diff options
| author |  Dan Liew <daniel.liew@imperial.ac.uk> | 2015-06-28 01:44:30 +0100 |
|---|---|---|
| committer | Dan Liew <daniel.liew@imperial.ac.uk> | 2015-06-28 01:44:30 +0100 |
| commit | 962f8d5252b3f5ec4d19e0cd2a430934bd55cc6d (patch) | |
| tree | 27d5f9b0d130c6c1a6758bc0b7456b0aa51e34e0 /Test/test21 | |
| parent | e11d65009d0b4ba1327f5f5dd6b26367330611f0 (diff) | |
Normalise line endings using a .gitattributes file. Unfortunately
this required that this commit globally modify most files. If you
want to use git blame to see the real author of a line use the
``-w`` flag so that whitespace changes are ignored.
Diffstat (limited to 'Test/test21')
40 files changed, 3210 insertions, 3210 deletions
diff --git a/Test/test21/BooleanQuantification.bpl b/Test/test21/BooleanQuantification.bpl index 1493269b..7a0c66d5 100644 --- a/Test/test21/BooleanQuantification.bpl +++ b/Test/test21/BooleanQuantification.bpl @@ -1,38 +1,38 @@ -// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t"
-// RUN: %diff "%s.n.expect" "%t"
-// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t"
-// RUN: %diff "%s.p.expect" "%t"
-// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t"
-// RUN: %diff "%s.a.expect" "%t"
-
-
-
-function f(bool) returns (int);
-
-axiom f(true) == 17;
-axiom f(false) == 19;
-
-procedure P() returns () {
- assert (forall x:bool :: f(x) >= 0);
-}
-
-procedure Q() returns () {
- assert (forall x:int :: (x==7 || x==9) ==> x >= 0);
-}
-
-procedure R() returns () {
- assert f((forall x:bool :: f(x) >= 10)) < 19;
- assert (exists x:bool :: f(x) > 20); // should not be provable
-}
-
-
-function g<a>(a) returns (int);
-
-axiom g(true) == 17;
-axiom g(false) == 21;
-
-procedure S() returns () {
- assert (forall x:bool :: g(x) >= 0);
- assert g((forall x:bool :: g(x) >= 0)) >= 17;
- assert (forall x:bool :: f(x) == g(x)); // should not be provable
+// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t" +// RUN: %diff "%s.n.expect" "%t" +// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t" +// RUN: %diff "%s.p.expect" "%t" +// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t" +// RUN: %diff "%s.a.expect" "%t" + + + +function f(bool) returns (int); + +axiom f(true) == 17; +axiom f(false) == 19; + +procedure P() returns () { + assert (forall x:bool :: f(x) >= 0); +} + +procedure Q() returns () { + assert (forall x:int :: (x==7 || x==9) ==> x >= 0); +} + +procedure R() returns () { + assert f((forall x:bool :: f(x) >= 10)) < 19; + assert (exists x:bool :: f(x) > 20); // should not be provable +} + + +function g<a>(a) returns (int); + +axiom g(true) == 17; +axiom g(false) == 21; + +procedure S() returns () { + assert (forall x:bool :: g(x) >= 0); + assert g((forall x:bool :: g(x) >= 0)) >= 17; + assert (forall x:bool :: f(x) == g(x)); // should not be provable }
\ No newline at end of file diff --git a/Test/test21/BooleanQuantification2.bpl b/Test/test21/BooleanQuantification2.bpl index 22dfd217..77ac26c8 100644 --- a/Test/test21/BooleanQuantification2.bpl +++ b/Test/test21/BooleanQuantification2.bpl @@ -1,20 +1,20 @@ -// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t"
-// RUN: %diff "%s.n.expect" "%t"
-// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t"
-// RUN: %diff "%s.p.expect" "%t"
-// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t"
-// RUN: %diff "%s.a.expect" "%t"
-
-
-axiom (forall x:bool :: x || !x);
-axiom (forall x:bool :: x == true || x == false);
-
-procedure P() returns () {
- var i : int;
- var j : bool;
-
- assert i != 3 || i != 4;
- assert j || !j;
-
- assert false;
+// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t" +// RUN: %diff "%s.n.expect" "%t" +// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t" +// RUN: %diff "%s.p.expect" "%t" +// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t" +// RUN: %diff "%s.a.expect" "%t" + + +axiom (forall x:bool :: x || !x); +axiom (forall x:bool :: x == true || x == false); + +procedure P() returns () { + var i : int; + var j : bool; + + assert i != 3 || i != 4; + assert j || !j; + + assert false; }
\ No newline at end of file diff --git a/Test/test21/Boxing.bpl b/Test/test21/Boxing.bpl index 0112b6cf..aa7c53b3 100644 --- a/Test/test21/Boxing.bpl +++ b/Test/test21/Boxing.bpl @@ -1,27 +1,27 @@ -// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t"
-// RUN: %diff "%s.n.expect" "%t"
-// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t"
-// RUN: %diff "%s.p.expect" "%t"
-// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t"
-// RUN: %diff "%s.a.expect" "%t"
-
-type Box;
-
-function box<a>(a) returns (Box);
-function unbox<a>(Box) returns (a);
-
-axiom (forall<a> x:a :: unbox(box(x)) == x);
-
-var b1: Box;
-var b2: Box;
-var b3: Box;
-
-procedure P() returns ()
- modifies b1, b2, b3; {
- b1 := box(13);
- b2 := box(true);
- b3 := box(b1);
-
- assert unbox(b1) == 13 && unbox(b2) == true && unbox(unbox(b3)) == 13;
- assert unbox(b1) == true; // error
+// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t" +// RUN: %diff "%s.n.expect" "%t" +// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t" +// RUN: %diff "%s.p.expect" "%t" +// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t" +// RUN: %diff "%s.a.expect" "%t" + +type Box; + +function box<a>(a) returns (Box); +function unbox<a>(Box) returns (a); + +axiom (forall<a> x:a :: unbox(box(x)) == x); + +var b1: Box; +var b2: Box; +var b3: Box; + +procedure P() returns () + modifies b1, b2, b3; { + b1 := box(13); + b2 := box(true); + b3 := box(b1); + + assert unbox(b1) == 13 && unbox(b2) == true && unbox(unbox(b3)) == 13; + assert unbox(b1) == true; // error }
\ No newline at end of file diff --git a/Test/test21/Casts.bpl b/Test/test21/Casts.bpl index 739185ea..07494ec1 100644 --- a/Test/test21/Casts.bpl +++ b/Test/test21/Casts.bpl @@ -1,17 +1,17 @@ -// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t"
-// RUN: %diff "%s.n.expect" "%t"
-// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t"
-// RUN: %diff "%s.p.expect" "%t"
-// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t"
-// RUN: %diff "%s.a.expect" "%t"
-
-
-procedure P() returns () {
- var m : [int]int, n : [int]int, x : int;
-
- assume m[x] == x;
- assume n[x] == 1;
-
- assert n[m[x]] == 1;
- assert m[n[x]] == 1; // should not be provable
+// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t" +// RUN: %diff "%s.n.expect" "%t" +// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t" +// RUN: %diff "%s.p.expect" "%t" +// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t" +// RUN: %diff "%s.a.expect" "%t" + + +procedure P() returns () { + var m : [int]int, n : [int]int, x : int; + + assume m[x] == x; + assume n[x] == 1; + + assert n[m[x]] == 1; + assert m[n[x]] == 1; // should not be provable }
\ No newline at end of file diff --git a/Test/test21/Coercions2.bpl b/Test/test21/Coercions2.bpl index e9a78574..a52fb0e6 100644 --- a/Test/test21/Coercions2.bpl +++ b/Test/test21/Coercions2.bpl @@ -1,30 +1,30 @@ -// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t"
-// RUN: %diff "%s.n.expect" "%t"
-// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t"
-// RUN: %diff "%s.p.expect" "%t"
-// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t"
-// RUN: %diff "%s.a.expect" "%t"
-
-
-type Box, C;
-
-function box<a>(a) returns (Box);
-function unbox<a>(Box) returns (a);
-
-axiom (forall<a> x:a :: unbox(box(x)) == x);
-
-axiom (forall<a> x:Box :: {unbox(x):a} box(unbox(x):a) == x);
-
-axiom (forall x:Box :: box(unbox(x)) == x); // warning
-
-procedure P() {
- var b : Box;
- var i : C;
-
- assert unbox(box(13)) == 13;
-
- i := unbox(b);
- assert b == box(i);
-
- assert false;
+// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t" +// RUN: %diff "%s.n.expect" "%t" +// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t" +// RUN: %diff "%s.p.expect" "%t" +// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t" +// RUN: %diff "%s.a.expect" "%t" + + +type Box, C; + +function box<a>(a) returns (Box); +function unbox<a>(Box) returns (a); + +axiom (forall<a> x:a :: unbox(box(x)) == x); + +axiom (forall<a> x:Box :: {unbox(x):a} box(unbox(x):a) == x); + +axiom (forall x:Box :: box(unbox(x)) == x); // warning + +procedure P() { + var b : Box; + var i : C; + + assert unbox(box(13)) == 13; + + i := unbox(b); + assert b == box(i); + + assert false; }
\ No newline at end of file diff --git a/Test/test21/Colors.bpl b/Test/test21/Colors.bpl index f0e12672..fdfc307f 100644 --- a/Test/test21/Colors.bpl +++ b/Test/test21/Colors.bpl @@ -1,27 +1,27 @@ -// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t"
-// RUN: %diff "%s.n.expect" "%t"
-// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t"
-// RUN: %diff "%s.p.expect" "%t"
-// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t"
-// RUN: %diff "%s.a.expect" "%t"
-
-
-type Color;
-
-const Blue, Red, Green : Color;
-
-axiom (forall x : Color :: x == Blue || x == Red || x == Green);
-
-procedure P() returns () {
- var x : Color;
-
- assume x != Blue;
- assert x == Red; // should not be provable
-}
-
-procedure Q() returns () {
- var x : Color;
-
- assume x != Blue && x != Green;
- assert x == Red;
+// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t" +// RUN: %diff "%s.n.expect" "%t" +// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t" +// RUN: %diff "%s.p.expect" "%t" +// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t" +// RUN: %diff "%s.a.expect" "%t" + + +type Color; + +const Blue, Red, Green : Color; + +axiom (forall x : Color :: x == Blue || x == Red || x == Green); + +procedure P() returns () { + var x : Color; + + assume x != Blue; + assert x == Red; // should not be provable +} + +procedure Q() returns () { + var x : Color; + + assume x != Blue && x != Green; + assert x == Red; }
\ No newline at end of file diff --git a/Test/test21/DisjointDomains.bpl b/Test/test21/DisjointDomains.bpl index 30d8a6f7..405d325c 100644 --- a/Test/test21/DisjointDomains.bpl +++ b/Test/test21/DisjointDomains.bpl @@ -1,36 +1,36 @@ -// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t"
-// RUN: %diff "%s.n.expect" "%t"
-// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t"
-// RUN: %diff "%s.p.expect" "%t"
-// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t"
-// RUN: %diff "%s.a.expect" "%t"
-type C _;
-
-function f<a>(C a) returns (int);
-
-axiom (forall x : C int :: f(x) == 3);
-axiom (forall x : C bool :: f(x) == 7);
-
-procedure P() returns () {
- var a : C int, b : C bool, c : C ref;
-
- start:
- assert f(a) == 3;
- assert f(b) == 7;
- assert f(b) == 8; // should not be provable
-}
-
-procedure Q() returns () {
- var c : C ref;
-
- start:
- assert f(c) == 7; // should not be provable
-}
-
-procedure R<a>(c : C a) returns () {
-
- start:
- assert f(c) == 7; // should not be provable
-}
-
-type ref;
+// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t" +// RUN: %diff "%s.n.expect" "%t" +// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t" +// RUN: %diff "%s.p.expect" "%t" +// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t" +// RUN: %diff "%s.a.expect" "%t" +type C _; + +function f<a>(C a) returns (int); + +axiom (forall x : C int :: f(x) == 3); +axiom (forall x : C bool :: f(x) == 7); + +procedure P() returns () { + var a : C int, b : C bool, c : C ref; + + start: + assert f(a) == 3; + assert f(b) == 7; + assert f(b) == 8; // should not be provable +} + +procedure Q() returns () { + var c : C ref; + + start: + assert f(c) == 7; // should not be provable +} + +procedure R<a>(c : C a) returns () { + + start: + assert f(c) == 7; // should not be provable +} + +type ref; diff --git a/Test/test21/DisjointDomains2.bpl b/Test/test21/DisjointDomains2.bpl index ae25a20e..9f9dd63e 100644 --- a/Test/test21/DisjointDomains2.bpl +++ b/Test/test21/DisjointDomains2.bpl @@ -1,70 +1,70 @@ -// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t"
-// RUN: %diff "%s.n.expect" "%t"
-// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t"
-// RUN: %diff "%s.p.expect" "%t"
-// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t"
-// RUN: %diff "%s.a.expect" "%t"
-type C _;
-
-function f<a>(C a) returns (int);
-
-axiom (forall<a> x : C a :: f(x) == 42);
-
-procedure P(a : C int) returns () {
-
- start:
- assert f(a) == 42;
- assert f(a) == 43; // should not be provable
-}
-
-procedure Q<a>(c : C a) returns () {
-
- start:
- assert f(c) == 42;
- assert f(c) == 43; // should not be provable
-}
-
-function g<a,b>(a, b) returns (int);
-
-
-axiom (forall x : int, y : bool :: g(x,y) == 13);
-axiom (forall<a> x : int, y : C a :: g(x,y) == 42);
-axiom (forall<a,z> x : C z, y : C a :: g(x,y) == 43);
-
-procedure R() returns () {
-
- start:
- assert g(7, true) == 13;
- assert g(7, false) == 15; // should not be provable
-}
-
-procedure S<b>(y : C b) returns () {
-
- start:
- assert g(3, y) == f(y);
- assert g(y, false) == 15; // should not be provable
-}
-
-procedure T<a,b>(y : C b, param : a) returns () {
- var x : C a; var z : C b;
-
- start:
- assert g(y, x) == g(x, y);
- assert g(y, x) == 43;
- assert g(f(x), y) == 42;
- assert g(y, z) == 15; // should not be provable
-}
-
-
-type D _ _;
-
-procedure U() returns () {
- var u : D int bool, v : D bool int;
-
- start:
- assume (forall<a,b> x:D a b, y:b :: g(x, y) == -3);
-
- assert g(v, 32) == -3;
- assert g(v, 716371398712982312321) == -3;
- assert g(u, 1) == -3; // should not be provable
-}
+// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t" +// RUN: %diff "%s.n.expect" "%t" +// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t" +// RUN: %diff "%s.p.expect" "%t" +// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t" +// RUN: %diff "%s.a.expect" "%t" +type C _; + +function f<a>(C a) returns (int); + +axiom (forall<a> x : C a :: f(x) == 42); + +procedure P(a : C int) returns () { + + start: + assert f(a) == 42; + assert f(a) == 43; // should not be provable +} + +procedure Q<a>(c : C a) returns () { + + start: + assert f(c) == 42; + assert f(c) == 43; // should not be provable +} + +function g<a,b>(a, b) returns (int); + + +axiom (forall x : int, y : bool :: g(x,y) == 13); +axiom (forall<a> x : int, y : C a :: g(x,y) == 42); +axiom (forall<a,z> x : C z, y : C a :: g(x,y) == 43); + +procedure R() returns () { + + start: + assert g(7, true) == 13; + assert g(7, false) == 15; // should not be provable +} + +procedure S<b>(y : C b) returns () { + + start: + assert g(3, y) == f(y); + assert g(y, false) == 15; // should not be provable +} + +procedure T<a,b>(y : C b, param : a) returns () { + var x : C a; var z : C b; + + start: + assert g(y, x) == g(x, y); + assert g(y, x) == 43; + assert g(f(x), y) == 42; + assert g(y, z) == 15; // should not be provable +} + + +type D _ _; + +procedure U() returns () { + var u : D int bool, v : D bool int; + + start: + assume (forall<a,b> x:D a b, y:b :: g(x, y) == -3); + + assert g(v, 32) == -3; + assert g(v, 716371398712982312321) == -3; + assert g(u, 1) == -3; // should not be provable +} diff --git a/Test/test21/EmptyList.bpl b/Test/test21/EmptyList.bpl index 450cd064..6acd2736 100644 --- a/Test/test21/EmptyList.bpl +++ b/Test/test21/EmptyList.bpl @@ -1,53 +1,53 @@ -// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t"
-// RUN: %diff "%s.n.expect" "%t"
-// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t"
-// RUN: %diff "%s.p.expect" "%t"
-// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t"
-// RUN: %diff "%s.a.expect" "%t"
-
-
-type List _;
-
-function NIL<a>() returns (List a);
-function Cons<a>(a, List a) returns (List a);
-
-function car<a>(List a) returns (a);
-function cdr<a>(List a) returns (List a);
-
-axiom (forall<a> x:a, l:List a :: car(Cons(x, l)) == x);
-axiom (forall<a> x:a, l:List a :: cdr(Cons(x, l)) == l);
-
-axiom (forall<a> x:a, l:List a :: Cons(x, l) != NIL());
-
-var l:List bool;
-
-var m:List int;
-var mar:[int](List int);
-
-procedure P() returns ()
- requires m != NIL();
- requires mar[0] == m && (forall i:int :: i > 0 ==> mar[i] == cdr(mar[i-1]));
- modifies l, m, mar; {
-
- l := Cons(true, NIL());
-
- assert l != NIL();
- l := cdr(l);
-
- assert l == NIL();
- l := Cons(true, l);
- l := Cons(false, l);
-
- assert car(mar[1]) == car(cdr(m));
- mar[0] := NIL();
- assert mar[0] != m;
-
- assert !car(l) && car(cdr(l));
- l := cdr(cdr(l));
-
- assert (forall i:int :: i > 0 ==> mar[i] == cdr(mar[i-1])); // error
-}
-
-procedure Q() returns () {
- assert Cons(NIL(), NIL()) != NIL(); // warning, but provable
+// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t" +// RUN: %diff "%s.n.expect" "%t" +// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t" +// RUN: %diff "%s.p.expect" "%t" +// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t" +// RUN: %diff "%s.a.expect" "%t" + + +type List _; + +function NIL<a>() returns (List a); +function Cons<a>(a, List a) returns (List a); + +function car<a>(List a) returns (a); +function cdr<a>(List a) returns (List a); + +axiom (forall<a> x:a, l:List a :: car(Cons(x, l)) == x); +axiom (forall<a> x:a, l:List a :: cdr(Cons(x, l)) == l); + +axiom (forall<a> x:a, l:List a :: Cons(x, l) != NIL()); + +var l:List bool; + +var m:List int; +var mar:[int](List int); + +procedure P() returns () + requires m != NIL(); + requires mar[0] == m && (forall i:int :: i > 0 ==> mar[i] == cdr(mar[i-1])); + modifies l, m, mar; { + + l := Cons(true, NIL()); + + assert l != NIL(); + l := cdr(l); + + assert l == NIL(); + l := Cons(true, l); + l := Cons(false, l); + + assert car(mar[1]) == car(cdr(m)); + mar[0] := NIL(); + assert mar[0] != m; + + assert !car(l) && car(cdr(l)); + l := cdr(cdr(l)); + + assert (forall i:int :: i > 0 ==> mar[i] == cdr(mar[i-1])); // error +} + +procedure Q() returns () { + assert Cons(NIL(), NIL()) != NIL(); // warning, but provable }
\ No newline at end of file diff --git a/Test/test21/EmptySetBug.bpl b/Test/test21/EmptySetBug.bpl index e3feb16c..6c25ed95 100644 --- a/Test/test21/EmptySetBug.bpl +++ b/Test/test21/EmptySetBug.bpl @@ -1,36 +1,36 @@ -// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t"
-// RUN: %diff "%s.n.expect" "%t"
-// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t"
-// RUN: %diff "%s.p.expect" "%t"
-// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t"
-// RUN: %diff "%s.a.expect" "%t"
-type ref;
-
-const null: ref;
-
-type Set T = [T]bool;
-
-function Set#Empty<T>() returns (Set T);
-
-axiom (forall<T> o: T :: { Set#Empty()[o] } !Set#Empty()[o]);
-
-function Set#Singleton<T>(T) returns (Set T);
-
-axiom (forall<T> r: T :: { Set#Singleton(r) } Set#Singleton(r)[r]);
-
-axiom (forall<T> r: T, o: T :: { Set#Singleton(r)[o] } Set#Singleton(r)[o] <==> r == o);
-
-function Set#UnionOne<T>(Set T, T) returns (Set T);
-
-axiom (forall<T> a: Set T, x: T, o: T :: { Set#UnionOne(a, x)[o] } Set#UnionOne(a, x)[o] <==> o == x || a[o]);
-
-procedure Test(this: ref)
-{
- var s: Set ref;
-
- s := Set#UnionOne(Set#Empty(), this);
- assert s[this];
- assert !Set#Empty()[this];
-
- assert Set#Singleton(this)[null]; // should not be provable
-}
+// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t" +// RUN: %diff "%s.n.expect" "%t" +// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t" +// RUN: %diff "%s.p.expect" "%t" +// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t" +// RUN: %diff "%s.a.expect" "%t" +type ref; + +const null: ref; + +type Set T = [T]bool; + +function Set#Empty<T>() returns (Set T); + +axiom (forall<T> o: T :: { Set#Empty()[o] } !Set#Empty()[o]); + +function Set#Singleton<T>(T) returns (Set T); + +axiom (forall<T> r: T :: { Set#Singleton(r) } Set#Singleton(r)[r]); + +axiom (forall<T> r: T, o: T :: { Set#Singleton(r)[o] } Set#Singleton(r)[o] <==> r == o); + +function Set#UnionOne<T>(Set T, T) returns (Set T); + +axiom (forall<T> a: Set T, x: T, o: T :: { Set#UnionOne(a, x)[o] } Set#UnionOne(a, x)[o] <==> o == x || a[o]); + +procedure Test(this: ref) +{ + var s: Set ref; + + s := Set#UnionOne(Set#Empty(), this); + assert s[this]; + assert !Set#Empty()[this]; + + assert Set#Singleton(this)[null]; // should not be provable +} diff --git a/Test/test21/Flattening.bpl b/Test/test21/Flattening.bpl index ddebd9ab..3931c573 100644 --- a/Test/test21/Flattening.bpl +++ b/Test/test21/Flattening.bpl @@ -1,19 +1,19 @@ -// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t"
-// RUN: %diff "%s.n.expect" "%t"
-// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t"
-// RUN: %diff "%s.p.expect" "%t"
-// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t"
-// RUN: %diff "%s.a.expect" "%t"
-
-
-function g(int) returns (int);
-function f(bool) returns (int);
-
-
-axiom (f((exists x:int :: g(x) >= 12)) == 3);
-axiom (f((exists x:int :: g(f((forall y:int :: g(x+y) >= 0))) >= 12)) == 3);
-
-
-procedure P() returns () {
- assert false;
+// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t" +// RUN: %diff "%s.n.expect" "%t" +// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t" +// RUN: %diff "%s.p.expect" "%t" +// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t" +// RUN: %diff "%s.a.expect" "%t" + + +function g(int) returns (int); +function f(bool) returns (int); + + +axiom (f((exists x:int :: g(x) >= 12)) == 3); +axiom (f((exists x:int :: g(f((forall y:int :: g(x+y) >= 0))) >= 12)) == 3); + + +procedure P() returns () { + assert false; }
\ No newline at end of file diff --git a/Test/test21/FunAxioms.bpl b/Test/test21/FunAxioms.bpl index 5964b4e8..2baa2169 100644 --- a/Test/test21/FunAxioms.bpl +++ b/Test/test21/FunAxioms.bpl @@ -1,46 +1,46 @@ -// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t"
-// RUN: %diff "%s.n.expect" "%t"
-// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t"
-// RUN: %diff "%s.p.expect" "%t"
-// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t"
-// RUN: %diff "%s.a.expect" "%t"
-
-
-type Pair a b;
-
-function MP<a,b>(x:a, y:b) returns (Pair a b);
-function Left<a,b>(Pair a b) returns (a);
-function Right<a,b>(Pair a b) returns (b);
-
-axiom (forall<a,b> x:a, y:b :: Left(MP(x,y)) == x);
-axiom (forall<a,b> x:a, y:b :: Right(MP(x,y)) == y);
-
-type A, B;
-
-procedure P() returns () {
-
- var x:A, y:B, z:A, p : Pair A B;
-
- assert Left(MP(x,y)) == x;
- assert Right(MP(x,y)) == y;
- assert Right(MP(x,MP(x,y))) == MP(x,y);
- assert Left(MP(x,MP(x,y))) == x;
- assert Right(Right(MP(x,MP(x,y)))) == y;
-
- p := MP(x, y);
-
- p := MP(Left(p), y);
-
- assert Left(p) == x && Right(p) == y;
-
- assert Left(p) == z; // should not be provable
-
-}
-
-procedure Q() returns () {
-
- assert Left(MP(1,3)) == 1;
- assert Right(MP(1,3)) == 3;
- assert Right(MP(1,true)) == true;
-
+// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t" +// RUN: %diff "%s.n.expect" "%t" +// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t" +// RUN: %diff "%s.p.expect" "%t" +// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t" +// RUN: %diff "%s.a.expect" "%t" + + +type Pair a b; + +function MP<a,b>(x:a, y:b) returns (Pair a b); +function Left<a,b>(Pair a b) returns (a); +function Right<a,b>(Pair a b) returns (b); + +axiom (forall<a,b> x:a, y:b :: Left(MP(x,y)) == x); +axiom (forall<a,b> x:a, y:b :: Right(MP(x,y)) == y); + +type A, B; + +procedure P() returns () { + + var x:A, y:B, z:A, p : Pair A B; + + assert Left(MP(x,y)) == x; + assert Right(MP(x,y)) == y; + assert Right(MP(x,MP(x,y))) == MP(x,y); + assert Left(MP(x,MP(x,y))) == x; + assert Right(Right(MP(x,MP(x,y)))) == y; + + p := MP(x, y); + + p := MP(Left(p), y); + + assert Left(p) == x && Right(p) == y; + + assert Left(p) == z; // should not be provable + +} + +procedure Q() returns () { + + assert Left(MP(1,3)) == 1; + assert Right(MP(1,3)) == 3; + assert Right(MP(1,true)) == true; + }
\ No newline at end of file diff --git a/Test/test21/FunAxioms2.bpl b/Test/test21/FunAxioms2.bpl index 6e087baf..341807f8 100644 --- a/Test/test21/FunAxioms2.bpl +++ b/Test/test21/FunAxioms2.bpl @@ -1,27 +1,27 @@ -// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t"
-// RUN: %diff "%s.n.expect" "%t"
-// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t"
-// RUN: %diff "%s.p.expect" "%t"
-// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t"
-// RUN: %diff "%s.a.expect" "%t"
-
-type T;
-
-function f() returns (int); // functions without arguments
-function g() returns (T);
-
-
-const c : T;
-
-axiom (f() >= 13);
-axiom (g() != c);
-
-procedure P() returns () {
- var x : int;
-
- x := f();
-
- assert x >= 0 && f() >= 7;
- assert g() != c;
- assert f() >= 20; // should not be provable
+// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t" +// RUN: %diff "%s.n.expect" "%t" +// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t" +// RUN: %diff "%s.p.expect" "%t" +// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t" +// RUN: %diff "%s.a.expect" "%t" + +type T; + +function f() returns (int); // functions without arguments +function g() returns (T); + + +const c : T; + +axiom (f() >= 13); +axiom (g() != c); + +procedure P() returns () { + var x : int; + + x := f(); + + assert x >= 0 && f() >= 7; + assert g() != c; + assert f() >= 20; // should not be provable }
\ No newline at end of file diff --git a/Test/test21/HeapAbstraction.bpl b/Test/test21/HeapAbstraction.bpl index 0fb2f007..b1abf0c0 100644 --- a/Test/test21/HeapAbstraction.bpl +++ b/Test/test21/HeapAbstraction.bpl @@ -1,25 +1,25 @@ -// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t"
-// RUN: %diff "%s.n.expect" "%t"
-// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t"
-// RUN: %diff "%s.p.expect" "%t"
-// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t"
-// RUN: %diff "%s.a.expect" "%t"
-
-
-type Field a, Heap = <a>[ref, Field a]a;
-
-function f<b>(<a>[b, Field a]a) returns (int);
-
-axiom (forall x:<a>[int, Field a]a :: f(x) == 17);
-
-axiom (forall x:<a>[ref, Field a]a :: f(x) == 42);
-
-procedure P() returns () {
- var h : Heap, g : <a>[bool, Field a]a;
-
- assert f(h) == 42;
- assert f(g) >= 0; // should not be provable
-}
-
-type ref;
-const null : ref;
+// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t" +// RUN: %diff "%s.n.expect" "%t" +// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t" +// RUN: %diff "%s.p.expect" "%t" +// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t" +// RUN: %diff "%s.a.expect" "%t" + + +type Field a, Heap = <a>[ref, Field a]a; + +function f<b>(<a>[b, Field a]a) returns (int); + +axiom (forall x:<a>[int, Field a]a :: f(x) == 17); + +axiom (forall x:<a>[ref, Field a]a :: f(x) == 42); + +procedure P() returns () { + var h : Heap, g : <a>[bool, Field a]a; + + assert f(h) == 42; + assert f(g) >= 0; // should not be provable +} + +type ref; +const null : ref; diff --git a/Test/test21/HeapAxiom.bpl b/Test/test21/HeapAxiom.bpl index 691c97f9..a49ddd36 100644 --- a/Test/test21/HeapAxiom.bpl +++ b/Test/test21/HeapAxiom.bpl @@ -1,33 +1,33 @@ -// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t"
-// RUN: %diff "%s.n.expect" "%t"
-// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t"
-// RUN: %diff "%s.p.expect" "%t"
-// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t"
-// RUN: %diff "%s.a.expect" "%t"
-
-
-type Field a, Heap = <a>[ref, Field a]a;
-
-function IsHeap(Heap) returns (bool);
-const alloc : Field bool;
-
-axiom (forall H:Heap, o:ref, f:Field ref ::
- IsHeap(H) && H[o,alloc] ==> H[H[o,f], alloc]);
-
-procedure P() returns () {
- var h : Heap, o : ref, g : Field ref, i : Field ref, o2 : ref;
- assume IsHeap(h) && h[o, alloc];
-
- o2 := h[o, g];
- assert h[o2, alloc];
-
- o2 := h[o2, g];
- assert h[o2, alloc];
-
- h[o2, alloc] := false;
-
- o2 := h[o2, g];
- assert h[o2, alloc]; // should not be provable
-}
-
-type ref;
+// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t" +// RUN: %diff "%s.n.expect" "%t" +// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t" +// RUN: %diff "%s.p.expect" "%t" +// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t" +// RUN: %diff "%s.a.expect" "%t" + + +type Field a, Heap = <a>[ref, Field a]a; + +function IsHeap(Heap) returns (bool); +const alloc : Field bool; + +axiom (forall H:Heap, o:ref, f:Field ref :: + IsHeap(H) && H[o,alloc] ==> H[H[o,f], alloc]); + +procedure P() returns () { + var h : Heap, o : ref, g : Field ref, i : Field ref, o2 : ref; + assume IsHeap(h) && h[o, alloc]; + + o2 := h[o, g]; + assert h[o2, alloc]; + + o2 := h[o2, g]; + assert h[o2, alloc]; + + h[o2, alloc] := false; + + o2 := h[o2, g]; + assert h[o2, alloc]; // should not be provable +} + +type ref; diff --git a/Test/test21/InterestingExamples0.bpl b/Test/test21/InterestingExamples0.bpl index 08ed61d4..fd79ad5c 100644 --- a/Test/test21/InterestingExamples0.bpl +++ b/Test/test21/InterestingExamples0.bpl @@ -1,14 +1,14 @@ -// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t"
-// RUN: %diff "%s.n.expect" "%t"
-// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t"
-// RUN: %diff "%s.p.expect" "%t"
-// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t"
-// RUN: %diff "%s.a.expect" "%t"
-
-procedure P() returns () {
-var a : <t>[t]int;
-
-a[5] := 0;
-a[true] := 1;
-assert a[5] == 0;
+// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t" +// RUN: %diff "%s.n.expect" "%t" +// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t" +// RUN: %diff "%s.p.expect" "%t" +// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t" +// RUN: %diff "%s.a.expect" "%t" + +procedure P() returns () { +var a : <t>[t]int; + +a[5] := 0; +a[true] := 1; +assert a[5] == 0; }
\ No newline at end of file diff --git a/Test/test21/InterestingExamples1.bpl b/Test/test21/InterestingExamples1.bpl index 247e2c5b..48b4a5dd 100644 --- a/Test/test21/InterestingExamples1.bpl +++ b/Test/test21/InterestingExamples1.bpl @@ -1,33 +1,33 @@ -// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t"
-// RUN: %diff "%s.n.expect" "%t"
-// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t"
-// RUN: %diff "%s.p.expect" "%t"
-// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t"
-// RUN: %diff "%s.a.expect" "%t"
-
-type Set = <a> [a] bool;
-type Field a;
-type Heap = <b> [ref, Field b] b;
-
-
-const emptySet : Set;
-axiom (forall<t> x:t :: !emptySet[x]);
-
-procedure P() returns () {
- var x : Set, f : Field Set, g : Field int, heap : Heap, o : ref;
-
- x := emptySet;
- heap[o, f] := x;
- heap[o, g] := 13;
- assert heap[o, f] == emptySet && heap[o, g] == 13;
-
- heap[o, f] := heap[o, f][17 := true];
- heap[o, f] := heap[o, f][g := true];
-
- assert (forall<t> y:t :: heap[o, f][y] == (y == 17 || y == g));
- assert (forall<t> y:t :: heap[o, f][y] == (y == 16 || y == g)); // should not hold
-
-}
-
-type ref;
-
+// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t" +// RUN: %diff "%s.n.expect" "%t" +// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t" +// RUN: %diff "%s.p.expect" "%t" +// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t" +// RUN: %diff "%s.a.expect" "%t" + +type Set = <a> [a] bool; +type Field a; +type Heap = <b> [ref, Field b] b; + + +const emptySet : Set; +axiom (forall<t> x:t :: !emptySet[x]); + +procedure P() returns () { + var x : Set, f : Field Set, g : Field int, heap : Heap, o : ref; + + x := emptySet; + heap[o, f] := x; + heap[o, g] := 13; + assert heap[o, f] == emptySet && heap[o, g] == 13; + + heap[o, f] := heap[o, f][17 := true]; + heap[o, f] := heap[o, f][g := true]; + + assert (forall<t> y:t :: heap[o, f][y] == (y == 17 || y == g)); + assert (forall<t> y:t :: heap[o, f][y] == (y == 16 || y == g)); // should not hold + +} + +type ref; + diff --git a/Test/test21/InterestingExamples2.bpl b/Test/test21/InterestingExamples2.bpl index 6fc8d259..4c07ee68 100644 --- a/Test/test21/InterestingExamples2.bpl +++ b/Test/test21/InterestingExamples2.bpl @@ -1,20 +1,20 @@ -// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t"
-// RUN: %diff "%s.n.expect" "%t"
-// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t"
-// RUN: %diff "%s.p.expect" "%t"
-// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t"
-// RUN: %diff "%s.a.expect" "%t"
-
-
-procedure P() returns () {
-var m : <a>[a]ref;
-var n : <b>[b]b;
-var o : ref;
-
-m[5] := null;
-assert m[true := o][5] == null;
-assert m[n[true] := o][5] == null;
-}
-
-type ref;
-const null : ref;
+// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t" +// RUN: %diff "%s.n.expect" "%t" +// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t" +// RUN: %diff "%s.p.expect" "%t" +// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t" +// RUN: %diff "%s.a.expect" "%t" + + +procedure P() returns () { +var m : <a>[a]ref; +var n : <b>[b]b; +var o : ref; + +m[5] := null; +assert m[true := o][5] == null; +assert m[n[true] := o][5] == null; +} + +type ref; +const null : ref; diff --git a/Test/test21/InterestingExamples3.bpl b/Test/test21/InterestingExamples3.bpl index 24e89b2b..4990fb72 100644 --- a/Test/test21/InterestingExamples3.bpl +++ b/Test/test21/InterestingExamples3.bpl @@ -1,33 +1,33 @@ -// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t"
-// RUN: %diff "%s.n.expect" "%t"
-// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t"
-// RUN: %diff "%s.p.expect" "%t"
-// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t"
-// RUN: %diff "%s.a.expect" "%t"
-
-procedure P() returns () {
-
- assume (forall<t> m : [t]bool :: // uses "infinitely many" map types
- (forall x : t :: m[x] == false));
-
-}
-
-
-procedure Q() returns () {
- var h : [int] bool;
-
- assume (forall<t> m : [t]bool, x : t :: m[x] == false);
- assert !h[42];
- assert false; // should really be provable
-}
-
-
-
-procedure R() returns () {
- var h : [int] bool;
-
- assume (forall<t> m : [t]bool, x : t :: m[x] == false);
- assert !h[42];
- assert !h[42 := true][42];
- assert false; // wow
-}
+// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t" +// RUN: %diff "%s.n.expect" "%t" +// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t" +// RUN: %diff "%s.p.expect" "%t" +// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t" +// RUN: %diff "%s.a.expect" "%t" + +procedure P() returns () { + + assume (forall<t> m : [t]bool :: // uses "infinitely many" map types + (forall x : t :: m[x] == false)); + +} + + +procedure Q() returns () { + var h : [int] bool; + + assume (forall<t> m : [t]bool, x : t :: m[x] == false); + assert !h[42]; + assert false; // should really be provable +} + + + +procedure R() returns () { + var h : [int] bool; + + assume (forall<t> m : [t]bool, x : t :: m[x] == false); + assert !h[42]; + assert !h[42 := true][42]; + assert false; // wow +} diff --git a/Test/test21/InterestingExamples4.bpl b/Test/test21/InterestingExamples4.bpl index 941c9020..aa8993db 100644 --- a/Test/test21/InterestingExamples4.bpl +++ b/Test/test21/InterestingExamples4.bpl @@ -1,48 +1,48 @@ -// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t"
-// RUN: %diff "%s.n.expect" "%t"
-// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t"
-// RUN: %diff "%s.p.expect" "%t"
-// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t"
-// RUN: %diff "%s.a.expect" "%t"
-// a property that should hold according to the Boogie semantics
-// (but no automatic theorem prover will be able to prove it)
-
-
-type C a;
-
-function sameType<a,b>(x:a, y:b) returns (bool);
-
-axiom (forall<a,b> x:a, y:b :: sameType(x,y) == (exists z:a :: y==z));
-
-// Will be defined to hold whenever the type of y (i.e., b)
-// can be reached from the type of x (a) by applying the type
-// constructor C a finite number of times. In order words,
-// b = C^n(a)
-function rel<a,b>(x:a, y:b) returns (bool);
-
-function relHelp<a,b>(x:a, y:b, z:int) returns (bool);
-
-axiom (forall<a, b> x:a, y:b :: relHelp(x, y, 0) == sameType(x, y));
-axiom (forall<a, b> n:int, x:a, y:b ::
- (n >= 0 ==>
- relHelp(x, y, n+1) ==
- (exists<c> z:c, y' : C c :: relHelp(x, z, n) && y==y')));
-
-axiom (forall<a, b> x:a, y:b ::
- rel(x, y) == (exists n:int :: n >= 0 && relHelp(x, y, n)));
-
-// Assert that from every type we can reach a type that is
-// minimal, i.e., that cannot be reached by applying C to some
-// other type. This will only hold in well-founded type
-// hierarchies
-
-procedure P() returns () {
- var v : C int;
-
- assert relHelp(7, 13, 0);
- assert rel(7, 13);
-
- assert (forall<b> y:b :: (exists<a> x:a :: // too hard for a theorem prover
- rel(x, y) &&
- (forall<c> z:c :: (rel(z, x) ==> sameType(z, x)))));
-}
+// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t" +// RUN: %diff "%s.n.expect" "%t" +// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t" +// RUN: %diff "%s.p.expect" "%t" +// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t" +// RUN: %diff "%s.a.expect" "%t" +// a property that should hold according to the Boogie semantics +// (but no automatic theorem prover will be able to prove it) + + +type C a; + +function sameType<a,b>(x:a, y:b) returns (bool); + +axiom (forall<a,b> x:a, y:b :: sameType(x,y) == (exists z:a :: y==z)); + +// Will be defined to hold whenever the type of y (i.e., b) +// can be reached from the type of x (a) by applying the type +// constructor C a finite number of times. In order words, +// b = C^n(a) +function rel<a,b>(x:a, y:b) returns (bool); + +function relHelp<a,b>(x:a, y:b, z:int) returns (bool); + +axiom (forall<a, b> x:a, y:b :: relHelp(x, y, 0) == sameType(x, y)); +axiom (forall<a, b> n:int, x:a, y:b :: + (n >= 0 ==> + relHelp(x, y, n+1) == + (exists<c> z:c, y' : C c :: relHelp(x, z, n) && y==y'))); + +axiom (forall<a, b> x:a, y:b :: + rel(x, y) == (exists n:int :: n >= 0 && relHelp(x, y, n))); + +// Assert that from every type we can reach a type that is +// minimal, i.e., that cannot be reached by applying C to some +// other type. This will only hold in well-founded type +// hierarchies + +procedure P() returns () { + var v : C int; + + assert relHelp(7, 13, 0); + assert rel(7, 13); + + assert (forall<b> y:b :: (exists<a> x:a :: // too hard for a theorem prover + rel(x, y) && + (forall<c> z:c :: (rel(z, x) ==> sameType(z, x))))); +} diff --git a/Test/test21/InterestingExamples5.bpl b/Test/test21/InterestingExamples5.bpl index 3f4e4f34..8eadadc9 100644 --- a/Test/test21/InterestingExamples5.bpl +++ b/Test/test21/InterestingExamples5.bpl @@ -1,22 +1,22 @@ -// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t"
-// RUN: %diff "%s.n.expect" "%t"
-// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t"
-// RUN: %diff "%s.p.expect" "%t"
-// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t"
-// RUN: %diff "%s.a.expect" "%t"
-
-
-type C a;
-
-function f<a>(C a) returns (int);
-
-//axiom (forall<a> x:C a :: {f(x)} (exists y:C a :: f(y) == 42));
-
-function g<a>(C a) returns (C a);
-axiom (forall<a> x:C a :: f(g(x)) == 42);
-
-procedure P() returns () {
- var z : C int;
- assume g(z) == z;
- assert (exists x : C int :: f(x) == 42);
+// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t" +// RUN: %diff "%s.n.expect" "%t" +// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t" +// RUN: %diff "%s.p.expect" "%t" +// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t" +// RUN: %diff "%s.a.expect" "%t" + + +type C a; + +function f<a>(C a) returns (int); + +//axiom (forall<a> x:C a :: {f(x)} (exists y:C a :: f(y) == 42)); + +function g<a>(C a) returns (C a); +axiom (forall<a> x:C a :: f(g(x)) == 42); + +procedure P() returns () { + var z : C int; + assume g(z) == z; + assert (exists x : C int :: f(x) == 42); }
\ No newline at end of file diff --git a/Test/test21/Keywords.bpl b/Test/test21/Keywords.bpl index 3be91fa8..53a323cd 100644 --- a/Test/test21/Keywords.bpl +++ b/Test/test21/Keywords.bpl @@ -1,15 +1,15 @@ -// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t"
-// RUN: %diff "%s.n.expect" "%t"
-// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t"
-// RUN: %diff "%s.p.expect" "%t"
-// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t"
-// RUN: %diff "%s.a.expect" "%t"
-
-
-function NOT(x:int) returns(int);
-
-axiom (forall x:int :: NOT(x) == 1 - x);
-
-procedure P() returns () {
- assert NOT(5) == -4;
+// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t" +// RUN: %diff "%s.n.expect" "%t" +// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t" +// RUN: %diff "%s.p.expect" "%t" +// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t" +// RUN: %diff "%s.a.expect" "%t" + + +function NOT(x:int) returns(int); + +axiom (forall x:int :: NOT(x) == 1 - x); + +procedure P() returns () { + assert NOT(5) == -4; }
\ No newline at end of file diff --git a/Test/test21/LargeLiterals0.bpl b/Test/test21/LargeLiterals0.bpl index 57877f9d..0f602910 100644 --- a/Test/test21/LargeLiterals0.bpl +++ b/Test/test21/LargeLiterals0.bpl @@ -1,26 +1,26 @@ -// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t"
-// RUN: %diff "%s.n.expect" "%t"
-// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t"
-// RUN: %diff "%s.p.expect" "%t"
-// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t"
-// RUN: %diff "%s.a.expect" "%t"
-
-
-var x : int;
-
-procedure P() modifies x; {
-
- x := 1000000;
- assert x > 0 && x < 2000000;
-
- x := x + 256;
- assert x == 1000256;
-
- x := 1000000000000;
- x := x + 100100;
- x := x - 100;
- assert x == 1000000100000;
-
- assert x < -123456789; // error
-
+// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t" +// RUN: %diff "%s.n.expect" "%t" +// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t" +// RUN: %diff "%s.p.expect" "%t" +// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t" +// RUN: %diff "%s.a.expect" "%t" + + +var x : int; + +procedure P() modifies x; { + + x := 1000000; + assert x > 0 && x < 2000000; + + x := x + 256; + assert x == 1000256; + + x := 1000000000000; + x := x + 100100; + x := x - 100; + assert x == 1000000100000; + + assert x < -123456789; // error + }
\ No newline at end of file diff --git a/Test/test21/LetSorting.bpl b/Test/test21/LetSorting.bpl index c58c6242..9c76dbea 100644 --- a/Test/test21/LetSorting.bpl +++ b/Test/test21/LetSorting.bpl @@ -1,21 +1,21 @@ -// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t"
-// RUN: %diff "%s.n.expect" "%t"
-// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t"
-// RUN: %diff "%s.p.expect" "%t"
-// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t"
-// RUN: %diff "%s.a.expect" "%t"
-
-
-procedure Array0() returns (z: int)
- ensures z >= 5;
-{
-L0:
- goto L1, L2;
-L1:
- z := 10;
-L2:
- z := 20;
- return;
-}
-
-
+// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t" +// RUN: %diff "%s.n.expect" "%t" +// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t" +// RUN: %diff "%s.p.expect" "%t" +// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t" +// RUN: %diff "%s.a.expect" "%t" + + +procedure Array0() returns (z: int) + ensures z >= 5; +{ +L0: + goto L1, L2; +L1: + z := 10; +L2: + z := 20; + return; +} + + diff --git a/Test/test21/MapAxiomsConsistency.bpl b/Test/test21/MapAxiomsConsistency.bpl index 4c8302a4..4020c00d 100644 --- a/Test/test21/MapAxiomsConsistency.bpl +++ b/Test/test21/MapAxiomsConsistency.bpl @@ -1,103 +1,103 @@ -// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t"
-// RUN: %diff "%s.n.expect" "%t"
-// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t"
-// RUN: %diff "%s.p.expect" "%t"
-// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t"
-// RUN: %diff "%s.a.expect" "%t"
-// Dafny program verifier version 0.92, Copyright (c) 2003-2008, Microsoft.
-// Command Line Options: /trace /typeEncoding:arguments /print:test.bpl test.dfy
-
-type ref;
-
-const null: ref;
-
-type Set T = [T]bool;
-function Set#Empty<T>() returns (Set T);
-function Set#Singleton<T>(T) returns (Set T);
-function Set#UnionOne<T>(Set T, T) returns (Set T);
-function Set#Union<T>(Set T, Set T) returns (Set T);
-function Set#Intersection<T>(Set T, Set T) returns (Set T);
-function Set#Difference<T>(Set T, Set T) returns (Set T);
-function Set#Subset<T>(Set T, Set T) returns (bool);
-function Set#Equal<T>(Set T, Set T) returns (bool);
-function Set#Disjoint<T>(Set T, Set T) returns (bool);
-
-type Seq _;
-function Seq#Length<T>(Seq T) returns (int);
-function Seq#Empty<T>() returns (Seq T);
-function Seq#Singleton<T>(T) returns (Seq T);
-function Seq#Build<T>(s: Seq T, index: int, val: T, newLength: int) returns (Seq T);
-function Seq#Append<T>(Seq T, Seq T) returns (Seq T);
-function Seq#Index<T>(Seq T, int) returns (T);
-function Seq#Contains<T>(Seq T, T) returns (bool);
-function Seq#Equal<T>(Seq T, Seq T) returns (bool);
-function Seq#SameUntil<T>(Seq T, Seq T, int) returns (bool);
-function Seq#Take<T>(s:Seq T, howMany: int) returns (Seq T);
-function Seq#Drop<T>(s:Seq T, howMany: int) returns (Seq T);
-
-type Field _;
-type HeapType = <alpha>[ref,Field alpha]alpha;
-function $IsGoodHeap(HeapType) returns (bool);
-var $Heap: HeapType where $IsGoodHeap($Heap);
-const alloc: Field bool;
-function $HeapSucc(HeapType, HeapType) returns (bool);
-
-const unique Node.list: Field (Seq ref);
-const unique Node.footprint: Field [ref]bool;
-const unique Node.data: Field ref;
-const unique Node.next: Field ref;
-function Node.Valid($heap: HeapType, this: ref) returns (bool);
-
-
-
-
-axiom (forall<T> r: T, o: T :: { Set#Singleton(r)[o] } Set#Singleton(r)[o] <==> r == o);
-
-axiom (forall $Heap: HeapType, this: ref :: { Node.Valid($Heap, this) } this != null && $IsGoodHeap($Heap) ==> Node.Valid($Heap, this) == ($Heap[this, Node.footprint][this] && !$Heap[this, Node.footprint][null] && (forall n: ref :: $Heap[this, Node.footprint][n] ==> $Heap[n, Node.footprint][n] && !$Heap[n, Node.footprint][null] && Set#Subset($Heap[n, Node.footprint], $Heap[this, Node.footprint]) && ($Heap[n, Node.next] == null ==> Seq#Equal($Heap[n, Node.list], Seq#Build(Seq#Empty(), 0, $Heap[n, Node.data], 1))) && ($Heap[n, Node.next] != null ==> $Heap[n, Node.footprint][$Heap[n, Node.next]] && Set#Subset($Heap[$Heap[n, Node.next], Node.footprint], $Heap[n, Node.footprint]) && !$Heap[$Heap[n, Node.next], Node.footprint][n] && Seq#Equal($Heap[n, Node.list], Seq#Append(Seq#Build(Seq#Empty(), 0, $Heap[n, Node.data], 1), $Heap[$Heap[n, Node.next], Node.list])))) && ($Heap[this, Node.next] != null ==> Node.Valid($Heap, $Heap[this, Node.next]))));
-
-
-
-
-procedure Node.ReverseInPlace(this: ref where this != null && $Heap[this, alloc]) returns (reverse: ref where reverse == null || $Heap[reverse, alloc]);
- // user-defined preconditions
- free requires Node.Valid($Heap, this);
- requires $Heap[this, Node.footprint][this];
- requires !$Heap[this, Node.footprint][null];
- requires $Heap[this, Node.next] != null ==> Node.Valid($Heap, $Heap[this, Node.next]);
- modifies $Heap;
- // frame condition
- // boilerplate
- free ensures $HeapSucc(old($Heap), $Heap);
-
-
-
-procedure CheckWellformed$$Node.Valid(this: ref where this != null && $Heap[this, alloc]);
-
-
-
-
-
-implementation Node.ReverseInPlace(this: ref) returns (reverse: ref)
-{
- var current: ref where current == null || $Heap[current, alloc], $PreLoopHeap0: HeapType, nx: ref where nx == null || $Heap[nx, alloc];
-
- // ----- var-declaration statement ----- test.dfy(28,9)
- current := $Heap[this, Node.next];
-
-
- // ----- assignment statement ----- test.dfy(29,13)
- reverse := this;
- // ----- assignment statement ----- test.dfy(30,18)
- $Heap[reverse, Node.next] := null;
- assume $IsGoodHeap($Heap);
-
-
-
- // ----- assignment statement ----- test.dfy(31,23)
- $Heap[reverse, Node.footprint] := // Set#UnionOne(Set#Empty(), reverse);
- Set#Singleton(reverse);
-
- assert current == null;
-}
-
-
+// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t" +// RUN: %diff "%s.n.expect" "%t" +// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t" +// RUN: %diff "%s.p.expect" "%t" +// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t" +// RUN: %diff "%s.a.expect" "%t" +// Dafny program verifier version 0.92, Copyright (c) 2003-2008, Microsoft. +// Command Line Options: /trace /typeEncoding:arguments /print:test.bpl test.dfy + +type ref; + +const null: ref; + +type Set T = [T]bool; +function Set#Empty<T>() returns (Set T); +function Set#Singleton<T>(T) returns (Set T); +function Set#UnionOne<T>(Set T, T) returns (Set T); +function Set#Union<T>(Set T, Set T) returns (Set T); +function Set#Intersection<T>(Set T, Set T) returns (Set T); +function Set#Difference<T>(Set T, Set T) returns (Set T); +function Set#Subset<T>(Set T, Set T) returns (bool); +function Set#Equal<T>(Set T, Set T) returns (bool); +function Set#Disjoint<T>(Set T, Set T) returns (bool); + +type Seq _; +function Seq#Length<T>(Seq T) returns (int); +function Seq#Empty<T>() returns (Seq T); +function Seq#Singleton<T>(T) returns (Seq T); +function Seq#Build<T>(s: Seq T, index: int, val: T, newLength: int) returns (Seq T); +function Seq#Append<T>(Seq T, Seq T) returns (Seq T); +function Seq#Index<T>(Seq T, int) returns (T); +function Seq#Contains<T>(Seq T, T) returns (bool); +function Seq#Equal<T>(Seq T, Seq T) returns (bool); +function Seq#SameUntil<T>(Seq T, Seq T, int) returns (bool); +function Seq#Take<T>(s:Seq T, howMany: int) returns (Seq T); +function Seq#Drop<T>(s:Seq T, howMany: int) returns (Seq T); + +type Field _; +type HeapType = <alpha>[ref,Field alpha]alpha; +function $IsGoodHeap(HeapType) returns (bool); +var $Heap: HeapType where $IsGoodHeap($Heap); +const alloc: Field bool; +function $HeapSucc(HeapType, HeapType) returns (bool); + +const unique Node.list: Field (Seq ref); +const unique Node.footprint: Field [ref]bool; +const unique Node.data: Field ref; +const unique Node.next: Field ref; +function Node.Valid($heap: HeapType, this: ref) returns (bool); + + + + +axiom (forall<T> r: T, o: T :: { Set#Singleton(r)[o] } Set#Singleton(r)[o] <==> r == o); + +axiom (forall $Heap: HeapType, this: ref :: { Node.Valid($Heap, this) } this != null && $IsGoodHeap($Heap) ==> Node.Valid($Heap, this) == ($Heap[this, Node.footprint][this] && !$Heap[this, Node.footprint][null] && (forall n: ref :: $Heap[this, Node.footprint][n] ==> $Heap[n, Node.footprint][n] && !$Heap[n, Node.footprint][null] && Set#Subset($Heap[n, Node.footprint], $Heap[this, Node.footprint]) && ($Heap[n, Node.next] == null ==> Seq#Equal($Heap[n, Node.list], Seq#Build(Seq#Empty(), 0, $Heap[n, Node.data], 1))) && ($Heap[n, Node.next] != null ==> $Heap[n, Node.footprint][$Heap[n, Node.next]] && Set#Subset($Heap[$Heap[n, Node.next], Node.footprint], $Heap[n, Node.footprint]) && !$Heap[$Heap[n, Node.next], Node.footprint][n] && Seq#Equal($Heap[n, Node.list], Seq#Append(Seq#Build(Seq#Empty(), 0, $Heap[n, Node.data], 1), $Heap[$Heap[n, Node.next], Node.list])))) && ($Heap[this, Node.next] != null ==> Node.Valid($Heap, $Heap[this, Node.next])))); + + + + +procedure Node.ReverseInPlace(this: ref where this != null && $Heap[this, alloc]) returns (reverse: ref where reverse == null || $Heap[reverse, alloc]); + // user-defined preconditions + free requires Node.Valid($Heap, this); + requires $Heap[this, Node.footprint][this]; + requires !$Heap[this, Node.footprint][null]; + requires $Heap[this, Node.next] != null ==> Node.Valid($Heap, $Heap[this, Node.next]); + modifies $Heap; + // frame condition + // boilerplate + free ensures $HeapSucc(old($Heap), $Heap); + + + +procedure CheckWellformed$$Node.Valid(this: ref where this != null && $Heap[this, alloc]); + + + + + +implementation Node.ReverseInPlace(this: ref) returns (reverse: ref) +{ + var current: ref where current == null || $Heap[current, alloc], $PreLoopHeap0: HeapType, nx: ref where nx == null || $Heap[nx, alloc]; + + // ----- var-declaration statement ----- test.dfy(28,9) + current := $Heap[this, Node.next]; + + + // ----- assignment statement ----- test.dfy(29,13) + reverse := this; + // ----- assignment statement ----- test.dfy(30,18) + $Heap[reverse, Node.next] := null; + assume $IsGoodHeap($Heap); + + + + // ----- assignment statement ----- test.dfy(31,23) + $Heap[reverse, Node.footprint] := // Set#UnionOne(Set#Empty(), reverse); + Set#Singleton(reverse); + + assert current == null; +} + + diff --git a/Test/test21/MapOutputTypeParams.bpl b/Test/test21/MapOutputTypeParams.bpl index c9304d34..484c7dc1 100644 --- a/Test/test21/MapOutputTypeParams.bpl +++ b/Test/test21/MapOutputTypeParams.bpl @@ -1,39 +1,39 @@ -// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t"
-// RUN: %diff "%s.n.expect" "%t"
-// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t"
-// RUN: %diff "%s.p.expect" "%t"
-// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t"
-// RUN: %diff "%s.a.expect" "%t"
-
-
-
-var p : <a>[int]a;
-
-procedure P() returns () modifies p; {
- p[13] := 5;
- p[17] := true;
- p[13] := false;
- p[17] := 8;
-
- assert p[13] == 5 && !p[13] && p[17] == 8 && p[17];
- assert p == p[28 := p]; // error
-}
-
-var q : <a, b>[int][a]b;
-
-procedure Q() returns () modifies q; {
- q[17] := q[17][true := 13];
- q[17] := q[17][true := false];
- q[16] := q[17][true := 14];
-
- assert q[17][true] == 13 && !q[17][true];
- assert q[17][true] == 14; // error
-}
-
-procedure R() returns () modifies p; {
- p[7] := 28;
- p[5] := p[7];
-
- assert p[7] == 28;
- assert p[6] == 28; // error
+// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t" +// RUN: %diff "%s.n.expect" "%t" +// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t" +// RUN: %diff "%s.p.expect" "%t" +// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t" +// RUN: %diff "%s.a.expect" "%t" + + + +var p : <a>[int]a; + +procedure P() returns () modifies p; { + p[13] := 5; + p[17] := true; + p[13] := false; + p[17] := 8; + + assert p[13] == 5 && !p[13] && p[17] == 8 && p[17]; + assert p == p[28 := p]; // error +} + +var q : <a, b>[int][a]b; + +procedure Q() returns () modifies q; { + q[17] := q[17][true := 13]; + q[17] := q[17][true := false]; + q[16] := q[17][true := 14]; + + assert q[17][true] == 13 && !q[17][true]; + assert q[17][true] == 14; // error +} + +procedure R() returns () modifies p; { + p[7] := 28; + p[5] := p[7]; + + assert p[7] == 28; + assert p[6] == 28; // error }
\ No newline at end of file diff --git a/Test/test21/Maps0.bpl b/Test/test21/Maps0.bpl index 125730ef..f64bd336 100644 --- a/Test/test21/Maps0.bpl +++ b/Test/test21/Maps0.bpl @@ -1,62 +1,62 @@ -// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t"
-// RUN: %diff "%s.n.expect" "%t"
-// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t"
-// RUN: %diff "%s.p.expect" "%t"
-// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t"
-// RUN: %diff "%s.a.expect" "%t"
-
-
-const a : [int] bool;
-const b : [int, bool] int;
-
-function f<a>(a) returns (int);
-
-axiom (forall x : [int] bool :: f(x) == 7);
-axiom (forall y : [int, bool] int :: f(y) == 7);
-
-procedure P() returns () {
- var x : [int] bool;
-
- assert f(a) > 0;
- assert f(b) > 0;
-
- x := a;
- x[17] := false;
- x[16] := true;
-
- assert x[15] == a[15] && !x[17];
- assert f(x) == 7;
- assert f(x) == 8; // should not be provable
-}
-
-
-type Field a;
-
-const heap : <a>[ref, Field a] a;
-
-procedure Q() returns () {
- assert f(heap) > 0; // should not be provable
-}
-
-
-procedure R() returns () {
- var o : ref;
- var e : Field int, g : Field bool, h : Field (Field int), i : Field int;
- var heap2 : <a>[ref, Field a] a;
-
- heap2 := heap;
- heap2[o, e] := 17;
- assert heap2 == heap[o, e := 17];
-
- heap2[o, g] := true;
- assert heap2[o, e] == 17 && heap2[o, g];
-
- heap2[o, h] := e;
- assert heap2[o, heap2[o, h]] == 17;
-
- heap2[o, i] := 16;
- assert heap2[o, g];
- assert heap2[o, heap2[o, h]] == 17; // should no longer be provable
-}
-
-type ref;
+// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t" +// RUN: %diff "%s.n.expect" "%t" +// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t" +// RUN: %diff "%s.p.expect" "%t" +// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t" +// RUN: %diff "%s.a.expect" "%t" + + +const a : [int] bool; +const b : [int, bool] int; + +function f<a>(a) returns (int); + +axiom (forall x : [int] bool :: f(x) == 7); +axiom (forall y : [int, bool] int :: f(y) == 7); + +procedure P() returns () { + var x : [int] bool; + + assert f(a) > 0; + assert f(b) > 0; + + x := a; + x[17] := false; + x[16] := true; + + assert x[15] == a[15] && !x[17]; + assert f(x) == 7; + assert f(x) == 8; // should not be provable +} + + +type Field a; + +const heap : <a>[ref, Field a] a; + +procedure Q() returns () { + assert f(heap) > 0; // should not be provable +} + + +procedure R() returns () { + var o : ref; + var e : Field int, g : Field bool, h : Field (Field int), i : Field int; + var heap2 : <a>[ref, Field a] a; + + heap2 := heap; + heap2[o, e] := 17; + assert heap2 == heap[o, e := 17]; + + heap2[o, g] := true; + assert heap2[o, e] == 17 && heap2[o, g]; + + heap2[o, h] := e; + assert heap2[o, heap2[o, h]] == 17; + + heap2[o, i] := 16; + assert heap2[o, g]; + assert heap2[o, heap2[o, h]] == 17; // should no longer be provable +} + +type ref; diff --git a/Test/test21/Maps1.bpl b/Test/test21/Maps1.bpl index 024cd50f..bcb5a9b9 100644 --- a/Test/test21/Maps1.bpl +++ b/Test/test21/Maps1.bpl @@ -1,42 +1,42 @@ -// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t"
-// RUN: %diff "%s.n.expect" "%t"
-// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t"
-// RUN: %diff "%s.p.expect" "%t"
-// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t"
-// RUN: %diff "%s.a.expect" "%t"
-
-
-// different map type classes with the same arity
-
-const c : [int] bool;
-const d : [ref] bool;
-const e : <a> [a] bool;
-const f : <a> [a] a;
-
-axiom (c[17] ==> c[19]);
-axiom (forall<t> x:t :: e[x]);
-axiom (!d[null]);
-axiom (forall<t> x:t :: f[x] == x);
-
-procedure P() returns () {
-
- var x : <a> [a] bool;
-
- assume !c[19];
- assert !c[17];
-
- x := e;
- x[true] := false;
- x[17] := true;
-
- assert !x[true];
- assert !(forall<t> y:t :: x[y]);
- assert x != e;
-
- assert f[x] == x;
- assert f[17] > 17; // should not be provable
-
-}
-
-type ref;
-const null : ref;
+// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t" +// RUN: %diff "%s.n.expect" "%t" +// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t" +// RUN: %diff "%s.p.expect" "%t" +// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t" +// RUN: %diff "%s.a.expect" "%t" + + +// different map type classes with the same arity + +const c : [int] bool; +const d : [ref] bool; +const e : <a> [a] bool; +const f : <a> [a] a; + +axiom (c[17] ==> c[19]); +axiom (forall<t> x:t :: e[x]); +axiom (!d[null]); +axiom (forall<t> x:t :: f[x] == x); + +procedure P() returns () { + + var x : <a> [a] bool; + + assume !c[19]; + assert !c[17]; + + x := e; + x[true] := false; + x[17] := true; + + assert !x[true]; + assert !(forall<t> y:t :: x[y]); + assert x != e; + + assert f[x] == x; + assert f[17] > 17; // should not be provable + +} + +type ref; +const null : ref; diff --git a/Test/test21/Maps2.bpl b/Test/test21/Maps2.bpl index 0b7980c7..9713875f 100644 --- a/Test/test21/Maps2.bpl +++ b/Test/test21/Maps2.bpl @@ -1,31 +1,31 @@ -// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t"
-// RUN: %diff "%s.n.expect" "%t"
-// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t"
-// RUN: %diff "%s.p.expect" "%t"
-// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t"
-// RUN: %diff "%s.a.expect" "%t"
-// XFAIL: *
-
-type T;
-
-function f(x : [T][int]int) returns (int);
-
-axiom (forall x:[T][int]int :: {f(x)}
- (exists t:T :: x[t][13] == 42) ==> f(x) == 5);
-
-procedure P() returns () {
- var x : [T][int]int, t : T;
-
- x[t] := x[t][13 := 42];
-
- assert f(x) == 5;
-}
-
-
-type name;
-
-function Field(int) returns (name);
-function Unified([name][int]int) returns ([int]int);
-
-axiom(forall M:[name][int]int, x:int, y:int :: {Unified(M[Field(x) := M[Field(x)][x := y]])}
- Unified(M[Field(x) := M[Field(x)][x := y]]) == Unified(M)[x := y]);
+// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t" +// RUN: %diff "%s.n.expect" "%t" +// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t" +// RUN: %diff "%s.p.expect" "%t" +// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t" +// RUN: %diff "%s.a.expect" "%t" +// XFAIL: * + +type T; + +function f(x : [T][int]int) returns (int); + +axiom (forall x:[T][int]int :: {f(x)} + (exists t:T :: x[t][13] == 42) ==> f(x) == 5); + +procedure P() returns () { + var x : [T][int]int, t : T; + + x[t] := x[t][13 := 42]; + + assert f(x) == 5; +} + + +type name; + +function Field(int) returns (name); +function Unified([name][int]int) returns ([int]int); + +axiom(forall M:[name][int]int, x:int, y:int :: {Unified(M[Field(x) := M[Field(x)][x := y]])} + Unified(M[Field(x) := M[Field(x)][x := y]]) == Unified(M)[x := y]); diff --git a/Test/test21/NameClash.bpl b/Test/test21/NameClash.bpl index d31a6e01..59f361a8 100644 --- a/Test/test21/NameClash.bpl +++ b/Test/test21/NameClash.bpl @@ -1,14 +1,14 @@ -// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t"
-// RUN: %diff "%s.n.expect" "%t"
-// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t"
-// RUN: %diff "%s.p.expect" "%t"
-// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t"
-// RUN: %diff "%s.a.expect" "%t"
-
-
-function f(int) returns (int);
-axiom f(13) == 0;
-
-procedure P() returns () {
- assert (exists f:int :: 0 == f(f));
+// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t" +// RUN: %diff "%s.n.expect" "%t" +// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t" +// RUN: %diff "%s.p.expect" "%t" +// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t" +// RUN: %diff "%s.a.expect" "%t" + + +function f(int) returns (int); +axiom f(13) == 0; + +procedure P() returns () { + assert (exists f:int :: 0 == f(f)); }
\ No newline at end of file diff --git a/Test/test21/Orderings.bpl b/Test/test21/Orderings.bpl index 39361461..158f0e89 100644 --- a/Test/test21/Orderings.bpl +++ b/Test/test21/Orderings.bpl @@ -1,26 +1,26 @@ -// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t"
-// RUN: %diff "%s.n.expect" "%t"
-// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t"
-// RUN: %diff "%s.p.expect" "%t"
-// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t"
-// RUN: %diff "%s.a.expect" "%t"
-
-
-const a, b:int;
-const c:int extends a, b;
-
-procedure P() returns () {
- var x:int;
-
- assert c <: a;
-
- assume c <: x && x <: a;
- assert x == c || a == x;
-
- assert x == b; // should not be provable
-}
-
-procedure Q() returns () {
- assume b <: a;
- assert b == a;
+// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t" +// RUN: %diff "%s.n.expect" "%t" +// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t" +// RUN: %diff "%s.p.expect" "%t" +// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t" +// RUN: %diff "%s.a.expect" "%t" + + +const a, b:int; +const c:int extends a, b; + +procedure P() returns () { + var x:int; + + assert c <: a; + + assume c <: x && x <: a; + assert x == c || a == x; + + assert x == b; // should not be provable +} + +procedure Q() returns () { + assume b <: a; + assert b == a; }
\ No newline at end of file diff --git a/Test/test21/Orderings2.bpl b/Test/test21/Orderings2.bpl index 01d3be15..c475ca79 100644 --- a/Test/test21/Orderings2.bpl +++ b/Test/test21/Orderings2.bpl @@ -1,24 +1,24 @@ -// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t"
-// RUN: %diff "%s.n.expect" "%t"
-// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t"
-// RUN: %diff "%s.p.expect" "%t"
-// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t"
-// RUN: %diff "%s.a.expect" "%t"
-
-
-const b:int;
-const a:int extends b complete;
-
-const c:int extends a;
-const d:int extends a;
-
-procedure P() returns () {
- var x:int;
-
- assert c <: b && d <: a;
-
- assume x <: a && !(x <: c) && x != a;
- assert x <: d;
-
- assert b <: x; // should not be provable
+// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t" +// RUN: %diff "%s.n.expect" "%t" +// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t" +// RUN: %diff "%s.p.expect" "%t" +// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t" +// RUN: %diff "%s.a.expect" "%t" + + +const b:int; +const a:int extends b complete; + +const c:int extends a; +const d:int extends a; + +procedure P() returns () { + var x:int; + + assert c <: b && d <: a; + + assume x <: a && !(x <: c) && x != a; + assert x <: d; + + assert b <: x; // should not be provable }
\ No newline at end of file diff --git a/Test/test21/Orderings3.bpl b/Test/test21/Orderings3.bpl index 3036d8e6..82b619ac 100644 --- a/Test/test21/Orderings3.bpl +++ b/Test/test21/Orderings3.bpl @@ -1,44 +1,44 @@ -// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t"
-// RUN: %diff "%s.n.expect" "%t"
-// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t"
-// RUN: %diff "%s.p.expect" "%t"
-// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t"
-// RUN: %diff "%s.a.expect" "%t"
-// Example from the Boogie 2 language report
-
-
-type Wicket;
-
-
-const unique a: Wicket extends complete;
-const unique b: Wicket;
-const unique c: Wicket extends a, b complete;
-const unique d: Wicket extends c;
-const unique e: Wicket;
-
-procedure P() returns () {
-
- assert !(exists x:Wicket :: a <: x && a != x);
- assert (forall x:Wicket :: x <: a ==> x == a || x <: c);
-
- assert c <: b && !(exists x:Wicket :: c <: x && x <: b && x != c && x != b);
-
- assert !(b <: a) && !(b <: c);
-
- assert c <: a && c <: b && d <: c;
- assert (forall x:Wicket :: c <: x ==> c==x || a <: x || b <: x);
- assert (forall x:Wicket :: x <: c ==> c==x || x <: d);
-
- assert d <: c;
- assert !(a <: d) && !(b <: d) && !(c <: d);
-
- assert false; // unprovable
-}
-
-procedure Q() returns () {
-
- assert (forall x:Wicket :: x <: b && x != b ==> x <: c); // unprovable
-
- assert !(exists x:Wicket :: b <: x && b != x); // unprovable
-
+// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t" +// RUN: %diff "%s.n.expect" "%t" +// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t" +// RUN: %diff "%s.p.expect" "%t" +// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t" +// RUN: %diff "%s.a.expect" "%t" +// Example from the Boogie 2 language report + + +type Wicket; + + +const unique a: Wicket extends complete; +const unique b: Wicket; +const unique c: Wicket extends a, b complete; +const unique d: Wicket extends c; +const unique e: Wicket; + +procedure P() returns () { + + assert !(exists x:Wicket :: a <: x && a != x); + assert (forall x:Wicket :: x <: a ==> x == a || x <: c); + + assert c <: b && !(exists x:Wicket :: c <: x && x <: b && x != c && x != b); + + assert !(b <: a) && !(b <: c); + + assert c <: a && c <: b && d <: c; + assert (forall x:Wicket :: c <: x ==> c==x || a <: x || b <: x); + assert (forall x:Wicket :: x <: c ==> c==x || x <: d); + + assert d <: c; + assert !(a <: d) && !(b <: d) && !(c <: d); + + assert false; // unprovable +} + +procedure Q() returns () { + + assert (forall x:Wicket :: x <: b && x != b ==> x <: c); // unprovable + + assert !(exists x:Wicket :: b <: x && b != x); // unprovable + }
\ No newline at end of file diff --git a/Test/test21/Orderings4.bpl b/Test/test21/Orderings4.bpl index 00da92dc..9b4bbf0a 100644 --- a/Test/test21/Orderings4.bpl +++ b/Test/test21/Orderings4.bpl @@ -1,17 +1,17 @@ -// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t"
-// RUN: %diff "%s.n.expect" "%t"
-// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t"
-// RUN: %diff "%s.p.expect" "%t"
-// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t"
-// RUN: %diff "%s.a.expect" "%t"
-
-
-type Wicket;
-
-const unique r: Wicket;
-const unique s, t: Wicket extends unique r;
-
-procedure P() returns () {
- assert (forall x:Wicket, y:Wicket :: x <: s && y <: t ==> x != y);
- assert false; // unprovable
+// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t" +// RUN: %diff "%s.n.expect" "%t" +// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t" +// RUN: %diff "%s.p.expect" "%t" +// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t" +// RUN: %diff "%s.a.expect" "%t" + + +type Wicket; + +const unique r: Wicket; +const unique s, t: Wicket extends unique r; + +procedure P() returns () { + assert (forall x:Wicket, y:Wicket :: x <: s && y <: t ==> x != y); + assert false; // unprovable }
\ No newline at end of file diff --git a/Test/test21/ParallelAssignment.bpl b/Test/test21/ParallelAssignment.bpl index 6f7c7639..8ff3b1de 100644 --- a/Test/test21/ParallelAssignment.bpl +++ b/Test/test21/ParallelAssignment.bpl @@ -1,62 +1,62 @@ -// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t"
-// RUN: %diff "%s.n.expect" "%t"
-// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t"
-// RUN: %diff "%s.p.expect" "%t"
-// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t"
-// RUN: %diff "%s.a.expect" "%t"
-// Examples from the Boogie2 language report
-
-type C, D;
-
-var x : int;
-var y : int;
-var z : int;
-var a : [int]int;
-var b : [int][C, D]int;
-
-procedure P(i:int, j:int, m:C, n:D) returns () modifies x, y, a, b; {
- var x1 : int;
- var y1 : int;
-
- x := x+1;
- a[i] := 12;
-
- assert a[i] == 12;
-
- x1 := x;
- y1 := y;
-
- x, y := y, x;
-
- assert x == y1 && y == x1;
- assert x == x1; // error
-
- x, a[i] := x+1, x;
- assert x == y1+1 && a[i] == y1;
-
- b[i][m, n] := 17;
- b[i][m, n], x := a[x], y;
-
- assert b[i][m, n] == a[y1+1];
- assert false; // error
-}
-
-procedure Q() returns () modifies x, y, z; {
-
- x, y, z := 1, 2, 3;
-
- x, y, z := y, z, x;
- x, y, z := y, z, x;
- x, y, z := y, z, x;
-
- assert x == 1 && y == 2 && z == 3;
-
- x, y, z := y+1, z+1, x+1;
- x, y, z := y+1, z+1, x+1;
- x, y, z := y+1, z+1, x+1;
-
- assert x == 4 && y == 5 && z == 6;
-
- assert a[x] == a[y]; // error
-
+// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t" +// RUN: %diff "%s.n.expect" "%t" +// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t" +// RUN: %diff "%s.p.expect" "%t" +// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t" +// RUN: %diff "%s.a.expect" "%t" +// Examples from the Boogie2 language report + +type C, D; + +var x : int; +var y : int; +var z : int; +var a : [int]int; +var b : [int][C, D]int; + +procedure P(i:int, j:int, m:C, n:D) returns () modifies x, y, a, b; { + var x1 : int; + var y1 : int; + + x := x+1; + a[i] := 12; + + assert a[i] == 12; + + x1 := x; + y1 := y; + + x, y := y, x; + + assert x == y1 && y == x1; + assert x == x1; // error + + x, a[i] := x+1, x; + assert x == y1+1 && a[i] == y1; + + b[i][m, n] := 17; + b[i][m, n], x := a[x], y; + + assert b[i][m, n] == a[y1+1]; + assert false; // error +} + +procedure Q() returns () modifies x, y, z; { + + x, y, z := 1, 2, 3; + + x, y, z := y, z, x; + x, y, z := y, z, x; + x, y, z := y, z, x; + + assert x == 1 && y == 2 && z == 3; + + x, y, z := y+1, z+1, x+1; + x, y, z := y+1, z+1, x+1; + x, y, z := y+1, z+1, x+1; + + assert x == 4 && y == 5 && z == 6; + + assert a[x] == a[y]; // error + }
\ No newline at end of file diff --git a/Test/test21/PolyList.bpl b/Test/test21/PolyList.bpl index 08fcd637..f7ff40d6 100644 --- a/Test/test21/PolyList.bpl +++ b/Test/test21/PolyList.bpl @@ -1,68 +1,68 @@ -// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t"
-// RUN: %diff "%s.n.expect" "%t"
-// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t"
-// RUN: %diff "%s.p.expect" "%t"
-// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t"
-// RUN: %diff "%s.a.expect" "%t"
-
-
-
-type List a;
-
-function Cons<a>(x:a, y:List a) returns (List a);
-
-// we need some argument ... ugly
-function Nil<a>(a) returns (List a);
-
-function Car<a>(List a) returns (a);
-function Cdr<a>(List a) returns (List a);
-
-axiom (forall<a> x:a, y:List a :: Car(Cons(x, y)) == x);
-axiom (forall<a> x:a, y:List a :: Cdr(Cons(x, y)) == y);
-
-function Len<a>(List a) returns (int);
-
-axiom (forall <a> x:a :: Len(Nil(x)) == 0);
-axiom (forall <a> x:a, y:List a :: Len(Cons(x, y)) == 1 + Len(y));
-
-
-
-procedure P<a>(param : a) returns () {
- var x:a, NIL : List a, l : List a;
-
- NIL := Nil(x);
-
- assert Len(NIL) == 0;
- assert Len(Cons(x,Cons(x,NIL))) == 2;
-
- l := Cons(x,Cons(x,NIL));
- assert Len(l) == 2;
-
- l := Cons(x, l);
- assert Len(l) == 3 && Car(l) == x && Len(Cdr(l)) < Len(l);
- assert (forall m : List a, y : a :: Len(Cons(y, m)) > Len(m));
-
- l := Cdr(l);
- assert Len(l) == 2 && Car(l) == x;
-
- assert Len(Cons(x,Cons(x,Cons(x,NIL)))) == 2; // should not be provable
-
-}
-
-procedure Q() returns () {
- var NIL : List int, l : List int;
-
- NIL := Nil(0);
-
- assert Len(NIL) == 0;
- assert Len(Cons(1,Cons(2,NIL))) == 2;
-
- l := NIL;
- l := Cons(42, l);
- l := Cons(Car(l) + 17, Cdr(l));
-
- assert Len(l) == 1 && Car(l) == 59;
-
- assert Len(Cons(1,Cons(2,Cons(3,NIL)))) == 2; // should not be provable
-
+// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t" +// RUN: %diff "%s.n.expect" "%t" +// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t" +// RUN: %diff "%s.p.expect" "%t" +// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t" +// RUN: %diff "%s.a.expect" "%t" + + + +type List a; + +function Cons<a>(x:a, y:List a) returns (List a); + +// we need some argument ... ugly +function Nil<a>(a) returns (List a); + +function Car<a>(List a) returns (a); +function Cdr<a>(List a) returns (List a); + +axiom (forall<a> x:a, y:List a :: Car(Cons(x, y)) == x); +axiom (forall<a> x:a, y:List a :: Cdr(Cons(x, y)) == y); + +function Len<a>(List a) returns (int); + +axiom (forall <a> x:a :: Len(Nil(x)) == 0); +axiom (forall <a> x:a, y:List a :: Len(Cons(x, y)) == 1 + Len(y)); + + + +procedure P<a>(param : a) returns () { + var x:a, NIL : List a, l : List a; + + NIL := Nil(x); + + assert Len(NIL) == 0; + assert Len(Cons(x,Cons(x,NIL))) == 2; + + l := Cons(x,Cons(x,NIL)); + assert Len(l) == 2; + + l := Cons(x, l); + assert Len(l) == 3 && Car(l) == x && Len(Cdr(l)) < Len(l); + assert (forall m : List a, y : a :: Len(Cons(y, m)) > Len(m)); + + l := Cdr(l); + assert Len(l) == 2 && Car(l) == x; + + assert Len(Cons(x,Cons(x,Cons(x,NIL)))) == 2; // should not be provable + +} + +procedure Q() returns () { + var NIL : List int, l : List int; + + NIL := Nil(0); + + assert Len(NIL) == 0; + assert Len(Cons(1,Cons(2,NIL))) == 2; + + l := NIL; + l := Cons(42, l); + l := Cons(Car(l) + 17, Cdr(l)); + + assert Len(l) == 1 && Car(l) == 59; + + assert Len(Cons(1,Cons(2,Cons(3,NIL)))) == 2; // should not be provable + }
\ No newline at end of file diff --git a/Test/test21/Real.bpl b/Test/test21/Real.bpl index eb140f77..584fb77b 100644 --- a/Test/test21/Real.bpl +++ b/Test/test21/Real.bpl @@ -1,66 +1,66 @@ -// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t"
-// RUN: %diff "%s.n.expect" "%t"
-// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t"
-// RUN: %diff "%s.p.expect" "%t"
-// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t"
-// RUN: %diff "%s.a.expect" "%t"
-axiom (forall r: real :: r == 0.0 || r / r == 1.0);
-
-procedure P(a: real, b: real) returns () {
- assume a >= b && a != 0.0 && a >= 1.3579;
-
- assert 2e0 * (a + 3.0) - 0.5 >= b;
- assert 2e0 * (a + 3.0) - 0.5 > b;
- assert b <= 2e0 * (a + 3.0) - 0.5;
- assert b < 2e0 * (a + 3.0) - 0.5;
-
- assert 1/2 <= 0.65;
- assert a > 100e-2 ==> 1 / a <= a;
- assert a / 2 != a || a == 0.00;
- assert a != 0.0 ==> a / a == 1.0;
-
- assert int(a) >= 0 ==> real(3) * a > a;
-}
-
-procedure ManyDigitReals()
-{
- var x: real;
- var y: real;
- x := 15e-1;
- y := real(3);
- if (*) {
- assert x == y / 2000000000000000000000000001e-27; // error
- } else {
- assert x == y / 2000000000000000000000000000e-27;
- }
-}
-
-procedure Rounding()
-{
- assert real(3) == 3.0;
- assert int(2.2) == int(2.8);
- assert int(2.2) == 2;
- assert int(-2.2) == int(-2.8);
- if (*) {
- assert int(-2.2) == -3;
- } else {
- assert int(-2.2) == -2; // error: int truncates downward
- }
-}
-
-procedure VariousCornerCaseBigDecPrintingTests()
-{
- assert 200e-2 == 2.0;
- assert 000e-2 == 0.0;
- assert 000e-1 == 0.0;
- assert 000e-4 == 0.0;
- assert 000e0 == 0.0;
- assert 0e-300 == 0.0;
- assert 12300e-4 == 1.230;
- assert 12300e-5 == 0.123;
- assert 12300e-8 == 000.000123;
- assert 1.9850404e5 == 198504.04;
- assert 19850404e-4 == 1985.0404;
- assert 19850404e-12 == 0.00001985040400000;
- assert 19850404e0000000000000000 == 1985.0404e4;
-}
+// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t" +// RUN: %diff "%s.n.expect" "%t" +// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t" +// RUN: %diff "%s.p.expect" "%t" +// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t" +// RUN: %diff "%s.a.expect" "%t" +axiom (forall r: real :: r == 0.0 || r / r == 1.0); + +procedure P(a: real, b: real) returns () { + assume a >= b && a != 0.0 && a >= 1.3579; + + assert 2e0 * (a + 3.0) - 0.5 >= b; + assert 2e0 * (a + 3.0) - 0.5 > b; + assert b <= 2e0 * (a + 3.0) - 0.5; + assert b < 2e0 * (a + 3.0) - 0.5; + + assert 1/2 <= 0.65; + assert a > 100e-2 ==> 1 / a <= a; + assert a / 2 != a || a == 0.00; + assert a != 0.0 ==> a / a == 1.0; + + assert int(a) >= 0 ==> real(3) * a > a; +} + +procedure ManyDigitReals() +{ + var x: real; + var y: real; + x := 15e-1; + y := real(3); + if (*) { + assert x == y / 2000000000000000000000000001e-27; // error + } else { + assert x == y / 2000000000000000000000000000e-27; + } +} + +procedure Rounding() +{ + assert real(3) == 3.0; + assert int(2.2) == int(2.8); + assert int(2.2) == 2; + assert int(-2.2) == int(-2.8); + if (*) { + assert int(-2.2) == -3; + } else { + assert int(-2.2) == -2; // error: int truncates downward + } +} + +procedure VariousCornerCaseBigDecPrintingTests() +{ + assert 200e-2 == 2.0; + assert 000e-2 == 0.0; + assert 000e-1 == 0.0; + assert 000e-4 == 0.0; + assert 000e0 == 0.0; + assert 0e-300 == 0.0; + assert 12300e-4 == 1.230; + assert 12300e-5 == 0.123; + assert 12300e-8 == 000.000123; + assert 1.9850404e5 == 198504.04; + assert 19850404e-4 == 1985.0404; + assert 19850404e-12 == 0.00001985040400000; + assert 19850404e0000000000000000 == 1985.0404e4; +} diff --git a/Test/test21/Triggers0.bpl b/Test/test21/Triggers0.bpl index c3ff14d5..c4b610f2 100644 --- a/Test/test21/Triggers0.bpl +++ b/Test/test21/Triggers0.bpl @@ -1,50 +1,50 @@ -// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t"
-// RUN: %diff "%s.n.expect" "%t"
-// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t"
-// RUN: %diff "%s.p.expect" "%t"
-// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t"
-// RUN: %diff "%s.a.expect" "%t"
-
-
-const ar : [int]bool;
-axiom (forall x:int :: {ar[x]} !ar[x]);
-
-type S, T, C a b;
-
-function m(T,S) returns (bool);
-function n(T,T) returns (bool);
-function f<a>(C a T, a) returns (int);
-function f2<a>(C a T, a) returns (int);
-function g(T) returns (T);
-function h<a>(a) returns (a);
-function k<a>(C a a) returns (bool);
-function l<a>(a) returns (bool);
-function o<a>(a) returns (bool);
-
-const con : T;
-const someConst : int;
-
-axiom (forall <b> x:C b b :: k(x));
-axiom (forall x:C S T, y : S :: f(x,y) == f2(x,y));
-axiom (forall x:S, y:T :: l(x) && n(y, con) == m(y,x));
-axiom (forall x:T :: {g(h(x))} {g(x)} x == x);
-axiom (forall <b> x:b :: {h(x)} x == x);
-axiom (forall <b> x:b, y:b :: {o(x), o(y)} o(x) ==> someConst == 42);
-axiom (forall <b> x:C b b :: {k(x)} k(x));
-
-procedure P() returns () {
- var v0 : C S S, v1 : C S T, v2 : S, v3 : T;
-
- assert ar[27] == false;
- assert k(v0);
- assert f(v1, v2) == f2(v1, v2);
- assert n(v3, con) == m(v3, v2);
-}
-
-procedure Q<a>(x : a) returns () {
- assert someConst == 42; // should not be provable
-
- assume o(x) == o(x);
- assert someConst == 42;
- assert someConst == 43; // should not be provable
+// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t" +// RUN: %diff "%s.n.expect" "%t" +// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t" +// RUN: %diff "%s.p.expect" "%t" +// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t" +// RUN: %diff "%s.a.expect" "%t" + + +const ar : [int]bool; +axiom (forall x:int :: {ar[x]} !ar[x]); + +type S, T, C a b; + +function m(T,S) returns (bool); +function n(T,T) returns (bool); +function f<a>(C a T, a) returns (int); +function f2<a>(C a T, a) returns (int); +function g(T) returns (T); +function h<a>(a) returns (a); +function k<a>(C a a) returns (bool); +function l<a>(a) returns (bool); +function o<a>(a) returns (bool); + +const con : T; +const someConst : int; + +axiom (forall <b> x:C b b :: k(x)); +axiom (forall x:C S T, y : S :: f(x,y) == f2(x,y)); +axiom (forall x:S, y:T :: l(x) && n(y, con) == m(y,x)); +axiom (forall x:T :: {g(h(x))} {g(x)} x == x); +axiom (forall <b> x:b :: {h(x)} x == x); +axiom (forall <b> x:b, y:b :: {o(x), o(y)} o(x) ==> someConst == 42); +axiom (forall <b> x:C b b :: {k(x)} k(x)); + +procedure P() returns () { + var v0 : C S S, v1 : C S T, v2 : S, v3 : T; + + assert ar[27] == false; + assert k(v0); + assert f(v1, v2) == f2(v1, v2); + assert n(v3, con) == m(v3, v2); +} + +procedure Q<a>(x : a) returns () { + assert someConst == 42; // should not be provable + + assume o(x) == o(x); + assert someConst == 42; + assert someConst == 43; // should not be provable }
\ No newline at end of file diff --git a/Test/test21/Triggers1.bpl b/Test/test21/Triggers1.bpl index a4199040..3d8c95af 100644 --- a/Test/test21/Triggers1.bpl +++ b/Test/test21/Triggers1.bpl @@ -1,23 +1,23 @@ -// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t"
-// RUN: %diff "%s.n.expect" "%t"
-// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t"
-// RUN: %diff "%s.p.expect" "%t"
-// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t"
-// RUN: %diff "%s.a.expect" "%t"
-
-
-
-function f<a>(a) returns (bool);
-function g(int) returns (bool);
-
-axiom (forall x:int :: f(x));
-axiom (forall x:int :: g(x));
-
-procedure P() returns () {
- var x : int, m : [int]int;
- assert f(x);
- assert f(m[x]);
- assert g(x);
- assert g(m[x]);
- assert f(true); // should not be provable
+// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t" +// RUN: %diff "%s.n.expect" "%t" +// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t" +// RUN: %diff "%s.p.expect" "%t" +// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t" +// RUN: %diff "%s.a.expect" "%t" + + + +function f<a>(a) returns (bool); +function g(int) returns (bool); + +axiom (forall x:int :: f(x)); +axiom (forall x:int :: g(x)); + +procedure P() returns () { + var x : int, m : [int]int; + assert f(x); + assert f(m[x]); + assert g(x); + assert g(m[x]); + assert f(true); // should not be provable }
\ No newline at end of file diff --git a/Test/test21/test3_AddMethod_conv.bpl b/Test/test21/test3_AddMethod_conv.bpl index 89c34c45..beb848f0 100644 --- a/Test/test21/test3_AddMethod_conv.bpl +++ b/Test/test21/test3_AddMethod_conv.bpl @@ -1,1827 +1,1827 @@ -// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t"
-// RUN: %diff "%s.n.expect" "%t"
-// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t"
-// RUN: %diff "%s.p.expect" "%t"
-// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t"
-// RUN: %diff "%s.a.expect" "%t"
-// XFAIL: *
-// Spec# program verifier version 0.90, Copyright (c) 2003-2008, Microsoft.
-// Command Line Options: /print:debug.txt AddMethod.dll
-
-type real;
-
-type elements;
-
-type struct;
-
-type name;
-type any;
-
-type exposeVersionType;
-
-type Field a;
-type Heap = <x>[ref,Field x]x;
-
-var $Heap: Heap where IsHeap($Heap);
-
-type ActivityType;
-
-var $ActivityIndicator: ActivityType;
-
-function IsHeap(h: Heap) returns (bool);
-
-const unique $allocated: Field bool;
-
-const unique $elements: Field elements;
-
-function DeclType222<a>(Field a) returns (name);
-
-axiom DeclType222($elements) == System.Object;
-
-const unique $inv: Field name;
-
-const unique $localinv: Field name;
-
-const unique $exposeVersion: Field exposeVersionType;
-
-axiom DeclType222($exposeVersion) == System.Object;
-
-const unique $sharingMode: Field any;
-
-const unique $SharingMode_Unshared: any;
-
-const unique $SharingMode_LockProtected: any;
-
-const unique $ownerRef: Field ref;
-
-const unique $ownerFrame: Field name;
-
-const unique $PeerGroupPlaceholder: name;
-
-function ClassRepr(class: name) returns (ref);
-
-function ClassReprInv(ref) returns (name);
-
-axiom (forall c: name :: { ClassRepr(c) } ClassReprInv(ClassRepr(c)) == c);
-
-axiom (forall T: name :: !($typeof(ClassRepr(T)) <: System.Object));
-
-axiom (forall T: name :: ClassRepr(T) != null);
-
-axiom (forall T: name, h: Heap :: { h[ClassRepr(T), $ownerFrame] } IsHeap(h) ==> h[ClassRepr(T), $ownerFrame] == $PeerGroupPlaceholder);
-
-function IncludeInMainFrameCondition<a>(f: Field a) returns (bool);
-
-axiom IncludeInMainFrameCondition($allocated);
-
-axiom IncludeInMainFrameCondition($elements);
-
-axiom !IncludeInMainFrameCondition($inv);
-
-axiom !IncludeInMainFrameCondition($localinv);
-
-axiom IncludeInMainFrameCondition($ownerRef);
-
-axiom IncludeInMainFrameCondition($ownerFrame);
-
-axiom IncludeInMainFrameCondition($exposeVersion);
-
-axiom !IncludeInMainFrameCondition($FirstConsistentOwner);
-
-function IsStaticField<a>(f: Field a) returns (bool);
-
-axiom !IsStaticField($allocated);
-
-axiom !IsStaticField($elements);
-
-axiom !IsStaticField($inv);
-
-axiom !IsStaticField($localinv);
-
-axiom !IsStaticField($exposeVersion);
-
-function $IncludedInModifiesStar<a>(f: Field a) returns (bool);
-
-axiom !$IncludedInModifiesStar($ownerRef);
-
-axiom !$IncludedInModifiesStar($ownerFrame);
-
-axiom $IncludedInModifiesStar($exposeVersion);
-
-axiom $IncludedInModifiesStar($elements);
-
-function ValueArrayGet(elements, int) returns (any);
-
-function ValueArraySet(elements, int, any) returns (elements);
-
-function IntArrayGet(elements, int) returns (int);
-
-function IntArraySet(elements, int, int) returns (elements);
-
-function RefArrayGet(elements, int) returns (ref);
-
-function RefArraySet(elements, int, ref) returns (elements);
-
-axiom (forall A: elements, i: int, x: any :: ValueArrayGet(ValueArraySet(A, i, x), i) == x);
-
-axiom (forall A: elements, i: int, j: int, x: any :: i != j ==> ValueArrayGet(ValueArraySet(A, i, x), j) == ValueArrayGet(A, j));
-
-axiom (forall A: elements, i: int, x: int :: IntArrayGet(IntArraySet(A, i, x), i) == x);
-
-axiom (forall A: elements, i: int, j: int, x: int :: i != j ==> IntArrayGet(IntArraySet(A, i, x), j) == IntArrayGet(A, j));
-
-axiom (forall A: elements, i: int, x: ref :: RefArrayGet(RefArraySet(A, i, x), i) == x);
-
-axiom (forall A: elements, i: int, j: int, x: ref :: i != j ==> RefArrayGet(RefArraySet(A, i, x), j) == RefArrayGet(A, j));
-
-function ArrayIndex(arr: ref, dim: int, indexAtDim: int, remainingIndexContribution: int) returns (int);
-
-function ArrayIndexInvX(arrayIndex: int) returns (indexAtDim: int);
-
-function ArrayIndexInvY(arrayIndex: int) returns (remainingIndexContribution: int);
-
-axiom (forall a: ref, d: int, x: int, y: int :: { ArrayIndex(a, d, x, y) } ArrayIndexInvX(ArrayIndex(a, d, x, y)) == x);
-
-axiom (forall a: ref, d: int, x: int, y: int :: { ArrayIndex(a, d, x, y) } ArrayIndexInvY(ArrayIndex(a, d, x, y)) == y);
-
-axiom (forall a: ref, i: int, heap: Heap :: { IntArrayGet(heap[a, $elements], i) } IsHeap(heap) ==> InRange(IntArrayGet(heap[a, $elements], i), $ElementType($typeof(a))));
-
-axiom (forall a: ref, i: int, heap: Heap :: { $typeof(RefArrayGet(heap[a, $elements], i)) } IsHeap(heap) && RefArrayGet(heap[a, $elements], i) != null ==> $typeof(RefArrayGet(heap[a, $elements], i)) <: $ElementType($typeof(a)));
-
-axiom (forall a: ref, T: name, i: int, r: int, heap: Heap :: { $typeof(a) <: NonNullRefArray(T, r), RefArrayGet(heap[a, $elements], i) } IsHeap(heap) && $typeof(a) <: NonNullRefArray(T, r) ==> RefArrayGet(heap[a, $elements], i) != null);
-
-function $Rank(ref) returns (int);
-
-axiom (forall a: ref :: 1 <= $Rank(a));
-
-axiom (forall a: ref, T: name, r: int :: { $typeof(a) <: RefArray(T, r) } a != null && $typeof(a) <: RefArray(T, r) ==> $Rank(a) == r);
-
-axiom (forall a: ref, T: name, r: int :: { $typeof(a) <: NonNullRefArray(T, r) } a != null && $typeof(a) <: NonNullRefArray(T, r) ==> $Rank(a) == r);
-
-axiom (forall a: ref, T: name, r: int :: { $typeof(a) <: ValueArray(T, r) } a != null && $typeof(a) <: ValueArray(T, r) ==> $Rank(a) == r);
-
-axiom (forall a: ref, T: name, r: int :: { $typeof(a) <: IntArray(T, r) } a != null && $typeof(a) <: IntArray(T, r) ==> $Rank(a) == r);
-
-function $Length(ref) returns (int);
-
-axiom (forall a: ref :: { $Length(a) } 0 <= $Length(a) && $Length(a) <= int#2147483647);
-
-function $DimLength(ref, int) returns (int);
-
-axiom (forall a: ref, i: int :: 0 <= $DimLength(a, i));
-
-axiom (forall a: ref :: { $DimLength(a, 0) } $Rank(a) == 1 ==> $DimLength(a, 0) == $Length(a));
-
-function $LBound(ref, int) returns (int);
-
-function $UBound(ref, int) returns (int);
-
-axiom (forall a: ref, i: int :: { $LBound(a, i) } $LBound(a, i) == 0);
-
-axiom (forall a: ref, i: int :: { $UBound(a, i) } $UBound(a, i) == $DimLength(a, i) - 1);
-
-const unique $ArrayCategoryValue: name;
-
-const unique $ArrayCategoryInt: name;
-
-const unique $ArrayCategoryRef: name;
-
-const unique $ArrayCategoryNonNullRef: name;
-
-function $ArrayCategory(arrayType: name) returns (arrayCategory: name);
-
-axiom (forall T: name, ET: name, r: int :: { T <: ValueArray(ET, r) } T <: ValueArray(ET, r) ==> $ArrayCategory(T) == $ArrayCategoryValue);
-
-axiom (forall T: name, ET: name, r: int :: { T <: IntArray(ET, r) } T <: IntArray(ET, r) ==> $ArrayCategory(T) == $ArrayCategoryInt);
-
-axiom (forall T: name, ET: name, r: int :: { T <: RefArray(ET, r) } T <: RefArray(ET, r) ==> $ArrayCategory(T) == $ArrayCategoryRef);
-
-axiom (forall T: name, ET: name, r: int :: { T <: NonNullRefArray(ET, r) } T <: NonNullRefArray(ET, r) ==> $ArrayCategory(T) == $ArrayCategoryNonNullRef);
-
-const unique System.Array: name;
-
-axiom System.Array <: System.Object;
-
-function $ElementType(name) returns (name);
-
-function ValueArray(elementType: name, rank: int) returns (name);
-
-axiom (forall T: name, r: int :: { ValueArray(T, r) } ValueArray(T, r) <: ValueArray(T, r) && ValueArray(T, r) <: System.Array);
-
-function IntArray(elementType: name, rank: int) returns (name);
-
-axiom (forall T: name, r: int :: { IntArray(T, r) } IntArray(T, r) <: IntArray(T, r) && IntArray(T, r) <: System.Array);
-
-function RefArray(elementType: name, rank: int) returns (name);
-
-axiom (forall T: name, r: int :: { RefArray(T, r) } RefArray(T, r) <: RefArray(T, r) && RefArray(T, r) <: System.Array);
-
-function NonNullRefArray(elementType: name, rank: int) returns (name);
-
-axiom (forall T: name, r: int :: { NonNullRefArray(T, r) } NonNullRefArray(T, r) <: NonNullRefArray(T, r) && NonNullRefArray(T, r) <: System.Array);
-
-function NonNullRefArrayRaw(array: ref, elementType: name, rank: int) returns (bool);
-
-axiom (forall array: ref, elementType: name, rank: int :: { NonNullRefArrayRaw(array, elementType, rank) } NonNullRefArrayRaw(array, elementType, rank) ==> $typeof(array) <: System.Array && $Rank(array) == rank && elementType <: $ElementType($typeof(array)));
-
-axiom (forall T: name, U: name, r: int :: U <: T ==> RefArray(U, r) <: RefArray(T, r));
-
-axiom (forall T: name, U: name, r: int :: U <: T ==> NonNullRefArray(U, r) <: NonNullRefArray(T, r));
-
-axiom (forall A: name, r: int :: $ElementType(ValueArray(A, r)) == A);
-
-axiom (forall A: name, r: int :: $ElementType(IntArray(A, r)) == A);
-
-axiom (forall A: name, r: int :: $ElementType(RefArray(A, r)) == A);
-
-axiom (forall A: name, r: int :: $ElementType(NonNullRefArray(A, r)) == A);
-
-axiom (forall A: name, r: int, T: name :: { T <: RefArray(A, r) } T <: RefArray(A, r) ==> T != A && T == RefArray($ElementType(T), r) && $ElementType(T) <: A);
-
-axiom (forall A: name, r: int, T: name :: { T <: NonNullRefArray(A, r) } T <: NonNullRefArray(A, r) ==> T != A && T == NonNullRefArray($ElementType(T), r) && $ElementType(T) <: A);
-
-axiom (forall A: name, r: int, T: name :: { T <: ValueArray(A, r) } T <: ValueArray(A, r) ==> T == ValueArray(A, r));
-
-axiom (forall A: name, r: int, T: name :: { T <: IntArray(A, r) } T <: IntArray(A, r) ==> T == IntArray(A, r));
-
-axiom (forall A: name, r: int, T: name :: { RefArray(A, r) <: T } RefArray(A, r) <: T ==> System.Array <: T || (T == RefArray($ElementType(T), r) && A <: $ElementType(T)));
-
-axiom (forall A: name, r: int, T: name :: { NonNullRefArray(A, r) <: T } NonNullRefArray(A, r) <: T ==> System.Array <: T || (T == NonNullRefArray($ElementType(T), r) && A <: $ElementType(T)));
-
-axiom (forall A: name, r: int, T: name :: { ValueArray(A, r) <: T } ValueArray(A, r) <: T ==> System.Array <: T || T == ValueArray(A, r));
-
-axiom (forall A: name, r: int, T: name :: { IntArray(A, r) <: T } IntArray(A, r) <: T ==> System.Array <: T || T == IntArray(A, r));
-
-function $ArrayPtr(elementType: name) returns (name);
-
-function $ElementProxy(ref, int) returns (ref);
-
-function $ElementProxyStruct(struct, int) returns (ref);
-
-axiom (forall a: ref, i: int, heap: Heap :: { heap[RefArrayGet(heap[a, $elements], i), $ownerRef] } { heap[RefArrayGet(heap[a, $elements], i), $ownerFrame] } IsHeap(heap) && $typeof(a) <: System.Array ==> RefArrayGet(heap[a, $elements], i) == null || $IsImmutable($typeof(RefArrayGet(heap[a, $elements], i))) || (heap[RefArrayGet(heap[a, $elements], i), $ownerRef] == heap[$ElementProxy(a, 0 - 1), $ownerRef] && heap[RefArrayGet(heap[a, $elements], i), $ownerFrame] == heap[$ElementProxy(a, 0 - 1), $ownerFrame]));
-
-axiom (forall a: ref, heap: Heap :: { IsAllocated(heap, a) } IsHeap(heap) && IsAllocated(heap, a) && $typeof(a) <: System.Array ==> IsAllocated(heap, $ElementProxy(a, 0 - 1)));
-
-axiom (forall o: ref, pos: int :: { $typeof($ElementProxy(o, pos)) } $typeof($ElementProxy(o, pos)) == System.Object);
-
-axiom (forall o: struct, pos: int :: { $typeof($ElementProxyStruct(o, pos)) } $typeof($ElementProxyStruct(o, pos)) == System.Object);
-
-function $StructGet(struct, name) returns (any);
-
-function $StructSet(struct, name, any) returns (struct);
-
-axiom (forall s: struct, f: name, x: any :: $StructGet($StructSet(s, f, x), f) == x);
-
-axiom (forall s: struct, f: name, f': name, x: any :: f != f' ==> $StructGet($StructSet(s, f, x), f') == $StructGet(s, f'));
-
-function ZeroInit(s: struct, typ: name) returns (bool);
-
-function $typeof(ref) returns (name);
-
-function $BaseClass(sub: name) returns (base: name);
-
-axiom (forall T: name :: { $BaseClass(T) } T <: $BaseClass(T) && (T != System.Object ==> T != $BaseClass(T)));
-
-function AsDirectSubClass(sub: name, base: name) returns (sub': name);
-
-function OneClassDown(sub: name, base: name) returns (directSub: name);
-
-axiom (forall A: name, B: name, C: name :: { C <: AsDirectSubClass(B, A) } C <: AsDirectSubClass(B, A) ==> OneClassDown(C, A) == B);
-
-function $IsValueType(name) returns (bool);
-
-axiom (forall T: name :: $IsValueType(T) ==> (forall U: name :: T <: U ==> T == U) && (forall U: name :: U <: T ==> T == U));
-
-const unique System.Boolean: name;
-
-axiom $IsValueType(System.Boolean);
-
-const unique System.Object: name;
-
-function $IsTokenForType(struct, name) returns (bool);
-
-function TypeObject(name) returns (ref);
-
-const unique System.Type: name;
-
-axiom System.Type <: System.Object;
-
-axiom (forall T: name :: { TypeObject(T) } $IsNotNull(TypeObject(T), System.Type));
-
-function TypeName(ref) returns (name);
-
-axiom (forall T: name :: { TypeObject(T) } TypeName(TypeObject(T)) == T);
-
-function $Is(ref, name) returns (bool);
-
-axiom (forall o: ref, T: name :: { $Is(o, T) } $Is(o, T) <==> o == null || $typeof(o) <: T);
-
-function $IsNotNull(ref, name) returns (bool);
-
-axiom (forall o: ref, T: name :: { $IsNotNull(o, T) } $IsNotNull(o, T) <==> o != null && $Is(o, T));
-
-function $As(ref, name) returns (ref);
-
-axiom (forall o: ref, T: name :: $Is(o, T) ==> $As(o, T) == o);
-
-axiom (forall o: ref, T: name :: !$Is(o, T) ==> $As(o, T) == null);
-
-axiom (forall h: Heap, o: ref :: { $typeof(o) <: System.Array, h[o, $inv] } IsHeap(h) && o != null && $typeof(o) <: System.Array ==> h[o, $inv] == $typeof(o) && h[o, $localinv] == $typeof(o));
-
-function IsAllocated<a>(h: Heap, o: a) returns (bool);
-
-axiom (forall<a> h: Heap, o: ref, f: Field a :: { IsAllocated(h, h[o, f]) } IsHeap(h) && h[o, $allocated] ==> IsAllocated(h, h[o, f]));
-
-axiom (forall h: Heap, o: ref, f: Field ref :: { h[h[o, f], $allocated] } IsHeap(h) && h[o, $allocated] ==> h[h[o, f], $allocated]);
-
-axiom (forall h: Heap, s: struct, f: name :: { IsAllocated(h, $StructGet(s, f)) } IsAllocated(h, s) ==> IsAllocated(h, $StructGet(s, f)));
-
-axiom (forall h: Heap, e: elements, i: int :: { IsAllocated(h, RefArrayGet(e, i)) } IsAllocated(h, e) ==> IsAllocated(h, RefArrayGet(e, i)));
-
-axiom (forall h: Heap, e: elements, i: int :: { IsAllocated(h, ValueArrayGet(e, i)) } IsAllocated(h, e) ==> IsAllocated(h, ValueArrayGet(e, i)));
-
-axiom (forall h: Heap, o: ref :: { h[o, $allocated] } IsAllocated(h, o) ==> h[o, $allocated]);
-
-axiom (forall h: Heap, c: name :: { h[ClassRepr(c), $allocated] } IsHeap(h) ==> h[ClassRepr(c), $allocated]);
-
-const $BeingConstructed: ref;
-
-const unique $NonNullFieldsAreInitialized: Field bool;
-
-const $PurityAxiomsCanBeAssumed: bool;
-
-axiom DeclType222($NonNullFieldsAreInitialized) == System.Object;
-
-
-
-function AsNonNullRefField(field: Field ref, T: name) returns (f: Field ref);
-
-function AsRefField(field: Field ref, T: name) returns (f: Field ref);
-
-function AsRangeField(field: Field int, T: name) returns (f: Field int);
-
-axiom (forall f: Field ref, T: name :: { AsNonNullRefField(f, T) } AsNonNullRefField(f, T) == f ==> AsRefField(f, T) == f);
-
-axiom (forall h: Heap, o: ref, f: Field ref, T: name :: { h[o, AsRefField(f, T)] } IsHeap(h) ==> $Is(h[o, AsRefField(f, T)], T));
-
-axiom (forall h: Heap, o: ref, f: Field ref, T: name :: { h[o, AsNonNullRefField(f, T)] } IsHeap(h) && o != null && (o != $BeingConstructed || h[$BeingConstructed, $NonNullFieldsAreInitialized] == true) ==> h[o, AsNonNullRefField(f, T)] != null);
-
-axiom (forall h: Heap, o: ref, f: Field int, T: name :: { h[o, AsRangeField(f, T)] } IsHeap(h) ==> InRange(h[o, AsRangeField(f, T)], T));
-
-function $IsMemberlessType(name) returns (bool);
-
-axiom (forall o: ref :: { $IsMemberlessType($typeof(o)) } !$IsMemberlessType($typeof(o)));
-
-function $AsInterface(name) returns (name);
-
-axiom (forall $J: name, s: any, b: ref :: { UnboxedType(Box(s, b)) <: $AsInterface($J) } $AsInterface($J) == $J && Box(s, b) == b && UnboxedType(Box(s, b)) <: $AsInterface($J) ==> $typeof(b) <: $J);
-
-function $HeapSucc(oldHeap: Heap, newHeap: Heap) returns (bool);
-
-function $IsImmutable(T: name) returns (bool);
-
-axiom !$IsImmutable(System.Object);
-
-function $AsImmutable(T: name) returns (theType: name);
-
-function $AsMutable(T: name) returns (theType: name);
-
-axiom (forall T: name, U: name :: { U <: $AsImmutable(T) } U <: $AsImmutable(T) ==> $IsImmutable(U) && $AsImmutable(U) == U);
-
-axiom (forall T: name, U: name :: { U <: $AsMutable(T) } U <: $AsMutable(T) ==> !$IsImmutable(U) && $AsMutable(U) == U);
-
-function AsOwner(string: ref, owner: ref) returns (theString: ref);
-
-axiom (forall o: ref, T: name :: { $typeof(o) <: $AsImmutable(T) } o != null && o != $BeingConstructed && $typeof(o) <: $AsImmutable(T) ==> (forall h: Heap :: { IsHeap(h) } IsHeap(h) ==> h[o, $inv] == $typeof(o) && h[o, $localinv] == $typeof(o) && h[o, $ownerFrame] == $PeerGroupPlaceholder && AsOwner(o, h[o, $ownerRef]) == o && (forall t: ref :: { AsOwner(o, h[t, $ownerRef]) } AsOwner(o, h[t, $ownerRef]) == o ==> t == o || h[t, $ownerFrame] != $PeerGroupPlaceholder)));
-
-const unique System.String: name;
-
-function $StringLength(ref) returns (int);
-
-axiom (forall s: ref :: { $StringLength(s) } 0 <= $StringLength(s));
-
-function AsRepField(f: Field ref, declaringType: name) returns (theField: Field ref);
-
-axiom (forall h: Heap, o: ref, f: Field ref, T: name :: { h[o, AsRepField(f, T)] } IsHeap(h) && h[o, AsRepField(f, T)] != null ==> h[h[o, AsRepField(f, T)], $ownerRef] == o && h[h[o, AsRepField(f, T)], $ownerFrame] == T);
-
-function AsPeerField(f: Field ref) returns (theField: Field ref);
-
-axiom (forall h: Heap, o: ref, f: Field ref :: { h[o, AsPeerField(f)] } IsHeap(h) && h[o, AsPeerField(f)] != null ==> h[h[o, AsPeerField(f)], $ownerRef] == h[o, $ownerRef] && h[h[o, AsPeerField(f)], $ownerFrame] == h[o, $ownerFrame]);
-
-function AsElementsRepField(f: Field ref, declaringType: name, position: int) returns (theField: Field ref);
-
-axiom (forall h: Heap, o: ref, f: Field ref, T: name, i: int :: { h[o, AsElementsRepField(f, T, i)] } IsHeap(h) && h[o, AsElementsRepField(f, T, i)] != null ==> h[$ElementProxy(h[o, AsElementsRepField(f, T, i)], i), $ownerRef] == o && h[$ElementProxy(h[o, AsElementsRepField(f, T, i)], i), $ownerFrame] == T);
-
-function AsElementsPeerField(f: Field ref, position: int) returns (theField: Field ref);
-
-axiom (forall h: Heap, o: ref, f: Field ref, i: int :: { h[o, AsElementsPeerField(f, i)] } IsHeap(h) && h[o, AsElementsPeerField(f, i)] != null ==> h[$ElementProxy(h[o, AsElementsPeerField(f, i)], i), $ownerRef] == h[o, $ownerRef] && h[$ElementProxy(h[o, AsElementsPeerField(f, i)], i), $ownerFrame] == h[o, $ownerFrame]);
-
-axiom (forall h: Heap, o: ref :: { h[h[o, $ownerRef], $inv] <: h[o, $ownerFrame] } IsHeap(h) && h[o, $ownerFrame] != $PeerGroupPlaceholder && h[h[o, $ownerRef], $inv] <: h[o, $ownerFrame] && h[h[o, $ownerRef], $localinv] != $BaseClass(h[o, $ownerFrame]) ==> h[o, $inv] == $typeof(o) && h[o, $localinv] == $typeof(o));
-
-procedure $SetOwner(o: ref, ow: ref, fr: name);
- modifies $Heap;
- ensures (forall<a> p: ref, F: Field a :: { $Heap[p, F] } (F != $ownerRef && F != $ownerFrame) || old($Heap[p, $ownerRef] != $Heap[o, $ownerRef]) || old($Heap[p, $ownerFrame] != $Heap[o, $ownerFrame]) ==> old($Heap[p, F]) == $Heap[p, F]);
- ensures (forall p: ref :: { $Heap[p, $ownerRef] } { $Heap[p, $ownerFrame] } old($Heap[p, $ownerRef] == $Heap[o, $ownerRef]) && old($Heap[p, $ownerFrame] == $Heap[o, $ownerFrame]) ==> $Heap[p, $ownerRef] == ow && $Heap[p, $ownerFrame] == fr);
- free ensures $HeapSucc(old($Heap), $Heap);
-
-
-
-procedure $UpdateOwnersForRep(o: ref, T: name, e: ref);
- modifies $Heap;
- ensures (forall<a> p: ref, F: Field a :: { $Heap[p, F] } (F != $ownerRef && F != $ownerFrame) || old($Heap[p, $ownerRef] != $Heap[e, $ownerRef]) || old($Heap[p, $ownerFrame] != $Heap[e, $ownerFrame]) ==> old($Heap[p, F]) == $Heap[p, F]);
- ensures e == null ==> $Heap == old($Heap);
- ensures e != null ==> (forall p: ref :: { $Heap[p, $ownerRef] } { $Heap[p, $ownerFrame] } old($Heap[p, $ownerRef] == $Heap[e, $ownerRef]) && old($Heap[p, $ownerFrame] == $Heap[e, $ownerFrame]) ==> $Heap[p, $ownerRef] == o && $Heap[p, $ownerFrame] == T);
- free ensures $HeapSucc(old($Heap), $Heap);
-
-
-
-procedure $UpdateOwnersForPeer(c: ref, d: ref);
- modifies $Heap;
- ensures (forall<a> p: ref, F: Field a :: { $Heap[p, F] } (F != $ownerRef && F != $ownerFrame) || old($Heap[p, $ownerRef] != $Heap[d, $ownerRef] || $Heap[p, $ownerFrame] != $Heap[d, $ownerFrame]) ==> old($Heap[p, F]) == $Heap[p, F]);
- ensures d == null ==> $Heap == old($Heap);
- ensures d != null ==> (forall p: ref :: { $Heap[p, $ownerRef] } { $Heap[p, $ownerFrame] } old($Heap[p, $ownerRef] == $Heap[d, $ownerRef] && $Heap[p, $ownerFrame] == $Heap[d, $ownerFrame]) ==> $Heap[p, $ownerRef] == old($Heap)[c, $ownerRef] && $Heap[p, $ownerFrame] == old($Heap)[c, $ownerFrame]);
- free ensures $HeapSucc(old($Heap), $Heap);
-
-
-
-const unique $FirstConsistentOwner: Field ref;
-
-function $AsPureObject(ref) returns (ref);
-
-function ##FieldDependsOnFCO<a>(o: ref, f: Field a, ev: exposeVersionType) returns (value: any);
-
-axiom (forall<a> o: ref, f: Field a, h: Heap :: { h[$AsPureObject(o), f] } IsHeap(h) && o != null && h[o, $allocated] == true && $AsPureObject(o) == o && h[o, $ownerFrame] != $PeerGroupPlaceholder && h[h[o, $ownerRef], $inv] <: h[o, $ownerFrame] && h[h[o, $ownerRef], $localinv] != $BaseClass(h[o, $ownerFrame]) ==> h[o, f] == ##FieldDependsOnFCO(o, f, h[h[o, $FirstConsistentOwner], $exposeVersion]));
-
-axiom (forall o: ref, h: Heap :: { h[o, $FirstConsistentOwner] } IsHeap(h) && o != null && h[o, $allocated] == true && h[o, $ownerFrame] != $PeerGroupPlaceholder && h[h[o, $ownerRef], $inv] <: h[o, $ownerFrame] && h[h[o, $ownerRef], $localinv] != $BaseClass(h[o, $ownerFrame]) ==> h[o, $FirstConsistentOwner] != null && h[h[o, $FirstConsistentOwner], $allocated] == true && (h[h[o, $FirstConsistentOwner], $ownerFrame] == $PeerGroupPlaceholder || !(h[h[h[o, $FirstConsistentOwner], $ownerRef], $inv] <: h[h[o, $FirstConsistentOwner], $ownerFrame]) || h[h[h[o, $FirstConsistentOwner], $ownerRef], $localinv] == $BaseClass(h[h[o, $FirstConsistentOwner], $ownerFrame])));
-
-function Box<a>(a, ref) returns (ref);
-
-function Unbox(ref) returns (any);
-
-type NondetType;
-
-function MeldNondets(NondetType, any) returns (NondetType);
-
-function BoxFunc<a>(value: a, typ: name) returns (boxedValue: ref);
-
-function AllocFunc(typ: name) returns (newValue: ref);
-
-function NewInstance(object: ref, occurrence: NondetType, activity: ActivityType) returns (newInstance: ref);
-
-axiom (forall value: any, typ: name, occurrence: NondetType, activity: ActivityType :: { NewInstance(BoxFunc(value, typ), occurrence, activity) } Box(value, NewInstance(BoxFunc(value, typ), occurrence, activity)) == NewInstance(BoxFunc(value, typ), occurrence, activity) && UnboxedType(NewInstance(BoxFunc(value, typ), occurrence, activity)) == typ);
-
-axiom (forall x: ref, typ: name, occurrence: NondetType, activity: ActivityType :: !$IsValueType(UnboxedType(x)) ==> NewInstance(BoxFunc(x, typ), occurrence, activity) == x);
-
-axiom (forall x: any, p: ref :: { Unbox(Box(x, p)) } Unbox(Box(x, p)) == x);
-
-function UnboxedType(ref) returns (name);
-
-axiom (forall p: ref :: { $IsValueType(UnboxedType(p)) } $IsValueType(UnboxedType(p)) ==> (forall heap: Heap, x: any :: { heap[Box(x, p), $inv] } IsHeap(heap) ==> heap[Box(x, p), $inv] == $typeof(Box(x, p)) && heap[Box(x, p), $localinv] == $typeof(Box(x, p))));
-
-axiom (forall<a> x: a, p: ref :: { UnboxedType(Box(x, p)) <: System.Object } UnboxedType(Box(x, p)) <: System.Object && Box(x, p) == p ==> x == p);
-
-function BoxTester(p: ref, typ: name) returns (ref);
-
-axiom (forall p: ref, typ: name :: { BoxTester(p, typ) } UnboxedType(p) == typ <==> BoxTester(p, typ) != null);
-
-axiom (forall p: ref, typ: name :: { BoxTester(p, typ) } BoxTester(p, typ) != null ==> Box(Unbox(p), p) == p);
-
-axiom (forall typ: name, occurrence: NondetType, activity: ActivityType :: { NewInstance(AllocFunc(typ), occurrence, activity) } $typeof(NewInstance(AllocFunc(typ), occurrence, activity)) == typ && NewInstance(AllocFunc(typ), occurrence, activity) != null);
-
-axiom (forall typ: name, occurrence: NondetType, activity: ActivityType, heap: Heap :: { heap[NewInstance(AllocFunc(typ), occurrence, activity), $allocated] } IsHeap(heap) ==> heap[NewInstance(AllocFunc(typ), occurrence, activity), $allocated]);
-
-const unique System.SByte: name;
-
-axiom $IsValueType(System.SByte);
-
-const unique System.Byte: name;
-
-axiom $IsValueType(System.Byte);
-
-const unique System.Int16: name;
-
-axiom $IsValueType(System.Int16);
-
-const unique System.UInt16: name;
-
-axiom $IsValueType(System.UInt16);
-
-const unique System.Int32: name;
-
-axiom $IsValueType(System.Int32);
-
-const unique System.UInt32: name;
-
-axiom $IsValueType(System.UInt32);
-
-const unique System.Int64: name;
-
-axiom $IsValueType(System.Int64);
-
-const unique System.UInt64: name;
-
-axiom $IsValueType(System.UInt64);
-
-const unique System.Char: name;
-
-axiom $IsValueType(System.Char);
-
-const unique System.UIntPtr: name;
-
-axiom $IsValueType(System.UIntPtr);
-
-const unique System.IntPtr: name;
-
-axiom $IsValueType(System.IntPtr);
-
-const int#m2147483648: int;
-
-const int#2147483647: int;
-
-const int#4294967295: int;
-
-const int#m9223372036854775808: int;
-
-const int#9223372036854775807: int;
-
-const int#18446744073709551615: int;
-
-axiom int#m9223372036854775808 < int#m2147483648;
-
-axiom int#m2147483648 < 0 - 100000;
-
-axiom 100000 < int#2147483647;
-
-axiom int#2147483647 < int#4294967295;
-
-axiom int#4294967295 < int#9223372036854775807;
-
-axiom int#9223372036854775807 < int#18446744073709551615;
-
-axiom int#m9223372036854775808 + 1 == 0 - int#9223372036854775807;
-
-axiom int#m2147483648 + 1 == 0 - int#2147483647;
-
-function InRange(i: int, T: name) returns (bool);
-
-axiom (forall i: int :: InRange(i, System.SByte) <==> 0 - 128 <= i && i < 128);
-
-axiom (forall i: int :: InRange(i, System.Byte) <==> 0 <= i && i < 256);
-
-axiom (forall i: int :: InRange(i, System.Int16) <==> 0 - 32768 <= i && i < 32768);
-
-axiom (forall i: int :: InRange(i, System.UInt16) <==> 0 <= i && i < 65536);
-
-axiom (forall i: int :: InRange(i, System.Int32) <==> int#m2147483648 <= i && i <= int#2147483647);
-
-axiom (forall i: int :: InRange(i, System.UInt32) <==> 0 <= i && i <= int#4294967295);
-
-axiom (forall i: int :: InRange(i, System.Int64) <==> int#m9223372036854775808 <= i && i <= int#9223372036854775807);
-
-axiom (forall i: int :: InRange(i, System.UInt64) <==> 0 <= i && i <= int#18446744073709551615);
-
-axiom (forall i: int :: InRange(i, System.Char) <==> 0 <= i && i < 65536);
-
-function $IntToInt(val: int, fromType: name, toType: name) returns (int);
-
-function $IntToReal(int, fromType: name, toType: name) returns (real);
-
-function $RealToInt(real, fromType: name, toType: name) returns (int);
-
-function $RealToReal(val: real, fromType: name, toType: name) returns (real);
-
-axiom (forall z: int, B: name, C: name :: InRange(z, C) ==> $IntToInt(z, B, C) == z);
-
-function $SizeIs(name, int) returns (bool);
-
-function $IfThenElse(bool, any, any) returns (any);
-
-axiom (forall b: bool, x: any, y: any :: { $IfThenElse(b, x, y) } b ==> $IfThenElse(b, x, y) == x);
-
-axiom (forall b: bool, x: any, y: any :: { $IfThenElse(b, x, y) } !b ==> $IfThenElse(b, x, y) == y);
-
-function #neg(int) returns (int);
-
-function #and(int, int) returns (int);
-
-function #or(int, int) returns (int);
-
-function #xor(int, int) returns (int);
-
-function #shl(int, int) returns (int);
-
-function #shr(int, int) returns (int);
-
-function #rneg(real) returns (real);
-
-function #radd(real, real) returns (real);
-
-function #rsub(real, real) returns (real);
-
-function #rmul(real, real) returns (real);
-
-function #rdiv(real, real) returns (real);
-
-function #rmod(real, real) returns (real);
-
-function #rLess(real, real) returns (bool);
-
-function #rAtmost(real, real) returns (bool);
-
-function #rEq(real, real) returns (bool);
-
-function #rNeq(real, real) returns (bool);
-
-function #rAtleast(real, real) returns (bool);
-
-function #rGreater(real, real) returns (bool);
-
-axiom (forall x: int, y: int :: { x % y } { x / y } x % y == x - x / y * y);
-
-axiom (forall x: int, y: int :: { x % y } 0 <= x && 0 < y ==> 0 <= x % y && x % y < y);
-
-axiom (forall x: int, y: int :: { x % y } 0 <= x && y < 0 ==> 0 <= x % y && x % y < 0 - y);
-
-axiom (forall x: int, y: int :: { x % y } x <= 0 && 0 < y ==> 0 - y < x % y && x % y <= 0);
-
-axiom (forall x: int, y: int :: { x % y } x <= 0 && y < 0 ==> y < x % y && x % y <= 0);
-
-axiom (forall x: int, y: int :: { (x + y) % y } 0 <= x && 0 <= y ==> (x + y) % y == x % y);
-
-axiom (forall x: int, y: int :: { (y + x) % y } 0 <= x && 0 <= y ==> (y + x) % y == x % y);
-
-axiom (forall x: int, y: int :: { (x - y) % y } 0 <= x - y && 0 <= y ==> (x - y) % y == x % y);
-
-axiom (forall a: int, b: int, d: int :: { a % d, b % d } 2 <= d && a % d == b % d && a < b ==> a + d <= b);
-
-axiom (forall x: int, y: int :: { #and(x, y) } 0 <= x || 0 <= y ==> 0 <= #and(x, y));
-
-axiom (forall x: int, y: int :: { #or(x, y) } 0 <= x && 0 <= y ==> 0 <= #or(x, y) && #or(x, y) <= x + y);
-
-axiom (forall i: int :: { #shl(i, 0) } #shl(i, 0) == i);
-
-axiom (forall i: int, j: int :: { #shl(i, j) } 1 <= j ==> #shl(i, j) == #shl(i, j - 1) * 2);
-
-axiom (forall i: int, j: int :: { #shl(i, j) } 0 <= i && i < 32768 && 0 <= j && j <= 16 ==> 0 <= #shl(i, j) && #shl(i, j) <= int#2147483647);
-
-axiom (forall i: int :: { #shr(i, 0) } #shr(i, 0) == i);
-
-axiom (forall i: int, j: int :: { #shr(i, j) } 1 <= j ==> #shr(i, j) == #shr(i, j - 1) / 2);
-
-function #min(int, int) returns (int);
-
-function #max(int, int) returns (int);
-
-axiom (forall x: int, y: int :: { #min(x, y) } (#min(x, y) == x || #min(x, y) == y) && #min(x, y) <= x && #min(x, y) <= y);
-
-axiom (forall x: int, y: int :: { #max(x, y) } (#max(x, y) == x || #max(x, y) == y) && x <= #max(x, y) && y <= #max(x, y));
-
-function #System.String.IsInterned$System.String$notnull(Heap, ref) returns (ref);
-
-function #System.String.Equals$System.String(Heap, ref, ref) returns (bool);
-
-function #System.String.Equals$System.String$System.String(Heap, ref, ref) returns (bool);
-
-function ##StringEquals(ref, ref) returns (bool);
-
-axiom (forall h: Heap, a: ref, b: ref :: { #System.String.Equals$System.String(h, a, b) } #System.String.Equals$System.String(h, a, b) == #System.String.Equals$System.String$System.String(h, a, b));
-
-axiom (forall h: Heap, a: ref, b: ref :: { #System.String.Equals$System.String$System.String(h, a, b) } #System.String.Equals$System.String$System.String(h, a, b) == ##StringEquals(a, b) && #System.String.Equals$System.String$System.String(h, a, b) == ##StringEquals(b, a) && (a == b ==> ##StringEquals(a, b)));
-
-axiom (forall a: ref, b: ref, c: ref :: ##StringEquals(a, b) && ##StringEquals(b, c) ==> ##StringEquals(a, c));
-
-axiom (forall h: Heap, a: ref, b: ref :: { #System.String.Equals$System.String$System.String(h, a, b) } a != null && b != null && #System.String.Equals$System.String$System.String(h, a, b) ==> #System.String.IsInterned$System.String$notnull(h, a) == #System.String.IsInterned$System.String$notnull(h, b));
-
-const $UnknownRef: ref;
-
-const unique Bag.a: Field ref;
-
-const unique Bag.n: Field int;
-
-const unique Microsoft.Contracts.GuardException: name;
-
-const unique System.ICloneable: name;
-
-const unique Microsoft.Contracts.ObjectInvariantException: name;
-
-const unique System.Exception: name;
-
-const unique System.Collections.IEnumerable: name;
-
-const unique System.Collections.IList: name;
-
-const unique Microsoft.Contracts.ICheckedException: name;
-
-const unique System.Reflection.MemberInfo: name;
-
-const unique Bag: name;
-
-const unique System.Reflection.IReflect: name;
-
-const unique System.Runtime.InteropServices._MemberInfo: name;
-
-const unique System.Runtime.InteropServices._Type: name;
-
-const unique System.Collections.ICollection: name;
-
-const unique System.Runtime.InteropServices._Exception: name;
-
-const unique System.Runtime.Serialization.ISerializable: name;
-
-const unique System.Reflection.ICustomAttributeProvider: name;
-
-axiom !IsStaticField(Bag.n);
-
-axiom IncludeInMainFrameCondition(Bag.n);
-
-axiom $IncludedInModifiesStar(Bag.n);
-
-axiom DeclType222(Bag.n) == Bag;
-
-axiom AsRangeField(Bag.n, System.Int32) == Bag.n;
-
-axiom !IsStaticField(Bag.a);
-
-axiom IncludeInMainFrameCondition(Bag.a);
-
-axiom $IncludedInModifiesStar(Bag.a);
-
-axiom AsRepField(Bag.a, Bag) == Bag.a;
-
-axiom DeclType222(Bag.a) == Bag;
-
-axiom AsNonNullRefField(Bag.a, IntArray(System.Int32, 1)) == Bag.a;
-
-axiom Bag <: Bag;
-
-axiom $BaseClass(Bag) == System.Object && AsDirectSubClass(Bag, $BaseClass(Bag)) == Bag;
-
-axiom !$IsImmutable(Bag) && $AsMutable(Bag) == Bag;
-
-axiom System.Array <: System.Array;
-
-axiom $BaseClass(System.Array) == System.Object && AsDirectSubClass(System.Array, $BaseClass(System.Array)) == System.Array;
-
-axiom !$IsImmutable(System.Array) && $AsMutable(System.Array) == System.Array;
-
-axiom System.ICloneable <: System.ICloneable;
-
-axiom System.ICloneable <: System.Object;
-
-axiom $IsMemberlessType(System.ICloneable);
-
-axiom $AsInterface(System.ICloneable) == System.ICloneable;
-
-axiom System.Array <: System.ICloneable;
-
-axiom System.Collections.IList <: System.Collections.IList;
-
-axiom System.Collections.IList <: System.Object;
-
-axiom System.Collections.ICollection <: System.Collections.ICollection;
-
-axiom System.Collections.ICollection <: System.Object;
-
-axiom System.Collections.IEnumerable <: System.Collections.IEnumerable;
-
-axiom System.Collections.IEnumerable <: System.Object;
-
-axiom $IsMemberlessType(System.Collections.IEnumerable);
-
-axiom $AsInterface(System.Collections.IEnumerable) == System.Collections.IEnumerable;
-
-axiom System.Collections.ICollection <: System.Collections.IEnumerable;
-
-axiom $IsMemberlessType(System.Collections.ICollection);
-
-axiom $AsInterface(System.Collections.ICollection) == System.Collections.ICollection;
-
-axiom System.Collections.IList <: System.Collections.ICollection;
-
-axiom System.Collections.IList <: System.Collections.IEnumerable;
-
-axiom $IsMemberlessType(System.Collections.IList);
-
-axiom $AsInterface(System.Collections.IList) == System.Collections.IList;
-
-axiom System.Array <: System.Collections.IList;
-
-axiom System.Array <: System.Collections.ICollection;
-
-axiom System.Array <: System.Collections.IEnumerable;
-
-axiom $IsMemberlessType(System.Array);
-
-// System.Array object invariant
-axiom (forall $oi: ref, $h: Heap :: { $h[$oi, $inv] <: System.Array } IsHeap($h) && $h[$oi, $inv] <: System.Array && $h[$oi, $localinv] != $BaseClass(System.Array) ==> true);
-
-// Bag object invariant
-axiom (forall $oi: ref, $h: Heap :: { $h[$oi, $inv] <: Bag } IsHeap($h) && $h[$oi, $inv] <: Bag && $h[$oi, $localinv] != $BaseClass(Bag) ==> 0 <= $h[$oi, Bag.n] && $h[$oi, Bag.n] <= $Length($h[$oi, Bag.a]));
-
-procedure Bag.SpecSharp.CheckInvariant$System.Boolean(this: ref where $IsNotNull(this, Bag) && $Heap[this, $allocated], throwException$in: bool where true) returns ($result: bool where true);
- // user-declared preconditions
- requires ($Heap[this, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[this, $ownerRef], $inv] <: $Heap[this, $ownerFrame]) || $Heap[$Heap[this, $ownerRef], $localinv] == $BaseClass($Heap[this, $ownerFrame])) && $Heap[this, $inv] == System.Object && $Heap[this, $localinv] == $typeof(this) && (forall $p: ref :: $p != null && $Heap[$p, $allocated] && $Heap[$p, $ownerRef] == this && $Heap[$p, $ownerFrame] == Bag ==> $Heap[$p, $inv] == $typeof($p) && $Heap[$p, $localinv] == $typeof($p));
- free requires $BeingConstructed == null;
- free requires $PurityAxiomsCanBeAssumed;
- modifies $Heap, $ActivityIndicator;
- // newly allocated objects are fully valid
- free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } $o != null && !old($Heap)[$o, $allocated] && $Heap[$o, $allocated] ==> $Heap[$o, $inv] == $typeof($o) && $Heap[$o, $localinv] == $typeof($o));
- // first consistent owner unchanged if its exposeVersion is
- free ensures (forall $o: ref :: { $Heap[$o, $FirstConsistentOwner] } old($Heap)[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] == $Heap[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] ==> old($Heap)[$o, $FirstConsistentOwner] == $Heap[$o, $FirstConsistentOwner]);
- // frame condition
- ensures (forall<a> $o: ref, $f: Field a :: { $Heap[$o, $f] } IncludeInMainFrameCondition($f) && $o != null && old($Heap)[$o, $allocated] && (old($Heap)[$o, $ownerFrame] == $PeerGroupPlaceholder || !(old($Heap)[old($Heap)[$o, $ownerRef], $inv] <: old($Heap)[$o, $ownerFrame]) || old($Heap)[old($Heap)[$o, $ownerRef], $localinv] == $BaseClass(old($Heap)[$o, $ownerFrame])) && old($o != this || !($typeof(this) <: DeclType222($f)) || !$IncludedInModifiesStar($f)) && old(true) ==> old($Heap)[$o, $f] == $Heap[$o, $f]);
- free ensures $HeapSucc(old($Heap), $Heap);
- // inv/localinv change only in blocks
- free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } old($Heap)[$o, $allocated] ==> old($Heap)[$o, $inv] == $Heap[$o, $inv] && old($Heap)[$o, $localinv] == $Heap[$o, $localinv]);
- free ensures (forall $o: ref :: { $Heap[$o, $allocated] } old($Heap)[$o, $allocated] ==> $Heap[$o, $allocated]) && (forall $ot: ref :: { $Heap[$ot, $ownerFrame] } { $Heap[$ot, $ownerRef] } old($Heap)[$ot, $allocated] && old($Heap)[$ot, $ownerFrame] != $PeerGroupPlaceholder ==> $Heap[$ot, $ownerRef] == old($Heap)[$ot, $ownerRef] && $Heap[$ot, $ownerFrame] == old($Heap)[$ot, $ownerFrame]) && old($Heap)[$BeingConstructed, $NonNullFieldsAreInitialized] == $Heap[$BeingConstructed, $NonNullFieldsAreInitialized];
- free ensures (forall $o: ref :: { $Heap[$o, $sharingMode] } old($Heap[$o, $sharingMode]) == $Heap[$o, $sharingMode]);
-
-
-
-implementation Bag.SpecSharp.CheckInvariant$System.Boolean(this: ref, throwException$in: bool) returns ($result: bool)
-{
- var throwException: bool where true, stack0i: int, stack1i: int, stack0b: bool, stack1o: ref, return.value: bool where true, stack50000o: ref, stack0o: ref, SS$Display.Return.Local: bool where true;
-
- entry:
- throwException := throwException$in;
- goto block2380;
-
- block2380:
- goto block2482;
-
- block2482:
- // ----- nop
- // ----- load constant 0
- stack0i := 0;
- // ----- load field
- assert this != null;
- stack1i := $Heap[this, Bag.n];
- // ----- binary operator
- // ----- branch
- goto true2482to2550, false2482to2414;
-
- true2482to2550:
- assume stack0i > stack1i;
- goto block2550;
-
- false2482to2414:
- assume stack0i <= stack1i;
- goto block2414;
-
- block2550:
- // ----- copy
- stack0b := throwException;
- // ----- unary operator
- // ----- branch
- goto true2550to2584, false2550to2601;
-
- block2414:
- // ----- load field
- assert this != null;
- stack0i := $Heap[this, Bag.n];
- // ----- load field
- assert this != null;
- stack1o := $Heap[this, Bag.a];
- // ----- unary operator
- assert stack1o != null;
- stack1i := $Length(stack1o);
- // ----- unary operator
- stack1i := $IntToInt(stack1i, System.UIntPtr, System.Int32);
- // ----- binary operator
- // ----- branch
- goto true2414to2550, false2414to2465;
-
- true2414to2550:
- assume stack0i > stack1i;
- goto block2550;
-
- false2414to2465:
- assume stack0i <= stack1i;
- goto block2465;
-
- block2465:
- // ----- branch
- goto block2448;
-
- true2550to2584:
- assume !stack0b;
- goto block2584;
-
- false2550to2601:
- assume stack0b;
- goto block2601;
-
- block2584:
- // ----- load constant 0
- return.value := false;
- // ----- branch
- goto block2567;
-
- block2601:
- assume false;
- // ----- new object
- havoc stack50000o;
- assume $Heap[stack50000o, $allocated] == false && stack50000o != null && $typeof(stack50000o) == Microsoft.Contracts.ObjectInvariantException;
- assume $Heap[stack50000o, $ownerRef] == stack50000o && $Heap[stack50000o, $ownerFrame] == $PeerGroupPlaceholder;
- // ----- call
- assert stack50000o != null;
- call Microsoft.Contracts.ObjectInvariantException..ctor(stack50000o);
- // ----- copy
- stack0o := stack50000o;
- // ----- throw
- assert stack0o != null;
- assume false;
- return;
-
- block2448:
- // ----- load constant 1
- return.value := true;
- // ----- branch
- goto block2567;
-
- block2567:
- // ----- copy
- SS$Display.Return.Local := return.value;
- // ----- copy
- stack0b := return.value;
- // ----- return
- $result := stack0b;
- return;
-}
-
-
-
-axiom Microsoft.Contracts.ObjectInvariantException <: Microsoft.Contracts.ObjectInvariantException;
-
-axiom Microsoft.Contracts.GuardException <: Microsoft.Contracts.GuardException;
-
-axiom System.Exception <: System.Exception;
-
-axiom $BaseClass(System.Exception) == System.Object && AsDirectSubClass(System.Exception, $BaseClass(System.Exception)) == System.Exception;
-
-axiom !$IsImmutable(System.Exception) && $AsMutable(System.Exception) == System.Exception;
-
-axiom System.Runtime.Serialization.ISerializable <: System.Runtime.Serialization.ISerializable;
-
-axiom System.Runtime.Serialization.ISerializable <: System.Object;
-
-axiom $IsMemberlessType(System.Runtime.Serialization.ISerializable);
-
-axiom $AsInterface(System.Runtime.Serialization.ISerializable) == System.Runtime.Serialization.ISerializable;
-
-axiom System.Exception <: System.Runtime.Serialization.ISerializable;
-
-axiom System.Runtime.InteropServices._Exception <: System.Runtime.InteropServices._Exception;
-
-axiom System.Runtime.InteropServices._Exception <: System.Object;
-
-axiom $IsMemberlessType(System.Runtime.InteropServices._Exception);
-
-axiom $AsInterface(System.Runtime.InteropServices._Exception) == System.Runtime.InteropServices._Exception;
-
-axiom System.Exception <: System.Runtime.InteropServices._Exception;
-
-// System.Exception object invariant
-axiom (forall $oi: ref, $h: Heap :: { $h[$oi, $inv] <: System.Exception } IsHeap($h) && $h[$oi, $inv] <: System.Exception && $h[$oi, $localinv] != $BaseClass(System.Exception) ==> true);
-
-axiom $BaseClass(Microsoft.Contracts.GuardException) == System.Exception && AsDirectSubClass(Microsoft.Contracts.GuardException, $BaseClass(Microsoft.Contracts.GuardException)) == Microsoft.Contracts.GuardException;
-
-axiom !$IsImmutable(Microsoft.Contracts.GuardException) && $AsMutable(Microsoft.Contracts.GuardException) == Microsoft.Contracts.GuardException;
-
-// Microsoft.Contracts.GuardException object invariant
-axiom (forall $oi: ref, $h: Heap :: { $h[$oi, $inv] <: Microsoft.Contracts.GuardException } IsHeap($h) && $h[$oi, $inv] <: Microsoft.Contracts.GuardException && $h[$oi, $localinv] != $BaseClass(Microsoft.Contracts.GuardException) ==> true);
-
-axiom $BaseClass(Microsoft.Contracts.ObjectInvariantException) == Microsoft.Contracts.GuardException && AsDirectSubClass(Microsoft.Contracts.ObjectInvariantException, $BaseClass(Microsoft.Contracts.ObjectInvariantException)) == Microsoft.Contracts.ObjectInvariantException;
-
-axiom !$IsImmutable(Microsoft.Contracts.ObjectInvariantException) && $AsMutable(Microsoft.Contracts.ObjectInvariantException) == Microsoft.Contracts.ObjectInvariantException;
-
-// Microsoft.Contracts.ObjectInvariantException object invariant
-axiom (forall $oi: ref, $h: Heap :: { $h[$oi, $inv] <: Microsoft.Contracts.ObjectInvariantException } IsHeap($h) && $h[$oi, $inv] <: Microsoft.Contracts.ObjectInvariantException && $h[$oi, $localinv] != $BaseClass(Microsoft.Contracts.ObjectInvariantException) ==> true);
-
-procedure Microsoft.Contracts.ObjectInvariantException..ctor(this: ref where $IsNotNull(this, Microsoft.Contracts.ObjectInvariantException) && $Heap[this, $allocated]);
- // object is fully unpacked: this.inv == Object
- free requires ($Heap[this, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[this, $ownerRef], $inv] <: $Heap[this, $ownerFrame]) || $Heap[$Heap[this, $ownerRef], $localinv] == $BaseClass($Heap[this, $ownerFrame])) && $Heap[this, $inv] == System.Object && $Heap[this, $localinv] == $typeof(this);
- // nothing is owned by [this,*] and 'this' is alone in its own peer group
- free requires (forall $o: ref :: $o != this ==> $Heap[$o, $ownerRef] != this) && $Heap[this, $ownerRef] == this && $Heap[this, $ownerFrame] == $PeerGroupPlaceholder;
- free requires $BeingConstructed == this;
- free requires $PurityAxiomsCanBeAssumed;
- modifies $Heap, $ActivityIndicator;
- // target object is allocated upon return
- free ensures $Heap[this, $allocated];
- // target object is additively exposable for Microsoft.Contracts.ObjectInvariantException
- ensures ($Heap[this, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[this, $ownerRef], $inv] <: $Heap[this, $ownerFrame]) || $Heap[$Heap[this, $ownerRef], $localinv] == $BaseClass($Heap[this, $ownerFrame])) && $Heap[this, $inv] == Microsoft.Contracts.ObjectInvariantException && $Heap[this, $localinv] == $typeof(this);
- ensures $Heap[this, $ownerRef] == old($Heap)[this, $ownerRef] && $Heap[this, $ownerFrame] == old($Heap)[this, $ownerFrame];
- ensures $Heap[this, $sharingMode] == $SharingMode_Unshared;
- // newly allocated objects are fully valid
- free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } $o != null && !old($Heap)[$o, $allocated] && $Heap[$o, $allocated] ==> $Heap[$o, $inv] == $typeof($o) && $Heap[$o, $localinv] == $typeof($o));
- // first consistent owner unchanged if its exposeVersion is
- free ensures (forall $o: ref :: { $Heap[$o, $FirstConsistentOwner] } old($Heap)[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] == $Heap[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] ==> old($Heap)[$o, $FirstConsistentOwner] == $Heap[$o, $FirstConsistentOwner]);
- // frame condition
- ensures (forall<a> $o: ref, $f: Field a :: { $Heap[$o, $f] } IncludeInMainFrameCondition($f) && $o != null && old($Heap)[$o, $allocated] && (old($Heap)[$o, $ownerFrame] == $PeerGroupPlaceholder || !(old($Heap)[old($Heap)[$o, $ownerRef], $inv] <: old($Heap)[$o, $ownerFrame]) || old($Heap)[old($Heap)[$o, $ownerRef], $localinv] == $BaseClass(old($Heap)[$o, $ownerFrame])) && ($o != this || !(Microsoft.Contracts.ObjectInvariantException <: DeclType222($f))) && old(true) && old(true) ==> old($Heap)[$o, $f] == $Heap[$o, $f]);
- free ensures $HeapSucc(old($Heap), $Heap);
- // inv/localinv change only in blocks
- free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } old($Heap)[$o, $allocated] && $o != this ==> old($Heap)[$o, $inv] == $Heap[$o, $inv] && old($Heap)[$o, $localinv] == $Heap[$o, $localinv]);
- free ensures (forall $o: ref :: { $Heap[$o, $allocated] } old($Heap)[$o, $allocated] ==> $Heap[$o, $allocated]) && (forall $ot: ref :: { $Heap[$ot, $ownerFrame] } { $Heap[$ot, $ownerRef] } old($Heap)[$ot, $allocated] && old($Heap)[$ot, $ownerFrame] != $PeerGroupPlaceholder ==> $Heap[$ot, $ownerRef] == old($Heap)[$ot, $ownerRef] && $Heap[$ot, $ownerFrame] == old($Heap)[$ot, $ownerFrame]) && old($Heap)[$BeingConstructed, $NonNullFieldsAreInitialized] == $Heap[$BeingConstructed, $NonNullFieldsAreInitialized];
- free ensures (forall $o: ref :: { $Heap[$o, $sharingMode] } $o == this || old($Heap[$o, $sharingMode]) == $Heap[$o, $sharingMode]);
-
-
-
-procedure Bag..ctor$System.Int32.array$notnull(this: ref where $IsNotNull(this, Bag) && $Heap[this, $allocated], initialElements$in: ref where $IsNotNull(initialElements$in, IntArray(System.Int32, 1)) && $Heap[initialElements$in, $allocated]);
- // object is fully unpacked: this.inv == Object
- free requires ($Heap[this, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[this, $ownerRef], $inv] <: $Heap[this, $ownerFrame]) || $Heap[$Heap[this, $ownerRef], $localinv] == $BaseClass($Heap[this, $ownerFrame])) && $Heap[this, $inv] == System.Object && $Heap[this, $localinv] == $typeof(this);
- // initialElements is peer consistent
- requires (forall $pc: ref :: { $typeof($pc) } { $Heap[$pc, $localinv] } { $Heap[$pc, $inv] } { $Heap[$pc, $ownerFrame] } { $Heap[$pc, $ownerRef] } $pc != null && $Heap[$pc, $allocated] && $Heap[$pc, $ownerRef] == $Heap[initialElements$in, $ownerRef] && $Heap[$pc, $ownerFrame] == $Heap[initialElements$in, $ownerFrame] ==> $Heap[$pc, $inv] == $typeof($pc) && $Heap[$pc, $localinv] == $typeof($pc));
- // initialElements is peer consistent (owner must not be valid)
- requires $Heap[initialElements$in, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[initialElements$in, $ownerRef], $inv] <: $Heap[initialElements$in, $ownerFrame]) || $Heap[$Heap[initialElements$in, $ownerRef], $localinv] == $BaseClass($Heap[initialElements$in, $ownerFrame]);
- // nothing is owned by [this,*] and 'this' is alone in its own peer group
- free requires (forall $o: ref :: $o != this ==> $Heap[$o, $ownerRef] != this) && $Heap[this, $ownerRef] == this && $Heap[this, $ownerFrame] == $PeerGroupPlaceholder;
- free requires $BeingConstructed == this;
- free requires $PurityAxiomsCanBeAssumed;
- modifies $Heap, $ActivityIndicator;
- // target object is allocated upon return
- free ensures $Heap[this, $allocated];
- // target object is additively exposable for Bag
- ensures ($Heap[this, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[this, $ownerRef], $inv] <: $Heap[this, $ownerFrame]) || $Heap[$Heap[this, $ownerRef], $localinv] == $BaseClass($Heap[this, $ownerFrame])) && $Heap[this, $inv] == Bag && $Heap[this, $localinv] == $typeof(this);
- ensures $Heap[this, $ownerRef] == old($Heap)[this, $ownerRef] && $Heap[this, $ownerFrame] == old($Heap)[this, $ownerFrame];
- ensures $Heap[this, $sharingMode] == $SharingMode_Unshared;
- // newly allocated objects are fully valid
- free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } $o != null && !old($Heap)[$o, $allocated] && $Heap[$o, $allocated] ==> $Heap[$o, $inv] == $typeof($o) && $Heap[$o, $localinv] == $typeof($o));
- // first consistent owner unchanged if its exposeVersion is
- free ensures (forall $o: ref :: { $Heap[$o, $FirstConsistentOwner] } old($Heap)[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] == $Heap[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] ==> old($Heap)[$o, $FirstConsistentOwner] == $Heap[$o, $FirstConsistentOwner]);
- // frame condition
- ensures (forall<a> $o: ref, $f: Field a :: { $Heap[$o, $f] } IncludeInMainFrameCondition($f) && $o != null && old($Heap)[$o, $allocated] && (old($Heap)[$o, $ownerFrame] == $PeerGroupPlaceholder || !(old($Heap)[old($Heap)[$o, $ownerRef], $inv] <: old($Heap)[$o, $ownerFrame]) || old($Heap)[old($Heap)[$o, $ownerRef], $localinv] == $BaseClass(old($Heap)[$o, $ownerFrame])) && ($o != this || !(Bag <: DeclType222($f))) && old(true) && old(true) ==> old($Heap)[$o, $f] == $Heap[$o, $f]);
- free ensures $HeapSucc(old($Heap), $Heap);
- // inv/localinv change only in blocks
- free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } old($Heap)[$o, $allocated] && $o != this ==> old($Heap)[$o, $inv] == $Heap[$o, $inv] && old($Heap)[$o, $localinv] == $Heap[$o, $localinv]);
- free ensures (forall $o: ref :: { $Heap[$o, $allocated] } old($Heap)[$o, $allocated] ==> $Heap[$o, $allocated]) && (forall $ot: ref :: { $Heap[$ot, $ownerFrame] } { $Heap[$ot, $ownerRef] } old($Heap)[$ot, $allocated] && old($Heap)[$ot, $ownerFrame] != $PeerGroupPlaceholder ==> $Heap[$ot, $ownerRef] == old($Heap)[$ot, $ownerRef] && $Heap[$ot, $ownerFrame] == old($Heap)[$ot, $ownerFrame]) && old($Heap)[$BeingConstructed, $NonNullFieldsAreInitialized] == $Heap[$BeingConstructed, $NonNullFieldsAreInitialized];
- free ensures (forall $o: ref :: { $Heap[$o, $sharingMode] } $o == this || old($Heap[$o, $sharingMode]) == $Heap[$o, $sharingMode]);
-
-
-
-implementation Bag..ctor$System.Int32.array$notnull(this: ref, initialElements$in: ref)
-{
- var initialElements: ref where $IsNotNull(initialElements, IntArray(System.Int32, 1)) && $Heap[initialElements, $allocated], stack0o: ref, stack0i: int, temp0: exposeVersionType, temp1: ref, temp2: exposeVersionType, stack1i: int, temp3: ref;
-
- entry:
- initialElements := initialElements$in;
- assume $Heap[this, Bag.n] == 0;
- goto block3332;
-
- block3332:
- goto block3468;
-
- block3468:
- // ----- nop
- // ----- copy ----- AddMethod.ssc(13,5)
- stack0o := initialElements;
- // ----- unary operator ----- AddMethod.ssc(13,5)
- assert stack0o != null;
- stack0i := $Length(stack0o);
- // ----- unary operator ----- AddMethod.ssc(13,5)
- stack0i := $IntToInt(stack0i, System.UIntPtr, System.Int32);
- // ----- store field ----- AddMethod.ssc(13,5)
- assert this != null;
- assert $Heap[this, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[this, $ownerRef], $inv] <: $Heap[this, $ownerFrame]) || $Heap[$Heap[this, $ownerRef], $localinv] == $BaseClass($Heap[this, $ownerFrame]);
- havoc temp0;
- $Heap[this, $exposeVersion] := temp0;
- $Heap[this, Bag.n] := stack0i;
- assert !($Heap[this, $inv] <: Bag && $Heap[this, $localinv] != $BaseClass(Bag)) || 0 <= $Heap[this, Bag.n];
- assert !($Heap[this, $inv] <: Bag && $Heap[this, $localinv] != $BaseClass(Bag)) || $Heap[this, Bag.n] <= $Length($Heap[this, Bag.a]);
- assume IsHeap($Heap);
- // ----- copy ----- AddMethod.ssc(14,5)
- stack0o := initialElements;
- // ----- unary operator ----- AddMethod.ssc(14,5)
- assert stack0o != null;
- stack0i := $Length(stack0o);
- // ----- unary operator ----- AddMethod.ssc(14,5)
- stack0i := $IntToInt(stack0i, System.UIntPtr, System.Int32);
- // ----- new array ----- AddMethod.ssc(14,5)
- assert 0 <= stack0i;
- havoc temp1;
- assume $Heap[temp1, $allocated] == false && $Length(temp1) == stack0i;
- assume $Heap[$ElementProxy(temp1, -1), $allocated] == false && $ElementProxy(temp1, -1) != temp1 && $ElementProxy(temp1, -1) != null;
- assume temp1 != null;
- assume $typeof(temp1) == IntArray(System.Int32, 1);
- assume $Heap[temp1, $ownerRef] == temp1 && $Heap[temp1, $ownerFrame] == $PeerGroupPlaceholder;
- assume $Heap[$ElementProxy(temp1, -1), $ownerRef] == $ElementProxy(temp1, -1) && $Heap[$ElementProxy(temp1, -1), $ownerFrame] == $PeerGroupPlaceholder;
- assume $Heap[temp1, $inv] == $typeof(temp1) && $Heap[temp1, $localinv] == $typeof(temp1);
- assume (forall $i: int :: IntArrayGet($Heap[temp1, $elements], $i) == 0);
- $Heap[temp1, $allocated] := true;
- call System.Object..ctor($ElementProxy(temp1, -1));
- stack0o := temp1;
- assume IsHeap($Heap);
- // ----- store field ----- AddMethod.ssc(14,5)
- assert this != null;
- assert $Heap[this, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[this, $ownerRef], $inv] <: $Heap[this, $ownerFrame]) || $Heap[$Heap[this, $ownerRef], $localinv] == $BaseClass($Heap[this, $ownerFrame]);
- assert ($Heap[stack0o, $ownerRef] == this && $Heap[stack0o, $ownerFrame] == Bag) || $Heap[stack0o, $ownerFrame] == $PeerGroupPlaceholder;
- assert $Heap[stack0o, $ownerFrame] == $PeerGroupPlaceholder && $Heap[this, $inv] <: Bag && $Heap[this, $localinv] != $BaseClass(Bag) ==> (forall $pc: ref :: { $typeof($pc) } { $Heap[$pc, $localinv] } { $Heap[$pc, $inv] } { $Heap[$pc, $ownerFrame] } { $Heap[$pc, $ownerRef] } $pc != null && $Heap[$pc, $allocated] && $Heap[$pc, $ownerRef] == $Heap[stack0o, $ownerRef] && $Heap[$pc, $ownerFrame] == $Heap[stack0o, $ownerFrame] ==> $Heap[$pc, $inv] == $typeof($pc) && $Heap[$pc, $localinv] == $typeof($pc));
- assert $Heap[stack0o, $ownerFrame] == $PeerGroupPlaceholder && $Heap[this, $inv] <: Bag && $Heap[this, $localinv] != $BaseClass(Bag) ==> $Heap[this, $ownerRef] != $Heap[stack0o, $ownerRef] || $Heap[this, $ownerFrame] != $Heap[stack0o, $ownerFrame];
- call $UpdateOwnersForRep(this, Bag, stack0o);
- havoc temp2;
- $Heap[this, $exposeVersion] := temp2;
- $Heap[this, Bag.a] := stack0o;
- assert !($Heap[this, $inv] <: Bag && $Heap[this, $localinv] != $BaseClass(Bag)) || 0 <= $Heap[this, Bag.n];
- assert !($Heap[this, $inv] <: Bag && $Heap[this, $localinv] != $BaseClass(Bag)) || $Heap[this, Bag.n] <= $Length($Heap[this, Bag.a]);
- assume IsHeap($Heap);
- // ----- call ----- AddMethod.ssc(15,5)
- assert this != null;
- call System.Object..ctor(this);
- $Heap[this, $NonNullFieldsAreInitialized] := true;
- assume IsHeap($Heap);
- goto block3417;
-
- block3417:
- // ----- load field ----- AddMethod.ssc(16,5)
- assert this != null;
- stack0o := $Heap[this, Bag.a];
- // ----- load constant 0 ----- AddMethod.ssc(16,5)
- stack1i := 0;
- // ----- call ----- AddMethod.ssc(16,5)
- assert initialElements != null;
- call System.Array.CopyTo$System.Array$notnull$System.Int32$.Virtual.$(initialElements, stack0o, stack1i);
- // ----- FrameGuard processing ----- AddMethod.ssc(17,3)
- temp3 := this;
- // ----- classic pack ----- AddMethod.ssc(17,3)
- assert temp3 != null;
- assert $Heap[temp3, $inv] == System.Object && $Heap[temp3, $localinv] == $typeof(temp3);
- assert 0 <= $Heap[temp3, Bag.n];
- assert $Heap[temp3, Bag.n] <= $Length($Heap[temp3, Bag.a]);
- assert (forall $p: ref :: $p != null && $Heap[$p, $allocated] && $Heap[$p, $ownerRef] == temp3 && $Heap[$p, $ownerFrame] == Bag ==> $Heap[$p, $inv] == $typeof($p) && $Heap[$p, $localinv] == $typeof($p));
- $Heap[temp3, $inv] := Bag;
- assume IsHeap($Heap);
- // ----- return
- return;
-}
-
-
-
-procedure System.Object..ctor(this: ref where $IsNotNull(this, System.Object) && $Heap[this, $allocated]);
- // object is fully unpacked: this.inv == Object
- free requires ($Heap[this, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[this, $ownerRef], $inv] <: $Heap[this, $ownerFrame]) || $Heap[$Heap[this, $ownerRef], $localinv] == $BaseClass($Heap[this, $ownerFrame])) && $Heap[this, $inv] == System.Object && $Heap[this, $localinv] == $typeof(this);
- // nothing is owned by [this,*] and 'this' is alone in its own peer group
- free requires (forall $o: ref :: $o != this ==> $Heap[$o, $ownerRef] != this) && $Heap[this, $ownerRef] == this && $Heap[this, $ownerFrame] == $PeerGroupPlaceholder;
- free requires $BeingConstructed == this;
- free requires $PurityAxiomsCanBeAssumed;
- modifies $Heap, $ActivityIndicator;
- // target object is allocated upon return
- free ensures $Heap[this, $allocated];
- // target object is additively exposable for System.Object
- ensures ($Heap[this, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[this, $ownerRef], $inv] <: $Heap[this, $ownerFrame]) || $Heap[$Heap[this, $ownerRef], $localinv] == $BaseClass($Heap[this, $ownerFrame])) && $Heap[this, $inv] == System.Object && $Heap[this, $localinv] == $typeof(this);
- ensures $Heap[this, $ownerRef] == old($Heap)[this, $ownerRef] && $Heap[this, $ownerFrame] == old($Heap)[this, $ownerFrame];
- ensures $Heap[this, $sharingMode] == $SharingMode_Unshared;
- // newly allocated objects are fully valid
- free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } $o != null && !old($Heap)[$o, $allocated] && $Heap[$o, $allocated] ==> $Heap[$o, $inv] == $typeof($o) && $Heap[$o, $localinv] == $typeof($o));
- // first consistent owner unchanged if its exposeVersion is
- free ensures (forall $o: ref :: { $Heap[$o, $FirstConsistentOwner] } old($Heap)[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] == $Heap[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] ==> old($Heap)[$o, $FirstConsistentOwner] == $Heap[$o, $FirstConsistentOwner]);
- // frame condition
- ensures (forall<a> $o: ref, $f: Field a :: { $Heap[$o, $f] } IncludeInMainFrameCondition($f) && $o != null && old($Heap)[$o, $allocated] && (old($Heap)[$o, $ownerFrame] == $PeerGroupPlaceholder || !(old($Heap)[old($Heap)[$o, $ownerRef], $inv] <: old($Heap)[$o, $ownerFrame]) || old($Heap)[old($Heap)[$o, $ownerRef], $localinv] == $BaseClass(old($Heap)[$o, $ownerFrame])) && ($o != this || !(System.Object <: DeclType222($f))) && old(true) && old(true) ==> old($Heap)[$o, $f] == $Heap[$o, $f]);
- free ensures $HeapSucc(old($Heap), $Heap);
- // inv/localinv change only in blocks
- free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } old($Heap)[$o, $allocated] && $o != this ==> old($Heap)[$o, $inv] == $Heap[$o, $inv] && old($Heap)[$o, $localinv] == $Heap[$o, $localinv]);
- free ensures (forall $o: ref :: { $Heap[$o, $allocated] } old($Heap)[$o, $allocated] ==> $Heap[$o, $allocated]) && (forall $ot: ref :: { $Heap[$ot, $ownerFrame] } { $Heap[$ot, $ownerRef] } old($Heap)[$ot, $allocated] && old($Heap)[$ot, $ownerFrame] != $PeerGroupPlaceholder ==> $Heap[$ot, $ownerRef] == old($Heap)[$ot, $ownerRef] && $Heap[$ot, $ownerFrame] == old($Heap)[$ot, $ownerFrame]) && old($Heap)[$BeingConstructed, $NonNullFieldsAreInitialized] == $Heap[$BeingConstructed, $NonNullFieldsAreInitialized];
- free ensures (forall $o: ref :: { $Heap[$o, $sharingMode] } $o == this || old($Heap[$o, $sharingMode]) == $Heap[$o, $sharingMode]);
-
-
-
-procedure System.Array.CopyTo$System.Array$notnull$System.Int32$.Virtual.$(this: ref where $IsNotNull(this, System.Array) && $Heap[this, $allocated], array$in: ref where $IsNotNull(array$in, System.Array) && $Heap[array$in, $allocated], index$in: int where InRange(index$in, System.Int32));
- // user-declared preconditions
- requires array$in != null;
- requires $LBound(array$in, 0) <= index$in;
- requires $Rank(this) == 1;
- requires $Rank(array$in) == 1;
- requires $Length(this) <= $UBound(array$in, 0) + 1 - index$in;
- // target object is peer consistent
- requires (forall $pc: ref :: { $typeof($pc) } { $Heap[$pc, $localinv] } { $Heap[$pc, $inv] } { $Heap[$pc, $ownerFrame] } { $Heap[$pc, $ownerRef] } $pc != null && $Heap[$pc, $allocated] && $Heap[$pc, $ownerRef] == $Heap[this, $ownerRef] && $Heap[$pc, $ownerFrame] == $Heap[this, $ownerFrame] ==> $Heap[$pc, $inv] == $typeof($pc) && $Heap[$pc, $localinv] == $typeof($pc));
- // target object is peer consistent (owner must not be valid)
- requires $Heap[this, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[this, $ownerRef], $inv] <: $Heap[this, $ownerFrame]) || $Heap[$Heap[this, $ownerRef], $localinv] == $BaseClass($Heap[this, $ownerFrame]);
- // array is peer consistent
- requires (forall $pc: ref :: { $typeof($pc) } { $Heap[$pc, $localinv] } { $Heap[$pc, $inv] } { $Heap[$pc, $ownerFrame] } { $Heap[$pc, $ownerRef] } $pc != null && $Heap[$pc, $allocated] && $Heap[$pc, $ownerRef] == $Heap[array$in, $ownerRef] && $Heap[$pc, $ownerFrame] == $Heap[array$in, $ownerFrame] ==> $Heap[$pc, $inv] == $typeof($pc) && $Heap[$pc, $localinv] == $typeof($pc));
- // array is peer consistent (owner must not be valid)
- requires $Heap[array$in, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[array$in, $ownerRef], $inv] <: $Heap[array$in, $ownerFrame]) || $Heap[$Heap[array$in, $ownerRef], $localinv] == $BaseClass($Heap[array$in, $ownerFrame]);
- free requires $BeingConstructed == null;
- free requires $PurityAxiomsCanBeAssumed;
- modifies $Heap, $ActivityIndicator;
- // hard-coded postcondition
- ensures (forall $k: int :: { ValueArrayGet($Heap[array$in, $elements], $k) } (index$in <= $k && $k < index$in + $Length(this) ==> old(ValueArrayGet($Heap[this, $elements], $k + 0 - index$in)) == ValueArrayGet($Heap[array$in, $elements], $k)) && (!(index$in <= $k && $k < index$in + $Length(this)) ==> old(ValueArrayGet($Heap[array$in, $elements], $k)) == ValueArrayGet($Heap[array$in, $elements], $k)));
- ensures (forall $k: int :: { IntArrayGet($Heap[array$in, $elements], $k) } (index$in <= $k && $k < index$in + $Length(this) ==> old(IntArrayGet($Heap[this, $elements], $k + 0 - index$in)) == IntArrayGet($Heap[array$in, $elements], $k)) && (!(index$in <= $k && $k < index$in + $Length(this)) ==> old(IntArrayGet($Heap[array$in, $elements], $k)) == IntArrayGet($Heap[array$in, $elements], $k)));
- ensures (forall $k: int :: { RefArrayGet($Heap[array$in, $elements], $k) } (index$in <= $k && $k < index$in + $Length(this) ==> old(RefArrayGet($Heap[this, $elements], $k + 0 - index$in)) == RefArrayGet($Heap[array$in, $elements], $k)) && (!(index$in <= $k && $k < index$in + $Length(this)) ==> old(RefArrayGet($Heap[array$in, $elements], $k)) == RefArrayGet($Heap[array$in, $elements], $k)));
- // newly allocated objects are fully valid
- free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } $o != null && !old($Heap)[$o, $allocated] && $Heap[$o, $allocated] ==> $Heap[$o, $inv] == $typeof($o) && $Heap[$o, $localinv] == $typeof($o));
- // first consistent owner unchanged if its exposeVersion is
- free ensures (forall $o: ref :: { $Heap[$o, $FirstConsistentOwner] } old($Heap)[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] == $Heap[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] ==> old($Heap)[$o, $FirstConsistentOwner] == $Heap[$o, $FirstConsistentOwner]);
- // frame condition
- ensures (forall<a> $o: ref, $f: Field a :: { $Heap[$o, $f] } IncludeInMainFrameCondition($f) && $o != null && old($Heap)[$o, $allocated] && (old($Heap)[$o, $ownerFrame] == $PeerGroupPlaceholder || !(old($Heap)[old($Heap)[$o, $ownerRef], $inv] <: old($Heap)[$o, $ownerFrame]) || old($Heap)[old($Heap)[$o, $ownerRef], $localinv] == $BaseClass(old($Heap)[$o, $ownerFrame])) && old($o != array$in || !($typeof(array$in) <: DeclType222($f)) || !$IncludedInModifiesStar($f)) && old($o != array$in || $f != $exposeVersion) ==> old($Heap)[$o, $f] == $Heap[$o, $f]);
- free ensures $HeapSucc(old($Heap), $Heap);
- // inv/localinv change only in blocks
- free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } old($Heap)[$o, $allocated] ==> old($Heap)[$o, $inv] == $Heap[$o, $inv] && old($Heap)[$o, $localinv] == $Heap[$o, $localinv]);
- free ensures (forall $o: ref :: { $Heap[$o, $allocated] } old($Heap)[$o, $allocated] ==> $Heap[$o, $allocated]) && (forall $ot: ref :: { $Heap[$ot, $ownerFrame] } { $Heap[$ot, $ownerRef] } old($Heap)[$ot, $allocated] && old($Heap)[$ot, $ownerFrame] != $PeerGroupPlaceholder ==> $Heap[$ot, $ownerRef] == old($Heap)[$ot, $ownerRef] && $Heap[$ot, $ownerFrame] == old($Heap)[$ot, $ownerFrame]) && old($Heap)[$BeingConstructed, $NonNullFieldsAreInitialized] == $Heap[$BeingConstructed, $NonNullFieldsAreInitialized];
- free ensures (forall $o: ref :: { $Heap[$o, $sharingMode] } old($Heap[$o, $sharingMode]) == $Heap[$o, $sharingMode]);
-
-
-
-procedure Bag.Add$System.Int32(this: ref where $IsNotNull(this, Bag) && $Heap[this, $allocated], x$in: int where InRange(x$in, System.Int32));
- // target object is peer consistent
- requires (forall $pc: ref :: { $typeof($pc) } { $Heap[$pc, $localinv] } { $Heap[$pc, $inv] } { $Heap[$pc, $ownerFrame] } { $Heap[$pc, $ownerRef] } $pc != null && $Heap[$pc, $allocated] && $Heap[$pc, $ownerRef] == $Heap[this, $ownerRef] && $Heap[$pc, $ownerFrame] == $Heap[this, $ownerFrame] ==> $Heap[$pc, $inv] == $typeof($pc) && $Heap[$pc, $localinv] == $typeof($pc));
- // target object is peer consistent (owner must not be valid)
- requires $Heap[this, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[this, $ownerRef], $inv] <: $Heap[this, $ownerFrame]) || $Heap[$Heap[this, $ownerRef], $localinv] == $BaseClass($Heap[this, $ownerFrame]);
- free requires $BeingConstructed == null;
- free requires $PurityAxiomsCanBeAssumed;
- modifies $Heap, $ActivityIndicator;
- // newly allocated objects are fully valid
- free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } $o != null && !old($Heap)[$o, $allocated] && $Heap[$o, $allocated] ==> $Heap[$o, $inv] == $typeof($o) && $Heap[$o, $localinv] == $typeof($o));
- // first consistent owner unchanged if its exposeVersion is
- free ensures (forall $o: ref :: { $Heap[$o, $FirstConsistentOwner] } old($Heap)[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] == $Heap[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] ==> old($Heap)[$o, $FirstConsistentOwner] == $Heap[$o, $FirstConsistentOwner]);
- // frame condition
- ensures (forall<a> $o: ref, $f: Field a :: { $Heap[$o, $f] } IncludeInMainFrameCondition($f) && $o != null && old($Heap)[$o, $allocated] && (old($Heap)[$o, $ownerFrame] == $PeerGroupPlaceholder || !(old($Heap)[old($Heap)[$o, $ownerRef], $inv] <: old($Heap)[$o, $ownerFrame]) || old($Heap)[old($Heap)[$o, $ownerRef], $localinv] == $BaseClass(old($Heap)[$o, $ownerFrame])) && old($o != this || !($typeof(this) <: DeclType222($f)) || !$IncludedInModifiesStar($f)) && old($o != this || $f != $exposeVersion) ==> old($Heap)[$o, $f] == $Heap[$o, $f]);
- free ensures $HeapSucc(old($Heap), $Heap);
- // inv/localinv change only in blocks
- free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } old($Heap)[$o, $allocated] ==> old($Heap)[$o, $inv] == $Heap[$o, $inv] && old($Heap)[$o, $localinv] == $Heap[$o, $localinv]);
- free ensures (forall $o: ref :: { $Heap[$o, $allocated] } old($Heap)[$o, $allocated] ==> $Heap[$o, $allocated]) && (forall $ot: ref :: { $Heap[$ot, $ownerFrame] } { $Heap[$ot, $ownerRef] } old($Heap)[$ot, $allocated] && old($Heap)[$ot, $ownerFrame] != $PeerGroupPlaceholder ==> $Heap[$ot, $ownerRef] == old($Heap)[$ot, $ownerRef] && $Heap[$ot, $ownerFrame] == old($Heap)[$ot, $ownerFrame]) && old($Heap)[$BeingConstructed, $NonNullFieldsAreInitialized] == $Heap[$BeingConstructed, $NonNullFieldsAreInitialized];
- free ensures (forall $o: ref :: { $Heap[$o, $sharingMode] } old($Heap[$o, $sharingMode]) == $Heap[$o, $sharingMode]);
-
-
-
-implementation Bag.Add$System.Int32(this: ref, x$in: int)
-{
- var x: int where InRange(x, System.Int32), temp0: ref, stack1s: struct, stack1o: ref, temp1: exposeVersionType, local2: ref where $Is(local2, System.Exception) && $Heap[local2, $allocated], stack0i: int, stack1i: int, stack0b: bool, b: ref where $Is(b, IntArray(System.Int32, 1)) && $Heap[b, $allocated], temp2: ref, stack0o: ref, stack2o: ref, stack3i: int, stack4o: ref, stack4i: int, temp3: exposeVersionType, local4: int where InRange(local4, System.Int32), temp4: exposeVersionType, stack0s: struct;
-
- entry:
- x := x$in;
- goto block4335;
-
- block4335:
- goto block4488;
-
- block4488:
- // ----- nop
- // ----- FrameGuard processing ----- AddMethod.ssc(22,13)
- temp0 := this;
- // ----- load token ----- AddMethod.ssc(22,13)
- havoc stack1s;
- assume $IsTokenForType(stack1s, Bag);
- // ----- statically resolved GetTypeFromHandle call ----- AddMethod.ssc(22,13)
- stack1o := TypeObject(Bag);
- // ----- local unpack ----- AddMethod.ssc(22,13)
- assert temp0 != null;
- assert ($Heap[temp0, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[temp0, $ownerRef], $inv] <: $Heap[temp0, $ownerFrame]) || $Heap[$Heap[temp0, $ownerRef], $localinv] == $BaseClass($Heap[temp0, $ownerFrame])) && $Heap[temp0, $inv] <: Bag && $Heap[temp0, $localinv] == $typeof(temp0);
- $Heap[temp0, $localinv] := System.Object;
- havoc temp1;
- $Heap[temp0, $exposeVersion] := temp1;
- assume IsHeap($Heap);
- local2 := null;
- goto block4505;
-
- block4505:
- // ----- load field ----- AddMethod.ssc(24,7)
- assert this != null;
- stack0i := $Heap[this, Bag.n];
- // ----- load field ----- AddMethod.ssc(24,7)
- assert this != null;
- stack1o := $Heap[this, Bag.a];
- // ----- unary operator ----- AddMethod.ssc(24,7)
- assert stack1o != null;
- stack1i := $Length(stack1o);
- // ----- unary operator ----- AddMethod.ssc(24,7)
- stack1i := $IntToInt(stack1i, System.UIntPtr, System.Int32);
- // ----- binary operator ----- AddMethod.ssc(24,7)
- // ----- branch ----- AddMethod.ssc(24,7)
- goto true4505to4539, false4505to4522;
-
- true4505to4539:
- assume stack0i != stack1i;
- goto block4539;
-
- false4505to4522:
- assume stack0i == stack1i;
- goto block4522;
-
- block4539:
- // ----- load field ----- AddMethod.ssc(30,7)
- assert this != null;
- stack0o := $Heap[this, Bag.a];
- // ----- load field ----- AddMethod.ssc(30,7)
- assert this != null;
- stack1i := $Heap[this, Bag.n];
- // ----- store element ----- AddMethod.ssc(30,7)
- assert stack0o != null;
- assert 0 <= stack1i;
- assert stack1i < $Length(stack0o);
- assert $Heap[stack0o, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[stack0o, $ownerRef], $inv] <: $Heap[stack0o, $ownerFrame]) || $Heap[$Heap[stack0o, $ownerRef], $localinv] == $BaseClass($Heap[stack0o, $ownerFrame]);
- $Heap[stack0o, $elements] := IntArraySet($Heap[stack0o, $elements], stack1i, x);
- assume IsHeap($Heap);
- // ----- load field ----- AddMethod.ssc(31,7)
- assert this != null;
- local4 := $Heap[this, Bag.n];
- // ----- load constant 1 ----- AddMethod.ssc(31,7)
- stack0i := 1;
- // ----- binary operator ----- AddMethod.ssc(31,7)
- stack0i := local4 + stack0i;
- // ----- store field ----- AddMethod.ssc(31,7)
- assert this != null;
- assert $Heap[this, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[this, $ownerRef], $inv] <: $Heap[this, $ownerFrame]) || $Heap[$Heap[this, $ownerRef], $localinv] == $BaseClass($Heap[this, $ownerFrame]);
- havoc temp4;
- $Heap[this, $exposeVersion] := temp4;
- $Heap[this, Bag.n] := stack0i;
- assert !($Heap[this, $inv] <: Bag && $Heap[this, $localinv] != $BaseClass(Bag)) || 0 <= $Heap[this, Bag.n];
- assert !($Heap[this, $inv] <: Bag && $Heap[this, $localinv] != $BaseClass(Bag)) || $Heap[this, Bag.n] <= $Length($Heap[this, Bag.a]);
- assume IsHeap($Heap);
- // ----- copy
- stack0i := local4;
- // ----- branch
- goto block4658;
-
- block4522:
- // ----- load constant 2 ----- AddMethod.ssc(26,15)
- stack0i := 2;
- // ----- load field ----- AddMethod.ssc(26,15)
- assert this != null;
- stack1o := $Heap[this, Bag.a];
- // ----- unary operator ----- AddMethod.ssc(26,15)
- assert stack1o != null;
- stack1i := $Length(stack1o);
- // ----- unary operator ----- AddMethod.ssc(26,15)
- stack1i := $IntToInt(stack1i, System.UIntPtr, System.Int32);
- // ----- binary operator ----- AddMethod.ssc(26,15)
- stack0i := stack0i * stack1i;
- // ----- load constant 1 ----- AddMethod.ssc(26,15)
- stack1i := 1;
- // ----- binary operator ----- AddMethod.ssc(26,15)
- stack0i := stack0i + stack1i;
- // ----- new array ----- AddMethod.ssc(26,15)
- assert 0 <= stack0i;
- havoc temp2;
- assume $Heap[temp2, $allocated] == false && $Length(temp2) == stack0i;
- assume $Heap[$ElementProxy(temp2, -1), $allocated] == false && $ElementProxy(temp2, -1) != temp2 && $ElementProxy(temp2, -1) != null;
- assume temp2 != null;
- assume $typeof(temp2) == IntArray(System.Int32, 1);
- assume $Heap[temp2, $ownerRef] == temp2 && $Heap[temp2, $ownerFrame] == $PeerGroupPlaceholder;
- assume $Heap[$ElementProxy(temp2, -1), $ownerRef] == $ElementProxy(temp2, -1) && $Heap[$ElementProxy(temp2, -1), $ownerFrame] == $PeerGroupPlaceholder;
- assume $Heap[temp2, $inv] == $typeof(temp2) && $Heap[temp2, $localinv] == $typeof(temp2);
- assume (forall $i: int :: IntArrayGet($Heap[temp2, $elements], $i) == 0);
- $Heap[temp2, $allocated] := true;
- call System.Object..ctor($ElementProxy(temp2, -1));
- b := temp2;
- assume IsHeap($Heap);
- // ----- load field ----- AddMethod.ssc(27,9)
- assert this != null;
- stack0o := $Heap[this, Bag.a];
- // ----- load constant 0 ----- AddMethod.ssc(27,9)
- stack1i := 0;
- // ----- copy ----- AddMethod.ssc(27,9)
- stack2o := b;
- // ----- load constant 0 ----- AddMethod.ssc(27,9)
- stack3i := 0;
- // ----- load field ----- AddMethod.ssc(27,9)
- assert this != null;
- stack4o := $Heap[this, Bag.a];
- // ----- unary operator ----- AddMethod.ssc(27,9)
- assert stack4o != null;
- stack4i := $Length(stack4o);
- // ----- unary operator ----- AddMethod.ssc(27,9)
- stack4i := $IntToInt(stack4i, System.UIntPtr, System.Int32);
- // ----- call ----- AddMethod.ssc(27,9)
- call System.Array.Copy$System.Array$notnull$System.Int32$System.Array$notnull$System.Int32$System.Int32(stack0o, stack1i, stack2o, stack3i, stack4i);
- // ----- store field ----- AddMethod.ssc(28,9)
- assert this != null;
- assert $Heap[this, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[this, $ownerRef], $inv] <: $Heap[this, $ownerFrame]) || $Heap[$Heap[this, $ownerRef], $localinv] == $BaseClass($Heap[this, $ownerFrame]);
- assert ($Heap[b, $ownerRef] == this && $Heap[b, $ownerFrame] == Bag) || $Heap[b, $ownerFrame] == $PeerGroupPlaceholder;
- assert $Heap[b, $ownerFrame] == $PeerGroupPlaceholder && $Heap[this, $inv] <: Bag && $Heap[this, $localinv] != $BaseClass(Bag) ==> (forall $pc: ref :: { $typeof($pc) } { $Heap[$pc, $localinv] } { $Heap[$pc, $inv] } { $Heap[$pc, $ownerFrame] } { $Heap[$pc, $ownerRef] } $pc != null && $Heap[$pc, $allocated] && $Heap[$pc, $ownerRef] == $Heap[b, $ownerRef] && $Heap[$pc, $ownerFrame] == $Heap[b, $ownerFrame] ==> $Heap[$pc, $inv] == $typeof($pc) && $Heap[$pc, $localinv] == $typeof($pc));
- assert $Heap[b, $ownerFrame] == $PeerGroupPlaceholder && $Heap[this, $inv] <: Bag && $Heap[this, $localinv] != $BaseClass(Bag) ==> $Heap[this, $ownerRef] != $Heap[b, $ownerRef] || $Heap[this, $ownerFrame] != $Heap[b, $ownerFrame];
- call $UpdateOwnersForRep(this, Bag, b);
- havoc temp3;
- $Heap[this, $exposeVersion] := temp3;
- $Heap[this, Bag.a] := b;
- assert !($Heap[this, $inv] <: Bag && $Heap[this, $localinv] != $BaseClass(Bag)) || 0 <= $Heap[this, Bag.n];
- assert !($Heap[this, $inv] <: Bag && $Heap[this, $localinv] != $BaseClass(Bag)) || $Heap[this, Bag.n] <= $Length($Heap[this, Bag.a]);
- assume IsHeap($Heap);
- goto block4539;
-
- block4658:
- stack0o := null;
- // ----- binary operator
- // ----- branch
- goto true4658to4624, false4658to4641;
-
- true4658to4624:
- assume local2 == stack0o;
- goto block4624;
-
- false4658to4641:
- assume local2 != stack0o;
- goto block4641;
-
- block4624:
- // ----- load token ----- AddMethod.ssc(32,5)
- havoc stack0s;
- assume $IsTokenForType(stack0s, Bag);
- // ----- statically resolved GetTypeFromHandle call ----- AddMethod.ssc(32,5)
- stack0o := TypeObject(Bag);
- // ----- local pack ----- AddMethod.ssc(32,5)
- assert temp0 != null;
- assert $Heap[temp0, $localinv] == System.Object;
- assert 0 <= $Heap[temp0, Bag.n];
- assert $Heap[temp0, Bag.n] <= $Length($Heap[temp0, Bag.a]);
- assert (forall $p: ref :: $p != null && $Heap[$p, $allocated] && $Heap[$p, $ownerRef] == temp0 && $Heap[$p, $ownerFrame] == Bag ==> $Heap[$p, $inv] == $typeof($p) && $Heap[$p, $localinv] == $typeof($p));
- $Heap[temp0, $localinv] := $typeof(temp0);
- assume IsHeap($Heap);
- goto block4726;
-
- block4641:
- // ----- is instance
- // ----- branch
- goto true4641to4624, false4641to4692;
-
- true4641to4624:
- assume $As(local2, Microsoft.Contracts.ICheckedException) != null;
- goto block4624;
-
- false4641to4692:
- assume $As(local2, Microsoft.Contracts.ICheckedException) == null;
- goto block4692;
-
- block4692:
- // ----- branch
- goto block4726;
-
- block4726:
- // ----- nop
- // ----- branch
- goto block4590;
-
- block4590:
- // ----- return
- return;
-}
-
-
-
-axiom System.Type <: System.Type;
-
-axiom System.Reflection.MemberInfo <: System.Reflection.MemberInfo;
-
-axiom $BaseClass(System.Reflection.MemberInfo) == System.Object && AsDirectSubClass(System.Reflection.MemberInfo, $BaseClass(System.Reflection.MemberInfo)) == System.Reflection.MemberInfo;
-
-axiom $IsImmutable(System.Reflection.MemberInfo) && $AsImmutable(System.Reflection.MemberInfo) == System.Reflection.MemberInfo;
-
-axiom System.Reflection.ICustomAttributeProvider <: System.Reflection.ICustomAttributeProvider;
-
-axiom System.Reflection.ICustomAttributeProvider <: System.Object;
-
-axiom $IsMemberlessType(System.Reflection.ICustomAttributeProvider);
-
-axiom $AsInterface(System.Reflection.ICustomAttributeProvider) == System.Reflection.ICustomAttributeProvider;
-
-axiom System.Reflection.MemberInfo <: System.Reflection.ICustomAttributeProvider;
-
-axiom System.Runtime.InteropServices._MemberInfo <: System.Runtime.InteropServices._MemberInfo;
-
-axiom System.Runtime.InteropServices._MemberInfo <: System.Object;
-
-axiom $IsMemberlessType(System.Runtime.InteropServices._MemberInfo);
-
-axiom $AsInterface(System.Runtime.InteropServices._MemberInfo) == System.Runtime.InteropServices._MemberInfo;
-
-axiom System.Reflection.MemberInfo <: System.Runtime.InteropServices._MemberInfo;
-
-axiom $IsMemberlessType(System.Reflection.MemberInfo);
-
-// System.Reflection.MemberInfo object invariant
-axiom (forall $oi: ref, $h: Heap :: { $h[$oi, $inv] <: System.Reflection.MemberInfo } IsHeap($h) && $h[$oi, $inv] <: System.Reflection.MemberInfo && $h[$oi, $localinv] != $BaseClass(System.Reflection.MemberInfo) ==> true);
-
-axiom $BaseClass(System.Type) == System.Reflection.MemberInfo && AsDirectSubClass(System.Type, $BaseClass(System.Type)) == System.Type;
-
-axiom $IsImmutable(System.Type) && $AsImmutable(System.Type) == System.Type;
-
-axiom System.Runtime.InteropServices._Type <: System.Runtime.InteropServices._Type;
-
-axiom System.Runtime.InteropServices._Type <: System.Object;
-
-axiom $IsMemberlessType(System.Runtime.InteropServices._Type);
-
-axiom $AsInterface(System.Runtime.InteropServices._Type) == System.Runtime.InteropServices._Type;
-
-axiom System.Type <: System.Runtime.InteropServices._Type;
-
-axiom System.Reflection.IReflect <: System.Reflection.IReflect;
-
-axiom System.Reflection.IReflect <: System.Object;
-
-axiom $IsMemberlessType(System.Reflection.IReflect);
-
-axiom $AsInterface(System.Reflection.IReflect) == System.Reflection.IReflect;
-
-axiom System.Type <: System.Reflection.IReflect;
-
-axiom $IsMemberlessType(System.Type);
-
-// System.Type object invariant
-axiom (forall $oi: ref, $h: Heap :: { $h[$oi, $inv] <: System.Type } IsHeap($h) && $h[$oi, $inv] <: System.Type && $h[$oi, $localinv] != $BaseClass(System.Type) ==> true);
-
-procedure System.Array.Copy$System.Array$notnull$System.Int32$System.Array$notnull$System.Int32$System.Int32(sourceArray$in: ref where $IsNotNull(sourceArray$in, System.Array) && $Heap[sourceArray$in, $allocated], sourceIndex$in: int where InRange(sourceIndex$in, System.Int32), destinationArray$in: ref where $IsNotNull(destinationArray$in, System.Array) && $Heap[destinationArray$in, $allocated], destinationIndex$in: int where InRange(destinationIndex$in, System.Int32), length$in: int where InRange(length$in, System.Int32));
- // user-declared preconditions
- requires sourceArray$in != null;
- requires destinationArray$in != null;
- requires $Rank(sourceArray$in) == $Rank(destinationArray$in);
- requires sourceIndex$in >= $LBound(sourceArray$in, 0);
- requires destinationIndex$in >= $LBound(destinationArray$in, 0);
- requires length$in >= 0;
- requires sourceIndex$in + length$in <= $LBound(sourceArray$in, 0) + $Length(sourceArray$in);
- requires destinationIndex$in + length$in <= $LBound(destinationArray$in, 0) + $Length(destinationArray$in);
- // sourceArray is peer consistent
- requires (forall $pc: ref :: { $typeof($pc) } { $Heap[$pc, $localinv] } { $Heap[$pc, $inv] } { $Heap[$pc, $ownerFrame] } { $Heap[$pc, $ownerRef] } $pc != null && $Heap[$pc, $allocated] && $Heap[$pc, $ownerRef] == $Heap[sourceArray$in, $ownerRef] && $Heap[$pc, $ownerFrame] == $Heap[sourceArray$in, $ownerFrame] ==> $Heap[$pc, $inv] == $typeof($pc) && $Heap[$pc, $localinv] == $typeof($pc));
- // sourceArray is peer consistent (owner must not be valid)
- requires $Heap[sourceArray$in, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[sourceArray$in, $ownerRef], $inv] <: $Heap[sourceArray$in, $ownerFrame]) || $Heap[$Heap[sourceArray$in, $ownerRef], $localinv] == $BaseClass($Heap[sourceArray$in, $ownerFrame]);
- // destinationArray is peer consistent
- requires (forall $pc: ref :: { $typeof($pc) } { $Heap[$pc, $localinv] } { $Heap[$pc, $inv] } { $Heap[$pc, $ownerFrame] } { $Heap[$pc, $ownerRef] } $pc != null && $Heap[$pc, $allocated] && $Heap[$pc, $ownerRef] == $Heap[destinationArray$in, $ownerRef] && $Heap[$pc, $ownerFrame] == $Heap[destinationArray$in, $ownerFrame] ==> $Heap[$pc, $inv] == $typeof($pc) && $Heap[$pc, $localinv] == $typeof($pc));
- // destinationArray is peer consistent (owner must not be valid)
- requires $Heap[destinationArray$in, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[destinationArray$in, $ownerRef], $inv] <: $Heap[destinationArray$in, $ownerFrame]) || $Heap[$Heap[destinationArray$in, $ownerRef], $localinv] == $BaseClass($Heap[destinationArray$in, $ownerFrame]);
- free requires $BeingConstructed == null;
- free requires $PurityAxiomsCanBeAssumed;
- modifies $Heap, $ActivityIndicator;
- // hard-coded postcondition
- ensures (forall $k: int :: { ValueArrayGet($Heap[destinationArray$in, $elements], $k) } (destinationIndex$in <= $k && $k < destinationIndex$in + length$in ==> old(ValueArrayGet($Heap[sourceArray$in, $elements], $k + sourceIndex$in - destinationIndex$in)) == ValueArrayGet($Heap[destinationArray$in, $elements], $k)) && (!(destinationIndex$in <= $k && $k < destinationIndex$in + length$in) ==> old(ValueArrayGet($Heap[destinationArray$in, $elements], $k)) == ValueArrayGet($Heap[destinationArray$in, $elements], $k)));
- ensures (forall $k: int :: { IntArrayGet($Heap[destinationArray$in, $elements], $k) } (destinationIndex$in <= $k && $k < destinationIndex$in + length$in ==> old(IntArrayGet($Heap[sourceArray$in, $elements], $k + sourceIndex$in - destinationIndex$in)) == IntArrayGet($Heap[destinationArray$in, $elements], $k)) && (!(destinationIndex$in <= $k && $k < destinationIndex$in + length$in) ==> old(IntArrayGet($Heap[destinationArray$in, $elements], $k)) == IntArrayGet($Heap[destinationArray$in, $elements], $k)));
- ensures (forall $k: int :: { RefArrayGet($Heap[destinationArray$in, $elements], $k) } (destinationIndex$in <= $k && $k < destinationIndex$in + length$in ==> old(RefArrayGet($Heap[sourceArray$in, $elements], $k + sourceIndex$in - destinationIndex$in)) == RefArrayGet($Heap[destinationArray$in, $elements], $k)) && (!(destinationIndex$in <= $k && $k < destinationIndex$in + length$in) ==> old(RefArrayGet($Heap[destinationArray$in, $elements], $k)) == RefArrayGet($Heap[destinationArray$in, $elements], $k)));
- // newly allocated objects are fully valid
- free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } $o != null && !old($Heap)[$o, $allocated] && $Heap[$o, $allocated] ==> $Heap[$o, $inv] == $typeof($o) && $Heap[$o, $localinv] == $typeof($o));
- // first consistent owner unchanged if its exposeVersion is
- free ensures (forall $o: ref :: { $Heap[$o, $FirstConsistentOwner] } old($Heap)[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] == $Heap[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] ==> old($Heap)[$o, $FirstConsistentOwner] == $Heap[$o, $FirstConsistentOwner]);
- // frame condition
- ensures (forall<a> $o: ref, $f: Field a :: { $Heap[$o, $f] } IncludeInMainFrameCondition($f) && $o != null && old($Heap)[$o, $allocated] && (old($Heap)[$o, $ownerFrame] == $PeerGroupPlaceholder || !(old($Heap)[old($Heap)[$o, $ownerRef], $inv] <: old($Heap)[$o, $ownerFrame]) || old($Heap)[old($Heap)[$o, $ownerRef], $localinv] == $BaseClass(old($Heap)[$o, $ownerFrame])) && old($o != destinationArray$in || !($typeof(destinationArray$in) <: DeclType222($f)) || !$IncludedInModifiesStar($f)) && old($o != destinationArray$in || $f != $exposeVersion) ==> old($Heap)[$o, $f] == $Heap[$o, $f]);
- free ensures $HeapSucc(old($Heap), $Heap);
- // inv/localinv change only in blocks
- free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } old($Heap)[$o, $allocated] ==> old($Heap)[$o, $inv] == $Heap[$o, $inv] && old($Heap)[$o, $localinv] == $Heap[$o, $localinv]);
- free ensures (forall $o: ref :: { $Heap[$o, $allocated] } old($Heap)[$o, $allocated] ==> $Heap[$o, $allocated]) && (forall $ot: ref :: { $Heap[$ot, $ownerFrame] } { $Heap[$ot, $ownerRef] } old($Heap)[$ot, $allocated] && old($Heap)[$ot, $ownerFrame] != $PeerGroupPlaceholder ==> $Heap[$ot, $ownerRef] == old($Heap)[$ot, $ownerRef] && $Heap[$ot, $ownerFrame] == old($Heap)[$ot, $ownerFrame]) && old($Heap)[$BeingConstructed, $NonNullFieldsAreInitialized] == $Heap[$BeingConstructed, $NonNullFieldsAreInitialized];
- free ensures (forall $o: ref :: { $Heap[$o, $sharingMode] } old($Heap[$o, $sharingMode]) == $Heap[$o, $sharingMode]);
-
-
-
-axiom Microsoft.Contracts.ICheckedException <: Microsoft.Contracts.ICheckedException;
-
-axiom Microsoft.Contracts.ICheckedException <: System.Object;
-
-axiom $IsMemberlessType(Microsoft.Contracts.ICheckedException);
-
-axiom $AsInterface(Microsoft.Contracts.ICheckedException) == Microsoft.Contracts.ICheckedException;
-
-procedure Bag.AddAgain$System.Int32(this: ref where $IsNotNull(this, Bag) && $Heap[this, $allocated], x$in: int where InRange(x$in, System.Int32));
- // target object is peer consistent
- requires (forall $pc: ref :: { $typeof($pc) } { $Heap[$pc, $localinv] } { $Heap[$pc, $inv] } { $Heap[$pc, $ownerFrame] } { $Heap[$pc, $ownerRef] } $pc != null && $Heap[$pc, $allocated] && $Heap[$pc, $ownerRef] == $Heap[this, $ownerRef] && $Heap[$pc, $ownerFrame] == $Heap[this, $ownerFrame] ==> $Heap[$pc, $inv] == $typeof($pc) && $Heap[$pc, $localinv] == $typeof($pc));
- // target object is peer consistent (owner must not be valid)
- requires $Heap[this, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[this, $ownerRef], $inv] <: $Heap[this, $ownerFrame]) || $Heap[$Heap[this, $ownerRef], $localinv] == $BaseClass($Heap[this, $ownerFrame]);
- free requires $BeingConstructed == null;
- free requires $PurityAxiomsCanBeAssumed;
- modifies $Heap, $ActivityIndicator;
- // newly allocated objects are fully valid
- free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } $o != null && !old($Heap)[$o, $allocated] && $Heap[$o, $allocated] ==> $Heap[$o, $inv] == $typeof($o) && $Heap[$o, $localinv] == $typeof($o));
- // first consistent owner unchanged if its exposeVersion is
- free ensures (forall $o: ref :: { $Heap[$o, $FirstConsistentOwner] } old($Heap)[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] == $Heap[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] ==> old($Heap)[$o, $FirstConsistentOwner] == $Heap[$o, $FirstConsistentOwner]);
- // frame condition
- ensures (forall<a> $o: ref, $f: Field a :: { $Heap[$o, $f] } IncludeInMainFrameCondition($f) && $o != null && old($Heap)[$o, $allocated] && (old($Heap)[$o, $ownerFrame] == $PeerGroupPlaceholder || !(old($Heap)[old($Heap)[$o, $ownerRef], $inv] <: old($Heap)[$o, $ownerFrame]) || old($Heap)[old($Heap)[$o, $ownerRef], $localinv] == $BaseClass(old($Heap)[$o, $ownerFrame])) && old($o != this || !($typeof(this) <: DeclType222($f)) || !$IncludedInModifiesStar($f)) && old($o != this || $f != $exposeVersion) ==> old($Heap)[$o, $f] == $Heap[$o, $f]);
- free ensures $HeapSucc(old($Heap), $Heap);
- // inv/localinv change only in blocks
- free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } old($Heap)[$o, $allocated] ==> old($Heap)[$o, $inv] == $Heap[$o, $inv] && old($Heap)[$o, $localinv] == $Heap[$o, $localinv]);
- free ensures (forall $o: ref :: { $Heap[$o, $allocated] } old($Heap)[$o, $allocated] ==> $Heap[$o, $allocated]) && (forall $ot: ref :: { $Heap[$ot, $ownerFrame] } { $Heap[$ot, $ownerRef] } old($Heap)[$ot, $allocated] && old($Heap)[$ot, $ownerFrame] != $PeerGroupPlaceholder ==> $Heap[$ot, $ownerRef] == old($Heap)[$ot, $ownerRef] && $Heap[$ot, $ownerFrame] == old($Heap)[$ot, $ownerFrame]) && old($Heap)[$BeingConstructed, $NonNullFieldsAreInitialized] == $Heap[$BeingConstructed, $NonNullFieldsAreInitialized];
- free ensures (forall $o: ref :: { $Heap[$o, $sharingMode] } old($Heap[$o, $sharingMode]) == $Heap[$o, $sharingMode]);
-
-
-
-implementation Bag.AddAgain$System.Int32(this: ref, x$in: int)
-{
- var x: int where InRange(x, System.Int32), temp0: ref, stack1s: struct, stack1o: ref, temp1: exposeVersionType, local2: ref where $Is(local2, System.Exception) && $Heap[local2, $allocated], stack0i: int, stack1i: int, stack0b: bool, stack0o: ref, local4: int where InRange(local4, System.Int32), temp2: exposeVersionType, b: ref where $Is(b, IntArray(System.Int32, 1)) && $Heap[b, $allocated], temp3: ref, stack2i: int, temp4: exposeVersionType, stack0s: struct;
-
- entry:
- x := x$in;
- goto block6188;
-
- block6188:
- goto block6341;
-
- block6341:
- // ----- nop
- // ----- FrameGuard processing ----- AddMethod.ssc(38,13)
- temp0 := this;
- // ----- load token ----- AddMethod.ssc(38,13)
- havoc stack1s;
- assume $IsTokenForType(stack1s, Bag);
- // ----- statically resolved GetTypeFromHandle call ----- AddMethod.ssc(38,13)
- stack1o := TypeObject(Bag);
- // ----- local unpack ----- AddMethod.ssc(38,13)
- assert temp0 != null;
- assert ($Heap[temp0, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[temp0, $ownerRef], $inv] <: $Heap[temp0, $ownerFrame]) || $Heap[$Heap[temp0, $ownerRef], $localinv] == $BaseClass($Heap[temp0, $ownerFrame])) && $Heap[temp0, $inv] <: Bag && $Heap[temp0, $localinv] == $typeof(temp0);
- $Heap[temp0, $localinv] := System.Object;
- havoc temp1;
- $Heap[temp0, $exposeVersion] := temp1;
- assume IsHeap($Heap);
- local2 := null;
- goto block6358;
-
- block6358:
- // ----- load field ----- AddMethod.ssc(40,7)
- assert this != null;
- stack0i := $Heap[this, Bag.n];
- // ----- load field ----- AddMethod.ssc(40,7)
- assert this != null;
- stack1o := $Heap[this, Bag.a];
- // ----- unary operator ----- AddMethod.ssc(40,7)
- assert stack1o != null;
- stack1i := $Length(stack1o);
- // ----- unary operator ----- AddMethod.ssc(40,7)
- stack1i := $IntToInt(stack1i, System.UIntPtr, System.Int32);
- // ----- binary operator ----- AddMethod.ssc(40,7)
- // ----- branch ----- AddMethod.ssc(40,7)
- goto true6358to6392, false6358to6375;
-
- true6358to6392:
- assume stack0i != stack1i;
- goto block6392;
-
- false6358to6375:
- assume stack0i == stack1i;
- goto block6375;
-
- block6392:
- // ----- load field ----- AddMethod.ssc(46,7)
- assert this != null;
- stack0o := $Heap[this, Bag.a];
- // ----- load field ----- AddMethod.ssc(46,7)
- assert this != null;
- stack1i := $Heap[this, Bag.n];
- // ----- store element ----- AddMethod.ssc(46,7)
- assert stack0o != null;
- assert 0 <= stack1i;
- assert stack1i < $Length(stack0o);
- assert $Heap[stack0o, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[stack0o, $ownerRef], $inv] <: $Heap[stack0o, $ownerFrame]) || $Heap[$Heap[stack0o, $ownerRef], $localinv] == $BaseClass($Heap[stack0o, $ownerFrame]);
- $Heap[stack0o, $elements] := IntArraySet($Heap[stack0o, $elements], stack1i, x);
- assume IsHeap($Heap);
- // ----- load field ----- AddMethod.ssc(47,7)
- assert this != null;
- local4 := $Heap[this, Bag.n];
- // ----- load constant 1 ----- AddMethod.ssc(47,7)
- stack0i := 1;
- // ----- binary operator ----- AddMethod.ssc(47,7)
- stack0i := local4 + stack0i;
- // ----- store field ----- AddMethod.ssc(47,7)
- assert this != null;
- assert $Heap[this, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[this, $ownerRef], $inv] <: $Heap[this, $ownerFrame]) || $Heap[$Heap[this, $ownerRef], $localinv] == $BaseClass($Heap[this, $ownerFrame]);
- havoc temp2;
- $Heap[this, $exposeVersion] := temp2;
- $Heap[this, Bag.n] := stack0i;
- assert !($Heap[this, $inv] <: Bag && $Heap[this, $localinv] != $BaseClass(Bag)) || 0 <= $Heap[this, Bag.n];
- assert !($Heap[this, $inv] <: Bag && $Heap[this, $localinv] != $BaseClass(Bag)) || $Heap[this, Bag.n] <= $Length($Heap[this, Bag.a]);
- assume IsHeap($Heap);
- // ----- copy
- stack0i := local4;
- // ----- branch
- goto block6562;
-
- block6375:
- // ----- load constant 2 ----- AddMethod.ssc(42,15)
- stack0i := 2;
- // ----- load field ----- AddMethod.ssc(42,15)
- assert this != null;
- stack1o := $Heap[this, Bag.a];
- // ----- unary operator ----- AddMethod.ssc(42,15)
- assert stack1o != null;
- stack1i := $Length(stack1o);
- // ----- unary operator ----- AddMethod.ssc(42,15)
- stack1i := $IntToInt(stack1i, System.UIntPtr, System.Int32);
- // ----- binary operator ----- AddMethod.ssc(42,15)
- stack0i := stack0i * stack1i;
- // ----- load constant 1 ----- AddMethod.ssc(42,15)
- stack1i := 1;
- // ----- binary operator ----- AddMethod.ssc(42,15)
- stack0i := stack0i + stack1i;
- // ----- new array ----- AddMethod.ssc(42,15)
- assert 0 <= stack0i;
- havoc temp3;
- assume $Heap[temp3, $allocated] == false && $Length(temp3) == stack0i;
- assume $Heap[$ElementProxy(temp3, -1), $allocated] == false && $ElementProxy(temp3, -1) != temp3 && $ElementProxy(temp3, -1) != null;
- assume temp3 != null;
- assume $typeof(temp3) == IntArray(System.Int32, 1);
- assume $Heap[temp3, $ownerRef] == temp3 && $Heap[temp3, $ownerFrame] == $PeerGroupPlaceholder;
- assume $Heap[$ElementProxy(temp3, -1), $ownerRef] == $ElementProxy(temp3, -1) && $Heap[$ElementProxy(temp3, -1), $ownerFrame] == $PeerGroupPlaceholder;
- assume $Heap[temp3, $inv] == $typeof(temp3) && $Heap[temp3, $localinv] == $typeof(temp3);
- assume (forall $i: int :: IntArrayGet($Heap[temp3, $elements], $i) == 0);
- $Heap[temp3, $allocated] := true;
- call System.Object..ctor($ElementProxy(temp3, -1));
- b := temp3;
- assume IsHeap($Heap);
- // ----- load field ----- AddMethod.ssc(43,9)
- assert this != null;
- stack0o := $Heap[this, Bag.a];
- // ----- copy ----- AddMethod.ssc(43,9)
- stack1o := b;
- // ----- load constant 0 ----- AddMethod.ssc(43,9)
- stack2i := 0;
- // ----- call ----- AddMethod.ssc(43,9)
- assert stack0o != null;
- call System.Array.CopyTo$System.Array$notnull$System.Int32$.Virtual.$(stack0o, stack1o, stack2i);
- // ----- store field ----- AddMethod.ssc(44,9)
- assert this != null;
- assert $Heap[this, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[this, $ownerRef], $inv] <: $Heap[this, $ownerFrame]) || $Heap[$Heap[this, $ownerRef], $localinv] == $BaseClass($Heap[this, $ownerFrame]);
- assert ($Heap[b, $ownerRef] == this && $Heap[b, $ownerFrame] == Bag) || $Heap[b, $ownerFrame] == $PeerGroupPlaceholder;
- assert $Heap[b, $ownerFrame] == $PeerGroupPlaceholder && $Heap[this, $inv] <: Bag && $Heap[this, $localinv] != $BaseClass(Bag) ==> (forall $pc: ref :: { $typeof($pc) } { $Heap[$pc, $localinv] } { $Heap[$pc, $inv] } { $Heap[$pc, $ownerFrame] } { $Heap[$pc, $ownerRef] } $pc != null && $Heap[$pc, $allocated] && $Heap[$pc, $ownerRef] == $Heap[b, $ownerRef] && $Heap[$pc, $ownerFrame] == $Heap[b, $ownerFrame] ==> $Heap[$pc, $inv] == $typeof($pc) && $Heap[$pc, $localinv] == $typeof($pc));
- assert $Heap[b, $ownerFrame] == $PeerGroupPlaceholder && $Heap[this, $inv] <: Bag && $Heap[this, $localinv] != $BaseClass(Bag) ==> $Heap[this, $ownerRef] != $Heap[b, $ownerRef] || $Heap[this, $ownerFrame] != $Heap[b, $ownerFrame];
- call $UpdateOwnersForRep(this, Bag, b);
- havoc temp4;
- $Heap[this, $exposeVersion] := temp4;
- $Heap[this, Bag.a] := b;
- assert !($Heap[this, $inv] <: Bag && $Heap[this, $localinv] != $BaseClass(Bag)) || 0 <= $Heap[this, Bag.n];
- assert !($Heap[this, $inv] <: Bag && $Heap[this, $localinv] != $BaseClass(Bag)) || $Heap[this, Bag.n] <= $Length($Heap[this, Bag.a]);
- assume IsHeap($Heap);
- goto block6392;
-
- block6562:
- stack0o := null;
- // ----- binary operator
- // ----- branch
- goto true6562to6477, false6562to6579;
-
- true6562to6477:
- assume local2 == stack0o;
- goto block6477;
-
- false6562to6579:
- assume local2 != stack0o;
- goto block6579;
-
- block6477:
- // ----- load token ----- AddMethod.ssc(48,5)
- havoc stack0s;
- assume $IsTokenForType(stack0s, Bag);
- // ----- statically resolved GetTypeFromHandle call ----- AddMethod.ssc(48,5)
- stack0o := TypeObject(Bag);
- // ----- local pack ----- AddMethod.ssc(48,5)
- assert temp0 != null;
- assert $Heap[temp0, $localinv] == System.Object;
- assert 0 <= $Heap[temp0, Bag.n];
- assert $Heap[temp0, Bag.n] <= $Length($Heap[temp0, Bag.a]);
- assert (forall $p: ref :: $p != null && $Heap[$p, $allocated] && $Heap[$p, $ownerRef] == temp0 && $Heap[$p, $ownerFrame] == Bag ==> $Heap[$p, $inv] == $typeof($p) && $Heap[$p, $localinv] == $typeof($p));
- $Heap[temp0, $localinv] := $typeof(temp0);
- assume IsHeap($Heap);
- goto block6545;
-
- block6579:
- // ----- is instance
- // ----- branch
- goto true6579to6477, false6579to6528;
-
- true6579to6477:
- assume $As(local2, Microsoft.Contracts.ICheckedException) != null;
- goto block6477;
-
- false6579to6528:
- assume $As(local2, Microsoft.Contracts.ICheckedException) == null;
- goto block6528;
-
- block6528:
- // ----- branch
- goto block6545;
-
- block6545:
- // ----- nop
- // ----- branch
- goto block6443;
-
- block6443:
- // ----- return
- return;
-}
-
-
-
-procedure Bag..cctor();
- free requires $BeingConstructed == null;
- free requires $PurityAxiomsCanBeAssumed;
- modifies $Heap, $ActivityIndicator;
- // newly allocated objects are fully valid
- free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } $o != null && !old($Heap)[$o, $allocated] && $Heap[$o, $allocated] ==> $Heap[$o, $inv] == $typeof($o) && $Heap[$o, $localinv] == $typeof($o));
- // first consistent owner unchanged if its exposeVersion is
- free ensures (forall $o: ref :: { $Heap[$o, $FirstConsistentOwner] } old($Heap)[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] == $Heap[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] ==> old($Heap)[$o, $FirstConsistentOwner] == $Heap[$o, $FirstConsistentOwner]);
- // frame condition
- ensures (forall<a> $o: ref, $f: Field a :: { $Heap[$o, $f] } IncludeInMainFrameCondition($f) && $o != null && old($Heap)[$o, $allocated] && (old($Heap)[$o, $ownerFrame] == $PeerGroupPlaceholder || !(old($Heap)[old($Heap)[$o, $ownerRef], $inv] <: old($Heap)[$o, $ownerFrame]) || old($Heap)[old($Heap)[$o, $ownerRef], $localinv] == $BaseClass(old($Heap)[$o, $ownerFrame])) && old(true) && old(true) ==> old($Heap)[$o, $f] == $Heap[$o, $f]);
- free ensures $HeapSucc(old($Heap), $Heap);
- // inv/localinv change only in blocks
- free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } old($Heap)[$o, $allocated] ==> old($Heap)[$o, $inv] == $Heap[$o, $inv] && old($Heap)[$o, $localinv] == $Heap[$o, $localinv]);
- free ensures (forall $o: ref :: { $Heap[$o, $allocated] } old($Heap)[$o, $allocated] ==> $Heap[$o, $allocated]) && (forall $ot: ref :: { $Heap[$ot, $ownerFrame] } { $Heap[$ot, $ownerRef] } old($Heap)[$ot, $allocated] && old($Heap)[$ot, $ownerFrame] != $PeerGroupPlaceholder ==> $Heap[$ot, $ownerRef] == old($Heap)[$ot, $ownerRef] && $Heap[$ot, $ownerFrame] == old($Heap)[$ot, $ownerFrame]) && old($Heap)[$BeingConstructed, $NonNullFieldsAreInitialized] == $Heap[$BeingConstructed, $NonNullFieldsAreInitialized];
- free ensures (forall $o: ref :: { $Heap[$o, $sharingMode] } old($Heap[$o, $sharingMode]) == $Heap[$o, $sharingMode]);
-
-
-
-implementation Bag..cctor()
-{
-
- entry:
- goto block7650;
-
- block7650:
- goto block7701;
-
- block7701:
- // ----- nop
- // ----- return
- return;
-}
-
-
+// RUN: %boogie -typeEncoding:n -logPrefix:0n "%s" > "%t" +// RUN: %diff "%s.n.expect" "%t" +// RUN: %boogie -typeEncoding:p -logPrefix:0p "%s" > "%t" +// RUN: %diff "%s.p.expect" "%t" +// RUN: %boogie -typeEncoding:a -logPrefix:0a "%s" > "%t" +// RUN: %diff "%s.a.expect" "%t" +// XFAIL: * +// Spec# program verifier version 0.90, Copyright (c) 2003-2008, Microsoft. +// Command Line Options: /print:debug.txt AddMethod.dll + +type real; + +type elements; + +type struct; + +type name; +type any; + +type exposeVersionType; + +type Field a; +type Heap = <x>[ref,Field x]x; + +var $Heap: Heap where IsHeap($Heap); + +type ActivityType; + +var $ActivityIndicator: ActivityType; + +function IsHeap(h: Heap) returns (bool); + +const unique $allocated: Field bool; + +const unique $elements: Field elements; + +function DeclType222<a>(Field a) returns (name); + +axiom DeclType222($elements) == System.Object; + +const unique $inv: Field name; + +const unique $localinv: Field name; + +const unique $exposeVersion: Field exposeVersionType; + +axiom DeclType222($exposeVersion) == System.Object; + +const unique $sharingMode: Field any; + +const unique $SharingMode_Unshared: any; + +const unique $SharingMode_LockProtected: any; + +const unique $ownerRef: Field ref; + +const unique $ownerFrame: Field name; + +const unique $PeerGroupPlaceholder: name; + +function ClassRepr(class: name) returns (ref); + +function ClassReprInv(ref) returns (name); + +axiom (forall c: name :: { ClassRepr(c) } ClassReprInv(ClassRepr(c)) == c); + +axiom (forall T: name :: !($typeof(ClassRepr(T)) <: System.Object)); + +axiom (forall T: name :: ClassRepr(T) != null); + +axiom (forall T: name, h: Heap :: { h[ClassRepr(T), $ownerFrame] } IsHeap(h) ==> h[ClassRepr(T), $ownerFrame] == $PeerGroupPlaceholder); + +function IncludeInMainFrameCondition<a>(f: Field a) returns (bool); + +axiom IncludeInMainFrameCondition($allocated); + +axiom IncludeInMainFrameCondition($elements); + +axiom !IncludeInMainFrameCondition($inv); + +axiom !IncludeInMainFrameCondition($localinv); + +axiom IncludeInMainFrameCondition($ownerRef); + +axiom IncludeInMainFrameCondition($ownerFrame); + +axiom IncludeInMainFrameCondition($exposeVersion); + +axiom !IncludeInMainFrameCondition($FirstConsistentOwner); + +function IsStaticField<a>(f: Field a) returns (bool); + +axiom !IsStaticField($allocated); + +axiom !IsStaticField($elements); + +axiom !IsStaticField($inv); + +axiom !IsStaticField($localinv); + +axiom !IsStaticField($exposeVersion); + +function $IncludedInModifiesStar<a>(f: Field a) returns (bool); + +axiom !$IncludedInModifiesStar($ownerRef); + +axiom !$IncludedInModifiesStar($ownerFrame); + +axiom $IncludedInModifiesStar($exposeVersion); + +axiom $IncludedInModifiesStar($elements); + +function ValueArrayGet(elements, int) returns (any); + +function ValueArraySet(elements, int, any) returns (elements); + +function IntArrayGet(elements, int) returns (int); + +function IntArraySet(elements, int, int) returns (elements); + +function RefArrayGet(elements, int) returns (ref); + +function RefArraySet(elements, int, ref) returns (elements); + +axiom (forall A: elements, i: int, x: any :: ValueArrayGet(ValueArraySet(A, i, x), i) == x); + +axiom (forall A: elements, i: int, j: int, x: any :: i != j ==> ValueArrayGet(ValueArraySet(A, i, x), j) == ValueArrayGet(A, j)); + +axiom (forall A: elements, i: int, x: int :: IntArrayGet(IntArraySet(A, i, x), i) == x); + +axiom (forall A: elements, i: int, j: int, x: int :: i != j ==> IntArrayGet(IntArraySet(A, i, x), j) == IntArrayGet(A, j)); + +axiom (forall A: elements, i: int, x: ref :: RefArrayGet(RefArraySet(A, i, x), i) == x); + +axiom (forall A: elements, i: int, j: int, x: ref :: i != j ==> RefArrayGet(RefArraySet(A, i, x), j) == RefArrayGet(A, j)); + +function ArrayIndex(arr: ref, dim: int, indexAtDim: int, remainingIndexContribution: int) returns (int); + +function ArrayIndexInvX(arrayIndex: int) returns (indexAtDim: int); + +function ArrayIndexInvY(arrayIndex: int) returns (remainingIndexContribution: int); + +axiom (forall a: ref, d: int, x: int, y: int :: { ArrayIndex(a, d, x, y) } ArrayIndexInvX(ArrayIndex(a, d, x, y)) == x); + +axiom (forall a: ref, d: int, x: int, y: int :: { ArrayIndex(a, d, x, y) } ArrayIndexInvY(ArrayIndex(a, d, x, y)) == y); + +axiom (forall a: ref, i: int, heap: Heap :: { IntArrayGet(heap[a, $elements], i) } IsHeap(heap) ==> InRange(IntArrayGet(heap[a, $elements], i), $ElementType($typeof(a)))); + +axiom (forall a: ref, i: int, heap: Heap :: { $typeof(RefArrayGet(heap[a, $elements], i)) } IsHeap(heap) && RefArrayGet(heap[a, $elements], i) != null ==> $typeof(RefArrayGet(heap[a, $elements], i)) <: $ElementType($typeof(a))); + +axiom (forall a: ref, T: name, i: int, r: int, heap: Heap :: { $typeof(a) <: NonNullRefArray(T, r), RefArrayGet(heap[a, $elements], i) } IsHeap(heap) && $typeof(a) <: NonNullRefArray(T, r) ==> RefArrayGet(heap[a, $elements], i) != null); + +function $Rank(ref) returns (int); + +axiom (forall a: ref :: 1 <= $Rank(a)); + +axiom (forall a: ref, T: name, r: int :: { $typeof(a) <: RefArray(T, r) } a != null && $typeof(a) <: RefArray(T, r) ==> $Rank(a) == r); + +axiom (forall a: ref, T: name, r: int :: { $typeof(a) <: NonNullRefArray(T, r) } a != null && $typeof(a) <: NonNullRefArray(T, r) ==> $Rank(a) == r); + +axiom (forall a: ref, T: name, r: int :: { $typeof(a) <: ValueArray(T, r) } a != null && $typeof(a) <: ValueArray(T, r) ==> $Rank(a) == r); + +axiom (forall a: ref, T: name, r: int :: { $typeof(a) <: IntArray(T, r) } a != null && $typeof(a) <: IntArray(T, r) ==> $Rank(a) == r); + +function $Length(ref) returns (int); + +axiom (forall a: ref :: { $Length(a) } 0 <= $Length(a) && $Length(a) <= int#2147483647); + +function $DimLength(ref, int) returns (int); + +axiom (forall a: ref, i: int :: 0 <= $DimLength(a, i)); + +axiom (forall a: ref :: { $DimLength(a, 0) } $Rank(a) == 1 ==> $DimLength(a, 0) == $Length(a)); + +function $LBound(ref, int) returns (int); + +function $UBound(ref, int) returns (int); + +axiom (forall a: ref, i: int :: { $LBound(a, i) } $LBound(a, i) == 0); + +axiom (forall a: ref, i: int :: { $UBound(a, i) } $UBound(a, i) == $DimLength(a, i) - 1); + +const unique $ArrayCategoryValue: name; + +const unique $ArrayCategoryInt: name; + +const unique $ArrayCategoryRef: name; + +const unique $ArrayCategoryNonNullRef: name; + +function $ArrayCategory(arrayType: name) returns (arrayCategory: name); + +axiom (forall T: name, ET: name, r: int :: { T <: ValueArray(ET, r) } T <: ValueArray(ET, r) ==> $ArrayCategory(T) == $ArrayCategoryValue); + +axiom (forall T: name, ET: name, r: int :: { T <: IntArray(ET, r) } T <: IntArray(ET, r) ==> $ArrayCategory(T) == $ArrayCategoryInt); + +axiom (forall T: name, ET: name, r: int :: { T <: RefArray(ET, r) } T <: RefArray(ET, r) ==> $ArrayCategory(T) == $ArrayCategoryRef); + +axiom (forall T: name, ET: name, r: int :: { T <: NonNullRefArray(ET, r) } T <: NonNullRefArray(ET, r) ==> $ArrayCategory(T) == $ArrayCategoryNonNullRef); + +const unique System.Array: name; + +axiom System.Array <: System.Object; + +function $ElementType(name) returns (name); + +function ValueArray(elementType: name, rank: int) returns (name); + +axiom (forall T: name, r: int :: { ValueArray(T, r) } ValueArray(T, r) <: ValueArray(T, r) && ValueArray(T, r) <: System.Array); + +function IntArray(elementType: name, rank: int) returns (name); + +axiom (forall T: name, r: int :: { IntArray(T, r) } IntArray(T, r) <: IntArray(T, r) && IntArray(T, r) <: System.Array); + +function RefArray(elementType: name, rank: int) returns (name); + +axiom (forall T: name, r: int :: { RefArray(T, r) } RefArray(T, r) <: RefArray(T, r) && RefArray(T, r) <: System.Array); + +function NonNullRefArray(elementType: name, rank: int) returns (name); + +axiom (forall T: name, r: int :: { NonNullRefArray(T, r) } NonNullRefArray(T, r) <: NonNullRefArray(T, r) && NonNullRefArray(T, r) <: System.Array); + +function NonNullRefArrayRaw(array: ref, elementType: name, rank: int) returns (bool); + +axiom (forall array: ref, elementType: name, rank: int :: { NonNullRefArrayRaw(array, elementType, rank) } NonNullRefArrayRaw(array, elementType, rank) ==> $typeof(array) <: System.Array && $Rank(array) == rank && elementType <: $ElementType($typeof(array))); + +axiom (forall T: name, U: name, r: int :: U <: T ==> RefArray(U, r) <: RefArray(T, r)); + +axiom (forall T: name, U: name, r: int :: U <: T ==> NonNullRefArray(U, r) <: NonNullRefArray(T, r)); + +axiom (forall A: name, r: int :: $ElementType(ValueArray(A, r)) == A); + +axiom (forall A: name, r: int :: $ElementType(IntArray(A, r)) == A); + +axiom (forall A: name, r: int :: $ElementType(RefArray(A, r)) == A); + +axiom (forall A: name, r: int :: $ElementType(NonNullRefArray(A, r)) == A); + +axiom (forall A: name, r: int, T: name :: { T <: RefArray(A, r) } T <: RefArray(A, r) ==> T != A && T == RefArray($ElementType(T), r) && $ElementType(T) <: A); + +axiom (forall A: name, r: int, T: name :: { T <: NonNullRefArray(A, r) } T <: NonNullRefArray(A, r) ==> T != A && T == NonNullRefArray($ElementType(T), r) && $ElementType(T) <: A); + +axiom (forall A: name, r: int, T: name :: { T <: ValueArray(A, r) } T <: ValueArray(A, r) ==> T == ValueArray(A, r)); + +axiom (forall A: name, r: int, T: name :: { T <: IntArray(A, r) } T <: IntArray(A, r) ==> T == IntArray(A, r)); + +axiom (forall A: name, r: int, T: name :: { RefArray(A, r) <: T } RefArray(A, r) <: T ==> System.Array <: T || (T == RefArray($ElementType(T), r) && A <: $ElementType(T))); + +axiom (forall A: name, r: int, T: name :: { NonNullRefArray(A, r) <: T } NonNullRefArray(A, r) <: T ==> System.Array <: T || (T == NonNullRefArray($ElementType(T), r) && A <: $ElementType(T))); + +axiom (forall A: name, r: int, T: name :: { ValueArray(A, r) <: T } ValueArray(A, r) <: T ==> System.Array <: T || T == ValueArray(A, r)); + +axiom (forall A: name, r: int, T: name :: { IntArray(A, r) <: T } IntArray(A, r) <: T ==> System.Array <: T || T == IntArray(A, r)); + +function $ArrayPtr(elementType: name) returns (name); + +function $ElementProxy(ref, int) returns (ref); + +function $ElementProxyStruct(struct, int) returns (ref); + +axiom (forall a: ref, i: int, heap: Heap :: { heap[RefArrayGet(heap[a, $elements], i), $ownerRef] } { heap[RefArrayGet(heap[a, $elements], i), $ownerFrame] } IsHeap(heap) && $typeof(a) <: System.Array ==> RefArrayGet(heap[a, $elements], i) == null || $IsImmutable($typeof(RefArrayGet(heap[a, $elements], i))) || (heap[RefArrayGet(heap[a, $elements], i), $ownerRef] == heap[$ElementProxy(a, 0 - 1), $ownerRef] && heap[RefArrayGet(heap[a, $elements], i), $ownerFrame] == heap[$ElementProxy(a, 0 - 1), $ownerFrame])); + +axiom (forall a: ref, heap: Heap :: { IsAllocated(heap, a) } IsHeap(heap) && IsAllocated(heap, a) && $typeof(a) <: System.Array ==> IsAllocated(heap, $ElementProxy(a, 0 - 1))); + +axiom (forall o: ref, pos: int :: { $typeof($ElementProxy(o, pos)) } $typeof($ElementProxy(o, pos)) == System.Object); + +axiom (forall o: struct, pos: int :: { $typeof($ElementProxyStruct(o, pos)) } $typeof($ElementProxyStruct(o, pos)) == System.Object); + +function $StructGet(struct, name) returns (any); + +function $StructSet(struct, name, any) returns (struct); + +axiom (forall s: struct, f: name, x: any :: $StructGet($StructSet(s, f, x), f) == x); + +axiom (forall s: struct, f: name, f': name, x: any :: f != f' ==> $StructGet($StructSet(s, f, x), f') == $StructGet(s, f')); + +function ZeroInit(s: struct, typ: name) returns (bool); + +function $typeof(ref) returns (name); + +function $BaseClass(sub: name) returns (base: name); + +axiom (forall T: name :: { $BaseClass(T) } T <: $BaseClass(T) && (T != System.Object ==> T != $BaseClass(T))); + +function AsDirectSubClass(sub: name, base: name) returns (sub': name); + +function OneClassDown(sub: name, base: name) returns (directSub: name); + +axiom (forall A: name, B: name, C: name :: { C <: AsDirectSubClass(B, A) } C <: AsDirectSubClass(B, A) ==> OneClassDown(C, A) == B); + +function $IsValueType(name) returns (bool); + +axiom (forall T: name :: $IsValueType(T) ==> (forall U: name :: T <: U ==> T == U) && (forall U: name :: U <: T ==> T == U)); + +const unique System.Boolean: name; + +axiom $IsValueType(System.Boolean); + +const unique System.Object: name; + +function $IsTokenForType(struct, name) returns (bool); + +function TypeObject(name) returns (ref); + +const unique System.Type: name; + +axiom System.Type <: System.Object; + +axiom (forall T: name :: { TypeObject(T) } $IsNotNull(TypeObject(T), System.Type)); + +function TypeName(ref) returns (name); + +axiom (forall T: name :: { TypeObject(T) } TypeName(TypeObject(T)) == T); + +function $Is(ref, name) returns (bool); + +axiom (forall o: ref, T: name :: { $Is(o, T) } $Is(o, T) <==> o == null || $typeof(o) <: T); + +function $IsNotNull(ref, name) returns (bool); + +axiom (forall o: ref, T: name :: { $IsNotNull(o, T) } $IsNotNull(o, T) <==> o != null && $Is(o, T)); + +function $As(ref, name) returns (ref); + +axiom (forall o: ref, T: name :: $Is(o, T) ==> $As(o, T) == o); + +axiom (forall o: ref, T: name :: !$Is(o, T) ==> $As(o, T) == null); + +axiom (forall h: Heap, o: ref :: { $typeof(o) <: System.Array, h[o, $inv] } IsHeap(h) && o != null && $typeof(o) <: System.Array ==> h[o, $inv] == $typeof(o) && h[o, $localinv] == $typeof(o)); + +function IsAllocated<a>(h: Heap, o: a) returns (bool); + +axiom (forall<a> h: Heap, o: ref, f: Field a :: { IsAllocated(h, h[o, f]) } IsHeap(h) && h[o, $allocated] ==> IsAllocated(h, h[o, f])); + +axiom (forall h: Heap, o: ref, f: Field ref :: { h[h[o, f], $allocated] } IsHeap(h) && h[o, $allocated] ==> h[h[o, f], $allocated]); + +axiom (forall h: Heap, s: struct, f: name :: { IsAllocated(h, $StructGet(s, f)) } IsAllocated(h, s) ==> IsAllocated(h, $StructGet(s, f))); + +axiom (forall h: Heap, e: elements, i: int :: { IsAllocated(h, RefArrayGet(e, i)) } IsAllocated(h, e) ==> IsAllocated(h, RefArrayGet(e, i))); + +axiom (forall h: Heap, e: elements, i: int :: { IsAllocated(h, ValueArrayGet(e, i)) } IsAllocated(h, e) ==> IsAllocated(h, ValueArrayGet(e, i))); + +axiom (forall h: Heap, o: ref :: { h[o, $allocated] } IsAllocated(h, o) ==> h[o, $allocated]); + +axiom (forall h: Heap, c: name :: { h[ClassRepr(c), $allocated] } IsHeap(h) ==> h[ClassRepr(c), $allocated]); + +const $BeingConstructed: ref; + +const unique $NonNullFieldsAreInitialized: Field bool; + +const $PurityAxiomsCanBeAssumed: bool; + +axiom DeclType222($NonNullFieldsAreInitialized) == System.Object; + + + +function AsNonNullRefField(field: Field ref, T: name) returns (f: Field ref); + +function AsRefField(field: Field ref, T: name) returns (f: Field ref); + +function AsRangeField(field: Field int, T: name) returns (f: Field int); + +axiom (forall f: Field ref, T: name :: { AsNonNullRefField(f, T) } AsNonNullRefField(f, T) == f ==> AsRefField(f, T) == f); + +axiom (forall h: Heap, o: ref, f: Field ref, T: name :: { h[o, AsRefField(f, T)] } IsHeap(h) ==> $Is(h[o, AsRefField(f, T)], T)); + +axiom (forall h: Heap, o: ref, f: Field ref, T: name :: { h[o, AsNonNullRefField(f, T)] } IsHeap(h) && o != null && (o != $BeingConstructed || h[$BeingConstructed, $NonNullFieldsAreInitialized] == true) ==> h[o, AsNonNullRefField(f, T)] != null); + +axiom (forall h: Heap, o: ref, f: Field int, T: name :: { h[o, AsRangeField(f, T)] } IsHeap(h) ==> InRange(h[o, AsRangeField(f, T)], T)); + +function $IsMemberlessType(name) returns (bool); + +axiom (forall o: ref :: { $IsMemberlessType($typeof(o)) } !$IsMemberlessType($typeof(o))); + +function $AsInterface(name) returns (name); + +axiom (forall $J: name, s: any, b: ref :: { UnboxedType(Box(s, b)) <: $AsInterface($J) } $AsInterface($J) == $J && Box(s, b) == b && UnboxedType(Box(s, b)) <: $AsInterface($J) ==> $typeof(b) <: $J); + +function $HeapSucc(oldHeap: Heap, newHeap: Heap) returns (bool); + +function $IsImmutable(T: name) returns (bool); + +axiom !$IsImmutable(System.Object); + +function $AsImmutable(T: name) returns (theType: name); + +function $AsMutable(T: name) returns (theType: name); + +axiom (forall T: name, U: name :: { U <: $AsImmutable(T) } U <: $AsImmutable(T) ==> $IsImmutable(U) && $AsImmutable(U) == U); + +axiom (forall T: name, U: name :: { U <: $AsMutable(T) } U <: $AsMutable(T) ==> !$IsImmutable(U) && $AsMutable(U) == U); + +function AsOwner(string: ref, owner: ref) returns (theString: ref); + +axiom (forall o: ref, T: name :: { $typeof(o) <: $AsImmutable(T) } o != null && o != $BeingConstructed && $typeof(o) <: $AsImmutable(T) ==> (forall h: Heap :: { IsHeap(h) } IsHeap(h) ==> h[o, $inv] == $typeof(o) && h[o, $localinv] == $typeof(o) && h[o, $ownerFrame] == $PeerGroupPlaceholder && AsOwner(o, h[o, $ownerRef]) == o && (forall t: ref :: { AsOwner(o, h[t, $ownerRef]) } AsOwner(o, h[t, $ownerRef]) == o ==> t == o || h[t, $ownerFrame] != $PeerGroupPlaceholder))); + +const unique System.String: name; + +function $StringLength(ref) returns (int); + +axiom (forall s: ref :: { $StringLength(s) } 0 <= $StringLength(s)); + +function AsRepField(f: Field ref, declaringType: name) returns (theField: Field ref); + +axiom (forall h: Heap, o: ref, f: Field ref, T: name :: { h[o, AsRepField(f, T)] } IsHeap(h) && h[o, AsRepField(f, T)] != null ==> h[h[o, AsRepField(f, T)], $ownerRef] == o && h[h[o, AsRepField(f, T)], $ownerFrame] == T); + +function AsPeerField(f: Field ref) returns (theField: Field ref); + +axiom (forall h: Heap, o: ref, f: Field ref :: { h[o, AsPeerField(f)] } IsHeap(h) && h[o, AsPeerField(f)] != null ==> h[h[o, AsPeerField(f)], $ownerRef] == h[o, $ownerRef] && h[h[o, AsPeerField(f)], $ownerFrame] == h[o, $ownerFrame]); + +function AsElementsRepField(f: Field ref, declaringType: name, position: int) returns (theField: Field ref); + +axiom (forall h: Heap, o: ref, f: Field ref, T: name, i: int :: { h[o, AsElementsRepField(f, T, i)] } IsHeap(h) && h[o, AsElementsRepField(f, T, i)] != null ==> h[$ElementProxy(h[o, AsElementsRepField(f, T, i)], i), $ownerRef] == o && h[$ElementProxy(h[o, AsElementsRepField(f, T, i)], i), $ownerFrame] == T); + +function AsElementsPeerField(f: Field ref, position: int) returns (theField: Field ref); + +axiom (forall h: Heap, o: ref, f: Field ref, i: int :: { h[o, AsElementsPeerField(f, i)] } IsHeap(h) && h[o, AsElementsPeerField(f, i)] != null ==> h[$ElementProxy(h[o, AsElementsPeerField(f, i)], i), $ownerRef] == h[o, $ownerRef] && h[$ElementProxy(h[o, AsElementsPeerField(f, i)], i), $ownerFrame] == h[o, $ownerFrame]); + +axiom (forall h: Heap, o: ref :: { h[h[o, $ownerRef], $inv] <: h[o, $ownerFrame] } IsHeap(h) && h[o, $ownerFrame] != $PeerGroupPlaceholder && h[h[o, $ownerRef], $inv] <: h[o, $ownerFrame] && h[h[o, $ownerRef], $localinv] != $BaseClass(h[o, $ownerFrame]) ==> h[o, $inv] == $typeof(o) && h[o, $localinv] == $typeof(o)); + +procedure $SetOwner(o: ref, ow: ref, fr: name); + modifies $Heap; + ensures (forall<a> p: ref, F: Field a :: { $Heap[p, F] } (F != $ownerRef && F != $ownerFrame) || old($Heap[p, $ownerRef] != $Heap[o, $ownerRef]) || old($Heap[p, $ownerFrame] != $Heap[o, $ownerFrame]) ==> old($Heap[p, F]) == $Heap[p, F]); + ensures (forall p: ref :: { $Heap[p, $ownerRef] } { $Heap[p, $ownerFrame] } old($Heap[p, $ownerRef] == $Heap[o, $ownerRef]) && old($Heap[p, $ownerFrame] == $Heap[o, $ownerFrame]) ==> $Heap[p, $ownerRef] == ow && $Heap[p, $ownerFrame] == fr); + free ensures $HeapSucc(old($Heap), $Heap); + + + +procedure $UpdateOwnersForRep(o: ref, T: name, e: ref); + modifies $Heap; + ensures (forall<a> p: ref, F: Field a :: { $Heap[p, F] } (F != $ownerRef && F != $ownerFrame) || old($Heap[p, $ownerRef] != $Heap[e, $ownerRef]) || old($Heap[p, $ownerFrame] != $Heap[e, $ownerFrame]) ==> old($Heap[p, F]) == $Heap[p, F]); + ensures e == null ==> $Heap == old($Heap); + ensures e != null ==> (forall p: ref :: { $Heap[p, $ownerRef] } { $Heap[p, $ownerFrame] } old($Heap[p, $ownerRef] == $Heap[e, $ownerRef]) && old($Heap[p, $ownerFrame] == $Heap[e, $ownerFrame]) ==> $Heap[p, $ownerRef] == o && $Heap[p, $ownerFrame] == T); + free ensures $HeapSucc(old($Heap), $Heap); + + + +procedure $UpdateOwnersForPeer(c: ref, d: ref); + modifies $Heap; + ensures (forall<a> p: ref, F: Field a :: { $Heap[p, F] } (F != $ownerRef && F != $ownerFrame) || old($Heap[p, $ownerRef] != $Heap[d, $ownerRef] || $Heap[p, $ownerFrame] != $Heap[d, $ownerFrame]) ==> old($Heap[p, F]) == $Heap[p, F]); + ensures d == null ==> $Heap == old($Heap); + ensures d != null ==> (forall p: ref :: { $Heap[p, $ownerRef] } { $Heap[p, $ownerFrame] } old($Heap[p, $ownerRef] == $Heap[d, $ownerRef] && $Heap[p, $ownerFrame] == $Heap[d, $ownerFrame]) ==> $Heap[p, $ownerRef] == old($Heap)[c, $ownerRef] && $Heap[p, $ownerFrame] == old($Heap)[c, $ownerFrame]); + free ensures $HeapSucc(old($Heap), $Heap); + + + +const unique $FirstConsistentOwner: Field ref; + +function $AsPureObject(ref) returns (ref); + +function ##FieldDependsOnFCO<a>(o: ref, f: Field a, ev: exposeVersionType) returns (value: any); + +axiom (forall<a> o: ref, f: Field a, h: Heap :: { h[$AsPureObject(o), f] } IsHeap(h) && o != null && h[o, $allocated] == true && $AsPureObject(o) == o && h[o, $ownerFrame] != $PeerGroupPlaceholder && h[h[o, $ownerRef], $inv] <: h[o, $ownerFrame] && h[h[o, $ownerRef], $localinv] != $BaseClass(h[o, $ownerFrame]) ==> h[o, f] == ##FieldDependsOnFCO(o, f, h[h[o, $FirstConsistentOwner], $exposeVersion])); + +axiom (forall o: ref, h: Heap :: { h[o, $FirstConsistentOwner] } IsHeap(h) && o != null && h[o, $allocated] == true && h[o, $ownerFrame] != $PeerGroupPlaceholder && h[h[o, $ownerRef], $inv] <: h[o, $ownerFrame] && h[h[o, $ownerRef], $localinv] != $BaseClass(h[o, $ownerFrame]) ==> h[o, $FirstConsistentOwner] != null && h[h[o, $FirstConsistentOwner], $allocated] == true && (h[h[o, $FirstConsistentOwner], $ownerFrame] == $PeerGroupPlaceholder || !(h[h[h[o, $FirstConsistentOwner], $ownerRef], $inv] <: h[h[o, $FirstConsistentOwner], $ownerFrame]) || h[h[h[o, $FirstConsistentOwner], $ownerRef], $localinv] == $BaseClass(h[h[o, $FirstConsistentOwner], $ownerFrame]))); + +function Box<a>(a, ref) returns (ref); + +function Unbox(ref) returns (any); + +type NondetType; + +function MeldNondets(NondetType, any) returns (NondetType); + +function BoxFunc<a>(value: a, typ: name) returns (boxedValue: ref); + +function AllocFunc(typ: name) returns (newValue: ref); + +function NewInstance(object: ref, occurrence: NondetType, activity: ActivityType) returns (newInstance: ref); + +axiom (forall value: any, typ: name, occurrence: NondetType, activity: ActivityType :: { NewInstance(BoxFunc(value, typ), occurrence, activity) } Box(value, NewInstance(BoxFunc(value, typ), occurrence, activity)) == NewInstance(BoxFunc(value, typ), occurrence, activity) && UnboxedType(NewInstance(BoxFunc(value, typ), occurrence, activity)) == typ); + +axiom (forall x: ref, typ: name, occurrence: NondetType, activity: ActivityType :: !$IsValueType(UnboxedType(x)) ==> NewInstance(BoxFunc(x, typ), occurrence, activity) == x); + +axiom (forall x: any, p: ref :: { Unbox(Box(x, p)) } Unbox(Box(x, p)) == x); + +function UnboxedType(ref) returns (name); + +axiom (forall p: ref :: { $IsValueType(UnboxedType(p)) } $IsValueType(UnboxedType(p)) ==> (forall heap: Heap, x: any :: { heap[Box(x, p), $inv] } IsHeap(heap) ==> heap[Box(x, p), $inv] == $typeof(Box(x, p)) && heap[Box(x, p), $localinv] == $typeof(Box(x, p)))); + +axiom (forall<a> x: a, p: ref :: { UnboxedType(Box(x, p)) <: System.Object } UnboxedType(Box(x, p)) <: System.Object && Box(x, p) == p ==> x == p); + +function BoxTester(p: ref, typ: name) returns (ref); + +axiom (forall p: ref, typ: name :: { BoxTester(p, typ) } UnboxedType(p) == typ <==> BoxTester(p, typ) != null); + +axiom (forall p: ref, typ: name :: { BoxTester(p, typ) } BoxTester(p, typ) != null ==> Box(Unbox(p), p) == p); + +axiom (forall typ: name, occurrence: NondetType, activity: ActivityType :: { NewInstance(AllocFunc(typ), occurrence, activity) } $typeof(NewInstance(AllocFunc(typ), occurrence, activity)) == typ && NewInstance(AllocFunc(typ), occurrence, activity) != null); + +axiom (forall typ: name, occurrence: NondetType, activity: ActivityType, heap: Heap :: { heap[NewInstance(AllocFunc(typ), occurrence, activity), $allocated] } IsHeap(heap) ==> heap[NewInstance(AllocFunc(typ), occurrence, activity), $allocated]); + +const unique System.SByte: name; + +axiom $IsValueType(System.SByte); + +const unique System.Byte: name; + +axiom $IsValueType(System.Byte); + +const unique System.Int16: name; + +axiom $IsValueType(System.Int16); + +const unique System.UInt16: name; + +axiom $IsValueType(System.UInt16); + +const unique System.Int32: name; + +axiom $IsValueType(System.Int32); + +const unique System.UInt32: name; + +axiom $IsValueType(System.UInt32); + +const unique System.Int64: name; + +axiom $IsValueType(System.Int64); + +const unique System.UInt64: name; + +axiom $IsValueType(System.UInt64); + +const unique System.Char: name; + +axiom $IsValueType(System.Char); + +const unique System.UIntPtr: name; + +axiom $IsValueType(System.UIntPtr); + +const unique System.IntPtr: name; + +axiom $IsValueType(System.IntPtr); + +const int#m2147483648: int; + +const int#2147483647: int; + +const int#4294967295: int; + +const int#m9223372036854775808: int; + +const int#9223372036854775807: int; + +const int#18446744073709551615: int; + +axiom int#m9223372036854775808 < int#m2147483648; + +axiom int#m2147483648 < 0 - 100000; + +axiom 100000 < int#2147483647; + +axiom int#2147483647 < int#4294967295; + +axiom int#4294967295 < int#9223372036854775807; + +axiom int#9223372036854775807 < int#18446744073709551615; + +axiom int#m9223372036854775808 + 1 == 0 - int#9223372036854775807; + +axiom int#m2147483648 + 1 == 0 - int#2147483647; + +function InRange(i: int, T: name) returns (bool); + +axiom (forall i: int :: InRange(i, System.SByte) <==> 0 - 128 <= i && i < 128); + +axiom (forall i: int :: InRange(i, System.Byte) <==> 0 <= i && i < 256); + +axiom (forall i: int :: InRange(i, System.Int16) <==> 0 - 32768 <= i && i < 32768); + +axiom (forall i: int :: InRange(i, System.UInt16) <==> 0 <= i && i < 65536); + +axiom (forall i: int :: InRange(i, System.Int32) <==> int#m2147483648 <= i && i <= int#2147483647); + +axiom (forall i: int :: InRange(i, System.UInt32) <==> 0 <= i && i <= int#4294967295); + +axiom (forall i: int :: InRange(i, System.Int64) <==> int#m9223372036854775808 <= i && i <= int#9223372036854775807); + +axiom (forall i: int :: InRange(i, System.UInt64) <==> 0 <= i && i <= int#18446744073709551615); + +axiom (forall i: int :: InRange(i, System.Char) <==> 0 <= i && i < 65536); + +function $IntToInt(val: int, fromType: name, toType: name) returns (int); + +function $IntToReal(int, fromType: name, toType: name) returns (real); + +function $RealToInt(real, fromType: name, toType: name) returns (int); + +function $RealToReal(val: real, fromType: name, toType: name) returns (real); + +axiom (forall z: int, B: name, C: name :: InRange(z, C) ==> $IntToInt(z, B, C) == z); + +function $SizeIs(name, int) returns (bool); + +function $IfThenElse(bool, any, any) returns (any); + +axiom (forall b: bool, x: any, y: any :: { $IfThenElse(b, x, y) } b ==> $IfThenElse(b, x, y) == x); + +axiom (forall b: bool, x: any, y: any :: { $IfThenElse(b, x, y) } !b ==> $IfThenElse(b, x, y) == y); + +function #neg(int) returns (int); + +function #and(int, int) returns (int); + +function #or(int, int) returns (int); + +function #xor(int, int) returns (int); + +function #shl(int, int) returns (int); + +function #shr(int, int) returns (int); + +function #rneg(real) returns (real); + +function #radd(real, real) returns (real); + +function #rsub(real, real) returns (real); + +function #rmul(real, real) returns (real); + +function #rdiv(real, real) returns (real); + +function #rmod(real, real) returns (real); + +function #rLess(real, real) returns (bool); + +function #rAtmost(real, real) returns (bool); + +function #rEq(real, real) returns (bool); + +function #rNeq(real, real) returns (bool); + +function #rAtleast(real, real) returns (bool); + +function #rGreater(real, real) returns (bool); + +axiom (forall x: int, y: int :: { x % y } { x / y } x % y == x - x / y * y); + +axiom (forall x: int, y: int :: { x % y } 0 <= x && 0 < y ==> 0 <= x % y && x % y < y); + +axiom (forall x: int, y: int :: { x % y } 0 <= x && y < 0 ==> 0 <= x % y && x % y < 0 - y); + +axiom (forall x: int, y: int :: { x % y } x <= 0 && 0 < y ==> 0 - y < x % y && x % y <= 0); + +axiom (forall x: int, y: int :: { x % y } x <= 0 && y < 0 ==> y < x % y && x % y <= 0); + +axiom (forall x: int, y: int :: { (x + y) % y } 0 <= x && 0 <= y ==> (x + y) % y == x % y); + +axiom (forall x: int, y: int :: { (y + x) % y } 0 <= x && 0 <= y ==> (y + x) % y == x % y); + +axiom (forall x: int, y: int :: { (x - y) % y } 0 <= x - y && 0 <= y ==> (x - y) % y == x % y); + +axiom (forall a: int, b: int, d: int :: { a % d, b % d } 2 <= d && a % d == b % d && a < b ==> a + d <= b); + +axiom (forall x: int, y: int :: { #and(x, y) } 0 <= x || 0 <= y ==> 0 <= #and(x, y)); + +axiom (forall x: int, y: int :: { #or(x, y) } 0 <= x && 0 <= y ==> 0 <= #or(x, y) && #or(x, y) <= x + y); + +axiom (forall i: int :: { #shl(i, 0) } #shl(i, 0) == i); + +axiom (forall i: int, j: int :: { #shl(i, j) } 1 <= j ==> #shl(i, j) == #shl(i, j - 1) * 2); + +axiom (forall i: int, j: int :: { #shl(i, j) } 0 <= i && i < 32768 && 0 <= j && j <= 16 ==> 0 <= #shl(i, j) && #shl(i, j) <= int#2147483647); + +axiom (forall i: int :: { #shr(i, 0) } #shr(i, 0) == i); + +axiom (forall i: int, j: int :: { #shr(i, j) } 1 <= j ==> #shr(i, j) == #shr(i, j - 1) / 2); + +function #min(int, int) returns (int); + +function #max(int, int) returns (int); + +axiom (forall x: int, y: int :: { #min(x, y) } (#min(x, y) == x || #min(x, y) == y) && #min(x, y) <= x && #min(x, y) <= y); + +axiom (forall x: int, y: int :: { #max(x, y) } (#max(x, y) == x || #max(x, y) == y) && x <= #max(x, y) && y <= #max(x, y)); + +function #System.String.IsInterned$System.String$notnull(Heap, ref) returns (ref); + +function #System.String.Equals$System.String(Heap, ref, ref) returns (bool); + +function #System.String.Equals$System.String$System.String(Heap, ref, ref) returns (bool); + +function ##StringEquals(ref, ref) returns (bool); + +axiom (forall h: Heap, a: ref, b: ref :: { #System.String.Equals$System.String(h, a, b) } #System.String.Equals$System.String(h, a, b) == #System.String.Equals$System.String$System.String(h, a, b)); + +axiom (forall h: Heap, a: ref, b: ref :: { #System.String.Equals$System.String$System.String(h, a, b) } #System.String.Equals$System.String$System.String(h, a, b) == ##StringEquals(a, b) && #System.String.Equals$System.String$System.String(h, a, b) == ##StringEquals(b, a) && (a == b ==> ##StringEquals(a, b))); + +axiom (forall a: ref, b: ref, c: ref :: ##StringEquals(a, b) && ##StringEquals(b, c) ==> ##StringEquals(a, c)); + +axiom (forall h: Heap, a: ref, b: ref :: { #System.String.Equals$System.String$System.String(h, a, b) } a != null && b != null && #System.String.Equals$System.String$System.String(h, a, b) ==> #System.String.IsInterned$System.String$notnull(h, a) == #System.String.IsInterned$System.String$notnull(h, b)); + +const $UnknownRef: ref; + +const unique Bag.a: Field ref; + +const unique Bag.n: Field int; + +const unique Microsoft.Contracts.GuardException: name; + +const unique System.ICloneable: name; + +const unique Microsoft.Contracts.ObjectInvariantException: name; + +const unique System.Exception: name; + +const unique System.Collections.IEnumerable: name; + +const unique System.Collections.IList: name; + +const unique Microsoft.Contracts.ICheckedException: name; + +const unique System.Reflection.MemberInfo: name; + +const unique Bag: name; + +const unique System.Reflection.IReflect: name; + +const unique System.Runtime.InteropServices._MemberInfo: name; + +const unique System.Runtime.InteropServices._Type: name; + +const unique System.Collections.ICollection: name; + +const unique System.Runtime.InteropServices._Exception: name; + +const unique System.Runtime.Serialization.ISerializable: name; + +const unique System.Reflection.ICustomAttributeProvider: name; + +axiom !IsStaticField(Bag.n); + +axiom IncludeInMainFrameCondition(Bag.n); + +axiom $IncludedInModifiesStar(Bag.n); + +axiom DeclType222(Bag.n) == Bag; + +axiom AsRangeField(Bag.n, System.Int32) == Bag.n; + +axiom !IsStaticField(Bag.a); + +axiom IncludeInMainFrameCondition(Bag.a); + +axiom $IncludedInModifiesStar(Bag.a); + +axiom AsRepField(Bag.a, Bag) == Bag.a; + +axiom DeclType222(Bag.a) == Bag; + +axiom AsNonNullRefField(Bag.a, IntArray(System.Int32, 1)) == Bag.a; + +axiom Bag <: Bag; + +axiom $BaseClass(Bag) == System.Object && AsDirectSubClass(Bag, $BaseClass(Bag)) == Bag; + +axiom !$IsImmutable(Bag) && $AsMutable(Bag) == Bag; + +axiom System.Array <: System.Array; + +axiom $BaseClass(System.Array) == System.Object && AsDirectSubClass(System.Array, $BaseClass(System.Array)) == System.Array; + +axiom !$IsImmutable(System.Array) && $AsMutable(System.Array) == System.Array; + +axiom System.ICloneable <: System.ICloneable; + +axiom System.ICloneable <: System.Object; + +axiom $IsMemberlessType(System.ICloneable); + +axiom $AsInterface(System.ICloneable) == System.ICloneable; + +axiom System.Array <: System.ICloneable; + +axiom System.Collections.IList <: System.Collections.IList; + +axiom System.Collections.IList <: System.Object; + +axiom System.Collections.ICollection <: System.Collections.ICollection; + +axiom System.Collections.ICollection <: System.Object; + +axiom System.Collections.IEnumerable <: System.Collections.IEnumerable; + +axiom System.Collections.IEnumerable <: System.Object; + +axiom $IsMemberlessType(System.Collections.IEnumerable); + +axiom $AsInterface(System.Collections.IEnumerable) == System.Collections.IEnumerable; + +axiom System.Collections.ICollection <: System.Collections.IEnumerable; + +axiom $IsMemberlessType(System.Collections.ICollection); + +axiom $AsInterface(System.Collections.ICollection) == System.Collections.ICollection; + +axiom System.Collections.IList <: System.Collections.ICollection; + +axiom System.Collections.IList <: System.Collections.IEnumerable; + +axiom $IsMemberlessType(System.Collections.IList); + +axiom $AsInterface(System.Collections.IList) == System.Collections.IList; + +axiom System.Array <: System.Collections.IList; + +axiom System.Array <: System.Collections.ICollection; + +axiom System.Array <: System.Collections.IEnumerable; + +axiom $IsMemberlessType(System.Array); + +// System.Array object invariant +axiom (forall $oi: ref, $h: Heap :: { $h[$oi, $inv] <: System.Array } IsHeap($h) && $h[$oi, $inv] <: System.Array && $h[$oi, $localinv] != $BaseClass(System.Array) ==> true); + +// Bag object invariant +axiom (forall $oi: ref, $h: Heap :: { $h[$oi, $inv] <: Bag } IsHeap($h) && $h[$oi, $inv] <: Bag && $h[$oi, $localinv] != $BaseClass(Bag) ==> 0 <= $h[$oi, Bag.n] && $h[$oi, Bag.n] <= $Length($h[$oi, Bag.a])); + +procedure Bag.SpecSharp.CheckInvariant$System.Boolean(this: ref where $IsNotNull(this, Bag) && $Heap[this, $allocated], throwException$in: bool where true) returns ($result: bool where true); + // user-declared preconditions + requires ($Heap[this, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[this, $ownerRef], $inv] <: $Heap[this, $ownerFrame]) || $Heap[$Heap[this, $ownerRef], $localinv] == $BaseClass($Heap[this, $ownerFrame])) && $Heap[this, $inv] == System.Object && $Heap[this, $localinv] == $typeof(this) && (forall $p: ref :: $p != null && $Heap[$p, $allocated] && $Heap[$p, $ownerRef] == this && $Heap[$p, $ownerFrame] == Bag ==> $Heap[$p, $inv] == $typeof($p) && $Heap[$p, $localinv] == $typeof($p)); + free requires $BeingConstructed == null; + free requires $PurityAxiomsCanBeAssumed; + modifies $Heap, $ActivityIndicator; + // newly allocated objects are fully valid + free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } $o != null && !old($Heap)[$o, $allocated] && $Heap[$o, $allocated] ==> $Heap[$o, $inv] == $typeof($o) && $Heap[$o, $localinv] == $typeof($o)); + // first consistent owner unchanged if its exposeVersion is + free ensures (forall $o: ref :: { $Heap[$o, $FirstConsistentOwner] } old($Heap)[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] == $Heap[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] ==> old($Heap)[$o, $FirstConsistentOwner] == $Heap[$o, $FirstConsistentOwner]); + // frame condition + ensures (forall<a> $o: ref, $f: Field a :: { $Heap[$o, $f] } IncludeInMainFrameCondition($f) && $o != null && old($Heap)[$o, $allocated] && (old($Heap)[$o, $ownerFrame] == $PeerGroupPlaceholder || !(old($Heap)[old($Heap)[$o, $ownerRef], $inv] <: old($Heap)[$o, $ownerFrame]) || old($Heap)[old($Heap)[$o, $ownerRef], $localinv] == $BaseClass(old($Heap)[$o, $ownerFrame])) && old($o != this || !($typeof(this) <: DeclType222($f)) || !$IncludedInModifiesStar($f)) && old(true) ==> old($Heap)[$o, $f] == $Heap[$o, $f]); + free ensures $HeapSucc(old($Heap), $Heap); + // inv/localinv change only in blocks + free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } old($Heap)[$o, $allocated] ==> old($Heap)[$o, $inv] == $Heap[$o, $inv] && old($Heap)[$o, $localinv] == $Heap[$o, $localinv]); + free ensures (forall $o: ref :: { $Heap[$o, $allocated] } old($Heap)[$o, $allocated] ==> $Heap[$o, $allocated]) && (forall $ot: ref :: { $Heap[$ot, $ownerFrame] } { $Heap[$ot, $ownerRef] } old($Heap)[$ot, $allocated] && old($Heap)[$ot, $ownerFrame] != $PeerGroupPlaceholder ==> $Heap[$ot, $ownerRef] == old($Heap)[$ot, $ownerRef] && $Heap[$ot, $ownerFrame] == old($Heap)[$ot, $ownerFrame]) && old($Heap)[$BeingConstructed, $NonNullFieldsAreInitialized] == $Heap[$BeingConstructed, $NonNullFieldsAreInitialized]; + free ensures (forall $o: ref :: { $Heap[$o, $sharingMode] } old($Heap[$o, $sharingMode]) == $Heap[$o, $sharingMode]); + + + +implementation Bag.SpecSharp.CheckInvariant$System.Boolean(this: ref, throwException$in: bool) returns ($result: bool) +{ + var throwException: bool where true, stack0i: int, stack1i: int, stack0b: bool, stack1o: ref, return.value: bool where true, stack50000o: ref, stack0o: ref, SS$Display.Return.Local: bool where true; + + entry: + throwException := throwException$in; + goto block2380; + + block2380: + goto block2482; + + block2482: + // ----- nop + // ----- load constant 0 + stack0i := 0; + // ----- load field + assert this != null; + stack1i := $Heap[this, Bag.n]; + // ----- binary operator + // ----- branch + goto true2482to2550, false2482to2414; + + true2482to2550: + assume stack0i > stack1i; + goto block2550; + + false2482to2414: + assume stack0i <= stack1i; + goto block2414; + + block2550: + // ----- copy + stack0b := throwException; + // ----- unary operator + // ----- branch + goto true2550to2584, false2550to2601; + + block2414: + // ----- load field + assert this != null; + stack0i := $Heap[this, Bag.n]; + // ----- load field + assert this != null; + stack1o := $Heap[this, Bag.a]; + // ----- unary operator + assert stack1o != null; + stack1i := $Length(stack1o); + // ----- unary operator + stack1i := $IntToInt(stack1i, System.UIntPtr, System.Int32); + // ----- binary operator + // ----- branch + goto true2414to2550, false2414to2465; + + true2414to2550: + assume stack0i > stack1i; + goto block2550; + + false2414to2465: + assume stack0i <= stack1i; + goto block2465; + + block2465: + // ----- branch + goto block2448; + + true2550to2584: + assume !stack0b; + goto block2584; + + false2550to2601: + assume stack0b; + goto block2601; + + block2584: + // ----- load constant 0 + return.value := false; + // ----- branch + goto block2567; + + block2601: + assume false; + // ----- new object + havoc stack50000o; + assume $Heap[stack50000o, $allocated] == false && stack50000o != null && $typeof(stack50000o) == Microsoft.Contracts.ObjectInvariantException; + assume $Heap[stack50000o, $ownerRef] == stack50000o && $Heap[stack50000o, $ownerFrame] == $PeerGroupPlaceholder; + // ----- call + assert stack50000o != null; + call Microsoft.Contracts.ObjectInvariantException..ctor(stack50000o); + // ----- copy + stack0o := stack50000o; + // ----- throw + assert stack0o != null; + assume false; + return; + + block2448: + // ----- load constant 1 + return.value := true; + // ----- branch + goto block2567; + + block2567: + // ----- copy + SS$Display.Return.Local := return.value; + // ----- copy + stack0b := return.value; + // ----- return + $result := stack0b; + return; +} + + + +axiom Microsoft.Contracts.ObjectInvariantException <: Microsoft.Contracts.ObjectInvariantException; + +axiom Microsoft.Contracts.GuardException <: Microsoft.Contracts.GuardException; + +axiom System.Exception <: System.Exception; + +axiom $BaseClass(System.Exception) == System.Object && AsDirectSubClass(System.Exception, $BaseClass(System.Exception)) == System.Exception; + +axiom !$IsImmutable(System.Exception) && $AsMutable(System.Exception) == System.Exception; + +axiom System.Runtime.Serialization.ISerializable <: System.Runtime.Serialization.ISerializable; + +axiom System.Runtime.Serialization.ISerializable <: System.Object; + +axiom $IsMemberlessType(System.Runtime.Serialization.ISerializable); + +axiom $AsInterface(System.Runtime.Serialization.ISerializable) == System.Runtime.Serialization.ISerializable; + +axiom System.Exception <: System.Runtime.Serialization.ISerializable; + +axiom System.Runtime.InteropServices._Exception <: System.Runtime.InteropServices._Exception; + +axiom System.Runtime.InteropServices._Exception <: System.Object; + +axiom $IsMemberlessType(System.Runtime.InteropServices._Exception); + +axiom $AsInterface(System.Runtime.InteropServices._Exception) == System.Runtime.InteropServices._Exception; + +axiom System.Exception <: System.Runtime.InteropServices._Exception; + +// System.Exception object invariant +axiom (forall $oi: ref, $h: Heap :: { $h[$oi, $inv] <: System.Exception } IsHeap($h) && $h[$oi, $inv] <: System.Exception && $h[$oi, $localinv] != $BaseClass(System.Exception) ==> true); + +axiom $BaseClass(Microsoft.Contracts.GuardException) == System.Exception && AsDirectSubClass(Microsoft.Contracts.GuardException, $BaseClass(Microsoft.Contracts.GuardException)) == Microsoft.Contracts.GuardException; + +axiom !$IsImmutable(Microsoft.Contracts.GuardException) && $AsMutable(Microsoft.Contracts.GuardException) == Microsoft.Contracts.GuardException; + +// Microsoft.Contracts.GuardException object invariant +axiom (forall $oi: ref, $h: Heap :: { $h[$oi, $inv] <: Microsoft.Contracts.GuardException } IsHeap($h) && $h[$oi, $inv] <: Microsoft.Contracts.GuardException && $h[$oi, $localinv] != $BaseClass(Microsoft.Contracts.GuardException) ==> true); + +axiom $BaseClass(Microsoft.Contracts.ObjectInvariantException) == Microsoft.Contracts.GuardException && AsDirectSubClass(Microsoft.Contracts.ObjectInvariantException, $BaseClass(Microsoft.Contracts.ObjectInvariantException)) == Microsoft.Contracts.ObjectInvariantException; + +axiom !$IsImmutable(Microsoft.Contracts.ObjectInvariantException) && $AsMutable(Microsoft.Contracts.ObjectInvariantException) == Microsoft.Contracts.ObjectInvariantException; + +// Microsoft.Contracts.ObjectInvariantException object invariant +axiom (forall $oi: ref, $h: Heap :: { $h[$oi, $inv] <: Microsoft.Contracts.ObjectInvariantException } IsHeap($h) && $h[$oi, $inv] <: Microsoft.Contracts.ObjectInvariantException && $h[$oi, $localinv] != $BaseClass(Microsoft.Contracts.ObjectInvariantException) ==> true); + +procedure Microsoft.Contracts.ObjectInvariantException..ctor(this: ref where $IsNotNull(this, Microsoft.Contracts.ObjectInvariantException) && $Heap[this, $allocated]); + // object is fully unpacked: this.inv == Object + free requires ($Heap[this, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[this, $ownerRef], $inv] <: $Heap[this, $ownerFrame]) || $Heap[$Heap[this, $ownerRef], $localinv] == $BaseClass($Heap[this, $ownerFrame])) && $Heap[this, $inv] == System.Object && $Heap[this, $localinv] == $typeof(this); + // nothing is owned by [this,*] and 'this' is alone in its own peer group + free requires (forall $o: ref :: $o != this ==> $Heap[$o, $ownerRef] != this) && $Heap[this, $ownerRef] == this && $Heap[this, $ownerFrame] == $PeerGroupPlaceholder; + free requires $BeingConstructed == this; + free requires $PurityAxiomsCanBeAssumed; + modifies $Heap, $ActivityIndicator; + // target object is allocated upon return + free ensures $Heap[this, $allocated]; + // target object is additively exposable for Microsoft.Contracts.ObjectInvariantException + ensures ($Heap[this, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[this, $ownerRef], $inv] <: $Heap[this, $ownerFrame]) || $Heap[$Heap[this, $ownerRef], $localinv] == $BaseClass($Heap[this, $ownerFrame])) && $Heap[this, $inv] == Microsoft.Contracts.ObjectInvariantException && $Heap[this, $localinv] == $typeof(this); + ensures $Heap[this, $ownerRef] == old($Heap)[this, $ownerRef] && $Heap[this, $ownerFrame] == old($Heap)[this, $ownerFrame]; + ensures $Heap[this, $sharingMode] == $SharingMode_Unshared; + // newly allocated objects are fully valid + free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } $o != null && !old($Heap)[$o, $allocated] && $Heap[$o, $allocated] ==> $Heap[$o, $inv] == $typeof($o) && $Heap[$o, $localinv] == $typeof($o)); + // first consistent owner unchanged if its exposeVersion is + free ensures (forall $o: ref :: { $Heap[$o, $FirstConsistentOwner] } old($Heap)[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] == $Heap[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] ==> old($Heap)[$o, $FirstConsistentOwner] == $Heap[$o, $FirstConsistentOwner]); + // frame condition + ensures (forall<a> $o: ref, $f: Field a :: { $Heap[$o, $f] } IncludeInMainFrameCondition($f) && $o != null && old($Heap)[$o, $allocated] && (old($Heap)[$o, $ownerFrame] == $PeerGroupPlaceholder || !(old($Heap)[old($Heap)[$o, $ownerRef], $inv] <: old($Heap)[$o, $ownerFrame]) || old($Heap)[old($Heap)[$o, $ownerRef], $localinv] == $BaseClass(old($Heap)[$o, $ownerFrame])) && ($o != this || !(Microsoft.Contracts.ObjectInvariantException <: DeclType222($f))) && old(true) && old(true) ==> old($Heap)[$o, $f] == $Heap[$o, $f]); + free ensures $HeapSucc(old($Heap), $Heap); + // inv/localinv change only in blocks + free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } old($Heap)[$o, $allocated] && $o != this ==> old($Heap)[$o, $inv] == $Heap[$o, $inv] && old($Heap)[$o, $localinv] == $Heap[$o, $localinv]); + free ensures (forall $o: ref :: { $Heap[$o, $allocated] } old($Heap)[$o, $allocated] ==> $Heap[$o, $allocated]) && (forall $ot: ref :: { $Heap[$ot, $ownerFrame] } { $Heap[$ot, $ownerRef] } old($Heap)[$ot, $allocated] && old($Heap)[$ot, $ownerFrame] != $PeerGroupPlaceholder ==> $Heap[$ot, $ownerRef] == old($Heap)[$ot, $ownerRef] && $Heap[$ot, $ownerFrame] == old($Heap)[$ot, $ownerFrame]) && old($Heap)[$BeingConstructed, $NonNullFieldsAreInitialized] == $Heap[$BeingConstructed, $NonNullFieldsAreInitialized]; + free ensures (forall $o: ref :: { $Heap[$o, $sharingMode] } $o == this || old($Heap[$o, $sharingMode]) == $Heap[$o, $sharingMode]); + + + +procedure Bag..ctor$System.Int32.array$notnull(this: ref where $IsNotNull(this, Bag) && $Heap[this, $allocated], initialElements$in: ref where $IsNotNull(initialElements$in, IntArray(System.Int32, 1)) && $Heap[initialElements$in, $allocated]); + // object is fully unpacked: this.inv == Object + free requires ($Heap[this, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[this, $ownerRef], $inv] <: $Heap[this, $ownerFrame]) || $Heap[$Heap[this, $ownerRef], $localinv] == $BaseClass($Heap[this, $ownerFrame])) && $Heap[this, $inv] == System.Object && $Heap[this, $localinv] == $typeof(this); + // initialElements is peer consistent + requires (forall $pc: ref :: { $typeof($pc) } { $Heap[$pc, $localinv] } { $Heap[$pc, $inv] } { $Heap[$pc, $ownerFrame] } { $Heap[$pc, $ownerRef] } $pc != null && $Heap[$pc, $allocated] && $Heap[$pc, $ownerRef] == $Heap[initialElements$in, $ownerRef] && $Heap[$pc, $ownerFrame] == $Heap[initialElements$in, $ownerFrame] ==> $Heap[$pc, $inv] == $typeof($pc) && $Heap[$pc, $localinv] == $typeof($pc)); + // initialElements is peer consistent (owner must not be valid) + requires $Heap[initialElements$in, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[initialElements$in, $ownerRef], $inv] <: $Heap[initialElements$in, $ownerFrame]) || $Heap[$Heap[initialElements$in, $ownerRef], $localinv] == $BaseClass($Heap[initialElements$in, $ownerFrame]); + // nothing is owned by [this,*] and 'this' is alone in its own peer group + free requires (forall $o: ref :: $o != this ==> $Heap[$o, $ownerRef] != this) && $Heap[this, $ownerRef] == this && $Heap[this, $ownerFrame] == $PeerGroupPlaceholder; + free requires $BeingConstructed == this; + free requires $PurityAxiomsCanBeAssumed; + modifies $Heap, $ActivityIndicator; + // target object is allocated upon return + free ensures $Heap[this, $allocated]; + // target object is additively exposable for Bag + ensures ($Heap[this, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[this, $ownerRef], $inv] <: $Heap[this, $ownerFrame]) || $Heap[$Heap[this, $ownerRef], $localinv] == $BaseClass($Heap[this, $ownerFrame])) && $Heap[this, $inv] == Bag && $Heap[this, $localinv] == $typeof(this); + ensures $Heap[this, $ownerRef] == old($Heap)[this, $ownerRef] && $Heap[this, $ownerFrame] == old($Heap)[this, $ownerFrame]; + ensures $Heap[this, $sharingMode] == $SharingMode_Unshared; + // newly allocated objects are fully valid + free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } $o != null && !old($Heap)[$o, $allocated] && $Heap[$o, $allocated] ==> $Heap[$o, $inv] == $typeof($o) && $Heap[$o, $localinv] == $typeof($o)); + // first consistent owner unchanged if its exposeVersion is + free ensures (forall $o: ref :: { $Heap[$o, $FirstConsistentOwner] } old($Heap)[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] == $Heap[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] ==> old($Heap)[$o, $FirstConsistentOwner] == $Heap[$o, $FirstConsistentOwner]); + // frame condition + ensures (forall<a> $o: ref, $f: Field a :: { $Heap[$o, $f] } IncludeInMainFrameCondition($f) && $o != null && old($Heap)[$o, $allocated] && (old($Heap)[$o, $ownerFrame] == $PeerGroupPlaceholder || !(old($Heap)[old($Heap)[$o, $ownerRef], $inv] <: old($Heap)[$o, $ownerFrame]) || old($Heap)[old($Heap)[$o, $ownerRef], $localinv] == $BaseClass(old($Heap)[$o, $ownerFrame])) && ($o != this || !(Bag <: DeclType222($f))) && old(true) && old(true) ==> old($Heap)[$o, $f] == $Heap[$o, $f]); + free ensures $HeapSucc(old($Heap), $Heap); + // inv/localinv change only in blocks + free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } old($Heap)[$o, $allocated] && $o != this ==> old($Heap)[$o, $inv] == $Heap[$o, $inv] && old($Heap)[$o, $localinv] == $Heap[$o, $localinv]); + free ensures (forall $o: ref :: { $Heap[$o, $allocated] } old($Heap)[$o, $allocated] ==> $Heap[$o, $allocated]) && (forall $ot: ref :: { $Heap[$ot, $ownerFrame] } { $Heap[$ot, $ownerRef] } old($Heap)[$ot, $allocated] && old($Heap)[$ot, $ownerFrame] != $PeerGroupPlaceholder ==> $Heap[$ot, $ownerRef] == old($Heap)[$ot, $ownerRef] && $Heap[$ot, $ownerFrame] == old($Heap)[$ot, $ownerFrame]) && old($Heap)[$BeingConstructed, $NonNullFieldsAreInitialized] == $Heap[$BeingConstructed, $NonNullFieldsAreInitialized]; + free ensures (forall $o: ref :: { $Heap[$o, $sharingMode] } $o == this || old($Heap[$o, $sharingMode]) == $Heap[$o, $sharingMode]); + + + +implementation Bag..ctor$System.Int32.array$notnull(this: ref, initialElements$in: ref) +{ + var initialElements: ref where $IsNotNull(initialElements, IntArray(System.Int32, 1)) && $Heap[initialElements, $allocated], stack0o: ref, stack0i: int, temp0: exposeVersionType, temp1: ref, temp2: exposeVersionType, stack1i: int, temp3: ref; + + entry: + initialElements := initialElements$in; + assume $Heap[this, Bag.n] == 0; + goto block3332; + + block3332: + goto block3468; + + block3468: + // ----- nop + // ----- copy ----- AddMethod.ssc(13,5) + stack0o := initialElements; + // ----- unary operator ----- AddMethod.ssc(13,5) + assert stack0o != null; + stack0i := $Length(stack0o); + // ----- unary operator ----- AddMethod.ssc(13,5) + stack0i := $IntToInt(stack0i, System.UIntPtr, System.Int32); + // ----- store field ----- AddMethod.ssc(13,5) + assert this != null; + assert $Heap[this, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[this, $ownerRef], $inv] <: $Heap[this, $ownerFrame]) || $Heap[$Heap[this, $ownerRef], $localinv] == $BaseClass($Heap[this, $ownerFrame]); + havoc temp0; + $Heap[this, $exposeVersion] := temp0; + $Heap[this, Bag.n] := stack0i; + assert !($Heap[this, $inv] <: Bag && $Heap[this, $localinv] != $BaseClass(Bag)) || 0 <= $Heap[this, Bag.n]; + assert !($Heap[this, $inv] <: Bag && $Heap[this, $localinv] != $BaseClass(Bag)) || $Heap[this, Bag.n] <= $Length($Heap[this, Bag.a]); + assume IsHeap($Heap); + // ----- copy ----- AddMethod.ssc(14,5) + stack0o := initialElements; + // ----- unary operator ----- AddMethod.ssc(14,5) + assert stack0o != null; + stack0i := $Length(stack0o); + // ----- unary operator ----- AddMethod.ssc(14,5) + stack0i := $IntToInt(stack0i, System.UIntPtr, System.Int32); + // ----- new array ----- AddMethod.ssc(14,5) + assert 0 <= stack0i; + havoc temp1; + assume $Heap[temp1, $allocated] == false && $Length(temp1) == stack0i; + assume $Heap[$ElementProxy(temp1, -1), $allocated] == false && $ElementProxy(temp1, -1) != temp1 && $ElementProxy(temp1, -1) != null; + assume temp1 != null; + assume $typeof(temp1) == IntArray(System.Int32, 1); + assume $Heap[temp1, $ownerRef] == temp1 && $Heap[temp1, $ownerFrame] == $PeerGroupPlaceholder; + assume $Heap[$ElementProxy(temp1, -1), $ownerRef] == $ElementProxy(temp1, -1) && $Heap[$ElementProxy(temp1, -1), $ownerFrame] == $PeerGroupPlaceholder; + assume $Heap[temp1, $inv] == $typeof(temp1) && $Heap[temp1, $localinv] == $typeof(temp1); + assume (forall $i: int :: IntArrayGet($Heap[temp1, $elements], $i) == 0); + $Heap[temp1, $allocated] := true; + call System.Object..ctor($ElementProxy(temp1, -1)); + stack0o := temp1; + assume IsHeap($Heap); + // ----- store field ----- AddMethod.ssc(14,5) + assert this != null; + assert $Heap[this, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[this, $ownerRef], $inv] <: $Heap[this, $ownerFrame]) || $Heap[$Heap[this, $ownerRef], $localinv] == $BaseClass($Heap[this, $ownerFrame]); + assert ($Heap[stack0o, $ownerRef] == this && $Heap[stack0o, $ownerFrame] == Bag) || $Heap[stack0o, $ownerFrame] == $PeerGroupPlaceholder; + assert $Heap[stack0o, $ownerFrame] == $PeerGroupPlaceholder && $Heap[this, $inv] <: Bag && $Heap[this, $localinv] != $BaseClass(Bag) ==> (forall $pc: ref :: { $typeof($pc) } { $Heap[$pc, $localinv] } { $Heap[$pc, $inv] } { $Heap[$pc, $ownerFrame] } { $Heap[$pc, $ownerRef] } $pc != null && $Heap[$pc, $allocated] && $Heap[$pc, $ownerRef] == $Heap[stack0o, $ownerRef] && $Heap[$pc, $ownerFrame] == $Heap[stack0o, $ownerFrame] ==> $Heap[$pc, $inv] == $typeof($pc) && $Heap[$pc, $localinv] == $typeof($pc)); + assert $Heap[stack0o, $ownerFrame] == $PeerGroupPlaceholder && $Heap[this, $inv] <: Bag && $Heap[this, $localinv] != $BaseClass(Bag) ==> $Heap[this, $ownerRef] != $Heap[stack0o, $ownerRef] || $Heap[this, $ownerFrame] != $Heap[stack0o, $ownerFrame]; + call $UpdateOwnersForRep(this, Bag, stack0o); + havoc temp2; + $Heap[this, $exposeVersion] := temp2; + $Heap[this, Bag.a] := stack0o; + assert !($Heap[this, $inv] <: Bag && $Heap[this, $localinv] != $BaseClass(Bag)) || 0 <= $Heap[this, Bag.n]; + assert !($Heap[this, $inv] <: Bag && $Heap[this, $localinv] != $BaseClass(Bag)) || $Heap[this, Bag.n] <= $Length($Heap[this, Bag.a]); + assume IsHeap($Heap); + // ----- call ----- AddMethod.ssc(15,5) + assert this != null; + call System.Object..ctor(this); + $Heap[this, $NonNullFieldsAreInitialized] := true; + assume IsHeap($Heap); + goto block3417; + + block3417: + // ----- load field ----- AddMethod.ssc(16,5) + assert this != null; + stack0o := $Heap[this, Bag.a]; + // ----- load constant 0 ----- AddMethod.ssc(16,5) + stack1i := 0; + // ----- call ----- AddMethod.ssc(16,5) + assert initialElements != null; + call System.Array.CopyTo$System.Array$notnull$System.Int32$.Virtual.$(initialElements, stack0o, stack1i); + // ----- FrameGuard processing ----- AddMethod.ssc(17,3) + temp3 := this; + // ----- classic pack ----- AddMethod.ssc(17,3) + assert temp3 != null; + assert $Heap[temp3, $inv] == System.Object && $Heap[temp3, $localinv] == $typeof(temp3); + assert 0 <= $Heap[temp3, Bag.n]; + assert $Heap[temp3, Bag.n] <= $Length($Heap[temp3, Bag.a]); + assert (forall $p: ref :: $p != null && $Heap[$p, $allocated] && $Heap[$p, $ownerRef] == temp3 && $Heap[$p, $ownerFrame] == Bag ==> $Heap[$p, $inv] == $typeof($p) && $Heap[$p, $localinv] == $typeof($p)); + $Heap[temp3, $inv] := Bag; + assume IsHeap($Heap); + // ----- return + return; +} + + + +procedure System.Object..ctor(this: ref where $IsNotNull(this, System.Object) && $Heap[this, $allocated]); + // object is fully unpacked: this.inv == Object + free requires ($Heap[this, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[this, $ownerRef], $inv] <: $Heap[this, $ownerFrame]) || $Heap[$Heap[this, $ownerRef], $localinv] == $BaseClass($Heap[this, $ownerFrame])) && $Heap[this, $inv] == System.Object && $Heap[this, $localinv] == $typeof(this); + // nothing is owned by [this,*] and 'this' is alone in its own peer group + free requires (forall $o: ref :: $o != this ==> $Heap[$o, $ownerRef] != this) && $Heap[this, $ownerRef] == this && $Heap[this, $ownerFrame] == $PeerGroupPlaceholder; + free requires $BeingConstructed == this; + free requires $PurityAxiomsCanBeAssumed; + modifies $Heap, $ActivityIndicator; + // target object is allocated upon return + free ensures $Heap[this, $allocated]; + // target object is additively exposable for System.Object + ensures ($Heap[this, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[this, $ownerRef], $inv] <: $Heap[this, $ownerFrame]) || $Heap[$Heap[this, $ownerRef], $localinv] == $BaseClass($Heap[this, $ownerFrame])) && $Heap[this, $inv] == System.Object && $Heap[this, $localinv] == $typeof(this); + ensures $Heap[this, $ownerRef] == old($Heap)[this, $ownerRef] && $Heap[this, $ownerFrame] == old($Heap)[this, $ownerFrame]; + ensures $Heap[this, $sharingMode] == $SharingMode_Unshared; + // newly allocated objects are fully valid + free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } $o != null && !old($Heap)[$o, $allocated] && $Heap[$o, $allocated] ==> $Heap[$o, $inv] == $typeof($o) && $Heap[$o, $localinv] == $typeof($o)); + // first consistent owner unchanged if its exposeVersion is + free ensures (forall $o: ref :: { $Heap[$o, $FirstConsistentOwner] } old($Heap)[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] == $Heap[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] ==> old($Heap)[$o, $FirstConsistentOwner] == $Heap[$o, $FirstConsistentOwner]); + // frame condition + ensures (forall<a> $o: ref, $f: Field a :: { $Heap[$o, $f] } IncludeInMainFrameCondition($f) && $o != null && old($Heap)[$o, $allocated] && (old($Heap)[$o, $ownerFrame] == $PeerGroupPlaceholder || !(old($Heap)[old($Heap)[$o, $ownerRef], $inv] <: old($Heap)[$o, $ownerFrame]) || old($Heap)[old($Heap)[$o, $ownerRef], $localinv] == $BaseClass(old($Heap)[$o, $ownerFrame])) && ($o != this || !(System.Object <: DeclType222($f))) && old(true) && old(true) ==> old($Heap)[$o, $f] == $Heap[$o, $f]); + free ensures $HeapSucc(old($Heap), $Heap); + // inv/localinv change only in blocks + free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } old($Heap)[$o, $allocated] && $o != this ==> old($Heap)[$o, $inv] == $Heap[$o, $inv] && old($Heap)[$o, $localinv] == $Heap[$o, $localinv]); + free ensures (forall $o: ref :: { $Heap[$o, $allocated] } old($Heap)[$o, $allocated] ==> $Heap[$o, $allocated]) && (forall $ot: ref :: { $Heap[$ot, $ownerFrame] } { $Heap[$ot, $ownerRef] } old($Heap)[$ot, $allocated] && old($Heap)[$ot, $ownerFrame] != $PeerGroupPlaceholder ==> $Heap[$ot, $ownerRef] == old($Heap)[$ot, $ownerRef] && $Heap[$ot, $ownerFrame] == old($Heap)[$ot, $ownerFrame]) && old($Heap)[$BeingConstructed, $NonNullFieldsAreInitialized] == $Heap[$BeingConstructed, $NonNullFieldsAreInitialized]; + free ensures (forall $o: ref :: { $Heap[$o, $sharingMode] } $o == this || old($Heap[$o, $sharingMode]) == $Heap[$o, $sharingMode]); + + + +procedure System.Array.CopyTo$System.Array$notnull$System.Int32$.Virtual.$(this: ref where $IsNotNull(this, System.Array) && $Heap[this, $allocated], array$in: ref where $IsNotNull(array$in, System.Array) && $Heap[array$in, $allocated], index$in: int where InRange(index$in, System.Int32)); + // user-declared preconditions + requires array$in != null; + requires $LBound(array$in, 0) <= index$in; + requires $Rank(this) == 1; + requires $Rank(array$in) == 1; + requires $Length(this) <= $UBound(array$in, 0) + 1 - index$in; + // target object is peer consistent + requires (forall $pc: ref :: { $typeof($pc) } { $Heap[$pc, $localinv] } { $Heap[$pc, $inv] } { $Heap[$pc, $ownerFrame] } { $Heap[$pc, $ownerRef] } $pc != null && $Heap[$pc, $allocated] && $Heap[$pc, $ownerRef] == $Heap[this, $ownerRef] && $Heap[$pc, $ownerFrame] == $Heap[this, $ownerFrame] ==> $Heap[$pc, $inv] == $typeof($pc) && $Heap[$pc, $localinv] == $typeof($pc)); + // target object is peer consistent (owner must not be valid) + requires $Heap[this, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[this, $ownerRef], $inv] <: $Heap[this, $ownerFrame]) || $Heap[$Heap[this, $ownerRef], $localinv] == $BaseClass($Heap[this, $ownerFrame]); + // array is peer consistent + requires (forall $pc: ref :: { $typeof($pc) } { $Heap[$pc, $localinv] } { $Heap[$pc, $inv] } { $Heap[$pc, $ownerFrame] } { $Heap[$pc, $ownerRef] } $pc != null && $Heap[$pc, $allocated] && $Heap[$pc, $ownerRef] == $Heap[array$in, $ownerRef] && $Heap[$pc, $ownerFrame] == $Heap[array$in, $ownerFrame] ==> $Heap[$pc, $inv] == $typeof($pc) && $Heap[$pc, $localinv] == $typeof($pc)); + // array is peer consistent (owner must not be valid) + requires $Heap[array$in, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[array$in, $ownerRef], $inv] <: $Heap[array$in, $ownerFrame]) || $Heap[$Heap[array$in, $ownerRef], $localinv] == $BaseClass($Heap[array$in, $ownerFrame]); + free requires $BeingConstructed == null; + free requires $PurityAxiomsCanBeAssumed; + modifies $Heap, $ActivityIndicator; + // hard-coded postcondition + ensures (forall $k: int :: { ValueArrayGet($Heap[array$in, $elements], $k) } (index$in <= $k && $k < index$in + $Length(this) ==> old(ValueArrayGet($Heap[this, $elements], $k + 0 - index$in)) == ValueArrayGet($Heap[array$in, $elements], $k)) && (!(index$in <= $k && $k < index$in + $Length(this)) ==> old(ValueArrayGet($Heap[array$in, $elements], $k)) == ValueArrayGet($Heap[array$in, $elements], $k))); + ensures (forall $k: int :: { IntArrayGet($Heap[array$in, $elements], $k) } (index$in <= $k && $k < index$in + $Length(this) ==> old(IntArrayGet($Heap[this, $elements], $k + 0 - index$in)) == IntArrayGet($Heap[array$in, $elements], $k)) && (!(index$in <= $k && $k < index$in + $Length(this)) ==> old(IntArrayGet($Heap[array$in, $elements], $k)) == IntArrayGet($Heap[array$in, $elements], $k))); + ensures (forall $k: int :: { RefArrayGet($Heap[array$in, $elements], $k) } (index$in <= $k && $k < index$in + $Length(this) ==> old(RefArrayGet($Heap[this, $elements], $k + 0 - index$in)) == RefArrayGet($Heap[array$in, $elements], $k)) && (!(index$in <= $k && $k < index$in + $Length(this)) ==> old(RefArrayGet($Heap[array$in, $elements], $k)) == RefArrayGet($Heap[array$in, $elements], $k))); + // newly allocated objects are fully valid + free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } $o != null && !old($Heap)[$o, $allocated] && $Heap[$o, $allocated] ==> $Heap[$o, $inv] == $typeof($o) && $Heap[$o, $localinv] == $typeof($o)); + // first consistent owner unchanged if its exposeVersion is + free ensures (forall $o: ref :: { $Heap[$o, $FirstConsistentOwner] } old($Heap)[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] == $Heap[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] ==> old($Heap)[$o, $FirstConsistentOwner] == $Heap[$o, $FirstConsistentOwner]); + // frame condition + ensures (forall<a> $o: ref, $f: Field a :: { $Heap[$o, $f] } IncludeInMainFrameCondition($f) && $o != null && old($Heap)[$o, $allocated] && (old($Heap)[$o, $ownerFrame] == $PeerGroupPlaceholder || !(old($Heap)[old($Heap)[$o, $ownerRef], $inv] <: old($Heap)[$o, $ownerFrame]) || old($Heap)[old($Heap)[$o, $ownerRef], $localinv] == $BaseClass(old($Heap)[$o, $ownerFrame])) && old($o != array$in || !($typeof(array$in) <: DeclType222($f)) || !$IncludedInModifiesStar($f)) && old($o != array$in || $f != $exposeVersion) ==> old($Heap)[$o, $f] == $Heap[$o, $f]); + free ensures $HeapSucc(old($Heap), $Heap); + // inv/localinv change only in blocks + free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } old($Heap)[$o, $allocated] ==> old($Heap)[$o, $inv] == $Heap[$o, $inv] && old($Heap)[$o, $localinv] == $Heap[$o, $localinv]); + free ensures (forall $o: ref :: { $Heap[$o, $allocated] } old($Heap)[$o, $allocated] ==> $Heap[$o, $allocated]) && (forall $ot: ref :: { $Heap[$ot, $ownerFrame] } { $Heap[$ot, $ownerRef] } old($Heap)[$ot, $allocated] && old($Heap)[$ot, $ownerFrame] != $PeerGroupPlaceholder ==> $Heap[$ot, $ownerRef] == old($Heap)[$ot, $ownerRef] && $Heap[$ot, $ownerFrame] == old($Heap)[$ot, $ownerFrame]) && old($Heap)[$BeingConstructed, $NonNullFieldsAreInitialized] == $Heap[$BeingConstructed, $NonNullFieldsAreInitialized]; + free ensures (forall $o: ref :: { $Heap[$o, $sharingMode] } old($Heap[$o, $sharingMode]) == $Heap[$o, $sharingMode]); + + + +procedure Bag.Add$System.Int32(this: ref where $IsNotNull(this, Bag) && $Heap[this, $allocated], x$in: int where InRange(x$in, System.Int32)); + // target object is peer consistent + requires (forall $pc: ref :: { $typeof($pc) } { $Heap[$pc, $localinv] } { $Heap[$pc, $inv] } { $Heap[$pc, $ownerFrame] } { $Heap[$pc, $ownerRef] } $pc != null && $Heap[$pc, $allocated] && $Heap[$pc, $ownerRef] == $Heap[this, $ownerRef] && $Heap[$pc, $ownerFrame] == $Heap[this, $ownerFrame] ==> $Heap[$pc, $inv] == $typeof($pc) && $Heap[$pc, $localinv] == $typeof($pc)); + // target object is peer consistent (owner must not be valid) + requires $Heap[this, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[this, $ownerRef], $inv] <: $Heap[this, $ownerFrame]) || $Heap[$Heap[this, $ownerRef], $localinv] == $BaseClass($Heap[this, $ownerFrame]); + free requires $BeingConstructed == null; + free requires $PurityAxiomsCanBeAssumed; + modifies $Heap, $ActivityIndicator; + // newly allocated objects are fully valid + free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } $o != null && !old($Heap)[$o, $allocated] && $Heap[$o, $allocated] ==> $Heap[$o, $inv] == $typeof($o) && $Heap[$o, $localinv] == $typeof($o)); + // first consistent owner unchanged if its exposeVersion is + free ensures (forall $o: ref :: { $Heap[$o, $FirstConsistentOwner] } old($Heap)[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] == $Heap[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] ==> old($Heap)[$o, $FirstConsistentOwner] == $Heap[$o, $FirstConsistentOwner]); + // frame condition + ensures (forall<a> $o: ref, $f: Field a :: { $Heap[$o, $f] } IncludeInMainFrameCondition($f) && $o != null && old($Heap)[$o, $allocated] && (old($Heap)[$o, $ownerFrame] == $PeerGroupPlaceholder || !(old($Heap)[old($Heap)[$o, $ownerRef], $inv] <: old($Heap)[$o, $ownerFrame]) || old($Heap)[old($Heap)[$o, $ownerRef], $localinv] == $BaseClass(old($Heap)[$o, $ownerFrame])) && old($o != this || !($typeof(this) <: DeclType222($f)) || !$IncludedInModifiesStar($f)) && old($o != this || $f != $exposeVersion) ==> old($Heap)[$o, $f] == $Heap[$o, $f]); + free ensures $HeapSucc(old($Heap), $Heap); + // inv/localinv change only in blocks + free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } old($Heap)[$o, $allocated] ==> old($Heap)[$o, $inv] == $Heap[$o, $inv] && old($Heap)[$o, $localinv] == $Heap[$o, $localinv]); + free ensures (forall $o: ref :: { $Heap[$o, $allocated] } old($Heap)[$o, $allocated] ==> $Heap[$o, $allocated]) && (forall $ot: ref :: { $Heap[$ot, $ownerFrame] } { $Heap[$ot, $ownerRef] } old($Heap)[$ot, $allocated] && old($Heap)[$ot, $ownerFrame] != $PeerGroupPlaceholder ==> $Heap[$ot, $ownerRef] == old($Heap)[$ot, $ownerRef] && $Heap[$ot, $ownerFrame] == old($Heap)[$ot, $ownerFrame]) && old($Heap)[$BeingConstructed, $NonNullFieldsAreInitialized] == $Heap[$BeingConstructed, $NonNullFieldsAreInitialized]; + free ensures (forall $o: ref :: { $Heap[$o, $sharingMode] } old($Heap[$o, $sharingMode]) == $Heap[$o, $sharingMode]); + + + +implementation Bag.Add$System.Int32(this: ref, x$in: int) +{ + var x: int where InRange(x, System.Int32), temp0: ref, stack1s: struct, stack1o: ref, temp1: exposeVersionType, local2: ref where $Is(local2, System.Exception) && $Heap[local2, $allocated], stack0i: int, stack1i: int, stack0b: bool, b: ref where $Is(b, IntArray(System.Int32, 1)) && $Heap[b, $allocated], temp2: ref, stack0o: ref, stack2o: ref, stack3i: int, stack4o: ref, stack4i: int, temp3: exposeVersionType, local4: int where InRange(local4, System.Int32), temp4: exposeVersionType, stack0s: struct; + + entry: + x := x$in; + goto block4335; + + block4335: + goto block4488; + + block4488: + // ----- nop + // ----- FrameGuard processing ----- AddMethod.ssc(22,13) + temp0 := this; + // ----- load token ----- AddMethod.ssc(22,13) + havoc stack1s; + assume $IsTokenForType(stack1s, Bag); + // ----- statically resolved GetTypeFromHandle call ----- AddMethod.ssc(22,13) + stack1o := TypeObject(Bag); + // ----- local unpack ----- AddMethod.ssc(22,13) + assert temp0 != null; + assert ($Heap[temp0, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[temp0, $ownerRef], $inv] <: $Heap[temp0, $ownerFrame]) || $Heap[$Heap[temp0, $ownerRef], $localinv] == $BaseClass($Heap[temp0, $ownerFrame])) && $Heap[temp0, $inv] <: Bag && $Heap[temp0, $localinv] == $typeof(temp0); + $Heap[temp0, $localinv] := System.Object; + havoc temp1; + $Heap[temp0, $exposeVersion] := temp1; + assume IsHeap($Heap); + local2 := null; + goto block4505; + + block4505: + // ----- load field ----- AddMethod.ssc(24,7) + assert this != null; + stack0i := $Heap[this, Bag.n]; + // ----- load field ----- AddMethod.ssc(24,7) + assert this != null; + stack1o := $Heap[this, Bag.a]; + // ----- unary operator ----- AddMethod.ssc(24,7) + assert stack1o != null; + stack1i := $Length(stack1o); + // ----- unary operator ----- AddMethod.ssc(24,7) + stack1i := $IntToInt(stack1i, System.UIntPtr, System.Int32); + // ----- binary operator ----- AddMethod.ssc(24,7) + // ----- branch ----- AddMethod.ssc(24,7) + goto true4505to4539, false4505to4522; + + true4505to4539: + assume stack0i != stack1i; + goto block4539; + + false4505to4522: + assume stack0i == stack1i; + goto block4522; + + block4539: + // ----- load field ----- AddMethod.ssc(30,7) + assert this != null; + stack0o := $Heap[this, Bag.a]; + // ----- load field ----- AddMethod.ssc(30,7) + assert this != null; + stack1i := $Heap[this, Bag.n]; + // ----- store element ----- AddMethod.ssc(30,7) + assert stack0o != null; + assert 0 <= stack1i; + assert stack1i < $Length(stack0o); + assert $Heap[stack0o, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[stack0o, $ownerRef], $inv] <: $Heap[stack0o, $ownerFrame]) || $Heap[$Heap[stack0o, $ownerRef], $localinv] == $BaseClass($Heap[stack0o, $ownerFrame]); + $Heap[stack0o, $elements] := IntArraySet($Heap[stack0o, $elements], stack1i, x); + assume IsHeap($Heap); + // ----- load field ----- AddMethod.ssc(31,7) + assert this != null; + local4 := $Heap[this, Bag.n]; + // ----- load constant 1 ----- AddMethod.ssc(31,7) + stack0i := 1; + // ----- binary operator ----- AddMethod.ssc(31,7) + stack0i := local4 + stack0i; + // ----- store field ----- AddMethod.ssc(31,7) + assert this != null; + assert $Heap[this, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[this, $ownerRef], $inv] <: $Heap[this, $ownerFrame]) || $Heap[$Heap[this, $ownerRef], $localinv] == $BaseClass($Heap[this, $ownerFrame]); + havoc temp4; + $Heap[this, $exposeVersion] := temp4; + $Heap[this, Bag.n] := stack0i; + assert !($Heap[this, $inv] <: Bag && $Heap[this, $localinv] != $BaseClass(Bag)) || 0 <= $Heap[this, Bag.n]; + assert !($Heap[this, $inv] <: Bag && $Heap[this, $localinv] != $BaseClass(Bag)) || $Heap[this, Bag.n] <= $Length($Heap[this, Bag.a]); + assume IsHeap($Heap); + // ----- copy + stack0i := local4; + // ----- branch + goto block4658; + + block4522: + // ----- load constant 2 ----- AddMethod.ssc(26,15) + stack0i := 2; + // ----- load field ----- AddMethod.ssc(26,15) + assert this != null; + stack1o := $Heap[this, Bag.a]; + // ----- unary operator ----- AddMethod.ssc(26,15) + assert stack1o != null; + stack1i := $Length(stack1o); + // ----- unary operator ----- AddMethod.ssc(26,15) + stack1i := $IntToInt(stack1i, System.UIntPtr, System.Int32); + // ----- binary operator ----- AddMethod.ssc(26,15) + stack0i := stack0i * stack1i; + // ----- load constant 1 ----- AddMethod.ssc(26,15) + stack1i := 1; + // ----- binary operator ----- AddMethod.ssc(26,15) + stack0i := stack0i + stack1i; + // ----- new array ----- AddMethod.ssc(26,15) + assert 0 <= stack0i; + havoc temp2; + assume $Heap[temp2, $allocated] == false && $Length(temp2) == stack0i; + assume $Heap[$ElementProxy(temp2, -1), $allocated] == false && $ElementProxy(temp2, -1) != temp2 && $ElementProxy(temp2, -1) != null; + assume temp2 != null; + assume $typeof(temp2) == IntArray(System.Int32, 1); + assume $Heap[temp2, $ownerRef] == temp2 && $Heap[temp2, $ownerFrame] == $PeerGroupPlaceholder; + assume $Heap[$ElementProxy(temp2, -1), $ownerRef] == $ElementProxy(temp2, -1) && $Heap[$ElementProxy(temp2, -1), $ownerFrame] == $PeerGroupPlaceholder; + assume $Heap[temp2, $inv] == $typeof(temp2) && $Heap[temp2, $localinv] == $typeof(temp2); + assume (forall $i: int :: IntArrayGet($Heap[temp2, $elements], $i) == 0); + $Heap[temp2, $allocated] := true; + call System.Object..ctor($ElementProxy(temp2, -1)); + b := temp2; + assume IsHeap($Heap); + // ----- load field ----- AddMethod.ssc(27,9) + assert this != null; + stack0o := $Heap[this, Bag.a]; + // ----- load constant 0 ----- AddMethod.ssc(27,9) + stack1i := 0; + // ----- copy ----- AddMethod.ssc(27,9) + stack2o := b; + // ----- load constant 0 ----- AddMethod.ssc(27,9) + stack3i := 0; + // ----- load field ----- AddMethod.ssc(27,9) + assert this != null; + stack4o := $Heap[this, Bag.a]; + // ----- unary operator ----- AddMethod.ssc(27,9) + assert stack4o != null; + stack4i := $Length(stack4o); + // ----- unary operator ----- AddMethod.ssc(27,9) + stack4i := $IntToInt(stack4i, System.UIntPtr, System.Int32); + // ----- call ----- AddMethod.ssc(27,9) + call System.Array.Copy$System.Array$notnull$System.Int32$System.Array$notnull$System.Int32$System.Int32(stack0o, stack1i, stack2o, stack3i, stack4i); + // ----- store field ----- AddMethod.ssc(28,9) + assert this != null; + assert $Heap[this, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[this, $ownerRef], $inv] <: $Heap[this, $ownerFrame]) || $Heap[$Heap[this, $ownerRef], $localinv] == $BaseClass($Heap[this, $ownerFrame]); + assert ($Heap[b, $ownerRef] == this && $Heap[b, $ownerFrame] == Bag) || $Heap[b, $ownerFrame] == $PeerGroupPlaceholder; + assert $Heap[b, $ownerFrame] == $PeerGroupPlaceholder && $Heap[this, $inv] <: Bag && $Heap[this, $localinv] != $BaseClass(Bag) ==> (forall $pc: ref :: { $typeof($pc) } { $Heap[$pc, $localinv] } { $Heap[$pc, $inv] } { $Heap[$pc, $ownerFrame] } { $Heap[$pc, $ownerRef] } $pc != null && $Heap[$pc, $allocated] && $Heap[$pc, $ownerRef] == $Heap[b, $ownerRef] && $Heap[$pc, $ownerFrame] == $Heap[b, $ownerFrame] ==> $Heap[$pc, $inv] == $typeof($pc) && $Heap[$pc, $localinv] == $typeof($pc)); + assert $Heap[b, $ownerFrame] == $PeerGroupPlaceholder && $Heap[this, $inv] <: Bag && $Heap[this, $localinv] != $BaseClass(Bag) ==> $Heap[this, $ownerRef] != $Heap[b, $ownerRef] || $Heap[this, $ownerFrame] != $Heap[b, $ownerFrame]; + call $UpdateOwnersForRep(this, Bag, b); + havoc temp3; + $Heap[this, $exposeVersion] := temp3; + $Heap[this, Bag.a] := b; + assert !($Heap[this, $inv] <: Bag && $Heap[this, $localinv] != $BaseClass(Bag)) || 0 <= $Heap[this, Bag.n]; + assert !($Heap[this, $inv] <: Bag && $Heap[this, $localinv] != $BaseClass(Bag)) || $Heap[this, Bag.n] <= $Length($Heap[this, Bag.a]); + assume IsHeap($Heap); + goto block4539; + + block4658: + stack0o := null; + // ----- binary operator + // ----- branch + goto true4658to4624, false4658to4641; + + true4658to4624: + assume local2 == stack0o; + goto block4624; + + false4658to4641: + assume local2 != stack0o; + goto block4641; + + block4624: + // ----- load token ----- AddMethod.ssc(32,5) + havoc stack0s; + assume $IsTokenForType(stack0s, Bag); + // ----- statically resolved GetTypeFromHandle call ----- AddMethod.ssc(32,5) + stack0o := TypeObject(Bag); + // ----- local pack ----- AddMethod.ssc(32,5) + assert temp0 != null; + assert $Heap[temp0, $localinv] == System.Object; + assert 0 <= $Heap[temp0, Bag.n]; + assert $Heap[temp0, Bag.n] <= $Length($Heap[temp0, Bag.a]); + assert (forall $p: ref :: $p != null && $Heap[$p, $allocated] && $Heap[$p, $ownerRef] == temp0 && $Heap[$p, $ownerFrame] == Bag ==> $Heap[$p, $inv] == $typeof($p) && $Heap[$p, $localinv] == $typeof($p)); + $Heap[temp0, $localinv] := $typeof(temp0); + assume IsHeap($Heap); + goto block4726; + + block4641: + // ----- is instance + // ----- branch + goto true4641to4624, false4641to4692; + + true4641to4624: + assume $As(local2, Microsoft.Contracts.ICheckedException) != null; + goto block4624; + + false4641to4692: + assume $As(local2, Microsoft.Contracts.ICheckedException) == null; + goto block4692; + + block4692: + // ----- branch + goto block4726; + + block4726: + // ----- nop + // ----- branch + goto block4590; + + block4590: + // ----- return + return; +} + + + +axiom System.Type <: System.Type; + +axiom System.Reflection.MemberInfo <: System.Reflection.MemberInfo; + +axiom $BaseClass(System.Reflection.MemberInfo) == System.Object && AsDirectSubClass(System.Reflection.MemberInfo, $BaseClass(System.Reflection.MemberInfo)) == System.Reflection.MemberInfo; + +axiom $IsImmutable(System.Reflection.MemberInfo) && $AsImmutable(System.Reflection.MemberInfo) == System.Reflection.MemberInfo; + +axiom System.Reflection.ICustomAttributeProvider <: System.Reflection.ICustomAttributeProvider; + +axiom System.Reflection.ICustomAttributeProvider <: System.Object; + +axiom $IsMemberlessType(System.Reflection.ICustomAttributeProvider); + +axiom $AsInterface(System.Reflection.ICustomAttributeProvider) == System.Reflection.ICustomAttributeProvider; + +axiom System.Reflection.MemberInfo <: System.Reflection.ICustomAttributeProvider; + +axiom System.Runtime.InteropServices._MemberInfo <: System.Runtime.InteropServices._MemberInfo; + +axiom System.Runtime.InteropServices._MemberInfo <: System.Object; + +axiom $IsMemberlessType(System.Runtime.InteropServices._MemberInfo); + +axiom $AsInterface(System.Runtime.InteropServices._MemberInfo) == System.Runtime.InteropServices._MemberInfo; + +axiom System.Reflection.MemberInfo <: System.Runtime.InteropServices._MemberInfo; + +axiom $IsMemberlessType(System.Reflection.MemberInfo); + +// System.Reflection.MemberInfo object invariant +axiom (forall $oi: ref, $h: Heap :: { $h[$oi, $inv] <: System.Reflection.MemberInfo } IsHeap($h) && $h[$oi, $inv] <: System.Reflection.MemberInfo && $h[$oi, $localinv] != $BaseClass(System.Reflection.MemberInfo) ==> true); + +axiom $BaseClass(System.Type) == System.Reflection.MemberInfo && AsDirectSubClass(System.Type, $BaseClass(System.Type)) == System.Type; + +axiom $IsImmutable(System.Type) && $AsImmutable(System.Type) == System.Type; + +axiom System.Runtime.InteropServices._Type <: System.Runtime.InteropServices._Type; + +axiom System.Runtime.InteropServices._Type <: System.Object; + +axiom $IsMemberlessType(System.Runtime.InteropServices._Type); + +axiom $AsInterface(System.Runtime.InteropServices._Type) == System.Runtime.InteropServices._Type; + +axiom System.Type <: System.Runtime.InteropServices._Type; + +axiom System.Reflection.IReflect <: System.Reflection.IReflect; + +axiom System.Reflection.IReflect <: System.Object; + +axiom $IsMemberlessType(System.Reflection.IReflect); + +axiom $AsInterface(System.Reflection.IReflect) == System.Reflection.IReflect; + +axiom System.Type <: System.Reflection.IReflect; + +axiom $IsMemberlessType(System.Type); + +// System.Type object invariant +axiom (forall $oi: ref, $h: Heap :: { $h[$oi, $inv] <: System.Type } IsHeap($h) && $h[$oi, $inv] <: System.Type && $h[$oi, $localinv] != $BaseClass(System.Type) ==> true); + +procedure System.Array.Copy$System.Array$notnull$System.Int32$System.Array$notnull$System.Int32$System.Int32(sourceArray$in: ref where $IsNotNull(sourceArray$in, System.Array) && $Heap[sourceArray$in, $allocated], sourceIndex$in: int where InRange(sourceIndex$in, System.Int32), destinationArray$in: ref where $IsNotNull(destinationArray$in, System.Array) && $Heap[destinationArray$in, $allocated], destinationIndex$in: int where InRange(destinationIndex$in, System.Int32), length$in: int where InRange(length$in, System.Int32)); + // user-declared preconditions + requires sourceArray$in != null; + requires destinationArray$in != null; + requires $Rank(sourceArray$in) == $Rank(destinationArray$in); + requires sourceIndex$in >= $LBound(sourceArray$in, 0); + requires destinationIndex$in >= $LBound(destinationArray$in, 0); + requires length$in >= 0; + requires sourceIndex$in + length$in <= $LBound(sourceArray$in, 0) + $Length(sourceArray$in); + requires destinationIndex$in + length$in <= $LBound(destinationArray$in, 0) + $Length(destinationArray$in); + // sourceArray is peer consistent + requires (forall $pc: ref :: { $typeof($pc) } { $Heap[$pc, $localinv] } { $Heap[$pc, $inv] } { $Heap[$pc, $ownerFrame] } { $Heap[$pc, $ownerRef] } $pc != null && $Heap[$pc, $allocated] && $Heap[$pc, $ownerRef] == $Heap[sourceArray$in, $ownerRef] && $Heap[$pc, $ownerFrame] == $Heap[sourceArray$in, $ownerFrame] ==> $Heap[$pc, $inv] == $typeof($pc) && $Heap[$pc, $localinv] == $typeof($pc)); + // sourceArray is peer consistent (owner must not be valid) + requires $Heap[sourceArray$in, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[sourceArray$in, $ownerRef], $inv] <: $Heap[sourceArray$in, $ownerFrame]) || $Heap[$Heap[sourceArray$in, $ownerRef], $localinv] == $BaseClass($Heap[sourceArray$in, $ownerFrame]); + // destinationArray is peer consistent + requires (forall $pc: ref :: { $typeof($pc) } { $Heap[$pc, $localinv] } { $Heap[$pc, $inv] } { $Heap[$pc, $ownerFrame] } { $Heap[$pc, $ownerRef] } $pc != null && $Heap[$pc, $allocated] && $Heap[$pc, $ownerRef] == $Heap[destinationArray$in, $ownerRef] && $Heap[$pc, $ownerFrame] == $Heap[destinationArray$in, $ownerFrame] ==> $Heap[$pc, $inv] == $typeof($pc) && $Heap[$pc, $localinv] == $typeof($pc)); + // destinationArray is peer consistent (owner must not be valid) + requires $Heap[destinationArray$in, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[destinationArray$in, $ownerRef], $inv] <: $Heap[destinationArray$in, $ownerFrame]) || $Heap[$Heap[destinationArray$in, $ownerRef], $localinv] == $BaseClass($Heap[destinationArray$in, $ownerFrame]); + free requires $BeingConstructed == null; + free requires $PurityAxiomsCanBeAssumed; + modifies $Heap, $ActivityIndicator; + // hard-coded postcondition + ensures (forall $k: int :: { ValueArrayGet($Heap[destinationArray$in, $elements], $k) } (destinationIndex$in <= $k && $k < destinationIndex$in + length$in ==> old(ValueArrayGet($Heap[sourceArray$in, $elements], $k + sourceIndex$in - destinationIndex$in)) == ValueArrayGet($Heap[destinationArray$in, $elements], $k)) && (!(destinationIndex$in <= $k && $k < destinationIndex$in + length$in) ==> old(ValueArrayGet($Heap[destinationArray$in, $elements], $k)) == ValueArrayGet($Heap[destinationArray$in, $elements], $k))); + ensures (forall $k: int :: { IntArrayGet($Heap[destinationArray$in, $elements], $k) } (destinationIndex$in <= $k && $k < destinationIndex$in + length$in ==> old(IntArrayGet($Heap[sourceArray$in, $elements], $k + sourceIndex$in - destinationIndex$in)) == IntArrayGet($Heap[destinationArray$in, $elements], $k)) && (!(destinationIndex$in <= $k && $k < destinationIndex$in + length$in) ==> old(IntArrayGet($Heap[destinationArray$in, $elements], $k)) == IntArrayGet($Heap[destinationArray$in, $elements], $k))); + ensures (forall $k: int :: { RefArrayGet($Heap[destinationArray$in, $elements], $k) } (destinationIndex$in <= $k && $k < destinationIndex$in + length$in ==> old(RefArrayGet($Heap[sourceArray$in, $elements], $k + sourceIndex$in - destinationIndex$in)) == RefArrayGet($Heap[destinationArray$in, $elements], $k)) && (!(destinationIndex$in <= $k && $k < destinationIndex$in + length$in) ==> old(RefArrayGet($Heap[destinationArray$in, $elements], $k)) == RefArrayGet($Heap[destinationArray$in, $elements], $k))); + // newly allocated objects are fully valid + free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } $o != null && !old($Heap)[$o, $allocated] && $Heap[$o, $allocated] ==> $Heap[$o, $inv] == $typeof($o) && $Heap[$o, $localinv] == $typeof($o)); + // first consistent owner unchanged if its exposeVersion is + free ensures (forall $o: ref :: { $Heap[$o, $FirstConsistentOwner] } old($Heap)[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] == $Heap[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] ==> old($Heap)[$o, $FirstConsistentOwner] == $Heap[$o, $FirstConsistentOwner]); + // frame condition + ensures (forall<a> $o: ref, $f: Field a :: { $Heap[$o, $f] } IncludeInMainFrameCondition($f) && $o != null && old($Heap)[$o, $allocated] && (old($Heap)[$o, $ownerFrame] == $PeerGroupPlaceholder || !(old($Heap)[old($Heap)[$o, $ownerRef], $inv] <: old($Heap)[$o, $ownerFrame]) || old($Heap)[old($Heap)[$o, $ownerRef], $localinv] == $BaseClass(old($Heap)[$o, $ownerFrame])) && old($o != destinationArray$in || !($typeof(destinationArray$in) <: DeclType222($f)) || !$IncludedInModifiesStar($f)) && old($o != destinationArray$in || $f != $exposeVersion) ==> old($Heap)[$o, $f] == $Heap[$o, $f]); + free ensures $HeapSucc(old($Heap), $Heap); + // inv/localinv change only in blocks + free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } old($Heap)[$o, $allocated] ==> old($Heap)[$o, $inv] == $Heap[$o, $inv] && old($Heap)[$o, $localinv] == $Heap[$o, $localinv]); + free ensures (forall $o: ref :: { $Heap[$o, $allocated] } old($Heap)[$o, $allocated] ==> $Heap[$o, $allocated]) && (forall $ot: ref :: { $Heap[$ot, $ownerFrame] } { $Heap[$ot, $ownerRef] } old($Heap)[$ot, $allocated] && old($Heap)[$ot, $ownerFrame] != $PeerGroupPlaceholder ==> $Heap[$ot, $ownerRef] == old($Heap)[$ot, $ownerRef] && $Heap[$ot, $ownerFrame] == old($Heap)[$ot, $ownerFrame]) && old($Heap)[$BeingConstructed, $NonNullFieldsAreInitialized] == $Heap[$BeingConstructed, $NonNullFieldsAreInitialized]; + free ensures (forall $o: ref :: { $Heap[$o, $sharingMode] } old($Heap[$o, $sharingMode]) == $Heap[$o, $sharingMode]); + + + +axiom Microsoft.Contracts.ICheckedException <: Microsoft.Contracts.ICheckedException; + +axiom Microsoft.Contracts.ICheckedException <: System.Object; + +axiom $IsMemberlessType(Microsoft.Contracts.ICheckedException); + +axiom $AsInterface(Microsoft.Contracts.ICheckedException) == Microsoft.Contracts.ICheckedException; + +procedure Bag.AddAgain$System.Int32(this: ref where $IsNotNull(this, Bag) && $Heap[this, $allocated], x$in: int where InRange(x$in, System.Int32)); + // target object is peer consistent + requires (forall $pc: ref :: { $typeof($pc) } { $Heap[$pc, $localinv] } { $Heap[$pc, $inv] } { $Heap[$pc, $ownerFrame] } { $Heap[$pc, $ownerRef] } $pc != null && $Heap[$pc, $allocated] && $Heap[$pc, $ownerRef] == $Heap[this, $ownerRef] && $Heap[$pc, $ownerFrame] == $Heap[this, $ownerFrame] ==> $Heap[$pc, $inv] == $typeof($pc) && $Heap[$pc, $localinv] == $typeof($pc)); + // target object is peer consistent (owner must not be valid) + requires $Heap[this, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[this, $ownerRef], $inv] <: $Heap[this, $ownerFrame]) || $Heap[$Heap[this, $ownerRef], $localinv] == $BaseClass($Heap[this, $ownerFrame]); + free requires $BeingConstructed == null; + free requires $PurityAxiomsCanBeAssumed; + modifies $Heap, $ActivityIndicator; + // newly allocated objects are fully valid + free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } $o != null && !old($Heap)[$o, $allocated] && $Heap[$o, $allocated] ==> $Heap[$o, $inv] == $typeof($o) && $Heap[$o, $localinv] == $typeof($o)); + // first consistent owner unchanged if its exposeVersion is + free ensures (forall $o: ref :: { $Heap[$o, $FirstConsistentOwner] } old($Heap)[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] == $Heap[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] ==> old($Heap)[$o, $FirstConsistentOwner] == $Heap[$o, $FirstConsistentOwner]); + // frame condition + ensures (forall<a> $o: ref, $f: Field a :: { $Heap[$o, $f] } IncludeInMainFrameCondition($f) && $o != null && old($Heap)[$o, $allocated] && (old($Heap)[$o, $ownerFrame] == $PeerGroupPlaceholder || !(old($Heap)[old($Heap)[$o, $ownerRef], $inv] <: old($Heap)[$o, $ownerFrame]) || old($Heap)[old($Heap)[$o, $ownerRef], $localinv] == $BaseClass(old($Heap)[$o, $ownerFrame])) && old($o != this || !($typeof(this) <: DeclType222($f)) || !$IncludedInModifiesStar($f)) && old($o != this || $f != $exposeVersion) ==> old($Heap)[$o, $f] == $Heap[$o, $f]); + free ensures $HeapSucc(old($Heap), $Heap); + // inv/localinv change only in blocks + free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } old($Heap)[$o, $allocated] ==> old($Heap)[$o, $inv] == $Heap[$o, $inv] && old($Heap)[$o, $localinv] == $Heap[$o, $localinv]); + free ensures (forall $o: ref :: { $Heap[$o, $allocated] } old($Heap)[$o, $allocated] ==> $Heap[$o, $allocated]) && (forall $ot: ref :: { $Heap[$ot, $ownerFrame] } { $Heap[$ot, $ownerRef] } old($Heap)[$ot, $allocated] && old($Heap)[$ot, $ownerFrame] != $PeerGroupPlaceholder ==> $Heap[$ot, $ownerRef] == old($Heap)[$ot, $ownerRef] && $Heap[$ot, $ownerFrame] == old($Heap)[$ot, $ownerFrame]) && old($Heap)[$BeingConstructed, $NonNullFieldsAreInitialized] == $Heap[$BeingConstructed, $NonNullFieldsAreInitialized]; + free ensures (forall $o: ref :: { $Heap[$o, $sharingMode] } old($Heap[$o, $sharingMode]) == $Heap[$o, $sharingMode]); + + + +implementation Bag.AddAgain$System.Int32(this: ref, x$in: int) +{ + var x: int where InRange(x, System.Int32), temp0: ref, stack1s: struct, stack1o: ref, temp1: exposeVersionType, local2: ref where $Is(local2, System.Exception) && $Heap[local2, $allocated], stack0i: int, stack1i: int, stack0b: bool, stack0o: ref, local4: int where InRange(local4, System.Int32), temp2: exposeVersionType, b: ref where $Is(b, IntArray(System.Int32, 1)) && $Heap[b, $allocated], temp3: ref, stack2i: int, temp4: exposeVersionType, stack0s: struct; + + entry: + x := x$in; + goto block6188; + + block6188: + goto block6341; + + block6341: + // ----- nop + // ----- FrameGuard processing ----- AddMethod.ssc(38,13) + temp0 := this; + // ----- load token ----- AddMethod.ssc(38,13) + havoc stack1s; + assume $IsTokenForType(stack1s, Bag); + // ----- statically resolved GetTypeFromHandle call ----- AddMethod.ssc(38,13) + stack1o := TypeObject(Bag); + // ----- local unpack ----- AddMethod.ssc(38,13) + assert temp0 != null; + assert ($Heap[temp0, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[temp0, $ownerRef], $inv] <: $Heap[temp0, $ownerFrame]) || $Heap[$Heap[temp0, $ownerRef], $localinv] == $BaseClass($Heap[temp0, $ownerFrame])) && $Heap[temp0, $inv] <: Bag && $Heap[temp0, $localinv] == $typeof(temp0); + $Heap[temp0, $localinv] := System.Object; + havoc temp1; + $Heap[temp0, $exposeVersion] := temp1; + assume IsHeap($Heap); + local2 := null; + goto block6358; + + block6358: + // ----- load field ----- AddMethod.ssc(40,7) + assert this != null; + stack0i := $Heap[this, Bag.n]; + // ----- load field ----- AddMethod.ssc(40,7) + assert this != null; + stack1o := $Heap[this, Bag.a]; + // ----- unary operator ----- AddMethod.ssc(40,7) + assert stack1o != null; + stack1i := $Length(stack1o); + // ----- unary operator ----- AddMethod.ssc(40,7) + stack1i := $IntToInt(stack1i, System.UIntPtr, System.Int32); + // ----- binary operator ----- AddMethod.ssc(40,7) + // ----- branch ----- AddMethod.ssc(40,7) + goto true6358to6392, false6358to6375; + + true6358to6392: + assume stack0i != stack1i; + goto block6392; + + false6358to6375: + assume stack0i == stack1i; + goto block6375; + + block6392: + // ----- load field ----- AddMethod.ssc(46,7) + assert this != null; + stack0o := $Heap[this, Bag.a]; + // ----- load field ----- AddMethod.ssc(46,7) + assert this != null; + stack1i := $Heap[this, Bag.n]; + // ----- store element ----- AddMethod.ssc(46,7) + assert stack0o != null; + assert 0 <= stack1i; + assert stack1i < $Length(stack0o); + assert $Heap[stack0o, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[stack0o, $ownerRef], $inv] <: $Heap[stack0o, $ownerFrame]) || $Heap[$Heap[stack0o, $ownerRef], $localinv] == $BaseClass($Heap[stack0o, $ownerFrame]); + $Heap[stack0o, $elements] := IntArraySet($Heap[stack0o, $elements], stack1i, x); + assume IsHeap($Heap); + // ----- load field ----- AddMethod.ssc(47,7) + assert this != null; + local4 := $Heap[this, Bag.n]; + // ----- load constant 1 ----- AddMethod.ssc(47,7) + stack0i := 1; + // ----- binary operator ----- AddMethod.ssc(47,7) + stack0i := local4 + stack0i; + // ----- store field ----- AddMethod.ssc(47,7) + assert this != null; + assert $Heap[this, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[this, $ownerRef], $inv] <: $Heap[this, $ownerFrame]) || $Heap[$Heap[this, $ownerRef], $localinv] == $BaseClass($Heap[this, $ownerFrame]); + havoc temp2; + $Heap[this, $exposeVersion] := temp2; + $Heap[this, Bag.n] := stack0i; + assert !($Heap[this, $inv] <: Bag && $Heap[this, $localinv] != $BaseClass(Bag)) || 0 <= $Heap[this, Bag.n]; + assert !($Heap[this, $inv] <: Bag && $Heap[this, $localinv] != $BaseClass(Bag)) || $Heap[this, Bag.n] <= $Length($Heap[this, Bag.a]); + assume IsHeap($Heap); + // ----- copy + stack0i := local4; + // ----- branch + goto block6562; + + block6375: + // ----- load constant 2 ----- AddMethod.ssc(42,15) + stack0i := 2; + // ----- load field ----- AddMethod.ssc(42,15) + assert this != null; + stack1o := $Heap[this, Bag.a]; + // ----- unary operator ----- AddMethod.ssc(42,15) + assert stack1o != null; + stack1i := $Length(stack1o); + // ----- unary operator ----- AddMethod.ssc(42,15) + stack1i := $IntToInt(stack1i, System.UIntPtr, System.Int32); + // ----- binary operator ----- AddMethod.ssc(42,15) + stack0i := stack0i * stack1i; + // ----- load constant 1 ----- AddMethod.ssc(42,15) + stack1i := 1; + // ----- binary operator ----- AddMethod.ssc(42,15) + stack0i := stack0i + stack1i; + // ----- new array ----- AddMethod.ssc(42,15) + assert 0 <= stack0i; + havoc temp3; + assume $Heap[temp3, $allocated] == false && $Length(temp3) == stack0i; + assume $Heap[$ElementProxy(temp3, -1), $allocated] == false && $ElementProxy(temp3, -1) != temp3 && $ElementProxy(temp3, -1) != null; + assume temp3 != null; + assume $typeof(temp3) == IntArray(System.Int32, 1); + assume $Heap[temp3, $ownerRef] == temp3 && $Heap[temp3, $ownerFrame] == $PeerGroupPlaceholder; + assume $Heap[$ElementProxy(temp3, -1), $ownerRef] == $ElementProxy(temp3, -1) && $Heap[$ElementProxy(temp3, -1), $ownerFrame] == $PeerGroupPlaceholder; + assume $Heap[temp3, $inv] == $typeof(temp3) && $Heap[temp3, $localinv] == $typeof(temp3); + assume (forall $i: int :: IntArrayGet($Heap[temp3, $elements], $i) == 0); + $Heap[temp3, $allocated] := true; + call System.Object..ctor($ElementProxy(temp3, -1)); + b := temp3; + assume IsHeap($Heap); + // ----- load field ----- AddMethod.ssc(43,9) + assert this != null; + stack0o := $Heap[this, Bag.a]; + // ----- copy ----- AddMethod.ssc(43,9) + stack1o := b; + // ----- load constant 0 ----- AddMethod.ssc(43,9) + stack2i := 0; + // ----- call ----- AddMethod.ssc(43,9) + assert stack0o != null; + call System.Array.CopyTo$System.Array$notnull$System.Int32$.Virtual.$(stack0o, stack1o, stack2i); + // ----- store field ----- AddMethod.ssc(44,9) + assert this != null; + assert $Heap[this, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[this, $ownerRef], $inv] <: $Heap[this, $ownerFrame]) || $Heap[$Heap[this, $ownerRef], $localinv] == $BaseClass($Heap[this, $ownerFrame]); + assert ($Heap[b, $ownerRef] == this && $Heap[b, $ownerFrame] == Bag) || $Heap[b, $ownerFrame] == $PeerGroupPlaceholder; + assert $Heap[b, $ownerFrame] == $PeerGroupPlaceholder && $Heap[this, $inv] <: Bag && $Heap[this, $localinv] != $BaseClass(Bag) ==> (forall $pc: ref :: { $typeof($pc) } { $Heap[$pc, $localinv] } { $Heap[$pc, $inv] } { $Heap[$pc, $ownerFrame] } { $Heap[$pc, $ownerRef] } $pc != null && $Heap[$pc, $allocated] && $Heap[$pc, $ownerRef] == $Heap[b, $ownerRef] && $Heap[$pc, $ownerFrame] == $Heap[b, $ownerFrame] ==> $Heap[$pc, $inv] == $typeof($pc) && $Heap[$pc, $localinv] == $typeof($pc)); + assert $Heap[b, $ownerFrame] == $PeerGroupPlaceholder && $Heap[this, $inv] <: Bag && $Heap[this, $localinv] != $BaseClass(Bag) ==> $Heap[this, $ownerRef] != $Heap[b, $ownerRef] || $Heap[this, $ownerFrame] != $Heap[b, $ownerFrame]; + call $UpdateOwnersForRep(this, Bag, b); + havoc temp4; + $Heap[this, $exposeVersion] := temp4; + $Heap[this, Bag.a] := b; + assert !($Heap[this, $inv] <: Bag && $Heap[this, $localinv] != $BaseClass(Bag)) || 0 <= $Heap[this, Bag.n]; + assert !($Heap[this, $inv] <: Bag && $Heap[this, $localinv] != $BaseClass(Bag)) || $Heap[this, Bag.n] <= $Length($Heap[this, Bag.a]); + assume IsHeap($Heap); + goto block6392; + + block6562: + stack0o := null; + // ----- binary operator + // ----- branch + goto true6562to6477, false6562to6579; + + true6562to6477: + assume local2 == stack0o; + goto block6477; + + false6562to6579: + assume local2 != stack0o; + goto block6579; + + block6477: + // ----- load token ----- AddMethod.ssc(48,5) + havoc stack0s; + assume $IsTokenForType(stack0s, Bag); + // ----- statically resolved GetTypeFromHandle call ----- AddMethod.ssc(48,5) + stack0o := TypeObject(Bag); + // ----- local pack ----- AddMethod.ssc(48,5) + assert temp0 != null; + assert $Heap[temp0, $localinv] == System.Object; + assert 0 <= $Heap[temp0, Bag.n]; + assert $Heap[temp0, Bag.n] <= $Length($Heap[temp0, Bag.a]); + assert (forall $p: ref :: $p != null && $Heap[$p, $allocated] && $Heap[$p, $ownerRef] == temp0 && $Heap[$p, $ownerFrame] == Bag ==> $Heap[$p, $inv] == $typeof($p) && $Heap[$p, $localinv] == $typeof($p)); + $Heap[temp0, $localinv] := $typeof(temp0); + assume IsHeap($Heap); + goto block6545; + + block6579: + // ----- is instance + // ----- branch + goto true6579to6477, false6579to6528; + + true6579to6477: + assume $As(local2, Microsoft.Contracts.ICheckedException) != null; + goto block6477; + + false6579to6528: + assume $As(local2, Microsoft.Contracts.ICheckedException) == null; + goto block6528; + + block6528: + // ----- branch + goto block6545; + + block6545: + // ----- nop + // ----- branch + goto block6443; + + block6443: + // ----- return + return; +} + + + +procedure Bag..cctor(); + free requires $BeingConstructed == null; + free requires $PurityAxiomsCanBeAssumed; + modifies $Heap, $ActivityIndicator; + // newly allocated objects are fully valid + free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } $o != null && !old($Heap)[$o, $allocated] && $Heap[$o, $allocated] ==> $Heap[$o, $inv] == $typeof($o) && $Heap[$o, $localinv] == $typeof($o)); + // first consistent owner unchanged if its exposeVersion is + free ensures (forall $o: ref :: { $Heap[$o, $FirstConsistentOwner] } old($Heap)[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] == $Heap[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] ==> old($Heap)[$o, $FirstConsistentOwner] == $Heap[$o, $FirstConsistentOwner]); + // frame condition + ensures (forall<a> $o: ref, $f: Field a :: { $Heap[$o, $f] } IncludeInMainFrameCondition($f) && $o != null && old($Heap)[$o, $allocated] && (old($Heap)[$o, $ownerFrame] == $PeerGroupPlaceholder || !(old($Heap)[old($Heap)[$o, $ownerRef], $inv] <: old($Heap)[$o, $ownerFrame]) || old($Heap)[old($Heap)[$o, $ownerRef], $localinv] == $BaseClass(old($Heap)[$o, $ownerFrame])) && old(true) && old(true) ==> old($Heap)[$o, $f] == $Heap[$o, $f]); + free ensures $HeapSucc(old($Heap), $Heap); + // inv/localinv change only in blocks + free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } old($Heap)[$o, $allocated] ==> old($Heap)[$o, $inv] == $Heap[$o, $inv] && old($Heap)[$o, $localinv] == $Heap[$o, $localinv]); + free ensures (forall $o: ref :: { $Heap[$o, $allocated] } old($Heap)[$o, $allocated] ==> $Heap[$o, $allocated]) && (forall $ot: ref :: { $Heap[$ot, $ownerFrame] } { $Heap[$ot, $ownerRef] } old($Heap)[$ot, $allocated] && old($Heap)[$ot, $ownerFrame] != $PeerGroupPlaceholder ==> $Heap[$ot, $ownerRef] == old($Heap)[$ot, $ownerRef] && $Heap[$ot, $ownerFrame] == old($Heap)[$ot, $ownerFrame]) && old($Heap)[$BeingConstructed, $NonNullFieldsAreInitialized] == $Heap[$BeingConstructed, $NonNullFieldsAreInitialized]; + free ensures (forall $o: ref :: { $Heap[$o, $sharingMode] } old($Heap[$o, $sharingMode]) == $Heap[$o, $sharingMode]); + + + +implementation Bag..cctor() +{ + + entry: + goto block7650; + + block7650: + goto block7701; + + block7701: + // ----- nop + // ----- return + return; +} + + |