_ref 'self_' type invariant] inv_ref_Rc_T_A self_} - any - [ return (result: t_T) -> - {[@stop_split] [@expl:as_ref_Rc_T_A ensures] ([@stop_split] [@expl:as_ref result type invariant] inv_ref_T result) - /\ ([@stop_split] [@expl:as_ref ensures] result = view_Rc_T_A self_)} - (! return {result}) ] - - meta "compute_max_steps" 1000000 - - meta "select_lsinst" "all" - - let rec extern_spec_T_A_Deref_Rc_T_A_deref_body_T (self_: t_Rc_T_A) (return (x: t_T)) = - {[@stop_split] [@expl:extern_spec_T_A_Deref_Rc_T_A_deref_body 'self_' type invariant] inv_ref_Rc_T_A self_} - (! 
bb0 - [ bb0 = s0 - [ s0 = as_ref_Rc_T_A {self_} (fun (_x: t_T) -> [ &_4 <- _x ] s1) - | s1 = [ &_ret <- _4 ] s2 - | s2 = return {_ret} ] ] [ & _ret: t_T = Any.any_l () | & self_: t_Rc_T_A = self_ | & _4: t_T = Any.any_l () ]) - [ return (result: t_T) -> - {[@stop_split] [@expl:extern_spec_T_A_Deref_Rc_T_A_deref_body_T ensures] ([@stop_split] [@expl:extern_spec_T_A_Deref_Rc_T_A_deref_body result type invariant] inv_ref_T result) - /\ ([@stop_split] [@expl:extern_spec_T_A_Deref_Rc_T_A_deref_body ensures] result = view_Rc_T_A self_)} - (! return {result}) ] -end module M_std__tuples__impl_Plain_for_tup1_T__into_ghost (* <(T,) as ghost::Plain> *) type namespace_other 
@@ -52936,6 +52719,166 @@ module M_std__collections__hash_set__impl_IteratorSpec_for_Difference_T_S_Global /\ (forall result: (). produces_Difference_T_S_Global a (Seq.(++) ab bc) c -> produces_Difference_T_S_Global a (Seq.(++) ab bc) c) end +module M_std__boxed__extern_spec_T_A_Deref_Box_T_A_deref_body + type namespace_other + + type t_Namespace = Other namespace_other + + use creusot.prelude.Any + + type t_T + + predicate inv_T (_1: t_T) + + predicate invariant_Box_T_A (self: t_T) = inv_T self + + predicate inv_Box_T_A [@inline:trivial] (_1: t_T) = invariant_Box_T_A _1 + + meta "rewrite_def" predicate inv_Box_T_A + + predicate invariant_ref_Box_T_A [@inline:trivial] (self: t_T) = inv_Box_T_A self + + meta "rewrite_def" predicate invariant_ref_Box_T_A + + predicate inv_ref_Box_T_A [@inline:trivial] (_1: t_T) = invariant_ref_Box_T_A _1 + + meta "rewrite_def" predicate inv_ref_Box_T_A + + predicate invariant_ref_T [@inline:trivial] (self: t_T) = inv_T self + + meta "rewrite_def" predicate invariant_ref_T + + predicate inv_ref_T [@inline:trivial] (_1: t_T) = invariant_ref_T _1 + + meta "rewrite_def" predicate inv_ref_T + + meta "compute_max_steps" 1000000 + + meta "select_lsinst" "all" + + let rec extern_spec_T_A_Deref_Box_T_A_deref_body_T (self_: t_T) (return (x: t_T)) = + {[@stop_split] [@expl:extern_spec_T_A_Deref_Box_T_A_deref_body 'self_' type invariant] inv_ref_Box_T_A self_} + (! bb0 + [ bb0 = s0 [ s0 = [ &_4 <- self_ ] s1 | s1 = [ &_ret <- _4 ] s2 | s2 = return {_ret} ] ] + [ & _ret: t_T = Any.any_l () | & self_: t_T = self_ | & _4: t_T = Any.any_l () ]) + [ return (result: t_T) -> + {[@stop_split] [@expl:extern_spec_T_A_Deref_Box_T_A_deref_body_T ensures] ([@stop_split] [@expl:extern_spec_T_A_Deref_Box_T_A_deref_body result type invariant] inv_ref_T result) + /\ ([@stop_split] [@expl:extern_spec_T_A_Deref_Box_T_A_deref_body ensures] result = self_)} + (! 
return {result}) ] +end +module M_std__boxed__extern_spec_T_A_DerefMut_Box_T_A_deref_mut_body + type namespace_other + + type t_Namespace = Other namespace_other + + use creusot.prelude.MutBorrow + use creusot.prelude.Any + + type t_T + + predicate inv_T (_1: t_T) + + predicate invariant_refmut_T [@inline:trivial] (self: MutBorrow.t t_T) = inv_T self.current /\ inv_T self.final + + meta "rewrite_def" predicate invariant_refmut_T + + predicate inv_refmut_T [@inline:trivial] (_1: MutBorrow.t t_T) = invariant_refmut_T _1 + + meta "rewrite_def" predicate inv_refmut_T + + predicate resolve_refmut_T [@inline:trivial] (_1: MutBorrow.t t_T) = _1.final = _1.current + + meta "rewrite_def" predicate resolve_refmut_T + + predicate invariant_Box_T_A (self: t_T) = inv_T self + + predicate inv_Box_T_A [@inline:trivial] (_1: t_T) = invariant_Box_T_A _1 + + meta "rewrite_def" predicate inv_Box_T_A + + predicate invariant_refmut_Box_T_A [@inline:trivial] (self: MutBorrow.t t_T) = + inv_Box_T_A self.current /\ inv_Box_T_A self.final + + meta "rewrite_def" predicate invariant_refmut_Box_T_A + + predicate inv_refmut_Box_T_A [@inline:trivial] (_1: MutBorrow.t t_T) = invariant_refmut_Box_T_A _1 + + meta "rewrite_def" predicate inv_refmut_Box_T_A + + predicate resolve_refmut_Box_T_A [@inline:trivial] (_1: MutBorrow.t t_T) = _1.final = _1.current + + meta "rewrite_def" predicate resolve_refmut_Box_T_A + + meta "compute_max_steps" 1000000 + + meta "select_lsinst" "all" + + let rec extern_spec_T_A_DerefMut_Box_T_A_deref_mut_body_T (self_: MutBorrow.t t_T) (return (x: MutBorrow.t t_T)) = + {[@stop_split] [@expl:extern_spec_T_A_DerefMut_Box_T_A_deref_mut_body 'self_' type invariant] inv_refmut_Box_T_A self_} + (! bb0 + [ bb0 = s0 + [ s0 = MutBorrow.borrow_final {self_.current} {MutBorrow.get_id self_} + (fun (_bor: MutBorrow.t t_T) -> + [ &_7 <- _bor ] -{inv_T _bor.final}- + [ &self_ <- { self_ with current = _bor.final } ] s1) + [ _ck -> (! 
{[@expl:type invariant] inv_T self_.current} any) ] + | s1 = MutBorrow.borrow_final {_7.current} {MutBorrow.get_id _7} + (fun (_bor: MutBorrow.t t_T) -> + [ &_2 <- _bor ] -{inv_T _bor.final}- + [ &_7 <- { _7 with current = _bor.final } ] s2) [ _ck -> (! {[@expl:type invariant] inv_T _7.current} any) ] + | s2 = s3 [ _ck -> (! {[@expl:type invariant] inv_refmut_T _7} any) ] + | s3 = -{resolve_refmut_T _7}- s4 + | s4 = MutBorrow.borrow_final {_2.current} {MutBorrow.get_id _2} + (fun (_bor: MutBorrow.t t_T) -> + [ &_ret <- _bor ] -{inv_T _bor.final}- + [ &_2 <- { _2 with current = _bor.final } ] s5) [ _ck -> (! {[@expl:type invariant] inv_T _2.current} any) ] + | s5 = s6 [ _ck -> (! {[@expl:type invariant] inv_refmut_T _2} any) ] + | s6 = -{resolve_refmut_T _2}- s7 + | s7 = s8 [ _ck -> (! {[@expl:type invariant] inv_refmut_Box_T_A self_} any) ] + | s8 = -{resolve_refmut_Box_T_A self_}- s9 + | s9 = return {_ret} ] ] + [ & _ret: MutBorrow.t t_T = Any.any_l () + | & self_: MutBorrow.t t_T = self_ + | & _2: MutBorrow.t t_T = Any.any_l () + | & _7: MutBorrow.t t_T = Any.any_l () ]) + [ return (result: MutBorrow.t t_T) -> + {[@stop_split] [@expl:extern_spec_T_A_DerefMut_Box_T_A_deref_mut_body_T ensures] ([@stop_split] [@expl:extern_spec_T_A_DerefMut_Box_T_A_deref_mut_body result type invariant] inv_refmut_T result) + /\ ([@stop_split] [@expl:extern_spec_T_A_DerefMut_Box_T_A_deref_mut_body ensures #0] result.current + = self_.current) + /\ ([@stop_split] [@expl:extern_spec_T_A_DerefMut_Box_T_A_deref_mut_body ensures #1] result.final = self_.final)} + (! 
return {result}) ] +end +module M_std__boxed__impl_Resolve_for_Box_T_A__resolve_coherence__refines (* as resolve::Resolve> *) + type namespace_other + + type t_Namespace = Other namespace_other + + type t_T + + predicate inv_T (_1: t_T) + + predicate invariant_Box_T_A (self: t_T) = inv_T self + + predicate inv_Box_T_A [@inline:trivial] (_1: t_T) = invariant_Box_T_A _1 + + meta "rewrite_def" predicate inv_Box_T_A + + predicate resolve_T (_1: t_T) + + predicate structural_resolve_Box_T_A (_1: t_T) = resolve_T _1 + + predicate resolve_Box_T_A [@inline:trivial] (self: t_T) = true + + meta "rewrite_def" predicate resolve_Box_T_A + + meta "compute_max_steps" 1000000 + + meta "select_lsinst" "all" + + goal refines: forall self: t_T. inv_Box_T_A self + -> structural_resolve_Box_T_A self + -> structural_resolve_Box_T_A self /\ (forall result: (). resolve_Box_T_A self -> resolve_Box_T_A self) +end module M_std__deque__impl_IteratorSpec_for_Iter_T__produces_refl (* as std::iter::IteratorSpec> *) type namespace_other 
@@ -53215,6 +53158,63 @@ module M_std__io__extern_spec_std_io_eprint_body (! bb0 [ bb0 = return {_ret} ] [ & _ret: () = Any.any_l () ]) [ return (result: ()) -> (! return {result}) ] end +module M_std__rc__extern_spec_T_A_Deref_Rc_T_A_deref_body + type namespace_other + + type t_Namespace = Other namespace_other + + use creusot.prelude.Any + + type t_Rc_T_A + + type t_T + + predicate inv_Rc_T_A (_1: t_Rc_T_A) + + predicate invariant_ref_Rc_T_A [@inline:trivial] (self: t_Rc_T_A) = inv_Rc_T_A self + + meta "rewrite_def" predicate invariant_ref_Rc_T_A + + predicate inv_ref_Rc_T_A [@inline:trivial] (_1: t_Rc_T_A) = invariant_ref_Rc_T_A _1 + + meta "rewrite_def" predicate inv_ref_Rc_T_A + + predicate inv_T (_1: t_T) + + predicate invariant_ref_T [@inline:trivial] (self: t_T) = inv_T self + + meta "rewrite_def" predicate invariant_ref_T + + predicate inv_ref_T [@inline:trivial] (_1: t_T) = invariant_ref_T _1 + + meta "rewrite_def" predicate inv_ref_T + + function view_Rc_T_A (self: t_Rc_T_A) : t_T + + let rec as_ref_Rc_T_A (self_: t_Rc_T_A) (return (x: t_T)) = + {[@stop_split] [@expl:as_ref 'self_' type invariant] inv_ref_Rc_T_A self_} + any + [ return (result: t_T) -> + {[@stop_split] [@expl:as_ref_Rc_T_A ensures] ([@stop_split] [@expl:as_ref result type invariant] inv_ref_T result) + /\ ([@stop_split] [@expl:as_ref ensures] result = view_Rc_T_A self_)} + (! return {result}) ] + + meta "compute_max_steps" 1000000 + + meta "select_lsinst" "all" + + let rec extern_spec_T_A_Deref_Rc_T_A_deref_body_T (self_: t_Rc_T_A) (return (x: t_T)) = + {[@stop_split] [@expl:extern_spec_T_A_Deref_Rc_T_A_deref_body 'self_' type invariant] inv_ref_Rc_T_A self_} + (! 
bb0 + [ bb0 = s0 + [ s0 = as_ref_Rc_T_A {self_} (fun (_x: t_T) -> [ &_4 <- _x ] s1) + | s1 = [ &_ret <- _4 ] s2 + | s2 = return {_ret} ] ] [ & _ret: t_T = Any.any_l () | & self_: t_Rc_T_A = self_ | & _4: t_T = Any.any_l () ]) + [ return (result: t_T) -> + {[@stop_split] [@expl:extern_spec_T_A_Deref_Rc_T_A_deref_body_T ensures] ([@stop_split] [@expl:extern_spec_T_A_Deref_Rc_T_A_deref_body result type invariant] inv_ref_T result) + /\ ([@stop_split] [@expl:extern_spec_T_A_Deref_Rc_T_A_deref_body ensures] result = view_Rc_T_A self_)} + (! return {result}) ] +end module M_snapshot__impl_Clone_for_Snapshot_T__clone (* as std::clone::Clone> *) type namespace_other diff --git a/tests/should_fail/wrong_permissions.coma b/tests/should_fail/wrong_permissions.coma index b80019c237..1f4657b332 100644 --- a/tests/should_fail/wrong_permissions.coma +++ b/tests/should_fail/wrong_permissions.coma @@ -39,7 +39,7 @@ module M_wrong_permcell_permission type t_Perm_PermCell_i32 - type tup2_PermCell_i32_Ghost_Box_Perm_PermCell_i32_Global = { f0: t_PermCell_i32; f1: t_Perm_PermCell_i32 } + type tup2_PermCell_i32_Ghost_Perm_PermCell_i32 = { f0: t_PermCell_i32; f1: t_Perm_PermCell_i32 } function ward_PermCell_i32 (self: t_Perm_PermCell_i32) : t_PermCell_i32 
@@ -49,19 +49,14 @@ module M_wrong_permcell_permission meta "rewrite_def" function view_Perm_PermCell_i32 - function view_Box_Perm_PermCell_i32_Global [@inline:trivial] (self: t_Perm_PermCell_i32) : Int32.t = - view_Perm_PermCell_i32 self - - meta "rewrite_def" function view_Box_Perm_PermCell_i32_Global - - let rec new_i32 (value: Int32.t) (return (x: tup2_PermCell_i32_Ghost_Box_Perm_PermCell_i32_Global)) = any - [ return (result: tup2_PermCell_i32_Ghost_Box_Perm_PermCell_i32_Global) -> + let rec new_i32 (value: Int32.t) (return (x: tup2_PermCell_i32_Ghost_Perm_PermCell_i32)) = any + [ return (result: tup2_PermCell_i32_Ghost_Perm_PermCell_i32) -> {[@stop_split] [@expl:new_i32 ensures] ([@stop_split] [@expl:new ensures #0] result.f0 = ward_PermCell_i32 result.f1) - /\ ([@stop_split] [@expl:new ensures #1] view_Box_Perm_PermCell_i32_Global result.f1 = value)} + /\ ([@stop_split] [@expl:new ensures #1] view_Perm_PermCell_i32 result.f1 = value)} (! return {result}) ] - let rec deref_Ghost_Box_Perm_PermCell_i32_Global (self: t_Perm_PermCell_i32) (return (x: t_Perm_PermCell_i32)) = any + let rec deref_Ghost_Perm_PermCell_i32 (self: t_Perm_PermCell_i32) (return (x: t_Perm_PermCell_i32)) = any [ return (result: t_Perm_PermCell_i32) -> {[@stop_split] [@expl:deref ensures] result = self} (! return {result}) ] let rec new_ref_Perm_PermCell_i32 (x: t_Perm_PermCell_i32) (return (x'0: t_Perm_PermCell_i32)) = any 
@@ -79,20 +74,20 @@ module M_wrong_permcell_permission let rec wrong_permcell_permission (return (x: ())) = (! bb0 [ bb0 = s0 - [ s0 = new_i32 {(1: Int32.t)} (fun (_x: tup2_PermCell_i32_Ghost_Box_Perm_PermCell_i32_Global) -> [ &_2 <- _x ] s1) + [ s0 = new_i32 {(1: Int32.t)} (fun (_x: tup2_PermCell_i32_Ghost_Perm_PermCell_i32) -> [ &_2 <- _x ] s1) | s1 = [ &cell <- _2.f0 ] s2 - | s2 = new_i32 {(1: Int32.t)} (fun (_x: tup2_PermCell_i32_Ghost_Box_Perm_PermCell_i32_Global) -> [ &_4 <- _x ] s3) + | s2 = new_i32 {(1: Int32.t)} (fun (_x: tup2_PermCell_i32_Ghost_Perm_PermCell_i32) -> [ &_4 <- _x ] s3) | s3 = [ &perm <- _4.f1 ] s4 - | s4 = deref_Ghost_Box_Perm_PermCell_i32_Global {perm} (fun (_x: t_Perm_PermCell_i32) -> [ &_10 <- _x ] s5) + | s4 = deref_Ghost_Perm_PermCell_i32 {perm} (fun (_x: t_Perm_PermCell_i32) -> [ &_10 <- _x ] s5) | s5 = [ &_9 <- _10 ] s6 | s6 = new_ref_Perm_PermCell_i32 {_9} (fun (_x: t_Perm_PermCell_i32) -> [ &_7 <- _x ] s7) | s7 = borrow_i32 {cell} {_7} (fun (_x: Int32.t) -> [ &_5 <- _x ] s8) | s8 = return {_ret} ] ] [ & _ret: () = Any.any_l () | & cell: t_PermCell_i32 = Any.any_l () - | & _2: tup2_PermCell_i32_Ghost_Box_Perm_PermCell_i32_Global = Any.any_l () + | & _2: tup2_PermCell_i32_Ghost_Perm_PermCell_i32 = Any.any_l () | & perm: t_Perm_PermCell_i32 = Any.any_l () - | & _4: tup2_PermCell_i32_Ghost_Box_Perm_PermCell_i32_Global = Any.any_l () + | & _4: tup2_PermCell_i32_Ghost_Perm_PermCell_i32 = Any.any_l () | & _5: Int32.t = Any.any_l () | & _7: t_Perm_PermCell_i32 = Any.any_l () | & _9: t_Perm_PermCell_i32 = Any.any_l () diff --git a/tests/should_fail/wrong_permissions.rs b/tests/should_fail/wrong_permissions.rs index 8a11740828..2bb9e29e54 100644 --- a/tests/should_fail/wrong_permissions.rs +++ b/tests/should_fail/wrong_permissions.rs 
@@ -11,7 +11,7 @@ pub fn wrong_permcell_permission() {
 let (_, perm) = PermCell::new(1i32);
 // does not work: we know that `perm` is not `cell`'s permission
- let _ = unsafe { cell.borrow(ghost!(&**perm)) };
+ let _ = unsafe { cell.borrow(ghost!(&*perm)) };
 }
 pub fn unknown_ptr_perm_permission(ptr: *const i32, perm: Ghost<&Perm<*const i32>>) {
@@ -23,5 +23,5 @@ pub fn wrong_ptr_perm_permission() {
 let (_, perm) = Perm::new(1i32);
 // does not work: we know that `perm` is not `ptr`'s permission
- let _ = unsafe { Perm::as_ref(ptr, ghost!(&**perm)) };
+ let _ = unsafe { Perm::as_ref(ptr, ghost!(&*perm)) };
 }
diff --git a/tests/should_fail/wrong_permissions/why3session.xml b/tests/should_fail/wrong_permissions/why3session.xml
index c6090229ca..e21d4af2c6 100644
--- a/tests/should_fail/wrong_permissions/why3session.xml
+++ b/tests/should_fail/wrong_permissions/why3session.xml
@@ -12,7 +12,7 @@ - +
@@ -26,7 +26,7 @@ - +
@@ -45,10 +45,10 @@ - + - +
@@ -70,10 +70,10 @@ - + - +
diff --git a/tests/should_fail/wrong_permissions/why3shapes.gz b/tests/should_fail/wrong_permissions/why3shapes.gz
index a6b62f606f..d7375efbb0 100644
Binary files a/tests/should_fail/wrong_permissions/why3shapes.gz and b/tests/should_fail/wrong_permissions/why3shapes.gz differ
diff --git a/tests/should_succeed/bug/1562.coma b/tests/should_succeed/bug/1562.coma
index 7c87877e46..fe873e6ef5 100644
--- a/tests/should_succeed/bug/1562.coma
+++ b/tests/should_succeed/bug/1562.coma
@@ -119,16 +119,11 @@ module M_impl_List_T__foo (* List *) type t_Perm_PermCell_List_T - let rec deref_mut_Ghost_Box_Perm_PermCell_List_T_Global (self: MutBorrow.t t_Perm_PermCell_List_T) + let rec deref_mut_Ghost_Perm_PermCell_List_T (self: MutBorrow.t t_Perm_PermCell_List_T) (return (x: MutBorrow.t t_Perm_PermCell_List_T)) = any [ return (result: MutBorrow.t t_Perm_PermCell_List_T) -> {[@stop_split] [@expl:deref_mut ensures] result = self} (! return {result}) ] - predicate resolve_refmut_Box_Perm_PermCell_List_T_Global [@inline:trivial] (_1: MutBorrow.t t_Perm_PermCell_List_T) = - _1.final = _1.current - - meta "rewrite_def" predicate resolve_refmut_Box_Perm_PermCell_List_T_Global - predicate resolve_refmut_Perm_PermCell_List_T [@inline:trivial] (_1: MutBorrow.t t_Perm_PermCell_List_T) = _1.final = _1.current @@ -200,7 +195,7 @@ module M_impl_List_T__foo (* List *) | s11 = as_ref_Rc_PermCell_List_T_Global {next'0} (fun (_x: t_PermCell_List_T) -> [ &_17 <- _x ] s12) | s12 = MutBorrow.borrow_mut {perm} (fun (_bor: MutBorrow.t t_Perm_PermCell_List_T) -> [ &_25 <- _bor ] [ &perm <- _bor.final ] s13) - | s13 = deref_mut_Ghost_Box_Perm_PermCell_List_T_Global {_25} + | s13 = deref_mut_Ghost_Perm_PermCell_List_T {_25} (fun (_x: MutBorrow.t t_Perm_PermCell_List_T) -> [ &_24 <- _x ] s14) | s14 = MutBorrow.borrow_final {_24.current} {MutBorrow.get_id _24} (fun (_bor: MutBorrow.t t_Perm_PermCell_List_T) -> @@ -208,7 +203,7 @@ module M_impl_List_T__foo (* List *) | s15 = MutBorrow.borrow_final {_23.current} {MutBorrow.get_id _23} (fun (_bor: MutBorrow.t t_Perm_PermCell_List_T) -> [ &_22 <- _bor ] [ &_23 <- { _23 with current = _bor.final } ] s16) - | s16 = -{resolve_refmut_Box_Perm_PermCell_List_T_Global _24}- s17 + | s16 = -{resolve_refmut_Perm_PermCell_List_T _24}- s17 | s17 = -{resolve_refmut_Perm_PermCell_List_T _23}- s18 | s18 = MutBorrow.borrow_final {_22.current} {MutBorrow.get_id _22} (fun (_bor: MutBorrow.t t_Perm_PermCell_List_T) -> 
diff --git a/tests/should_succeed/bug/1562.rs b/tests/should_succeed/bug/1562.rs
index e74c8a6522..d2a92f6d85 100644
--- a/tests/should_succeed/bug/1562.rs
+++ b/tests/should_succeed/bug/1562.rs
@@ -11,7 +11,7 @@ pub struct List {
 impl List {
 #[requires(false)]
- pub fn foo(&mut self, mut perm: Ghost>>>>) {
+ pub fn foo(&mut self, mut perm: Ghost>>>) {
 let mut p = self;
 let mut next;
@@ -19,7 +19,7 @@ impl List {
 let curr = p.head.take().unwrap();
 next = curr.next.clone();
 unsafe {
- p = next.as_ref().borrow_mut(ghost!(&mut **perm));
+ p = next.as_ref().borrow_mut(ghost!(&mut *perm));
 }
 }
 }
diff --git a/tests/should_succeed/bug/1562/proof.json b/tests/should_succeed/bug/1562/proof.json
index 642ed637d0..5798f6587c 100644
--- a/tests/should_succeed/bug/1562/proof.json
+++ b/tests/should_succeed/bug/1562/proof.json
@@ -8,26 +8,26 @@ "proofs": { "M_impl_List_T__foo": { "vc_as_ref_Rc_PermCell_List_T_Global": { - "prover": "cvc5@1.3.1", - "time": 0.035 + "prover": "cvc5", + "time": 0.019 }, - "vc_borrow_mut_List_T": { "prover": "cvc5@1.3.1", "time": 0.035 }, + "vc_borrow_mut_List_T": { "prover": "cvc5", "time": 0.036 }, "vc_clone_Rc_PermCell_List_T_Global": { - "prover": "cvc5@1.3.1", - "time": 0.035 + "prover": "cvc5", + "time": 0.02 }, - "vc_deref_mut_Ghost_Box_Perm_PermCell_List_T_Global": { - "prover": "cvc5@1.3.1", - "time": 0.034 + "vc_deref_mut_Ghost_Perm_PermCell_List_T": { + "prover": "alt-ergo", + "time": 0.029 }, - "vc_foo_T": { "prover": "cvc5@1.3.1", "time": 0.012 }, - "vc_is_none_Node_T": { "prover": "cvc5@1.3.1", "time": 0.019 }, + "vc_foo_T": { "prover": "cvc5", "time": 0.034 }, + "vc_is_none_Node_T": { "prover": "cvc5", "time": 0.021 }, "vc_new_refmut_Perm_PermCell_List_T": { - "prover": "cvc5@1.3.1", - "time": 0.033 + "prover": "cvc5", + "time": 0.038 }, - "vc_take_Node_T": { "prover": "cvc5@1.3.1", "time": 0.037 }, - "vc_unwrap_Node_T": { "prover": "cvc5@1.3.1", "time": 0.036 } + "vc_take_Node_T": { "prover": "cvc5", "time": 0.023 }, + "vc_unwrap_Node_T": { "prover": "cvc5", "time": 0.019 } } } } diff --git a/tests/should_succeed/non_atomic_invariant_cellinv.coma b/tests/should_succeed/non_atomic_invariant_cellinv.coma index 66ce3073c0..fcc615b6e8 100644 --- a/tests/should_succeed/non_atomic_invariant_cellinv.coma +++ b/tests/should_succeed/non_atomic_invariant_cellinv.coma 
@@ -307,11 +307,6 @@ module M_impl_CellInv_T__write (* CellInv *) meta "rewrite_def" predicate resolve_refmut_PermCellNAInv_T - predicate resolve_refmut_Box_Perm_PermCell_T_Global [@inline:trivial] (_1: MutBorrow.t t_Perm_PermCell_T) = - _1.final = _1.current - - meta "rewrite_def" predicate resolve_refmut_Box_Perm_PermCell_T_Global - predicate resolve_refmut_Perm_PermCell_T [@inline:trivial] (_1: MutBorrow.t t_Perm_PermCell_T) = _1.final = _1.current meta "rewrite_def" predicate resolve_refmut_Perm_PermCell_T
@@ -408,7 +403,7 @@ module M_impl_CellInv_T__write (* CellInv *) (fun (_bor: MutBorrow.t t_Perm_PermCell_T) -> [ &_9 <- _bor ] [ &_10 <- { _10 with current = _bor.final } ] s3) | s3 = -{resolve_refmut_PermCellNAInv_T _11}- s4 - | s4 = -{resolve_refmut_Box_Perm_PermCell_T_Global _10}- s5 + | s4 = -{resolve_refmut_Perm_PermCell_T _10}- s5 | s5 = MutBorrow.borrow_final {_9.current} {MutBorrow.get_id _9} (fun (_bor: MutBorrow.t t_Perm_PermCell_T) -> [ &_8 <- _bor ] [ &_9 <- { _9 with current = _bor.final } ] s6) | s6 = -{resolve_refmut_Perm_PermCell_T _9}- s7
diff --git a/tests/should_succeed/non_atomic_invariant_cellinv.rs b/tests/should_succeed/non_atomic_invariant_cellinv.rs
index e972aea1cc..fe8184a856 100644
--- a/tests/should_succeed/non_atomic_invariant_cellinv.rs
+++ b/tests/should_succeed/non_atomic_invariant_cellinv.rs
@@ -24,7 +24,7 @@ impl Invariant for CellInv {
 }
 }
-struct PermCellNAInv(Box>>);
+struct PermCellNAInv(Perm>);
 impl Protocol for PermCellNAInv {
 type Public = PermCell;
diff --git a/tests/should_succeed/permcell.coma b/tests/should_succeed/permcell.coma
index 17487c8508..0b8125ccb1 100644
--- a/tests/should_succeed/permcell.coma
+++ b/tests/should_succeed/permcell.coma
@@ -7,7 +7,7 @@ module M_foo type t_Perm_PermCell_i32 - type tup2_PermCell_i32_Ghost_Box_Perm_PermCell_i32_Global = { f0: t_PermCell_i32; f1: t_Perm_PermCell_i32 } + type tup2_PermCell_i32_Ghost_Perm_PermCell_i32 = { f0: t_PermCell_i32; f1: t_Perm_PermCell_i32 } function ward_PermCell_i32 (self: t_Perm_PermCell_i32) : t_PermCell_i32 @@ -17,19 +17,14 @@ module M_foo meta "rewrite_def" function view_Perm_PermCell_i32 - function view_Box_Perm_PermCell_i32_Global [@inline:trivial] (self: t_Perm_PermCell_i32) : Int32.t = - view_Perm_PermCell_i32 self - - meta "rewrite_def" function view_Box_Perm_PermCell_i32_Global - - let rec new_i32 (value: Int32.t) (return (x: tup2_PermCell_i32_Ghost_Box_Perm_PermCell_i32_Global)) = any - [ return (result: tup2_PermCell_i32_Ghost_Box_Perm_PermCell_i32_Global) -> + let rec new_i32 (value: Int32.t) (return (x: tup2_PermCell_i32_Ghost_Perm_PermCell_i32)) = any + [ return (result: tup2_PermCell_i32_Ghost_Perm_PermCell_i32) -> {[@stop_split] [@expl:new_i32 ensures] ([@stop_split] [@expl:new ensures #0] result.f0 = ward_PermCell_i32 result.f1) - /\ ([@stop_split] [@expl:new ensures #1] view_Box_Perm_PermCell_i32_Global result.f1 = value)} + /\ ([@stop_split] [@expl:new ensures #1] view_Perm_PermCell_i32 result.f1 = value)} (! return {result}) ] - let rec deref_Ghost_Box_Perm_PermCell_i32_Global (self: t_Perm_PermCell_i32) (return (x: t_Perm_PermCell_i32)) = any + let rec deref_Ghost_Perm_PermCell_i32 (self: t_Perm_PermCell_i32) (return (x: t_Perm_PermCell_i32)) = any [ return (result: t_Perm_PermCell_i32) -> {[@stop_split] [@expl:deref ensures] result = self} (! return {result}) ] let rec new_ref_Perm_PermCell_i32 (x: t_Perm_PermCell_i32) (return (x'0: t_Perm_PermCell_i32)) = any 
@@ -41,16 +36,11 @@ module M_foo [ return (result: Int32.t) -> {[@stop_split] [@expl:borrow ensures] result = view_Perm_PermCell_i32 perm} (! return {result}) ] - let rec deref_mut_Ghost_Box_Perm_PermCell_i32_Global (self: MutBorrow.t t_Perm_PermCell_i32) + let rec deref_mut_Ghost_Perm_PermCell_i32 (self: MutBorrow.t t_Perm_PermCell_i32) (return (x: MutBorrow.t t_Perm_PermCell_i32)) = any [ return (result: MutBorrow.t t_Perm_PermCell_i32) -> {[@stop_split] [@expl:deref_mut ensures] result = self} (! return {result}) ] - predicate resolve_refmut_Box_Perm_PermCell_i32_Global [@inline:trivial] (_1: MutBorrow.t t_Perm_PermCell_i32) = - _1.final = _1.current - - meta "rewrite_def" predicate resolve_refmut_Box_Perm_PermCell_i32_Global - predicate resolve_refmut_Perm_PermCell_i32 [@inline:trivial] (_1: MutBorrow.t t_Perm_PermCell_i32) = _1.final = _1.current @@ -95,8 +85,7 @@ module M_foo let rec into_inner_i32 (self: t_PermCell_i32) (perm: t_Perm_PermCell_i32) (return (x: Int32.t)) = {[@stop_split] [@expl:into_inner requires] self = ward_PermCell_i32 perm} any - [ return (result: Int32.t) -> {[@stop_split] [@expl:into_inner ensures] result - = view_Box_Perm_PermCell_i32_Global perm} + [ return (result: Int32.t) -> {[@stop_split] [@expl:into_inner ensures] result = view_Perm_PermCell_i32 perm} (! return {result}) ] meta "compute_max_steps" 1000000 
@@ -105,10 +94,10 @@ module M_foo let rec foo (return (x: Int32.t)) = (! bb0 [ bb0 = s0 - [ s0 = new_i32 {(1: Int32.t)} (fun (_x: tup2_PermCell_i32_Ghost_Box_Perm_PermCell_i32_Global) -> [ &_4 <- _x ] s1) + [ s0 = new_i32 {(1: Int32.t)} (fun (_x: tup2_PermCell_i32_Ghost_Perm_PermCell_i32) -> [ &_4 <- _x ] s1) | s1 = [ &p <- _4.f0 ] s2 | s2 = [ &own <- _4.f1 ] s3 - | s3 = deref_Ghost_Box_Perm_PermCell_i32_Global {own} (fun (_x: t_Perm_PermCell_i32) -> [ &_13 <- _x ] s4) + | s3 = deref_Ghost_Perm_PermCell_i32 {own} (fun (_x: t_Perm_PermCell_i32) -> [ &_13 <- _x ] s4) | s4 = [ &_12 <- _13 ] s5 | s5 = new_ref_Perm_PermCell_i32 {_12} (fun (_x: t_Perm_PermCell_i32) -> [ &_10 <- _x ] s6) | s6 = borrow_i32 {p} {_10} (fun (_x: Int32.t) -> [ &_8 <- _x ] s7) @@ -117,15 +106,14 @@ module M_foo | bb5 = s0 [ s0 = MutBorrow.borrow_mut {own} (fun (_bor: MutBorrow.t t_Perm_PermCell_i32) -> [ &_25 <- _bor ] [ &own <- _bor.final ] s1) - | s1 = deref_mut_Ghost_Box_Perm_PermCell_i32_Global {_25} - (fun (_x: MutBorrow.t t_Perm_PermCell_i32) -> [ &_24 <- _x ] s2) + | s1 = deref_mut_Ghost_Perm_PermCell_i32 {_25} (fun (_x: MutBorrow.t t_Perm_PermCell_i32) -> [ &_24 <- _x ] s2) | s2 = MutBorrow.borrow_final {_24.current} {MutBorrow.get_id _24} (fun (_bor: MutBorrow.t t_Perm_PermCell_i32) -> [ &_23 <- _bor ] [ &_24 <- { _24 with current = _bor.final } ] s3) | s3 = MutBorrow.borrow_final {_23.current} {MutBorrow.get_id _23} (fun (_bor: MutBorrow.t t_Perm_PermCell_i32) -> [ &_22 <- _bor ] [ &_23 <- { _23 with current = _bor.final } ] s4) - | s4 = -{resolve_refmut_Box_Perm_PermCell_i32_Global _24}- s5 + | s4 = -{resolve_refmut_Perm_PermCell_i32 _24}- s5 | s5 = -{resolve_refmut_Perm_PermCell_i32 _23}- s6 | s6 = MutBorrow.borrow_final {_22.current} {MutBorrow.get_id _22} (fun (_bor: MutBorrow.t t_Perm_PermCell_i32) -> 
@@ -139,7 +127,7 @@ module M_foo | s11 = borrow_mut_i32 {p} {_19} (fun (_x: MutBorrow.t Int32.t) -> [ &_17 <- _x ] s12) | s12 = [ &_17 <- { _17 with current = (2: Int32.t) } ] s13 | s13 = -{resolve_refmut_i32 _17}- s14 - | s14 = deref_Ghost_Box_Perm_PermCell_i32_Global {own} (fun (_x: t_Perm_PermCell_i32) -> [ &_34 <- _x ] s15) + | s14 = deref_Ghost_Perm_PermCell_i32 {own} (fun (_x: t_Perm_PermCell_i32) -> [ &_34 <- _x ] s15) | s15 = [ &_33 <- _34 ] s16 | s16 = new_ref_Perm_PermCell_i32 {_33} (fun (_x: t_Perm_PermCell_i32) -> [ &_31 <- _x ] s17) | s17 = borrow_i32 {p} {_31} (fun (_x: Int32.t) -> [ &_29 <- _x ] s18) @@ -148,15 +136,14 @@ module M_foo | bb13 = s0 [ s0 = MutBorrow.borrow_mut {own} (fun (_bor: MutBorrow.t t_Perm_PermCell_i32) -> [ &_47 <- _bor ] [ &own <- _bor.final ] s1) - | s1 = deref_mut_Ghost_Box_Perm_PermCell_i32_Global {_47} - (fun (_x: MutBorrow.t t_Perm_PermCell_i32) -> [ &_46 <- _x ] s2) + | s1 = deref_mut_Ghost_Perm_PermCell_i32 {_47} (fun (_x: MutBorrow.t t_Perm_PermCell_i32) -> [ &_46 <- _x ] s2) | s2 = MutBorrow.borrow_final {_46.current} {MutBorrow.get_id _46} (fun (_bor: MutBorrow.t t_Perm_PermCell_i32) -> [ &_45 <- _bor ] [ &_46 <- { _46 with current = _bor.final } ] s3) | s3 = MutBorrow.borrow_final {_45.current} {MutBorrow.get_id _45} (fun (_bor: MutBorrow.t t_Perm_PermCell_i32) -> [ &_44 <- _bor ] [ &_45 <- { _45 with current = _bor.final } ] s4) - | s4 = -{resolve_refmut_Box_Perm_PermCell_i32_Global _46}- s5 + | s4 = -{resolve_refmut_Perm_PermCell_i32 _46}- s5 | s5 = -{resolve_refmut_Perm_PermCell_i32 _45}- s6 | s6 = MutBorrow.borrow_final {_44.current} {MutBorrow.get_id _44} (fun (_bor: MutBorrow.t t_Perm_PermCell_i32) -> 
@@ -177,7 +164,7 @@ module M_foo [ & _ret: Int32.t = Any.any_l () | & p: t_PermCell_i32 = Any.any_l () | & own: t_Perm_PermCell_i32 = Any.any_l () - | & _4: tup2_PermCell_i32_Ghost_Box_Perm_PermCell_i32_Global = Any.any_l () + | & _4: tup2_PermCell_i32_Ghost_Perm_PermCell_i32 = Any.any_l () | & _6: bool = Any.any_l () | & _8: Int32.t = Any.any_l () | & _10: t_Perm_PermCell_i32 = Any.any_l ()
diff --git a/tests/should_succeed/permcell.rs b/tests/should_succeed/permcell.rs
index 01d8a443df..e25d2a4462 100644
--- a/tests/should_succeed/permcell.rs
+++ b/tests/should_succeed/permcell.rs
@@ -5,13 +5,13 @@ use creusot_std::{cell::PermCell, prelude::*};
 pub fn foo() -> i32 {
 let (p, mut own) = PermCell::new(1i32);
- assert!(unsafe { *p.borrow(ghost!(&**own)) } == 1);
+ assert!(unsafe { *p.borrow(ghost!(&*own)) } == 1);
 unsafe {
- *p.borrow_mut(ghost!(&mut **own)) = 2;
+ *p.borrow_mut(ghost!(&mut *own)) = 2;
 }
- assert!(unsafe { *p.borrow(ghost!(&**own)) } == 2);
+ assert!(unsafe { *p.borrow(ghost!(&*own)) } == 2);
- assert!(unsafe { p.replace(ghost!(&mut **own), 3) } == 2);
+ assert!(unsafe { p.replace(ghost!(&mut *own), 3) } == 2);
 p.into_inner(own)
 }
diff --git a/tests/should_succeed/permcell/proof.json b/tests/should_succeed/permcell/proof.json
index d6f6602e48..f148e10a47 100644
--- a/tests/should_succeed/permcell/proof.json
+++ b/tests/should_succeed/permcell/proof.json
@@ -7,28 +7,22 @@ ], "proofs": { "M_foo": { - "vc_borrow_i32": { "prover": "cvc5@1.3.1", "time": 0.014 }, - "vc_borrow_mut_i32": { "prover": "cvc5@1.3.1", "time": 0.012 }, - "vc_deref_Ghost_Box_Perm_PermCell_i32_Global": { - "prover": "cvc5@1.3.1", - "time": 0.011 + "vc_borrow_i32": { "prover": "cvc5", "time": 0.056 }, + "vc_borrow_mut_i32": { "prover": "cvc5", "time": 0.049 }, + "vc_deref_Ghost_Perm_PermCell_i32": { + "prover": "alt-ergo", + "time": 0.086 }, - "vc_deref_mut_Ghost_Box_Perm_PermCell_i32_Global": { - "prover": "cvc5@1.3.1", - "time": 0.011 + "vc_deref_mut_Ghost_Perm_PermCell_i32": { + "prover": "alt-ergo", + "time": 0.086 }, - "vc_foo": { "prover": "cvc5@1.3.1", "time": 0.014 }, - "vc_into_inner_i32": { "prover": "cvc5@1.3.1", "time": 0.013 }, - "vc_new_i32": { "prover": "cvc5@1.3.1", "time": 0.014 }, - "vc_new_ref_Perm_PermCell_i32": { - "prover": "cvc5@1.3.1", - "time": 0.011 - }, - "vc_new_refmut_Perm_PermCell_i32": { - "prover": "cvc5@1.3.1", - "time": 0.011 - }, - "vc_replace_i32": { "prover": "cvc5@1.3.1", "time": 0.013 } + "vc_foo": { "prover": "cvc5", "time": 0.037 }, + "vc_into_inner_i32": { "prover": "cvc5", "time": 0.04 }, + "vc_new_i32": { "prover": "cvc5", "time": 0.056 }, + "vc_new_ref_Perm_PermCell_i32": { "prover": "cvc5", "time": 0.056 }, + "vc_new_refmut_Perm_PermCell_i32": { "prover": "cvc5", "time": 0.051 }, + "vc_replace_i32": { "prover": "cvc5", "time": 0.04 } } } }