summaryrefslogtreecommitdiff
path: root/Test
diff options
context:
space:
mode:
Diffstat (limited to 'Test')
-rw-r--r--Test/CollectBenchmarks.py295
-rw-r--r--Test/CompareAll22
-rw-r--r--Test/aitest0/Answer111
-rw-r--r--Test/aitest0/Output111
-rw-r--r--Test/aitest0/constants.bpl69
-rw-r--r--Test/aitest0/runtest.bat6
-rw-r--r--Test/aitest1/Answer510
-rw-r--r--Test/aitest1/Bound.bpl28
-rw-r--r--Test/aitest1/Linear0.bpl10
-rw-r--r--Test/aitest1/Linear1.bpl11
-rw-r--r--Test/aitest1/Linear2.bpl11
-rw-r--r--Test/aitest1/Linear3.bpl11
-rw-r--r--Test/aitest1/Linear4.bpl15
-rw-r--r--Test/aitest1/Linear5.bpl21
-rw-r--r--Test/aitest1/Linear6.bpl21
-rw-r--r--Test/aitest1/Linear7.bpl19
-rw-r--r--Test/aitest1/Linear8.bpl42
-rw-r--r--Test/aitest1/Linear9.bpl29
-rw-r--r--Test/aitest1/Output510
-rw-r--r--Test/aitest1/ineq.bpl81
-rw-r--r--Test/aitest1/runtest.bat17
-rw-r--r--Test/aitest9/Output26
-rw-r--r--Test/aitest9/TestIntervals.bpl24
-rw-r--r--Test/aitest9/VarMapFixpoint.bpl58
-rw-r--r--Test/aitest9/answer26
-rw-r--r--Test/aitest9/runtest.bat11
-rw-r--r--Test/alltests.txt22
-rw-r--r--Test/bitvectors/Answer62
-rw-r--r--Test/bitvectors/Output62
-rw-r--r--Test/bitvectors/arrays.bpl41
-rw-r--r--Test/bitvectors/bv0.bpl13
-rw-r--r--Test/bitvectors/bv1.bpl17
-rw-r--r--Test/bitvectors/bv2.bpl11
-rw-r--r--Test/bitvectors/bv3.bpl3
-rw-r--r--Test/bitvectors/bv4.bpl23
-rw-r--r--Test/bitvectors/bv5.bpl11
-rw-r--r--Test/bitvectors/bv6.bpl9
-rw-r--r--Test/bitvectors/bv7.bpl9
-rw-r--r--Test/bitvectors/runtest.bat21
-rw-r--r--Test/bitvectors/vcc0.bpl883
-rw-r--r--Test/ccnet.runtestall.bat2
-rw-r--r--Test/dafny0/Answer100
-rw-r--r--Test/dafny0/BQueue.bpl430
-rw-r--r--Test/dafny0/BinaryTree.dfy245
-rw-r--r--Test/dafny0/DTypes.dfy74
-rw-r--r--Test/dafny0/ListContents.dfy92
-rw-r--r--Test/dafny0/ListCopy.dfy54
-rw-r--r--Test/dafny0/ListReverse.dfy26
-rw-r--r--Test/dafny0/Output100
-rw-r--r--Test/dafny0/Queue.dfy205
-rw-r--r--Test/dafny0/SchorrWaite.dfy229
-rw-r--r--Test/dafny0/Simple.dfy29
-rw-r--r--Test/dafny0/SmallTests.dfy26
-rw-r--r--Test/dafny0/Termination.dfy80
-rw-r--r--Test/dafny0/TypeParameters.dfy22
-rw-r--r--Test/dafny0/Use.dfy70
-rw-r--r--Test/dafny0/runtest.bat27
-rw-r--r--Test/filter.pl38
-rw-r--r--Test/havoc0/Answer12
-rw-r--r--Test/havoc0/KbdCreateClassObject.bpl5155
-rw-r--r--Test/havoc0/KeyboardClassFindMorePorts.bpl3780
-rw-r--r--Test/havoc0/KeyboardClassUnload.bpl3333
-rw-r--r--Test/havoc0/MouCreateClassObject.bpl4918
-rw-r--r--Test/havoc0/MouseClassFindMorePorts.bpl3837
-rw-r--r--Test/havoc0/MouseClassUnload.bpl3369
-rw-r--r--Test/havoc0/Output12
-rw-r--r--Test/havoc0/runtest.bat13
-rw-r--r--Test/houdini/Answer78
-rw-r--r--Test/houdini/houd1.bpl19
-rw-r--r--Test/houdini/houd10.bpl23
-rw-r--r--Test/houdini/houd11.bpl13
-rw-r--r--Test/houdini/houd12.bpl58
-rw-r--r--Test/houdini/houd2.bpl27
-rw-r--r--Test/houdini/houd3.bpl27
-rw-r--r--Test/houdini/houd4.bpl27
-rw-r--r--Test/houdini/houd5.bpl29
-rw-r--r--Test/houdini/houd6.bpl44
-rw-r--r--Test/houdini/houd7.bpl35
-rw-r--r--Test/houdini/houd8.bpl30
-rw-r--r--Test/houdini/houd9.bpl32
-rw-r--r--Test/houdini/runtest.bat11
-rw-r--r--Test/inline/Answer983
-rw-r--r--Test/inline/Elevator.asml56
-rw-r--r--Test/inline/Elevator.bpl153
-rw-r--r--Test/inline/Output983
-rw-r--r--Test/inline/expansion.bpl33
-rw-r--r--Test/inline/expansion2.bpl14
-rw-r--r--Test/inline/expansion2.sx178
-rw-r--r--Test/inline/expansion3.bpl19
-rw-r--r--Test/inline/expansion4.bpl31
-rw-r--r--Test/inline/fundef.bpl6
-rw-r--r--Test/inline/fundef2.bpl7
-rw-r--r--Test/inline/polyInline.bpl40
-rw-r--r--Test/inline/runtest.bat30
-rw-r--r--Test/inline/test1.bpl45
-rw-r--r--Test/inline/test2.bpl31
-rw-r--r--Test/inline/test3.bpl28
-rw-r--r--Test/inline/test4.bpl53
-rw-r--r--Test/inline/test5.bpl20
-rw-r--r--Test/inline/test6.bpl37
-rw-r--r--Test/lock/Answer8
-rw-r--r--Test/lock/Lock.bpl122
-rw-r--r--Test/lock/LockIncorrect.bpl51
-rw-r--r--Test/lock/Output8
-rw-r--r--Test/lock/runtest.bat7
-rw-r--r--Test/rtest25
-rw-r--r--Test/rtestall32
-rw-r--r--Test/runtest.bat36
-rw-r--r--Test/runtestall.bat24
-rw-r--r--Test/smoke/Answer25
-rw-r--r--Test/smoke/Output25
-rw-r--r--Test/smoke/runtest.bat11
-rw-r--r--Test/smoke/smoke0.bpl53
-rw-r--r--Test/test0/Answer252
-rw-r--r--Test/test0/Arrays0.bpl3
-rw-r--r--Test/test0/Arrays1.bpl16
-rw-r--r--Test/test0/AttributeParsing.bpl25
-rw-r--r--Test/test0/AttributeParsingErr.bpl23
-rw-r--r--Test/test0/AttributeResolution.bpl38
-rw-r--r--Test/test0/BadLabels0.bpl13
-rw-r--r--Test/test0/BadLabels1.bpl81
-rw-r--r--Test/test0/BadQuantifier.bpl3
-rw-r--r--Test/test0/EmptyCallArgs.bpl33
-rw-r--r--Test/test0/LargeLiterals0.bpl7
-rw-r--r--Test/test0/LineParse.bpl12
-rw-r--r--Test/test0/LineResolve.bpl38
-rw-r--r--Test/test0/MapsResolutionErrors.bpl28
-rw-r--r--Test/test0/ModifiedBag.bpl371
-rw-r--r--Test/test0/Orderings.bpl20
-rw-r--r--Test/test0/Output252
-rw-r--r--Test/test0/PrettyPrint.bpl40
-rw-r--r--Test/test0/Prog0.bpl51
-rw-r--r--Test/test0/Quoting.bpl16
-rw-r--r--Test/test0/Triggers0.bpl15
-rw-r--r--Test/test0/Triggers1.bpl127
-rw-r--r--Test/test0/Types0.bpl8
-rw-r--r--Test/test0/Types1.bpl7
-rw-r--r--Test/test0/WhereParsing.bpl25
-rw-r--r--Test/test0/WhereParsing0.bpl28
-rw-r--r--Test/test0/WhereParsing1.bpl15
-rw-r--r--Test/test0/WhereParsing2.bpl2
-rw-r--r--Test/test0/WhereResolution.bpl62
-rw-r--r--Test/test0/runtest.bat33
-rw-r--r--Test/test1/Answer137
-rw-r--r--Test/test1/Arrays.bpl224
-rw-r--r--Test/test1/AttributeTyping.bpl36
-rw-r--r--Test/test1/CallForallResolve.bpl23
-rw-r--r--Test/test1/EmptyCallArgs.bpl31
-rw-r--r--Test/test1/Family.bpl47
-rw-r--r--Test/test1/Frame0.bpl15
-rw-r--r--Test/test1/Frame1.bpl97
-rw-r--r--Test/test1/FunBody.bpl13
-rw-r--r--Test/test1/LogicalExprs.bpl6
-rw-r--r--Test/test1/MapsTypeErrors.bpl127
-rw-r--r--Test/test1/Orderings.bpl8
-rw-r--r--Test/test1/Output137
-rw-r--r--Test/test1/UpdateExprTyping.bpl43
-rw-r--r--Test/test1/WhereTyping.bpl45
-rw-r--r--Test/test1/runtest.bat19
-rw-r--r--Test/test13/Answer15
-rw-r--r--Test/test13/ErrorTraceTestLoopInvViolationBPL.bpl30
-rw-r--r--Test/test13/Output15
-rw-r--r--Test/test13/runtest.bat11
-rw-r--r--Test/test15/Answer177
-rw-r--r--Test/test15/IntInModel.bpl3
-rw-r--r--Test/test15/InterpretedFunctionTests.bpl17
-rw-r--r--Test/test15/ModelTest.bpl10
-rw-r--r--Test/test15/NullInModel.bpl5
-rw-r--r--Test/test15/Output177
-rw-r--r--Test/test15/runtest.bat16
-rw-r--r--Test/test16/Answer23
-rw-r--r--Test/test16/LoopUnroll.bpl79
-rw-r--r--Test/test16/Output23
-rw-r--r--Test/test16/runtest.bat13
-rw-r--r--Test/test17/Answer8
-rw-r--r--Test/test17/contractinfer.bpl24
-rw-r--r--Test/test17/flpydisk.bpl2295
-rw-r--r--Test/test17/runtest.bat12
-rw-r--r--Test/test2/Answer359
-rw-r--r--Test/test2/Arrays.bpl180
-rw-r--r--Test/test2/AssumeEnsures.bpl69
-rw-r--r--Test/test2/Axioms.bpl29
-rw-r--r--Test/test2/B.bpl86
-rw-r--r--Test/test2/Call.bpl60
-rw-r--r--Test/test2/CallForall.bpl134
-rw-r--r--Test/test2/CutBackEdge.bpl14
-rw-r--r--Test/test2/Ensures.bpl75
-rw-r--r--Test/test2/False.bpl16
-rw-r--r--Test/test2/FormulaTerm.bpl139
-rw-r--r--Test/test2/FormulaTerm2.bpl49
-rw-r--r--Test/test2/Implies.bpl16
-rw-r--r--Test/test2/LoopInvAssume.bpl20
-rw-r--r--Test/test2/NeverPattern.bpl29
-rw-r--r--Test/test2/NullaryMaps.bpl57
-rw-r--r--Test/test2/Old.bpl132
-rw-r--r--Test/test2/OldIllegal.bpl16
-rw-r--r--Test/test2/Output359
-rw-r--r--Test/test2/Passification.bpl169
-rw-r--r--Test/test2/Quantifiers.bpl154
-rw-r--r--Test/test2/Structured.bpl327
-rw-r--r--Test/test2/UpdateExpr.bpl81
-rw-r--r--Test/test2/Where.bpl163
-rw-r--r--Test/test2/runtest.bat26
-rw-r--r--Test/test2/sk_hack.bpl32
-rw-r--r--Test/test2/strings-no-where.bpl995
-rw-r--r--Test/test2/strings-where.bpl995
-rw-r--r--Test/test20/Answer192
-rw-r--r--Test/test20/Coercions.bpl17
-rw-r--r--Test/test20/EmptySeq.bpl6
-rw-r--r--Test/test20/Output192
-rw-r--r--Test/test20/ParallelAssignment.bpl23
-rw-r--r--Test/test20/ParallelAssignment2.bpl11
-rw-r--r--Test/test20/PolyFuns0.bpl55
-rw-r--r--Test/test20/PolyFuns1.bpl59
-rw-r--r--Test/test20/PolyPolyPoly.bpl22
-rw-r--r--Test/test20/PolyPolyPoly2.bpl34
-rw-r--r--Test/test20/PolyProcs0.bpl44
-rw-r--r--Test/test20/ProcParamReordering.bpl15
-rw-r--r--Test/test20/Prog0.bpl35
-rw-r--r--Test/test20/Prog1.bpl26
-rw-r--r--Test/test20/Prog2.bpl16
-rw-r--r--Test/test20/TypeDecls0.bpl45
-rw-r--r--Test/test20/TypeDecls1.bpl23
-rw-r--r--Test/test20/TypeSynonyms0.bpl29
-rw-r--r--Test/test20/TypeSynonyms1.bpl47
-rw-r--r--Test/test20/TypeSynonyms2.bpl20
-rw-r--r--Test/test20/runtest.bat26
-rw-r--r--Test/test21/Answer1677
-rw-r--r--Test/test21/BooleanQuantification.bpl32
-rw-r--r--Test/test21/BooleanQuantification2.bpl14
-rw-r--r--Test/test21/Boxing.bpl21
-rw-r--r--Test/test21/Casts.bpl11
-rw-r--r--Test/test21/Coercions2.bpl24
-rw-r--r--Test/test21/Colors.bpl21
-rw-r--r--Test/test21/DisjointDomains.bpl30
-rw-r--r--Test/test21/DisjointDomains2.bpl64
-rw-r--r--Test/test21/EmptyList.bpl47
-rw-r--r--Test/test21/EmptySetBug.bpl30
-rw-r--r--Test/test21/Flattening.bpl13
-rw-r--r--Test/test21/FunAxioms.bpl40
-rw-r--r--Test/test21/FunAxioms2.bpl21
-rw-r--r--Test/test21/HeapAbstraction.bpl19
-rw-r--r--Test/test21/HeapAxiom.bpl27
-rw-r--r--Test/test21/InterestingExamples0.bpl8
-rw-r--r--Test/test21/InterestingExamples1.bpl27
-rw-r--r--Test/test21/InterestingExamples2.bpl14
-rw-r--r--Test/test21/InterestingExamples3.bpl27
-rw-r--r--Test/test21/InterestingExamples4.bpl42
-rw-r--r--Test/test21/InterestingExamples5.bpl16
-rw-r--r--Test/test21/Keywords.bpl9
-rw-r--r--Test/test21/LargeLiterals0.bpl20
-rw-r--r--Test/test21/LetSorting.bpl15
-rw-r--r--Test/test21/MapAxiomsConsistency.bpl97
-rw-r--r--Test/test21/MapOutputTypeParams.bpl33
-rw-r--r--Test/test21/Maps0.bpl56
-rw-r--r--Test/test21/Maps1.bpl36
-rw-r--r--Test/test21/Maps2.bpl24
-rw-r--r--Test/test21/NameClash.bpl8
-rw-r--r--Test/test21/Orderings.bpl20
-rw-r--r--Test/test21/Orderings2.bpl18
-rw-r--r--Test/test21/Orderings3.bpl38
-rw-r--r--Test/test21/Orderings4.bpl11
-rw-r--r--Test/test21/Output1677
-rw-r--r--Test/test21/ParallelAssignment.bpl56
-rw-r--r--Test/test21/PolyList.bpl62
-rw-r--r--Test/test21/Triggers0.bpl44
-rw-r--r--Test/test21/Triggers1.bpl17
-rw-r--r--Test/test21/runtest.bat53
-rw-r--r--Test/test21/test3_AddMethod_conv.bpl1820
-rw-r--r--Test/test7/Answer64
-rw-r--r--Test/test7/MultipleErrors.bpl17
-rw-r--r--Test/test7/NestedVC.bpl21
-rw-r--r--Test/test7/Output64
-rw-r--r--Test/test7/UnreachableBlocks.bpl40
-rw-r--r--Test/test7/runtest.bat34
-rw-r--r--Test/textbook/Answer12
-rw-r--r--Test/textbook/Bubble.bpl66
-rw-r--r--Test/textbook/DutchFlag.bpl62
-rw-r--r--Test/textbook/Find.bpl39
-rw-r--r--Test/textbook/Output12
-rw-r--r--Test/textbook/runtest.bat13
-rw-r--r--Test/z3api/Answer187
-rw-r--r--Test/z3api/Boog24.bpl16
-rw-r--r--Test/z3api/boog0.bpl48
-rw-r--r--Test/z3api/boog1.bpl16
-rw-r--r--Test/z3api/boog10.bpl22
-rw-r--r--Test/z3api/boog11.bpl16
-rw-r--r--Test/z3api/boog12.bpl20
-rw-r--r--Test/z3api/boog13.bpl25
-rw-r--r--Test/z3api/boog14.bpl11
-rw-r--r--Test/z3api/boog15.bpl10
-rw-r--r--Test/z3api/boog16.bpl11
-rw-r--r--Test/z3api/boog17.bpl25
-rw-r--r--Test/z3api/boog18.bpl15
-rw-r--r--Test/z3api/boog19.bpl228
-rw-r--r--Test/z3api/boog2.bpl22
-rw-r--r--Test/z3api/boog20.bpl17
-rw-r--r--Test/z3api/boog21.bpl17
-rw-r--r--Test/z3api/boog22.bpl10
-rw-r--r--Test/z3api/boog23.bpl410
-rw-r--r--Test/z3api/boog25.bpl282
-rw-r--r--Test/z3api/boog28.bpl16
-rw-r--r--Test/z3api/boog29.bpl19
-rw-r--r--Test/z3api/boog3.bpl7
-rw-r--r--Test/z3api/boog30.bpl13
-rw-r--r--Test/z3api/boog31.bpl14
-rw-r--r--Test/z3api/boog34.bpl10
-rw-r--r--Test/z3api/boog4.bpl40
-rw-r--r--Test/z3api/boog5.bpl40
-rw-r--r--Test/z3api/boog6.bpl22
-rw-r--r--Test/z3api/boog7.bpl19
-rw-r--r--Test/z3api/boog8.bpl24
-rw-r--r--Test/z3api/boog9.bpl21
-rw-r--r--Test/z3api/runtest.bat10
314 files changed, 52956 insertions, 0 deletions
diff --git a/Test/CollectBenchmarks.py b/Test/CollectBenchmarks.py
new file mode 100644
index 00000000..d5c8a233
--- /dev/null
+++ b/Test/CollectBenchmarks.py
@@ -0,0 +1,295 @@
+#! /usr/bin/python
+
+# 13 Aug 2006 Alexander Fuchs
+#
+# creates bpl and prover files for all test cases
+# and puts these into a zip file
+
+import sys;
+import os;
+import shutil;
+import re;
+import zipfile;
+
+
+#PROVER_NAME = "smt"
+PROVER_NAME = "simplify"
+
+# constants
+# prefix of temporary files created by boogie
+PREFIX_TMP = "boogie_tmp"
+
+# prefix of files put into package
+PREFIX_PGK = "boogie"
+
+# arguments to runtest so that boogie creates problem specifications
+BOOGIE_ARG0 = "/prover:blank /print:" + PREFIX_TMP + ".@TIME@.bpl /proverLog:" + PREFIX_TMP + ".@TIME@.simplify"
+BOOGIE_ARG1 = "/prover:smt /print:" + PREFIX_TMP + ".@TIME@.bpl /proverLog:" + PREFIX_TMP + ".@TIME@.jjsmt"
+
+# file containing the directories with tests
+TESTS_FILE = "alltests.txt"
+
+# marker in boogie generated proover files to denote end of background axioms
+START_OF_AXIOMS = "; Boogie universal background predicate"
+END_OF_AXIOMS = "; Initialized all axioms."
+
+# assumptions:
+# files: problems, runtest
+# calling boogie: parameters and filename only
+
+
+
+
+
+# call runtests to create the bpl/prover specifications:
+# - /print creates the boogie bpl file
+# - /proverLog creates the prover verification condition
+# @TIME@ is used to create a unique file name per test case
+def runtests(parameters):
+ boogie_arg = BOOGIE_ARG0
+ if PROVER_NAME == "simplify":
+ boogie_arg = BOOGIE_ARG0
+ if PROVER_NAME == "smt":
+ boogie_arg = BOOGIE_ARG1
+ if os.name == "nt":
+ command = "runtestall.bat " + " ".join(parameters) + " " + boogie_arg
+ else:
+ command = "./rtestall " + " ".join(parameters) + " " + boogie_arg
+
+ print command
+
+ os.system(command)
+
+
+# evaluates a call to boogie, which is of the form:
+# ; Command Line Options: -nologo /print:boogie_testcase.@TIME@.bpl /proverLog:boogie_testcase.@TIME@.'prover' SimpleAssignments0.dll /infer:i
+#
+# returns (file_name, parameters), where
+# - file_name: the called file name (e.g. SimpleAssignments0.dll)
+# - parameters: boogie parameters except for nologo, print, proverLog
+def process_boogie_call(line):
+ match = re.match("; Command Line Options:(?P<parameters>.*)$", line)
+ parameters = match.group("parameters")
+ parameters = re.split("\s", parameters)
+
+ copy = []
+ for parameter in parameters:
+ # file names on DOS seem not to like containing ":", so replace by "_"
+ parameter = re.sub(":", "_", parameter)
+ # ignore these parameters
+ if parameter == "":
+ ()
+ elif re.match("-nologo", parameter):
+ ()
+ elif re.match("/nologo", parameter):
+ ()
+ elif re.match("/print", parameter):
+ ()
+ elif re.match("/proverLog", parameter):
+ ()
+ elif re.match("-prover", parameter):
+ ()
+ elif re.match("/prover", parameter):
+ ()
+
+ # keep any other parameter
+ elif re.match("-", parameter):
+ copy.append(parameter)
+ elif re.match("/", parameter):
+ copy.append("-" + parameter[1:])
+
+ # get the file name
+ elif re.match("[a-zA-Z]", parameter):
+ file_name = parameter
+
+ # don't know what that is
+ else:
+ raise ("process_parameters: unknown argument: " + parameter)
+
+ # couldn't find the file name???
+ if not file_name:
+ raise ("split_parameters: file_name not found in: " + parameters)
+
+ else:
+ return (file_name, copy)
+
+
+
+
+# evaluates the file name on which boogie was called, which is of the form:
+# SimpleAssignments0.dll
+#
+# returns (file_name, is_dll):
+# - file_name: the file name, e.g. SimpleAssignments0
+# - is_dll: if it was a dll or exe, and not a bpl file
+def process_file_name(file_name):
+ if re.match("^[a-zA-Z].*\.dll$", file_name.lower()):
+ return (file_name[:-4], 1)
+ elif re.match("^[a-zA-Z].*\.exe$", file_name.lower()):
+ return (file_name[:-4], 1)
+ elif re.match("^[a-zA-Z].*\.bpl$", file_name.lower()):
+ return (file_name[:-4], 0)
+ else:
+ return (file_name, 1)
+# else:
+# raise ("process_file_name: neither dll nor bpl: " + file_name)
+
+
+
+# creates the package name for a package file (without extension)
+# the file name creation scheme used here is not unique,
+# so a unique id is added in addition
+names = {}
+def create_pgk_name(suite, problem_name, condition_name, parameters, extension):
+ # things like LESS, less happen, doesn't work under Windows
+ name = (problem_name + condition_name + extension).lower()
+ if name in names:
+ names[name] = names[name] + 1
+ name_id = "_" + repr(names[name])
+ else:
+ names[name] = 0
+ name_id = ""
+
+ if condition_name != "":
+ condition_name = "_" + condition_name
+
+ return os.path.join(suite, PREFIX_PGK + "_" + problem_name + condition_name + "".join(parameters) + name_id + "." + extension)
+
+
+
+# creates the bpl package file and adds it to the manifest
+def create_bpl(suite, source_name, problem_name, is_dll, parameters, manifest):
+ # create unique problem file_name
+ target_name = create_pgk_name(suite, problem_name, "", parameters, "bpl")
+
+ # copy bpl
+ if is_dll:
+ # started from dll/exe, so rename converted bpl
+ source_name = os.path.join(suite, source_name[:-1-len(PROVER_NAME)] + ".bpl")
+ os.rename(source_name, target_name)
+ else:
+ # started from existing bpl, so just copy it
+ source_name = os.path.join(suite, problem_name + ".bpl")
+ shutil.copy(source_name, target_name)
+
+ manifest.append(target_name)
+
+
+
+def create_simplify(suite, problem_name, parameters, file, manifest):
+ # get background axioms
+ background = []
+ next = file.readline()
+ if (re.match("; -------------------------------------------------------------------------", next)):
+ next = file.readline()
+ if (re.match(START_OF_AXIOMS, next)):
+ while(not re.match(END_OF_AXIOMS, next)):
+ background.append(next)
+ next = file.readline()
+
+ next = file.readline()
+
+
+ # get individual queries
+ name = next
+ while(name):
+ query = file.readline()
+ status = file.readline()
+
+ # create simplify file for this query
+ match = re.match("; (?P<name>\S+)", name)
+ condition_name = match.group("name")
+ query_file_name = create_pgk_name(suite, problem_name, condition_name, parameters, PROVER_NAME)
+
+ query_file = open(query_file_name, 'w')
+ query_file.writelines(background)
+ query_file.write(name)
+ query_file.write(query)
+ query_file.write(status)
+ query_file.close()
+
+ manifest.append(query_file_name)
+
+ name = file.readline()
+
+
+
+
+
+#
+# main
+#
+
+# create problem specifications
+runtests(sys.argv[1:])
+
+# list of created files
+manifest = []
+# list of generated bpl files
+bpl_files = []
+
+# go into each test directory
+suites = open(TESTS_FILE)
+for suite in suites.readlines():
+ suite = re.split("\s", suite)[0]
+ #print suite
+
+ # find the created simplify input files
+ files = os.listdir(suite)
+
+ prover_files = filter(lambda file: re.search(PREFIX_TMP + ("\S+\.%s$" % PROVER_NAME) , file), files)
+ prover_files.sort()
+
+ new_bpl_files = filter(lambda file: re.search(PREFIX_TMP + "\S+\.bpl$" , file), files)
+ bpl_files.extend(map(lambda file: os.path.join(suite, file), new_bpl_files))
+
+
+ # process each prover input file
+ for prover_file in prover_files:
+ # parse header
+ file = open(os.path.join(suite, prover_file))
+ line = file.readline()
+ line = file.readline()
+ (file_name, parameters) = process_boogie_call(line)
+ (problem_name, is_dll) = process_file_name(file_name)
+
+ # create bpl file
+ create_bpl(suite, prover_file, problem_name, is_dll, parameters, manifest)
+
+ # keep prover file for all queries
+ target_name = create_pgk_name(suite, problem_name, "", parameters, PROVER_NAME)
+ manifest.append(target_name)
+
+ # split prover file into individual queries
+ if PROVER_NAME == "simplify":
+ create_simplify(suite, problem_name, parameters, file, manifest)
+ file.close()
+
+ os.rename(os.path.join(suite, prover_file), target_name)
+
+suites.close()
+
+
+
+#print "\n".join(manifest)
+
+# create package
+#print "zipping"
+zipFile = zipfile.ZipFile("boogie-benchmarks.zip", 'w', zipfile.ZIP_DEFLATED)
+for file_name in manifest:
+ zipFile.write(file_name)
+zipFile.close()
+
+# clean up
+for file_name in manifest:
+ os.remove(file_name)
+
+
+# some bpl files are create with /noVerify,
+# and then no prover file is generated,
+# so these files are just ignored and removed
+for file_name in bpl_files:
+ try:
+ os.remove(file_name)
+ except OSError:
+ ()
diff --git a/Test/CompareAll b/Test/CompareAll
new file mode 100644
index 00000000..1dfebd87
--- /dev/null
+++ b/Test/CompareAll
@@ -0,0 +1,22 @@
+#!/usr/bin/bash
+
+# ALL_TESTS=`cat alltests.txt | grep -E "^[[:alnum:]-]+\W+Use\W" | awk '{print $1}'`
+ALL_TESTS=`cat alltests.txt | grep -E "^[^[:space:]]+[[:space:]]+(Use|Long)[[:space:]]" | awk '{print $1}'`
+
+echo ---------- All tests ---------- > Answer-all
+for t in ${ALL_TESTS} ; do
+ echo ====================================================================== >> Answer-all
+ echo ======================================== $t >> Answer-all
+ echo ====================================================================== >> Answer-all
+ cat $t/Answer >> Answer-all
+done
+
+echo ---------- All tests ---------- > Output-all
+for t in ${ALL_TESTS} ; do
+ echo ====================================================================== >> Output-all
+ echo ======================================== $t >> Output-all
+ echo ====================================================================== >> Output-all
+ cat $t/Output >> Output-all
+done
+
+echo All answers collected in Answer-all and all outputs in Output-all
diff --git a/Test/aitest0/Answer b/Test/aitest0/Answer
new file mode 100644
index 00000000..58750460
--- /dev/null
+++ b/Test/aitest0/Answer
@@ -0,0 +1,111 @@
+var GlobalFlag: bool;
+
+const A: int;
+
+const B: int;
+
+const C: int;
+
+procedure Join(b: bool);
+ modifies GlobalFlag;
+
+
+
+implementation Join(b: bool)
+{
+ var x: int;
+ var y: int;
+ var z: int;
+
+ start:
+ assume true;
+ GlobalFlag := true;
+ x := 3;
+ y := 4;
+ z := x + y;
+ assume x == 3 && y == 4 && z == 7;
+ goto Then, Else;
+
+ Then:
+ assume x == 3 && y == 4 && z == 7;
+ assume b <==> true;
+ x := x + 1;
+ assume x == 4 && y == 4 && z == 7;
+ goto join;
+
+ Else:
+ assume x == 3 && y == 4 && z == 7;
+ assume b <==> false;
+ y := 4;
+ assume x == 3 && y == 4 && z == 7;
+ goto join;
+
+ join:
+ assume y == 4 && z == 7;
+ assert y == 4;
+ assert z == 7;
+ assert GlobalFlag <==> true;
+ assume y == 4 && z == 7;
+ return;
+}
+
+
+
+procedure Loop();
+
+
+
+implementation Loop()
+{
+ var c: int;
+ var i: int;
+
+ start:
+ assume true;
+ c := 0;
+ i := 0;
+ assume c == 0 && i == 0;
+ goto test;
+
+ test: // cut point
+ assume c == 0;
+ assume c == 0;
+ goto Then, Else;
+
+ Then:
+ assume c == 0;
+ assume i < 10;
+ i := i + 1;
+ assume c == 0;
+ goto test;
+
+ Else:
+ assume c == 0;
+ assume c == 0;
+ return;
+}
+
+
+
+procedure Evaluate();
+
+
+
+implementation Evaluate()
+{
+ var i: int;
+
+ start:
+ assume true;
+ i := 5;
+ i := 3 * i + 1;
+ i := 3 * (i + 1);
+ i := 1 + 3 * i;
+ i := (i + 1) * 3;
+ assume i == 465;
+ return;
+}
+
+
+
+Boogie program verifier finished with 0 verified, 0 errors
diff --git a/Test/aitest0/Output b/Test/aitest0/Output
new file mode 100644
index 00000000..58750460
--- /dev/null
+++ b/Test/aitest0/Output
@@ -0,0 +1,111 @@
+var GlobalFlag: bool;
+
+const A: int;
+
+const B: int;
+
+const C: int;
+
+procedure Join(b: bool);
+ modifies GlobalFlag;
+
+
+
+implementation Join(b: bool)
+{
+ var x: int;
+ var y: int;
+ var z: int;
+
+ start:
+ assume true;
+ GlobalFlag := true;
+ x := 3;
+ y := 4;
+ z := x + y;
+ assume x == 3 && y == 4 && z == 7;
+ goto Then, Else;
+
+ Then:
+ assume x == 3 && y == 4 && z == 7;
+ assume b <==> true;
+ x := x + 1;
+ assume x == 4 && y == 4 && z == 7;
+ goto join;
+
+ Else:
+ assume x == 3 && y == 4 && z == 7;
+ assume b <==> false;
+ y := 4;
+ assume x == 3 && y == 4 && z == 7;
+ goto join;
+
+ join:
+ assume y == 4 && z == 7;
+ assert y == 4;
+ assert z == 7;
+ assert GlobalFlag <==> true;
+ assume y == 4 && z == 7;
+ return;
+}
+
+
+
+procedure Loop();
+
+
+
+implementation Loop()
+{
+ var c: int;
+ var i: int;
+
+ start:
+ assume true;
+ c := 0;
+ i := 0;
+ assume c == 0 && i == 0;
+ goto test;
+
+ test: // cut point
+ assume c == 0;
+ assume c == 0;
+ goto Then, Else;
+
+ Then:
+ assume c == 0;
+ assume i < 10;
+ i := i + 1;
+ assume c == 0;
+ goto test;
+
+ Else:
+ assume c == 0;
+ assume c == 0;
+ return;
+}
+
+
+
+procedure Evaluate();
+
+
+
+implementation Evaluate()
+{
+ var i: int;
+
+ start:
+ assume true;
+ i := 5;
+ i := 3 * i + 1;
+ i := 3 * (i + 1);
+ i := 1 + 3 * i;
+ i := (i + 1) * 3;
+ assume i == 465;
+ return;
+}
+
+
+
+Boogie program verifier finished with 0 verified, 0 errors
diff --git a/Test/aitest0/constants.bpl b/Test/aitest0/constants.bpl
new file mode 100644
index 00000000..3a47bfcd
--- /dev/null
+++ b/Test/aitest0/constants.bpl
@@ -0,0 +1,69 @@
+// Test the constant propagation AI
+
+var GlobalFlag : bool;
+
+const A, B, C:int; // Consts
+
+procedure Join (b : bool)
+ modifies GlobalFlag;
+{
+ var x, y, z:int;
+
+ start:
+ GlobalFlag := true;
+ x := 3;
+ y := 4;
+ z := x + y;
+ goto Then, Else; // if (b)
+
+ Then:
+ assume b == true;
+ x := x + 1;
+ goto join;
+
+ Else:
+ assume b == false;
+ y := 4;
+ goto join;
+
+ join:
+ assert y == 4;
+ assert z == 7;
+ assert GlobalFlag == true;
+ return;
+}
+
+
+procedure Loop ()
+{
+ var c, i: int;
+
+ start:
+ c := 0; i := 0;
+ goto test;
+
+ test:
+ // if (i < 10);
+ goto Then, Else;
+
+ Then:
+ assume (i < 10);
+ i := i + 1;
+ goto test;
+
+ Else:
+ return;
+}
+
+procedure Evaluate ()
+{
+ var i : int;
+
+ start:
+ i := 5;
+ i := 3 * i + 1;
+ i := 3 * (i + 1);
+ i := 1 + 3 * i;
+ i := (i + 1) * 3;
+ return;
+}
diff --git a/Test/aitest0/runtest.bat b/Test/aitest0/runtest.bat
new file mode 100644
index 00000000..15f36ab0
--- /dev/null
+++ b/Test/aitest0/runtest.bat
@@ -0,0 +1,6 @@
+@echo off
+setlocal
+
+set BGEXE=..\..\Binaries\Boogie.exe
+
+%BGEXE% %* -infer:c -printInstrumented -noVerify constants.bpl
diff --git a/Test/aitest1/Answer b/Test/aitest1/Answer
new file mode 100644
index 00000000..4e5c8f27
--- /dev/null
+++ b/Test/aitest1/Answer
@@ -0,0 +1,510 @@
+-------------------- ineq.bpl --------------------
+procedure SimpleLoop();
+
+
+
+implementation SimpleLoop()
+{
+ var i: int;
+
+ start:
+ assume true;
+ i := 0;
+ assume i == 0;
+ goto test;
+
+ test: // cut point
+ assume 0 <= i;
+ assume 0 <= i;
+ goto Then, Else;
+
+ Then:
+ assume 0 <= i;
+ assume i < 10;
+ i := i + 1;
+ assume i <= 10 && 1 <= i;
+ goto test;
+
+ Else:
+ assume 0 <= i;
+ assume !(i < 10);
+ assume 10 <= i;
+ return;
+}
+
+
+
+procedure VariableBoundLoop(n: int);
+
+
+
+implementation VariableBoundLoop(n: int)
+{
+ var i: int;
+
+ start:
+ assume true;
+ i := 0;
+ assume i == 0;
+ goto test;
+
+ test: // cut point
+ assume 0 <= i;
+ assume 0 <= i;
+ goto Then, Else;
+
+ Then:
+ assume 0 <= i;
+ assume i < n;
+ i := i + 1;
+ assume i <= n && 1 <= i;
+ goto test;
+
+ Else:
+ assume 0 <= i;
+ assume !(i < n);
+ assume n <= i && 0 <= i;
+ return;
+}
+
+
+
+procedure Foo();
+
+
+
+implementation Foo()
+{
+ var i: int;
+
+ start:
+ assume true;
+ i := 3 * i + 1;
+ i := 3 * (i + 1);
+ i := 1 + 3 * i;
+ i := (i + 1) * 3;
+ assume true;
+ return;
+}
+
+
+
+procedure FooToo();
+
+
+
+implementation FooToo()
+{
+ var i: int;
+
+ start:
+ assume true;
+ i := 5;
+ i := 3 * i + 1;
+ i := 3 * (i + 1);
+ i := 1 + 3 * i;
+ i := (i + 1) * 3;
+ assume 1 / 3 * i == 155;
+ return;
+}
+
+
+
+procedure FooTooStepByStep();
+
+
+
+implementation FooTooStepByStep()
+{
+ var i: int;
+
+ L0:
+ assume true;
+ i := 5;
+ assume i == 5;
+ goto L1;
+
+ L1:
+ assume i == 5;
+ i := 3 * i + 1;
+ assume i == 16;
+ goto L2;
+
+ L2:
+ assume i == 16;
+ i := 3 * (i + 1);
+ assume 1 / 3 * i == 17;
+ goto L3;
+
+ L3:
+ assume 1 / 3 * i == 17;
+ i := 1 + 3 * i;
+ assume i == 154;
+ goto L4;
+
+ L4:
+ assume i == 154;
+ i := (i + 1) * 3;
+ assume 1 / 3 * i == 155;
+ return;
+}
+
+
+
+Boogie program verifier finished with 0 verified, 0 errors
+-------------------- Linear0.bpl --------------------
+var x: int;
+
+var y: int;
+
+procedure p();
+
+
+
+implementation p()
+{
+
+ start:
+ assume true;
+ assume true;
+ return;
+}
+
+
+
+Boogie program verifier finished with 0 verified, 0 errors
+-------------------- Linear1.bpl --------------------
+var x: int;
+
+var y: int;
+
+procedure p();
+
+
+
+implementation p()
+{
+
+ start:
+ assume true;
+ assume x * x == y;
+ assume true;
+ return;
+}
+
+
+
+Boogie program verifier finished with 0 verified, 0 errors
+-------------------- Linear2.bpl --------------------
+var x: int;
+
+var y: int;
+
+procedure p();
+
+
+
+implementation p()
+{
+
+ start:
+ assume true;
+ assume x == 8;
+ assume x == 8;
+ return;
+}
+
+
+
+Boogie program verifier finished with 0 verified, 0 errors
+-------------------- Linear3.bpl --------------------
+var x: int;
+
+var y: int;
+
+procedure p();
+
+
+
+implementation p()
+{
+
+ start:
+ assume true;
+ assume x < y;
+ assume x + 1 <= y;
+ return;
+}
+
+
+
+Boogie program verifier finished with 0 verified, 0 errors
+-------------------- Linear4.bpl --------------------
+var x: int;
+
+var y: int;
+
+procedure p();
+ modifies x;
+
+
+
+implementation p()
+{
+
+ A:
+ assume true;
+ assume x < y;
+ assume x + 1 <= y;
+ goto B;
+
+ B:
+ assume x + 1 <= y;
+ x := x * x;
+ assume true;
+ return;
+}
+
+
+
+Boogie program verifier finished with 0 verified, 0 errors
+-------------------- Linear5.bpl --------------------
+var x: int;
+
+var y: int;
+
+procedure p();
+ modifies x;
+
+
+
+implementation p()
+{
+
+ A:
+ assume true;
+ assume 0 - 1 <= x;
+ assume -1 <= x;
+ goto B;
+
+ B:
+ assume -1 <= x;
+ assume x < y;
+ assume x + 1 <= y && -1 <= x;
+ goto C;
+
+ C:
+ assume x + 1 <= y && -1 <= x;
+ x := x * x;
+ assume 0 <= y;
+ goto D;
+
+ D:
+ assume 0 <= y;
+ x := y;
+ assume x == y && 0 <= y;
+ return;
+}
+
+
+
+Boogie program verifier finished with 0 verified, 0 errors
+-------------------- Linear6.bpl --------------------
+var x: int;
+
+var y: int;
+
+var z: int;
+
+procedure p();
+ modifies x;
+
+
+
+implementation p()
+{
+
+ A:
+ assume true;
+ x := 8;
+ assume x == 8;
+ goto B, C;
+
+ B:
+ assume x == 8;
+ x := 9;
+ assume x == 9;
+ goto D;
+
+ C:
+ assume x == 8;
+ x := 10;
+ assume x == 10;
+ goto D;
+
+ D:
+ assume 9 <= x && x <= 10;
+ assume 9 <= x && x <= 10;
+ return;
+}
+
+
+
+Boogie program verifier finished with 0 verified, 0 errors
+-------------------- Linear7.bpl --------------------
+var x: int;
+
+var y: int;
+
+var z: int;
+
+procedure p();
+
+
+
+implementation p()
+{
+
+ A:
+ assume true;
+ assume true;
+ goto B, C;
+
+ B:
+ assume true;
+ assume x <= 0;
+ assume x <= 0;
+ goto D;
+
+ C:
+ assume true;
+ assume y <= 0;
+ assume y <= 0;
+ goto D;
+
+ D:
+ assume true;
+ assume true;
+ return;
+}
+
+
+
+Boogie program verifier finished with 0 verified, 0 errors
+-------------------- Linear8.bpl --------------------
+procedure foo();
+
+
+
+implementation foo()
+{
+ var i: int;
+ var j: int;
+ var n: int;
+
+ A:
+ assume true;
+ n := 0;
+ assume n == 0;
+ goto B;
+
+ B:
+ assume n == 0;
+ j := 0;
+ assume j == 0 && n == 0;
+ goto C;
+
+ C:
+ assume j == 0 && n == 0;
+ i := j + 1;
+ assume i == j + 1 && j == 0 && n == 0;
+ goto D;
+
+ D:
+ assume i == j + 1 && j == 0 && n == 0;
+ i := i + 1;
+ assume i == j + 2 && j == 0 && n == 0;
+ goto E;
+
+ E:
+ assume i == j + 2 && j == 0 && n == 0;
+ i := i + 1;
+ assume i == j + 3 && j == 0 && n == 0;
+ goto F;
+
+ F:
+ assume i == j + 3 && j == 0 && n == 0;
+ i := i + 1;
+ assume i == j + 4 && j == 0 && n == 0;
+ goto G;
+
+ G:
+ assume i == j + 4 && j == 0 && n == 0;
+ i := i + 1;
+ assume i == j + 5 && j == 0 && n == 0;
+ goto H;
+
+ H:
+ assume i == j + 5 && j == 0 && n == 0;
+ j := j + 1;
+ assume i == j + 4 && j == 1 && n == 0;
+ goto I;
+
+ I:
+ assume i == j + 4 && j == 1 && n == 0;
+ assume i == j + 4 && j == 1 && n == 0;
+ return;
+}
+
+
+
+Boogie program verifier finished with 0 verified, 0 errors
+-------------------- Linear9.bpl --------------------
+procedure foo();
+
+
+
+implementation foo()
+{
+ var i: int;
+ var j: int;
+ var n: int;
+
+ entry:
+ assume true;
+ assume n >= 4;
+ i := 0;
+ j := i + 1;
+ assume j == i + 1 && i == 0 && 4 <= n;
+ goto exit, loop0;
+
+ loop0: // cut point
+ assume 4 <= n && 0 <= i && j == i + 1;
+ assume j <= n;
+ assume j <= n && 4 <= n && 0 <= i && j == i + 1;
+ goto loop1;
+
+ loop1:
+ assume j <= n && 4 <= n && 0 <= i && j == i + 1;
+ i := i + 1;
+ assume 1 <= i && j == i && j <= n && 4 <= n;
+ goto loop2;
+
+ loop2:
+ assume j <= n && 4 <= n && 1 <= i && j == i;
+ j := j + 1;
+ assume j <= n + 1 && j == i + 1 && 4 <= n && 1 <= i;
+ goto loop0, exit;
+
+ exit:
+ assume j <= n + 1 && 4 <= n && 0 <= i && j == i + 1;
+ assume j <= n + 1 && 4 <= n && 0 <= i && j == i + 1;
+ return;
+}
+
+
+
+Boogie program verifier finished with 0 verified, 0 errors
+-------------------- Bound.bpl --------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
diff --git a/Test/aitest1/Bound.bpl b/Test/aitest1/Bound.bpl
new file mode 100644
index 00000000..02b2c460
--- /dev/null
+++ b/Test/aitest1/Bound.bpl
@@ -0,0 +1,28 @@
+const TEST: name;
+
+procedure P()
+{
+var i: int;
+var N: int;
+
+start:
+ assume N >= 0;
+ i := 0;
+ assert i <= N;
+ goto LoopHead;
+
+LoopHead:
+ goto LoopBody, AfterLoop;
+
+LoopBody:
+ assume i < N;
+ i := i + 1;
+ goto LoopHead;
+
+AfterLoop:
+ assume !(i < N);
+ assert i == N;
+ return;
+}
+
+type name; \ No newline at end of file
diff --git a/Test/aitest1/Linear0.bpl b/Test/aitest1/Linear0.bpl
new file mode 100644
index 00000000..7a11c803
--- /dev/null
+++ b/Test/aitest1/Linear0.bpl
@@ -0,0 +1,10 @@
+// Simple test file for checking the inference of linear constraints.
+
+var x: int;
+var y: int;
+
+procedure p()
+{
+ start:
+ return;
+}
diff --git a/Test/aitest1/Linear1.bpl b/Test/aitest1/Linear1.bpl
new file mode 100644
index 00000000..0cbb4a07
--- /dev/null
+++ b/Test/aitest1/Linear1.bpl
@@ -0,0 +1,11 @@
+// Simple test file for checking the inference of linear constraints.
+
+var x: int;
+var y: int;
+
+procedure p()
+{
+ start:
+ assume x*x == y; // not a linear condition
+ return;
+}
diff --git a/Test/aitest1/Linear2.bpl b/Test/aitest1/Linear2.bpl
new file mode 100644
index 00000000..9e02c9e2
--- /dev/null
+++ b/Test/aitest1/Linear2.bpl
@@ -0,0 +1,11 @@
+// Simple test file for checking the inference of linear constraints.
+
+var x: int;
+var y: int;
+
+procedure p()
+{
+ start:
+ assume x == 8;
+ return;
+}
diff --git a/Test/aitest1/Linear3.bpl b/Test/aitest1/Linear3.bpl
new file mode 100644
index 00000000..c6b7a441
--- /dev/null
+++ b/Test/aitest1/Linear3.bpl
@@ -0,0 +1,11 @@
+// Simple test file for checking the inference of linear constraints.
+
+var x: int;
+var y: int;
+
+procedure p()
+{
+ start:
+ assume x < y;
+ return;
+}
diff --git a/Test/aitest1/Linear4.bpl b/Test/aitest1/Linear4.bpl
new file mode 100644
index 00000000..c8c4605c
--- /dev/null
+++ b/Test/aitest1/Linear4.bpl
@@ -0,0 +1,15 @@
+// Simple test file for checking the inference of linear constraints.
+
+var x: int;
+var y: int;
+
+procedure p()
+ modifies x;
+{
+ A:
+ assume x < y;
+ goto B;
+ B:
+ x := x*x;
+ return;
+}
diff --git a/Test/aitest1/Linear5.bpl b/Test/aitest1/Linear5.bpl
new file mode 100644
index 00000000..4f04999c
--- /dev/null
+++ b/Test/aitest1/Linear5.bpl
@@ -0,0 +1,21 @@
+// Simple test file for checking the inference of linear constraints.
+
+var x: int;
+var y: int;
+
+procedure p()
+ modifies x;
+{
+ A:
+ assume -1 <= x;
+ goto B;
+ B:
+ assume x < y;
+ goto C;
+ C:
+ x := x*x;
+ goto D;
+ D:
+ x := y;
+ return;
+}
diff --git a/Test/aitest1/Linear6.bpl b/Test/aitest1/Linear6.bpl
new file mode 100644
index 00000000..83e52a9a
--- /dev/null
+++ b/Test/aitest1/Linear6.bpl
@@ -0,0 +1,21 @@
+// Simple test file for checking the inference of linear constraints.
+
+var x: int;
+var y: int;
+var z: int;
+
+procedure p()
+ modifies x;
+{
+A:
+ x := 8;
+ goto B, C;
+B:
+ x := 9;
+ goto D;
+C:
+ x := 10;
+ goto D;
+D:
+ return;
+}
diff --git a/Test/aitest1/Linear7.bpl b/Test/aitest1/Linear7.bpl
new file mode 100644
index 00000000..b1bcaaaf
--- /dev/null
+++ b/Test/aitest1/Linear7.bpl
@@ -0,0 +1,19 @@
+// Simple test file for checking the inference of linear constraints.
+
+var x: int;
+var y: int;
+var z: int;
+
+procedure p()
+{
+A:
+ goto B, C;
+B:
+ assume x <= 0;
+ goto D;
+C:
+ assume y <= 0;
+ goto D;
+D:
+ return;
+}
diff --git a/Test/aitest1/Linear8.bpl b/Test/aitest1/Linear8.bpl
new file mode 100644
index 00000000..4bc3f887
--- /dev/null
+++ b/Test/aitest1/Linear8.bpl
@@ -0,0 +1,42 @@
+
+procedure foo () returns ()
+{
+ var i: int;
+ var j: int;
+ var n: int;
+
+A: // true
+ n := 0;
+ goto B;
+
+B: // n = 0
+ j := 0;
+ goto C;
+
+C: // n = 0 AND j = 0
+ i := j + 1;
+ goto D;
+
+D: // n = 0 AND j = 0 AND i = j + 1
+ i := i + 1;
+ goto E;
+
+E: // n = 0 AND j = 0 AND i = j + 2
+ i := i + 1;
+ goto F;
+
+F: // n = 0 AND j = 0 AND i = j + 3
+ i := i + 1;
+ goto G;
+
+G: // n = 0 AND j = 0 AND i = j + 4
+ i := i + 1;
+ goto H;
+
+H: // n = 0 AND j = 0 AND i = j + 1
+ j := j + 1;
+ goto I;
+
+I: // n = 0 AND j = 1 AND i = j + 4
+ return;
+}
diff --git a/Test/aitest1/Linear9.bpl b/Test/aitest1/Linear9.bpl
new file mode 100644
index 00000000..e48a7a0c
--- /dev/null
+++ b/Test/aitest1/Linear9.bpl
@@ -0,0 +1,29 @@
+procedure foo () returns ()
+{
+ var i: int;
+ var j: int;
+ var n: int;
+entry:
+ assume n >= 4;
+ i := 0;
+ j := i + 1;
+ // n >= 4 AND i = 0 AND j = i+1
+ goto exit, loop0;
+
+loop0:
+ // n >= 4 AND i >= 0 AND j = i+1
+ assume j <= n;
+ goto loop1;
+loop1:
+ // n >= 4 AND i >= 0 AND j = i+1 AND j <= n
+ i := i + 1;
+ goto loop2;
+loop2:
+ j := j + 1;
+ // n >= 4 AND i >= 1 AND j = i+1 AND j <= n+1
+ goto loop0, exit;
+
+exit:
+ // n >= 4 AND i >= 0 AND j = i+1 AND j <= n+1
+ return;
+}
diff --git a/Test/aitest1/Output b/Test/aitest1/Output
new file mode 100644
index 00000000..4e5c8f27
--- /dev/null
+++ b/Test/aitest1/Output
@@ -0,0 +1,510 @@
+-------------------- ineq.bpl --------------------
+procedure SimpleLoop();
+
+
+
+implementation SimpleLoop()
+{
+ var i: int;
+
+ start:
+ assume true;
+ i := 0;
+ assume i == 0;
+ goto test;
+
+ test: // cut point
+ assume 0 <= i;
+ assume 0 <= i;
+ goto Then, Else;
+
+ Then:
+ assume 0 <= i;
+ assume i < 10;
+ i := i + 1;
+ assume i <= 10 && 1 <= i;
+ goto test;
+
+ Else:
+ assume 0 <= i;
+ assume !(i < 10);
+ assume 10 <= i;
+ return;
+}
+
+
+
+procedure VariableBoundLoop(n: int);
+
+
+
+implementation VariableBoundLoop(n: int)
+{
+ var i: int;
+
+ start:
+ assume true;
+ i := 0;
+ assume i == 0;
+ goto test;
+
+ test: // cut point
+ assume 0 <= i;
+ assume 0 <= i;
+ goto Then, Else;
+
+ Then:
+ assume 0 <= i;
+ assume i < n;
+ i := i + 1;
+ assume i <= n && 1 <= i;
+ goto test;
+
+ Else:
+ assume 0 <= i;
+ assume !(i < n);
+ assume n <= i && 0 <= i;
+ return;
+}
+
+
+
+procedure Foo();
+
+
+
+implementation Foo()
+{
+ var i: int;
+
+ start:
+ assume true;
+ i := 3 * i + 1;
+ i := 3 * (i + 1);
+ i := 1 + 3 * i;
+ i := (i + 1) * 3;
+ assume true;
+ return;
+}
+
+
+
+procedure FooToo();
+
+
+
+implementation FooToo()
+{
+ var i: int;
+
+ start:
+ assume true;
+ i := 5;
+ i := 3 * i + 1;
+ i := 3 * (i + 1);
+ i := 1 + 3 * i;
+ i := (i + 1) * 3;
+ assume 1 / 3 * i == 155;
+ return;
+}
+
+
+
+procedure FooTooStepByStep();
+
+
+
+implementation FooTooStepByStep()
+{
+ var i: int;
+
+ L0:
+ assume true;
+ i := 5;
+ assume i == 5;
+ goto L1;
+
+ L1:
+ assume i == 5;
+ i := 3 * i + 1;
+ assume i == 16;
+ goto L2;
+
+ L2:
+ assume i == 16;
+ i := 3 * (i + 1);
+ assume 1 / 3 * i == 17;
+ goto L3;
+
+ L3:
+ assume 1 / 3 * i == 17;
+ i := 1 + 3 * i;
+ assume i == 154;
+ goto L4;
+
+ L4:
+ assume i == 154;
+ i := (i + 1) * 3;
+ assume 1 / 3 * i == 155;
+ return;
+}
+
+
+
+Boogie program verifier finished with 0 verified, 0 errors
+-------------------- Linear0.bpl --------------------
+var x: int;
+
+var y: int;
+
+procedure p();
+
+
+
+implementation p()
+{
+
+ start:
+ assume true;
+ assume true;
+ return;
+}
+
+
+
+Boogie program verifier finished with 0 verified, 0 errors
+-------------------- Linear1.bpl --------------------
+var x: int;
+
+var y: int;
+
+procedure p();
+
+
+
+implementation p()
+{
+
+ start:
+ assume true;
+ assume x * x == y;
+ assume true;
+ return;
+}
+
+
+
+Boogie program verifier finished with 0 verified, 0 errors
+-------------------- Linear2.bpl --------------------
+var x: int;
+
+var y: int;
+
+procedure p();
+
+
+
+implementation p()
+{
+
+ start:
+ assume true;
+ assume x == 8;
+ assume x == 8;
+ return;
+}
+
+
+
+Boogie program verifier finished with 0 verified, 0 errors
+-------------------- Linear3.bpl --------------------
+var x: int;
+
+var y: int;
+
+procedure p();
+
+
+
+implementation p()
+{
+
+ start:
+ assume true;
+ assume x < y;
+ assume x + 1 <= y;
+ return;
+}
+
+
+
+Boogie program verifier finished with 0 verified, 0 errors
+-------------------- Linear4.bpl --------------------
+var x: int;
+
+var y: int;
+
+procedure p();
+ modifies x;
+
+
+
+implementation p()
+{
+
+ A:
+ assume true;
+ assume x < y;
+ assume x + 1 <= y;
+ goto B;
+
+ B:
+ assume x + 1 <= y;
+ x := x * x;
+ assume true;
+ return;
+}
+
+
+
+Boogie program verifier finished with 0 verified, 0 errors
+-------------------- Linear5.bpl --------------------
+var x: int;
+
+var y: int;
+
+procedure p();
+ modifies x;
+
+
+
+implementation p()
+{
+
+ A:
+ assume true;
+ assume 0 - 1 <= x;
+ assume -1 <= x;
+ goto B;
+
+ B:
+ assume -1 <= x;
+ assume x < y;
+ assume x + 1 <= y && -1 <= x;
+ goto C;
+
+ C:
+ assume x + 1 <= y && -1 <= x;
+ x := x * x;
+ assume 0 <= y;
+ goto D;
+
+ D:
+ assume 0 <= y;
+ x := y;
+ assume x == y && 0 <= y;
+ return;
+}
+
+
+
+Boogie program verifier finished with 0 verified, 0 errors
+-------------------- Linear6.bpl --------------------
+var x: int;
+
+var y: int;
+
+var z: int;
+
+procedure p();
+ modifies x;
+
+
+
+implementation p()
+{
+
+ A:
+ assume true;
+ x := 8;
+ assume x == 8;
+ goto B, C;
+
+ B:
+ assume x == 8;
+ x := 9;
+ assume x == 9;
+ goto D;
+
+ C:
+ assume x == 8;
+ x := 10;
+ assume x == 10;
+ goto D;
+
+ D:
+ assume 9 <= x && x <= 10;
+ assume 9 <= x && x <= 10;
+ return;
+}
+
+
+
+Boogie program verifier finished with 0 verified, 0 errors
+-------------------- Linear7.bpl --------------------
+var x: int;
+
+var y: int;
+
+var z: int;
+
+procedure p();
+
+
+
+implementation p()
+{
+
+ A:
+ assume true;
+ assume true;
+ goto B, C;
+
+ B:
+ assume true;
+ assume x <= 0;
+ assume x <= 0;
+ goto D;
+
+ C:
+ assume true;
+ assume y <= 0;
+ assume y <= 0;
+ goto D;
+
+ D:
+ assume true;
+ assume true;
+ return;
+}
+
+
+
+Boogie program verifier finished with 0 verified, 0 errors
+-------------------- Linear8.bpl --------------------
+procedure foo();
+
+
+
+implementation foo()
+{
+ var i: int;
+ var j: int;
+ var n: int;
+
+ A:
+ assume true;
+ n := 0;
+ assume n == 0;
+ goto B;
+
+ B:
+ assume n == 0;
+ j := 0;
+ assume j == 0 && n == 0;
+ goto C;
+
+ C:
+ assume j == 0 && n == 0;
+ i := j + 1;
+ assume i == j + 1 && j == 0 && n == 0;
+ goto D;
+
+ D:
+ assume i == j + 1 && j == 0 && n == 0;
+ i := i + 1;
+ assume i == j + 2 && j == 0 && n == 0;
+ goto E;
+
+ E:
+ assume i == j + 2 && j == 0 && n == 0;
+ i := i + 1;
+ assume i == j + 3 && j == 0 && n == 0;
+ goto F;
+
+ F:
+ assume i == j + 3 && j == 0 && n == 0;
+ i := i + 1;
+ assume i == j + 4 && j == 0 && n == 0;
+ goto G;
+
+ G:
+ assume i == j + 4 && j == 0 && n == 0;
+ i := i + 1;
+ assume i == j + 5 && j == 0 && n == 0;
+ goto H;
+
+ H:
+ assume i == j + 5 && j == 0 && n == 0;
+ j := j + 1;
+ assume i == j + 4 && j == 1 && n == 0;
+ goto I;
+
+ I:
+ assume i == j + 4 && j == 1 && n == 0;
+ assume i == j + 4 && j == 1 && n == 0;
+ return;
+}
+
+
+
+Boogie program verifier finished with 0 verified, 0 errors
+-------------------- Linear9.bpl --------------------
+procedure foo();
+
+
+
+implementation foo()
+{
+ var i: int;
+ var j: int;
+ var n: int;
+
+ entry:
+ assume true;
+ assume n >= 4;
+ i := 0;
+ j := i + 1;
+ assume j == i + 1 && i == 0 && 4 <= n;
+ goto exit, loop0;
+
+ loop0: // cut point
+ assume 4 <= n && 0 <= i && j == i + 1;
+ assume j <= n;
+ assume j <= n && 4 <= n && 0 <= i && j == i + 1;
+ goto loop1;
+
+ loop1:
+ assume j <= n && 4 <= n && 0 <= i && j == i + 1;
+ i := i + 1;
+ assume 1 <= i && j == i && j <= n && 4 <= n;
+ goto loop2;
+
+ loop2:
+ assume j <= n && 4 <= n && 1 <= i && j == i;
+ j := j + 1;
+ assume j <= n + 1 && j == i + 1 && 4 <= n && 1 <= i;
+ goto loop0, exit;
+
+ exit:
+ assume j <= n + 1 && 4 <= n && 0 <= i && j == i + 1;
+ assume j <= n + 1 && 4 <= n && 0 <= i && j == i + 1;
+ return;
+}
+
+
+
+Boogie program verifier finished with 0 verified, 0 errors
+-------------------- Bound.bpl --------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
diff --git a/Test/aitest1/ineq.bpl b/Test/aitest1/ineq.bpl
new file mode 100644
index 00000000..a417aaf3
--- /dev/null
+++ b/Test/aitest1/ineq.bpl
@@ -0,0 +1,81 @@
+// Test the polyhedra domain for linear inequalities
+
+
+procedure SimpleLoop ()
+{
+ var i : int;
+
+ start:
+ i := 0;
+ goto test;
+
+ test:
+ goto Then, Else;
+
+ Then:
+ assume i < 10;
+ i := i + 1;
+ goto test;
+
+ Else:
+ assume ! (i < 10);
+ return;
+}
+
+
+procedure VariableBoundLoop (n : int)
+{
+ var i : int;
+
+ start:
+ i := 0;
+ goto test;
+
+ test:
+ goto Then, Else;
+
+ Then:
+ assume i < n;
+ i := i + 1;
+ goto test;
+
+ Else:
+ assume ! (i < n);
+ return;
+}
+
+procedure Foo ()
+{
+ var i : int;
+
+ start:
+ i := 3 * i + 1;
+ i := 3 * (i + 1);
+ i := 1 + 3 * i;
+ i := (i + 1) * 3 ;
+ return;
+}
+
+procedure FooToo ()
+{
+ var i : int;
+
+ start:
+ i := 5;
+ i := 3 * i + 1;
+ i := 3 * (i + 1);
+ i := 1 + 3 * i;
+ i := (i + 1) * 3 ;
+ return;
+}
+
+procedure FooTooStepByStep ()
+{
+ var i : int;
+
+ L0: i := 5; goto L1;
+ L1: i := 3 * i + 1; goto L2;
+ L2: i := 3 * (i + 1); goto L3;
+ L3: i := 1 + 3 * i; goto L4;
+ L4: i := (i + 1) * 3; return;
+}
diff --git a/Test/aitest1/runtest.bat b/Test/aitest1/runtest.bat
new file mode 100644
index 00000000..f2a4d3e5
--- /dev/null
+++ b/Test/aitest1/runtest.bat
@@ -0,0 +1,17 @@
+@echo off
+setlocal
+
+set BGEXE=..\..\Binaries\Boogie.exe
+
+for %%f in (ineq.bpl Linear0.bpl Linear1.bpl Linear2.bpl
+ Linear3.bpl Linear4.bpl Linear5.bpl Linear6.bpl
+ Linear7.bpl Linear8.bpl Linear9.bpl) do (
+ echo -------------------- %%f --------------------
+ %BGEXE% %* -infer:p -printInstrumented -noVerify %%f
+)
+
+for %%f in (Bound.bpl) do (
+ echo -------------------- %%f --------------------
+ %BGEXE% %* -infer:p %%f
+)
+
diff --git a/Test/aitest9/Output b/Test/aitest9/Output
new file mode 100644
index 00000000..dd10a8b3
--- /dev/null
+++ b/Test/aitest9/Output
@@ -0,0 +1,26 @@
+
+-------------------- VarMapFixPoint.bpl --------------------
+VarMapFixPoint.bpl(11,5): Error BP5005: This loop invariant might not be maintained by the loop.
+Execution trace:
+ VarMapFixPoint.bpl(5,3): start
+ VarMapFixPoint.bpl(10,3): LoopHead
+ VarMapFixPoint.bpl(14,3): LoopBody
+
+Boogie program verifier finished with 1 verified, 1 error
+
+-------------------- TestIntervals.bpl --------------------
+TestIntervals.bpl(23,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ TestIntervals.bpl(5,5): anon0
+ TestIntervals.bpl(6,3): anon9_LoopHead
+ TestIntervals.bpl(6,3): anon9_LoopDone
+ TestIntervals.bpl(11,5): anon2
+ TestIntervals.bpl(12,14): anon10_Then
+ TestIntervals.bpl(13,3): anon4
+ TestIntervals.bpl(13,14): anon11_Then
+ TestIntervals.bpl(14,3): anon6
+ TestIntervals.bpl(14,14): anon12_Then
+ TestIntervals.bpl(17,5): anon8
+ TestIntervals.bpl(21,3): Next
+
+Boogie program verifier finished with 0 verified, 1 error
diff --git a/Test/aitest9/TestIntervals.bpl b/Test/aitest9/TestIntervals.bpl
new file mode 100644
index 00000000..b989e16c
--- /dev/null
+++ b/Test/aitest9/TestIntervals.bpl
@@ -0,0 +1,24 @@
+procedure P()
+{
+ var a: int, b: int, c: int;
+
+ a := 0;
+ while (*) {
+ a := a + 1;
+ }
+ // a in [0, infty]
+
+ b := 0;
+ if (*) { b := b + 1; }
+ if (*) { b := b + 1; }
+ if (*) { b := b + 1; }
+ // b in [0, 3]
+
+ c := a - b;
+ // c in [-3, infty]
+ goto Next;
+
+ Next:
+ assert -3 <= c;
+ assert c <= 0; // error (there was once an error in the Intervals which thought this assertion to be true)
+}
diff --git a/Test/aitest9/VarMapFixpoint.bpl b/Test/aitest9/VarMapFixpoint.bpl
new file mode 100644
index 00000000..6b53467d
--- /dev/null
+++ b/Test/aitest9/VarMapFixpoint.bpl
@@ -0,0 +1,58 @@
+procedure main()
+{
+ var x: int, y: int, z: int;
+
+ start:
+ x := 2;
+ y := 6;
+ goto LoopHead;
+
+ LoopHead:
+ assert y < 10; // error: the loop body sets y to an arbitrary value
+ goto LoopBody, LoopEnd;
+
+ LoopBody:
+ havoc y;
+ goto LoopHead;
+
+ LoopEnd:
+ return;
+}
+
+procedure SimpleWhile5() returns (returnValue: int)
+{
+ var i: int;
+
+ start:
+ returnValue := 1;
+ havoc i;
+ goto LoopHead;
+
+ LoopHead:
+ goto LoopBody, LoopEnd;
+
+ LoopBody:
+ // here, we would simply like to "assume 1 <= i", but the interval domain doesn't interpret
+ // assume commands, so we start a loop
+ i := 1;
+ goto IncLoopHead;
+
+ IncLoopHead:
+ goto IncI, IncDone;
+
+ IncI:
+ i := i + 1;
+ goto IncLoopHead;
+
+ IncDone:
+ // now we have 1 <= i
+ assert 1 <= i;
+
+ returnValue := returnValue * i;
+ i := i - 1;
+ goto LoopHead;
+
+ LoopEnd:
+ assert returnValue >= 1;
+ return;
+}
diff --git a/Test/aitest9/answer b/Test/aitest9/answer
new file mode 100644
index 00000000..dd10a8b3
--- /dev/null
+++ b/Test/aitest9/answer
@@ -0,0 +1,26 @@
+
+-------------------- VarMapFixPoint.bpl --------------------
+VarMapFixPoint.bpl(11,5): Error BP5005: This loop invariant might not be maintained by the loop.
+Execution trace:
+ VarMapFixPoint.bpl(5,3): start
+ VarMapFixPoint.bpl(10,3): LoopHead
+ VarMapFixPoint.bpl(14,3): LoopBody
+
+Boogie program verifier finished with 1 verified, 1 error
+
+-------------------- TestIntervals.bpl --------------------
+TestIntervals.bpl(23,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ TestIntervals.bpl(5,5): anon0
+ TestIntervals.bpl(6,3): anon9_LoopHead
+ TestIntervals.bpl(6,3): anon9_LoopDone
+ TestIntervals.bpl(11,5): anon2
+ TestIntervals.bpl(12,14): anon10_Then
+ TestIntervals.bpl(13,3): anon4
+ TestIntervals.bpl(13,14): anon11_Then
+ TestIntervals.bpl(14,3): anon6
+ TestIntervals.bpl(14,14): anon12_Then
+ TestIntervals.bpl(17,5): anon8
+ TestIntervals.bpl(21,3): Next
+
+Boogie program verifier finished with 0 verified, 1 error
diff --git a/Test/aitest9/runtest.bat b/Test/aitest9/runtest.bat
new file mode 100644
index 00000000..bafa6961
--- /dev/null
+++ b/Test/aitest9/runtest.bat
@@ -0,0 +1,11 @@
+@echo off
+setlocal
+
+set BOOGIEDIR=..\..\Binaries
+set BPLEXE=%BOOGIEDIR%\Boogie.exe
+
+for %%f in (VarMapFixPoint.bpl TestIntervals.bpl) do (
+ echo.
+ echo -------------------- %%f --------------------
+ %BPLEXE% %* %%f /infer:i
+)
diff --git a/Test/alltests.txt b/Test/alltests.txt
new file mode 100644
index 00000000..2a7e11bd
--- /dev/null
+++ b/Test/alltests.txt
@@ -0,0 +1,22 @@
+test0 Use Name resolution tests
+test1 Use Typechecking tests
+test2 Use VC generation
+test7 Use Some tests for VCVariety.BlockNested
+test20 Use Types introduced in Boogie2
+test21 Use Verify Boogie 2 programs
+aitest0 Use Constant propagation test
+aitest1 Use Linear ineqality test
+aitest9 Use Test for the abstract domain of intervals
+lock Use SLAM example
+test13 Use ExistsUnique
+inline Use Procedure inlining
+textbook Use Some textbook examples
+test15 Use Benchmarks for error messages
+bitvectors Use Smoke tests for bitvectors
+smoke Use Soundness smoke testing
+test16 Use Tests methodology of visible-state semantics and loop unrolling
+test17 Postponed Tests inference of parameterized contracts
+z3api Postponed Test for Z3 Managed .NET API prover
+houdini Postponed Test for Houdini decision procedure
+dafny0 Use Dafny programs
+havoc0 Use HAVOC-generated bpl files
diff --git a/Test/bitvectors/Answer b/Test/bitvectors/Answer
new file mode 100644
index 00000000..9ad91f5b
--- /dev/null
+++ b/Test/bitvectors/Answer
@@ -0,0 +1,62 @@
+-------------------- arrays.bpl --------------------
+
+Boogie program verifier finished with 2 verified, 0 errors
+-------------------- bv0.bpl --------------------
+bv0.bpl(4,3): Error: mismatched types in assignment command (cannot assign bv31 to bv32)
+bv0.bpl(5,3): Error: mismatched types in assignment command (cannot assign int to bv32)
+bv0.bpl(6,4): Error: mismatched types in assignment command (cannot assign bv1 to bv32)
+bv0.bpl(7,10): Error: start index in extract must be no bigger than the end index
+bv0.bpl(8,4): Error: mismatched types in assignment command (cannot assign bv1 to bv32)
+bv0.bpl(9,4): Error: mismatched types in assignment command (cannot assign bv1 to bv32)
+bv0.bpl(10,4): Error: mismatched types in assignment command (cannot assign concat$bvproxy#10 to bv32)
+7 type checking errors detected in bv0.bpl
+-------------------- bv1.bpl --------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+-------------------- bv2.bpl --------------------
+bv2.bpl(4,13): Error: bitvector bounds in illegal position
+bv2.bpl(6,13): Error: undeclared type: x
+bv2.bpl(7,14): Error: bitvector bounds in illegal position
+3 name resolution errors detected in bv2.bpl
+-------------------- bv3.bpl --------------------
+bv3.bpl(2,5): Error: type name: bv16 is registered for bitvectors
+1 name resolution errors detected in bv3.bpl
+-------------------- bv4.bpl --------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+-------------------- bv7.bpl --------------------
+bv7.bpl(4,14): Error: arguments of extract need to be integer literals
+bv7.bpl(5,15): Error: parentheses around bitvector bounds are not allowed
+2 parse errors detected in bv7.bpl
+-------------------- vcc0.bpl --------------------
+vcc0.bpl(553,22): syntax error: [ expected
+vcc0.bpl(553,28): syntax error: ] expected
+vcc0.bpl(555,29): syntax error: [ expected
+vcc0.bpl(557,28): syntax error: [ expected
+vcc0.bpl(557,37): syntax error: ] expected
+5 parse errors detected in vcc0.bpl
+-------------------- vcc0.bpl - toInt --------------------
+vcc0.bpl(553,22): syntax error: [ expected
+vcc0.bpl(553,28): syntax error: ] expected
+vcc0.bpl(555,29): syntax error: [ expected
+vcc0.bpl(557,28): syntax error: [ expected
+vcc0.bpl(557,37): syntax error: ] expected
+5 parse errors detected in vcc0.bpl
+-------------------- bv4.bpl - /bv:n --------------------
+bv4.bpl(3,6): Error: no bitvector handling specified, please use /bv:i or /bv:z flag
+bv4.bpl(3,13): Error: no bitvector handling specified, please use /bv:i or /bv:z flag
+bv4.bpl(5,6): Error: no bitvector handling specified, please use /bv:i or /bv:z flag
+bv4.bpl(5,14): Error: no bitvector handling specified, please use /bv:i or /bv:z flag
+4 type checking errors detected in bv4.bpl
+-------------------- bv5.bpl --------------------
+bv5.bpl(10,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ bv5.bpl(5,12): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+-------------------- bv6.bpl --------------------
+bv6.bpl(8,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ bv6.bpl(5,5): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
diff --git a/Test/bitvectors/Output b/Test/bitvectors/Output
new file mode 100644
index 00000000..9ad91f5b
--- /dev/null
+++ b/Test/bitvectors/Output
@@ -0,0 +1,62 @@
+-------------------- arrays.bpl --------------------
+
+Boogie program verifier finished with 2 verified, 0 errors
+-------------------- bv0.bpl --------------------
+bv0.bpl(4,3): Error: mismatched types in assignment command (cannot assign bv31 to bv32)
+bv0.bpl(5,3): Error: mismatched types in assignment command (cannot assign int to bv32)
+bv0.bpl(6,4): Error: mismatched types in assignment command (cannot assign bv1 to bv32)
+bv0.bpl(7,10): Error: start index in extract must be no bigger than the end index
+bv0.bpl(8,4): Error: mismatched types in assignment command (cannot assign bv1 to bv32)
+bv0.bpl(9,4): Error: mismatched types in assignment command (cannot assign bv1 to bv32)
+bv0.bpl(10,4): Error: mismatched types in assignment command (cannot assign concat$bvproxy#10 to bv32)
+7 type checking errors detected in bv0.bpl
+-------------------- bv1.bpl --------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+-------------------- bv2.bpl --------------------
+bv2.bpl(4,13): Error: bitvector bounds in illegal position
+bv2.bpl(6,13): Error: undeclared type: x
+bv2.bpl(7,14): Error: bitvector bounds in illegal position
+3 name resolution errors detected in bv2.bpl
+-------------------- bv3.bpl --------------------
+bv3.bpl(2,5): Error: type name: bv16 is registered for bitvectors
+1 name resolution errors detected in bv3.bpl
+-------------------- bv4.bpl --------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+-------------------- bv7.bpl --------------------
+bv7.bpl(4,14): Error: arguments of extract need to be integer literals
+bv7.bpl(5,15): Error: parentheses around bitvector bounds are not allowed
+2 parse errors detected in bv7.bpl
+-------------------- vcc0.bpl --------------------
+vcc0.bpl(553,22): syntax error: [ expected
+vcc0.bpl(553,28): syntax error: ] expected
+vcc0.bpl(555,29): syntax error: [ expected
+vcc0.bpl(557,28): syntax error: [ expected
+vcc0.bpl(557,37): syntax error: ] expected
+5 parse errors detected in vcc0.bpl
+-------------------- vcc0.bpl - toInt --------------------
+vcc0.bpl(553,22): syntax error: [ expected
+vcc0.bpl(553,28): syntax error: ] expected
+vcc0.bpl(555,29): syntax error: [ expected
+vcc0.bpl(557,28): syntax error: [ expected
+vcc0.bpl(557,37): syntax error: ] expected
+5 parse errors detected in vcc0.bpl
+-------------------- bv4.bpl - /bv:n --------------------
+bv4.bpl(3,6): Error: no bitvector handling specified, please use /bv:i or /bv:z flag
+bv4.bpl(3,13): Error: no bitvector handling specified, please use /bv:i or /bv:z flag
+bv4.bpl(5,6): Error: no bitvector handling specified, please use /bv:i or /bv:z flag
+bv4.bpl(5,14): Error: no bitvector handling specified, please use /bv:i or /bv:z flag
+4 type checking errors detected in bv4.bpl
+-------------------- bv5.bpl --------------------
+bv5.bpl(10,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ bv5.bpl(5,12): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+-------------------- bv6.bpl --------------------
+bv6.bpl(8,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ bv6.bpl(5,5): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
diff --git a/Test/bitvectors/arrays.bpl b/Test/bitvectors/arrays.bpl
new file mode 100644
index 00000000..dc304d27
--- /dev/null
+++ b/Test/bitvectors/arrays.bpl
@@ -0,0 +1,41 @@
+const unique f1 : Field int;
+const unique f2 : Field bv32;
+const unique f3 : Field bool;
+
+const unique r1 : ref;
+const unique r2 : ref;
+
+var H : <x>[ref,Field x]x;
+
+procedure foo()
+ modifies H;
+{
+ var i : int;
+ var b : bv32;
+ var c : bool;
+
+ H[r1, f1] := 3;
+ H[r1, f2] := 77bv32;
+ H[r1, f3] := true;
+ i := H[r1,f1];
+ b := H[r1,f2];
+ c := H[r1,f3];
+ assert i == 3;
+ assert b == 77bv32;
+ assert H[r1,f3];
+}
+
+var B : [bv32]bv32;
+
+procedure bar()
+ modifies B;
+{
+ var b : bv32;
+
+ B[42bv32] := 77bv32;
+ b := B[42bv32];
+ assert b == 77bv32;
+}
+
+
+type Field a, ref; \ No newline at end of file
diff --git a/Test/bitvectors/bv0.bpl b/Test/bitvectors/bv0.bpl
new file mode 100644
index 00000000..43bf734a
--- /dev/null
+++ b/Test/bitvectors/bv0.bpl
@@ -0,0 +1,13 @@
+procedure foo2(x : bv32) returns(r : bv32)
+{
+ block1:
+ r := 17bv31; // Error
+ r := 17; // Error
+ r := x[1:0]; // Error
+ r := x[0:1]; // Error
+ r := x[55:54]; // Error
+ r := x[33:32]; // Error
+ r := 17bv10 ++ 17bv42 ++ 13bv22; // Error
+ return;
+}
+
diff --git a/Test/bitvectors/bv1.bpl b/Test/bitvectors/bv1.bpl
new file mode 100644
index 00000000..6c9ea70b
--- /dev/null
+++ b/Test/bitvectors/bv1.bpl
@@ -0,0 +1,17 @@
+procedure foo(x : bv32) returns(r : bv32)
+{
+ var q : bv64;
+
+ block1:
+ r := 17bv32;
+ assert r == r;
+ assert r[32:0] == r[32:0];
+ assert 0bv2 ++ r[12:0] == 0bv2 ++ r[12:0];
+ r := 17bv10 ++ 17bv22;
+ // r := 17;
+ q := 420000000000bv64;
+ q := 8444249301319680000bv64;
+ q := 16444249301319680000bv64;
+ return;
+}
+
diff --git a/Test/bitvectors/bv2.bpl b/Test/bitvectors/bv2.bpl
new file mode 100644
index 00000000..f1888c2b
--- /dev/null
+++ b/Test/bitvectors/bv2.bpl
@@ -0,0 +1,11 @@
+procedure foo2(x : bv32) returns(r : bv32)
+{
+ block1:
+ r := x[-1:1]; // Error
+// r := x[x:1]; // Error
+ r := x[1:x]; // Error
+ r := x[1+1:3]; // Error
+ return;
+}
+
+
diff --git a/Test/bitvectors/bv3.bpl b/Test/bitvectors/bv3.bpl
new file mode 100644
index 00000000..93e06077
--- /dev/null
+++ b/Test/bitvectors/bv3.bpl
@@ -0,0 +1,3 @@
+type bv;
+type bv16;
+
diff --git a/Test/bitvectors/bv4.bpl b/Test/bitvectors/bv4.bpl
new file mode 100644
index 00000000..f38891ff
--- /dev/null
+++ b/Test/bitvectors/bv4.bpl
@@ -0,0 +1,23 @@
+
+function a() returns(bv32);
+axiom a() == a();
+
+axiom 0bv5 != 1bv5;
+
+
+// -------------------------
+type $x;
+function g() returns($x);
+type Field x;
+var $gmem : <x>[ref, Field x] x;
+const unique f : Field $x;
+
+procedure qq()
+ modifies $gmem;
+{
+ $gmem[null, f] := g();
+}
+
+
+type ref;
+const null : ref;
diff --git a/Test/bitvectors/bv5.bpl b/Test/bitvectors/bv5.bpl
new file mode 100644
index 00000000..f9240e1c
--- /dev/null
+++ b/Test/bitvectors/bv5.bpl
@@ -0,0 +1,11 @@
+
+procedure P() returns () {
+ var m : <a>[a]int;
+
+ m[23bv5] := 17;
+ m[21bv5] := 19;
+ m[21bv6] := -3;
+
+ assert m[23bv5] == 17;
+ assert m[21bv6] == 3; // should not be provable
+}
diff --git a/Test/bitvectors/bv6.bpl b/Test/bitvectors/bv6.bpl
new file mode 100644
index 00000000..ca8f8367
--- /dev/null
+++ b/Test/bitvectors/bv6.bpl
@@ -0,0 +1,9 @@
+
+procedure Q() returns () {
+ var x : bv32, y : bv16;
+
+ x := y ++ y;
+ assert x[16:0] == y;
+ assert x == x[16:0] ++ y;
+ assert x[17:1] == y; // should not be verifiable
+} \ No newline at end of file
diff --git a/Test/bitvectors/bv7.bpl b/Test/bitvectors/bv7.bpl
new file mode 100644
index 00000000..2302cf2f
--- /dev/null
+++ b/Test/bitvectors/bv7.bpl
@@ -0,0 +1,9 @@
+procedure foo2(x : bv32) returns(r : bv32)
+{
+ block1:
+ r := x[x:1]; // Error
+ r := x[(1:13)]; // Error
+ return;
+}
+
+
diff --git a/Test/bitvectors/runtest.bat b/Test/bitvectors/runtest.bat
new file mode 100644
index 00000000..0b05e986
--- /dev/null
+++ b/Test/bitvectors/runtest.bat
@@ -0,0 +1,21 @@
+@echo off
+setlocal
+
+set BGEXE=..\..\Binaries\Boogie.exe
+
+for %%f in (arrays.bpl bv0.bpl bv1.bpl bv2.bpl bv3.bpl bv4.bpl bv7.bpl vcc0.bpl) do (
+ echo -------------------- %%f --------------------
+ %BGEXE% /proverWarnings:1 /bv:z %* /logPrefix:-0 %%f
+)
+
+echo -------------------- vcc0.bpl - toInt --------------------
+%BGEXE% /proverWarnings:1 /bv:i /proc:foo %* /logPrefix:-1 vcc0.bpl
+
+echo -------------------- bv4.bpl - /bv:n --------------------
+%BGEXE% /bv:n %* /logPrefix:-1 bv4.bpl
+
+echo -------------------- bv5.bpl --------------------
+%BGEXE% /bv:z %* /logPrefix:-1 bv5.bpl
+
+echo -------------------- bv6.bpl --------------------
+%BGEXE% /bv:z %* /logPrefix:-1 bv6.bpl
diff --git a/Test/bitvectors/vcc0.bpl b/Test/bitvectors/vcc0.bpl
new file mode 100644
index 00000000..c0db5ebf
--- /dev/null
+++ b/Test/bitvectors/vcc0.bpl
@@ -0,0 +1,883 @@
+// -----------------------------------------------------------------------
+// Verified C prelude
+// version 42
+// -----------------------------------------------------------------------
+
+// ldc is left off, use 17bv32 and the like
+// bv to/from int functions are not provided by z3
+// Use ==/!= instead of ceq/cne.i4/i8 (could be axiomatized, but that would just slow things down)
+
+// Functions starting with $_ are internal to the prelude. The rest is the interface.
+
+// -----------------------------------------------------------------------
+// Types
+// -----------------------------------------------------------------------
+
+type $ptr;
+type $mem;
+
+// -----------------------------------------------------------------------
+// Pointers and memory model
+// -----------------------------------------------------------------------
+
+const $ldnull:$ptr;
+
+function $ld.i1(m:$mem, p:$ptr) returns(bv32);
+function $ld.i2(m:$mem, p:$ptr) returns(bv32);
+function $ld.i4(m:$mem, p:$ptr) returns(bv32);
+function $ld.i8(m:$mem, p:$ptr) returns(bv64);
+function $ld.u1(m:$mem, p:$ptr) returns(bv32);
+function $ld.u2(m:$mem, p:$ptr) returns(bv32);
+function $ld.ptr(m:$mem, p:$ptr) returns($ptr);
+
+function $st.i1(m:$mem, p:$ptr, v:bv32) returns($mem);
+function $st.i2(m:$mem, p:$ptr, v:bv32) returns($mem);
+function $st.i4(m:$mem, p:$ptr, v:bv32) returns($mem);
+function $st.i8(m:$mem, p:$ptr, v:bv64) returns($mem);
+function $st.ptr(m:$mem, p:$ptr, v:$ptr) returns($mem);
+
+function $add.ptr(p:$ptr, off:bv64, elsize:bv64) returns($ptr);
+function $sub.ptr(p1:$ptr, p2:$ptr) returns(bv64);
+
+function $_ptr(r:ref, off:bv64) returns($ptr);
+function $offset(p:$ptr) returns(bv64);
+function $base(p:$ptr) returns(ref);
+function $_end(p:$ptr, len:bv64) returns(bv64);
+
+axiom $ldnull == $_ptr(null, 0bv64);
+
+axiom (forall p:$ptr, q:$ptr :: { $sub.ptr(p, q) }
+ $base(p) == $base(q) ==> $sub.ptr(p, q) == $sub.i8($offset(p), $offset(q)));
+
+axiom (forall p:$ptr, o:bv64, sz:bv64 :: { $add.ptr(p, o, sz) }
+ $add.ptr(p, o, sz) == $_ptr($base(p), $add.i8($offset(p), $mul.i8(o, sz))));
+
+axiom (forall i:bv64, r:ref :: $offset($_ptr(r, i)) == i);
+axiom (forall i:bv64, r:ref :: $base($_ptr(r, i)) == r);
+axiom (forall p:$ptr, len:bv64 :: { $_end(p, len) } $_end(p, len) == $add.i8($offset(p), len));
+
+// expensive, do we need it?
+//axiom (forall p1: $ptr, p2: $ptr:: { $offset(p1), $offset(p2) }
+// ($base(p1) == $base(p2) && $offset(p1) == $offset(p2)) ==> p1 == p2);
+
+// -----------------------------------------------------------------------
+// Native Z3 BV memory model
+// -----------------------------------------------------------------------
+
+function {:bvbuiltin "sign_extend 24"} $_sign_extend.8.32(v:bv8) returns(bv32);
+function {:bvbuiltin "sign_extend 16"} $_sign_extend.16.32(v:bv16) returns(bv32);
+function {:bvbuiltin "sign_extend 32"} $_sign_extend.32.64(v:bv32) returns(bv64);
+
+function $_get_byte(m:$mem, r:ref, off:bv64) returns(bv8);
+function $_set_byte(m:$mem, r:ref, off:bv64, v:bv8) returns($mem);
+
+axiom {:ignore "bvInt"} (forall m:$mem, r:ref, off:bv64, v:bv8 ::
+ $_get_byte($_set_byte(m, r, off, v), r, off) == v);
+
+axiom {:ignore "bvInt"} (forall m:$mem, r1:ref, r2:ref, off1:bv64, off2:bv64, v:bv8 ::
+ r1 != r2 ==>
+ $_get_byte($_set_byte(m, r1, off1, v), r2, off2) == $_get_byte(m, r2, off2));
+
+axiom {:ignore "bvInt"} (forall m:$mem, r1:ref, r2:ref, off1:bv64, off2:bv64, v:bv8 ::
+ off1 != off2 ==>
+ $_get_byte($_set_byte(m, r1, off1, v), r2, off2) == $_get_byte(m, r2, off2));
+
+axiom {:ignore "bvInt"} (forall m:$mem, p:$ptr :: { $ld.i4(m, p) }
+ $ld.i4(m, p) ==
+ $_get_byte(m, $base(p), $add.i8($offset(p), 3bv64)) ++ $_get_byte(m, $base(p), $add.i8($offset(p), 2bv64)) ++
+ $_get_byte(m, $base(p), $add.i8($offset(p), 1bv64)) ++ $_get_byte(m, $base(p), $offset(p)));
+
+axiom {:ignore "bvInt"} (forall m:$mem, p:$ptr :: { $ld.i8(m, p) }
+ $ld.i8(m, p) ==
+ $_get_byte(m, $base(p), $add.i8($offset(p), 7bv64)) ++ $_get_byte(m, $base(p), $add.i8($offset(p), 6bv64)) ++
+ $_get_byte(m, $base(p), $add.i8($offset(p), 5bv64)) ++ $_get_byte(m, $base(p), $add.i8($offset(p), 4bv64)) ++
+ $_get_byte(m, $base(p), $add.i8($offset(p), 3bv64)) ++ $_get_byte(m, $base(p), $add.i8($offset(p), 2bv64)) ++
+ $_get_byte(m, $base(p), $add.i8($offset(p), 1bv64)) ++ $_get_byte(m, $base(p), $offset(p)));
+
+axiom {:ignore "bvInt"} (forall m:$mem, p:$ptr :: { $ld.u2(m, p) }
+ $ld.u2(m, p) == 0bv16 ++ $_get_byte(m, $base(p), $add.i8($offset(p), 1bv64)) ++ $_get_byte(m, $base(p), $offset(p)));
+
+axiom {:ignore "bvInt"} (forall m:$mem, p:$ptr :: { $ld.u1(m, p) }
+ $ld.u1(m, p) == 0bv24 ++ $_get_byte(m, $base(p), $offset(p)));
+
+axiom {:ignore "bvInt"} (forall m:$mem, p:$ptr :: { $ld.i2(m, p) }
+ $ld.i2(m, p) == $conv.i4.to.i2($ld.u2(m, p)));
+
+axiom {:ignore "bvInt"} (forall m:$mem, p:$ptr :: { $ld.i1(m, p) }
+ $ld.i1(m, p) == $conv.i4.to.i1($ld.u1(m, p)));
+
+axiom {:ignore "bvInt"} (forall m:$mem, p:$ptr, v:bv32 :: { $st.i1(m, p, v) }
+ $st.i1(m, p, v) == $_set_byte(m, $base(p), $offset(p), v[8:0]));
+
+axiom {:ignore "bvInt"} (forall m:$mem, p:$ptr, v:bv32 :: { $st.i2(m, p, v) }
+ $st.i2(m, p, v) ==
+ $_set_byte($_set_byte(m, $base(p), $offset(p), v[8:0]), $base(p), $add.i8($offset(p), 1bv64), v[16:8]));
+
+axiom {:ignore "bvInt"} (forall m:$mem, p:$ptr, v:bv32 :: { $st.i4(m, p, v) }
+ $st.i4(m, p, v) ==
+ $_set_byte(
+ $_set_byte(
+ $_set_byte(
+ $_set_byte(m,
+ $base(p), $offset(p), v[8:0]),
+ $base(p), $add.i8($offset(p), 1bv64), v[16:8]),
+ $base(p), $add.i8($offset(p), 2bv64), v[24:16]),
+ $base(p), $add.i8($offset(p), 3bv64), v[32:24]));
+
+axiom {:ignore "bvInt"} (forall m:$mem, p:$ptr, v:bv64 :: { $st.i8(m, p, v) }
+ $st.i8(m, p, v) ==
+ $_set_byte(
+ $_set_byte(
+ $_set_byte(
+ $_set_byte(
+ $_set_byte(
+ $_set_byte(
+ $_set_byte(
+ $_set_byte(m,
+ $base(p), $offset(p), v[8:0]),
+ $base(p), $add.i8($offset(p), 1bv64), v[16:8]),
+ $base(p), $add.i8($offset(p), 2bv64), v[24:16]),
+ $base(p), $add.i8($offset(p), 3bv64), v[32:24]),
+ $base(p), $add.i8($offset(p), 4bv64), v[40:32]),
+ $base(p), $add.i8($offset(p), 5bv64), v[48:40]),
+ $base(p), $add.i8($offset(p), 6bv64), v[56:48]),
+ $base(p), $add.i8($offset(p), 7bv64), v[64:56]));
+
+
+
+axiom {:ignore "bvInt"} (forall v:bv32 :: { $conv.i4.to.i1(v) } $conv.i4.to.i1(v) == $_sign_extend.8.32(v[8:0]));
+axiom {:ignore "bvInt"} (forall v:bv32 :: { $conv.i4.to.i2(v) } $conv.i4.to.i2(v) == $_sign_extend.16.32(v[16:0]));
+axiom {:ignore "bvInt"} (forall v:bv64 :: { $conv.i8.to.i1(v) } $conv.i8.to.i1(v) == $_sign_extend.8.32(v[8:0]));
+axiom {:ignore "bvInt"} (forall v:bv64 :: { $conv.i8.to.i2(v) } $conv.i8.to.i2(v) == $_sign_extend.16.32(v[16:0]));
+
+axiom {:ignore "bvInt"} (forall v:bv32 :: { $conv.i4.to.i8(v) } $conv.i4.to.i8(v) == $_sign_extend.32.64(v));
+axiom {:ignore "bvInt"} (forall v:bv32 :: { $conv.i4.to.u8(v) } $conv.i4.to.u8(v) == 0bv32 ++ v);
+axiom {:ignore "bvInt"} (forall v:bv64 :: { $conv.i8.to.i4(v) } $conv.i8.to.i4(v) == v[32:0]);
+axiom {:ignore "bvInt"} (forall v:bv32 :: { $conv.i4.to.u1(v) } $conv.i4.to.u1(v) == 0bv24 ++ v[8:0]);
+axiom {:ignore "bvInt"} (forall v:bv32 :: { $conv.i4.to.u2(v) } $conv.i4.to.u2(v) == 0bv16 ++ v[16:0]);
+axiom {:ignore "bvInt"} (forall v:bv64 :: { $conv.i8.to.u1(v) } $conv.i8.to.u1(v) == 0bv24 ++ v[8:0]);
+axiom {:ignore "bvInt"} (forall v:bv64 :: { $conv.i8.to.u2(v) } $conv.i8.to.u2(v) == 0bv16 ++ v[16:0]);
+
+// -----------------------------------------------------------------------
+// BV-->int memory model
+// -----------------------------------------------------------------------
+
+function $_ld.i(m:$mem, p:$ptr, len:int) returns(int);
+function $_st.i(m:$mem, p:$ptr, len:int, v:int) returns($mem);
+function $_shl(x:int, y:int) returns(int);
+function $_shr(x:int, y:int) returns(int);
+function $_or(x:int, y:int) returns(int);
+function $_xor(x:int, y:int) returns(int);
+function $_and(x:int, y:int) returns(int);
+function $_not(x:int) returns(int);
+
+function $_ioffset(p:$ptr) returns(int);
+
+function {:bvint "id"} $_int.to.bv32(v:int) returns(bv32);
+function {:bvint "id"} $_int.to.bv64(v:int) returns(bv64);
+function {:bvint "id"} $_bv32.to.int(v:bv32) returns(int);
+function {:bvint "id"} $_bv64.to.int(v:bv64) returns(int);
+
+axiom {:ignore "bvDefSem"} (forall p:$ptr :: { $_ioffset(p) } $_ioffset(p) == $_bv64.to.int($offset(p)));
+
+axiom {:ignore "bvDefSem"} (forall m:$mem, len:int, v:int, p:$ptr ::
+ $_ld.i($_st.i(m, p, len, v), p, len) == v);
+
+axiom {:ignore "bvDefSem"} (forall m:$mem, l1:int, l2:int, v:int, p1:$ptr, p2:$ptr ::
+ ($base(p1) != $base(p2) || $_ioffset(p1) + l1 <= $_ioffset(p2) || $_ioffset(p2) + l2 <= $_ioffset(p1)) ==>
+ $_ld.i($_st.i(m, p1, l1, v), p2, l2) == $_ld.i(m, p2, l2));
+
+// Arithmetic axioms for int mapping
+axiom {:ignore "bvDefSem"} (forall i: int :: { $_shl(i, 0) } $_shl(i, 0) == i);
+axiom {:ignore "bvDefSem"} (forall i: int, j: int :: { $_shl(i, j) } 1 <= j ==> $_shl(i, j) == $_shl(i, j - 1) * 2);
+axiom {:ignore "bvDefSem"} (forall i: int :: { $_shr(i, 0) } $_shr(i, 0) == i);
+axiom {:ignore "bvDefSem"} (forall i: int, j: int :: { $_shr(i, j) } 1 <= j ==> 2 * $_shr(i, j) <= $_shr(i, j - 1) && $_shr(i, j - 1) <= 2 * $_shr(i, j) + 1);
+
+axiom {:ignore "bvDefSem"} (forall i: int, j: int :: { i / j } i > 0 && j > 0 ==> i - j < (i / j) * j && (i / j) * j <= i);
+
+// from Spec# prelude, needs review
+axiom {:ignore "bvDefSem"} (forall x: int, y: int :: { x % y } { x / y } x % y == x - x / y * y);
+axiom {:ignore "bvDefSem"} (forall x: int, y: int :: { x % y } 0 <= x && 0 < y ==> 0 <= x % y && x % y < y);
+axiom {:ignore "bvDefSem"} (forall x: int, y: int :: { x % y } 0 <= x && y < 0 ==> 0 <= x % y && x % y < 0 - y);
+axiom {:ignore "bvDefSem"} (forall x: int, y: int :: { x % y } x <= 0 && 0 < y ==> 0 - y < x % y && x % y <= 0);
+axiom {:ignore "bvDefSem"} (forall x: int, y: int :: { x % y } x <= 0 && y < 0 ==> y < x % y && x % y <= 0);
+axiom {:ignore "bvDefSem"} (forall x: int, y: int :: { (x + y) % y } 0 <= x && 0 <= y ==> (x + y) % y == x % y);
+axiom {:ignore "bvDefSem"} (forall x: int, y: int :: { (y + x) % y } 0 <= x && 0 <= y ==> (y + x) % y == x % y);
+axiom {:ignore "bvDefSem"} (forall x: int, y: int :: { (x - y) % y } 0 <= x - y && 0 <= y ==> (x - y) % y == x % y);
+axiom {:ignore "bvDefSem"} (forall a: int, b: int, d: int :: { a % d, b % d } 2 <= d && a % d == b % d && a < b ==> a + d <= b);
+axiom {:ignore "bvDefSem"} (forall x: int, y: int :: { $_and(x, y) } 0 <= x || 0 <= y ==> 0 <= $_and(x, y));
+axiom {:ignore "bvDefSem"} (forall x: int, y: int :: { $_or(x, y) } 0 <= x && 0 <= y ==> 0 <= $_or(x, y) && $_or(x, y) <= x + y);
+
+axiom {:ignore "bvDefSem"} (forall x: int :: { $_or(x, $_not(x)) } $_or(x, $_not(x)) == $_not(0));
+axiom {:ignore "bvDefSem"} (forall x: int :: { $_and(x, $_not(x)) } $_and(x, $_not(x)) == 0);
+axiom {:ignore "bvDefSem"} (forall x: int :: { $_or(x, 0) } $_or(x, 0) == x);
+axiom {:ignore "bvDefSem"} (forall x: int :: { $_or(x, $_not(0)) } $_or(x, $_not(0)) == $_not(0));
+axiom {:ignore "bvDefSem"} (forall x: int :: { $_and(x, 0) } $_and(x, 0) == 0);
+axiom {:ignore "bvDefSem"} (forall x: int :: { $_and(x, $_not(0)) } $_and(x, $_not(0)) == x);
+axiom {:ignore "bvDefSem"} (forall x: int :: { $_xor(x, 0) } $_xor(x, 0) == x);
+axiom {:ignore "bvDefSem"} (forall x: int :: { $_xor(x, $_not(0)) } $_xor(x, $_not(0)) == $_not(x));
+axiom {:ignore "bvDefSem"} (forall x: int :: { $_not($_not(x)) } $_not($_not(x)) == x);
+axiom {:ignore "bvDefSem"} (forall x: int, y: int :: { $_or(x, y) } $_or(x, y) == $_or(y, x));
+axiom {:ignore "bvDefSem"} (forall x: int, y: int :: { $_xor(x, y) } $_xor(x, y) == $_xor(y, x));
+axiom {:ignore "bvDefSem"} (forall x: int, y: int :: { $_and(x, y) } $_and(x, y) == $_and(y, x));
+
+axiom {:ignore "bvDefSem"} (forall p:$ptr, m:$mem :: $ld.i1(m, p) == $_int.to.bv32($_ld.i(m, p, 1)));
+axiom {:ignore "bvDefSem"} (forall p:$ptr, m:$mem, v:bv32 :: $st.i1(m, p, v) == $_st.i(m, p, 1, $_bv32.to.int(v)));
+axiom {:ignore "bvDefSem"} (forall p:$ptr, m:$mem :: $ld.u1(m, p) == $_int.to.bv32($_ld.i(m, p, 1)));
+axiom {:ignore "bvDefSem"} (forall p:$ptr, m:$mem :: $ld.i2(m, p) == $_int.to.bv32($_ld.i(m, p, 2)));
+axiom {:ignore "bvDefSem"} (forall p:$ptr, m:$mem, v:bv32 :: $st.i2(m, p, v) == $_st.i(m, p, 2, $_bv32.to.int(v)));
+axiom {:ignore "bvDefSem"} (forall p:$ptr, m:$mem :: $ld.u2(m, p) == $_int.to.bv32($_ld.i(m, p, 2)));
+axiom {:ignore "bvDefSem"} (forall p:$ptr, m:$mem :: $ld.i4(m, p) == $_int.to.bv32($_ld.i(m, p, 4)));
+axiom {:ignore "bvDefSem"} (forall p:$ptr, m:$mem, v:bv32 :: $st.i4(m, p, v) == $_st.i(m, p, 4, $_bv32.to.int(v)));
+axiom {:ignore "bvDefSem"} (forall p:$ptr, m:$mem :: $ld.i8(m, p) == $_int.to.bv64($_ld.i(m, p, 8)));
+axiom {:ignore "bvDefSem"} (forall p:$ptr, m:$mem, v:bv64 :: $st.i8(m, p, v) == $_st.i(m, p, 8, $_bv64.to.int(v)));
+
+
+// -----------------------------------------------------------------------
+// Utilities
+// -----------------------------------------------------------------------
+
+function $ite.i4(cond:bool, then:bv32, else_:bv32) returns(bv32);
+function $ite.i8(cond:bool, then:bv64, else_:bv64) returns(bv64);
+function $ite.ptr(cond:bool, then:$ptr, else_:$ptr) returns($ptr);
+
+/*
+axiom (forall cond:bool, then:bv32, else_:bv32 ::
+ cond ==> $ite.i4(cond, then, else_) == then);
+axiom (forall cond:bool, then:bv32, else_:bv32 ::
+ !cond ==> $ite.i4(cond, then, else_) == else_);
+
+axiom (forall cond:bool, then:bv64, else_:bv64 ::
+ cond ==> $ite.i8(cond, then, else_) == then);
+axiom (forall cond:bool, then:bv64, else_:bv64 ::
+ !cond ==> $ite.i8(cond, then, else_) == else_);
+
+axiom (forall cond:bool, then:$ptr, else_:$ptr ::
+ cond ==> $ite.ptr(cond, then, else_) == then);
+axiom (forall cond:bool, then:$ptr, else_:$ptr ::
+ !cond ==> $ite.ptr(cond, then, else_) == else_);
+*/
+
+// -----------------------------------------------------------------------
+// Conversions
+// -----------------------------------------------------------------------
+
+function {:bvint "id"} $conv.i4.to.i1(v:bv32) returns(bv32);
+function {:bvint "id"} $conv.i4.to.i2(v:bv32) returns(bv32);
+function {:bvint "id"} $conv.i8.to.i1(v:bv64) returns(bv32);
+function {:bvint "id"} $conv.i8.to.i2(v:bv64) returns(bv32);
+function {:bvint "id"} $conv.i4.to.i8(v:bv32) returns(bv64);
+function {:bvint "id"} $conv.i4.to.u8(v:bv32) returns(bv64);
+function {:bvint "id"} $conv.i8.to.i4(v:bv64) returns(bv32);
+function {:bvint "id"} $conv.i4.to.u1(v:bv32) returns(bv32);
+function {:bvint "id"} $conv.i4.to.u2(v:bv32) returns(bv32);
+function {:bvint "id"} $conv.i8.to.u1(v:bv64) returns(bv32);
+function {:bvint "id"} $conv.i8.to.u2(v:bv64) returns(bv32);
+
+function $conv.ptr.to.i8(p:$ptr) returns(bv64);
+function $_conv.base.to.i8(p:ref) returns(bv64);
+function $conv.i8.to.ptr(p:bv64) returns($ptr);
+
+function $conv.bool.to.i4(v:bool) returns(bv32);
+function $conv.i4.to.bool(v:bv32) returns(bool);
+
+// TODO: use patterns here?
+axiom (forall p:$ptr :: $conv.i8.to.ptr($conv.ptr.to.i8(p)) == p);
+axiom (forall p:bv64 :: $conv.ptr.to.i8($conv.i8.to.ptr(p)) == p);
+
+axiom (forall p:$ptr :: $conv.ptr.to.i8(p) == $add.i8($_conv.base.to.i8($base(p)), $offset(p)));
+// TODO what about i4?
+
+axiom ($conv.ptr.to.i8($ldnull) == 0bv64);
+axiom ($conv.i8.to.ptr(0bv64) == $ldnull);
+
+axiom (forall m:$mem, p:$ptr :: { $ld.ptr(m, p) } $ld.ptr(m, p) == $conv.i8.to.ptr($ld.i8(m, p)));
+axiom (forall m:$mem, p:$ptr, v:$ptr :: { $st.ptr(m, p, v) } $st.ptr(m, p, v) == $st.i8(m, p, $conv.ptr.to.i8(v)));
+
+axiom $conv.bool.to.i4(true) == 1bv32;
+axiom $conv.bool.to.i4(false) == 0bv32;
+axiom $conv.i4.to.bool(0bv32) == false;
+axiom (forall v:bv32 :: v != 0bv32 ==> $conv.i4.to.bool(v) == true);
+
+// -----------------------------------------------------------------------
+// Arithetmic
+// -----------------------------------------------------------------------
+
+const $min.u1:bv32;
+axiom $min.u1 == 0bv32;
+const $max.u1:bv32;
+axiom $max.u1 == 255bv32;
+const $min.i1:bv32;
+axiom $min.i1 == $neg.i4(128bv32);
+const $max.i1:bv32;
+axiom $max.i1 == 127bv32;
+
+const $min.u2:bv32;
+axiom $min.u2 == 0bv32;
+const $max.u2:bv32;
+axiom $max.u2 == 65535bv32;
+const $min.i2:bv32;
+axiom $min.i2 == $neg.i4(32768bv32);
+const $max.i2:bv32;
+axiom $max.i2 == 32767bv32;
+
+const $min.u4:bv32;
+axiom $min.u4 == 0bv32;
+const $max.u4:bv32;
+axiom $max.u4 == 4294967295bv32;
+const $min.i4:bv32;
+axiom $min.i4 == $neg.i4(2147483648bv32);
+const $max.i4:bv32;
+axiom $max.i4 == 2147483647bv32;
+
+const $min.u8:bv64;
+axiom $min.u8 == 0bv64;
+const $max.u8:bv64;
+axiom $max.u8 == 18446744073709551615bv64;
+const $min.i8:bv64;
+axiom $min.i8 == $neg.i8(9223372036854775808bv64);
+const $max.i8:bv64;
+axiom $max.i8 == 9223372036854775807bv64;
+
+function {:bvbuiltin "bvadd"} {:bvint "+"} $add.i4(x:bv32, y:bv32) returns(bv32);
+function $check.add.i4(x:bv32, y:bv32) returns(bool);
+function $check.add.u4(x:bv32, y:bv32) returns(bool);
+function {:bvbuiltin "bvadd"} {:bvint "+"} $add.i8(x:bv64, y:bv64) returns(bv64);
+function $check.add.i8(x:bv64, y:bv64) returns(bool);
+function $check.add.u8(x:bv64, y:bv64) returns(bool);
+function {:bvbuiltin "bvsub"} {:bvint "-"} $sub.i4(x:bv32, y:bv32) returns(bv32);
+function $check.sub.i4(x:bv32, y:bv32) returns(bool);
+function $check.sub.u4(x:bv32, y:bv32) returns(bool);
+function {:bvbuiltin "bvsub"} {:bvint "-"} $sub.i8(x:bv64, y:bv64) returns(bv64);
+function $check.sub.i8(x:bv64, y:bv64) returns(bool);
+function $check.sub.u8(x:bv64, y:bv64) returns(bool);
+function {:bvbuiltin "bvmul"} {:bvint "*"} $mul.i4(x:bv32, y:bv32) returns(bv32);
+function $check.mul.i4(x:bv32, y:bv32) returns(bool);
+function $check.mul.u4(x:bv32, y:bv32) returns(bool);
+function {:bvbuiltin "bvmul"} {:bvint "*"} $mul.i8(x:bv64, y:bv64) returns(bv64);
+function $check.mul.i8(x:bv64, y:bv64) returns(bool);
+function $check.mul.u8(x:bv64, y:bv64) returns(bool);
+function {:bvbuiltin "bvand"} {:bvint "$_and"} $and.i4(x:bv32, y:bv32) returns(bv32);
+function {:bvbuiltin "bvand"} {:bvint "$_and"} $and.i8(x:bv64, y:bv64) returns(bv64);
+function {:bvbuiltin "bvor"} {:bvint "$_or"} $or.i4(x:bv32, y:bv32) returns(bv32);
+function {:bvbuiltin "bvor"} {:bvint "$_or"} $or.i8(x:bv64, y:bv64) returns(bv64);
+function {:bvbuiltin "bvxor"} {:bvint "$_xor"} $xor.i4(x:bv32, y:bv32) returns(bv32);
+function {:bvbuiltin "bvxor"} {:bvint "$_xor"} $xor.i8(x:bv64, y:bv64) returns(bv64);
+function {:bvbuiltin "bvshl"} {:bvint "$_shl"} $shl.i4(x:bv32, y:bv32) returns(bv32);
+function {:bvbuiltin "bvshl"} {:bvint "$_shl"} $shl.i8(x:bv64, y:bv64) returns(bv64);
+function {:bvbuiltin "bvsdiv"} {:bvint "/"} $div.i4(x:bv32, y:bv32) returns(bv32);
+function {:bvbuiltin "bvudiv"} {:bvint "/"} $div.u4(x:bv32, y:bv32) returns(bv32);
+function $check.div.i4(x:bv32, y:bv32) returns(bool);
+function {:bvbuiltin "bvsdiv"} {:bvint "/"} $div.i8(x:bv64, y:bv64) returns(bv64);
+function {:bvbuiltin "bvudiv"} {:bvint "/"} $div.u8(x:bv64, y:bv64) returns(bv64);
+function $check.div.i8(x:bv64, y:bv64) returns(bool);
+function {:bvbuiltin "bvsrem"} {:bvint "%"} $rem.i4(x:bv32, y:bv32) returns(bv32);
+function {:bvbuiltin "bvurem"} {:bvint "%"} $rem.u4(x:bv32, y:bv32) returns(bv32);
+function $check.rem.i4(x:bv32, y:bv32) returns(bool);
+function {:bvbuiltin "bvsrem"} {:bvint "%"} $rem.i8(x:bv64, y:bv64) returns(bv64);
+function {:bvbuiltin "bvurem"} {:bvint "%"} $rem.u8(x:bv64, y:bv64) returns(bv64);
+function $check.rem.i8(x:bv64, y:bv64) returns(bool);
+function {:bvbuiltin "bvashr"} {:bvint "$_shr"} $shr.i4(x:bv32, y:bv32) returns(bv32);
+function {:bvbuiltin "bvlshr"} {:bvint "$_shr"} $shr.u4(x:bv32, y:bv32) returns(bv32);
+function {:bvbuiltin "bvashr"} {:bvint "$_shr"} $shr.i8(x:bv64, y:bv64) returns(bv64);
+function {:bvbuiltin "bvlshr"} {:bvint "$_shr"} $shr.u8(x:bv64, y:bv64) returns(bv64);
+function {:bvbuiltin "bvneg"} {:bvint "- 0"} $neg.i4(x:bv32) returns(bv32);
+function {:bvbuiltin "bvneg"} {:bvint "- 0"} $neg.i8(x:bv64) returns(bv64);
+function {:bvbuiltin "bvnot"} {:bvint "$_not"} $not.i4(x:bv32) returns(bv32);
+function {:bvbuiltin "bvnot"} {:bvint "$_not"} $not.i8(x:bv64) returns(bv64);
+function {:bvbuiltin "bvsgt"} {:bvint ">"} $cgt.i4(x:bv32, y:bv32) returns(bool);
+function {:bvbuiltin "bvugt"} {:bvint ">"} $cgt.u4(x:bv32, y:bv32) returns(bool);
+function {:bvbuiltin "bvsgt"} {:bvint ">"} $cgt.i8(x:bv64, y:bv64) returns(bool);
+function {:bvbuiltin "bvugt"} {:bvint ">"} $cgt.u8(x:bv64, y:bv64) returns(bool);
+function {:bvbuiltin "bvslt"} {:bvint "<"} $clt.i4(x:bv32, y:bv32) returns(bool);
+function {:bvbuiltin "bvult"} {:bvint "<"} $clt.u4(x:bv32, y:bv32) returns(bool);
+function {:bvbuiltin "bvslt"} {:bvint "<"} $clt.i8(x:bv64, y:bv64) returns(bool);
+function {:bvbuiltin "bvult"} {:bvint "<"} $clt.u8(x:bv64, y:bv64) returns(bool);
+function {:bvbuiltin "bvsge"} {:bvint ">="} $cge.i4(x:bv32, y:bv32) returns(bool);
+function {:bvbuiltin "bvuge"} {:bvint ">="} $cge.u4(x:bv32, y:bv32) returns(bool);
+function {:bvbuiltin "bvsge"} {:bvint ">="} $cge.i8(x:bv64, y:bv64) returns(bool);
+function {:bvbuiltin "bvuge"} {:bvint ">="} $cge.u8(x:bv64, y:bv64) returns(bool);
+function {:bvbuiltin "bvsle"} {:bvint "<="} $cle.i4(x:bv32, y:bv32) returns(bool);
+function {:bvbuiltin "bvule"} {:bvint "<="} $cle.u4(x:bv32, y:bv32) returns(bool);
+function {:bvbuiltin "bvsle"} {:bvint "<="} $cle.i8(x:bv64, y:bv64) returns(bool);
+function {:bvbuiltin "bvule"} {:bvint "<="} $cle.u8(x:bv64, y:bv64) returns(bool);
+
+function $_inrange.i1(bv32) returns(bool);
+axiom {:ignore "bvDefSem"} (forall x:bv32 :: { $_inrange.i1(x) } $_inrange.i1(x) <==> $cle.i4($min.i1, x) && $cle.i4(x, $max.i1));
+
+function $_inrange.u1(bv32) returns(bool);
+axiom {:ignore "bvDefSem"} (forall x:bv32 :: { $_inrange.u1(x) } $_inrange.u1(x) <==> $cle.u4($min.u1, x) && $cle.u4(x, $max.u1));
+
+function $_inrange.i2(bv32) returns(bool);
+axiom {:ignore "bvDefSem"} (forall x:bv32 :: { $_inrange.i2(x) } $_inrange.i2(x) <==> $cle.i4($min.i2, x) && $cle.i4(x, $max.i2));
+
+function $_inrange.u2(bv32) returns(bool);
+axiom {:ignore "bvDefSem"} (forall x:bv32 :: { $_inrange.u2(x) } $_inrange.u2(x) <==> $cle.u4($min.u2, x) && $cle.u4(x, $max.u2));
+
+function $_inrange.i4(bv32) returns(bool);
+axiom {:ignore "bvDefSem"} (forall x:bv32 :: { $_inrange.i4(x) } $_inrange.i4(x) <==> $cle.i4($min.i4, x) && $cle.i4(x, $max.i4));
+
+function $_inrange.u4(bv32) returns(bool);
+axiom {:ignore "bvDefSem"} (forall x:bv32 :: { $_inrange.u4(x) } $_inrange.u4(x) <==> $cle.u4($min.u4, x) && $cle.u4(x, $max.u4));
+
+function $_inrange.i8(bv64) returns(bool);
+axiom {:ignore "bvDefSem"} (forall x:bv64 :: { $_inrange.i8(x) } $_inrange.i8(x) <==> $cle.i8($min.i8, x) && $cle.i8(x, $max.i8));
+
+function $_inrange.u8(bv64) returns(bool);
+axiom {:ignore "bvDefSem"} (forall x:bv64 :: { $_inrange.u8(x) } $_inrange.u8(x) <==> $cle.u8($min.u8, x) && $cle.u8(x, $max.u8));
+axiom {:ignore "bvDefSem"} (forall x:bv32, y:bv32 :: { $check.add.i4(x, y) } $check.add.i4(x, y) <==> $_inrange.i4($add.i4(x, y)));
+axiom {:ignore "bvDefSem"} (forall x:bv32, y:bv32 :: { $check.add.u4(x, y) } $check.add.u4(x, y) <==> $_inrange.u4($add.i4(x, y)));
+axiom {:ignore "bvDefSem"} (forall x:bv64, y:bv64 :: { $check.add.i8(x, y) } $check.add.i8(x, y) <==> $_inrange.i8($add.i8(x, y)));
+axiom {:ignore "bvDefSem"} (forall x:bv64, y:bv64 :: { $check.add.u8(x, y) } $check.add.u8(x, y) <==> $_inrange.u8($add.i8(x, y)));
+axiom {:ignore "bvDefSem"} (forall x:bv32, y:bv32 :: { $check.sub.i4(x, y) } $check.sub.i4(x, y) <==> $_inrange.i4($sub.i4(x, y)));
+axiom {:ignore "bvDefSem"} (forall x:bv32, y:bv32 :: { $check.sub.u4(x, y) } $check.sub.u4(x, y) <==> $_inrange.u4($sub.i4(x, y)));
+axiom {:ignore "bvDefSem"} (forall x:bv64, y:bv64 :: { $check.sub.i8(x, y) } $check.sub.i8(x, y) <==> $_inrange.i8($sub.i8(x, y)));
+axiom {:ignore "bvDefSem"} (forall x:bv64, y:bv64 :: { $check.sub.u8(x, y) } $check.sub.u8(x, y) <==> $_inrange.u8($sub.i8(x, y)));
+axiom {:ignore "bvDefSem"} (forall x:bv32, y:bv32 :: { $check.mul.i4(x, y) } $check.mul.i4(x, y) <==> $_inrange.i4($mul.i4(x, y)));
+axiom {:ignore "bvDefSem"} (forall x:bv32, y:bv32 :: { $check.mul.u4(x, y) } $check.mul.u4(x, y) <==> $_inrange.u4($mul.i4(x, y)));
+axiom {:ignore "bvDefSem"} (forall x:bv64, y:bv64 :: { $check.mul.i8(x, y) } $check.mul.i8(x, y) <==> $_inrange.i8($mul.i8(x, y)));
+axiom {:ignore "bvDefSem"} (forall x:bv64, y:bv64 :: { $check.mul.u8(x, y) } $check.mul.u8(x, y) <==> $_inrange.u8($mul.i8(x, y)));
+
+function $check.conv.i4.to.i1(bv32) returns(bool);
+axiom (forall x:bv32 :: { $check.conv.i4.to.i1(x) }
+ $check.conv.i4.to.i1(x) <==> $cle.i4(($min.i1), x) && $cle.i4(x, ($max.i1)));
+
+function $check.conv.i4.to.u1(bv32) returns(bool);
+axiom (forall x:bv32 :: { $check.conv.i4.to.u1(x) }
+ $check.conv.i4.to.u1(x) <==> $cle.i4(($min.u1), x) && $cle.i4(x, ($max.u1)));
+
+function $check.conv.i4.to.i2(bv32) returns(bool);
+axiom (forall x:bv32 :: { $check.conv.i4.to.i2(x) }
+ $check.conv.i4.to.i2(x) <==> $cle.i4(($min.i2), x) && $cle.i4(x, ($max.i2)));
+
+function $check.conv.i4.to.u2(bv32) returns(bool);
+axiom (forall x:bv32 :: { $check.conv.i4.to.u2(x) }
+ $check.conv.i4.to.u2(x) <==> $cle.i4(($min.u2), x) && $cle.i4(x, ($max.u2)));
+
+function $check.conv.i4.to.u4(bv32) returns(bool);
+axiom (forall x:bv32 :: { $check.conv.i4.to.u4(x) }
+ $check.conv.i4.to.u4(x) <==> $cle.i4(0bv32, x));
+
+function $check.conv.i4.to.u8(bv32) returns(bool);
+axiom (forall x:bv32 :: { $check.conv.i4.to.u8(x) }
+ $check.conv.i4.to.u8(x) <==> $cle.i4(0bv32, x));
+
+function $check.conv.u4.to.i1(bv32) returns(bool);
+axiom (forall x:bv32 :: { $check.conv.u4.to.i1(x) }
+ $check.conv.u4.to.i1(x) <==> $cle.u4(x, ($max.i1)));
+
+function $check.conv.u4.to.u1(bv32) returns(bool);
+axiom (forall x:bv32 :: { $check.conv.u4.to.u1(x) }
+ $check.conv.u4.to.u1(x) <==> $cle.u4(x, ($max.u1)));
+
+function $check.conv.u4.to.i2(bv32) returns(bool);
+axiom (forall x:bv32 :: { $check.conv.u4.to.i2(x) }
+ $check.conv.u4.to.i2(x) <==> $cle.u4(x, ($max.i2)));
+
+function $check.conv.u4.to.u2(bv32) returns(bool);
+axiom (forall x:bv32 :: { $check.conv.u4.to.u2(x) }
+ $check.conv.u4.to.u2(x) <==> $cle.u4(x, ($max.u2)));
+
+function $check.conv.u4.to.i4(bv32) returns(bool);
+axiom (forall x:bv32 :: { $check.conv.u4.to.i4(x) }
+ $check.conv.u4.to.i4(x) <==> $cle.u4(x, ($max.i4)));
+
+function $check.conv.i8.to.i1(bv64) returns(bool);
+axiom (forall x:bv64 :: { $check.conv.i8.to.i1(x) }
+ $check.conv.i8.to.i1(x) <==> $cle.i8($conv.i4.to.i8($min.i1), x) && $cle.i8(x, $conv.i4.to.i8($max.i1)));
+
+function $check.conv.i8.to.u1(bv64) returns(bool);
+axiom (forall x:bv64 :: { $check.conv.i8.to.u1(x) }
+ $check.conv.i8.to.u1(x) <==> $cle.i8($conv.i4.to.u8($min.u1), x) && $cle.i8(x, $conv.i4.to.u8($max.u1)));
+
+function $check.conv.i8.to.i2(bv64) returns(bool);
+axiom (forall x:bv64 :: { $check.conv.i8.to.i2(x) }
+ $check.conv.i8.to.i2(x) <==> $cle.i8($conv.i4.to.i8($min.i2), x) && $cle.i8(x, $conv.i4.to.i8($max.i2)));
+
+function $check.conv.i8.to.u2(bv64) returns(bool);
+axiom (forall x:bv64 :: { $check.conv.i8.to.u2(x) }
+ $check.conv.i8.to.u2(x) <==> $cle.i8($conv.i4.to.u8($min.u2), x) && $cle.i8(x, $conv.i4.to.u8($max.u2)));
+
+function $check.conv.i8.to.i4(bv64) returns(bool);
+axiom (forall x:bv64 :: { $check.conv.i8.to.i4(x) }
+ $check.conv.i8.to.i4(x) <==> $cle.i8($conv.i4.to.i8($min.i4), x) && $cle.i8(x, $conv.i4.to.i8($max.i4)));
+
+function $check.conv.i8.to.u4(bv64) returns(bool);
+axiom (forall x:bv64 :: { $check.conv.i8.to.u4(x) }
+ $check.conv.i8.to.u4(x) <==> $cle.i8($conv.i4.to.u8($min.u4), x) && $cle.i8(x, $conv.i4.to.u8($max.u4)));
+
+function $check.conv.i8.to.u8(bv64) returns(bool);
+axiom (forall x:bv64 :: { $check.conv.i8.to.u8(x) }
+ $check.conv.i8.to.u8(x) <==> $cle.i8(0bv64, x));
+
+function $check.conv.u8.to.i1(bv64) returns(bool);
+axiom (forall x:bv64 :: { $check.conv.u8.to.i1(x) }
+ $check.conv.u8.to.i1(x) <==> $cle.u8(x, $conv.i4.to.i8($max.i1)));
+
+function $check.conv.u8.to.u1(bv64) returns(bool);
+axiom (forall x:bv64 :: { $check.conv.u8.to.u1(x) }
+ $check.conv.u8.to.u1(x) <==> $cle.u8(x, $conv.i4.to.u8($max.u1)));
+
+function $check.conv.u8.to.i2(bv64) returns(bool);
+axiom (forall x:bv64 :: { $check.conv.u8.to.i2(x) }
+ $check.conv.u8.to.i2(x) <==> $cle.u8(x, $conv.i4.to.i8($max.i2)));
+
+function $check.conv.u8.to.u2(bv64) returns(bool);
+axiom (forall x:bv64 :: { $check.conv.u8.to.u2(x) }
+ $check.conv.u8.to.u2(x) <==> $cle.u8(x, $conv.i4.to.u8($max.u2)));
+
+function $check.conv.u8.to.i4(bv64) returns(bool);
+axiom (forall x:bv64 :: { $check.conv.u8.to.i4(x) }
+ $check.conv.u8.to.i4(x) <==> $cle.u8(x, $conv.i4.to.i8($max.i4)));
+
+function $check.conv.u8.to.u4(bv64) returns(bool);
+axiom (forall x:bv64 :: { $check.conv.u8.to.u4(x) }
+ $check.conv.u8.to.u4(x) <==> $cle.u8(x, $conv.i4.to.u8($max.u4)));
+
+function $check.conv.u8.to.i8(bv64) returns(bool);
+axiom (forall x:bv64 :: { $check.conv.u8.to.i8(x) }
+ $check.conv.u8.to.i8(x) <==> $cle.u8(x, ($max.i8)));
+
+axiom (forall x:bv32, y:bv32 :: { $check.div.i4(x, y) } $check.div.i4(x, y) <==> ! (x == $min.i4 && y == $neg.i4(1bv32)));
+axiom (forall x:bv32, y:bv32 :: { $check.rem.i4(x, y) } $check.rem.i4(x, y) <==> ! (x == $min.i4 && y == $neg.i4(1bv32)));
+
+axiom (forall x:bv64, y:bv64 :: { $check.div.i8(x, y) } $check.div.i8(x, y) <==> ! (x == $min.i8 && y == $neg.i8(1bv64)));
+axiom (forall x:bv64, y:bv64 :: { $check.rem.i8(x, y) } $check.rem.i8(x, y) <==> ! (x == $min.i8 && y == $neg.i8(1bv64)));
+
+
+// -----------------------------------------------------------------------
+// malloc/free
+// -----------------------------------------------------------------------
+
+var $mem : $mem;
+var $gmem : [$ptr,<x>name]x;
+
+const unique $_size : <bv64>name;
+
+function $valid(m:[$ptr,<x>name]x, p:$ptr, l:bv64) returns(bool);
+// we cannot use array, as boogie/z3 does not support bv arrays
+function $size(m:[$ptr,<x>name]x, p:ref) returns(bv64);
+function $allocated(m:[$ptr,<x>name]x, p:$ptr) returns(bool);
+function $is_fresh(oldalloc:[$ptr,<x>name]x, newalloc:[$ptr,<x>name]x, p:$ptr) returns(bool);
+function $same_region(mdst:$mem, dst:$ptr, msrc:$mem, src:$ptr, len:bv64) returns(bool);
+function $always_allocated(p:$ptr, sz:bv64) returns(bool);
+
+// For writes(set) the postcondition is:
+// ensures $only_region_changed_or_new(set, old($gmem), old($mem), $mem);
+//
+// For reads(set) the postcondition is:
+// ensures $contains(##readsSet, set);
+//
+// For frees(p1;p2;...) the postcondition is:
+// ensures (forall r:ref :: { $size($gmem, r) }
+// $size($gmem, r) == $size(old($gmem), r) ||
+// $size(old($gmem), r) == 0bv64 ||
+// (r == $base(p1) && $offset(p1) == 0bv64) ||
+// (r == $base(p2) && $offset(p2) == 0bv64) ||
+// ...);
+//
+// The sets are constructed using $region, $union, $empty and $universe.
+
+axiom (forall alloc:[$ptr,<x>name]x, p:$ptr, len:bv64 ::
+ { $valid(alloc, p, len) }
+ $valid(alloc, p, len) <==>
+ p != $ldnull &&
+ $cgt.u8(len, 0bv64) && $cge.u8($offset(p), 0bv64) && // for int model
+ $cgt.u8($add.i8($offset(p), len), $offset(p)) &&
+ $cle.u8($add.i8($offset(p), len), $size(alloc, $base(p))));
+
+axiom (forall oldalloc:[$ptr,<x>name]x, newalloc:[$ptr,<x>name]x, p:$ptr :: { $is_fresh(oldalloc, newalloc, p) }
+ $is_fresh(oldalloc, newalloc, p) <==>
+ !$allocated(oldalloc, p) && $allocated(newalloc, p));
+
+axiom (forall m:[$ptr,<x>name]x, p:ref :: { $size(m, p) }
+ $size(m, p) == m[$_ptr(p, 0bv64), $_size]);
+
+axiom (forall m:[$ptr,<x>name]x, p:$ptr :: { $allocated(m, p) }
+ $allocated(m, p) <==> $size(m, $base(p)) != 0bv64);
+
+// this one is here to help discharge false aliasing accustions between globals
+// and freshly allocated memory
+axiom (forall g:$ptr, sz:bv64 :: { $always_allocated(g, sz) }
+ $always_allocated(g, sz) <==>
+ (forall a:[$ptr,<x>name]x :: $allocated(a, g)) &&
+ (forall a:[$ptr,<x>name]x :: $size(a, $base(g)) == sz));
+
+procedure $malloc(size:bv64) returns (p:$ptr);
+ modifies $gmem;
+ ensures p != $ldnull ==>
+ $base(p) != null &&
+ $size(old($gmem), $base(p)) == 0bv64 &&
+ $size($gmem, $base(p)) == size &&
+ $offset(p) == 0bv64 &&
+ (forall r:ref :: { $size($gmem, r) }
+ r != $base(p) ==> $size(old($gmem), r) == $size($gmem, r));
+ ensures p == $ldnull ==>
+ old($gmem) == $gmem;
+
+procedure $free(p:$ptr);
+ modifies $gmem;
+ requires p == $ldnull || $size($gmem, $base(p)) != 0bv64;
+ ensures
+ p != $ldnull ==>
+ $size($gmem, $base(p)) == 0bv64 &&
+ (forall r:ref :: { $size($gmem, r) }
+ r != $base(p) ==> $size(old($gmem), r) == $size($gmem, r));
+ ensures
+ p == $ldnull ==>
+ old($gmem) == $gmem;
+
+axiom (forall mdst:$mem, dst:$ptr, msrc:$mem, src:$ptr, len:bv64 ::
+ { $same_region(mdst, dst, msrc, src, len) }
+ $same_region(mdst, dst, msrc, src, len) <==>
+ (forall p:$ptr :: { $ld.i1(mdst, p) }
+ $contains($region(p, 1bv64), $region(dst, len)) ==> $ld.i1(mdst, p) == $ld.i1(msrc, $add.ptr(src, $sub.ptr(p, dst), 1bv64))) &&
+ (forall p:$ptr :: { $ld.u1(mdst, p) }
+ $contains($region(p, 1bv64), $region(dst, len)) ==> $ld.u1(mdst, p) == $ld.u1(msrc, $add.ptr(src, $sub.ptr(p, dst), 1bv64))) &&
+ (forall p:$ptr :: { $ld.i2(mdst, p) }
+ $contains($region(p, 2bv64), $region(dst, len)) ==> $ld.i2(mdst, p) == $ld.i2(msrc, $add.ptr(src, $sub.ptr(p, dst), 1bv64))) &&
+ (forall p:$ptr :: { $ld.u2(mdst, p) }
+ $contains($region(p, 2bv64), $region(dst, len)) ==> $ld.u2(mdst, p) == $ld.u2(msrc, $add.ptr(src, $sub.ptr(p, dst), 1bv64))) &&
+ (forall p:$ptr :: { $ld.i4(mdst, p) }
+ $contains($region(p, 4bv64), $region(dst, len)) ==> $ld.i4(mdst, p) == $ld.i4(msrc, $add.ptr(src, $sub.ptr(p, dst), 1bv64))) &&
+ (forall p:$ptr :: { $ld.i8(mdst, p) }
+ $contains($region(p, 8bv64), $region(dst, len)) ==> $ld.i8(mdst, p) == $ld.i8(msrc, $add.ptr(src, $sub.ptr(p, dst), 1bv64))) &&
+ (forall p:$ptr :: { $ld.ptr(mdst, p) }
+ $contains($region(p, 8bv64), $region(dst, len)) ==> $ld.ptr(mdst, p) == $ld.ptr(msrc, $add.ptr(src, $sub.ptr(p, dst), 1bv64))));
+
+
+procedure $memmove(dest: $ptr, src: $ptr, noOfBytes: bv64);
+ modifies $mem;
+ requires $valid($gmem, dest, noOfBytes) && $valid($gmem, src, noOfBytes);
+ ensures $same_region($mem, dest, old($mem), src, noOfBytes);
+ ensures $only_region_changed($region(dest, noOfBytes), old($mem), $mem);
+
+procedure $memcpy(dest: $ptr, src: $ptr, noOfBytes: bv64);
+ modifies $mem;
+ requires !$overlaps($region(dest, noOfBytes), $region(src, noOfBytes));
+ requires $valid($gmem, dest, noOfBytes) && $valid($gmem, src, noOfBytes);
+ ensures $same_region($mem, dest, old($mem), src, noOfBytes);
+ ensures $only_region_changed($region(dest, noOfBytes), old($mem), $mem);
+
+// -----------------------------------------------------------------------
+// Writes clause handling
+// -----------------------------------------------------------------------
+
+// region is a set of memory locations
+type $region;
+
+function $region(p:$ptr, len:bv64) returns($region);
+function $overlaps(r1:$region, r2:$region) returns(bool);
+// check if big contains small
+function $contains(small:$region, big:$region) returns(bool);
+function $only_region_changed(r:$region, oldmem:$mem, newmem:$mem) returns(bool);
+function $only_region_changed_or_new(r:$region, oldalloc:[$ptr,<x>name]x, oldmem:$mem, newmem:$mem) returns(bool);
+function $nothing_in_region_changed(r:$region, oldmem:$mem, newmem:$mem) returns(bool);
+function $alloc_grows(oldalloc:[$ptr,<x>name]x, newalloc:[$ptr,<x>name]x) returns(bool);
+
+function $union(r1:$region, r2:$region) returns($region);
+function $empty() returns($region);
+function $universe() returns($region);
+
+// NOTE $empty() is very different from $region(whatever, 0), for example $region(whatever, 0) is not contained in $empty()
+
+axiom (forall r:$region :: !$overlaps($empty(), r));
+axiom (forall r:$region :: !$overlaps(r, $empty()));
+axiom (forall r:$region :: r != $empty() ==> $overlaps($universe(), r));
+axiom (forall r:$region :: r != $empty() ==> $overlaps(r, $universe()));
+axiom (forall r:$region :: $contains($empty(), r));
+axiom (forall r:$region :: $contains(r, $empty()) ==> r == $empty());
+axiom (forall r:$region :: $contains($universe(), r) ==> r == $universe());
+axiom (forall r:$region :: $contains(r, $universe()));
+
+// the triggers should do the structural induction
+axiom (forall ptr1:$ptr, len1:bv64, ptr2:$ptr, len2:bv64 ::
+ { $overlaps($region(ptr1, len1), $region(ptr2, len2)) }
+ $overlaps($region(ptr1, len1), $region(ptr2, len2)) <==>
+ $base(ptr1) == $base(ptr2) &&
+ ((
+ $cle.u8($offset(ptr1), $add.i8($offset(ptr1), len1)) &&
+ $cle.u8($offset(ptr1), $offset(ptr2)) &&
+ $clt.u8($offset(ptr2), $add.i8($offset(ptr1), len1))
+ ) || (
+ $cle.u8($offset(ptr2), $add.i8($offset(ptr2), len2)) &&
+ $cle.u8($offset(ptr2), $offset(ptr1)) &&
+ $clt.u8($offset(ptr1), $add.i8($offset(ptr2), len2))
+ ) ||
+ (
+ $cgt.u8($offset(ptr1), $add.i8($offset(ptr1), len1)) &&
+ ( $cle.u8($offset(ptr2), $add.i8($offset(ptr1), len1)) ||
+ $cge.u8($add.i8($offset(ptr2), len2), $offset(ptr1))
+ ))
+ ||
+ (
+ $cgt.u8($offset(ptr2), $add.i8($offset(ptr2), len2)) &&
+ ( $cle.u8($offset(ptr1), $add.i8($offset(ptr2), len2)) ||
+ $cge.u8($add.i8($offset(ptr1), len1), $offset(ptr2))
+ ))
+ ));
+
+axiom (forall r1:$region, r2:$region, r3:$region ::
+ { $overlaps($union(r1, r2), r3) }
+ $overlaps($union(r1, r2), r3) <==> $overlaps(r1, r3) || $overlaps(r2, r3));
+
+axiom (forall r1:$region, r2:$region, r3:$region ::
+ { $overlaps(r3, $union(r1, r2)) }
+ $overlaps(r3, $union(r1, r2)) <==> $overlaps(r3, r1) || $overlaps(r3, r2));
+
+axiom (forall big:$ptr, bigl:bv64, small:$ptr, smalll:bv64 ::
+ { $contains($region(small, smalll), $region(big, bigl)) }
+ $contains($region(small, smalll), $region(big, bigl)) <==>
+ $base(big) == $base(small) &&
+ $cle.u8($offset(big), $offset(small)) &&
+ $cle.u8($offset(small), $_end(big, bigl)) &&
+ $cle.u8($offset(big), $_end(small, smalll)) &&
+ $cle.u8($_end(small, smalll), $_end(big, bigl)));
+
+axiom (forall r1:$region, r2:$region, r3:$region ::
+ { $contains(r1, $union(r2, r3)) }
+ $contains(r1, $union(r2, r3)) <==> $contains(r1, r2) || $contains(r1, r3));
+
+axiom (forall r1:$region, r2:$region, r3:$region ::
+ { $contains($union(r1, r2), r3) }
+ $contains($union(r1, r2), r3) <==> $contains(r1, r3) && $contains(r2, r3));
+
+axiom (forall r:$region, oldmem:$mem, newmem:$mem ::
+ { $only_region_changed(r, oldmem, newmem) }
+ $only_region_changed(r, oldmem, newmem) <==>
+
+ (forall p:$ptr :: { $ld.i1(oldmem, p) } { $ld.i1(newmem, p) } // TODO maybe we want only newmem?
+ $overlaps($region(p, 1bv64), r) || $ld.i1(oldmem, p) == $ld.i1(newmem, p)) &&
+ (forall p:$ptr :: { $ld.u1(oldmem, p) } { $ld.u1(newmem, p) } // TODO maybe we want only newmem?
+ $overlaps($region(p, 1bv64), r) || $ld.u1(oldmem, p) == $ld.u1(newmem, p)) &&
+ (forall p:$ptr :: { $ld.i2(oldmem, p) } { $ld.i2(newmem, p) } // TODO maybe we want only newmem?
+ $overlaps($region(p, 2bv64), r) || $ld.i2(oldmem, p) == $ld.i2(newmem, p)) &&
+ (forall p:$ptr :: { $ld.u2(oldmem, p) } { $ld.u2(newmem, p) } // TODO maybe we want only newmem?
+ $overlaps($region(p, 2bv64), r) || $ld.u2(oldmem, p) == $ld.u2(newmem, p)) &&
+ (forall p:$ptr :: { $ld.i4(oldmem, p) } { $ld.i4(newmem, p) } // TODO maybe we want only newmem?
+ $overlaps($region(p, 4bv64), r) || $ld.i4(oldmem, p) == $ld.i4(newmem, p)) &&
+ (forall p:$ptr :: { $ld.i8(oldmem, p) } { $ld.i8(newmem, p) } // TODO maybe we want only newmem?
+ $overlaps($region(p, 8bv64), r) || $ld.i8(oldmem, p) == $ld.i8(newmem, p)) &&
+ (forall p:$ptr :: { $ld.ptr(oldmem, p) } { $ld.ptr(newmem, p) } // TODO maybe we want only newmem?
+ $overlaps($region(p, 8bv64), r) || $ld.ptr(oldmem, p) == $ld.ptr(newmem, p)));
+
+
+axiom (forall r:$region, oldalloc:[$ptr,<x>name]x, oldmem:$mem, newmem:$mem ::
+ { $only_region_changed_or_new(r, oldalloc, oldmem, newmem) }
+ $only_region_changed_or_new(r, oldalloc, oldmem, newmem) <==>
+
+ (forall p:$ptr :: { $ld.i1(oldmem, p) } { $ld.i1(newmem, p) } // TODO maybe we want only newmem?
+ !$allocated(oldalloc, p) || $overlaps($region(p, 1bv64), r) || $ld.i1(oldmem, p) == $ld.i1(newmem, p)) &&
+ (forall p:$ptr :: { $ld.u1(oldmem, p) } { $ld.u1(newmem, p) } // TODO maybe we want only newmem?
+ !$allocated(oldalloc, p) || $overlaps($region(p, 1bv64), r) || $ld.u1(oldmem, p) == $ld.u1(newmem, p)) &&
+ (forall p:$ptr :: { $ld.i2(oldmem, p) } { $ld.i2(newmem, p) } // TODO maybe we want only newmem?
+ !$allocated(oldalloc, p) || $overlaps($region(p, 2bv64), r) || $ld.i2(oldmem, p) == $ld.i2(newmem, p)) &&
+ (forall p:$ptr :: { $ld.u2(oldmem, p) } { $ld.u2(newmem, p) } // TODO maybe we want only newmem?
+ !$allocated(oldalloc, p) || $overlaps($region(p, 2bv64), r) || $ld.u2(oldmem, p) == $ld.u2(newmem, p)) &&
+ (forall p:$ptr :: { $ld.i4(oldmem, p) } { $ld.i4(newmem, p) } // TODO maybe we want only newmem?
+ !$allocated(oldalloc, p) || $overlaps($region(p, 4bv64), r) || $ld.i4(oldmem, p) == $ld.i4(newmem, p)) &&
+ (forall p:$ptr :: { $ld.i8(oldmem, p) } { $ld.i8(newmem, p) } // TODO maybe we want only newmem?
+ !$allocated(oldalloc, p) || $overlaps($region(p, 8bv64), r) || $ld.i8(oldmem, p) == $ld.i8(newmem, p)) &&
+ (forall p:$ptr :: { $ld.ptr(oldmem, p) } { $ld.ptr(newmem, p) } // TODO maybe we want only newmem?
+ !$allocated(oldalloc, p) || $overlaps($region(p, 8bv64), r) || $ld.ptr(oldmem, p) == $ld.ptr(newmem, p)));
+
+
+axiom (forall r:$region, oldmem:$mem, newmem:$mem ::
+ { $nothing_in_region_changed(r, oldmem, newmem) }
+ $nothing_in_region_changed(r, oldmem, newmem) <==>
+
+ (forall p:$ptr :: { $ld.i1(oldmem, p) } { $ld.i1(newmem, p) } // TODO maybe we want only newmem?
+ !$contains($region(p, 1bv64), r) || $ld.i1(oldmem, p) == $ld.i1(newmem, p)) &&
+ (forall p:$ptr :: { $ld.u1(oldmem, p) } { $ld.u1(newmem, p) } // TODO maybe we want only newmem?
+ !$contains($region(p, 1bv64), r) || $ld.u1(oldmem, p) == $ld.u1(newmem, p)) &&
+ (forall p:$ptr :: { $ld.i2(oldmem, p) } { $ld.i2(newmem, p) } // TODO maybe we want only newmem?
+ !$contains($region(p, 2bv64), r) || $ld.i2(oldmem, p) == $ld.i2(newmem, p)) &&
+ (forall p:$ptr :: { $ld.u2(oldmem, p) } { $ld.u2(newmem, p) } // TODO maybe we want only newmem?
+ !$contains($region(p, 2bv64), r) || $ld.u2(oldmem, p) == $ld.u2(newmem, p)) &&
+ (forall p:$ptr :: { $ld.i4(oldmem, p) } { $ld.i4(newmem, p) } // TODO maybe we want only newmem?
+ !$contains($region(p, 4bv64), r) || $ld.i4(oldmem, p) == $ld.i4(newmem, p)) &&
+ (forall p:$ptr :: { $ld.i8(oldmem, p) } { $ld.i8(newmem, p) } // TODO maybe we want only newmem?
+ !$contains($region(p, 8bv64), r) || $ld.i8(oldmem, p) == $ld.i8(newmem, p)) &&
+ (forall p:$ptr :: { $ld.ptr(oldmem, p) } { $ld.ptr(newmem, p) } // TODO maybe we want only newmem?
+ !$contains($region(p, 8bv64), r) || $ld.ptr(oldmem, p) == $ld.ptr(newmem, p)));
+
+
+
+axiom (forall oldalloc:[$ptr,<x>name]x, newalloc:[$ptr,<x>name]x ::
+ { $alloc_grows(oldalloc, newalloc) }
+ $alloc_grows(oldalloc, newalloc) <==>
+ (forall p:ref :: { $size(newalloc, p) }
+ $size(oldalloc, p) == 0bv64 || $size(oldalloc, p) == $size(newalloc, p)));
+
+
+// -----------------------------------------------------------------------
+// That`s all folks!
+// -----------------------------------------------------------------------
+
+
+procedure x(a : bv64, b: bv64)
+{
+ block1 : return;
+}
+
+procedure a(a : bv32, b: bv32)
+{
+ block1 :
+ // OK:
+ assert a == a;
+ assert a[32:16] ++ a[16:0] == a;
+ assert 0bv32 != 1bv32;
+ // Error:
+ assert $add.i4(a, b) == $add.i4(b, a);
+ assert $and.i4(a, b) == $and.i4(b, a);
+ assert $add.i4(a, 0bv32) == a;
+ return;
+}
+
+procedure b(a : bv64, b: bv64)
+{
+ block1 :
+ assert a == a;
+ assert a[64:16] ++ a[16:0] == a;
+ assert $add.i8(a, b) == $add.i8(b, a);
+ assert $and.i8(a, b) == $and.i8(b, a);
+ return;
+}
+
+// Example usage of the memory model:
+procedure foo()
+ modifies $mem, $gmem;
+{
+ var p :$ptr;
+ var q :bv32;
+
+ block1:
+
+ call p := $malloc(8bv64);
+
+ if (p == $ldnull) { return; }
+
+ assert $valid($gmem, p, 4bv64);
+
+ $mem := $st.i1($mem, p, 42bv32);
+ q := $ld.u1($mem, p);
+ assert q == 42bv32;
+
+
+ p := $add.ptr(p, 4bv64, 1bv64);
+ assert $valid($gmem, p, 4bv64);
+ $mem := $st.i4($mem, p, $add.i4(q, 42bv32));
+ q := $ld.i4($mem, p);
+ assert q == 84bv32;
+
+ call $free(p);
+
+ return;
+}
+
+procedure mem_model(mem:$mem, p:$ptr, a:bv32, b:bv64)
+{
+ assert $ld.i4($st.i4(mem, p, a), p) == a;
+ assert $ld.i2($st.i2(mem, p, a), p)[16:0] == a[16:0];
+ return;
+}
diff --git a/Test/ccnet.runtestall.bat b/Test/ccnet.runtestall.bat
new file mode 100644
index 00000000..03b717e1
--- /dev/null
+++ b/Test/ccnet.runtestall.bat
@@ -0,0 +1,2 @@
+set BOOGIE=%CD%\..
+runtestall.bat %*
diff --git a/Test/dafny0/Answer b/Test/dafny0/Answer
new file mode 100644
index 00000000..64c43c87
--- /dev/null
+++ b/Test/dafny0/Answer
@@ -0,0 +1,100 @@
+
+-------------------- Simple.dfy --------------------
+// synthetic program
+
+class MyClass<T, U> {
+ var x: int;
+
+ method M(s: bool, lotsaObjects: set<object>)
+ returns (t: object, u: set<int>, v: seq<MyClass<bool,U>>):
+ requires s;
+ modifies this;
+ modifies lotsaObjects;
+ ensures t == t;
+ ensures old(null) != this;
+ {
+ x := 12;
+ while (x < 100)
+ invariant x <= 100;
+ {
+ x := x + 17;
+ if (x % 20 == 3) {
+ x := this.x + 1;
+ } else {
+ this.x := x + 0;
+ }
+ call t, u, v := M(true, lotsaObjects)
+ var to: MyClass<T,U>;
+ call to, u, v := M(true, lotsaObjects)
+ call to, u, v := to.M(true, lotsaObjects)
+ }
+ }
+}
+
+Dafny program verifier finished with 0 verified, 0 errors
+
+-------------------- BQueue.bpl --------------------
+
+Boogie program verifier finished with 8 verified, 0 errors
+
+-------------------- SmallTests.dfy --------------------
+
+Dafny program verifier finished with 3 verified, 0 errors
+
+-------------------- Queue.dfy --------------------
+
+Dafny program verifier finished with 12 verified, 0 errors
+
+-------------------- ListCopy.dfy --------------------
+
+Dafny program verifier finished with 2 verified, 0 errors
+
+-------------------- BinaryTree.dfy --------------------
+
+Dafny program verifier finished with 13 verified, 0 errors
+
+-------------------- ListReverse.dfy --------------------
+
+Dafny program verifier finished with 1 verified, 0 errors
+
+-------------------- ListContents.dfy --------------------
+
+Dafny program verifier finished with 5 verified, 0 errors
+
+-------------------- SchorrWaite.dfy --------------------
+
+Dafny program verifier finished with 4 verified, 0 errors
+
+-------------------- Termination.dfy --------------------
+
+Dafny program verifier finished with 5 verified, 0 errors
+
+-------------------- Use.dfy --------------------
+Use.dfy(12,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ (0,0): anon0
+Use.dfy(25,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ (0,0): anon0
+Use.dfy(50,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ (0,0): anon0
+
+Dafny program verifier finished with 6 verified, 3 errors
+
+-------------------- DTypes.dfy --------------------
+DTypes.dfy(15,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ (0,0): anon0
+DTypes.dfy(28,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ (0,0): anon0
+DTypes.dfy(54,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ (0,0): anon0
+
+Dafny program verifier finished with 5 verified, 3 errors
+
+-------------------- TypeParameters.dfy --------------------
+
+Dafny program verifier finished with 3 verified, 0 errors
diff --git a/Test/dafny0/BQueue.bpl b/Test/dafny0/BQueue.bpl
new file mode 100644
index 00000000..21c1c58a
--- /dev/null
+++ b/Test/dafny0/BQueue.bpl
@@ -0,0 +1,430 @@
+// BQueue.bpl
+// A queue program specified in the style of dynamic frames.
+// Rustan Leino, Michal Moskal, and Wolfram Schulte, 2007.
+
+// ---------------------------------------------------------------
+
+type ref;
+const null: ref;
+
+type Field x;
+
+// this variable represents the heap; read its type as \forall \alpha. ref * Field \alpha --> \alpha
+type HeapType = <x>[ref, Field x]x;
+var H: HeapType;
+
+// every object has an 'alloc' field, which says whether or not the object has been allocated
+const unique alloc: Field bool;
+
+// for simplicity, we say that every object has one field representing its abstract value and one
+// field representing its footprint (aka frame aka data group).
+
+const unique abstractValue: Field Seq;
+const unique footprint: Field [ref]bool;
+
+// ---------------------------------------------------------------
+
+type T; // the type of the elements of the queue
+const NullT: T; // some value of type T
+
+// ---------------------------------------------------------------
+
+// Queue:
+const unique head: Field ref;
+const unique tail: Field ref;
+const unique mynodes: Field [ref]bool;
+// Node:
+const unique data: Field T;
+const unique next: Field ref;
+
+function ValidQueue(HeapType, ref) returns (bool);
+axiom (forall h: HeapType, q: ref ::
+ { ValidQueue(h, q) }
+ q != null && h[q,alloc] ==>
+ (ValidQueue(h, q) <==>
+ h[q,head] != null && h[h[q,head],alloc] &&
+ h[q,tail] != null && h[h[q,tail],alloc] &&
+ h[h[q,tail], next] == null &&
+ // The following line can be suppressed now that we have a ValidFootprint invariant
+ (forall o: ref :: { h[q,footprint][o] } o != null && h[q,footprint][o] ==> h[o,alloc]) &&
+ h[q,footprint][q] &&
+ h[q,mynodes][h[q,head]] && h[q,mynodes][h[q,tail]] &&
+ (forall n: ref :: { h[q,mynodes][n] }
+ h[q,mynodes][n] ==>
+ n != null && h[n,alloc] && ValidNode(h, n) &&
+ SubSet(h[n,footprint], h[q,footprint]) &&
+ !h[n,footprint][q] &&
+ (h[n,next] == null ==> n == h[q,tail])
+ ) &&
+ (forall n: ref :: { h[n,next] }
+ h[q,mynodes][n] ==>
+ (h[n,next] != null ==> h[q,mynodes][h[n,next]])
+ ) &&
+ h[q,abstractValue] == h[h[q,head],abstractValue]
+ ));
+
+// frame axiom for ValidQueue
+axiom (forall h0: HeapType, h1: HeapType, n: ref ::
+ { ValidQueue(h0,n), ValidQueue(h1,n) }
+ (forall<alpha> o: ref, f: Field alpha :: o != null && h0[o,alloc] && h0[n,footprint][o]
+ ==> h0[o,f] == h1[o,f])
+ &&
+ (forall<alpha> o: ref, f: Field alpha :: o != null && h1[o,alloc] && h1[n,footprint][o]
+ ==> h0[o,f] == h1[o,f])
+ ==>
+ ValidQueue(h0,n) == ValidQueue(h1,n));
+
+function ValidNode(HeapType, ref) returns (bool);
+axiom (forall h: HeapType, n: ref ::
+ { ValidNode(h, n) }
+ n != null && h[n,alloc] ==>
+ (ValidNode(h, n) <==>
+ // The following line can be suppressed now that we have a ValidFootprint invariant
+ (forall o: ref :: { h[n,footprint][o] } o != null && h[n,footprint][o] ==> h[o,alloc]) &&
+ h[n,footprint][n] &&
+ (h[n,next] != null ==>
+ h[h[n,next],alloc] &&
+ SubSet(h[h[n,next], footprint], h[n,footprint]) &&
+ !h[h[n,next], footprint][n]) &&
+ (h[n,next] == null ==> EqualSeq(h[n,abstractValue], EmptySeq)) &&
+ (h[n,next] != null ==> EqualSeq(h[n,abstractValue],
+ Append(Singleton(h[h[n,next],data]), h[h[n,next],abstractValue])))
+ ));
+
+// frame axiom for ValidNode
+axiom (forall h0: HeapType, h1: HeapType, n: ref ::
+ { ValidNode(h0,n), ValidNode(h1,n) }
+ (forall<alpha> o: ref, f: Field alpha :: o != null && h0[o,alloc] && h0[n,footprint][o]
+ ==> h0[o,f] == h1[o,f])
+ &&
+ (forall<alpha> o: ref, f: Field alpha :: o != null && h1[o,alloc] && h1[n,footprint][o]
+ ==> h0[o,f] == h1[o,f])
+ ==>
+ ValidNode(h0,n) == ValidNode(h1,n));
+
+// ---------------------------------------------------------------
+
+procedure MakeQueue() returns (q: ref)
+ requires ValidFootprints(H);
+ modifies H;
+ ensures ValidFootprints(H);
+ ensures ModifiesOnlySet(old(H), H, EmptySet);
+ ensures q != null && H[q,alloc];
+ ensures AllNewSet(old(H), H[q,footprint]);
+ ensures ValidQueue(H, q);
+ ensures Length(H[q,abstractValue]) == 0;
+{
+ var n: ref;
+
+ assume Fresh(H,q);
+ H[q,alloc] := true;
+
+ call n := MakeNode(NullT);
+ H[q,head] := n;
+ H[q,tail] := n;
+ H[q,mynodes] := SingletonSet(n);
+ H[q,footprint] := UnionSet(SingletonSet(q), H[n,footprint]);
+ H[q,abstractValue] := H[n,abstractValue];
+}
+
+procedure IsEmpty(q: ref) returns (isEmpty: bool)
+ requires ValidFootprints(H);
+ requires q != null && H[q,alloc] && ValidQueue(H, q);
+ ensures isEmpty <==> Length(H[q,abstractValue]) == 0;
+{
+ isEmpty := H[q,head] == H[q,tail];
+}
+
+procedure Enqueue(q: ref, t: T)
+ requires ValidFootprints(H);
+ requires q != null && H[q,alloc] && ValidQueue(H, q);
+ modifies H;
+ ensures ValidFootprints(H);
+ ensures ModifiesOnlySet(old(H), H, old(H)[q,footprint]);
+ ensures DifferenceIsNew(old(H), old(H)[q,footprint], H[q,footprint]);
+ ensures ValidQueue(H, q);
+ ensures EqualSeq(H[q,abstractValue], Append(old(H)[q,abstractValue], Singleton(t)));
+{
+ var n: ref;
+
+ call n := MakeNode(t);
+
+ // foreach m in q.mynodes { m.footprint := m.footprint U n.footprint }
+ call BulkUpdateFootprint(H[q,mynodes], H[n,footprint]);
+ H[q,footprint] := UnionSet(H[q,footprint], H[n,footprint]);
+
+ // foreach m in q.mynodes { m.abstractValue := Append(m.abstractValue, Singleton(t)) }
+ call BulkUpdateAbstractValue(H[q,mynodes], t);
+ H[q,abstractValue] := H[H[q,head],abstractValue];
+
+ H[q,mynodes] := UnionSet(H[q,mynodes], SingletonSet(n));
+
+ H[H[q,tail], next] := n;
+ H[q,tail] := n;
+}
+
+procedure BulkUpdateFootprint(targetSet: [ref]bool, delta: [ref]bool);
+ requires ValidFootprints(H);
+ modifies H;
+ ensures ValidFootprints(H);
+ ensures ModifiesOnlySetField(old(H), H, targetSet, footprint);
+ ensures (forall o: ref ::
+ o != null && old(H)[o,alloc] && targetSet[o]
+ ==> H[o,footprint] == UnionSet(old(H)[o,footprint], delta));
+
+procedure BulkUpdateAbstractValue(targetSet: [ref]bool, t: T);
+ requires ValidFootprints(H);
+ modifies H;
+ ensures ValidFootprints(H);
+ ensures ModifiesOnlySetField(old(H), H, targetSet, abstractValue);
+ ensures (forall o: ref ::
+ o != null && old(H)[o,alloc] && targetSet[o]
+ ==> EqualSeq(H[o,abstractValue], Append(old(H)[o,abstractValue], Singleton(t))));
+
+procedure Front(q: ref) returns (t: T)
+ requires ValidFootprints(H);
+ requires q != null && H[q,alloc] && ValidQueue(H, q);
+ requires 0 < Length(H[q,abstractValue]);
+ ensures t == Index(H[q,abstractValue], 0);
+{
+ t := H[H[H[q,head], next], data];
+}
+
+procedure Dequeue(q: ref)
+ requires ValidFootprints(H);
+ requires q != null && H[q,alloc] && ValidQueue(H, q);
+ requires 0 < Length(H[q,abstractValue]);
+ modifies H;
+ ensures ValidFootprints(H);
+ ensures ModifiesOnlySet(old(H), H, old(H)[q,footprint]);
+ ensures DifferenceIsNew(old(H), old(H)[q,footprint], H[q,footprint]);
+ ensures ValidQueue(H, q);
+ ensures EqualSeq(H[q,abstractValue], Drop(old(H)[q,abstractValue], 1));
+{
+ var n: ref;
+
+ n := H[H[q,head], next];
+ H[q,head] := n;
+ // we could also remove old(H)[q,head] from H[q,mynodes], and similar for the footprints
+ H[q,abstractValue] := H[n,abstractValue];
+}
+
+// --------------------------------------------------------------------------------
+
+procedure MakeNode(t: T) returns (n: ref)
+ requires ValidFootprints(H);
+ modifies H;
+ ensures ValidFootprints(H);
+ ensures ModifiesOnlySet(old(H), H, EmptySet);
+ ensures n != null && H[n,alloc];
+ ensures AllNewSet(old(H), H[n,footprint]);
+ ensures ValidNode(H, n);
+ ensures H[n,data] == t && H[n,next] == null;
+{
+ assume Fresh(H,n);
+ H[n,alloc] := true;
+
+ H[n,next] := null;
+ H[n,data] := t;
+ H[n,footprint] := SingletonSet(n);
+ H[n,abstractValue] := EmptySeq;
+}
+
+// --------------------------------------------------------------------------------
+
+procedure Main(t: T, u: T, v: T)
+ requires ValidFootprints(H);
+ modifies H;
+ ensures ValidFootprints(H);
+ ensures ModifiesOnlySet(old(H), H, EmptySet);
+{
+ var q0, q1: ref;
+ var w: T;
+
+ call q0 := MakeQueue();
+ call q1 := MakeQueue();
+
+ call Enqueue(q0, t);
+ call Enqueue(q0, u);
+
+ call Enqueue(q1, v);
+
+ assert Length(H[q0,abstractValue]) == 2;
+
+ call w := Front(q0);
+ assert w == t;
+ call Dequeue(q0);
+
+ call w := Front(q0);
+ assert w == u;
+
+ assert Length(H[q0,abstractValue]) == 1;
+ assert Length(H[q1,abstractValue]) == 1;
+}
+
+// --------------------------------------------------------------------------------
+
+procedure Main2(t: T, u: T, v: T, q0: ref, q1: ref)
+ requires q0 != null && H[q0,alloc] && ValidQueue(H, q0);
+ requires q1 != null && H[q1,alloc] && ValidQueue(H, q1);
+ requires DisjointSet(H[q0,footprint], H[q1,footprint]);
+ requires Length(H[q0,abstractValue]) == 0;
+
+ requires ValidFootprints(H);
+ modifies H;
+ ensures ValidFootprints(H);
+ ensures ModifiesOnlySet(old(H), H, UnionSet(old(H)[q0,footprint], old(H)[q1,footprint]));
+{
+ var w: T;
+
+ call Enqueue(q0, t);
+ call Enqueue(q0, u);
+
+ call Enqueue(q1, v);
+
+ assert Length(H[q0,abstractValue]) == 2;
+
+ call w := Front(q0);
+ assert w == t;
+ call Dequeue(q0);
+
+ call w := Front(q0);
+ assert w == u;
+
+ assert Length(H[q0,abstractValue]) == 1;
+ assert Length(H[q1,abstractValue]) == old(Length(H[q1,abstractValue])) + 1;
+}
+
+// ---------------------------------------------------------------
+
+// Helpful predicates used in specs
+
+function ModifiesOnlySet(oldHeap: HeapType, newHeap: HeapType, set: [ref]bool) returns (bool);
+axiom (forall oldHeap: HeapType, newHeap: HeapType, set: [ref]bool ::
+ { ModifiesOnlySet(oldHeap, newHeap, set) }
+ ModifiesOnlySet(oldHeap, newHeap, set) <==>
+ NoDeallocs(oldHeap, newHeap) &&
+ (forall<alpha> o: ref, f: Field alpha :: { newHeap[o,f] }
+ o != null && oldHeap[o,alloc] ==>
+ oldHeap[o,f] == newHeap[o,f] || set[o]));
+
+function ModifiesOnlySetField<alpha>(oldHeap: HeapType, newHeap: HeapType,
+ set: [ref]bool, field: Field alpha) returns (bool);
+axiom (forall<alpha> oldHeap: HeapType, newHeap: HeapType, set: [ref]bool, field: Field alpha ::
+ { ModifiesOnlySetField(oldHeap, newHeap, set, field) }
+ ModifiesOnlySetField(oldHeap, newHeap, set, field) <==>
+ NoDeallocs(oldHeap, newHeap) &&
+ (forall<beta> o: ref, f: Field beta :: { newHeap[o,f] }
+ o != null && oldHeap[o,alloc] ==>
+ oldHeap[o,f] == newHeap[o,f] || (set[o] && f == field)));
+
+function NoDeallocs(oldHeap: HeapType, newHeap: HeapType) returns (bool);
+axiom (forall oldHeap: HeapType, newHeap: HeapType ::
+ { NoDeallocs(oldHeap, newHeap) }
+ NoDeallocs(oldHeap, newHeap) <==>
+ (forall o: ref :: { newHeap[o,alloc] }
+ o != null && oldHeap[o,alloc] ==> newHeap[o,alloc]));
+
+function AllNewSet(oldHeap: HeapType, set: [ref]bool) returns (bool);
+axiom (forall oldHeap: HeapType, set: [ref]bool ::
+ { AllNewSet(oldHeap, set) }
+ AllNewSet(oldHeap, set) <==>
+ (forall o: ref :: { oldHeap[o,alloc] }
+ o != null && set[o] ==> !oldHeap[o,alloc]));
+
+function DifferenceIsNew(oldHeap: HeapType, oldSet: [ref]bool, newSet: [ref]bool) returns (bool);
+axiom (forall oldHeap: HeapType, oldSet: [ref]bool, newSet: [ref]bool ::
+ { DifferenceIsNew(oldHeap, oldSet, newSet) }
+ DifferenceIsNew(oldHeap, oldSet, newSet) <==>
+ (forall o: ref :: { oldHeap[o,alloc] }
+ o != null && !oldSet[o] && newSet[o] ==> !oldHeap[o,alloc]));
+
+function ValidFootprints(h: HeapType) returns (bool);
+axiom (forall h: HeapType ::
+ { ValidFootprints(h) }
+ ValidFootprints(h) <==>
+ (forall o: ref, r: ref :: { h[o,footprint][r] }
+ o != null && h[o,alloc] && r != null && h[o,footprint][r] ==> h[r,alloc]));
+
+function Fresh(h: HeapType, o: ref) returns (bool);
+axiom (forall h: HeapType, o: ref ::
+ { Fresh(h,o) }
+ Fresh(h,o) <==>
+ o != null && !h[o,alloc] && h[o,footprint] == SingletonSet(o));
+
+// ---------------------------------------------------------------
+
+const EmptySet: [ref]bool;
+axiom (forall o: ref :: { EmptySet[o] } !EmptySet[o]);
+
+function SingletonSet(ref) returns ([ref]bool);
+axiom (forall r: ref :: { SingletonSet(r) } SingletonSet(r)[r]);
+axiom (forall r: ref, o: ref :: { SingletonSet(r)[o] } SingletonSet(r)[o] <==> r == o);
+
+function UnionSet([ref]bool, [ref]bool) returns ([ref]bool);
+axiom (forall a: [ref]bool, b: [ref]bool, o: ref :: { UnionSet(a,b)[o] }
+ UnionSet(a,b)[o] <==> a[o] || b[o]);
+
+function SubSet([ref]bool, [ref]bool) returns (bool);
+axiom(forall a: [ref]bool, b: [ref]bool :: { SubSet(a,b) }
+ SubSet(a,b) <==> (forall o: ref :: {a[o]} {b[o]} a[o] ==> b[o]));
+
+function EqualSet([ref]bool, [ref]bool) returns (bool);
+axiom(forall a: [ref]bool, b: [ref]bool :: { EqualSet(a,b) }
+ EqualSet(a,b) <==> (forall o: ref :: {a[o]} {b[o]} a[o] <==> b[o]));
+
+function DisjointSet([ref]bool, [ref]bool) returns (bool);
+axiom (forall a: [ref]bool, b: [ref]bool :: { DisjointSet(a,b) }
+ DisjointSet(a,b) <==> (forall o: ref :: {a[o]} {b[o]} !a[o] || !b[o]));
+
+// ---------------------------------------------------------------
+
+// Sequence of T
+type Seq;
+
+function Length(Seq) returns (int);
+axiom (forall s: Seq :: { Length(s) } 0 <= Length(s));
+
+const EmptySeq: Seq;
+axiom Length(EmptySeq) == 0;
+axiom (forall s: Seq :: { Length(s) } Length(s) == 0 ==> s == EmptySeq);
+
+function Singleton(T) returns (Seq);
+axiom (forall t: T :: { Length(Singleton(t)) } Length(Singleton(t)) == 1);
+
+function Append(Seq, Seq) returns (Seq);
+axiom (forall s0: Seq, s1: Seq :: { Length(Append(s0,s1)) }
+ Length(Append(s0,s1)) == Length(s0) + Length(s1));
+
+function Index(Seq, int) returns (T);
+axiom (forall t: T :: { Index(Singleton(t), 0) } Index(Singleton(t), 0) == t);
+axiom (forall s0: Seq, s1: Seq, n: int :: { Index(Append(s0,s1), n) }
+ (n < Length(s0) ==> Index(Append(s0,s1), n) == Index(s0, n)) &&
+ (Length(s0) <= n ==> Index(Append(s0,s1), n) == Index(s1, n - Length(s0))));
+
+function EqualSeq(Seq, Seq) returns (bool);
+axiom (forall s0: Seq, s1: Seq :: { EqualSeq(s0,s1) }
+ EqualSeq(s0,s1) <==>
+ Length(s0) == Length(s1) &&
+ (forall j: int :: { Index(s0,j) } { Index(s1,j) }
+ 0 <= j && j < Length(s0) ==> Index(s0,j) == Index(s1,j)));
+
+function Take(Seq, howMany: int) returns (Seq);
+axiom (forall s: Seq, n: int :: { Length(Take(s,n)) }
+ 0 <= n ==>
+ (n <= Length(s) ==> Length(Take(s,n)) == n) &&
+ (Length(s) < n ==> Length(Take(s,n)) == Length(s)));
+axiom (forall s: Seq, n: int, j: int :: { Index(Take(s,n), j) }
+ 0 <= j && j < n && j < Length(s) ==>
+ Index(Take(s,n), j) == Index(s, j));
+
+function Drop(Seq, howMany: int) returns (Seq);
+axiom (forall s: Seq, n: int :: { Length(Drop(s,n)) }
+ 0 <= n ==>
+ (n <= Length(s) ==> Length(Drop(s,n)) == Length(s) - n) &&
+ (Length(s) < n ==> Length(Drop(s,n)) == 0));
+axiom (forall s: Seq, n: int, j: int :: { Index(Drop(s,n), j) }
+ 0 <= n && 0 <= j && j < Length(s)-n ==>
+ Index(Drop(s,n), j) == Index(s, j+n));
+
+// ---------------------------------------------------------------
diff --git a/Test/dafny0/BinaryTree.dfy b/Test/dafny0/BinaryTree.dfy
new file mode 100644
index 00000000..b3bcc823
--- /dev/null
+++ b/Test/dafny0/BinaryTree.dfy
@@ -0,0 +1,245 @@
+class IntSet {
+ var contents: set<int>;
+ var footprint: set<object>;
+
+ var root: Node;
+
+ function Valid(): bool
+ reads this, footprint;
+ {
+ this in footprint &&
+ (root == null ==> contents == {}) &&
+ (root != null ==>
+ root in footprint && root.Valid() &&
+ contents == root.contents &&
+ root.footprint <= footprint && !(this in root.footprint))
+ }
+
+ method Init()
+ modifies this;
+ ensures Valid() && fresh(footprint - {this});
+ ensures contents == {};
+ {
+ root := null;
+ footprint := {this};
+ contents := {};
+ }
+
+ method Find(x: int) returns (present: bool)
+ requires Valid();
+ ensures present <==> x in contents;
+ {
+ if (root == null) {
+ present := false;
+ } else {
+ call present := root.Find(x);
+ }
+ }
+
+ method Insert(x: int)
+ requires Valid();
+ modifies footprint;
+ ensures Valid() && fresh(footprint - old(footprint));
+ ensures contents == old(contents) + {x};
+ {
+ var t;
+ call t := InsertHelper(x, root);
+ root := t;
+ contents := root.contents;
+ footprint := root.footprint + {this};
+ }
+
+ method InsertHelper(x: int, n: Node) returns (m: Node)
+ requires n == null || n.Valid();
+ modifies n.footprint;
+ ensures m != null && m.Valid();
+ ensures n == null ==> fresh(m.footprint) && m.contents == {x};
+ ensures n != null ==> m == n && n.contents == old(n.contents) + {x};
+ ensures n != null ==> fresh(n.footprint - old(n.footprint));
+ {
+ if (n == null) {
+ m := new Node;
+ call m.Init(x);
+ } else if (x == n.data) {
+ m := n;
+ } else {
+ if (x < n.data) {
+ var t;
+ call t := InsertHelper(x, n.left);
+ n.left := t;
+ n.footprint := n.footprint + n.left.footprint;
+ } else {
+ var t;
+ call t := InsertHelper(x, n.right);
+ n.right := t;
+ n.footprint := n.footprint + n.right.footprint;
+ }
+ n.contents := n.contents + {x};
+ m := n;
+ }
+ }
+
+ method Remove(x: int)
+ requires Valid();
+ modifies footprint;
+ ensures Valid() && fresh(footprint - old(footprint));
+ ensures contents == old(contents) - {x};
+ {
+ if (root != null) {
+ var newRoot;
+ call newRoot := root.Remove(x);
+ root := newRoot;
+ if (root == null) {
+ contents := {};
+ footprint := {this};
+ } else {
+ contents := root.contents;
+ footprint := root.footprint + {this};
+ }
+ }
+ }
+}
+
+class Node {
+ var contents: set<int>;
+ var footprint: set<object>;
+
+ var data: int;
+ var left: Node;
+ var right: Node;
+
+ function Valid(): bool
+ reads this, footprint;
+ {
+ this in footprint &&
+ !(null in footprint) &&
+ (left != null ==>
+ left in footprint && left.Valid() &&
+ left.footprint <= footprint && !(this in left.footprint) &&
+ (forall y :: y in left.contents ==> y < data)) &&
+ (right != null ==>
+ right in footprint && right.Valid() &&
+ right.footprint <= footprint && !(this in right.footprint) &&
+ (forall y :: y in right.contents ==> data < y)) &&
+ (left == null && right == null ==>
+ contents == {data}) &&
+ (left != null && right == null ==>
+ contents == left.contents + {data}) &&
+ (left == null && right != null ==>
+ contents == {data} + right.contents) &&
+ (left != null && right != null ==>
+ left.footprint !! right.footprint &&
+ contents == left.contents + {data} + right.contents)
+ }
+
+ method Init(x: int)
+ modifies this;
+ ensures Valid() && fresh(footprint - {this});
+ ensures contents == {x};
+ {
+ data := x;
+ left := null;
+ right := null;
+ contents := {x};
+ footprint := {this};
+ }
+
+ method Find(x: int) returns (present: bool)
+ requires Valid();
+ ensures present <==> x in contents;
+ {
+ if (x == data) {
+ present := true;
+ } else if (left != null && x < data) {
+ call present := left.Find(x);
+ } else if (right != null && data < x) {
+ call present := right.Find(x);
+ } else {
+ present := false;
+ }
+ }
+
+ method Remove(x: int) returns (node: Node)
+ requires Valid();
+ modifies footprint;
+ ensures fresh(footprint - old(footprint));
+ ensures node != null ==> node.Valid();
+ ensures node == null ==> old(contents) <= {x};
+ ensures node != null ==> node.footprint <= footprint && node.contents == old(contents) - {x};
+ {
+ node := this;
+ if (left != null && x < data) {
+ var t;
+ call t := left.Remove(x);
+ left := t;
+ contents := contents - {x};
+ if (left != null) { footprint := footprint + left.footprint; }
+ } else if (right != null && data < x) {
+ var t;
+ call t := right.Remove(x);
+ right := t;
+ contents := contents - {x};
+ if (right != null) { footprint := footprint + right.footprint; }
+ } else if (x == data) {
+ if (left == null && right == null) {
+ node := null;
+ } else if (left == null) {
+ node := right;
+ } else if (right == null) {
+ node := left;
+ } else {
+ // rotate
+ var min, r;
+ call min, r := right.RemoveMin();
+ data := min; right := r;
+ contents := contents - {x};
+ if (right != null) { footprint := footprint + right.footprint; }
+ }
+ }
+ }
+
+ method RemoveMin() returns (min: int, node: Node)
+ requires Valid();
+ modifies footprint;
+ ensures fresh(footprint - old(footprint));
+ ensures node != null ==> node.Valid();
+ ensures node == null ==> old(contents) == {min};
+ ensures node != null ==> node.footprint <= footprint && node.contents == old(contents) - {min};
+ ensures min in old(contents) && (forall x :: x in old(contents) ==> min <= x);
+ {
+ if (left == null) {
+ min := data;
+ node := right;
+ } else {
+ var t;
+ call min, t := left.RemoveMin();
+ left := t;
+ node := this;
+ contents := contents - {min};
+ if (left != null) { footprint := footprint + left.footprint; }
+ }
+ }
+}
+
+class Main {
+ method Client0(x: int)
+ {
+ var s := new IntSet;
+ call s.Init();
+
+ call s.Insert(12);
+ call s.Insert(24);
+ var present;
+ call present := s.Find(x);
+ assert present <==> x == 12 || x == 24;
+ }
+
+ method Client1(s: IntSet, x: int)
+ requires s != null && s.Valid();
+ modifies s.footprint;
+ {
+ call s.Insert(x);
+ call s.Insert(24);
+ assert old(s.contents) - {x,24} == s.contents - {x,24};
+ }
+}
diff --git a/Test/dafny0/DTypes.dfy b/Test/dafny0/DTypes.dfy
new file mode 100644
index 00000000..f6e0a2b4
--- /dev/null
+++ b/Test/dafny0/DTypes.dfy
@@ -0,0 +1,74 @@
+class C {
+ var n: set<Node>;
+
+ method M(v: Stack)
+ requires v != null;
+ {
+ var o: object := v;
+ assert !(o in n); // should be known from the types involved
+ }
+
+ method N(v: Stack)
+ /* this time without the precondition */
+ {
+ var o: object := v;
+ assert !(o in n); // error: v may be null
+ }
+
+ method A0(a: CP<int,C>, b: CP<int,object>)
+ {
+ var x: object := a;
+ var y: object := b;
+ assert x == y ==> x == null;
+ }
+
+ method A1(a: CP<int,C>)
+ {
+ var x: object := a;
+ assert (forall b: CP<int,Stack> :: x == b ==> b == null); // error (we don't add a type antecedent to
+ // quantifiers; is that what we want?)
+ }
+
+ var a2x: set<CP<C,Node>>;
+ method A2(b: set<CP<Node,C>>)
+ requires !(null in b);
+ {
+ var x: set<object> := a2x;
+ var y: set<object> := b;
+ assert x * y == {};
+ }
+
+ method A3(b: set<CP<Node,C>>)
+ /* this time without the precondition */
+ {
+ var x: set<object> := a2x;
+ var y: set<object> := b;
+ assert x * y <= {null};
+ }
+
+ method A4(b: set<CP<Node,C>>)
+ /* again, without the precondition */
+ {
+ var x: set<object> := a2x;
+ var y: set<object> := b;
+ assert x * y == {}; // error
+ }
+
+ method A5()
+ {
+ var a := new CP<int,C>;
+ var b := new CP<int,object>;
+ while (a != null) {
+ var x: object := a;
+ var y: object := b;
+ assert x == y ==> x == null;
+ a := a; // make 'a' a loop target
+ }
+ }
+}
+
+class Stack { }
+class Node { }
+
+class CP<T,U> {
+}
diff --git a/Test/dafny0/ListContents.dfy b/Test/dafny0/ListContents.dfy
new file mode 100644
index 00000000..6cb7c5a0
--- /dev/null
+++ b/Test/dafny0/ListContents.dfy
@@ -0,0 +1,92 @@
+class Node<T> {
+ var list: seq<T>;
+ var footprint: set<Node<T>>;
+
+ var data: T;
+ var next: Node<T>;
+
+ function Valid(): bool
+ reads this, footprint;
+ {
+ this in this.footprint && !(null in this.footprint) &&
+ (next == null ==> list == [data]) &&
+ (next != null ==>
+ next in footprint && next.footprint <= footprint &&
+ !(this in next.footprint) &&
+ list == [data] + next.list &&
+ next.Valid())
+ }
+
+ method Init(d: T)
+ modifies this;
+ ensures Valid() && fresh(footprint - {this});
+ ensures list == [d];
+ {
+ data := d;
+ next := null;
+ list := [d];
+ footprint := {this};
+ }
+
+ method SkipHead() returns (r: Node<T>)
+ requires Valid();
+ ensures r == null ==> |list| == 1;
+ ensures r != null ==> r.Valid() && r.footprint <= footprint;
+ ensures r != null ==> r.list == list[1..];
+ {
+ r := next;
+ }
+
+ method Prepend(d: T) returns (r: Node<T>)
+ requires Valid();
+ ensures r.Valid() && fresh(r.footprint - old(footprint));
+ ensures r.list == [d] + list;
+ {
+ r := new Node<T>;
+ r.data := d;
+ r.next := this;
+ r.footprint := {r} + this.footprint;
+ r.list := [r.data] + this.list;
+ }
+
+ method ReverseInPlace() returns (reverse: Node<T>)
+ requires Valid();
+ modifies footprint;
+ ensures reverse != null && reverse.Valid();
+ ensures fresh(reverse.footprint - old(footprint));
+ ensures |reverse.list| == |old(list)|;
+ ensures (forall i :: 0 <= i && i < |old(list)| ==> old(list)[i] == reverse.list[|old(list)|-1-i]);
+ {
+ var current := next;
+ reverse := this;
+ reverse.next := null;
+ reverse.footprint := {reverse};
+ reverse.list := [data];
+
+ while (current != null)
+ invariant reverse != null && reverse.Valid();
+ invariant reverse.footprint <= old(footprint);
+ invariant current == null ==> |old(list)| == |reverse.list|;
+ invariant current != null ==>
+ current.Valid() &&
+ current in old(footprint) && current.footprint <= old(footprint) &&
+ current.footprint !! reverse.footprint &&
+ |old(list)| == |reverse.list| + |current.list| &&
+ (forall i :: 0 <= i && i < |current.list| ==> current.list[i] == old(list)[|reverse.list|+i]);
+ invariant
+ (forall i :: 0 <= i && i < |reverse.list| ==> old(list)[i] == reverse.list[|reverse.list|-1-i]);
+ {
+ var nx := current.next;
+ assert nx != null ==> (forall i :: 0 <= i && i < |nx.list| ==> current.list[1+i] == nx.list[i]);
+
+ // ..., reverse, current, nx, ...
+ assert current.data == current.list[0];
+ current.next := reverse;
+ current.footprint := {current} + reverse.footprint;
+ current.list := [current.data] + reverse.list;
+
+ reverse := current;
+ current := nx;
+ }
+ }
+}
diff --git a/Test/dafny0/ListCopy.dfy b/Test/dafny0/ListCopy.dfy
new file mode 100644
index 00000000..f3c64fe2
--- /dev/null
+++ b/Test/dafny0/ListCopy.dfy
@@ -0,0 +1,54 @@
+class Node {
+ var nxt: Node;
+
+ method Init()
+ modifies this;
+ ensures nxt == null;
+ {
+ nxt := null;
+ }
+
+ method Copy(root: Node) returns (result: Node)
+ {
+ var existingRegion: set<Node>;
+ assume root == null || root in existingRegion;
+ assume (forall o: Node :: o != null && o in existingRegion && o.nxt != null ==> o.nxt in existingRegion);
+
+ var newRoot := null;
+ var oldListPtr := root;
+ var newRegion: set<Node> := {};
+
+ if (oldListPtr != null) {
+ newRoot := new Node;
+ call newRoot.Init();
+ newRegion := newRegion + {newRoot};
+ var prev := newRoot;
+
+ while (oldListPtr != null)
+ invariant newRoot in newRegion;
+ invariant (forall o: Node :: o in newRegion ==> o != null);
+ invariant (forall o: Node :: o in newRegion && o.nxt != null ==> o.nxt in newRegion);
+ invariant prev in newRegion;
+ invariant fresh(newRegion);
+ invariant newRegion !! existingRegion;
+ {
+ var tmp := new Node;
+ call tmp.Init();
+
+ newRegion := newRegion + {tmp};
+ prev.nxt := tmp;
+
+ prev := tmp;
+ oldListPtr := oldListPtr.nxt;
+ }
+ }
+ result := newRoot;
+ assert result == null || result in newRegion;
+
+ // everything in newRegion is fresh
+ assert fresh(newRegion);
+
+ // newRegion # exisitingRegion
+ assert newRegion !! existingRegion;
+ }
+}
diff --git a/Test/dafny0/ListReverse.dfy b/Test/dafny0/ListReverse.dfy
new file mode 100644
index 00000000..af61a7a3
--- /dev/null
+++ b/Test/dafny0/ListReverse.dfy
@@ -0,0 +1,26 @@
+
+class Node {
+ var nxt: Node;
+
+ method ReverseInPlace(x: Node, r: set<Node>) returns (reverse: Node)
+ requires !(null in r);
+ requires x == null || x in r;
+ requires (forall y :: y in r ==> y.nxt == null || y.nxt in r); // region closure
+ modifies r;
+ ensures reverse == null || reverse in r;
+ ensures (forall y :: y in r ==> y.nxt == null || y.nxt in r); // region closure
+ {
+ var current := x;
+ reverse := null;
+ while (current != null)
+ invariant current == null || current in r;
+ invariant reverse == null || reverse in r;
+ invariant (forall y :: y in r ==> y.nxt == null || y.nxt in r); // region closure
+ {
+ var tmp := current.nxt;
+ current.nxt := reverse;
+ reverse := current;
+ current := tmp;
+ }
+ }
+}
diff --git a/Test/dafny0/Output b/Test/dafny0/Output
new file mode 100644
index 00000000..64c43c87
--- /dev/null
+++ b/Test/dafny0/Output
@@ -0,0 +1,100 @@
+
+-------------------- Simple.dfy --------------------
+// synthetic program
+
+class MyClass<T, U> {
+ var x: int;
+
+ method M(s: bool, lotsaObjects: set<object>)
+ returns (t: object, u: set<int>, v: seq<MyClass<bool,U>>):
+ requires s;
+ modifies this;
+ modifies lotsaObjects;
+ ensures t == t;
+ ensures old(null) != this;
+ {
+ x := 12;
+ while (x < 100)
+ invariant x <= 100;
+ {
+ x := x + 17;
+ if (x % 20 == 3) {
+ x := this.x + 1;
+ } else {
+ this.x := x + 0;
+ }
+ call t, u, v := M(true, lotsaObjects)
+ var to: MyClass<T,U>;
+ call to, u, v := M(true, lotsaObjects)
+ call to, u, v := to.M(true, lotsaObjects)
+ }
+ }
+}
+
+Dafny program verifier finished with 0 verified, 0 errors
+
+-------------------- BQueue.bpl --------------------
+
+Boogie program verifier finished with 8 verified, 0 errors
+
+-------------------- SmallTests.dfy --------------------
+
+Dafny program verifier finished with 3 verified, 0 errors
+
+-------------------- Queue.dfy --------------------
+
+Dafny program verifier finished with 12 verified, 0 errors
+
+-------------------- ListCopy.dfy --------------------
+
+Dafny program verifier finished with 2 verified, 0 errors
+
+-------------------- BinaryTree.dfy --------------------
+
+Dafny program verifier finished with 13 verified, 0 errors
+
+-------------------- ListReverse.dfy --------------------
+
+Dafny program verifier finished with 1 verified, 0 errors
+
+-------------------- ListContents.dfy --------------------
+
+Dafny program verifier finished with 5 verified, 0 errors
+
+-------------------- SchorrWaite.dfy --------------------
+
+Dafny program verifier finished with 4 verified, 0 errors
+
+-------------------- Termination.dfy --------------------
+
+Dafny program verifier finished with 5 verified, 0 errors
+
+-------------------- Use.dfy --------------------
+Use.dfy(12,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ (0,0): anon0
+Use.dfy(25,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ (0,0): anon0
+Use.dfy(50,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ (0,0): anon0
+
+Dafny program verifier finished with 6 verified, 3 errors
+
+-------------------- DTypes.dfy --------------------
+DTypes.dfy(15,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ (0,0): anon0
+DTypes.dfy(28,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ (0,0): anon0
+DTypes.dfy(54,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ (0,0): anon0
+
+Dafny program verifier finished with 5 verified, 3 errors
+
+-------------------- TypeParameters.dfy --------------------
+
+Dafny program verifier finished with 3 verified, 0 errors
diff --git a/Test/dafny0/Queue.dfy b/Test/dafny0/Queue.dfy
new file mode 100644
index 00000000..ab83a75d
--- /dev/null
+++ b/Test/dafny0/Queue.dfy
@@ -0,0 +1,205 @@
+// Queue.dfy
+// Dafny version of Queue.bpl
+// Rustan Leino, 2008
+
+class Queue<T> {
+ var head: Node<T>;
+ var tail: Node<T>;
+
+ var contents: seq<T>;
+ var footprint: set<object>;
+ var spine: set<Node<T>>;
+
+ function Valid(): bool
+ reads this, footprint;
+ {
+ this in footprint && spine <= footprint &&
+ head != null && head in spine &&
+ tail != null && tail in spine &&
+ tail.next == null &&
+ (forall n :: // { n in spine }
+ n in spine ==>
+ n != null && n.Valid() &&
+ n.footprint <= footprint &&
+ (n.next == null ==> n == tail)) &&
+ (forall n :: // { n.next }
+ n in spine ==>
+ n.next != null ==> n.next in spine) &&
+ contents == head.tailContents
+ }
+
+ method Init()
+ modifies this;
+ ensures Valid() && fresh(footprint - {this});
+ ensures |contents| == 0;
+ {
+ var n := new Node<T>;
+ call n.Init();
+ head := n;
+ tail := n;
+ contents := n.tailContents;
+ footprint := {this} + n.footprint;
+ spine := {n};
+ }
+
+ method Rotate()
+ requires Valid();
+ requires 0 < |contents|;
+ modifies footprint;
+ ensures Valid() && fresh(footprint - old(footprint));
+ ensures contents == old(contents)[1..] + old(contents)[..1];
+ {
+ var t: T;
+ call t := Front();
+ call Dequeue();
+ call Enqueue(t);
+ }
+
+ method RotateAny()
+ requires Valid();
+ requires 0 < |contents|;
+ modifies footprint;
+ ensures Valid() && fresh(footprint - old(footprint));
+ ensures (exists i :: 0 <= i && i <= |contents| &&
+ contents == old(contents)[i..] + old(contents)[..i]);
+ {
+ var t: T;
+ call t := Front();
+ call Dequeue();
+ call Enqueue(t);
+ }
+
+ method IsEmpty() returns (isEmpty: bool)
+ requires Valid();
+ ensures isEmpty <==> |contents| == 0;
+ {
+ isEmpty := head == tail;
+ }
+
+ method Enqueue(t: T)
+ requires Valid();
+ modifies footprint;
+ ensures Valid() && fresh(footprint - old(footprint));
+ ensures contents == old(contents) + [t];
+ {
+ var n := new Node<T>;
+ call n.Init(); n.data := t;
+ tail.next := n;
+ tail := n;
+
+ foreach (m in spine) {
+ m.tailContents := m.tailContents + [t];
+ }
+ contents := head.tailContents;
+
+ foreach (m in spine) {
+ m.footprint := m.footprint + n.footprint;
+ }
+ footprint := footprint + n.footprint;
+
+ spine := spine + {n};
+ }
+
+ method Front() returns (t: T)
+ requires Valid();
+ requires 0 < |contents|;
+ ensures t == contents[0];
+ {
+ t := head.next.data;
+ }
+
+ method Dequeue()
+ requires Valid();
+ requires 0 < |contents|;
+ modifies footprint;
+ ensures Valid() && fresh(footprint - old(footprint));
+ ensures contents == old(contents)[1..];
+ {
+ var n := head.next;
+ head := n;
+ contents := n.tailContents;
+ }
+}
+
+class Node<T> {
+ var data: T;
+ var next: Node<T>;
+
+ var tailContents: seq<T>;
+ var footprint: set<object>;
+
+ function Valid(): bool
+ reads this, footprint;
+ {
+ this in footprint &&
+ (next != null ==> next in footprint && next.footprint <= footprint) &&
+ (next == null ==> tailContents == []) &&
+ (next != null ==> tailContents == [next.data] + next.tailContents)
+ }
+
+ method Init()
+ modifies this;
+ ensures Valid() && fresh(footprint - {this});
+ ensures next == null;
+ {
+ next := null;
+ tailContents := [];
+ footprint := {this};
+ }
+}
+
+class Main<U> {
+ method A<T>(t: T, u: T, v: T)
+ {
+ var q0 := new Queue<T>;
+ call q0.Init();
+ var q1 := new Queue<T>;
+ call q1.Init();
+
+ call q0.Enqueue(t);
+ call q0.Enqueue(u);
+
+ call q1.Enqueue(v);
+
+ assert |q0.contents| == 2;
+
+ var w;
+ call w := q0.Front();
+ assert w == t;
+ call q0.Dequeue();
+
+ call w := q0.Front();
+ assert w == u;
+
+ assert |q0.contents| == 1;
+ assert |q1.contents| == 1;
+ }
+
+ method Main2(t: U, u: U, v: U, q0: Queue<U>, q1: Queue<U>)
+ requires q0 != null && q0.Valid();
+ requires q1 != null && q1.Valid();
+ requires q0.footprint !! q1.footprint;
+ requires |q0.contents| == 0;
+ modifies q0.footprint, q1.footprint;
+ ensures fresh(q0.footprint - old(q0.footprint));
+ ensures fresh(q1.footprint - old(q1.footprint));
+ {
+ call q0.Enqueue(t);
+ call q0.Enqueue(u);
+
+ call q1.Enqueue(v);
+
+ assert |q0.contents| == 2;
+
+ var w;
+ call w := q0.Front();
+ assert w == t;
+ call q0.Dequeue();
+
+ call w := q0.Front();
+ assert w == u;
+
+ assert |q0.contents| == 1;
+ assert |q1.contents| == old(|q1.contents|) + 1;
+ }
+}
diff --git a/Test/dafny0/SchorrWaite.dfy b/Test/dafny0/SchorrWaite.dfy
new file mode 100644
index 00000000..db5928f4
--- /dev/null
+++ b/Test/dafny0/SchorrWaite.dfy
@@ -0,0 +1,229 @@
+// Rustan Leino
+// 7 November 2008
+// Schorr-Waite and other marking algorithms, written and verified in Dafny.
+// Copyright (c) 2008, Microsoft.
+
+class Node {
+ var marked: bool;
+ var childrenVisited: int;
+ var children: seq<Node>;
+}
+
+class Main {
+ method RecursiveMark(root: Node, S: set<Node>)
+ requires root in S;
+ // S is closed under 'children':
+ requires (forall n :: n in S ==> n != null &&
+ (forall ch :: ch in n.children ==> ch == null || ch in S));
+ requires (forall n :: n in S ==> ! n.marked && n.childrenVisited == 0);
+ modifies S;
+ ensures root.marked;
+ // nodes reachable from 'root' are marked:
+ ensures (forall n :: n in S && n.marked ==>
+ (forall ch :: ch in n.children && ch != null ==> ch in S && ch.marked));
+ ensures (forall n :: n in S ==>
+ n.childrenVisited == old(n.childrenVisited) &&
+ n.children == old(n.children));
+ {
+ call RecursiveMarkWorker(root, S, {});
+ }
+
+ method RecursiveMarkWorker(root: Node, S: set<Node>, stackNodes: set<Node>)
+ requires root != null && root in S;
+ requires (forall n :: n in S ==> n != null &&
+ (forall ch :: ch in n.children ==> ch == null || ch in S));
+ requires (forall n :: n in S && n.marked ==>
+ n in stackNodes ||
+ (forall ch :: ch in n.children && ch != null ==> ch in S && ch.marked));
+ modifies S;
+ ensures root.marked;
+ // nodes reachable from 'root' are marked:
+ ensures (forall n :: n in S && n.marked ==>
+ n in stackNodes ||
+ (forall ch :: ch in n.children && ch != null ==> ch in S && ch.marked));
+ ensures (forall n: Node :: old(n.marked) ==> n.marked);
+ ensures (forall n :: n in S ==>
+ n.childrenVisited == old(n.childrenVisited) &&
+ n.children == old(n.children));
+ {
+ if (! root.marked) {
+ root.marked := true;
+ var i := 0;
+ while (i < |root.children|)
+ invariant root.marked && i <= |root.children|;
+ invariant (forall n :: n in S && n.marked ==>
+ n == root ||
+ n in stackNodes ||
+ (forall ch :: ch in n.children && ch != null ==> ch in S && ch.marked));
+ invariant (forall j :: 0 <= j && j < i ==>
+ root.children[j] == null || root.children[j].marked);
+ invariant (forall n: Node :: old(n.marked) ==> n.marked);
+ invariant (forall n :: n in S ==>
+ n.childrenVisited == old(n.childrenVisited) &&
+ n.children == old(n.children));
+ {
+ var c := root.children[i];
+ if (c != null) {
+ call RecursiveMarkWorker(c, S, stackNodes + {root});
+ }
+ }
+ }
+ }
+
+ // ---------------------------------------------------------------------------------
+
+ method IterativeMark(root: Node, S: set<Node>)
+ requires root in S;
+ // S is closed under 'children':
+ requires (forall n :: n in S ==> n != null &&
+ (forall ch :: ch in n.children ==> ch == null || ch in S));
+ requires (forall n :: n in S ==> ! n.marked && n.childrenVisited == 0);
+ modifies S;
+ ensures root.marked;
+ // nodes reachable from 'root' are marked:
+ ensures (forall n :: n in S && n.marked ==>
+ (forall ch :: ch in n.children && ch != null ==> ch in S && ch.marked));
+ ensures (forall n :: n in S ==>
+ n.childrenVisited == old(n.childrenVisited) &&
+ n.children == old(n.children));
+ {
+ var t := root;
+ t.marked := true;
+ var stackNodes := [];
+ var unmarkedNodes := S - {t}; // used as ghost variable
+ while (true)
+ invariant root.marked && t in S && !(t in stackNodes);
+ // stackNodes has no duplicates:
+ invariant (forall i, j :: 0 <= i && i < j && j < |stackNodes| ==>
+ stackNodes[i] != stackNodes[j]);
+ invariant (forall n :: n in stackNodes ==> n in S);
+ invariant (forall n :: n in stackNodes || n == t ==>
+ n.marked &&
+ 0 <= n.childrenVisited && n.childrenVisited <= |n.children| &&
+ (forall j :: 0 <= j && j < n.childrenVisited ==>
+ n.children[j] == null || n.children[j].marked));
+ invariant (forall n :: n in stackNodes ==> n.childrenVisited < |n.children|);
+ // nodes on the stack are linked:
+ invariant (forall j :: 0 <= j && j+1 < |stackNodes| ==>
+ stackNodes[j].children[stackNodes[j].childrenVisited] == stackNodes[j+1]);
+ invariant 0 < |stackNodes| ==>
+ stackNodes[|stackNodes|-1].children[stackNodes[|stackNodes|-1].childrenVisited] == t;
+ invariant (forall n :: n in S && n.marked && !(n in stackNodes) && n != t ==>
+ (forall ch :: ch in n.children && ch != null ==> ch in S && ch.marked));
+ invariant (forall n :: n in S && !(n in stackNodes) && n != t ==>
+ n.childrenVisited == old(n.childrenVisited));
+ invariant (forall n: Node :: n.children == old(n.children));
+ invariant (forall n :: n in S && !n.marked ==> n in unmarkedNodes);
+ decreases unmarkedNodes, stackNodes, |t.children| - t.childrenVisited;
+ {
+ if (t.childrenVisited == |t.children|) {
+ // pop
+ t.childrenVisited := 0;
+ if (|stackNodes| == 0) {
+ return;
+ }
+ t := stackNodes[|stackNodes| - 1];
+ stackNodes := stackNodes[..|stackNodes| - 1];
+ t.childrenVisited := t.childrenVisited + 1;
+ } else if (t.children[t.childrenVisited] == null || t.children[t.childrenVisited].marked) {
+ // just advance to next child
+ t.childrenVisited := t.childrenVisited + 1;
+ } else {
+ // push
+ stackNodes := stackNodes + [t];
+ t := t.children[t.childrenVisited];
+ t.marked := true;
+ unmarkedNodes := unmarkedNodes - {t};
+ }
+ }
+ }
+
+ // ---------------------------------------------------------------------------------
+
+ method SchorrWaite(root: Node, S: set<Node>)
+ requires root in S;
+ // S is closed under 'children':
+ requires (forall n :: n in S ==> n != null &&
+ (forall ch :: ch in n.children ==> ch == null || ch in S));
+ requires (forall n :: n in S ==> ! n.marked && n.childrenVisited == 0);
+ modifies S;
+ ensures root.marked;
+ // nodes reachable from 'root' are marked:
+ ensures (forall n :: n in S && n.marked ==>
+ (forall ch :: ch in n.children && ch != null ==> ch in S && ch.marked));
+ ensures (forall n :: n in S ==>
+ n.childrenVisited == old(n.childrenVisited) &&
+ n.children == old(n.children));
+ {
+ var t := root;
+ var p: Node := null; // parent of t in original graph
+ t.marked := true;
+ var stackNodes := []; // used as ghost variable
+ var unmarkedNodes := S - {t}; // used as ghost variable
+ while (true)
+ invariant root.marked && t != null && t in S && !(t in stackNodes);
+ invariant |stackNodes| == 0 <==> p == null;
+ invariant 0 < |stackNodes| ==> p == stackNodes[|stackNodes|-1];
+ // stackNodes has no duplicates:
+ invariant (forall i, j :: 0 <= i && i < j && j < |stackNodes| ==>
+ stackNodes[i] != stackNodes[j]);
+ invariant (forall n :: n in stackNodes ==> n in S);
+ invariant (forall n :: n in stackNodes || n == t ==>
+ n.marked &&
+ 0 <= n.childrenVisited && n.childrenVisited <= |n.children| &&
+ (forall j :: 0 <= j && j < n.childrenVisited ==>
+ n.children[j] == null || n.children[j].marked));
+ invariant (forall n :: n in stackNodes ==> n.childrenVisited < |n.children|);
+ invariant (forall n :: n in S && n.marked && !(n in stackNodes) && n != t ==>
+ (forall ch :: ch in n.children && ch != null ==> ch in S && ch.marked));
+ invariant (forall n :: n in S && !(n in stackNodes) && n != t ==>
+ n.childrenVisited == old(n.childrenVisited));
+ invariant (forall n :: n in stackNodes || n.children == old(n.children));
+ invariant (forall n :: n in stackNodes ==>
+ |n.children| == old(|n.children|) &&
+ (forall j :: 0 <= j && j < |n.children| ==>
+ j == n.childrenVisited || n.children[j] == old(n.children[j])));
+ // the current values of m.children[m.childrenVisited] for m's on the stack:
+ invariant 0 < |stackNodes| ==> stackNodes[0].children[stackNodes[0].childrenVisited] == null;
+ invariant (forall k :: 0 < k && k < |stackNodes| ==>
+ stackNodes[k].children[stackNodes[k].childrenVisited] == stackNodes[k-1]);
+ // the original values of m.children[m.childrenVisited] for m's on the stack:
+ invariant (forall k :: 0 <= k && k+1 < |stackNodes| ==>
+ old(stackNodes[k].children)[stackNodes[k].childrenVisited] == stackNodes[k+1]);
+ invariant 0 < |stackNodes| ==>
+ old(stackNodes[|stackNodes|-1].children)[stackNodes[|stackNodes|-1].childrenVisited] == t;
+ invariant (forall n :: n in S && !n.marked ==> n in unmarkedNodes);
+ decreases unmarkedNodes, stackNodes, |t.children| - t.childrenVisited;
+ {
+ if (t.childrenVisited == |t.children|) {
+ // pop
+ t.childrenVisited := 0;
+ if (p == null) {
+ return;
+ }
+ var oldP := p.children[p.childrenVisited];
+ // p.children[p.childrenVisited] := t;
+ p.children := p.children[..p.childrenVisited] + [t] + p.children[p.childrenVisited + 1..];
+ t := p;
+ p := oldP;
+ stackNodes := stackNodes[..|stackNodes| - 1];
+ t.childrenVisited := t.childrenVisited + 1;
+
+ } else if (t.children[t.childrenVisited] == null || t.children[t.childrenVisited].marked) {
+ // just advance to next child
+ t.childrenVisited := t.childrenVisited + 1;
+ } else {
+ // push
+
+ var newT := t.children[t.childrenVisited];
+ // t.children[t.childrenVisited] := p;
+ t.children := t.children[..t.childrenVisited] + [p] + t.children[t.childrenVisited + 1..];
+ p := t;
+ stackNodes := stackNodes + [t];
+ t := newT;
+ t.marked := true;
+ unmarkedNodes := unmarkedNodes - {t};
+ }
+ }
+ }
+}
diff --git a/Test/dafny0/Simple.dfy b/Test/dafny0/Simple.dfy
new file mode 100644
index 00000000..9f89543c
--- /dev/null
+++ b/Test/dafny0/Simple.dfy
@@ -0,0 +1,29 @@
+// My first Dafny program
+// Rustan Leino, 27 January 2008
+
+class MyClass<T,U> {
+ var x: int;
+
+ method M(s: bool, lotsaObjects: set<object>) returns (t: object, u: set<int>, v: seq<MyClass<bool,U>>)
+ requires s;
+ modifies this, lotsaObjects;
+ ensures t == t;
+ ensures old(null) != this;
+ {
+ x := 12;
+ while (x < 100)
+ invariant x <= 100;
+ {
+ x := x + 17;
+ if (x % 20 == 3) {
+ x := this.x + 1;
+ } else {
+ this.x := x + 0;
+ }
+ call t, u, v := M(true, lotsaObjects);
+ var to: MyClass<T,U>;
+ call to, u, v := this.M(true, lotsaObjects);
+ call to, u, v := to.M(true, lotsaObjects);
+ }
+ }
+}
diff --git a/Test/dafny0/SmallTests.dfy b/Test/dafny0/SmallTests.dfy
new file mode 100644
index 00000000..a2cfc741
--- /dev/null
+++ b/Test/dafny0/SmallTests.dfy
@@ -0,0 +1,26 @@
+class Node {
+ var next: Node;
+
+ function IsList(r: set<Node>): bool
+ reads this, r;
+ {
+ next != null ==> next.IsList(r - {this})
+ }
+
+ method Test(n: Node, nodes: set<Node>)
+ {
+ assume nodes == nodes - {n};
+ // the next line needs the Set extensionality axiom, the antecedent of
+ // which is supplied by the previous line
+ assert IsList(nodes) == IsList(nodes - {n});
+ }
+
+ method Create()
+ modifies this;
+ {
+ next := null;
+ var tmp: Node;
+ tmp := new Node;
+ assert tmp != this; // was once a bug in the Dafny checker
+ }
+}
diff --git a/Test/dafny0/Termination.dfy b/Test/dafny0/Termination.dfy
new file mode 100644
index 00000000..43fe63df
--- /dev/null
+++ b/Test/dafny0/Termination.dfy
@@ -0,0 +1,80 @@
+class Termination {
+ method A(N: int)
+ requires 0 <= N;
+ {
+ var i := 0;
+ while (i < N)
+ invariant i <= N;
+ decreases N - i;
+ {
+ i := i + 1;
+ }
+ }
+
+ method B(N: int)
+ requires 0 <= N;
+ {
+ var i := N;
+ while (true)
+ invariant 0 <= i;
+ decreases i;
+ {
+ i := i - 1;
+ if (!(0 <= i)) {
+ break;
+ }
+ }
+ assert i == -1;
+ }
+
+ method Lex() {
+ var x: int, y: int;
+ call x := Update();
+ call y := Update();
+ while (!(x == 0 && y == 0))
+ invariant 0 <= x && 0 <= y;
+ decreases x, y;
+ {
+ if (0 < y) {
+ y := y - 1;
+ } else {
+ x := x - 1;
+ call y := Update();
+ }
+ }
+ }
+
+ method Update() returns (r: int)
+ ensures 0 <= r;
+ {
+ r := 8;
+ }
+
+ method M() {
+ var b := true;
+ var i := 500;
+ var r := new Termination;
+ var s := {12, 200};
+ var q := [5, 8, 13];
+ while (true)
+ decreases b, i, r;
+// invariant b ==> 0 <= i;
+ decreases s, q;
+ {
+ if (12 in s) {
+ s := s - {12};
+ } else if (b) {
+ b := !b;
+ i := i + 1;
+ } else if (20 <= i) {
+ i := i - 20;
+ } else if (r != null) {
+ r := null;
+ } else if (|q| != 0) {
+ q := q[1..];
+ } else {
+ break;
+ }
+ }
+ }
+}
diff --git a/Test/dafny0/TypeParameters.dfy b/Test/dafny0/TypeParameters.dfy
new file mode 100644
index 00000000..a5764be5
--- /dev/null
+++ b/Test/dafny0/TypeParameters.dfy
@@ -0,0 +1,22 @@
+class C<U> {
+ method M<T>(x: T, u: U) returns (y: T)
+ ensures x == y && u == u;
+ {
+ y := x;
+ }
+
+ function F<X>(x: X, u: U): bool
+ {
+ x == x && u == u
+ }
+
+ method Main(u: U)
+ {
+ var t := F(3,u) && F(this,u);
+ var kz;
+ call kz := M(t,u);
+ assert kz && (G() || !G());
+ }
+
+ function G<Y>(): Y;
+}
diff --git a/Test/dafny0/Use.dfy b/Test/dafny0/Use.dfy
new file mode 100644
index 00000000..1d2d264f
--- /dev/null
+++ b/Test/dafny0/Use.dfy
@@ -0,0 +1,70 @@
+class T {
+ var x: int;
+
+ function use F(y: int): int {
+ 2*y
+ }
+
+ method M(s: set<T>) {
+ use F(4);
+ use F(5);
+ assert F(5) == 10;
+ assert F(7) == 14; // error (definition not engaged)
+ }
+
+ function use G(y: int): bool {
+ 0 <= y
+ }
+
+ method N(s: set<T>) {
+ use G(4);
+ use G(5);
+ use G(-5);
+ assert G(5);
+ assert !G(-5);
+ assert G(7); // error (definition not engaged)
+ }
+
+ function use H(): int
+ reads this;
+ {
+ x
+ }
+
+ method Q0()
+ modifies this;
+ {
+ var t := x;
+ use H();
+ assert H() == t;
+
+ x := x + 1;
+ assert old(H()) == t;
+ }
+
+ method Q1()
+ modifies this;
+ {
+ x := x + 1;
+ use H();
+ assert H() == old(H()) + 1; // error: does not know what old(H()) is
+ }
+
+ method Q2()
+ modifies this;
+ {
+ use H();
+ x := x + 1;
+ use H();
+ assert H() == old(H()) + 1;
+ }
+
+ method Q3()
+ modifies this;
+ {
+ x := x + 1;
+ use H();
+ use old(H());
+ assert H() == old(H()) + 1;
+ }
+}
diff --git a/Test/dafny0/runtest.bat b/Test/dafny0/runtest.bat
new file mode 100644
index 00000000..a6cfa2c0
--- /dev/null
+++ b/Test/dafny0/runtest.bat
@@ -0,0 +1,27 @@
+@echo off
+setlocal
+
+set BOOGIEDIR=..\..\Binaries
+set DAFNY_EXE=%BOOGIEDIR%\Dafny.exe
+set BPLEXE=%BOOGIEDIR%\Boogie.exe
+
+for %%f in (Simple.dfy) do (
+ echo.
+ echo -------------------- %%f --------------------
+ %DAFNY_EXE% %* /dprint:- /env:0 /noVerify %%f
+)
+
+for %%f in (BQueue.bpl) do (
+ echo.
+ echo -------------------- %%f --------------------
+ %BPLEXE% %* %%f
+)
+
+for %%f in (SmallTests.dfy Queue.dfy ListCopy.dfy
+ BinaryTree.dfy ListReverse.dfy ListContents.dfy
+ SchorrWaite.dfy Termination.dfy Use.dfy DTypes.dfy
+ TypeParameters.dfy) do (
+ echo.
+ echo -------------------- %%f --------------------
+ %DAFNY_EXE% %* %%f
+)
diff --git a/Test/filter.pl b/Test/filter.pl
new file mode 100644
index 00000000..c95a7e4f
--- /dev/null
+++ b/Test/filter.pl
@@ -0,0 +1,38 @@
+$numargs = $#ARGV + 1;
+
+($numargs == 2) || die "usage: filter.pl input-log output-log\n";
+
+$input = $ARGV[0];
+$output = $ARGV[1];
+
+open(IN, "<$input") || die "can't open $input";
+open(OUT, ">$output") || die "can't open $output";
+
+my @array = ();
+
+while (<IN>) {
+ s/^\s*.:.*\\//;
+ s/^Microsoft .*//;
+ s/^for Microsoft \(R\) .NET.*//;
+ s/^Copyright \(C\).*//;
+ if ($_ !~ m/^\s*$/) # don't write out blank lines
+ {
+ push(@array, ($_));
+ }
+}
+
+#
+# if we want to compare only sorted output uncomment this
+#@sorted = sort(@array);
+@sorted = @array;
+
+
+# eliminate duplicates in the output
+$last = "";
+foreach (@sorted)
+{
+ if ($_ ne $last) {
+ print(OUT $_);
+ $last = $_;
+ }
+}
diff --git a/Test/havoc0/Answer b/Test/havoc0/Answer
new file mode 100644
index 00000000..80fd4aa3
--- /dev/null
+++ b/Test/havoc0/Answer
@@ -0,0 +1,12 @@
+
+Boogie program verifier finished with 1 verified, 0 errors
+
+Boogie program verifier finished with 1 verified, 0 errors
+
+Boogie program verifier finished with 1 verified, 0 errors
+
+Boogie program verifier finished with 1 verified, 0 errors
+
+Boogie program verifier finished with 1 verified, 0 errors
+
+Boogie program verifier finished with 1 verified, 0 errors
diff --git a/Test/havoc0/KbdCreateClassObject.bpl b/Test/havoc0/KbdCreateClassObject.bpl
new file mode 100644
index 00000000..a7f6e9c2
--- /dev/null
+++ b/Test/havoc0/KbdCreateClassObject.bpl
@@ -0,0 +1,5155 @@
+type byte, name;
+function OneByteToInt(byte) returns (int);
+function TwoBytesToInt(byte, byte) returns (int);
+function FourBytesToInt(byte, byte, byte, byte) returns (int);
+axiom(forall b0:byte, c0:byte :: {OneByteToInt(b0), OneByteToInt(c0)} OneByteToInt(b0) == OneByteToInt(c0) ==> b0 == c0);
+axiom(forall b0:byte, b1: byte, c0:byte, c1:byte :: {TwoBytesToInt(b0, b1), TwoBytesToInt(c0, c1)} TwoBytesToInt(b0, b1) == TwoBytesToInt(c0, c1) ==> b0 == c0 && b1 == c1);
+axiom(forall b0:byte, b1: byte, b2:byte, b3:byte, c0:byte, c1:byte, c2:byte, c3:byte :: {FourBytesToInt(b0, b1, b2, b3), FourBytesToInt(c0, c1, c2, c3)} FourBytesToInt(b0, b1, b2, b3) == FourBytesToInt(c0, c1, c2, c3) ==> b0 == c0 && b1 == c1 && b2 == c2 && b3 == c3);
+
+// Mutable
+var Mem_BYTE:[int]byte;
+var alloc:[int]name;
+
+
+function Field(int) returns (name);
+function Base(int) returns (int);
+
+// Constants
+const unique UNALLOCATED:name;
+const unique ALLOCATED: name;
+const unique FREED:name;
+
+const unique BYTE:name;
+
+function Equal([int]bool, [int]bool) returns (bool);
+function Subset([int]bool, [int]bool) returns (bool);
+function Disjoint([int]bool, [int]bool) returns (bool);
+
+function Empty() returns ([int]bool);
+function SetTrue() returns ([int]bool);
+function Singleton(int) returns ([int]bool);
+function Reachable([int,int]bool, int) returns ([int]bool);
+function Union([int]bool, [int]bool) returns ([int]bool);
+function Intersection([int]bool, [int]bool) returns ([int]bool);
+function Difference([int]bool, [int]bool) returns ([int]bool);
+function Dereference([int]bool, [int]int) returns ([int]bool);
+function Inverse(f:[int]int, x:int) returns ([int]bool);
+
+function AtLeast(int, int) returns ([int]bool);
+function Rep(int, int) returns (int);
+axiom(forall n:int, x:int, y:int :: {AtLeast(n,x)[y]} AtLeast(n,x)[y] ==> x <= y && Rep(n,x) == Rep(n,y));
+axiom(forall n:int, x:int, y:int :: {AtLeast(n,x),Rep(n,x),Rep(n,y)} x <= y && Rep(n,x) == Rep(n,y) ==> AtLeast(n,x)[y]);
+axiom(forall n:int, x:int :: {AtLeast(n,x)} AtLeast(n,x)[x]);
+axiom(forall n:int, x:int, z:int :: {PLUS(x,n,z)} Rep(n,x) == Rep(n,PLUS(x,n,z)));
+axiom(forall n:int, x:int :: {Rep(n,x)} (exists k:int :: Rep(n,x) - x == n*k));
+
+/*
+function AtLeast(int, int) returns ([int]bool);
+function ModEqual(int, int, int) returns (bool);
+axiom(forall n:int, x:int :: ModEqual(n,x,x));
+axiom(forall n:int, x:int, y:int :: {ModEqual(n,x,y)} ModEqual(n,x,y) ==> ModEqual(n,y,x));
+axiom(forall n:int, x:int, y:int, z:int :: {ModEqual(n,x,y), ModEqual(n,y,z)} ModEqual(n,x,y) && ModEqual(n,y,z) ==> ModEqual(n,x,z));
+axiom(forall n:int, x:int, z:int :: {PLUS(x,n,z)} ModEqual(n,x,PLUS(x,n,z)));
+axiom(forall n:int, x:int, y:int :: {ModEqual(n,x,y)} ModEqual(n,x,y) ==> (exists k:int :: x - y == n*k));
+axiom(forall x:int, n:int, y:int :: {AtLeast(n,x)[y]}{ModEqual(n,x,y)} AtLeast(n,x)[y] <==> x <= y && ModEqual(n,x,y));
+axiom(forall x:int, n:int :: {AtLeast(n,x)} AtLeast(n,x)[x]);
+*/
+
+function Array(int, int, int) returns ([int]bool);
+axiom(forall x:int, n:int, z:int :: {Array(x,n,z)} z <= 0 ==> Equal(Array(x,n,z), Empty()));
+axiom(forall x:int, n:int, z:int :: {Array(x,n,z)} z > 0 ==> Equal(Array(x,n,z), Difference(AtLeast(n,x),AtLeast(n,PLUS(x,n,z)))));
+
+
+axiom(forall x:int :: !Empty()[x]);
+
+axiom(forall x:int :: SetTrue()[x]);
+
+axiom(forall x:int, y:int :: {Singleton(y)[x]} Singleton(y)[x] <==> x == y);
+axiom(forall y:int :: {Singleton(y)} Singleton(y)[y]);
+
+/* this formulation of Union IS more complete than the earlier one */
+/* (A U B)[e], A[d], A U B = Singleton(c), d != e */
+axiom(forall x:int, S:[int]bool, T:[int]bool :: {Union(S,T)[x]}{Union(S,T),S[x]}{Union(S,T),T[x]} Union(S,T)[x] <==> S[x] || T[x]);
+axiom(forall x:int, S:[int]bool, T:[int]bool :: {Intersection(S,T)[x]}{Intersection(S,T),S[x]}{Intersection(S,T),T[x]} Intersection(S,T)[x] <==> S[x] && T[x]);
+axiom(forall x:int, S:[int]bool, T:[int]bool :: {Difference(S,T)[x]}{Difference(S,T),S[x]}{Difference(S,T),T[x]} Difference(S,T)[x] <==> S[x] && !T[x]);
+
+axiom(forall S:[int]bool, T:[int]bool :: {Equal(S,T)} Equal(S,T) <==> Subset(S,T) && Subset(T,S));
+axiom(forall x:int, S:[int]bool, T:[int]bool :: {S[x],Subset(S,T)}{T[x],Subset(S,T)} S[x] && Subset(S,T) ==> T[x]);
+axiom(forall S:[int]bool, T:[int]bool :: {Subset(S,T)} Subset(S,T) || (exists x:int :: S[x] && !T[x]));
+axiom(forall x:int, S:[int]bool, T:[int]bool :: {S[x],Disjoint(S,T)}{T[x],Disjoint(S,T)} !(S[x] && Disjoint(S,T) && T[x]));
+axiom(forall S:[int]bool, T:[int]bool :: {Disjoint(S,T)} Disjoint(S,T) || (exists x:int :: S[x] && T[x]));
+
+axiom(forall f:[int]int, x:int :: {Inverse(f,f[x])} Inverse(f,f[x])[x]);
+axiom(forall f:[int]int, x:int, y:int :: {Inverse(f,y), f[x]} Inverse(f,y)[x] ==> f[x] == y);
+axiom(forall f:[int]int, x:int, y:int :: {Inverse(f[x := y],y)} Equal(Inverse(f[x := y],y), Union(Inverse(f,y), Singleton(x))));
+axiom(forall f:[int]int, x:int, y:int, z:int :: {Inverse(f[x := y],z)} y == z || Equal(Inverse(f[x := y],z), Difference(Inverse(f,z), Singleton(x))));
+
+
+axiom(forall x:int, S:[int]bool, M:[int]int :: {Dereference(S,M)[x]} Dereference(S,M)[x] ==> (exists y:int :: x == M[y] && S[y]));
+axiom(forall x:int, S:[int]bool, M:[int]int :: {M[x], S[x], Dereference(S,M)} S[x] ==> Dereference(S,M)[M[x]]);
+axiom(forall x:int, y:int, S:[int]bool, M:[int]int :: {Dereference(S,M[x := y])} !S[x] ==> Equal(Dereference(S,M[x := y]), Dereference(S,M)));
+axiom(forall x:int, y:int, S:[int]bool, M:[int]int :: {Dereference(S,M[x := y])}
+ S[x] && Equal(Intersection(Inverse(M,M[x]), S), Singleton(x)) ==> Equal(Dereference(S,M[x := y]), Union(Difference(Dereference(S,M), Singleton(M[x])), Singleton(y))));
+axiom(forall x:int, y:int, S:[int]bool, M:[int]int :: {Dereference(S,M[x := y])}
+ S[x] && !Equal(Intersection(Inverse(M,M[x]), S), Singleton(x)) ==> Equal(Dereference(S,M[x := y]), Union(Dereference(S,M), Singleton(y))));
+
+function Unified([name][int]int) returns ([int]int);
+axiom(forall M:[name][int]int, x:int :: {Unified(M)[x]} Unified(M)[x] == M[Field(x)][x]);
+axiom(forall M:[name][int]int, x:int, y:int :: {Unified(M[Field(x) := M[Field(x)][x := y]])} Unified(M[Field(x) := M[Field(x)][x := y]]) == Unified(M)[x := y]);
+// Memory model
+
+var Mem: [name][int]int;
+
+function Match(a:int, t:name) returns (bool);
+function HasType(v:int, t:name, m:[name][int]int) returns (bool);
+function Values(t:name, m:[name][int]int) returns ([int]bool);
+function T.Ptr(t:name) returns (name);
+
+axiom(forall v:int, t:name, m:[name][int]int :: {Values(t, m)[v]} Values(t, m)[v] ==> HasType(v, t, m));
+axiom(forall v:int, t:name, m:[name][int]int :: {HasType(v, t, m), Values(t, m)} HasType(v, t, m) ==> Values(t, m)[v]);
+
+axiom(forall a:int, t:name :: {Match(a, T.Ptr(t))} Match(a, T.Ptr(t)) <==> Field(a) == T.Ptr(t));
+axiom(forall v:int, t:name, m:[name][int]int :: {HasType(v, T.Ptr(t), m)} HasType(v, T.Ptr(t), m) <==> (v == 0 || (v > 0 && Match(v, t))));
+
+axiom(forall v:int, t:name, m1:[name][int]int, m2:[name][int]int :: {HasType(v, t, m1), HasType(v, t, m2)}
+ (HasType(v, t, m1) <==> HasType(v, t, m2)));
+
+// Field declarations
+
+const unique T.Guid_WMIGUIDREGINFO:name;
+const unique T.InstanceCount_WMIGUIDREGINFO:name;
+const unique T.Flags_WMIGUIDREGINFO:name;
+const unique T.OperationID__ACCESS_STATE:name;
+const unique T.SecurityEvaluated__ACCESS_STATE:name;
+const unique T.GenerateAudit__ACCESS_STATE:name;
+const unique T.GenerateOnClose__ACCESS_STATE:name;
+const unique T.PrivilegesAllocated__ACCESS_STATE:name;
+const unique T.Flags__ACCESS_STATE:name;
+const unique T.RemainingDesiredAccess__ACCESS_STATE:name;
+const unique T.PreviouslyGrantedAccess__ACCESS_STATE:name;
+const unique T.OriginalDesiredAccess__ACCESS_STATE:name;
+const unique T.SubjectSecurityContext__ACCESS_STATE:name;
+const unique T.SecurityDescriptor__ACCESS_STATE:name;
+const unique T.AuxData__ACCESS_STATE:name;
+const unique T.Privileges__ACCESS_STATE:name;
+const unique T.AuditPrivileges__ACCESS_STATE:name;
+const unique T.ObjectName__ACCESS_STATE:name;
+const unique T.ObjectTypeName__ACCESS_STATE:name;
+const unique T.InterfaceType__CM_FULL_RESOURCE_DESCRIPTOR:name;
+const unique T.BusNumber__CM_FULL_RESOURCE_DESCRIPTOR:name;
+const unique T.PartialResourceList__CM_FULL_RESOURCE_DESCRIPTOR:name;
+const unique T.Type__CM_PARTIAL_RESOURCE_DESCRIPTOR:name;
+const unique T.ShareDisposition__CM_PARTIAL_RESOURCE_DESCRIPTOR:name;
+const unique T.Flags__CM_PARTIAL_RESOURCE_DESCRIPTOR:name;
+const unique T.u__CM_PARTIAL_RESOURCE_DESCRIPTOR:name;
+const unique T.Version__CM_PARTIAL_RESOURCE_LIST:name;
+const unique T.Revision__CM_PARTIAL_RESOURCE_LIST:name;
+const unique T.Count__CM_PARTIAL_RESOURCE_LIST:name;
+const unique T.PartialDescriptors__CM_PARTIAL_RESOURCE_LIST:name;
+const unique T.Count__CM_RESOURCE_LIST:name;
+const unique T.List__CM_RESOURCE_LIST:name;
+const unique T.Size__DEVICE_CAPABILITIES:name;
+const unique T.Version__DEVICE_CAPABILITIES:name;
+const unique T.DeviceD1__DEVICE_CAPABILITIES:name;
+const unique T.DeviceD2__DEVICE_CAPABILITIES:name;
+const unique T.LockSupported__DEVICE_CAPABILITIES:name;
+const unique T.EjectSupported__DEVICE_CAPABILITIES:name;
+const unique T.Removable__DEVICE_CAPABILITIES:name;
+const unique T.DockDevice__DEVICE_CAPABILITIES:name;
+const unique T.UniqueID__DEVICE_CAPABILITIES:name;
+const unique T.SilentInstall__DEVICE_CAPABILITIES:name;
+const unique T.RawDeviceOK__DEVICE_CAPABILITIES:name;
+const unique T.SurpriseRemovalOK__DEVICE_CAPABILITIES:name;
+const unique T.WakeFromD0__DEVICE_CAPABILITIES:name;
+const unique T.WakeFromD1__DEVICE_CAPABILITIES:name;
+const unique T.WakeFromD2__DEVICE_CAPABILITIES:name;
+const unique T.WakeFromD3__DEVICE_CAPABILITIES:name;
+const unique T.HardwareDisabled__DEVICE_CAPABILITIES:name;
+const unique T.NonDynamic__DEVICE_CAPABILITIES:name;
+const unique T.WarmEjectSupported__DEVICE_CAPABILITIES:name;
+const unique T.NoDisplayInUI__DEVICE_CAPABILITIES:name;
+const unique T.Reserved__DEVICE_CAPABILITIES:name;
+const unique T.Address__DEVICE_CAPABILITIES:name;
+const unique T.UINumber__DEVICE_CAPABILITIES:name;
+const unique T.DeviceState__DEVICE_CAPABILITIES:name;
+const unique T.SystemWake__DEVICE_CAPABILITIES:name;
+const unique T.DeviceWake__DEVICE_CAPABILITIES:name;
+const unique T.D1Latency__DEVICE_CAPABILITIES:name;
+const unique T.D2Latency__DEVICE_CAPABILITIES:name;
+const unique T.D3Latency__DEVICE_CAPABILITIES:name;
+const unique T.Self__DEVICE_EXTENSION:name;
+const unique T.TrueClassDevice__DEVICE_EXTENSION:name;
+const unique T.TopPort__DEVICE_EXTENSION:name;
+const unique T.PDO__DEVICE_EXTENSION:name;
+const unique T.RemoveLock__DEVICE_EXTENSION:name;
+const unique T.PnP__DEVICE_EXTENSION:name;
+const unique T.Started__DEVICE_EXTENSION:name;
+const unique T.AllowDisable__DEVICE_EXTENSION:name;
+const unique T.WaitWakeSpinLock__DEVICE_EXTENSION:name;
+const unique T.TrustedSubsystemCount__DEVICE_EXTENSION:name;
+const unique T.InputCount__DEVICE_EXTENSION:name;
+const unique T.SymbolicLinkName__DEVICE_EXTENSION:name;
+const unique T.InputData__DEVICE_EXTENSION:name;
+const unique T.DataIn__DEVICE_EXTENSION:name;
+const unique T.DataOut__DEVICE_EXTENSION:name;
+const unique T.KeyboardAttributes__DEVICE_EXTENSION:name;
+const unique T.IndicatorParameters__DEVICE_EXTENSION:name;
+const unique T.SpinLock__DEVICE_EXTENSION:name;
+const unique T.ReadQueue__DEVICE_EXTENSION:name;
+const unique T.SequenceNumber__DEVICE_EXTENSION:name;
+const unique T.DeviceState__DEVICE_EXTENSION:name;
+const unique T.SystemState__DEVICE_EXTENSION:name;
+const unique T.UnitId__DEVICE_EXTENSION:name;
+const unique T.WmiLibInfo__DEVICE_EXTENSION:name;
+const unique T.SystemToDeviceState__DEVICE_EXTENSION:name;
+const unique T.MinDeviceWakeState__DEVICE_EXTENSION:name;
+const unique T.MinSystemWakeState__DEVICE_EXTENSION:name;
+const unique T.WaitWakeIrp__DEVICE_EXTENSION:name;
+const unique T.ExtraWaitWakeIrp__DEVICE_EXTENSION:name;
+const unique T.TargetNotifyHandle__DEVICE_EXTENSION:name;
+const unique T.Link__DEVICE_EXTENSION:name;
+const unique T.File__DEVICE_EXTENSION:name;
+const unique T.Enabled__DEVICE_EXTENSION:name;
+const unique T.OkayToLogOverflow__DEVICE_EXTENSION:name;
+const unique T.WaitWakeEnabled__DEVICE_EXTENSION:name;
+const unique T.SurpriseRemoved__DEVICE_EXTENSION:name;
+const unique T.Type__DEVICE_OBJECT:name;
+const unique T.Size__DEVICE_OBJECT:name;
+const unique T.ReferenceCount__DEVICE_OBJECT:name;
+const unique T.DriverObject__DEVICE_OBJECT:name;
+const unique T.NextDevice__DEVICE_OBJECT:name;
+const unique T.AttachedDevice__DEVICE_OBJECT:name;
+const unique T.CurrentIrp__DEVICE_OBJECT:name;
+const unique T.Timer__DEVICE_OBJECT:name;
+const unique T.Flags__DEVICE_OBJECT:name;
+const unique T.Characteristics__DEVICE_OBJECT:name;
+const unique T.Vpb__DEVICE_OBJECT:name;
+const unique T.DeviceExtension__DEVICE_OBJECT:name;
+const unique T.DeviceType__DEVICE_OBJECT:name;
+const unique T.StackSize__DEVICE_OBJECT:name;
+const unique T.Queue__DEVICE_OBJECT:name;
+const unique T.AlignmentRequirement__DEVICE_OBJECT:name;
+const unique T.DeviceQueue__DEVICE_OBJECT:name;
+const unique T.Dpc__DEVICE_OBJECT:name;
+const unique T.ActiveThreadCount__DEVICE_OBJECT:name;
+const unique T.SecurityDescriptor__DEVICE_OBJECT:name;
+const unique T.DeviceLock__DEVICE_OBJECT:name;
+const unique T.SectorSize__DEVICE_OBJECT:name;
+const unique T.Spare1__DEVICE_OBJECT:name;
+const unique T.DeviceObjectExtension__DEVICE_OBJECT:name;
+const unique T.Reserved__DEVICE_OBJECT:name;
+const unique T.Type__DEVOBJ_EXTENSION:name;
+const unique T.Size__DEVOBJ_EXTENSION:name;
+const unique T.DeviceObject__DEVOBJ_EXTENSION:name;
+const unique T.__unnamed_4_a97c65a1__DISPATCHER_HEADER:name;
+const unique T.SignalState__DISPATCHER_HEADER:name;
+const unique T.WaitListHead__DISPATCHER_HEADER:name;
+const unique T.DriverObject__DRIVER_EXTENSION:name;
+const unique T.AddDevice__DRIVER_EXTENSION:name;
+const unique T.Count__DRIVER_EXTENSION:name;
+const unique T.ServiceKeyName__DRIVER_EXTENSION:name;
+const unique T.Type__DRIVER_OBJECT:name;
+const unique T.Size__DRIVER_OBJECT:name;
+const unique T.DeviceObject__DRIVER_OBJECT:name;
+const unique T.Flags__DRIVER_OBJECT:name;
+const unique T.DriverStart__DRIVER_OBJECT:name;
+const unique T.DriverSize__DRIVER_OBJECT:name;
+const unique T.DriverSection__DRIVER_OBJECT:name;
+const unique T.DriverExtension__DRIVER_OBJECT:name;
+const unique T.DriverName__DRIVER_OBJECT:name;
+const unique T.HardwareDatabase__DRIVER_OBJECT:name;
+const unique T.FastIoDispatch__DRIVER_OBJECT:name;
+const unique T.DriverInit__DRIVER_OBJECT:name;
+const unique T.DriverStartIo__DRIVER_OBJECT:name;
+const unique T.DriverUnload__DRIVER_OBJECT:name;
+const unique T.MajorFunction__DRIVER_OBJECT:name;
+const unique T.SystemResourcesList__ERESOURCE:name;
+const unique T.OwnerTable__ERESOURCE:name;
+const unique T.ActiveCount__ERESOURCE:name;
+const unique T.Flag__ERESOURCE:name;
+const unique T.SharedWaiters__ERESOURCE:name;
+const unique T.ExclusiveWaiters__ERESOURCE:name;
+const unique T.OwnerEntry__ERESOURCE:name;
+const unique T.ActiveEntries__ERESOURCE:name;
+const unique T.ContentionCount__ERESOURCE:name;
+const unique T.NumberOfSharedWaiters__ERESOURCE:name;
+const unique T.NumberOfExclusiveWaiters__ERESOURCE:name;
+const unique T.__unnamed_4_52c594f7__ERESOURCE:name;
+const unique T.SpinLock__ERESOURCE:name;
+const unique T.SizeOfFastIoDispatch__FAST_IO_DISPATCH:name;
+const unique T.FastIoCheckIfPossible__FAST_IO_DISPATCH:name;
+const unique T.FastIoRead__FAST_IO_DISPATCH:name;
+const unique T.FastIoWrite__FAST_IO_DISPATCH:name;
+const unique T.FastIoQueryBasicInfo__FAST_IO_DISPATCH:name;
+const unique T.FastIoQueryStandardInfo__FAST_IO_DISPATCH:name;
+const unique T.FastIoLock__FAST_IO_DISPATCH:name;
+const unique T.FastIoUnlockSingle__FAST_IO_DISPATCH:name;
+const unique T.FastIoUnlockAll__FAST_IO_DISPATCH:name;
+const unique T.FastIoUnlockAllByKey__FAST_IO_DISPATCH:name;
+const unique T.FastIoDeviceControl__FAST_IO_DISPATCH:name;
+const unique T.AcquireFileForNtCreateSection__FAST_IO_DISPATCH:name;
+const unique T.ReleaseFileForNtCreateSection__FAST_IO_DISPATCH:name;
+const unique T.FastIoDetachDevice__FAST_IO_DISPATCH:name;
+const unique T.FastIoQueryNetworkOpenInfo__FAST_IO_DISPATCH:name;
+const unique T.AcquireForModWrite__FAST_IO_DISPATCH:name;
+const unique T.MdlRead__FAST_IO_DISPATCH:name;
+const unique T.MdlReadComplete__FAST_IO_DISPATCH:name;
+const unique T.PrepareMdlWrite__FAST_IO_DISPATCH:name;
+const unique T.MdlWriteComplete__FAST_IO_DISPATCH:name;
+const unique T.FastIoReadCompressed__FAST_IO_DISPATCH:name;
+const unique T.FastIoWriteCompressed__FAST_IO_DISPATCH:name;
+const unique T.MdlReadCompleteCompressed__FAST_IO_DISPATCH:name;
+const unique T.MdlWriteCompleteCompressed__FAST_IO_DISPATCH:name;
+const unique T.FastIoQueryOpen__FAST_IO_DISPATCH:name;
+const unique T.ReleaseForModWrite__FAST_IO_DISPATCH:name;
+const unique T.AcquireForCcFlush__FAST_IO_DISPATCH:name;
+const unique T.ReleaseForCcFlush__FAST_IO_DISPATCH:name;
+const unique T.Count__FAST_MUTEX:name;
+const unique T.Owner__FAST_MUTEX:name;
+const unique T.Contention__FAST_MUTEX:name;
+const unique T.Gate__FAST_MUTEX:name;
+const unique T.OldIrql__FAST_MUTEX:name;
+const unique T.CreationTime__FILE_BASIC_INFORMATION:name;
+const unique T.LastAccessTime__FILE_BASIC_INFORMATION:name;
+const unique T.LastWriteTime__FILE_BASIC_INFORMATION:name;
+const unique T.ChangeTime__FILE_BASIC_INFORMATION:name;
+const unique T.FileAttributes__FILE_BASIC_INFORMATION:name;
+const unique T.CreationTime__FILE_NETWORK_OPEN_INFORMATION:name;
+const unique T.LastAccessTime__FILE_NETWORK_OPEN_INFORMATION:name;
+const unique T.LastWriteTime__FILE_NETWORK_OPEN_INFORMATION:name;
+const unique T.ChangeTime__FILE_NETWORK_OPEN_INFORMATION:name;
+const unique T.AllocationSize__FILE_NETWORK_OPEN_INFORMATION:name;
+const unique T.EndOfFile__FILE_NETWORK_OPEN_INFORMATION:name;
+const unique T.FileAttributes__FILE_NETWORK_OPEN_INFORMATION:name;
+const unique T.Type__FILE_OBJECT:name;
+const unique T.Size__FILE_OBJECT:name;
+const unique T.DeviceObject__FILE_OBJECT:name;
+const unique T.Vpb__FILE_OBJECT:name;
+const unique T.FsContext__FILE_OBJECT:name;
+const unique T.FsContext2__FILE_OBJECT:name;
+const unique T.SectionObjectPointer__FILE_OBJECT:name;
+const unique T.PrivateCacheMap__FILE_OBJECT:name;
+const unique T.FinalStatus__FILE_OBJECT:name;
+const unique T.RelatedFileObject__FILE_OBJECT:name;
+const unique T.LockOperation__FILE_OBJECT:name;
+const unique T.DeletePending__FILE_OBJECT:name;
+const unique T.ReadAccess__FILE_OBJECT:name;
+const unique T.WriteAccess__FILE_OBJECT:name;
+const unique T.DeleteAccess__FILE_OBJECT:name;
+const unique T.SharedRead__FILE_OBJECT:name;
+const unique T.SharedWrite__FILE_OBJECT:name;
+const unique T.SharedDelete__FILE_OBJECT:name;
+const unique T.Flags__FILE_OBJECT:name;
+const unique T.FileName__FILE_OBJECT:name;
+const unique T.CurrentByteOffset__FILE_OBJECT:name;
+const unique T.Waiters__FILE_OBJECT:name;
+const unique T.Busy__FILE_OBJECT:name;
+const unique T.LastLock__FILE_OBJECT:name;
+const unique T.Lock__FILE_OBJECT:name;
+const unique T.Event__FILE_OBJECT:name;
+const unique T.CompletionContext__FILE_OBJECT:name;
+const unique T.IrpListLock__FILE_OBJECT:name;
+const unique T.IrpList__FILE_OBJECT:name;
+const unique T.FileObjectExtension__FILE_OBJECT:name;
+const unique T.AllocationSize__FILE_STANDARD_INFORMATION:name;
+const unique T.EndOfFile__FILE_STANDARD_INFORMATION:name;
+const unique T.NumberOfLinks__FILE_STANDARD_INFORMATION:name;
+const unique T.DeletePending__FILE_STANDARD_INFORMATION:name;
+const unique T.Directory__FILE_STANDARD_INFORMATION:name;
+const unique T.Debug__GLOBALS:name;
+const unique T.GrandMaster__GLOBALS:name;
+const unique T.AssocClassList__GLOBALS:name;
+const unique T.NumAssocClass__GLOBALS:name;
+const unique T.Opens__GLOBALS:name;
+const unique T.NumberLegacyPorts__GLOBALS:name;
+const unique T.Mutex__GLOBALS:name;
+const unique T.ConnectOneClassToOnePort__GLOBALS:name;
+const unique T.SendOutputToAllPorts__GLOBALS:name;
+const unique T.PortsServiced__GLOBALS:name;
+const unique T.InitExtension__GLOBALS:name;
+const unique T.RegistryPath__GLOBALS:name;
+const unique T.BaseClassName__GLOBALS:name;
+const unique T.BaseClassBuffer__GLOBALS:name;
+const unique T.LegacyDeviceList__GLOBALS:name;
+const unique T.Data1__GUID:name;
+const unique T.Data2__GUID:name;
+const unique T.Data3__GUID:name;
+const unique T.Data4__GUID:name;
+const unique T.PrivilegeCount__INITIAL_PRIVILEGE_SET:name;
+const unique T.Control__INITIAL_PRIVILEGE_SET:name;
+const unique T.Privilege__INITIAL_PRIVILEGE_SET:name;
+const unique T.Size__INTERFACE:name;
+const unique T.Version__INTERFACE:name;
+const unique T.Context__INTERFACE:name;
+const unique T.InterfaceReference__INTERFACE:name;
+const unique T.InterfaceDereference__INTERFACE:name;
+const unique T.Port__IO_COMPLETION_CONTEXT:name;
+const unique T.Key__IO_COMPLETION_CONTEXT:name;
+const unique T.Common__IO_REMOVE_LOCK:name;
+const unique T.Dbg__IO_REMOVE_LOCK:name;
+const unique T.Removed__IO_REMOVE_LOCK_COMMON_BLOCK:name;
+const unique T.Reserved__IO_REMOVE_LOCK_COMMON_BLOCK:name;
+const unique T.IoCount__IO_REMOVE_LOCK_COMMON_BLOCK:name;
+const unique T.RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCK:name;
+const unique T.Signature__IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T.HighWatermark__IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T.MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T.AllocateTag__IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T.LockList__IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T.Spin__IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T.LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T.Reserved1__IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T.Reserved2__IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T.Blocks__IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T.Option__IO_RESOURCE_DESCRIPTOR:name;
+const unique T.Type__IO_RESOURCE_DESCRIPTOR:name;
+const unique T.ShareDisposition__IO_RESOURCE_DESCRIPTOR:name;
+const unique T.Spare1__IO_RESOURCE_DESCRIPTOR:name;
+const unique T.Flags__IO_RESOURCE_DESCRIPTOR:name;
+const unique T.Spare2__IO_RESOURCE_DESCRIPTOR:name;
+const unique T.u__IO_RESOURCE_DESCRIPTOR:name;
+const unique T.Version__IO_RESOURCE_LIST:name;
+const unique T.Revision__IO_RESOURCE_LIST:name;
+const unique T.Count__IO_RESOURCE_LIST:name;
+const unique T.Descriptors__IO_RESOURCE_LIST:name;
+const unique T.ListSize__IO_RESOURCE_REQUIREMENTS_LIST:name;
+const unique T.InterfaceType__IO_RESOURCE_REQUIREMENTS_LIST:name;
+const unique T.BusNumber__IO_RESOURCE_REQUIREMENTS_LIST:name;
+const unique T.SlotNumber__IO_RESOURCE_REQUIREMENTS_LIST:name;
+const unique T.Reserved__IO_RESOURCE_REQUIREMENTS_LIST:name;
+const unique T.AlternativeLists__IO_RESOURCE_REQUIREMENTS_LIST:name;
+const unique T.List__IO_RESOURCE_REQUIREMENTS_LIST:name;
+const unique T.SecurityQos__IO_SECURITY_CONTEXT:name;
+const unique T.AccessState__IO_SECURITY_CONTEXT:name;
+const unique T.DesiredAccess__IO_SECURITY_CONTEXT:name;
+const unique T.FullCreateOptions__IO_SECURITY_CONTEXT:name;
+const unique T.MajorFunction__IO_STACK_LOCATION:name;
+const unique T.MinorFunction__IO_STACK_LOCATION:name;
+const unique T.Flags__IO_STACK_LOCATION:name;
+const unique T.Control__IO_STACK_LOCATION:name;
+const unique T.Parameters__IO_STACK_LOCATION:name;
+const unique T.DeviceObject__IO_STACK_LOCATION:name;
+const unique T.FileObject__IO_STACK_LOCATION:name;
+const unique T.CompletionRoutine__IO_STACK_LOCATION:name;
+const unique T.Context__IO_STACK_LOCATION:name;
+const unique T.__unnamed_4_d99b6e2b__IO_STATUS_BLOCK:name;
+const unique T.Information__IO_STATUS_BLOCK:name;
+const unique T.Type__IRP:name;
+const unique T.Size__IRP:name;
+const unique T.MdlAddress__IRP:name;
+const unique T.Flags__IRP:name;
+const unique T.AssociatedIrp__IRP:name;
+const unique T.ThreadListEntry__IRP:name;
+const unique T.IoStatus__IRP:name;
+const unique T.RequestorMode__IRP:name;
+const unique T.PendingReturned__IRP:name;
+const unique T.StackCount__IRP:name;
+const unique T.CurrentLocation__IRP:name;
+const unique T.Cancel__IRP:name;
+const unique T.CancelIrql__IRP:name;
+const unique T.ApcEnvironment__IRP:name;
+const unique T.AllocationFlags__IRP:name;
+const unique T.UserIosb__IRP:name;
+const unique T.UserEvent__IRP:name;
+const unique T.Overlay__IRP:name;
+const unique T.CancelRoutine__IRP:name;
+const unique T.UserBuffer__IRP:name;
+const unique T.Tail__IRP:name;
+const unique T.Type__KAPC:name;
+const unique T.SpareByte0__KAPC:name;
+const unique T.Size__KAPC:name;
+const unique T.SpareByte1__KAPC:name;
+const unique T.SpareLong0__KAPC:name;
+const unique T.Thread__KAPC:name;
+const unique T.ApcListEntry__KAPC:name;
+const unique T.KernelRoutine__KAPC:name;
+const unique T.RundownRoutine__KAPC:name;
+const unique T.NormalRoutine__KAPC:name;
+const unique T.NormalContext__KAPC:name;
+const unique T.SystemArgument1__KAPC:name;
+const unique T.SystemArgument2__KAPC:name;
+const unique T.ApcStateIndex__KAPC:name;
+const unique T.ApcMode__KAPC:name;
+const unique T.Inserted__KAPC:name;
+const unique T.Type__KDEVICE_QUEUE:name;
+const unique T.Size__KDEVICE_QUEUE:name;
+const unique T.DeviceListHead__KDEVICE_QUEUE:name;
+const unique T.Lock__KDEVICE_QUEUE:name;
+const unique T.Busy__KDEVICE_QUEUE:name;
+const unique T.DeviceListEntry__KDEVICE_QUEUE_ENTRY:name;
+const unique T.SortKey__KDEVICE_QUEUE_ENTRY:name;
+const unique T.Inserted__KDEVICE_QUEUE_ENTRY:name;
+const unique T.Type__KDPC:name;
+const unique T.Importance__KDPC:name;
+const unique T.Number__KDPC:name;
+const unique T.DpcListEntry__KDPC:name;
+const unique T.DeferredRoutine__KDPC:name;
+const unique T.DeferredContext__KDPC:name;
+const unique T.SystemArgument1__KDPC:name;
+const unique T.SystemArgument2__KDPC:name;
+const unique T.DpcData__KDPC:name;
+const unique T.Header__KEVENT:name;
+const unique T.KeyboardIdentifier__KEYBOARD_ATTRIBUTES:name;
+const unique T.KeyboardMode__KEYBOARD_ATTRIBUTES:name;
+const unique T.NumberOfFunctionKeys__KEYBOARD_ATTRIBUTES:name;
+const unique T.NumberOfIndicators__KEYBOARD_ATTRIBUTES:name;
+const unique T.NumberOfKeysTotal__KEYBOARD_ATTRIBUTES:name;
+const unique T.InputDataQueueLength__KEYBOARD_ATTRIBUTES:name;
+const unique T.KeyRepeatMinimum__KEYBOARD_ATTRIBUTES:name;
+const unique T.KeyRepeatMaximum__KEYBOARD_ATTRIBUTES:name;
+const unique T.Type__KEYBOARD_ID:name;
+const unique T.Subtype__KEYBOARD_ID:name;
+const unique T.UnitId__KEYBOARD_INDICATOR_PARAMETERS:name;
+const unique T.LedFlags__KEYBOARD_INDICATOR_PARAMETERS:name;
+const unique T.UnitId__KEYBOARD_INPUT_DATA:name;
+const unique T.MakeCode__KEYBOARD_INPUT_DATA:name;
+const unique T.Flags__KEYBOARD_INPUT_DATA:name;
+const unique T.Reserved__KEYBOARD_INPUT_DATA:name;
+const unique T.ExtraInformation__KEYBOARD_INPUT_DATA:name;
+const unique T.UnitId__KEYBOARD_TYPEMATIC_PARAMETERS:name;
+const unique T.Rate__KEYBOARD_TYPEMATIC_PARAMETERS:name;
+const unique T.Delay__KEYBOARD_TYPEMATIC_PARAMETERS:name;
+const unique T.Header__KSEMAPHORE:name;
+const unique T.Limit__KSEMAPHORE:name;
+const unique T.__unnamed_8_58ee4a31__LARGE_INTEGER:name;
+const unique T.u__LARGE_INTEGER:name;
+const unique T.QuadPart__LARGE_INTEGER:name;
+const unique T.Flink__LIST_ENTRY:name;
+const unique T.Blink__LIST_ENTRY:name;
+const unique T.LowPart__LUID:name;
+const unique T.HighPart__LUID:name;
+const unique T.Luid__LUID_AND_ATTRIBUTES:name;
+const unique T.Attributes__LUID_AND_ATTRIBUTES:name;
+const unique T.Next__MDL:name;
+const unique T.Size__MDL:name;
+const unique T.MdlFlags__MDL:name;
+const unique T.Process__MDL:name;
+const unique T.MappedSystemVa__MDL:name;
+const unique T.StartVa__MDL:name;
+const unique T.ByteCount__MDL:name;
+const unique T.ByteOffset__MDL:name;
+const unique T.OwnerThread__OWNER_ENTRY:name;
+const unique T.__unnamed_4_6f9ac8e1__OWNER_ENTRY:name;
+const unique T.File__PORT:name;
+const unique T.Port__PORT:name;
+const unique T.Enabled__PORT:name;
+const unique T.Reserved__PORT:name;
+const unique T.Free__PORT:name;
+const unique T.SequenceD1__POWER_SEQUENCE:name;
+const unique T.SequenceD2__POWER_SEQUENCE:name;
+const unique T.SequenceD3__POWER_SEQUENCE:name;
+const unique T.SystemState__POWER_STATE:name;
+const unique T.DeviceState__POWER_STATE:name;
+const unique T.PrivilegeCount__PRIVILEGE_SET:name;
+const unique T.Control__PRIVILEGE_SET:name;
+const unique T.Privilege__PRIVILEGE_SET:name;
+const unique T.DataSectionObject__SECTION_OBJECT_POINTERS:name;
+const unique T.SharedCacheMap__SECTION_OBJECT_POINTERS:name;
+const unique T.ImageSectionObject__SECTION_OBJECT_POINTERS:name;
+const unique T.Length__SECURITY_QUALITY_OF_SERVICE:name;
+const unique T.ImpersonationLevel__SECURITY_QUALITY_OF_SERVICE:name;
+const unique T.ContextTrackingMode__SECURITY_QUALITY_OF_SERVICE:name;
+const unique T.EffectiveOnly__SECURITY_QUALITY_OF_SERVICE:name;
+const unique T.ClientToken__SECURITY_SUBJECT_CONTEXT:name;
+const unique T.ImpersonationLevel__SECURITY_SUBJECT_CONTEXT:name;
+const unique T.PrimaryToken__SECURITY_SUBJECT_CONTEXT:name;
+const unique T.ProcessAuditId__SECURITY_SUBJECT_CONTEXT:name;
+const unique T.__unnamed_4_3a2fdc5e__SYSTEM_POWER_STATE_CONTEXT:name;
+const unique T.Length__UNICODE_STRING:name;
+const unique T.MaximumLength__UNICODE_STRING:name;
+const unique T.Buffer__UNICODE_STRING:name;
+const unique T.Type__VPB:name;
+const unique T.Size__VPB:name;
+const unique T.Flags__VPB:name;
+const unique T.VolumeLabelLength__VPB:name;
+const unique T.DeviceObject__VPB:name;
+const unique T.RealDevice__VPB:name;
+const unique T.SerialNumber__VPB:name;
+const unique T.ReferenceCount__VPB:name;
+const unique T.VolumeLabel__VPB:name;
+const unique T.WaitQueueEntry__WAIT_CONTEXT_BLOCK:name;
+const unique T.DeviceRoutine__WAIT_CONTEXT_BLOCK:name;
+const unique T.DeviceContext__WAIT_CONTEXT_BLOCK:name;
+const unique T.NumberOfMapRegisters__WAIT_CONTEXT_BLOCK:name;
+const unique T.DeviceObject__WAIT_CONTEXT_BLOCK:name;
+const unique T.CurrentIrp__WAIT_CONTEXT_BLOCK:name;
+const unique T.BufferChainingDpc__WAIT_CONTEXT_BLOCK:name;
+const unique T.GuidCount__WMILIB_CONTEXT:name;
+const unique T.GuidList__WMILIB_CONTEXT:name;
+const unique T.QueryWmiRegInfo__WMILIB_CONTEXT:name;
+const unique T.QueryWmiDataBlock__WMILIB_CONTEXT:name;
+const unique T.SetWmiDataBlock__WMILIB_CONTEXT:name;
+const unique T.SetWmiDataItem__WMILIB_CONTEXT:name;
+const unique T.ExecuteWmiMethod__WMILIB_CONTEXT:name;
+const unique T.WmiFunctionControl__WMILIB_CONTEXT:name;
+const unique T.Reserved___unnamed_12_0d6a30de:name;
+const unique T.MessageCount___unnamed_12_0d6a30de:name;
+const unique T.Vector___unnamed_12_0d6a30de:name;
+const unique T.Affinity___unnamed_12_0d6a30de:name;
+const unique T.Start___unnamed_12_17f5c211:name;
+const unique T.Length48___unnamed_12_17f5c211:name;
+const unique T.Start___unnamed_12_1fb42e39:name;
+const unique T.Length___unnamed_12_1fb42e39:name;
+const unique T.Reserved___unnamed_12_1fb42e39:name;
+const unique T.Start___unnamed_12_2a1563c6:name;
+const unique T.Length___unnamed_12_2a1563c6:name;
+const unique T.DataSize___unnamed_12_31347272:name;
+const unique T.Reserved1___unnamed_12_31347272:name;
+const unique T.Reserved2___unnamed_12_31347272:name;
+const unique T.Raw___unnamed_12_429aadc0:name;
+const unique T.Translated___unnamed_12_429aadc0:name;
+const unique T.Start___unnamed_12_4719de1a:name;
+const unique T.Length___unnamed_12_4719de1a:name;
+const unique T.Data___unnamed_12_4be56faa:name;
+const unique T.Data___unnamed_12_5ce25b92:name;
+const unique T.Generic___unnamed_12_7a698b72:name;
+const unique T.Port___unnamed_12_7a698b72:name;
+const unique T.Interrupt___unnamed_12_7a698b72:name;
+const unique T.MessageInterrupt___unnamed_12_7a698b72:name;
+const unique T.Memory___unnamed_12_7a698b72:name;
+const unique T.Dma___unnamed_12_7a698b72:name;
+const unique T.DevicePrivate___unnamed_12_7a698b72:name;
+const unique T.BusNumber___unnamed_12_7a698b72:name;
+const unique T.DeviceSpecificData___unnamed_12_7a698b72:name;
+const unique T.Memory40___unnamed_12_7a698b72:name;
+const unique T.Memory48___unnamed_12_7a698b72:name;
+const unique T.Memory64___unnamed_12_7a698b72:name;
+const unique T.Start___unnamed_12_87c0de8d:name;
+const unique T.Length64___unnamed_12_87c0de8d:name;
+const unique T.Start___unnamed_12_98bfc55a:name;
+const unique T.Length40___unnamed_12_98bfc55a:name;
+const unique T.Priority___unnamed_12_ab1bd9d7:name;
+const unique T.Reserved1___unnamed_12_ab1bd9d7:name;
+const unique T.Reserved2___unnamed_12_ab1bd9d7:name;
+const unique T.Level___unnamed_12_b0429be9:name;
+const unique T.Vector___unnamed_12_b0429be9:name;
+const unique T.Affinity___unnamed_12_b0429be9:name;
+const unique T.ListEntry___unnamed_12_b43e8de8:name;
+const unique T.__unnamed_4_f19b65c1___unnamed_12_b43e8de8:name;
+const unique T.Level___unnamed_12_bfdb39ee:name;
+const unique T.Vector___unnamed_12_bfdb39ee:name;
+const unique T.Affinity___unnamed_12_bfdb39ee:name;
+const unique T.Start___unnamed_12_cd42b3c3:name;
+const unique T.Length___unnamed_12_cd42b3c3:name;
+const unique T.__unnamed_12_429aadc0___unnamed_12_e668effc:name;
+const unique T.Channel___unnamed_12_e80d029e:name;
+const unique T.Port___unnamed_12_e80d029e:name;
+const unique T.Reserved1___unnamed_12_e80d029e:name;
+const unique T.Length___unnamed_16_07c0bcc5:name;
+const unique T.MinBusNumber___unnamed_16_07c0bcc5:name;
+const unique T.MaxBusNumber___unnamed_16_07c0bcc5:name;
+const unique T.Reserved___unnamed_16_07c0bcc5:name;
+const unique T.InterfaceType___unnamed_16_29cb9f2f:name;
+const unique T.Size___unnamed_16_29cb9f2f:name;
+const unique T.Version___unnamed_16_29cb9f2f:name;
+const unique T.Interface___unnamed_16_29cb9f2f:name;
+const unique T.InterfaceSpecificData___unnamed_16_29cb9f2f:name;
+const unique T.SecurityContext___unnamed_16_30f11dbf:name;
+const unique T.Options___unnamed_16_30f11dbf:name;
+const unique T.FileAttributes___unnamed_16_30f11dbf:name;
+const unique T.ShareAccess___unnamed_16_30f11dbf:name;
+const unique T.EaLength___unnamed_16_30f11dbf:name;
+const unique T.DriverContext___unnamed_16_35034f68:name;
+const unique T.Length___unnamed_16_487a9498:name;
+const unique T.FileName___unnamed_16_487a9498:name;
+const unique T.FileInformationClass___unnamed_16_487a9498:name;
+const unique T.FileIndex___unnamed_16_487a9498:name;
+const unique T.OutputBufferLength___unnamed_16_5f6a8844:name;
+const unique T.InputBufferLength___unnamed_16_5f6a8844:name;
+const unique T.FsControlCode___unnamed_16_5f6a8844:name;
+const unique T.Type3InputBuffer___unnamed_16_5f6a8844:name;
+const unique T.Length___unnamed_16_7177b9f3:name;
+const unique T.FileInformationClass___unnamed_16_7177b9f3:name;
+const unique T.FileObject___unnamed_16_7177b9f3:name;
+const unique T.__unnamed_4_43913aa5___unnamed_16_7177b9f3:name;
+const unique T.Length___unnamed_16_88e91ef6:name;
+const unique T.Key___unnamed_16_88e91ef6:name;
+const unique T.ByteOffset___unnamed_16_88e91ef6:name;
+const unique T.Length___unnamed_16_8c506c98:name;
+const unique T.Key___unnamed_16_8c506c98:name;
+const unique T.ByteOffset___unnamed_16_8c506c98:name;
+const unique T.WhichSpace___unnamed_16_9ac2e5f8:name;
+const unique T.Buffer___unnamed_16_9ac2e5f8:name;
+const unique T.Offset___unnamed_16_9ac2e5f8:name;
+const unique T.Length___unnamed_16_9ac2e5f8:name;
+const unique T.Create___unnamed_16_b93842ad:name;
+const unique T.Read___unnamed_16_b93842ad:name;
+const unique T.Write___unnamed_16_b93842ad:name;
+const unique T.QueryDirectory___unnamed_16_b93842ad:name;
+const unique T.NotifyDirectory___unnamed_16_b93842ad:name;
+const unique T.QueryFile___unnamed_16_b93842ad:name;
+const unique T.SetFile___unnamed_16_b93842ad:name;
+const unique T.QueryEa___unnamed_16_b93842ad:name;
+const unique T.SetEa___unnamed_16_b93842ad:name;
+const unique T.QueryVolume___unnamed_16_b93842ad:name;
+const unique T.SetVolume___unnamed_16_b93842ad:name;
+const unique T.FileSystemControl___unnamed_16_b93842ad:name;
+const unique T.LockControl___unnamed_16_b93842ad:name;
+const unique T.DeviceIoControl___unnamed_16_b93842ad:name;
+const unique T.QuerySecurity___unnamed_16_b93842ad:name;
+const unique T.SetSecurity___unnamed_16_b93842ad:name;
+const unique T.MountVolume___unnamed_16_b93842ad:name;
+const unique T.VerifyVolume___unnamed_16_b93842ad:name;
+const unique T.Scsi___unnamed_16_b93842ad:name;
+const unique T.QueryQuota___unnamed_16_b93842ad:name;
+const unique T.SetQuota___unnamed_16_b93842ad:name;
+const unique T.QueryDeviceRelations___unnamed_16_b93842ad:name;
+const unique T.QueryInterface___unnamed_16_b93842ad:name;
+const unique T.DeviceCapabilities___unnamed_16_b93842ad:name;
+const unique T.FilterResourceRequirements___unnamed_16_b93842ad:name;
+const unique T.ReadWriteConfig___unnamed_16_b93842ad:name;
+const unique T.SetLock___unnamed_16_b93842ad:name;
+const unique T.QueryId___unnamed_16_b93842ad:name;
+const unique T.QueryDeviceText___unnamed_16_b93842ad:name;
+const unique T.UsageNotification___unnamed_16_b93842ad:name;
+const unique T.WaitWake___unnamed_16_b93842ad:name;
+const unique T.PowerSequence___unnamed_16_b93842ad:name;
+const unique T.Power___unnamed_16_b93842ad:name;
+const unique T.StartDevice___unnamed_16_b93842ad:name;
+const unique T.WMI___unnamed_16_b93842ad:name;
+const unique T.Others___unnamed_16_b93842ad:name;
+const unique T.Length___unnamed_16_b9c62eab:name;
+const unique T.Key___unnamed_16_b9c62eab:name;
+const unique T.ByteOffset___unnamed_16_b9c62eab:name;
+const unique T.__unnamed_4_7d9d0c7e___unnamed_16_bb584060:name;
+const unique T.Type___unnamed_16_bb584060:name;
+const unique T.State___unnamed_16_bb584060:name;
+const unique T.ShutdownType___unnamed_16_bb584060:name;
+const unique T.OutputBufferLength___unnamed_16_dba55c7c:name;
+const unique T.InputBufferLength___unnamed_16_dba55c7c:name;
+const unique T.IoControlCode___unnamed_16_dba55c7c:name;
+const unique T.Type3InputBuffer___unnamed_16_dba55c7c:name;
+const unique T.DeviceQueueEntry___unnamed_16_e70c268b:name;
+const unique T.__unnamed_16_35034f68___unnamed_16_e70c268b:name;
+const unique T.Argument1___unnamed_16_e734d694:name;
+const unique T.Argument2___unnamed_16_e734d694:name;
+const unique T.Argument3___unnamed_16_e734d694:name;
+const unique T.Argument4___unnamed_16_e734d694:name;
+const unique T.ProviderId___unnamed_16_eac6dbea:name;
+const unique T.DataPath___unnamed_16_eac6dbea:name;
+const unique T.BufferSize___unnamed_16_eac6dbea:name;
+const unique T.Buffer___unnamed_16_eac6dbea:name;
+const unique T.Length___unnamed_16_f6cae4c2:name;
+const unique T.EaList___unnamed_16_f6cae4c2:name;
+const unique T.EaListLength___unnamed_16_f6cae4c2:name;
+const unique T.EaIndex___unnamed_16_f6cae4c2:name;
+const unique T.Length___unnamed_16_fe36e4f4:name;
+const unique T.StartSid___unnamed_16_fe36e4f4:name;
+const unique T.SidList___unnamed_16_fe36e4f4:name;
+const unique T.SidListLength___unnamed_16_fe36e4f4:name;
+const unique T.Abandoned___unnamed_1_29794256:name;
+const unique T.Absolute___unnamed_1_29794256:name;
+const unique T.NpxIrql___unnamed_1_29794256:name;
+const unique T.Signalling___unnamed_1_29794256:name;
+const unique T.Inserted___unnamed_1_2dc63b48:name;
+const unique T.DebugActive___unnamed_1_2dc63b48:name;
+const unique T.DpcActive___unnamed_1_2dc63b48:name;
+const unique T.Size___unnamed_1_2ef8da39:name;
+const unique T.Hand___unnamed_1_2ef8da39:name;
+const unique T.Lock___unnamed_1_faa7dc71:name;
+const unique T.MinimumVector___unnamed_20_f4d2e6d8:name;
+const unique T.MaximumVector___unnamed_20_f4d2e6d8:name;
+const unique T.AffinityPolicy___unnamed_20_f4d2e6d8:name;
+const unique T.PriorityPolicy___unnamed_20_f4d2e6d8:name;
+const unique T.TargetedProcessors___unnamed_20_f4d2e6d8:name;
+const unique T.Length___unnamed_24_41cbc8c0:name;
+const unique T.Alignment___unnamed_24_41cbc8c0:name;
+const unique T.MinimumAddress___unnamed_24_41cbc8c0:name;
+const unique T.MaximumAddress___unnamed_24_41cbc8c0:name;
+const unique T.Length48___unnamed_24_5419c914:name;
+const unique T.Alignment48___unnamed_24_5419c914:name;
+const unique T.MinimumAddress___unnamed_24_5419c914:name;
+const unique T.MaximumAddress___unnamed_24_5419c914:name;
+const unique T.Length___unnamed_24_67a5ff10:name;
+const unique T.Alignment___unnamed_24_67a5ff10:name;
+const unique T.MinimumAddress___unnamed_24_67a5ff10:name;
+const unique T.MaximumAddress___unnamed_24_67a5ff10:name;
+const unique T.Port___unnamed_24_72c3976e:name;
+const unique T.Memory___unnamed_24_72c3976e:name;
+const unique T.Interrupt___unnamed_24_72c3976e:name;
+const unique T.Dma___unnamed_24_72c3976e:name;
+const unique T.Generic___unnamed_24_72c3976e:name;
+const unique T.DevicePrivate___unnamed_24_72c3976e:name;
+const unique T.BusNumber___unnamed_24_72c3976e:name;
+const unique T.ConfigData___unnamed_24_72c3976e:name;
+const unique T.Memory40___unnamed_24_72c3976e:name;
+const unique T.Memory48___unnamed_24_72c3976e:name;
+const unique T.Memory64___unnamed_24_72c3976e:name;
+const unique T.Length64___unnamed_24_a26050bb:name;
+const unique T.Alignment64___unnamed_24_a26050bb:name;
+const unique T.MinimumAddress___unnamed_24_a26050bb:name;
+const unique T.MaximumAddress___unnamed_24_a26050bb:name;
+const unique T.Length___unnamed_24_b8f476db:name;
+const unique T.Alignment___unnamed_24_b8f476db:name;
+const unique T.MinimumAddress___unnamed_24_b8f476db:name;
+const unique T.MaximumAddress___unnamed_24_b8f476db:name;
+const unique T.Length40___unnamed_24_d09044b4:name;
+const unique T.Alignment40___unnamed_24_d09044b4:name;
+const unique T.MinimumAddress___unnamed_24_d09044b4:name;
+const unique T.MaximumAddress___unnamed_24_d09044b4:name;
+const unique T.ReplaceIfExists___unnamed_2_46cc4597:name;
+const unique T.AdvanceOnly___unnamed_2_46cc4597:name;
+const unique T.__unnamed_16_e70c268b___unnamed_40_7218f704:name;
+const unique T.Thread___unnamed_40_7218f704:name;
+const unique T.AuxiliaryBuffer___unnamed_40_7218f704:name;
+const unique T.__unnamed_12_b43e8de8___unnamed_40_7218f704:name;
+const unique T.OriginalFileObject___unnamed_40_7218f704:name;
+const unique T.ListEntry___unnamed_40_c55c9377:name;
+const unique T.Wcb___unnamed_40_c55c9377:name;
+const unique T.InitialPrivilegeSet___unnamed_44_5584090d:name;
+const unique T.PrivilegeSet___unnamed_44_5584090d:name;
+const unique T.Overlay___unnamed_48_cf99b13f:name;
+const unique T.Apc___unnamed_48_cf99b13f:name;
+const unique T.CompletionKey___unnamed_48_cf99b13f:name;
+const unique T.PowerState___unnamed_4_069846fb:name;
+const unique T.IdType___unnamed_4_224c32f4:name;
+const unique T.Capabilities___unnamed_4_2de698da:name;
+const unique T.__unnamed_4_c3479730___unnamed_4_3a2fdc5e:name;
+const unique T.ContextAsUlong___unnamed_4_3a2fdc5e:name;
+const unique T.Length___unnamed_4_3a4c1a13:name;
+const unique T.__unnamed_2_46cc4597___unnamed_4_43913aa5:name;
+const unique T.ClusterCount___unnamed_4_43913aa5:name;
+const unique T.DeleteHandle___unnamed_4_43913aa5:name;
+const unique T.UserApcRoutine___unnamed_4_4e8dd2ba:name;
+const unique T.IssuingProcess___unnamed_4_4e8dd2ba:name;
+const unique T.Srb___unnamed_4_52603077:name;
+const unique T.Address___unnamed_4_52c594f7:name;
+const unique T.CreatorBackTraceIndex___unnamed_4_52c594f7:name;
+const unique T.Type___unnamed_4_5ca00198:name;
+const unique T.__unnamed_1_29794256___unnamed_4_5ca00198:name;
+const unique T.__unnamed_1_2ef8da39___unnamed_4_5ca00198:name;
+const unique T.__unnamed_1_2dc63b48___unnamed_4_5ca00198:name;
+const unique T.MasterIrp___unnamed_4_6ac6463c:name;
+const unique T.IrpCount___unnamed_4_6ac6463c:name;
+const unique T.SystemBuffer___unnamed_4_6ac6463c:name;
+const unique T.OwnerCount___unnamed_4_6f9ac8e1:name;
+const unique T.TableSize___unnamed_4_6f9ac8e1:name;
+const unique T.PowerSequence___unnamed_4_7a02167b:name;
+const unique T.SystemContext___unnamed_4_7d9d0c7e:name;
+const unique T.SystemPowerStateContext___unnamed_4_7d9d0c7e:name;
+const unique T.IoResourceRequirementList___unnamed_4_82f7a864:name;
+const unique T.Length___unnamed_4_9aec220b:name;
+const unique T.__unnamed_4_5ca00198___unnamed_4_a97c65a1:name;
+const unique T.Lock___unnamed_4_a97c65a1:name;
+const unique T.Reserved1___unnamed_4_c3479730:name;
+const unique T.TargetSystemState___unnamed_4_c3479730:name;
+const unique T.EffectiveSystemState___unnamed_4_c3479730:name;
+const unique T.CurrentSystemState___unnamed_4_c3479730:name;
+const unique T.IgnoreHibernationPath___unnamed_4_c3479730:name;
+const unique T.PseudoTransition___unnamed_4_c3479730:name;
+const unique T.Reserved2___unnamed_4_c3479730:name;
+const unique T.Status___unnamed_4_d99b6e2b:name;
+const unique T.Pointer___unnamed_4_d99b6e2b:name;
+const unique T.CurrentStackLocation___unnamed_4_f19b65c1:name;
+const unique T.PacketType___unnamed_4_f19b65c1:name;
+const unique T.Type___unnamed_4_fa10fc16:name;
+const unique T.SecurityInformation___unnamed_8_01efa60d:name;
+const unique T.Length___unnamed_8_01efa60d:name;
+const unique T.MinimumChannel___unnamed_8_08d4cef8:name;
+const unique T.MaximumChannel___unnamed_8_08d4cef8:name;
+const unique T.__unnamed_4_4e8dd2ba___unnamed_8_0a898c0c:name;
+const unique T.UserApcContext___unnamed_8_0a898c0c:name;
+const unique T.SecurityInformation___unnamed_8_1330f93a:name;
+const unique T.SecurityDescriptor___unnamed_8_1330f93a:name;
+const unique T.AsynchronousParameters___unnamed_8_181d0de9:name;
+const unique T.AllocationSize___unnamed_8_181d0de9:name;
+const unique T.Vpb___unnamed_8_4812764d:name;
+const unique T.DeviceObject___unnamed_8_4812764d:name;
+const unique T.Length___unnamed_8_559a91e6:name;
+const unique T.FsInformationClass___unnamed_8_559a91e6:name;
+const unique T.Length___unnamed_8_5845b309:name;
+const unique T.FileInformationClass___unnamed_8_5845b309:name;
+const unique T.LowPart___unnamed_8_58ee4a31:name;
+const unique T.HighPart___unnamed_8_58ee4a31:name;
+const unique T.AllocatedResources___unnamed_8_61acf4ce:name;
+const unique T.AllocatedResourcesTranslated___unnamed_8_61acf4ce:name;
+const unique T.DeviceTextType___unnamed_8_6acfee04:name;
+const unique T.LocaleId___unnamed_8_6acfee04:name;
+const unique T.Length___unnamed_8_7f26a9dd:name;
+const unique T.CompletionFilter___unnamed_8_7f26a9dd:name;
+const unique T.Vpb___unnamed_8_87add0bd:name;
+const unique T.DeviceObject___unnamed_8_87add0bd:name;
+const unique T.InPath___unnamed_8_b2773e4c:name;
+const unique T.Reserved___unnamed_8_b2773e4c:name;
+const unique T.Type___unnamed_8_b2773e4c:name;
+const unique T.Length___unnamed_8_de890d4e:name;
+const unique T.FsInformationClass___unnamed_8_de890d4e:name;
+const unique T.LowPart___unnamed_8_ef9ba0d3:name;
+const unique T.HighPart___unnamed_8_ef9ba0d3:name;
+
+// Type declarations
+
+const unique T.A1_CM_FULL_RESOURCE_DESCRIPTOR:name;
+const unique T.A1_CM_PARTIAL_RESOURCE_DESCRIPTOR:name;
+const unique T.A1_IO_RESOURCE_DESCRIPTOR:name;
+const unique T.A1_IO_RESOURCE_LIST:name;
+const unique T.A1_LUID_AND_ATTRIBUTES:name;
+const unique T.A256UINT2:name;
+const unique T.A28PFDRIVER_DISPATCH:name;
+const unique T.A2UCHAR:name;
+const unique T.A2UINT2:name;
+const unique T.A32UINT2:name;
+const unique T.A37CHAR:name;
+const unique T.A3UCHAR:name;
+const unique T.A3UINT4:name;
+const unique T.A3_LUID_AND_ATTRIBUTES:name;
+const unique T.A40CHAR:name;
+const unique T.A4PVOID:name;
+const unique T.A4UINT4:name;
+const unique T.A5_DEVICE_POWER_STATE:name;
+const unique T.A65CHAR:name;
+const unique T.A75CHAR:name;
+const unique T.A76CHAR:name;
+const unique T.A7UINT2:name;
+const unique T.A7_DEVICE_POWER_STATE:name;
+const unique T.A83CHAR:name;
+const unique T.A8UCHAR:name;
+const unique T.A9UINT2:name;
+const unique T.BUS_QUERY_ID_TYPE:name;
+const unique T.CHAR:name;
+const unique T.DEVICE_TEXT_TYPE:name;
+const unique T.F0:name;
+const unique T.F1:name;
+const unique T.F10:name;
+const unique T.F11:name;
+const unique T.F12:name;
+const unique T.F13:name;
+const unique T.F14:name;
+const unique T.F15:name;
+const unique T.F16:name;
+const unique T.F17:name;
+const unique T.F18:name;
+const unique T.F19:name;
+const unique T.F2:name;
+const unique T.F20:name;
+const unique T.F21:name;
+const unique T.F22:name;
+const unique T.F23:name;
+const unique T.F24:name;
+const unique T.F25:name;
+const unique T.F26:name;
+const unique T.F27:name;
+const unique T.F28:name;
+const unique T.F29:name;
+const unique T.F3:name;
+const unique T.F30:name;
+const unique T.F31:name;
+const unique T.F32:name;
+const unique T.F33:name;
+const unique T.F34:name;
+const unique T.F35:name;
+const unique T.F36:name;
+const unique T.F37:name;
+const unique T.F38:name;
+const unique T.F4:name;
+const unique T.F5:name;
+const unique T.F6:name;
+const unique T.F7:name;
+const unique T.F8:name;
+const unique T.F9:name;
+const unique T.FDRIVER_ADD_DEVICE:name;
+const unique T.FDRIVER_CANCEL:name;
+const unique T.FDRIVER_CONTROL:name;
+const unique T.FDRIVER_DISPATCH:name;
+const unique T.FDRIVER_INITIALIZE:name;
+const unique T.FDRIVER_STARTIO:name;
+const unique T.FDRIVER_UNLOAD:name;
+const unique T.FFAST_IO_ACQUIRE_FILE:name;
+const unique T.FFAST_IO_ACQUIRE_FOR_CCFLUSH:name;
+const unique T.FFAST_IO_ACQUIRE_FOR_MOD_WRITE:name;
+const unique T.FFAST_IO_CHECK_IF_POSSIBLE:name;
+const unique T.FFAST_IO_DETACH_DEVICE:name;
+const unique T.FFAST_IO_DEVICE_CONTROL:name;
+const unique T.FFAST_IO_LOCK:name;
+const unique T.FFAST_IO_MDL_READ:name;
+const unique T.FFAST_IO_MDL_READ_COMPLETE:name;
+const unique T.FFAST_IO_MDL_READ_COMPLETE_COMPRESSED:name;
+const unique T.FFAST_IO_MDL_WRITE_COMPLETE:name;
+const unique T.FFAST_IO_MDL_WRITE_COMPLETE_COMPRESSED:name;
+const unique T.FFAST_IO_PREPARE_MDL_WRITE:name;
+const unique T.FFAST_IO_QUERY_BASIC_INFO:name;
+const unique T.FFAST_IO_QUERY_NETWORK_OPEN_INFO:name;
+const unique T.FFAST_IO_QUERY_OPEN:name;
+const unique T.FFAST_IO_QUERY_STANDARD_INFO:name;
+const unique T.FFAST_IO_READ:name;
+const unique T.FFAST_IO_READ_COMPRESSED:name;
+const unique T.FFAST_IO_RELEASE_FILE:name;
+const unique T.FFAST_IO_RELEASE_FOR_CCFLUSH:name;
+const unique T.FFAST_IO_RELEASE_FOR_MOD_WRITE:name;
+const unique T.FFAST_IO_UNLOCK_ALL:name;
+const unique T.FFAST_IO_UNLOCK_ALL_BY_KEY:name;
+const unique T.FFAST_IO_UNLOCK_SINGLE:name;
+const unique T.FFAST_IO_WRITE:name;
+const unique T.FFAST_IO_WRITE_COMPRESSED:name;
+const unique T.FIO_COMPLETION_ROUTINE:name;
+const unique T.FKDEFERRED_ROUTINE:name;
+const unique T.INT2:name;
+const unique T.INT4:name;
+const unique T.INT8:name;
+const unique T.PA2UINT2:name;
+const unique T.PA37CHAR:name;
+const unique T.PA40CHAR:name;
+const unique T.PA4UINT4:name;
+const unique T.PA65CHAR:name;
+const unique T.PA75CHAR:name;
+const unique T.PA76CHAR:name;
+const unique T.PA7UINT2:name;
+const unique T.PA83CHAR:name;
+const unique T.PA9UINT2:name;
+const unique T.PCHAR:name;
+const unique T.PF19:name;
+const unique T.PF21:name;
+const unique T.PF23:name;
+const unique T.PF24:name;
+const unique T.PF25:name;
+const unique T.PF33:name;
+const unique T.PF34:name;
+const unique T.PF35:name;
+const unique T.PF36:name;
+const unique T.PF37:name;
+const unique T.PF38:name;
+const unique T.PFDRIVER_ADD_DEVICE:name;
+const unique T.PFDRIVER_CANCEL:name;
+const unique T.PFDRIVER_CONTROL:name;
+const unique T.PFDRIVER_DISPATCH:name;
+const unique T.PFDRIVER_INITIALIZE:name;
+const unique T.PFDRIVER_STARTIO:name;
+const unique T.PFDRIVER_UNLOAD:name;
+const unique T.PFFAST_IO_ACQUIRE_FILE:name;
+const unique T.PFFAST_IO_ACQUIRE_FOR_CCFLUSH:name;
+const unique T.PFFAST_IO_ACQUIRE_FOR_MOD_WRITE:name;
+const unique T.PFFAST_IO_CHECK_IF_POSSIBLE:name;
+const unique T.PFFAST_IO_DETACH_DEVICE:name;
+const unique T.PFFAST_IO_DEVICE_CONTROL:name;
+const unique T.PFFAST_IO_LOCK:name;
+const unique T.PFFAST_IO_MDL_READ:name;
+const unique T.PFFAST_IO_MDL_READ_COMPLETE:name;
+const unique T.PFFAST_IO_MDL_READ_COMPLETE_COMPRESSED:name;
+const unique T.PFFAST_IO_MDL_WRITE_COMPLETE:name;
+const unique T.PFFAST_IO_MDL_WRITE_COMPLETE_COMPRESSED:name;
+const unique T.PFFAST_IO_PREPARE_MDL_WRITE:name;
+const unique T.PFFAST_IO_QUERY_BASIC_INFO:name;
+const unique T.PFFAST_IO_QUERY_NETWORK_OPEN_INFO:name;
+const unique T.PFFAST_IO_QUERY_OPEN:name;
+const unique T.PFFAST_IO_QUERY_STANDARD_INFO:name;
+const unique T.PFFAST_IO_READ:name;
+const unique T.PFFAST_IO_READ_COMPRESSED:name;
+const unique T.PFFAST_IO_RELEASE_FILE:name;
+const unique T.PFFAST_IO_RELEASE_FOR_CCFLUSH:name;
+const unique T.PFFAST_IO_RELEASE_FOR_MOD_WRITE:name;
+const unique T.PFFAST_IO_UNLOCK_ALL:name;
+const unique T.PFFAST_IO_UNLOCK_ALL_BY_KEY:name;
+const unique T.PFFAST_IO_UNLOCK_SINGLE:name;
+const unique T.PFFAST_IO_WRITE:name;
+const unique T.PFFAST_IO_WRITE_COMPRESSED:name;
+const unique T.PFIO_COMPLETION_ROUTINE:name;
+const unique T.PFKDEFERRED_ROUTINE:name;
+const unique T.PINT4:name;
+const unique T.POWER_ACTION:name;
+const unique T.PPCHAR:name;
+const unique T.PPF24:name;
+const unique T.PPPUINT2:name;
+const unique T.PPP_DEVICE_OBJECT:name;
+const unique T.PPUINT2:name;
+const unique T.PPUINT4:name;
+const unique T.PPVOID:name;
+const unique T.PP_DEVICE_EXTENSION:name;
+const unique T.PP_DEVICE_OBJECT:name;
+const unique T.PP_DRIVER_OBJECT:name;
+const unique T.PP_ERESOURCE:name;
+const unique T.PP_FAST_MUTEX:name;
+const unique T.PP_IO_REMOVE_LOCK:name;
+const unique T.PP_LIST_ENTRY:name;
+const unique T.PP_MDL:name;
+const unique T.PP_UNICODE_STRING:name;
+const unique T.PUCHAR:name;
+const unique T.PUINT2:name;
+const unique T.PUINT4:name;
+const unique T.PVOID:name;
+const unique T.PWMIGUIDREGINFO:name;
+const unique T.P_ACCESS_STATE:name;
+const unique T.P_CM_RESOURCE_LIST:name;
+const unique T.P_COMPRESSED_DATA_INFO:name;
+const unique T.P_DEVICE_CAPABILITIES:name;
+const unique T.P_DEVICE_EXTENSION:name;
+const unique T.P_DEVICE_OBJECT:name;
+const unique T.P_DEVOBJ_EXTENSION:name;
+const unique T.P_DRIVER_EXTENSION:name;
+const unique T.P_DRIVER_OBJECT:name;
+const unique T.P_EPROCESS:name;
+const unique T.P_ERESOURCE:name;
+const unique T.P_ETHREAD:name;
+const unique T.P_FAST_IO_DISPATCH:name;
+const unique T.P_FAST_MUTEX:name;
+const unique T.P_FILE_BASIC_INFORMATION:name;
+const unique T.P_FILE_GET_QUOTA_INFORMATION:name;
+const unique T.P_FILE_NETWORK_OPEN_INFORMATION:name;
+const unique T.P_FILE_OBJECT:name;
+const unique T.P_FILE_STANDARD_INFORMATION:name;
+const unique T.P_GLOBALS:name;
+const unique T.P_GUID:name;
+const unique T.P_INTERFACE:name;
+const unique T.P_IO_COMPLETION_CONTEXT:name;
+const unique T.P_IO_REMOVE_LOCK:name;
+const unique T.P_IO_REMOVE_LOCK_TRACKING_BLOCK:name;
+const unique T.P_IO_RESOURCE_REQUIREMENTS_LIST:name;
+const unique T.P_IO_SECURITY_CONTEXT:name;
+const unique T.P_IO_STACK_LOCATION:name;
+const unique T.P_IO_STATUS_BLOCK:name;
+const unique T.P_IO_TIMER:name;
+const unique T.P_IRP:name;
+const unique T.P_KAPC:name;
+const unique T.P_KDPC:name;
+const unique T.P_KEVENT:name;
+const unique T.P_KEYBOARD_INPUT_DATA:name;
+const unique T.P_KSEMAPHORE:name;
+const unique T.P_KTHREAD:name;
+const unique T.P_LARGE_INTEGER:name;
+const unique T.P_LIST_ENTRY:name;
+const unique T.P_MDL:name;
+const unique T.P_OWNER_ENTRY:name;
+const unique T.P_POOL_TYPE:name;
+const unique T.P_PORT:name;
+const unique T.P_POWER_SEQUENCE:name;
+const unique T.P_SCSI_REQUEST_BLOCK:name;
+const unique T.P_SECTION_OBJECT_POINTERS:name;
+const unique T.P_SECURITY_QUALITY_OF_SERVICE:name;
+const unique T.P_UNICODE_STRING:name;
+const unique T.P_VPB:name;
+const unique T.UCHAR:name;
+const unique T.UINT2:name;
+const unique T.UINT4:name;
+const unique T.VOID:name;
+const unique T.WMIENABLEDISABLECONTROL:name;
+const unique T.WMIGUIDREGINFO:name;
+const unique T._ACCESS_STATE:name;
+const unique T._CM_FULL_RESOURCE_DESCRIPTOR:name;
+const unique T._CM_PARTIAL_RESOURCE_DESCRIPTOR:name;
+const unique T._CM_PARTIAL_RESOURCE_LIST:name;
+const unique T._CM_RESOURCE_LIST:name;
+const unique T._COMPRESSED_DATA_INFO:name;
+const unique T._DEVICE_CAPABILITIES:name;
+const unique T._DEVICE_EXTENSION:name;
+const unique T._DEVICE_OBJECT:name;
+const unique T._DEVICE_POWER_STATE:name;
+const unique T._DEVICE_RELATION_TYPE:name;
+const unique T._DEVICE_USAGE_NOTIFICATION_TYPE:name;
+const unique T._DEVOBJ_EXTENSION:name;
+const unique T._DISPATCHER_HEADER:name;
+const unique T._DRIVER_EXTENSION:name;
+const unique T._DRIVER_OBJECT:name;
+const unique T._EPROCESS:name;
+const unique T._ERESOURCE:name;
+const unique T._ETHREAD:name;
+const unique T._FAST_IO_DISPATCH:name;
+const unique T._FAST_MUTEX:name;
+const unique T._FILE_BASIC_INFORMATION:name;
+const unique T._FILE_GET_QUOTA_INFORMATION:name;
+const unique T._FILE_INFORMATION_CLASS:name;
+const unique T._FILE_NETWORK_OPEN_INFORMATION:name;
+const unique T._FILE_OBJECT:name;
+const unique T._FILE_STANDARD_INFORMATION:name;
+const unique T._FSINFOCLASS:name;
+const unique T._GLOBALS:name;
+const unique T._GUID:name;
+const unique T._INITIAL_PRIVILEGE_SET:name;
+const unique T._INTERFACE:name;
+const unique T._INTERFACE_TYPE:name;
+const unique T._IO_ALLOCATION_ACTION:name;
+const unique T._IO_COMPLETION_CONTEXT:name;
+const unique T._IO_REMOVE_LOCK:name;
+const unique T._IO_REMOVE_LOCK_COMMON_BLOCK:name;
+const unique T._IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T._IO_REMOVE_LOCK_TRACKING_BLOCK:name;
+const unique T._IO_RESOURCE_DESCRIPTOR:name;
+const unique T._IO_RESOURCE_LIST:name;
+const unique T._IO_RESOURCE_REQUIREMENTS_LIST:name;
+const unique T._IO_SECURITY_CONTEXT:name;
+const unique T._IO_STACK_LOCATION:name;
+const unique T._IO_STATUS_BLOCK:name;
+const unique T._IO_TIMER:name;
+const unique T._IRP:name;
+const unique T._IRQ_DEVICE_POLICY:name;
+const unique T._IRQ_PRIORITY:name;
+const unique T._KAPC:name;
+const unique T._KDEVICE_QUEUE:name;
+const unique T._KDEVICE_QUEUE_ENTRY:name;
+const unique T._KDPC:name;
+const unique T._KEVENT:name;
+const unique T._KEYBOARD_ATTRIBUTES:name;
+const unique T._KEYBOARD_ID:name;
+const unique T._KEYBOARD_INDICATOR_PARAMETERS:name;
+const unique T._KEYBOARD_INPUT_DATA:name;
+const unique T._KEYBOARD_TYPEMATIC_PARAMETERS:name;
+const unique T._KSEMAPHORE:name;
+const unique T._KTHREAD:name;
+const unique T._LARGE_INTEGER:name;
+const unique T._LIST_ENTRY:name;
+const unique T._LUID:name;
+const unique T._LUID_AND_ATTRIBUTES:name;
+const unique T._MDL:name;
+const unique T._OWNER_ENTRY:name;
+const unique T._POOL_TYPE:name;
+const unique T._PORT:name;
+const unique T._POWER_SEQUENCE:name;
+const unique T._POWER_STATE:name;
+const unique T._POWER_STATE_TYPE:name;
+const unique T._PRIVILEGE_SET:name;
+const unique T._SCSI_REQUEST_BLOCK:name;
+const unique T._SECTION_OBJECT_POINTERS:name;
+const unique T._SECURITY_IMPERSONATION_LEVEL:name;
+const unique T._SECURITY_QUALITY_OF_SERVICE:name;
+const unique T._SECURITY_SUBJECT_CONTEXT:name;
+const unique T._SYSTEM_POWER_STATE:name;
+const unique T._SYSTEM_POWER_STATE_CONTEXT:name;
+const unique T._UNICODE_STRING:name;
+const unique T._VPB:name;
+const unique T._WAIT_CONTEXT_BLOCK:name;
+const unique T._WMILIB_CONTEXT:name;
+const unique T.__unnamed_12_0d6a30de:name;
+const unique T.__unnamed_12_17f5c211:name;
+const unique T.__unnamed_12_1fb42e39:name;
+const unique T.__unnamed_12_2a1563c6:name;
+const unique T.__unnamed_12_31347272:name;
+const unique T.__unnamed_12_429aadc0:name;
+const unique T.__unnamed_12_4719de1a:name;
+const unique T.__unnamed_12_4be56faa:name;
+const unique T.__unnamed_12_5ce25b92:name;
+const unique T.__unnamed_12_7a698b72:name;
+const unique T.__unnamed_12_87c0de8d:name;
+const unique T.__unnamed_12_98bfc55a:name;
+const unique T.__unnamed_12_ab1bd9d7:name;
+const unique T.__unnamed_12_b0429be9:name;
+const unique T.__unnamed_12_b43e8de8:name;
+const unique T.__unnamed_12_bfdb39ee:name;
+const unique T.__unnamed_12_cd42b3c3:name;
+const unique T.__unnamed_12_e668effc:name;
+const unique T.__unnamed_12_e80d029e:name;
+const unique T.__unnamed_16_07c0bcc5:name;
+const unique T.__unnamed_16_29cb9f2f:name;
+const unique T.__unnamed_16_30f11dbf:name;
+const unique T.__unnamed_16_35034f68:name;
+const unique T.__unnamed_16_487a9498:name;
+const unique T.__unnamed_16_5f6a8844:name;
+const unique T.__unnamed_16_7177b9f3:name;
+const unique T.__unnamed_16_88e91ef6:name;
+const unique T.__unnamed_16_8c506c98:name;
+const unique T.__unnamed_16_9ac2e5f8:name;
+const unique T.__unnamed_16_b93842ad:name;
+const unique T.__unnamed_16_b9c62eab:name;
+const unique T.__unnamed_16_bb584060:name;
+const unique T.__unnamed_16_dba55c7c:name;
+const unique T.__unnamed_16_e70c268b:name;
+const unique T.__unnamed_16_e734d694:name;
+const unique T.__unnamed_16_eac6dbea:name;
+const unique T.__unnamed_16_f6cae4c2:name;
+const unique T.__unnamed_16_fe36e4f4:name;
+const unique T.__unnamed_1_29794256:name;
+const unique T.__unnamed_1_2dc63b48:name;
+const unique T.__unnamed_1_2ef8da39:name;
+const unique T.__unnamed_1_faa7dc71:name;
+const unique T.__unnamed_20_f4d2e6d8:name;
+const unique T.__unnamed_24_41cbc8c0:name;
+const unique T.__unnamed_24_5419c914:name;
+const unique T.__unnamed_24_67a5ff10:name;
+const unique T.__unnamed_24_72c3976e:name;
+const unique T.__unnamed_24_a26050bb:name;
+const unique T.__unnamed_24_b8f476db:name;
+const unique T.__unnamed_24_d09044b4:name;
+const unique T.__unnamed_2_46cc4597:name;
+const unique T.__unnamed_40_7218f704:name;
+const unique T.__unnamed_40_c55c9377:name;
+const unique T.__unnamed_44_5584090d:name;
+const unique T.__unnamed_48_cf99b13f:name;
+const unique T.__unnamed_4_069846fb:name;
+const unique T.__unnamed_4_224c32f4:name;
+const unique T.__unnamed_4_2de698da:name;
+const unique T.__unnamed_4_3a2fdc5e:name;
+const unique T.__unnamed_4_3a4c1a13:name;
+const unique T.__unnamed_4_43913aa5:name;
+const unique T.__unnamed_4_4e8dd2ba:name;
+const unique T.__unnamed_4_52603077:name;
+const unique T.__unnamed_4_52c594f7:name;
+const unique T.__unnamed_4_5ca00198:name;
+const unique T.__unnamed_4_6ac6463c:name;
+const unique T.__unnamed_4_6f9ac8e1:name;
+const unique T.__unnamed_4_7a02167b:name;
+const unique T.__unnamed_4_7d9d0c7e:name;
+const unique T.__unnamed_4_82f7a864:name;
+const unique T.__unnamed_4_9aec220b:name;
+const unique T.__unnamed_4_a97c65a1:name;
+const unique T.__unnamed_4_c3479730:name;
+const unique T.__unnamed_4_d99b6e2b:name;
+const unique T.__unnamed_4_f19b65c1:name;
+const unique T.__unnamed_4_fa10fc16:name;
+const unique T.__unnamed_8_01efa60d:name;
+const unique T.__unnamed_8_08d4cef8:name;
+const unique T.__unnamed_8_0a898c0c:name;
+const unique T.__unnamed_8_1330f93a:name;
+const unique T.__unnamed_8_181d0de9:name;
+const unique T.__unnamed_8_4812764d:name;
+const unique T.__unnamed_8_559a91e6:name;
+const unique T.__unnamed_8_5845b309:name;
+const unique T.__unnamed_8_58ee4a31:name;
+const unique T.__unnamed_8_61acf4ce:name;
+const unique T.__unnamed_8_6acfee04:name;
+const unique T.__unnamed_8_7f26a9dd:name;
+const unique T.__unnamed_8_87add0bd:name;
+const unique T.__unnamed_8_b2773e4c:name;
+const unique T.__unnamed_8_de890d4e:name;
+const unique T.__unnamed_8_ef9ba0d3:name;
+
+function Abandoned___unnamed_1_29794256(int) returns (int);
+function Abandoned___unnamed_1_29794256Inv(int) returns (int);
+function _S_Abandoned___unnamed_1_29794256([int]bool) returns ([int]bool);
+function _S_Abandoned___unnamed_1_29794256Inv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Abandoned___unnamed_1_29794256Inv(Abandoned___unnamed_1_29794256(x))} Abandoned___unnamed_1_29794256Inv(Abandoned___unnamed_1_29794256(x)) == x);
+axiom (forall x:int :: {Abandoned___unnamed_1_29794256Inv(x)} Abandoned___unnamed_1_29794256(Abandoned___unnamed_1_29794256Inv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Abandoned___unnamed_1_29794256(S)[x]} _S_Abandoned___unnamed_1_29794256(S)[x] <==> S[Abandoned___unnamed_1_29794256Inv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Abandoned___unnamed_1_29794256Inv(S)[x]} _S_Abandoned___unnamed_1_29794256Inv(S)[x] <==> S[Abandoned___unnamed_1_29794256(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Abandoned___unnamed_1_29794256(S)} S[x] ==> _S_Abandoned___unnamed_1_29794256(S)[Abandoned___unnamed_1_29794256(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Abandoned___unnamed_1_29794256Inv(S)} S[x] ==> _S_Abandoned___unnamed_1_29794256Inv(S)[Abandoned___unnamed_1_29794256Inv(x)]);
+
+axiom (forall x:int :: {Abandoned___unnamed_1_29794256(x)} Abandoned___unnamed_1_29794256(x) == x + 0);
+axiom (forall x:int :: {Abandoned___unnamed_1_29794256Inv(x)} Abandoned___unnamed_1_29794256Inv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == Abandoned___unnamed_1_29794256Inv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == Abandoned___unnamed_1_29794256Inv(x));
+function Absolute___unnamed_1_29794256(int) returns (int);
+function Absolute___unnamed_1_29794256Inv(int) returns (int);
+function _S_Absolute___unnamed_1_29794256([int]bool) returns ([int]bool);
+function _S_Absolute___unnamed_1_29794256Inv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Absolute___unnamed_1_29794256Inv(Absolute___unnamed_1_29794256(x))} Absolute___unnamed_1_29794256Inv(Absolute___unnamed_1_29794256(x)) == x);
+axiom (forall x:int :: {Absolute___unnamed_1_29794256Inv(x)} Absolute___unnamed_1_29794256(Absolute___unnamed_1_29794256Inv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Absolute___unnamed_1_29794256(S)[x]} _S_Absolute___unnamed_1_29794256(S)[x] <==> S[Absolute___unnamed_1_29794256Inv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Absolute___unnamed_1_29794256Inv(S)[x]} _S_Absolute___unnamed_1_29794256Inv(S)[x] <==> S[Absolute___unnamed_1_29794256(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Absolute___unnamed_1_29794256(S)} S[x] ==> _S_Absolute___unnamed_1_29794256(S)[Absolute___unnamed_1_29794256(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Absolute___unnamed_1_29794256Inv(S)} S[x] ==> _S_Absolute___unnamed_1_29794256Inv(S)[Absolute___unnamed_1_29794256Inv(x)]);
+
+axiom (forall x:int :: {Absolute___unnamed_1_29794256(x)} Absolute___unnamed_1_29794256(x) == x + 0);
+axiom (forall x:int :: {Absolute___unnamed_1_29794256Inv(x)} Absolute___unnamed_1_29794256Inv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == Absolute___unnamed_1_29794256Inv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == Absolute___unnamed_1_29794256Inv(x));
+function AllocateTag__IO_REMOVE_LOCK_DBG_BLOCK(int) returns (int);
+function AllocateTag__IO_REMOVE_LOCK_DBG_BLOCKInv(int) returns (int);
+function _S_AllocateTag__IO_REMOVE_LOCK_DBG_BLOCK([int]bool) returns ([int]bool);
+function _S_AllocateTag__IO_REMOVE_LOCK_DBG_BLOCKInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {AllocateTag__IO_REMOVE_LOCK_DBG_BLOCKInv(AllocateTag__IO_REMOVE_LOCK_DBG_BLOCK(x))} AllocateTag__IO_REMOVE_LOCK_DBG_BLOCKInv(AllocateTag__IO_REMOVE_LOCK_DBG_BLOCK(x)) == x);
+axiom (forall x:int :: {AllocateTag__IO_REMOVE_LOCK_DBG_BLOCKInv(x)} AllocateTag__IO_REMOVE_LOCK_DBG_BLOCK(AllocateTag__IO_REMOVE_LOCK_DBG_BLOCKInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_AllocateTag__IO_REMOVE_LOCK_DBG_BLOCK(S)[x]} _S_AllocateTag__IO_REMOVE_LOCK_DBG_BLOCK(S)[x] <==> S[AllocateTag__IO_REMOVE_LOCK_DBG_BLOCKInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_AllocateTag__IO_REMOVE_LOCK_DBG_BLOCKInv(S)[x]} _S_AllocateTag__IO_REMOVE_LOCK_DBG_BLOCKInv(S)[x] <==> S[AllocateTag__IO_REMOVE_LOCK_DBG_BLOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_AllocateTag__IO_REMOVE_LOCK_DBG_BLOCK(S)} S[x] ==> _S_AllocateTag__IO_REMOVE_LOCK_DBG_BLOCK(S)[AllocateTag__IO_REMOVE_LOCK_DBG_BLOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_AllocateTag__IO_REMOVE_LOCK_DBG_BLOCKInv(S)} S[x] ==> _S_AllocateTag__IO_REMOVE_LOCK_DBG_BLOCKInv(S)[AllocateTag__IO_REMOVE_LOCK_DBG_BLOCKInv(x)]);
+
+axiom (forall x:int :: {AllocateTag__IO_REMOVE_LOCK_DBG_BLOCK(x)} AllocateTag__IO_REMOVE_LOCK_DBG_BLOCK(x) == x + 16);
+axiom (forall x:int :: {AllocateTag__IO_REMOVE_LOCK_DBG_BLOCKInv(x)} AllocateTag__IO_REMOVE_LOCK_DBG_BLOCKInv(x) == x - 16);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 16, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 16, 1) == AllocateTag__IO_REMOVE_LOCK_DBG_BLOCKInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 16)} MINUS_LEFT_PTR(x, 1, 16) == AllocateTag__IO_REMOVE_LOCK_DBG_BLOCKInv(x));
+function AllowDisable__DEVICE_EXTENSION(int) returns (int);
+function AllowDisable__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_AllowDisable__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_AllowDisable__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {AllowDisable__DEVICE_EXTENSIONInv(AllowDisable__DEVICE_EXTENSION(x))} AllowDisable__DEVICE_EXTENSIONInv(AllowDisable__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {AllowDisable__DEVICE_EXTENSIONInv(x)} AllowDisable__DEVICE_EXTENSION(AllowDisable__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_AllowDisable__DEVICE_EXTENSION(S)[x]} _S_AllowDisable__DEVICE_EXTENSION(S)[x] <==> S[AllowDisable__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_AllowDisable__DEVICE_EXTENSIONInv(S)[x]} _S_AllowDisable__DEVICE_EXTENSIONInv(S)[x] <==> S[AllowDisable__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_AllowDisable__DEVICE_EXTENSION(S)} S[x] ==> _S_AllowDisable__DEVICE_EXTENSION(S)[AllowDisable__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_AllowDisable__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_AllowDisable__DEVICE_EXTENSIONInv(S)[AllowDisable__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {AllowDisable__DEVICE_EXTENSION(x)} AllowDisable__DEVICE_EXTENSION(x) == x + 106);
+axiom (forall x:int :: {AllowDisable__DEVICE_EXTENSIONInv(x)} AllowDisable__DEVICE_EXTENSIONInv(x) == x - 106);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 106, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 106, 1) == AllowDisable__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 106)} MINUS_LEFT_PTR(x, 1, 106) == AllowDisable__DEVICE_EXTENSIONInv(x));
+function BaseClassName__GLOBALS(int) returns (int);
+function BaseClassName__GLOBALSInv(int) returns (int);
+function _S_BaseClassName__GLOBALS([int]bool) returns ([int]bool);
+function _S_BaseClassName__GLOBALSInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {BaseClassName__GLOBALSInv(BaseClassName__GLOBALS(x))} BaseClassName__GLOBALSInv(BaseClassName__GLOBALS(x)) == x);
+axiom (forall x:int :: {BaseClassName__GLOBALSInv(x)} BaseClassName__GLOBALS(BaseClassName__GLOBALSInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_BaseClassName__GLOBALS(S)[x]} _S_BaseClassName__GLOBALS(S)[x] <==> S[BaseClassName__GLOBALSInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_BaseClassName__GLOBALSInv(S)[x]} _S_BaseClassName__GLOBALSInv(S)[x] <==> S[BaseClassName__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_BaseClassName__GLOBALS(S)} S[x] ==> _S_BaseClassName__GLOBALS(S)[BaseClassName__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_BaseClassName__GLOBALSInv(S)} S[x] ==> _S_BaseClassName__GLOBALSInv(S)[BaseClassName__GLOBALSInv(x)]);
+
+axiom (forall x:int :: {BaseClassName__GLOBALS(x)} BaseClassName__GLOBALS(x) == x + 368);
+axiom (forall x:int :: {BaseClassName__GLOBALSInv(x)} BaseClassName__GLOBALSInv(x) == x - 368);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 368, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 368, 1) == BaseClassName__GLOBALSInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 368)} MINUS_LEFT_PTR(x, 1, 368) == BaseClassName__GLOBALSInv(x));
+function Blink__LIST_ENTRY(int) returns (int);
+function Blink__LIST_ENTRYInv(int) returns (int);
+function _S_Blink__LIST_ENTRY([int]bool) returns ([int]bool);
+function _S_Blink__LIST_ENTRYInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Blink__LIST_ENTRYInv(Blink__LIST_ENTRY(x))} Blink__LIST_ENTRYInv(Blink__LIST_ENTRY(x)) == x);
+axiom (forall x:int :: {Blink__LIST_ENTRYInv(x)} Blink__LIST_ENTRY(Blink__LIST_ENTRYInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Blink__LIST_ENTRY(S)[x]} _S_Blink__LIST_ENTRY(S)[x] <==> S[Blink__LIST_ENTRYInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Blink__LIST_ENTRYInv(S)[x]} _S_Blink__LIST_ENTRYInv(S)[x] <==> S[Blink__LIST_ENTRY(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Blink__LIST_ENTRY(S)} S[x] ==> _S_Blink__LIST_ENTRY(S)[Blink__LIST_ENTRY(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Blink__LIST_ENTRYInv(S)} S[x] ==> _S_Blink__LIST_ENTRYInv(S)[Blink__LIST_ENTRYInv(x)]);
+
+axiom (forall x:int :: {Blink__LIST_ENTRY(x)} Blink__LIST_ENTRY(x) == x + 4);
+axiom (forall x:int :: {Blink__LIST_ENTRYInv(x)} Blink__LIST_ENTRYInv(x) == x - 4);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1) == Blink__LIST_ENTRYInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 4)} MINUS_LEFT_PTR(x, 1, 4) == Blink__LIST_ENTRYInv(x));
+function Blocks__IO_REMOVE_LOCK_DBG_BLOCK(int) returns (int);
+function Blocks__IO_REMOVE_LOCK_DBG_BLOCKInv(int) returns (int);
+function _S_Blocks__IO_REMOVE_LOCK_DBG_BLOCK([int]bool) returns ([int]bool);
+function _S_Blocks__IO_REMOVE_LOCK_DBG_BLOCKInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Blocks__IO_REMOVE_LOCK_DBG_BLOCKInv(Blocks__IO_REMOVE_LOCK_DBG_BLOCK(x))} Blocks__IO_REMOVE_LOCK_DBG_BLOCKInv(Blocks__IO_REMOVE_LOCK_DBG_BLOCK(x)) == x);
+axiom (forall x:int :: {Blocks__IO_REMOVE_LOCK_DBG_BLOCKInv(x)} Blocks__IO_REMOVE_LOCK_DBG_BLOCK(Blocks__IO_REMOVE_LOCK_DBG_BLOCKInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Blocks__IO_REMOVE_LOCK_DBG_BLOCK(S)[x]} _S_Blocks__IO_REMOVE_LOCK_DBG_BLOCK(S)[x] <==> S[Blocks__IO_REMOVE_LOCK_DBG_BLOCKInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Blocks__IO_REMOVE_LOCK_DBG_BLOCKInv(S)[x]} _S_Blocks__IO_REMOVE_LOCK_DBG_BLOCKInv(S)[x] <==> S[Blocks__IO_REMOVE_LOCK_DBG_BLOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Blocks__IO_REMOVE_LOCK_DBG_BLOCK(S)} S[x] ==> _S_Blocks__IO_REMOVE_LOCK_DBG_BLOCK(S)[Blocks__IO_REMOVE_LOCK_DBG_BLOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Blocks__IO_REMOVE_LOCK_DBG_BLOCKInv(S)} S[x] ==> _S_Blocks__IO_REMOVE_LOCK_DBG_BLOCKInv(S)[Blocks__IO_REMOVE_LOCK_DBG_BLOCKInv(x)]);
+
+axiom (forall x:int :: {Blocks__IO_REMOVE_LOCK_DBG_BLOCK(x)} Blocks__IO_REMOVE_LOCK_DBG_BLOCK(x) == x + 56);
+axiom (forall x:int :: {Blocks__IO_REMOVE_LOCK_DBG_BLOCKInv(x)} Blocks__IO_REMOVE_LOCK_DBG_BLOCKInv(x) == x - 56);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 56, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 56, 1) == Blocks__IO_REMOVE_LOCK_DBG_BLOCKInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 56)} MINUS_LEFT_PTR(x, 1, 56) == Blocks__IO_REMOVE_LOCK_DBG_BLOCKInv(x));
+function Buffer__UNICODE_STRING(int) returns (int);
+function Buffer__UNICODE_STRINGInv(int) returns (int);
+function _S_Buffer__UNICODE_STRING([int]bool) returns ([int]bool);
+function _S_Buffer__UNICODE_STRINGInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Buffer__UNICODE_STRINGInv(Buffer__UNICODE_STRING(x))} Buffer__UNICODE_STRINGInv(Buffer__UNICODE_STRING(x)) == x);
+axiom (forall x:int :: {Buffer__UNICODE_STRINGInv(x)} Buffer__UNICODE_STRING(Buffer__UNICODE_STRINGInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Buffer__UNICODE_STRING(S)[x]} _S_Buffer__UNICODE_STRING(S)[x] <==> S[Buffer__UNICODE_STRINGInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Buffer__UNICODE_STRINGInv(S)[x]} _S_Buffer__UNICODE_STRINGInv(S)[x] <==> S[Buffer__UNICODE_STRING(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Buffer__UNICODE_STRING(S)} S[x] ==> _S_Buffer__UNICODE_STRING(S)[Buffer__UNICODE_STRING(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Buffer__UNICODE_STRINGInv(S)} S[x] ==> _S_Buffer__UNICODE_STRINGInv(S)[Buffer__UNICODE_STRINGInv(x)]);
+
+axiom (forall x:int :: {Buffer__UNICODE_STRING(x)} Buffer__UNICODE_STRING(x) == x + 4);
+axiom (forall x:int :: {Buffer__UNICODE_STRINGInv(x)} Buffer__UNICODE_STRINGInv(x) == x - 4);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1) == Buffer__UNICODE_STRINGInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 4)} MINUS_LEFT_PTR(x, 1, 4) == Buffer__UNICODE_STRINGInv(x));
+function Common__IO_REMOVE_LOCK(int) returns (int);
+function Common__IO_REMOVE_LOCKInv(int) returns (int);
+function _S_Common__IO_REMOVE_LOCK([int]bool) returns ([int]bool);
+function _S_Common__IO_REMOVE_LOCKInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Common__IO_REMOVE_LOCKInv(Common__IO_REMOVE_LOCK(x))} Common__IO_REMOVE_LOCKInv(Common__IO_REMOVE_LOCK(x)) == x);
+axiom (forall x:int :: {Common__IO_REMOVE_LOCKInv(x)} Common__IO_REMOVE_LOCK(Common__IO_REMOVE_LOCKInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Common__IO_REMOVE_LOCK(S)[x]} _S_Common__IO_REMOVE_LOCK(S)[x] <==> S[Common__IO_REMOVE_LOCKInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Common__IO_REMOVE_LOCKInv(S)[x]} _S_Common__IO_REMOVE_LOCKInv(S)[x] <==> S[Common__IO_REMOVE_LOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Common__IO_REMOVE_LOCK(S)} S[x] ==> _S_Common__IO_REMOVE_LOCK(S)[Common__IO_REMOVE_LOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Common__IO_REMOVE_LOCKInv(S)} S[x] ==> _S_Common__IO_REMOVE_LOCKInv(S)[Common__IO_REMOVE_LOCKInv(x)]);
+
+axiom (forall x:int :: {Common__IO_REMOVE_LOCK(x)} Common__IO_REMOVE_LOCK(x) == x + 0);
+axiom (forall x:int :: {Common__IO_REMOVE_LOCKInv(x)} Common__IO_REMOVE_LOCKInv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == Common__IO_REMOVE_LOCKInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == Common__IO_REMOVE_LOCKInv(x));
+function ConnectOneClassToOnePort__GLOBALS(int) returns (int);
+function ConnectOneClassToOnePort__GLOBALSInv(int) returns (int);
+function _S_ConnectOneClassToOnePort__GLOBALS([int]bool) returns ([int]bool);
+function _S_ConnectOneClassToOnePort__GLOBALSInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {ConnectOneClassToOnePort__GLOBALSInv(ConnectOneClassToOnePort__GLOBALS(x))} ConnectOneClassToOnePort__GLOBALSInv(ConnectOneClassToOnePort__GLOBALS(x)) == x);
+axiom (forall x:int :: {ConnectOneClassToOnePort__GLOBALSInv(x)} ConnectOneClassToOnePort__GLOBALS(ConnectOneClassToOnePort__GLOBALSInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_ConnectOneClassToOnePort__GLOBALS(S)[x]} _S_ConnectOneClassToOnePort__GLOBALS(S)[x] <==> S[ConnectOneClassToOnePort__GLOBALSInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_ConnectOneClassToOnePort__GLOBALSInv(S)[x]} _S_ConnectOneClassToOnePort__GLOBALSInv(S)[x] <==> S[ConnectOneClassToOnePort__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_ConnectOneClassToOnePort__GLOBALS(S)} S[x] ==> _S_ConnectOneClassToOnePort__GLOBALS(S)[ConnectOneClassToOnePort__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_ConnectOneClassToOnePort__GLOBALSInv(S)} S[x] ==> _S_ConnectOneClassToOnePort__GLOBALSInv(S)[ConnectOneClassToOnePort__GLOBALSInv(x)]);
+
+axiom (forall x:int :: {ConnectOneClassToOnePort__GLOBALS(x)} ConnectOneClassToOnePort__GLOBALS(x) == x + 56);
+axiom (forall x:int :: {ConnectOneClassToOnePort__GLOBALSInv(x)} ConnectOneClassToOnePort__GLOBALSInv(x) == x - 56);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 56, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 56, 1) == ConnectOneClassToOnePort__GLOBALSInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 56)} MINUS_LEFT_PTR(x, 1, 56) == ConnectOneClassToOnePort__GLOBALSInv(x));
+function DataIn__DEVICE_EXTENSION(int) returns (int);
+function DataIn__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_DataIn__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_DataIn__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {DataIn__DEVICE_EXTENSIONInv(DataIn__DEVICE_EXTENSION(x))} DataIn__DEVICE_EXTENSIONInv(DataIn__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {DataIn__DEVICE_EXTENSIONInv(x)} DataIn__DEVICE_EXTENSION(DataIn__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_DataIn__DEVICE_EXTENSION(S)[x]} _S_DataIn__DEVICE_EXTENSION(S)[x] <==> S[DataIn__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_DataIn__DEVICE_EXTENSIONInv(S)[x]} _S_DataIn__DEVICE_EXTENSIONInv(S)[x] <==> S[DataIn__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_DataIn__DEVICE_EXTENSION(S)} S[x] ==> _S_DataIn__DEVICE_EXTENSION(S)[DataIn__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_DataIn__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_DataIn__DEVICE_EXTENSIONInv(S)[DataIn__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {DataIn__DEVICE_EXTENSION(x)} DataIn__DEVICE_EXTENSION(x) == x + 132);
+axiom (forall x:int :: {DataIn__DEVICE_EXTENSIONInv(x)} DataIn__DEVICE_EXTENSIONInv(x) == x - 132);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 132, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 132, 1) == DataIn__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 132)} MINUS_LEFT_PTR(x, 1, 132) == DataIn__DEVICE_EXTENSIONInv(x));
+function DataOut__DEVICE_EXTENSION(int) returns (int);
+function DataOut__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_DataOut__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_DataOut__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {DataOut__DEVICE_EXTENSIONInv(DataOut__DEVICE_EXTENSION(x))} DataOut__DEVICE_EXTENSIONInv(DataOut__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {DataOut__DEVICE_EXTENSIONInv(x)} DataOut__DEVICE_EXTENSION(DataOut__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_DataOut__DEVICE_EXTENSION(S)[x]} _S_DataOut__DEVICE_EXTENSION(S)[x] <==> S[DataOut__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_DataOut__DEVICE_EXTENSIONInv(S)[x]} _S_DataOut__DEVICE_EXTENSIONInv(S)[x] <==> S[DataOut__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_DataOut__DEVICE_EXTENSION(S)} S[x] ==> _S_DataOut__DEVICE_EXTENSION(S)[DataOut__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_DataOut__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_DataOut__DEVICE_EXTENSIONInv(S)[DataOut__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {DataOut__DEVICE_EXTENSION(x)} DataOut__DEVICE_EXTENSION(x) == x + 136);
+axiom (forall x:int :: {DataOut__DEVICE_EXTENSIONInv(x)} DataOut__DEVICE_EXTENSIONInv(x) == x - 136);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 136, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 136, 1) == DataOut__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 136)} MINUS_LEFT_PTR(x, 1, 136) == DataOut__DEVICE_EXTENSIONInv(x));
+function Dbg__IO_REMOVE_LOCK(int) returns (int);
+function Dbg__IO_REMOVE_LOCKInv(int) returns (int);
+function _S_Dbg__IO_REMOVE_LOCK([int]bool) returns ([int]bool);
+function _S_Dbg__IO_REMOVE_LOCKInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Dbg__IO_REMOVE_LOCKInv(Dbg__IO_REMOVE_LOCK(x))} Dbg__IO_REMOVE_LOCKInv(Dbg__IO_REMOVE_LOCK(x)) == x);
+axiom (forall x:int :: {Dbg__IO_REMOVE_LOCKInv(x)} Dbg__IO_REMOVE_LOCK(Dbg__IO_REMOVE_LOCKInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Dbg__IO_REMOVE_LOCK(S)[x]} _S_Dbg__IO_REMOVE_LOCK(S)[x] <==> S[Dbg__IO_REMOVE_LOCKInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Dbg__IO_REMOVE_LOCKInv(S)[x]} _S_Dbg__IO_REMOVE_LOCKInv(S)[x] <==> S[Dbg__IO_REMOVE_LOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Dbg__IO_REMOVE_LOCK(S)} S[x] ==> _S_Dbg__IO_REMOVE_LOCK(S)[Dbg__IO_REMOVE_LOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Dbg__IO_REMOVE_LOCKInv(S)} S[x] ==> _S_Dbg__IO_REMOVE_LOCKInv(S)[Dbg__IO_REMOVE_LOCKInv(x)]);
+
+axiom (forall x:int :: {Dbg__IO_REMOVE_LOCK(x)} Dbg__IO_REMOVE_LOCK(x) == x + 24);
+axiom (forall x:int :: {Dbg__IO_REMOVE_LOCKInv(x)} Dbg__IO_REMOVE_LOCKInv(x) == x - 24);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 24, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 24, 1) == Dbg__IO_REMOVE_LOCKInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 24)} MINUS_LEFT_PTR(x, 1, 24) == Dbg__IO_REMOVE_LOCKInv(x));
+function DebugActive___unnamed_1_2dc63b48(int) returns (int);
+function DebugActive___unnamed_1_2dc63b48Inv(int) returns (int);
+function _S_DebugActive___unnamed_1_2dc63b48([int]bool) returns ([int]bool);
+function _S_DebugActive___unnamed_1_2dc63b48Inv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {DebugActive___unnamed_1_2dc63b48Inv(DebugActive___unnamed_1_2dc63b48(x))} DebugActive___unnamed_1_2dc63b48Inv(DebugActive___unnamed_1_2dc63b48(x)) == x);
+axiom (forall x:int :: {DebugActive___unnamed_1_2dc63b48Inv(x)} DebugActive___unnamed_1_2dc63b48(DebugActive___unnamed_1_2dc63b48Inv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_DebugActive___unnamed_1_2dc63b48(S)[x]} _S_DebugActive___unnamed_1_2dc63b48(S)[x] <==> S[DebugActive___unnamed_1_2dc63b48Inv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_DebugActive___unnamed_1_2dc63b48Inv(S)[x]} _S_DebugActive___unnamed_1_2dc63b48Inv(S)[x] <==> S[DebugActive___unnamed_1_2dc63b48(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_DebugActive___unnamed_1_2dc63b48(S)} S[x] ==> _S_DebugActive___unnamed_1_2dc63b48(S)[DebugActive___unnamed_1_2dc63b48(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_DebugActive___unnamed_1_2dc63b48Inv(S)} S[x] ==> _S_DebugActive___unnamed_1_2dc63b48Inv(S)[DebugActive___unnamed_1_2dc63b48Inv(x)]);
+
+axiom (forall x:int :: {DebugActive___unnamed_1_2dc63b48(x)} DebugActive___unnamed_1_2dc63b48(x) == x + 0);
+axiom (forall x:int :: {DebugActive___unnamed_1_2dc63b48Inv(x)} DebugActive___unnamed_1_2dc63b48Inv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == DebugActive___unnamed_1_2dc63b48Inv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == DebugActive___unnamed_1_2dc63b48Inv(x));
+function Delay__KEYBOARD_TYPEMATIC_PARAMETERS(int) returns (int);
+function Delay__KEYBOARD_TYPEMATIC_PARAMETERSInv(int) returns (int);
+function _S_Delay__KEYBOARD_TYPEMATIC_PARAMETERS([int]bool) returns ([int]bool);
+function _S_Delay__KEYBOARD_TYPEMATIC_PARAMETERSInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Delay__KEYBOARD_TYPEMATIC_PARAMETERSInv(Delay__KEYBOARD_TYPEMATIC_PARAMETERS(x))} Delay__KEYBOARD_TYPEMATIC_PARAMETERSInv(Delay__KEYBOARD_TYPEMATIC_PARAMETERS(x)) == x);
+axiom (forall x:int :: {Delay__KEYBOARD_TYPEMATIC_PARAMETERSInv(x)} Delay__KEYBOARD_TYPEMATIC_PARAMETERS(Delay__KEYBOARD_TYPEMATIC_PARAMETERSInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Delay__KEYBOARD_TYPEMATIC_PARAMETERS(S)[x]} _S_Delay__KEYBOARD_TYPEMATIC_PARAMETERS(S)[x] <==> S[Delay__KEYBOARD_TYPEMATIC_PARAMETERSInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Delay__KEYBOARD_TYPEMATIC_PARAMETERSInv(S)[x]} _S_Delay__KEYBOARD_TYPEMATIC_PARAMETERSInv(S)[x] <==> S[Delay__KEYBOARD_TYPEMATIC_PARAMETERS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Delay__KEYBOARD_TYPEMATIC_PARAMETERS(S)} S[x] ==> _S_Delay__KEYBOARD_TYPEMATIC_PARAMETERS(S)[Delay__KEYBOARD_TYPEMATIC_PARAMETERS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Delay__KEYBOARD_TYPEMATIC_PARAMETERSInv(S)} S[x] ==> _S_Delay__KEYBOARD_TYPEMATIC_PARAMETERSInv(S)[Delay__KEYBOARD_TYPEMATIC_PARAMETERSInv(x)]);
+
+axiom (forall x:int :: {Delay__KEYBOARD_TYPEMATIC_PARAMETERS(x)} Delay__KEYBOARD_TYPEMATIC_PARAMETERS(x) == x + 4);
+axiom (forall x:int :: {Delay__KEYBOARD_TYPEMATIC_PARAMETERSInv(x)} Delay__KEYBOARD_TYPEMATIC_PARAMETERSInv(x) == x - 4);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1) == Delay__KEYBOARD_TYPEMATIC_PARAMETERSInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 4)} MINUS_LEFT_PTR(x, 1, 4) == Delay__KEYBOARD_TYPEMATIC_PARAMETERSInv(x));
+function DeviceExtension__DEVICE_OBJECT(int) returns (int);
+function DeviceExtension__DEVICE_OBJECTInv(int) returns (int);
+function _S_DeviceExtension__DEVICE_OBJECT([int]bool) returns ([int]bool);
+function _S_DeviceExtension__DEVICE_OBJECTInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {DeviceExtension__DEVICE_OBJECTInv(DeviceExtension__DEVICE_OBJECT(x))} DeviceExtension__DEVICE_OBJECTInv(DeviceExtension__DEVICE_OBJECT(x)) == x);
+axiom (forall x:int :: {DeviceExtension__DEVICE_OBJECTInv(x)} DeviceExtension__DEVICE_OBJECT(DeviceExtension__DEVICE_OBJECTInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_DeviceExtension__DEVICE_OBJECT(S)[x]} _S_DeviceExtension__DEVICE_OBJECT(S)[x] <==> S[DeviceExtension__DEVICE_OBJECTInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_DeviceExtension__DEVICE_OBJECTInv(S)[x]} _S_DeviceExtension__DEVICE_OBJECTInv(S)[x] <==> S[DeviceExtension__DEVICE_OBJECT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_DeviceExtension__DEVICE_OBJECT(S)} S[x] ==> _S_DeviceExtension__DEVICE_OBJECT(S)[DeviceExtension__DEVICE_OBJECT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_DeviceExtension__DEVICE_OBJECTInv(S)} S[x] ==> _S_DeviceExtension__DEVICE_OBJECTInv(S)[DeviceExtension__DEVICE_OBJECTInv(x)]);
+
+axiom (forall x:int :: {DeviceExtension__DEVICE_OBJECT(x)} DeviceExtension__DEVICE_OBJECT(x) == x + 40);
+axiom (forall x:int :: {DeviceExtension__DEVICE_OBJECTInv(x)} DeviceExtension__DEVICE_OBJECTInv(x) == x - 40);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 40, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 40, 1) == DeviceExtension__DEVICE_OBJECTInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 40)} MINUS_LEFT_PTR(x, 1, 40) == DeviceExtension__DEVICE_OBJECTInv(x));
+function DeviceState__DEVICE_EXTENSION(int) returns (int);
+function DeviceState__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_DeviceState__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_DeviceState__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {DeviceState__DEVICE_EXTENSIONInv(DeviceState__DEVICE_EXTENSION(x))} DeviceState__DEVICE_EXTENSIONInv(DeviceState__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {DeviceState__DEVICE_EXTENSIONInv(x)} DeviceState__DEVICE_EXTENSION(DeviceState__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_DeviceState__DEVICE_EXTENSION(S)[x]} _S_DeviceState__DEVICE_EXTENSION(S)[x] <==> S[DeviceState__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_DeviceState__DEVICE_EXTENSIONInv(S)[x]} _S_DeviceState__DEVICE_EXTENSIONInv(S)[x] <==> S[DeviceState__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_DeviceState__DEVICE_EXTENSION(S)} S[x] ==> _S_DeviceState__DEVICE_EXTENSION(S)[DeviceState__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_DeviceState__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_DeviceState__DEVICE_EXTENSIONInv(S)[DeviceState__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {DeviceState__DEVICE_EXTENSION(x)} DeviceState__DEVICE_EXTENSION(x) == x + 188);
+axiom (forall x:int :: {DeviceState__DEVICE_EXTENSIONInv(x)} DeviceState__DEVICE_EXTENSIONInv(x) == x - 188);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 188, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 188, 1) == DeviceState__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 188)} MINUS_LEFT_PTR(x, 1, 188) == DeviceState__DEVICE_EXTENSIONInv(x));
+function DpcActive___unnamed_1_2dc63b48(int) returns (int);
+function DpcActive___unnamed_1_2dc63b48Inv(int) returns (int);
+function _S_DpcActive___unnamed_1_2dc63b48([int]bool) returns ([int]bool);
+function _S_DpcActive___unnamed_1_2dc63b48Inv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {DpcActive___unnamed_1_2dc63b48Inv(DpcActive___unnamed_1_2dc63b48(x))} DpcActive___unnamed_1_2dc63b48Inv(DpcActive___unnamed_1_2dc63b48(x)) == x);
+axiom (forall x:int :: {DpcActive___unnamed_1_2dc63b48Inv(x)} DpcActive___unnamed_1_2dc63b48(DpcActive___unnamed_1_2dc63b48Inv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_DpcActive___unnamed_1_2dc63b48(S)[x]} _S_DpcActive___unnamed_1_2dc63b48(S)[x] <==> S[DpcActive___unnamed_1_2dc63b48Inv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_DpcActive___unnamed_1_2dc63b48Inv(S)[x]} _S_DpcActive___unnamed_1_2dc63b48Inv(S)[x] <==> S[DpcActive___unnamed_1_2dc63b48(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_DpcActive___unnamed_1_2dc63b48(S)} S[x] ==> _S_DpcActive___unnamed_1_2dc63b48(S)[DpcActive___unnamed_1_2dc63b48(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_DpcActive___unnamed_1_2dc63b48Inv(S)} S[x] ==> _S_DpcActive___unnamed_1_2dc63b48Inv(S)[DpcActive___unnamed_1_2dc63b48Inv(x)]);
+
+axiom (forall x:int :: {DpcActive___unnamed_1_2dc63b48(x)} DpcActive___unnamed_1_2dc63b48(x) == x + 0);
+axiom (forall x:int :: {DpcActive___unnamed_1_2dc63b48Inv(x)} DpcActive___unnamed_1_2dc63b48Inv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == DpcActive___unnamed_1_2dc63b48Inv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == DpcActive___unnamed_1_2dc63b48Inv(x));
+function Enabled__DEVICE_EXTENSION(int) returns (int);
+function Enabled__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_Enabled__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_Enabled__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Enabled__DEVICE_EXTENSIONInv(Enabled__DEVICE_EXTENSION(x))} Enabled__DEVICE_EXTENSIONInv(Enabled__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {Enabled__DEVICE_EXTENSIONInv(x)} Enabled__DEVICE_EXTENSION(Enabled__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Enabled__DEVICE_EXTENSION(S)[x]} _S_Enabled__DEVICE_EXTENSION(S)[x] <==> S[Enabled__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Enabled__DEVICE_EXTENSIONInv(S)[x]} _S_Enabled__DEVICE_EXTENSIONInv(S)[x] <==> S[Enabled__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Enabled__DEVICE_EXTENSION(S)} S[x] ==> _S_Enabled__DEVICE_EXTENSION(S)[Enabled__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Enabled__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_Enabled__DEVICE_EXTENSIONInv(S)[Enabled__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {Enabled__DEVICE_EXTENSION(x)} Enabled__DEVICE_EXTENSION(x) == x + 284);
+axiom (forall x:int :: {Enabled__DEVICE_EXTENSIONInv(x)} Enabled__DEVICE_EXTENSIONInv(x) == x - 284);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 284, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 284, 1) == Enabled__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 284)} MINUS_LEFT_PTR(x, 1, 284) == Enabled__DEVICE_EXTENSIONInv(x));
+function ExecuteWmiMethod__WMILIB_CONTEXT(int) returns (int);
+function ExecuteWmiMethod__WMILIB_CONTEXTInv(int) returns (int);
+function _S_ExecuteWmiMethod__WMILIB_CONTEXT([int]bool) returns ([int]bool);
+function _S_ExecuteWmiMethod__WMILIB_CONTEXTInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {ExecuteWmiMethod__WMILIB_CONTEXTInv(ExecuteWmiMethod__WMILIB_CONTEXT(x))} ExecuteWmiMethod__WMILIB_CONTEXTInv(ExecuteWmiMethod__WMILIB_CONTEXT(x)) == x);
+axiom (forall x:int :: {ExecuteWmiMethod__WMILIB_CONTEXTInv(x)} ExecuteWmiMethod__WMILIB_CONTEXT(ExecuteWmiMethod__WMILIB_CONTEXTInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_ExecuteWmiMethod__WMILIB_CONTEXT(S)[x]} _S_ExecuteWmiMethod__WMILIB_CONTEXT(S)[x] <==> S[ExecuteWmiMethod__WMILIB_CONTEXTInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_ExecuteWmiMethod__WMILIB_CONTEXTInv(S)[x]} _S_ExecuteWmiMethod__WMILIB_CONTEXTInv(S)[x] <==> S[ExecuteWmiMethod__WMILIB_CONTEXT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_ExecuteWmiMethod__WMILIB_CONTEXT(S)} S[x] ==> _S_ExecuteWmiMethod__WMILIB_CONTEXT(S)[ExecuteWmiMethod__WMILIB_CONTEXT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_ExecuteWmiMethod__WMILIB_CONTEXTInv(S)} S[x] ==> _S_ExecuteWmiMethod__WMILIB_CONTEXTInv(S)[ExecuteWmiMethod__WMILIB_CONTEXTInv(x)]);
+
+axiom (forall x:int :: {ExecuteWmiMethod__WMILIB_CONTEXT(x)} ExecuteWmiMethod__WMILIB_CONTEXT(x) == x + 24);
+axiom (forall x:int :: {ExecuteWmiMethod__WMILIB_CONTEXTInv(x)} ExecuteWmiMethod__WMILIB_CONTEXTInv(x) == x - 24);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 24, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 24, 1) == ExecuteWmiMethod__WMILIB_CONTEXTInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 24)} MINUS_LEFT_PTR(x, 1, 24) == ExecuteWmiMethod__WMILIB_CONTEXTInv(x));
+function ExtraWaitWakeIrp__DEVICE_EXTENSION(int) returns (int);
+function ExtraWaitWakeIrp__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_ExtraWaitWakeIrp__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_ExtraWaitWakeIrp__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {ExtraWaitWakeIrp__DEVICE_EXTENSIONInv(ExtraWaitWakeIrp__DEVICE_EXTENSION(x))} ExtraWaitWakeIrp__DEVICE_EXTENSIONInv(ExtraWaitWakeIrp__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {ExtraWaitWakeIrp__DEVICE_EXTENSIONInv(x)} ExtraWaitWakeIrp__DEVICE_EXTENSION(ExtraWaitWakeIrp__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_ExtraWaitWakeIrp__DEVICE_EXTENSION(S)[x]} _S_ExtraWaitWakeIrp__DEVICE_EXTENSION(S)[x] <==> S[ExtraWaitWakeIrp__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_ExtraWaitWakeIrp__DEVICE_EXTENSIONInv(S)[x]} _S_ExtraWaitWakeIrp__DEVICE_EXTENSIONInv(S)[x] <==> S[ExtraWaitWakeIrp__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_ExtraWaitWakeIrp__DEVICE_EXTENSION(S)} S[x] ==> _S_ExtraWaitWakeIrp__DEVICE_EXTENSION(S)[ExtraWaitWakeIrp__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_ExtraWaitWakeIrp__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_ExtraWaitWakeIrp__DEVICE_EXTENSIONInv(S)[ExtraWaitWakeIrp__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {ExtraWaitWakeIrp__DEVICE_EXTENSION(x)} ExtraWaitWakeIrp__DEVICE_EXTENSION(x) == x + 264);
+axiom (forall x:int :: {ExtraWaitWakeIrp__DEVICE_EXTENSIONInv(x)} ExtraWaitWakeIrp__DEVICE_EXTENSIONInv(x) == x - 264);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 264, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 264, 1) == ExtraWaitWakeIrp__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 264)} MINUS_LEFT_PTR(x, 1, 264) == ExtraWaitWakeIrp__DEVICE_EXTENSIONInv(x));
+function File__DEVICE_EXTENSION(int) returns (int);
+function File__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_File__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_File__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {File__DEVICE_EXTENSIONInv(File__DEVICE_EXTENSION(x))} File__DEVICE_EXTENSIONInv(File__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {File__DEVICE_EXTENSIONInv(x)} File__DEVICE_EXTENSION(File__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_File__DEVICE_EXTENSION(S)[x]} _S_File__DEVICE_EXTENSION(S)[x] <==> S[File__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_File__DEVICE_EXTENSIONInv(S)[x]} _S_File__DEVICE_EXTENSIONInv(S)[x] <==> S[File__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_File__DEVICE_EXTENSION(S)} S[x] ==> _S_File__DEVICE_EXTENSION(S)[File__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_File__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_File__DEVICE_EXTENSIONInv(S)[File__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {File__DEVICE_EXTENSION(x)} File__DEVICE_EXTENSION(x) == x + 280);
+axiom (forall x:int :: {File__DEVICE_EXTENSIONInv(x)} File__DEVICE_EXTENSIONInv(x) == x - 280);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 280, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 280, 1) == File__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 280)} MINUS_LEFT_PTR(x, 1, 280) == File__DEVICE_EXTENSIONInv(x));
+function Flags__DEVICE_OBJECT(int) returns (int);
+function Flags__DEVICE_OBJECTInv(int) returns (int);
+function _S_Flags__DEVICE_OBJECT([int]bool) returns ([int]bool);
+function _S_Flags__DEVICE_OBJECTInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Flags__DEVICE_OBJECTInv(Flags__DEVICE_OBJECT(x))} Flags__DEVICE_OBJECTInv(Flags__DEVICE_OBJECT(x)) == x);
+axiom (forall x:int :: {Flags__DEVICE_OBJECTInv(x)} Flags__DEVICE_OBJECT(Flags__DEVICE_OBJECTInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Flags__DEVICE_OBJECT(S)[x]} _S_Flags__DEVICE_OBJECT(S)[x] <==> S[Flags__DEVICE_OBJECTInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Flags__DEVICE_OBJECTInv(S)[x]} _S_Flags__DEVICE_OBJECTInv(S)[x] <==> S[Flags__DEVICE_OBJECT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Flags__DEVICE_OBJECT(S)} S[x] ==> _S_Flags__DEVICE_OBJECT(S)[Flags__DEVICE_OBJECT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Flags__DEVICE_OBJECTInv(S)} S[x] ==> _S_Flags__DEVICE_OBJECTInv(S)[Flags__DEVICE_OBJECTInv(x)]);
+
+axiom (forall x:int :: {Flags__DEVICE_OBJECT(x)} Flags__DEVICE_OBJECT(x) == x + 28);
+axiom (forall x:int :: {Flags__DEVICE_OBJECTInv(x)} Flags__DEVICE_OBJECTInv(x) == x - 28);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 28, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 28, 1) == Flags__DEVICE_OBJECTInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 28)} MINUS_LEFT_PTR(x, 1, 28) == Flags__DEVICE_OBJECTInv(x));
+function Flink__LIST_ENTRY(int) returns (int);
+function Flink__LIST_ENTRYInv(int) returns (int);
+function _S_Flink__LIST_ENTRY([int]bool) returns ([int]bool);
+function _S_Flink__LIST_ENTRYInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Flink__LIST_ENTRYInv(Flink__LIST_ENTRY(x))} Flink__LIST_ENTRYInv(Flink__LIST_ENTRY(x)) == x);
+axiom (forall x:int :: {Flink__LIST_ENTRYInv(x)} Flink__LIST_ENTRY(Flink__LIST_ENTRYInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Flink__LIST_ENTRY(S)[x]} _S_Flink__LIST_ENTRY(S)[x] <==> S[Flink__LIST_ENTRYInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Flink__LIST_ENTRYInv(S)[x]} _S_Flink__LIST_ENTRYInv(S)[x] <==> S[Flink__LIST_ENTRY(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Flink__LIST_ENTRY(S)} S[x] ==> _S_Flink__LIST_ENTRY(S)[Flink__LIST_ENTRY(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Flink__LIST_ENTRYInv(S)} S[x] ==> _S_Flink__LIST_ENTRYInv(S)[Flink__LIST_ENTRYInv(x)]);
+
+axiom (forall x:int :: {Flink__LIST_ENTRY(x)} Flink__LIST_ENTRY(x) == x + 0);
+axiom (forall x:int :: {Flink__LIST_ENTRYInv(x)} Flink__LIST_ENTRYInv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == Flink__LIST_ENTRYInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == Flink__LIST_ENTRYInv(x));
+function GrandMaster__GLOBALS(int) returns (int);
+function GrandMaster__GLOBALSInv(int) returns (int);
+function _S_GrandMaster__GLOBALS([int]bool) returns ([int]bool);
+function _S_GrandMaster__GLOBALSInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {GrandMaster__GLOBALSInv(GrandMaster__GLOBALS(x))} GrandMaster__GLOBALSInv(GrandMaster__GLOBALS(x)) == x);
+axiom (forall x:int :: {GrandMaster__GLOBALSInv(x)} GrandMaster__GLOBALS(GrandMaster__GLOBALSInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_GrandMaster__GLOBALS(S)[x]} _S_GrandMaster__GLOBALS(S)[x] <==> S[GrandMaster__GLOBALSInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_GrandMaster__GLOBALSInv(S)[x]} _S_GrandMaster__GLOBALSInv(S)[x] <==> S[GrandMaster__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_GrandMaster__GLOBALS(S)} S[x] ==> _S_GrandMaster__GLOBALS(S)[GrandMaster__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_GrandMaster__GLOBALSInv(S)} S[x] ==> _S_GrandMaster__GLOBALSInv(S)[GrandMaster__GLOBALSInv(x)]);
+
+axiom (forall x:int :: {GrandMaster__GLOBALS(x)} GrandMaster__GLOBALS(x) == x + 4);
+axiom (forall x:int :: {GrandMaster__GLOBALSInv(x)} GrandMaster__GLOBALSInv(x) == x - 4);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1) == GrandMaster__GLOBALSInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 4)} MINUS_LEFT_PTR(x, 1, 4) == GrandMaster__GLOBALSInv(x));
+function GuidCount__WMILIB_CONTEXT(int) returns (int);
+function GuidCount__WMILIB_CONTEXTInv(int) returns (int);
+function _S_GuidCount__WMILIB_CONTEXT([int]bool) returns ([int]bool);
+function _S_GuidCount__WMILIB_CONTEXTInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {GuidCount__WMILIB_CONTEXTInv(GuidCount__WMILIB_CONTEXT(x))} GuidCount__WMILIB_CONTEXTInv(GuidCount__WMILIB_CONTEXT(x)) == x);
+axiom (forall x:int :: {GuidCount__WMILIB_CONTEXTInv(x)} GuidCount__WMILIB_CONTEXT(GuidCount__WMILIB_CONTEXTInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_GuidCount__WMILIB_CONTEXT(S)[x]} _S_GuidCount__WMILIB_CONTEXT(S)[x] <==> S[GuidCount__WMILIB_CONTEXTInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_GuidCount__WMILIB_CONTEXTInv(S)[x]} _S_GuidCount__WMILIB_CONTEXTInv(S)[x] <==> S[GuidCount__WMILIB_CONTEXT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_GuidCount__WMILIB_CONTEXT(S)} S[x] ==> _S_GuidCount__WMILIB_CONTEXT(S)[GuidCount__WMILIB_CONTEXT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_GuidCount__WMILIB_CONTEXTInv(S)} S[x] ==> _S_GuidCount__WMILIB_CONTEXTInv(S)[GuidCount__WMILIB_CONTEXTInv(x)]);
+
+axiom (forall x:int :: {GuidCount__WMILIB_CONTEXT(x)} GuidCount__WMILIB_CONTEXT(x) == x + 0);
+axiom (forall x:int :: {GuidCount__WMILIB_CONTEXTInv(x)} GuidCount__WMILIB_CONTEXTInv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == GuidCount__WMILIB_CONTEXTInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == GuidCount__WMILIB_CONTEXTInv(x));
+function GuidList__WMILIB_CONTEXT(int) returns (int);
+function GuidList__WMILIB_CONTEXTInv(int) returns (int);
+function _S_GuidList__WMILIB_CONTEXT([int]bool) returns ([int]bool);
+function _S_GuidList__WMILIB_CONTEXTInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {GuidList__WMILIB_CONTEXTInv(GuidList__WMILIB_CONTEXT(x))} GuidList__WMILIB_CONTEXTInv(GuidList__WMILIB_CONTEXT(x)) == x);
+axiom (forall x:int :: {GuidList__WMILIB_CONTEXTInv(x)} GuidList__WMILIB_CONTEXT(GuidList__WMILIB_CONTEXTInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_GuidList__WMILIB_CONTEXT(S)[x]} _S_GuidList__WMILIB_CONTEXT(S)[x] <==> S[GuidList__WMILIB_CONTEXTInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_GuidList__WMILIB_CONTEXTInv(S)[x]} _S_GuidList__WMILIB_CONTEXTInv(S)[x] <==> S[GuidList__WMILIB_CONTEXT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_GuidList__WMILIB_CONTEXT(S)} S[x] ==> _S_GuidList__WMILIB_CONTEXT(S)[GuidList__WMILIB_CONTEXT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_GuidList__WMILIB_CONTEXTInv(S)} S[x] ==> _S_GuidList__WMILIB_CONTEXTInv(S)[GuidList__WMILIB_CONTEXTInv(x)]);
+
+axiom (forall x:int :: {GuidList__WMILIB_CONTEXT(x)} GuidList__WMILIB_CONTEXT(x) == x + 4);
+axiom (forall x:int :: {GuidList__WMILIB_CONTEXTInv(x)} GuidList__WMILIB_CONTEXTInv(x) == x - 4);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1) == GuidList__WMILIB_CONTEXTInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 4)} MINUS_LEFT_PTR(x, 1, 4) == GuidList__WMILIB_CONTEXTInv(x));
+function Hand___unnamed_1_2ef8da39(int) returns (int);
+function Hand___unnamed_1_2ef8da39Inv(int) returns (int);
+function _S_Hand___unnamed_1_2ef8da39([int]bool) returns ([int]bool);
+function _S_Hand___unnamed_1_2ef8da39Inv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Hand___unnamed_1_2ef8da39Inv(Hand___unnamed_1_2ef8da39(x))} Hand___unnamed_1_2ef8da39Inv(Hand___unnamed_1_2ef8da39(x)) == x);
+axiom (forall x:int :: {Hand___unnamed_1_2ef8da39Inv(x)} Hand___unnamed_1_2ef8da39(Hand___unnamed_1_2ef8da39Inv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Hand___unnamed_1_2ef8da39(S)[x]} _S_Hand___unnamed_1_2ef8da39(S)[x] <==> S[Hand___unnamed_1_2ef8da39Inv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Hand___unnamed_1_2ef8da39Inv(S)[x]} _S_Hand___unnamed_1_2ef8da39Inv(S)[x] <==> S[Hand___unnamed_1_2ef8da39(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Hand___unnamed_1_2ef8da39(S)} S[x] ==> _S_Hand___unnamed_1_2ef8da39(S)[Hand___unnamed_1_2ef8da39(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Hand___unnamed_1_2ef8da39Inv(S)} S[x] ==> _S_Hand___unnamed_1_2ef8da39Inv(S)[Hand___unnamed_1_2ef8da39Inv(x)]);
+
+axiom (forall x:int :: {Hand___unnamed_1_2ef8da39(x)} Hand___unnamed_1_2ef8da39(x) == x + 0);
+axiom (forall x:int :: {Hand___unnamed_1_2ef8da39Inv(x)} Hand___unnamed_1_2ef8da39Inv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == Hand___unnamed_1_2ef8da39Inv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == Hand___unnamed_1_2ef8da39Inv(x));
+function Header__KEVENT(int) returns (int);
+function Header__KEVENTInv(int) returns (int);
+function _S_Header__KEVENT([int]bool) returns ([int]bool);
+function _S_Header__KEVENTInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Header__KEVENTInv(Header__KEVENT(x))} Header__KEVENTInv(Header__KEVENT(x)) == x);
+axiom (forall x:int :: {Header__KEVENTInv(x)} Header__KEVENT(Header__KEVENTInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Header__KEVENT(S)[x]} _S_Header__KEVENT(S)[x] <==> S[Header__KEVENTInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Header__KEVENTInv(S)[x]} _S_Header__KEVENTInv(S)[x] <==> S[Header__KEVENT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Header__KEVENT(S)} S[x] ==> _S_Header__KEVENT(S)[Header__KEVENT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Header__KEVENTInv(S)} S[x] ==> _S_Header__KEVENTInv(S)[Header__KEVENTInv(x)]);
+
+axiom (forall x:int :: {Header__KEVENT(x)} Header__KEVENT(x) == x + 0);
+axiom (forall x:int :: {Header__KEVENTInv(x)} Header__KEVENTInv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == Header__KEVENTInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == Header__KEVENTInv(x));
+function HighWatermark__IO_REMOVE_LOCK_DBG_BLOCK(int) returns (int);
+function HighWatermark__IO_REMOVE_LOCK_DBG_BLOCKInv(int) returns (int);
+function _S_HighWatermark__IO_REMOVE_LOCK_DBG_BLOCK([int]bool) returns ([int]bool);
+function _S_HighWatermark__IO_REMOVE_LOCK_DBG_BLOCKInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {HighWatermark__IO_REMOVE_LOCK_DBG_BLOCKInv(HighWatermark__IO_REMOVE_LOCK_DBG_BLOCK(x))} HighWatermark__IO_REMOVE_LOCK_DBG_BLOCKInv(HighWatermark__IO_REMOVE_LOCK_DBG_BLOCK(x)) == x);
+axiom (forall x:int :: {HighWatermark__IO_REMOVE_LOCK_DBG_BLOCKInv(x)} HighWatermark__IO_REMOVE_LOCK_DBG_BLOCK(HighWatermark__IO_REMOVE_LOCK_DBG_BLOCKInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_HighWatermark__IO_REMOVE_LOCK_DBG_BLOCK(S)[x]} _S_HighWatermark__IO_REMOVE_LOCK_DBG_BLOCK(S)[x] <==> S[HighWatermark__IO_REMOVE_LOCK_DBG_BLOCKInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_HighWatermark__IO_REMOVE_LOCK_DBG_BLOCKInv(S)[x]} _S_HighWatermark__IO_REMOVE_LOCK_DBG_BLOCKInv(S)[x] <==> S[HighWatermark__IO_REMOVE_LOCK_DBG_BLOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_HighWatermark__IO_REMOVE_LOCK_DBG_BLOCK(S)} S[x] ==> _S_HighWatermark__IO_REMOVE_LOCK_DBG_BLOCK(S)[HighWatermark__IO_REMOVE_LOCK_DBG_BLOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_HighWatermark__IO_REMOVE_LOCK_DBG_BLOCKInv(S)} S[x] ==> _S_HighWatermark__IO_REMOVE_LOCK_DBG_BLOCKInv(S)[HighWatermark__IO_REMOVE_LOCK_DBG_BLOCKInv(x)]);
+
+axiom (forall x:int :: {HighWatermark__IO_REMOVE_LOCK_DBG_BLOCK(x)} HighWatermark__IO_REMOVE_LOCK_DBG_BLOCK(x) == x + 4);
+axiom (forall x:int :: {HighWatermark__IO_REMOVE_LOCK_DBG_BLOCKInv(x)} HighWatermark__IO_REMOVE_LOCK_DBG_BLOCKInv(x) == x - 4);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1) == HighWatermark__IO_REMOVE_LOCK_DBG_BLOCKInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 4)} MINUS_LEFT_PTR(x, 1, 4) == HighWatermark__IO_REMOVE_LOCK_DBG_BLOCKInv(x));
+function IndicatorParameters__DEVICE_EXTENSION(int) returns (int);
+function IndicatorParameters__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_IndicatorParameters__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_IndicatorParameters__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {IndicatorParameters__DEVICE_EXTENSIONInv(IndicatorParameters__DEVICE_EXTENSION(x))} IndicatorParameters__DEVICE_EXTENSIONInv(IndicatorParameters__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {IndicatorParameters__DEVICE_EXTENSIONInv(x)} IndicatorParameters__DEVICE_EXTENSION(IndicatorParameters__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_IndicatorParameters__DEVICE_EXTENSION(S)[x]} _S_IndicatorParameters__DEVICE_EXTENSION(S)[x] <==> S[IndicatorParameters__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_IndicatorParameters__DEVICE_EXTENSIONInv(S)[x]} _S_IndicatorParameters__DEVICE_EXTENSIONInv(S)[x] <==> S[IndicatorParameters__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_IndicatorParameters__DEVICE_EXTENSION(S)} S[x] ==> _S_IndicatorParameters__DEVICE_EXTENSION(S)[IndicatorParameters__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_IndicatorParameters__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_IndicatorParameters__DEVICE_EXTENSIONInv(S)[IndicatorParameters__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {IndicatorParameters__DEVICE_EXTENSION(x)} IndicatorParameters__DEVICE_EXTENSION(x) == x + 168);
+axiom (forall x:int :: {IndicatorParameters__DEVICE_EXTENSIONInv(x)} IndicatorParameters__DEVICE_EXTENSIONInv(x) == x - 168);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 168, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 168, 1) == IndicatorParameters__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 168)} MINUS_LEFT_PTR(x, 1, 168) == IndicatorParameters__DEVICE_EXTENSIONInv(x));
+function InputCount__DEVICE_EXTENSION(int) returns (int);
+function InputCount__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_InputCount__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_InputCount__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {InputCount__DEVICE_EXTENSIONInv(InputCount__DEVICE_EXTENSION(x))} InputCount__DEVICE_EXTENSIONInv(InputCount__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {InputCount__DEVICE_EXTENSIONInv(x)} InputCount__DEVICE_EXTENSION(InputCount__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_InputCount__DEVICE_EXTENSION(S)[x]} _S_InputCount__DEVICE_EXTENSION(S)[x] <==> S[InputCount__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_InputCount__DEVICE_EXTENSIONInv(S)[x]} _S_InputCount__DEVICE_EXTENSIONInv(S)[x] <==> S[InputCount__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_InputCount__DEVICE_EXTENSION(S)} S[x] ==> _S_InputCount__DEVICE_EXTENSION(S)[InputCount__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_InputCount__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_InputCount__DEVICE_EXTENSIONInv(S)[InputCount__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {InputCount__DEVICE_EXTENSION(x)} InputCount__DEVICE_EXTENSION(x) == x + 116);
+axiom (forall x:int :: {InputCount__DEVICE_EXTENSIONInv(x)} InputCount__DEVICE_EXTENSIONInv(x) == x - 116);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 116, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 116, 1) == InputCount__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 116)} MINUS_LEFT_PTR(x, 1, 116) == InputCount__DEVICE_EXTENSIONInv(x));
+function InputDataQueueLength__KEYBOARD_ATTRIBUTES(int) returns (int);
+function InputDataQueueLength__KEYBOARD_ATTRIBUTESInv(int) returns (int);
+function _S_InputDataQueueLength__KEYBOARD_ATTRIBUTES([int]bool) returns ([int]bool);
+function _S_InputDataQueueLength__KEYBOARD_ATTRIBUTESInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {InputDataQueueLength__KEYBOARD_ATTRIBUTESInv(InputDataQueueLength__KEYBOARD_ATTRIBUTES(x))} InputDataQueueLength__KEYBOARD_ATTRIBUTESInv(InputDataQueueLength__KEYBOARD_ATTRIBUTES(x)) == x);
+axiom (forall x:int :: {InputDataQueueLength__KEYBOARD_ATTRIBUTESInv(x)} InputDataQueueLength__KEYBOARD_ATTRIBUTES(InputDataQueueLength__KEYBOARD_ATTRIBUTESInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_InputDataQueueLength__KEYBOARD_ATTRIBUTES(S)[x]} _S_InputDataQueueLength__KEYBOARD_ATTRIBUTES(S)[x] <==> S[InputDataQueueLength__KEYBOARD_ATTRIBUTESInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_InputDataQueueLength__KEYBOARD_ATTRIBUTESInv(S)[x]} _S_InputDataQueueLength__KEYBOARD_ATTRIBUTESInv(S)[x] <==> S[InputDataQueueLength__KEYBOARD_ATTRIBUTES(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_InputDataQueueLength__KEYBOARD_ATTRIBUTES(S)} S[x] ==> _S_InputDataQueueLength__KEYBOARD_ATTRIBUTES(S)[InputDataQueueLength__KEYBOARD_ATTRIBUTES(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_InputDataQueueLength__KEYBOARD_ATTRIBUTESInv(S)} S[x] ==> _S_InputDataQueueLength__KEYBOARD_ATTRIBUTESInv(S)[InputDataQueueLength__KEYBOARD_ATTRIBUTESInv(x)]);
+
+axiom (forall x:int :: {InputDataQueueLength__KEYBOARD_ATTRIBUTES(x)} InputDataQueueLength__KEYBOARD_ATTRIBUTES(x) == x + 12);
+axiom (forall x:int :: {InputDataQueueLength__KEYBOARD_ATTRIBUTESInv(x)} InputDataQueueLength__KEYBOARD_ATTRIBUTESInv(x) == x - 12);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 12, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 12, 1) == InputDataQueueLength__KEYBOARD_ATTRIBUTESInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 12)} MINUS_LEFT_PTR(x, 1, 12) == InputDataQueueLength__KEYBOARD_ATTRIBUTESInv(x));
+function InputData__DEVICE_EXTENSION(int) returns (int);
+function InputData__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_InputData__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_InputData__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {InputData__DEVICE_EXTENSIONInv(InputData__DEVICE_EXTENSION(x))} InputData__DEVICE_EXTENSIONInv(InputData__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {InputData__DEVICE_EXTENSIONInv(x)} InputData__DEVICE_EXTENSION(InputData__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_InputData__DEVICE_EXTENSION(S)[x]} _S_InputData__DEVICE_EXTENSION(S)[x] <==> S[InputData__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_InputData__DEVICE_EXTENSIONInv(S)[x]} _S_InputData__DEVICE_EXTENSIONInv(S)[x] <==> S[InputData__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_InputData__DEVICE_EXTENSION(S)} S[x] ==> _S_InputData__DEVICE_EXTENSION(S)[InputData__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_InputData__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_InputData__DEVICE_EXTENSIONInv(S)[InputData__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {InputData__DEVICE_EXTENSION(x)} InputData__DEVICE_EXTENSION(x) == x + 128);
+axiom (forall x:int :: {InputData__DEVICE_EXTENSIONInv(x)} InputData__DEVICE_EXTENSIONInv(x) == x - 128);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 128, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 128, 1) == InputData__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 128)} MINUS_LEFT_PTR(x, 1, 128) == InputData__DEVICE_EXTENSIONInv(x));
+function Inserted___unnamed_1_2dc63b48(int) returns (int);
+function Inserted___unnamed_1_2dc63b48Inv(int) returns (int);
+function _S_Inserted___unnamed_1_2dc63b48([int]bool) returns ([int]bool);
+function _S_Inserted___unnamed_1_2dc63b48Inv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Inserted___unnamed_1_2dc63b48Inv(Inserted___unnamed_1_2dc63b48(x))} Inserted___unnamed_1_2dc63b48Inv(Inserted___unnamed_1_2dc63b48(x)) == x);
+axiom (forall x:int :: {Inserted___unnamed_1_2dc63b48Inv(x)} Inserted___unnamed_1_2dc63b48(Inserted___unnamed_1_2dc63b48Inv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Inserted___unnamed_1_2dc63b48(S)[x]} _S_Inserted___unnamed_1_2dc63b48(S)[x] <==> S[Inserted___unnamed_1_2dc63b48Inv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Inserted___unnamed_1_2dc63b48Inv(S)[x]} _S_Inserted___unnamed_1_2dc63b48Inv(S)[x] <==> S[Inserted___unnamed_1_2dc63b48(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Inserted___unnamed_1_2dc63b48(S)} S[x] ==> _S_Inserted___unnamed_1_2dc63b48(S)[Inserted___unnamed_1_2dc63b48(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Inserted___unnamed_1_2dc63b48Inv(S)} S[x] ==> _S_Inserted___unnamed_1_2dc63b48Inv(S)[Inserted___unnamed_1_2dc63b48Inv(x)]);
+
+axiom (forall x:int :: {Inserted___unnamed_1_2dc63b48(x)} Inserted___unnamed_1_2dc63b48(x) == x + 0);
+axiom (forall x:int :: {Inserted___unnamed_1_2dc63b48Inv(x)} Inserted___unnamed_1_2dc63b48Inv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == Inserted___unnamed_1_2dc63b48Inv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == Inserted___unnamed_1_2dc63b48Inv(x));
+function IoCount__IO_REMOVE_LOCK_COMMON_BLOCK(int) returns (int);
+function IoCount__IO_REMOVE_LOCK_COMMON_BLOCKInv(int) returns (int);
+function _S_IoCount__IO_REMOVE_LOCK_COMMON_BLOCK([int]bool) returns ([int]bool);
+function _S_IoCount__IO_REMOVE_LOCK_COMMON_BLOCKInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {IoCount__IO_REMOVE_LOCK_COMMON_BLOCKInv(IoCount__IO_REMOVE_LOCK_COMMON_BLOCK(x))} IoCount__IO_REMOVE_LOCK_COMMON_BLOCKInv(IoCount__IO_REMOVE_LOCK_COMMON_BLOCK(x)) == x);
+axiom (forall x:int :: {IoCount__IO_REMOVE_LOCK_COMMON_BLOCKInv(x)} IoCount__IO_REMOVE_LOCK_COMMON_BLOCK(IoCount__IO_REMOVE_LOCK_COMMON_BLOCKInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_IoCount__IO_REMOVE_LOCK_COMMON_BLOCK(S)[x]} _S_IoCount__IO_REMOVE_LOCK_COMMON_BLOCK(S)[x] <==> S[IoCount__IO_REMOVE_LOCK_COMMON_BLOCKInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_IoCount__IO_REMOVE_LOCK_COMMON_BLOCKInv(S)[x]} _S_IoCount__IO_REMOVE_LOCK_COMMON_BLOCKInv(S)[x] <==> S[IoCount__IO_REMOVE_LOCK_COMMON_BLOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_IoCount__IO_REMOVE_LOCK_COMMON_BLOCK(S)} S[x] ==> _S_IoCount__IO_REMOVE_LOCK_COMMON_BLOCK(S)[IoCount__IO_REMOVE_LOCK_COMMON_BLOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_IoCount__IO_REMOVE_LOCK_COMMON_BLOCKInv(S)} S[x] ==> _S_IoCount__IO_REMOVE_LOCK_COMMON_BLOCKInv(S)[IoCount__IO_REMOVE_LOCK_COMMON_BLOCKInv(x)]);
+
+axiom (forall x:int :: {IoCount__IO_REMOVE_LOCK_COMMON_BLOCK(x)} IoCount__IO_REMOVE_LOCK_COMMON_BLOCK(x) == x + 4);
+axiom (forall x:int :: {IoCount__IO_REMOVE_LOCK_COMMON_BLOCKInv(x)} IoCount__IO_REMOVE_LOCK_COMMON_BLOCKInv(x) == x - 4);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1) == IoCount__IO_REMOVE_LOCK_COMMON_BLOCKInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 4)} MINUS_LEFT_PTR(x, 1, 4) == IoCount__IO_REMOVE_LOCK_COMMON_BLOCKInv(x));
+function KeyRepeatMaximum__KEYBOARD_ATTRIBUTES(int) returns (int);
+function KeyRepeatMaximum__KEYBOARD_ATTRIBUTESInv(int) returns (int);
+function _S_KeyRepeatMaximum__KEYBOARD_ATTRIBUTES([int]bool) returns ([int]bool);
+function _S_KeyRepeatMaximum__KEYBOARD_ATTRIBUTESInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {KeyRepeatMaximum__KEYBOARD_ATTRIBUTESInv(KeyRepeatMaximum__KEYBOARD_ATTRIBUTES(x))} KeyRepeatMaximum__KEYBOARD_ATTRIBUTESInv(KeyRepeatMaximum__KEYBOARD_ATTRIBUTES(x)) == x);
+axiom (forall x:int :: {KeyRepeatMaximum__KEYBOARD_ATTRIBUTESInv(x)} KeyRepeatMaximum__KEYBOARD_ATTRIBUTES(KeyRepeatMaximum__KEYBOARD_ATTRIBUTESInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_KeyRepeatMaximum__KEYBOARD_ATTRIBUTES(S)[x]} _S_KeyRepeatMaximum__KEYBOARD_ATTRIBUTES(S)[x] <==> S[KeyRepeatMaximum__KEYBOARD_ATTRIBUTESInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_KeyRepeatMaximum__KEYBOARD_ATTRIBUTESInv(S)[x]} _S_KeyRepeatMaximum__KEYBOARD_ATTRIBUTESInv(S)[x] <==> S[KeyRepeatMaximum__KEYBOARD_ATTRIBUTES(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_KeyRepeatMaximum__KEYBOARD_ATTRIBUTES(S)} S[x] ==> _S_KeyRepeatMaximum__KEYBOARD_ATTRIBUTES(S)[KeyRepeatMaximum__KEYBOARD_ATTRIBUTES(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_KeyRepeatMaximum__KEYBOARD_ATTRIBUTESInv(S)} S[x] ==> _S_KeyRepeatMaximum__KEYBOARD_ATTRIBUTESInv(S)[KeyRepeatMaximum__KEYBOARD_ATTRIBUTESInv(x)]);
+
+axiom (forall x:int :: {KeyRepeatMaximum__KEYBOARD_ATTRIBUTES(x)} KeyRepeatMaximum__KEYBOARD_ATTRIBUTES(x) == x + 22);
+axiom (forall x:int :: {KeyRepeatMaximum__KEYBOARD_ATTRIBUTESInv(x)} KeyRepeatMaximum__KEYBOARD_ATTRIBUTESInv(x) == x - 22);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 22, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 22, 1) == KeyRepeatMaximum__KEYBOARD_ATTRIBUTESInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 22)} MINUS_LEFT_PTR(x, 1, 22) == KeyRepeatMaximum__KEYBOARD_ATTRIBUTESInv(x));
+function KeyRepeatMinimum__KEYBOARD_ATTRIBUTES(int) returns (int);
+function KeyRepeatMinimum__KEYBOARD_ATTRIBUTESInv(int) returns (int);
+function _S_KeyRepeatMinimum__KEYBOARD_ATTRIBUTES([int]bool) returns ([int]bool);
+function _S_KeyRepeatMinimum__KEYBOARD_ATTRIBUTESInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {KeyRepeatMinimum__KEYBOARD_ATTRIBUTESInv(KeyRepeatMinimum__KEYBOARD_ATTRIBUTES(x))} KeyRepeatMinimum__KEYBOARD_ATTRIBUTESInv(KeyRepeatMinimum__KEYBOARD_ATTRIBUTES(x)) == x);
+axiom (forall x:int :: {KeyRepeatMinimum__KEYBOARD_ATTRIBUTESInv(x)} KeyRepeatMinimum__KEYBOARD_ATTRIBUTES(KeyRepeatMinimum__KEYBOARD_ATTRIBUTESInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_KeyRepeatMinimum__KEYBOARD_ATTRIBUTES(S)[x]} _S_KeyRepeatMinimum__KEYBOARD_ATTRIBUTES(S)[x] <==> S[KeyRepeatMinimum__KEYBOARD_ATTRIBUTESInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_KeyRepeatMinimum__KEYBOARD_ATTRIBUTESInv(S)[x]} _S_KeyRepeatMinimum__KEYBOARD_ATTRIBUTESInv(S)[x] <==> S[KeyRepeatMinimum__KEYBOARD_ATTRIBUTES(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_KeyRepeatMinimum__KEYBOARD_ATTRIBUTES(S)} S[x] ==> _S_KeyRepeatMinimum__KEYBOARD_ATTRIBUTES(S)[KeyRepeatMinimum__KEYBOARD_ATTRIBUTES(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_KeyRepeatMinimum__KEYBOARD_ATTRIBUTESInv(S)} S[x] ==> _S_KeyRepeatMinimum__KEYBOARD_ATTRIBUTESInv(S)[KeyRepeatMinimum__KEYBOARD_ATTRIBUTESInv(x)]);
+
+axiom (forall x:int :: {KeyRepeatMinimum__KEYBOARD_ATTRIBUTES(x)} KeyRepeatMinimum__KEYBOARD_ATTRIBUTES(x) == x + 16);
+axiom (forall x:int :: {KeyRepeatMinimum__KEYBOARD_ATTRIBUTESInv(x)} KeyRepeatMinimum__KEYBOARD_ATTRIBUTESInv(x) == x - 16);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 16, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 16, 1) == KeyRepeatMinimum__KEYBOARD_ATTRIBUTESInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 16)} MINUS_LEFT_PTR(x, 1, 16) == KeyRepeatMinimum__KEYBOARD_ATTRIBUTESInv(x));
+function KeyboardAttributes__DEVICE_EXTENSION(int) returns (int);
+function KeyboardAttributes__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_KeyboardAttributes__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_KeyboardAttributes__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {KeyboardAttributes__DEVICE_EXTENSIONInv(KeyboardAttributes__DEVICE_EXTENSION(x))} KeyboardAttributes__DEVICE_EXTENSIONInv(KeyboardAttributes__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {KeyboardAttributes__DEVICE_EXTENSIONInv(x)} KeyboardAttributes__DEVICE_EXTENSION(KeyboardAttributes__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_KeyboardAttributes__DEVICE_EXTENSION(S)[x]} _S_KeyboardAttributes__DEVICE_EXTENSION(S)[x] <==> S[KeyboardAttributes__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_KeyboardAttributes__DEVICE_EXTENSIONInv(S)[x]} _S_KeyboardAttributes__DEVICE_EXTENSIONInv(S)[x] <==> S[KeyboardAttributes__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_KeyboardAttributes__DEVICE_EXTENSION(S)} S[x] ==> _S_KeyboardAttributes__DEVICE_EXTENSION(S)[KeyboardAttributes__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_KeyboardAttributes__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_KeyboardAttributes__DEVICE_EXTENSIONInv(S)[KeyboardAttributes__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {KeyboardAttributes__DEVICE_EXTENSION(x)} KeyboardAttributes__DEVICE_EXTENSION(x) == x + 140);
+axiom (forall x:int :: {KeyboardAttributes__DEVICE_EXTENSIONInv(x)} KeyboardAttributes__DEVICE_EXTENSIONInv(x) == x - 140);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 140, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 140, 1) == KeyboardAttributes__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 140)} MINUS_LEFT_PTR(x, 1, 140) == KeyboardAttributes__DEVICE_EXTENSIONInv(x));
+function KeyboardIdentifier__KEYBOARD_ATTRIBUTES(int) returns (int);
+function KeyboardIdentifier__KEYBOARD_ATTRIBUTESInv(int) returns (int);
+function _S_KeyboardIdentifier__KEYBOARD_ATTRIBUTES([int]bool) returns ([int]bool);
+function _S_KeyboardIdentifier__KEYBOARD_ATTRIBUTESInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {KeyboardIdentifier__KEYBOARD_ATTRIBUTESInv(KeyboardIdentifier__KEYBOARD_ATTRIBUTES(x))} KeyboardIdentifier__KEYBOARD_ATTRIBUTESInv(KeyboardIdentifier__KEYBOARD_ATTRIBUTES(x)) == x);
+axiom (forall x:int :: {KeyboardIdentifier__KEYBOARD_ATTRIBUTESInv(x)} KeyboardIdentifier__KEYBOARD_ATTRIBUTES(KeyboardIdentifier__KEYBOARD_ATTRIBUTESInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_KeyboardIdentifier__KEYBOARD_ATTRIBUTES(S)[x]} _S_KeyboardIdentifier__KEYBOARD_ATTRIBUTES(S)[x] <==> S[KeyboardIdentifier__KEYBOARD_ATTRIBUTESInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_KeyboardIdentifier__KEYBOARD_ATTRIBUTESInv(S)[x]} _S_KeyboardIdentifier__KEYBOARD_ATTRIBUTESInv(S)[x] <==> S[KeyboardIdentifier__KEYBOARD_ATTRIBUTES(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_KeyboardIdentifier__KEYBOARD_ATTRIBUTES(S)} S[x] ==> _S_KeyboardIdentifier__KEYBOARD_ATTRIBUTES(S)[KeyboardIdentifier__KEYBOARD_ATTRIBUTES(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_KeyboardIdentifier__KEYBOARD_ATTRIBUTESInv(S)} S[x] ==> _S_KeyboardIdentifier__KEYBOARD_ATTRIBUTESInv(S)[KeyboardIdentifier__KEYBOARD_ATTRIBUTESInv(x)]);
+
+axiom (forall x:int :: {KeyboardIdentifier__KEYBOARD_ATTRIBUTES(x)} KeyboardIdentifier__KEYBOARD_ATTRIBUTES(x) == x + 0);
+axiom (forall x:int :: {KeyboardIdentifier__KEYBOARD_ATTRIBUTESInv(x)} KeyboardIdentifier__KEYBOARD_ATTRIBUTESInv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == KeyboardIdentifier__KEYBOARD_ATTRIBUTESInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == KeyboardIdentifier__KEYBOARD_ATTRIBUTESInv(x));
+function KeyboardMode__KEYBOARD_ATTRIBUTES(int) returns (int);
+function KeyboardMode__KEYBOARD_ATTRIBUTESInv(int) returns (int);
+function _S_KeyboardMode__KEYBOARD_ATTRIBUTES([int]bool) returns ([int]bool);
+function _S_KeyboardMode__KEYBOARD_ATTRIBUTESInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {KeyboardMode__KEYBOARD_ATTRIBUTESInv(KeyboardMode__KEYBOARD_ATTRIBUTES(x))} KeyboardMode__KEYBOARD_ATTRIBUTESInv(KeyboardMode__KEYBOARD_ATTRIBUTES(x)) == x);
+axiom (forall x:int :: {KeyboardMode__KEYBOARD_ATTRIBUTESInv(x)} KeyboardMode__KEYBOARD_ATTRIBUTES(KeyboardMode__KEYBOARD_ATTRIBUTESInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_KeyboardMode__KEYBOARD_ATTRIBUTES(S)[x]} _S_KeyboardMode__KEYBOARD_ATTRIBUTES(S)[x] <==> S[KeyboardMode__KEYBOARD_ATTRIBUTESInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_KeyboardMode__KEYBOARD_ATTRIBUTESInv(S)[x]} _S_KeyboardMode__KEYBOARD_ATTRIBUTESInv(S)[x] <==> S[KeyboardMode__KEYBOARD_ATTRIBUTES(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_KeyboardMode__KEYBOARD_ATTRIBUTES(S)} S[x] ==> _S_KeyboardMode__KEYBOARD_ATTRIBUTES(S)[KeyboardMode__KEYBOARD_ATTRIBUTES(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_KeyboardMode__KEYBOARD_ATTRIBUTESInv(S)} S[x] ==> _S_KeyboardMode__KEYBOARD_ATTRIBUTESInv(S)[KeyboardMode__KEYBOARD_ATTRIBUTESInv(x)]);
+
+axiom (forall x:int :: {KeyboardMode__KEYBOARD_ATTRIBUTES(x)} KeyboardMode__KEYBOARD_ATTRIBUTES(x) == x + 2);
+axiom (forall x:int :: {KeyboardMode__KEYBOARD_ATTRIBUTESInv(x)} KeyboardMode__KEYBOARD_ATTRIBUTESInv(x) == x - 2);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 2, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 2, 1) == KeyboardMode__KEYBOARD_ATTRIBUTESInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 2)} MINUS_LEFT_PTR(x, 1, 2) == KeyboardMode__KEYBOARD_ATTRIBUTESInv(x));
+function LedFlags__KEYBOARD_INDICATOR_PARAMETERS(int) returns (int);
+function LedFlags__KEYBOARD_INDICATOR_PARAMETERSInv(int) returns (int);
+function _S_LedFlags__KEYBOARD_INDICATOR_PARAMETERS([int]bool) returns ([int]bool);
+function _S_LedFlags__KEYBOARD_INDICATOR_PARAMETERSInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {LedFlags__KEYBOARD_INDICATOR_PARAMETERSInv(LedFlags__KEYBOARD_INDICATOR_PARAMETERS(x))} LedFlags__KEYBOARD_INDICATOR_PARAMETERSInv(LedFlags__KEYBOARD_INDICATOR_PARAMETERS(x)) == x);
+axiom (forall x:int :: {LedFlags__KEYBOARD_INDICATOR_PARAMETERSInv(x)} LedFlags__KEYBOARD_INDICATOR_PARAMETERS(LedFlags__KEYBOARD_INDICATOR_PARAMETERSInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_LedFlags__KEYBOARD_INDICATOR_PARAMETERS(S)[x]} _S_LedFlags__KEYBOARD_INDICATOR_PARAMETERS(S)[x] <==> S[LedFlags__KEYBOARD_INDICATOR_PARAMETERSInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_LedFlags__KEYBOARD_INDICATOR_PARAMETERSInv(S)[x]} _S_LedFlags__KEYBOARD_INDICATOR_PARAMETERSInv(S)[x] <==> S[LedFlags__KEYBOARD_INDICATOR_PARAMETERS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_LedFlags__KEYBOARD_INDICATOR_PARAMETERS(S)} S[x] ==> _S_LedFlags__KEYBOARD_INDICATOR_PARAMETERS(S)[LedFlags__KEYBOARD_INDICATOR_PARAMETERS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_LedFlags__KEYBOARD_INDICATOR_PARAMETERSInv(S)} S[x] ==> _S_LedFlags__KEYBOARD_INDICATOR_PARAMETERSInv(S)[LedFlags__KEYBOARD_INDICATOR_PARAMETERSInv(x)]);
+
+axiom (forall x:int :: {LedFlags__KEYBOARD_INDICATOR_PARAMETERS(x)} LedFlags__KEYBOARD_INDICATOR_PARAMETERS(x) == x + 2);
+axiom (forall x:int :: {LedFlags__KEYBOARD_INDICATOR_PARAMETERSInv(x)} LedFlags__KEYBOARD_INDICATOR_PARAMETERSInv(x) == x - 2);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 2, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 2, 1) == LedFlags__KEYBOARD_INDICATOR_PARAMETERSInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 2)} MINUS_LEFT_PTR(x, 1, 2) == LedFlags__KEYBOARD_INDICATOR_PARAMETERSInv(x));
+function LegacyDeviceList__GLOBALS(int) returns (int);
+function LegacyDeviceList__GLOBALSInv(int) returns (int);
+function _S_LegacyDeviceList__GLOBALS([int]bool) returns ([int]bool);
+function _S_LegacyDeviceList__GLOBALSInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {LegacyDeviceList__GLOBALSInv(LegacyDeviceList__GLOBALS(x))} LegacyDeviceList__GLOBALSInv(LegacyDeviceList__GLOBALS(x)) == x);
+axiom (forall x:int :: {LegacyDeviceList__GLOBALSInv(x)} LegacyDeviceList__GLOBALS(LegacyDeviceList__GLOBALSInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_LegacyDeviceList__GLOBALS(S)[x]} _S_LegacyDeviceList__GLOBALS(S)[x] <==> S[LegacyDeviceList__GLOBALSInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_LegacyDeviceList__GLOBALSInv(S)[x]} _S_LegacyDeviceList__GLOBALSInv(S)[x] <==> S[LegacyDeviceList__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_LegacyDeviceList__GLOBALS(S)} S[x] ==> _S_LegacyDeviceList__GLOBALS(S)[LegacyDeviceList__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_LegacyDeviceList__GLOBALSInv(S)} S[x] ==> _S_LegacyDeviceList__GLOBALSInv(S)[LegacyDeviceList__GLOBALSInv(x)]);
+
+axiom (forall x:int :: {LegacyDeviceList__GLOBALS(x)} LegacyDeviceList__GLOBALS(x) == x + 888);
+axiom (forall x:int :: {LegacyDeviceList__GLOBALSInv(x)} LegacyDeviceList__GLOBALSInv(x) == x - 888);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 888, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 888, 1) == LegacyDeviceList__GLOBALSInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 888)} MINUS_LEFT_PTR(x, 1, 888) == LegacyDeviceList__GLOBALSInv(x));
+function Length__UNICODE_STRING(int) returns (int);
+function Length__UNICODE_STRINGInv(int) returns (int);
+function _S_Length__UNICODE_STRING([int]bool) returns ([int]bool);
+function _S_Length__UNICODE_STRINGInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Length__UNICODE_STRINGInv(Length__UNICODE_STRING(x))} Length__UNICODE_STRINGInv(Length__UNICODE_STRING(x)) == x);
+axiom (forall x:int :: {Length__UNICODE_STRINGInv(x)} Length__UNICODE_STRING(Length__UNICODE_STRINGInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Length__UNICODE_STRING(S)[x]} _S_Length__UNICODE_STRING(S)[x] <==> S[Length__UNICODE_STRINGInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Length__UNICODE_STRINGInv(S)[x]} _S_Length__UNICODE_STRINGInv(S)[x] <==> S[Length__UNICODE_STRING(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Length__UNICODE_STRING(S)} S[x] ==> _S_Length__UNICODE_STRING(S)[Length__UNICODE_STRING(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Length__UNICODE_STRINGInv(S)} S[x] ==> _S_Length__UNICODE_STRINGInv(S)[Length__UNICODE_STRINGInv(x)]);
+
+axiom (forall x:int :: {Length__UNICODE_STRING(x)} Length__UNICODE_STRING(x) == x + 0);
+axiom (forall x:int :: {Length__UNICODE_STRINGInv(x)} Length__UNICODE_STRINGInv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == Length__UNICODE_STRINGInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == Length__UNICODE_STRINGInv(x));
+function Link__DEVICE_EXTENSION(int) returns (int);
+function Link__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_Link__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_Link__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Link__DEVICE_EXTENSIONInv(Link__DEVICE_EXTENSION(x))} Link__DEVICE_EXTENSIONInv(Link__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {Link__DEVICE_EXTENSIONInv(x)} Link__DEVICE_EXTENSION(Link__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Link__DEVICE_EXTENSION(S)[x]} _S_Link__DEVICE_EXTENSION(S)[x] <==> S[Link__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Link__DEVICE_EXTENSIONInv(S)[x]} _S_Link__DEVICE_EXTENSIONInv(S)[x] <==> S[Link__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Link__DEVICE_EXTENSION(S)} S[x] ==> _S_Link__DEVICE_EXTENSION(S)[Link__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Link__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_Link__DEVICE_EXTENSIONInv(S)[Link__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {Link__DEVICE_EXTENSION(x)} Link__DEVICE_EXTENSION(x) == x + 272);
+axiom (forall x:int :: {Link__DEVICE_EXTENSIONInv(x)} Link__DEVICE_EXTENSIONInv(x) == x - 272);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 272, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 272, 1) == Link__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 272)} MINUS_LEFT_PTR(x, 1, 272) == Link__DEVICE_EXTENSIONInv(x));
+function LockList__IO_REMOVE_LOCK_DBG_BLOCK(int) returns (int);
+function LockList__IO_REMOVE_LOCK_DBG_BLOCKInv(int) returns (int);
+function _S_LockList__IO_REMOVE_LOCK_DBG_BLOCK([int]bool) returns ([int]bool);
+function _S_LockList__IO_REMOVE_LOCK_DBG_BLOCKInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {LockList__IO_REMOVE_LOCK_DBG_BLOCKInv(LockList__IO_REMOVE_LOCK_DBG_BLOCK(x))} LockList__IO_REMOVE_LOCK_DBG_BLOCKInv(LockList__IO_REMOVE_LOCK_DBG_BLOCK(x)) == x);
+axiom (forall x:int :: {LockList__IO_REMOVE_LOCK_DBG_BLOCKInv(x)} LockList__IO_REMOVE_LOCK_DBG_BLOCK(LockList__IO_REMOVE_LOCK_DBG_BLOCKInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_LockList__IO_REMOVE_LOCK_DBG_BLOCK(S)[x]} _S_LockList__IO_REMOVE_LOCK_DBG_BLOCK(S)[x] <==> S[LockList__IO_REMOVE_LOCK_DBG_BLOCKInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_LockList__IO_REMOVE_LOCK_DBG_BLOCKInv(S)[x]} _S_LockList__IO_REMOVE_LOCK_DBG_BLOCKInv(S)[x] <==> S[LockList__IO_REMOVE_LOCK_DBG_BLOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_LockList__IO_REMOVE_LOCK_DBG_BLOCK(S)} S[x] ==> _S_LockList__IO_REMOVE_LOCK_DBG_BLOCK(S)[LockList__IO_REMOVE_LOCK_DBG_BLOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_LockList__IO_REMOVE_LOCK_DBG_BLOCKInv(S)} S[x] ==> _S_LockList__IO_REMOVE_LOCK_DBG_BLOCKInv(S)[LockList__IO_REMOVE_LOCK_DBG_BLOCKInv(x)]);
+
+axiom (forall x:int :: {LockList__IO_REMOVE_LOCK_DBG_BLOCK(x)} LockList__IO_REMOVE_LOCK_DBG_BLOCK(x) == x + 20);
+axiom (forall x:int :: {LockList__IO_REMOVE_LOCK_DBG_BLOCKInv(x)} LockList__IO_REMOVE_LOCK_DBG_BLOCKInv(x) == x - 20);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 20, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 20, 1) == LockList__IO_REMOVE_LOCK_DBG_BLOCKInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 20)} MINUS_LEFT_PTR(x, 1, 20) == LockList__IO_REMOVE_LOCK_DBG_BLOCKInv(x));
+function Lock___unnamed_4_a97c65a1(int) returns (int);
+function Lock___unnamed_4_a97c65a1Inv(int) returns (int);
+function _S_Lock___unnamed_4_a97c65a1([int]bool) returns ([int]bool);
+function _S_Lock___unnamed_4_a97c65a1Inv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Lock___unnamed_4_a97c65a1Inv(Lock___unnamed_4_a97c65a1(x))} Lock___unnamed_4_a97c65a1Inv(Lock___unnamed_4_a97c65a1(x)) == x);
+axiom (forall x:int :: {Lock___unnamed_4_a97c65a1Inv(x)} Lock___unnamed_4_a97c65a1(Lock___unnamed_4_a97c65a1Inv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Lock___unnamed_4_a97c65a1(S)[x]} _S_Lock___unnamed_4_a97c65a1(S)[x] <==> S[Lock___unnamed_4_a97c65a1Inv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Lock___unnamed_4_a97c65a1Inv(S)[x]} _S_Lock___unnamed_4_a97c65a1Inv(S)[x] <==> S[Lock___unnamed_4_a97c65a1(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Lock___unnamed_4_a97c65a1(S)} S[x] ==> _S_Lock___unnamed_4_a97c65a1(S)[Lock___unnamed_4_a97c65a1(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Lock___unnamed_4_a97c65a1Inv(S)} S[x] ==> _S_Lock___unnamed_4_a97c65a1Inv(S)[Lock___unnamed_4_a97c65a1Inv(x)]);
+
+axiom (forall x:int :: {Lock___unnamed_4_a97c65a1(x)} Lock___unnamed_4_a97c65a1(x) == x + 0);
+axiom (forall x:int :: {Lock___unnamed_4_a97c65a1Inv(x)} Lock___unnamed_4_a97c65a1Inv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == Lock___unnamed_4_a97c65a1Inv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == Lock___unnamed_4_a97c65a1Inv(x));
+function LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCK(int) returns (int);
+function LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCKInv(int) returns (int);
+function _S_LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCK([int]bool) returns ([int]bool);
+function _S_LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCKInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCKInv(LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCK(x))} LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCKInv(LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCK(x)) == x);
+axiom (forall x:int :: {LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCKInv(x)} LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCK(LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCKInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCK(S)[x]} _S_LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCK(S)[x] <==> S[LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCKInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCKInv(S)[x]} _S_LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCKInv(S)[x] <==> S[LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCK(S)} S[x] ==> _S_LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCK(S)[LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCKInv(S)} S[x] ==> _S_LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCKInv(S)[LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCKInv(x)]);
+
+axiom (forall x:int :: {LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCK(x)} LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCK(x) == x + 32);
+axiom (forall x:int :: {LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCKInv(x)} LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCKInv(x) == x - 32);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 32, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 32, 1) == LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCKInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 32)} MINUS_LEFT_PTR(x, 1, 32) == LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCKInv(x));
+function MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCK(int) returns (int);
+function MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCKInv(int) returns (int);
+function _S_MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCK([int]bool) returns ([int]bool);
+function _S_MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCKInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCKInv(MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCK(x))} MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCKInv(MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCK(x)) == x);
+axiom (forall x:int :: {MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCKInv(x)} MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCK(MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCKInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCK(S)[x]} _S_MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCK(S)[x] <==> S[MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCKInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCKInv(S)[x]} _S_MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCKInv(S)[x] <==> S[MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCK(S)} S[x] ==> _S_MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCK(S)[MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCKInv(S)} S[x] ==> _S_MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCKInv(S)[MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCKInv(x)]);
+
+axiom (forall x:int :: {MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCK(x)} MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCK(x) == x + 8);
+axiom (forall x:int :: {MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCKInv(x)} MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCKInv(x) == x - 8);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 8, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 8, 1) == MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCKInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 8)} MINUS_LEFT_PTR(x, 1, 8) == MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCKInv(x));
+function MaximumLength__UNICODE_STRING(int) returns (int);
+function MaximumLength__UNICODE_STRINGInv(int) returns (int);
+function _S_MaximumLength__UNICODE_STRING([int]bool) returns ([int]bool);
+function _S_MaximumLength__UNICODE_STRINGInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {MaximumLength__UNICODE_STRINGInv(MaximumLength__UNICODE_STRING(x))} MaximumLength__UNICODE_STRINGInv(MaximumLength__UNICODE_STRING(x)) == x);
+axiom (forall x:int :: {MaximumLength__UNICODE_STRINGInv(x)} MaximumLength__UNICODE_STRING(MaximumLength__UNICODE_STRINGInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_MaximumLength__UNICODE_STRING(S)[x]} _S_MaximumLength__UNICODE_STRING(S)[x] <==> S[MaximumLength__UNICODE_STRINGInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_MaximumLength__UNICODE_STRINGInv(S)[x]} _S_MaximumLength__UNICODE_STRINGInv(S)[x] <==> S[MaximumLength__UNICODE_STRING(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_MaximumLength__UNICODE_STRING(S)} S[x] ==> _S_MaximumLength__UNICODE_STRING(S)[MaximumLength__UNICODE_STRING(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_MaximumLength__UNICODE_STRINGInv(S)} S[x] ==> _S_MaximumLength__UNICODE_STRINGInv(S)[MaximumLength__UNICODE_STRINGInv(x)]);
+
+axiom (forall x:int :: {MaximumLength__UNICODE_STRING(x)} MaximumLength__UNICODE_STRING(x) == x + 2);
+axiom (forall x:int :: {MaximumLength__UNICODE_STRINGInv(x)} MaximumLength__UNICODE_STRINGInv(x) == x - 2);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 2, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 2, 1) == MaximumLength__UNICODE_STRINGInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 2)} MINUS_LEFT_PTR(x, 1, 2) == MaximumLength__UNICODE_STRINGInv(x));
+function MinDeviceWakeState__DEVICE_EXTENSION(int) returns (int);
+function MinDeviceWakeState__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_MinDeviceWakeState__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_MinDeviceWakeState__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {MinDeviceWakeState__DEVICE_EXTENSIONInv(MinDeviceWakeState__DEVICE_EXTENSION(x))} MinDeviceWakeState__DEVICE_EXTENSIONInv(MinDeviceWakeState__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {MinDeviceWakeState__DEVICE_EXTENSIONInv(x)} MinDeviceWakeState__DEVICE_EXTENSION(MinDeviceWakeState__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_MinDeviceWakeState__DEVICE_EXTENSION(S)[x]} _S_MinDeviceWakeState__DEVICE_EXTENSION(S)[x] <==> S[MinDeviceWakeState__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_MinDeviceWakeState__DEVICE_EXTENSIONInv(S)[x]} _S_MinDeviceWakeState__DEVICE_EXTENSIONInv(S)[x] <==> S[MinDeviceWakeState__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_MinDeviceWakeState__DEVICE_EXTENSION(S)} S[x] ==> _S_MinDeviceWakeState__DEVICE_EXTENSION(S)[MinDeviceWakeState__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_MinDeviceWakeState__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_MinDeviceWakeState__DEVICE_EXTENSIONInv(S)[MinDeviceWakeState__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {MinDeviceWakeState__DEVICE_EXTENSION(x)} MinDeviceWakeState__DEVICE_EXTENSION(x) == x + 252);
+axiom (forall x:int :: {MinDeviceWakeState__DEVICE_EXTENSIONInv(x)} MinDeviceWakeState__DEVICE_EXTENSIONInv(x) == x - 252);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 252, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 252, 1) == MinDeviceWakeState__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 252)} MINUS_LEFT_PTR(x, 1, 252) == MinDeviceWakeState__DEVICE_EXTENSIONInv(x));
+function MinSystemWakeState__DEVICE_EXTENSION(int) returns (int);
+function MinSystemWakeState__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_MinSystemWakeState__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_MinSystemWakeState__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {MinSystemWakeState__DEVICE_EXTENSIONInv(MinSystemWakeState__DEVICE_EXTENSION(x))} MinSystemWakeState__DEVICE_EXTENSIONInv(MinSystemWakeState__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {MinSystemWakeState__DEVICE_EXTENSIONInv(x)} MinSystemWakeState__DEVICE_EXTENSION(MinSystemWakeState__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_MinSystemWakeState__DEVICE_EXTENSION(S)[x]} _S_MinSystemWakeState__DEVICE_EXTENSION(S)[x] <==> S[MinSystemWakeState__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_MinSystemWakeState__DEVICE_EXTENSIONInv(S)[x]} _S_MinSystemWakeState__DEVICE_EXTENSIONInv(S)[x] <==> S[MinSystemWakeState__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_MinSystemWakeState__DEVICE_EXTENSION(S)} S[x] ==> _S_MinSystemWakeState__DEVICE_EXTENSION(S)[MinSystemWakeState__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_MinSystemWakeState__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_MinSystemWakeState__DEVICE_EXTENSIONInv(S)[MinSystemWakeState__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {MinSystemWakeState__DEVICE_EXTENSION(x)} MinSystemWakeState__DEVICE_EXTENSION(x) == x + 256);
+axiom (forall x:int :: {MinSystemWakeState__DEVICE_EXTENSIONInv(x)} MinSystemWakeState__DEVICE_EXTENSIONInv(x) == x - 256);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 256, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 256, 1) == MinSystemWakeState__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 256)} MINUS_LEFT_PTR(x, 1, 256) == MinSystemWakeState__DEVICE_EXTENSIONInv(x));
+function Mutex__GLOBALS(int) returns (int);
+function Mutex__GLOBALSInv(int) returns (int);
+function _S_Mutex__GLOBALS([int]bool) returns ([int]bool);
+function _S_Mutex__GLOBALSInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Mutex__GLOBALSInv(Mutex__GLOBALS(x))} Mutex__GLOBALSInv(Mutex__GLOBALS(x)) == x);
+axiom (forall x:int :: {Mutex__GLOBALSInv(x)} Mutex__GLOBALS(Mutex__GLOBALSInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Mutex__GLOBALS(S)[x]} _S_Mutex__GLOBALS(S)[x] <==> S[Mutex__GLOBALSInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Mutex__GLOBALSInv(S)[x]} _S_Mutex__GLOBALSInv(S)[x] <==> S[Mutex__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Mutex__GLOBALS(S)} S[x] ==> _S_Mutex__GLOBALS(S)[Mutex__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Mutex__GLOBALSInv(S)} S[x] ==> _S_Mutex__GLOBALSInv(S)[Mutex__GLOBALSInv(x)]);
+
+axiom (forall x:int :: {Mutex__GLOBALS(x)} Mutex__GLOBALS(x) == x + 24);
+axiom (forall x:int :: {Mutex__GLOBALSInv(x)} Mutex__GLOBALSInv(x) == x - 24);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 24, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 24, 1) == Mutex__GLOBALSInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 24)} MINUS_LEFT_PTR(x, 1, 24) == Mutex__GLOBALSInv(x));
+function NpxIrql___unnamed_1_29794256(int) returns (int);
+function NpxIrql___unnamed_1_29794256Inv(int) returns (int);
+function _S_NpxIrql___unnamed_1_29794256([int]bool) returns ([int]bool);
+function _S_NpxIrql___unnamed_1_29794256Inv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {NpxIrql___unnamed_1_29794256Inv(NpxIrql___unnamed_1_29794256(x))} NpxIrql___unnamed_1_29794256Inv(NpxIrql___unnamed_1_29794256(x)) == x);
+axiom (forall x:int :: {NpxIrql___unnamed_1_29794256Inv(x)} NpxIrql___unnamed_1_29794256(NpxIrql___unnamed_1_29794256Inv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_NpxIrql___unnamed_1_29794256(S)[x]} _S_NpxIrql___unnamed_1_29794256(S)[x] <==> S[NpxIrql___unnamed_1_29794256Inv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_NpxIrql___unnamed_1_29794256Inv(S)[x]} _S_NpxIrql___unnamed_1_29794256Inv(S)[x] <==> S[NpxIrql___unnamed_1_29794256(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_NpxIrql___unnamed_1_29794256(S)} S[x] ==> _S_NpxIrql___unnamed_1_29794256(S)[NpxIrql___unnamed_1_29794256(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_NpxIrql___unnamed_1_29794256Inv(S)} S[x] ==> _S_NpxIrql___unnamed_1_29794256Inv(S)[NpxIrql___unnamed_1_29794256Inv(x)]);
+
+axiom (forall x:int :: {NpxIrql___unnamed_1_29794256(x)} NpxIrql___unnamed_1_29794256(x) == x + 0);
+axiom (forall x:int :: {NpxIrql___unnamed_1_29794256Inv(x)} NpxIrql___unnamed_1_29794256Inv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == NpxIrql___unnamed_1_29794256Inv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == NpxIrql___unnamed_1_29794256Inv(x));
+function NumberOfFunctionKeys__KEYBOARD_ATTRIBUTES(int) returns (int);
+function NumberOfFunctionKeys__KEYBOARD_ATTRIBUTESInv(int) returns (int);
+function _S_NumberOfFunctionKeys__KEYBOARD_ATTRIBUTES([int]bool) returns ([int]bool);
+function _S_NumberOfFunctionKeys__KEYBOARD_ATTRIBUTESInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {NumberOfFunctionKeys__KEYBOARD_ATTRIBUTESInv(NumberOfFunctionKeys__KEYBOARD_ATTRIBUTES(x))} NumberOfFunctionKeys__KEYBOARD_ATTRIBUTESInv(NumberOfFunctionKeys__KEYBOARD_ATTRIBUTES(x)) == x);
+axiom (forall x:int :: {NumberOfFunctionKeys__KEYBOARD_ATTRIBUTESInv(x)} NumberOfFunctionKeys__KEYBOARD_ATTRIBUTES(NumberOfFunctionKeys__KEYBOARD_ATTRIBUTESInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_NumberOfFunctionKeys__KEYBOARD_ATTRIBUTES(S)[x]} _S_NumberOfFunctionKeys__KEYBOARD_ATTRIBUTES(S)[x] <==> S[NumberOfFunctionKeys__KEYBOARD_ATTRIBUTESInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_NumberOfFunctionKeys__KEYBOARD_ATTRIBUTESInv(S)[x]} _S_NumberOfFunctionKeys__KEYBOARD_ATTRIBUTESInv(S)[x] <==> S[NumberOfFunctionKeys__KEYBOARD_ATTRIBUTES(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_NumberOfFunctionKeys__KEYBOARD_ATTRIBUTES(S)} S[x] ==> _S_NumberOfFunctionKeys__KEYBOARD_ATTRIBUTES(S)[NumberOfFunctionKeys__KEYBOARD_ATTRIBUTES(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_NumberOfFunctionKeys__KEYBOARD_ATTRIBUTESInv(S)} S[x] ==> _S_NumberOfFunctionKeys__KEYBOARD_ATTRIBUTESInv(S)[NumberOfFunctionKeys__KEYBOARD_ATTRIBUTESInv(x)]);
+
+axiom (forall x:int :: {NumberOfFunctionKeys__KEYBOARD_ATTRIBUTES(x)} NumberOfFunctionKeys__KEYBOARD_ATTRIBUTES(x) == x + 4);
+axiom (forall x:int :: {NumberOfFunctionKeys__KEYBOARD_ATTRIBUTESInv(x)} NumberOfFunctionKeys__KEYBOARD_ATTRIBUTESInv(x) == x - 4);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1) == NumberOfFunctionKeys__KEYBOARD_ATTRIBUTESInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 4)} MINUS_LEFT_PTR(x, 1, 4) == NumberOfFunctionKeys__KEYBOARD_ATTRIBUTESInv(x));
+function NumberOfIndicators__KEYBOARD_ATTRIBUTES(int) returns (int);
+function NumberOfIndicators__KEYBOARD_ATTRIBUTESInv(int) returns (int);
+function _S_NumberOfIndicators__KEYBOARD_ATTRIBUTES([int]bool) returns ([int]bool);
+function _S_NumberOfIndicators__KEYBOARD_ATTRIBUTESInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {NumberOfIndicators__KEYBOARD_ATTRIBUTESInv(NumberOfIndicators__KEYBOARD_ATTRIBUTES(x))} NumberOfIndicators__KEYBOARD_ATTRIBUTESInv(NumberOfIndicators__KEYBOARD_ATTRIBUTES(x)) == x);
+axiom (forall x:int :: {NumberOfIndicators__KEYBOARD_ATTRIBUTESInv(x)} NumberOfIndicators__KEYBOARD_ATTRIBUTES(NumberOfIndicators__KEYBOARD_ATTRIBUTESInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_NumberOfIndicators__KEYBOARD_ATTRIBUTES(S)[x]} _S_NumberOfIndicators__KEYBOARD_ATTRIBUTES(S)[x] <==> S[NumberOfIndicators__KEYBOARD_ATTRIBUTESInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_NumberOfIndicators__KEYBOARD_ATTRIBUTESInv(S)[x]} _S_NumberOfIndicators__KEYBOARD_ATTRIBUTESInv(S)[x] <==> S[NumberOfIndicators__KEYBOARD_ATTRIBUTES(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_NumberOfIndicators__KEYBOARD_ATTRIBUTES(S)} S[x] ==> _S_NumberOfIndicators__KEYBOARD_ATTRIBUTES(S)[NumberOfIndicators__KEYBOARD_ATTRIBUTES(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_NumberOfIndicators__KEYBOARD_ATTRIBUTESInv(S)} S[x] ==> _S_NumberOfIndicators__KEYBOARD_ATTRIBUTESInv(S)[NumberOfIndicators__KEYBOARD_ATTRIBUTESInv(x)]);
+
+axiom (forall x:int :: {NumberOfIndicators__KEYBOARD_ATTRIBUTES(x)} NumberOfIndicators__KEYBOARD_ATTRIBUTES(x) == x + 6);
+axiom (forall x:int :: {NumberOfIndicators__KEYBOARD_ATTRIBUTESInv(x)} NumberOfIndicators__KEYBOARD_ATTRIBUTESInv(x) == x - 6);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 6, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 6, 1) == NumberOfIndicators__KEYBOARD_ATTRIBUTESInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 6)} MINUS_LEFT_PTR(x, 1, 6) == NumberOfIndicators__KEYBOARD_ATTRIBUTESInv(x));
+function NumberOfKeysTotal__KEYBOARD_ATTRIBUTES(int) returns (int);
+function NumberOfKeysTotal__KEYBOARD_ATTRIBUTESInv(int) returns (int);
+function _S_NumberOfKeysTotal__KEYBOARD_ATTRIBUTES([int]bool) returns ([int]bool);
+function _S_NumberOfKeysTotal__KEYBOARD_ATTRIBUTESInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {NumberOfKeysTotal__KEYBOARD_ATTRIBUTESInv(NumberOfKeysTotal__KEYBOARD_ATTRIBUTES(x))} NumberOfKeysTotal__KEYBOARD_ATTRIBUTESInv(NumberOfKeysTotal__KEYBOARD_ATTRIBUTES(x)) == x);
+axiom (forall x:int :: {NumberOfKeysTotal__KEYBOARD_ATTRIBUTESInv(x)} NumberOfKeysTotal__KEYBOARD_ATTRIBUTES(NumberOfKeysTotal__KEYBOARD_ATTRIBUTESInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_NumberOfKeysTotal__KEYBOARD_ATTRIBUTES(S)[x]} _S_NumberOfKeysTotal__KEYBOARD_ATTRIBUTES(S)[x] <==> S[NumberOfKeysTotal__KEYBOARD_ATTRIBUTESInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_NumberOfKeysTotal__KEYBOARD_ATTRIBUTESInv(S)[x]} _S_NumberOfKeysTotal__KEYBOARD_ATTRIBUTESInv(S)[x] <==> S[NumberOfKeysTotal__KEYBOARD_ATTRIBUTES(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_NumberOfKeysTotal__KEYBOARD_ATTRIBUTES(S)} S[x] ==> _S_NumberOfKeysTotal__KEYBOARD_ATTRIBUTES(S)[NumberOfKeysTotal__KEYBOARD_ATTRIBUTES(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_NumberOfKeysTotal__KEYBOARD_ATTRIBUTESInv(S)} S[x] ==> _S_NumberOfKeysTotal__KEYBOARD_ATTRIBUTESInv(S)[NumberOfKeysTotal__KEYBOARD_ATTRIBUTESInv(x)]);
+
+axiom (forall x:int :: {NumberOfKeysTotal__KEYBOARD_ATTRIBUTES(x)} NumberOfKeysTotal__KEYBOARD_ATTRIBUTES(x) == x + 8);
+axiom (forall x:int :: {NumberOfKeysTotal__KEYBOARD_ATTRIBUTESInv(x)} NumberOfKeysTotal__KEYBOARD_ATTRIBUTESInv(x) == x - 8);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 8, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 8, 1) == NumberOfKeysTotal__KEYBOARD_ATTRIBUTESInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 8)} MINUS_LEFT_PTR(x, 1, 8) == NumberOfKeysTotal__KEYBOARD_ATTRIBUTESInv(x));
+function OkayToLogOverflow__DEVICE_EXTENSION(int) returns (int);
+function OkayToLogOverflow__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_OkayToLogOverflow__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_OkayToLogOverflow__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {OkayToLogOverflow__DEVICE_EXTENSIONInv(OkayToLogOverflow__DEVICE_EXTENSION(x))} OkayToLogOverflow__DEVICE_EXTENSIONInv(OkayToLogOverflow__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {OkayToLogOverflow__DEVICE_EXTENSIONInv(x)} OkayToLogOverflow__DEVICE_EXTENSION(OkayToLogOverflow__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_OkayToLogOverflow__DEVICE_EXTENSION(S)[x]} _S_OkayToLogOverflow__DEVICE_EXTENSION(S)[x] <==> S[OkayToLogOverflow__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_OkayToLogOverflow__DEVICE_EXTENSIONInv(S)[x]} _S_OkayToLogOverflow__DEVICE_EXTENSIONInv(S)[x] <==> S[OkayToLogOverflow__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_OkayToLogOverflow__DEVICE_EXTENSION(S)} S[x] ==> _S_OkayToLogOverflow__DEVICE_EXTENSION(S)[OkayToLogOverflow__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_OkayToLogOverflow__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_OkayToLogOverflow__DEVICE_EXTENSIONInv(S)[OkayToLogOverflow__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {OkayToLogOverflow__DEVICE_EXTENSION(x)} OkayToLogOverflow__DEVICE_EXTENSION(x) == x + 285);
+axiom (forall x:int :: {OkayToLogOverflow__DEVICE_EXTENSIONInv(x)} OkayToLogOverflow__DEVICE_EXTENSIONInv(x) == x - 285);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 285, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 285, 1) == OkayToLogOverflow__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 285)} MINUS_LEFT_PTR(x, 1, 285) == OkayToLogOverflow__DEVICE_EXTENSIONInv(x));
+function PDO__DEVICE_EXTENSION(int) returns (int);
+function PDO__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_PDO__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_PDO__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {PDO__DEVICE_EXTENSIONInv(PDO__DEVICE_EXTENSION(x))} PDO__DEVICE_EXTENSIONInv(PDO__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {PDO__DEVICE_EXTENSIONInv(x)} PDO__DEVICE_EXTENSION(PDO__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_PDO__DEVICE_EXTENSION(S)[x]} _S_PDO__DEVICE_EXTENSION(S)[x] <==> S[PDO__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_PDO__DEVICE_EXTENSIONInv(S)[x]} _S_PDO__DEVICE_EXTENSIONInv(S)[x] <==> S[PDO__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_PDO__DEVICE_EXTENSION(S)} S[x] ==> _S_PDO__DEVICE_EXTENSION(S)[PDO__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_PDO__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_PDO__DEVICE_EXTENSIONInv(S)[PDO__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {PDO__DEVICE_EXTENSION(x)} PDO__DEVICE_EXTENSION(x) == x + 12);
+axiom (forall x:int :: {PDO__DEVICE_EXTENSIONInv(x)} PDO__DEVICE_EXTENSIONInv(x) == x - 12);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 12, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 12, 1) == PDO__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 12)} MINUS_LEFT_PTR(x, 1, 12) == PDO__DEVICE_EXTENSIONInv(x));
+function PnP__DEVICE_EXTENSION(int) returns (int);
+function PnP__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_PnP__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_PnP__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {PnP__DEVICE_EXTENSIONInv(PnP__DEVICE_EXTENSION(x))} PnP__DEVICE_EXTENSIONInv(PnP__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {PnP__DEVICE_EXTENSIONInv(x)} PnP__DEVICE_EXTENSION(PnP__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_PnP__DEVICE_EXTENSION(S)[x]} _S_PnP__DEVICE_EXTENSION(S)[x] <==> S[PnP__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_PnP__DEVICE_EXTENSIONInv(S)[x]} _S_PnP__DEVICE_EXTENSIONInv(S)[x] <==> S[PnP__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_PnP__DEVICE_EXTENSION(S)} S[x] ==> _S_PnP__DEVICE_EXTENSION(S)[PnP__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_PnP__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_PnP__DEVICE_EXTENSIONInv(S)[PnP__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {PnP__DEVICE_EXTENSION(x)} PnP__DEVICE_EXTENSION(x) == x + 104);
+axiom (forall x:int :: {PnP__DEVICE_EXTENSIONInv(x)} PnP__DEVICE_EXTENSIONInv(x) == x - 104);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 104, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 104, 1) == PnP__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 104)} MINUS_LEFT_PTR(x, 1, 104) == PnP__DEVICE_EXTENSIONInv(x));
+function QueryWmiDataBlock__WMILIB_CONTEXT(int) returns (int);
+function QueryWmiDataBlock__WMILIB_CONTEXTInv(int) returns (int);
+function _S_QueryWmiDataBlock__WMILIB_CONTEXT([int]bool) returns ([int]bool);
+function _S_QueryWmiDataBlock__WMILIB_CONTEXTInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {QueryWmiDataBlock__WMILIB_CONTEXTInv(QueryWmiDataBlock__WMILIB_CONTEXT(x))} QueryWmiDataBlock__WMILIB_CONTEXTInv(QueryWmiDataBlock__WMILIB_CONTEXT(x)) == x);
+axiom (forall x:int :: {QueryWmiDataBlock__WMILIB_CONTEXTInv(x)} QueryWmiDataBlock__WMILIB_CONTEXT(QueryWmiDataBlock__WMILIB_CONTEXTInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_QueryWmiDataBlock__WMILIB_CONTEXT(S)[x]} _S_QueryWmiDataBlock__WMILIB_CONTEXT(S)[x] <==> S[QueryWmiDataBlock__WMILIB_CONTEXTInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_QueryWmiDataBlock__WMILIB_CONTEXTInv(S)[x]} _S_QueryWmiDataBlock__WMILIB_CONTEXTInv(S)[x] <==> S[QueryWmiDataBlock__WMILIB_CONTEXT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_QueryWmiDataBlock__WMILIB_CONTEXT(S)} S[x] ==> _S_QueryWmiDataBlock__WMILIB_CONTEXT(S)[QueryWmiDataBlock__WMILIB_CONTEXT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_QueryWmiDataBlock__WMILIB_CONTEXTInv(S)} S[x] ==> _S_QueryWmiDataBlock__WMILIB_CONTEXTInv(S)[QueryWmiDataBlock__WMILIB_CONTEXTInv(x)]);
+
+axiom (forall x:int :: {QueryWmiDataBlock__WMILIB_CONTEXT(x)} QueryWmiDataBlock__WMILIB_CONTEXT(x) == x + 12);
+axiom (forall x:int :: {QueryWmiDataBlock__WMILIB_CONTEXTInv(x)} QueryWmiDataBlock__WMILIB_CONTEXTInv(x) == x - 12);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 12, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 12, 1) == QueryWmiDataBlock__WMILIB_CONTEXTInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 12)} MINUS_LEFT_PTR(x, 1, 12) == QueryWmiDataBlock__WMILIB_CONTEXTInv(x));
+function QueryWmiRegInfo__WMILIB_CONTEXT(int) returns (int);
+function QueryWmiRegInfo__WMILIB_CONTEXTInv(int) returns (int);
+function _S_QueryWmiRegInfo__WMILIB_CONTEXT([int]bool) returns ([int]bool);
+function _S_QueryWmiRegInfo__WMILIB_CONTEXTInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {QueryWmiRegInfo__WMILIB_CONTEXTInv(QueryWmiRegInfo__WMILIB_CONTEXT(x))} QueryWmiRegInfo__WMILIB_CONTEXTInv(QueryWmiRegInfo__WMILIB_CONTEXT(x)) == x);
+axiom (forall x:int :: {QueryWmiRegInfo__WMILIB_CONTEXTInv(x)} QueryWmiRegInfo__WMILIB_CONTEXT(QueryWmiRegInfo__WMILIB_CONTEXTInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_QueryWmiRegInfo__WMILIB_CONTEXT(S)[x]} _S_QueryWmiRegInfo__WMILIB_CONTEXT(S)[x] <==> S[QueryWmiRegInfo__WMILIB_CONTEXTInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_QueryWmiRegInfo__WMILIB_CONTEXTInv(S)[x]} _S_QueryWmiRegInfo__WMILIB_CONTEXTInv(S)[x] <==> S[QueryWmiRegInfo__WMILIB_CONTEXT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_QueryWmiRegInfo__WMILIB_CONTEXT(S)} S[x] ==> _S_QueryWmiRegInfo__WMILIB_CONTEXT(S)[QueryWmiRegInfo__WMILIB_CONTEXT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_QueryWmiRegInfo__WMILIB_CONTEXTInv(S)} S[x] ==> _S_QueryWmiRegInfo__WMILIB_CONTEXTInv(S)[QueryWmiRegInfo__WMILIB_CONTEXTInv(x)]);
+
+axiom (forall x:int :: {QueryWmiRegInfo__WMILIB_CONTEXT(x)} QueryWmiRegInfo__WMILIB_CONTEXT(x) == x + 8);
+axiom (forall x:int :: {QueryWmiRegInfo__WMILIB_CONTEXTInv(x)} QueryWmiRegInfo__WMILIB_CONTEXTInv(x) == x - 8);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 8, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 8, 1) == QueryWmiRegInfo__WMILIB_CONTEXTInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 8)} MINUS_LEFT_PTR(x, 1, 8) == QueryWmiRegInfo__WMILIB_CONTEXTInv(x));
+function Rate__KEYBOARD_TYPEMATIC_PARAMETERS(int) returns (int);
+function Rate__KEYBOARD_TYPEMATIC_PARAMETERSInv(int) returns (int);
+function _S_Rate__KEYBOARD_TYPEMATIC_PARAMETERS([int]bool) returns ([int]bool);
+function _S_Rate__KEYBOARD_TYPEMATIC_PARAMETERSInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Rate__KEYBOARD_TYPEMATIC_PARAMETERSInv(Rate__KEYBOARD_TYPEMATIC_PARAMETERS(x))} Rate__KEYBOARD_TYPEMATIC_PARAMETERSInv(Rate__KEYBOARD_TYPEMATIC_PARAMETERS(x)) == x);
+axiom (forall x:int :: {Rate__KEYBOARD_TYPEMATIC_PARAMETERSInv(x)} Rate__KEYBOARD_TYPEMATIC_PARAMETERS(Rate__KEYBOARD_TYPEMATIC_PARAMETERSInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Rate__KEYBOARD_TYPEMATIC_PARAMETERS(S)[x]} _S_Rate__KEYBOARD_TYPEMATIC_PARAMETERS(S)[x] <==> S[Rate__KEYBOARD_TYPEMATIC_PARAMETERSInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Rate__KEYBOARD_TYPEMATIC_PARAMETERSInv(S)[x]} _S_Rate__KEYBOARD_TYPEMATIC_PARAMETERSInv(S)[x] <==> S[Rate__KEYBOARD_TYPEMATIC_PARAMETERS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Rate__KEYBOARD_TYPEMATIC_PARAMETERS(S)} S[x] ==> _S_Rate__KEYBOARD_TYPEMATIC_PARAMETERS(S)[Rate__KEYBOARD_TYPEMATIC_PARAMETERS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Rate__KEYBOARD_TYPEMATIC_PARAMETERSInv(S)} S[x] ==> _S_Rate__KEYBOARD_TYPEMATIC_PARAMETERSInv(S)[Rate__KEYBOARD_TYPEMATIC_PARAMETERSInv(x)]);
+
+axiom (forall x:int :: {Rate__KEYBOARD_TYPEMATIC_PARAMETERS(x)} Rate__KEYBOARD_TYPEMATIC_PARAMETERS(x) == x + 2);
+axiom (forall x:int :: {Rate__KEYBOARD_TYPEMATIC_PARAMETERSInv(x)} Rate__KEYBOARD_TYPEMATIC_PARAMETERSInv(x) == x - 2);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 2, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 2, 1) == Rate__KEYBOARD_TYPEMATIC_PARAMETERSInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 2)} MINUS_LEFT_PTR(x, 1, 2) == Rate__KEYBOARD_TYPEMATIC_PARAMETERSInv(x));
+function ReadQueue__DEVICE_EXTENSION(int) returns (int);
+function ReadQueue__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_ReadQueue__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_ReadQueue__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {ReadQueue__DEVICE_EXTENSIONInv(ReadQueue__DEVICE_EXTENSION(x))} ReadQueue__DEVICE_EXTENSIONInv(ReadQueue__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {ReadQueue__DEVICE_EXTENSIONInv(x)} ReadQueue__DEVICE_EXTENSION(ReadQueue__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_ReadQueue__DEVICE_EXTENSION(S)[x]} _S_ReadQueue__DEVICE_EXTENSION(S)[x] <==> S[ReadQueue__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_ReadQueue__DEVICE_EXTENSIONInv(S)[x]} _S_ReadQueue__DEVICE_EXTENSIONInv(S)[x] <==> S[ReadQueue__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_ReadQueue__DEVICE_EXTENSION(S)} S[x] ==> _S_ReadQueue__DEVICE_EXTENSION(S)[ReadQueue__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_ReadQueue__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_ReadQueue__DEVICE_EXTENSIONInv(S)[ReadQueue__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {ReadQueue__DEVICE_EXTENSION(x)} ReadQueue__DEVICE_EXTENSION(x) == x + 176);
+axiom (forall x:int :: {ReadQueue__DEVICE_EXTENSIONInv(x)} ReadQueue__DEVICE_EXTENSIONInv(x) == x - 176);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 176, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 176, 1) == ReadQueue__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 176)} MINUS_LEFT_PTR(x, 1, 176) == ReadQueue__DEVICE_EXTENSIONInv(x));
+function RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCK(int) returns (int);
+function RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCKInv(int) returns (int);
+function _S_RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCK([int]bool) returns ([int]bool);
+function _S_RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCKInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCKInv(RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCK(x))} RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCKInv(RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCK(x)) == x);
+axiom (forall x:int :: {RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCKInv(x)} RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCK(RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCKInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCK(S)[x]} _S_RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCK(S)[x] <==> S[RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCKInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCKInv(S)[x]} _S_RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCKInv(S)[x] <==> S[RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCK(S)} S[x] ==> _S_RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCK(S)[RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCKInv(S)} S[x] ==> _S_RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCKInv(S)[RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCKInv(x)]);
+
+axiom (forall x:int :: {RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCK(x)} RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCK(x) == x + 8);
+axiom (forall x:int :: {RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCKInv(x)} RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCKInv(x) == x - 8);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 8, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 8, 1) == RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCKInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 8)} MINUS_LEFT_PTR(x, 1, 8) == RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCKInv(x));
+function RemoveLock__DEVICE_EXTENSION(int) returns (int);
+function RemoveLock__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_RemoveLock__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_RemoveLock__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {RemoveLock__DEVICE_EXTENSIONInv(RemoveLock__DEVICE_EXTENSION(x))} RemoveLock__DEVICE_EXTENSIONInv(RemoveLock__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {RemoveLock__DEVICE_EXTENSIONInv(x)} RemoveLock__DEVICE_EXTENSION(RemoveLock__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_RemoveLock__DEVICE_EXTENSION(S)[x]} _S_RemoveLock__DEVICE_EXTENSION(S)[x] <==> S[RemoveLock__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_RemoveLock__DEVICE_EXTENSIONInv(S)[x]} _S_RemoveLock__DEVICE_EXTENSIONInv(S)[x] <==> S[RemoveLock__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_RemoveLock__DEVICE_EXTENSION(S)} S[x] ==> _S_RemoveLock__DEVICE_EXTENSION(S)[RemoveLock__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_RemoveLock__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_RemoveLock__DEVICE_EXTENSIONInv(S)[RemoveLock__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {RemoveLock__DEVICE_EXTENSION(x)} RemoveLock__DEVICE_EXTENSION(x) == x + 16);
+axiom (forall x:int :: {RemoveLock__DEVICE_EXTENSIONInv(x)} RemoveLock__DEVICE_EXTENSIONInv(x) == x - 16);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 16, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 16, 1) == RemoveLock__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 16)} MINUS_LEFT_PTR(x, 1, 16) == RemoveLock__DEVICE_EXTENSIONInv(x));
+function Removed__IO_REMOVE_LOCK_COMMON_BLOCK(int) returns (int);
+function Removed__IO_REMOVE_LOCK_COMMON_BLOCKInv(int) returns (int);
+function _S_Removed__IO_REMOVE_LOCK_COMMON_BLOCK([int]bool) returns ([int]bool);
+function _S_Removed__IO_REMOVE_LOCK_COMMON_BLOCKInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Removed__IO_REMOVE_LOCK_COMMON_BLOCKInv(Removed__IO_REMOVE_LOCK_COMMON_BLOCK(x))} Removed__IO_REMOVE_LOCK_COMMON_BLOCKInv(Removed__IO_REMOVE_LOCK_COMMON_BLOCK(x)) == x);
+axiom (forall x:int :: {Removed__IO_REMOVE_LOCK_COMMON_BLOCKInv(x)} Removed__IO_REMOVE_LOCK_COMMON_BLOCK(Removed__IO_REMOVE_LOCK_COMMON_BLOCKInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Removed__IO_REMOVE_LOCK_COMMON_BLOCK(S)[x]} _S_Removed__IO_REMOVE_LOCK_COMMON_BLOCK(S)[x] <==> S[Removed__IO_REMOVE_LOCK_COMMON_BLOCKInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Removed__IO_REMOVE_LOCK_COMMON_BLOCKInv(S)[x]} _S_Removed__IO_REMOVE_LOCK_COMMON_BLOCKInv(S)[x] <==> S[Removed__IO_REMOVE_LOCK_COMMON_BLOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Removed__IO_REMOVE_LOCK_COMMON_BLOCK(S)} S[x] ==> _S_Removed__IO_REMOVE_LOCK_COMMON_BLOCK(S)[Removed__IO_REMOVE_LOCK_COMMON_BLOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Removed__IO_REMOVE_LOCK_COMMON_BLOCKInv(S)} S[x] ==> _S_Removed__IO_REMOVE_LOCK_COMMON_BLOCKInv(S)[Removed__IO_REMOVE_LOCK_COMMON_BLOCKInv(x)]);
+
+axiom (forall x:int :: {Removed__IO_REMOVE_LOCK_COMMON_BLOCK(x)} Removed__IO_REMOVE_LOCK_COMMON_BLOCK(x) == x + 0);
+axiom (forall x:int :: {Removed__IO_REMOVE_LOCK_COMMON_BLOCKInv(x)} Removed__IO_REMOVE_LOCK_COMMON_BLOCKInv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == Removed__IO_REMOVE_LOCK_COMMON_BLOCKInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == Removed__IO_REMOVE_LOCK_COMMON_BLOCKInv(x));
+function Reserved1__IO_REMOVE_LOCK_DBG_BLOCK(int) returns (int);
+function Reserved1__IO_REMOVE_LOCK_DBG_BLOCKInv(int) returns (int);
+function _S_Reserved1__IO_REMOVE_LOCK_DBG_BLOCK([int]bool) returns ([int]bool);
+function _S_Reserved1__IO_REMOVE_LOCK_DBG_BLOCKInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Reserved1__IO_REMOVE_LOCK_DBG_BLOCKInv(Reserved1__IO_REMOVE_LOCK_DBG_BLOCK(x))} Reserved1__IO_REMOVE_LOCK_DBG_BLOCKInv(Reserved1__IO_REMOVE_LOCK_DBG_BLOCK(x)) == x);
+axiom (forall x:int :: {Reserved1__IO_REMOVE_LOCK_DBG_BLOCKInv(x)} Reserved1__IO_REMOVE_LOCK_DBG_BLOCK(Reserved1__IO_REMOVE_LOCK_DBG_BLOCKInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Reserved1__IO_REMOVE_LOCK_DBG_BLOCK(S)[x]} _S_Reserved1__IO_REMOVE_LOCK_DBG_BLOCK(S)[x] <==> S[Reserved1__IO_REMOVE_LOCK_DBG_BLOCKInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Reserved1__IO_REMOVE_LOCK_DBG_BLOCKInv(S)[x]} _S_Reserved1__IO_REMOVE_LOCK_DBG_BLOCKInv(S)[x] <==> S[Reserved1__IO_REMOVE_LOCK_DBG_BLOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Reserved1__IO_REMOVE_LOCK_DBG_BLOCK(S)} S[x] ==> _S_Reserved1__IO_REMOVE_LOCK_DBG_BLOCK(S)[Reserved1__IO_REMOVE_LOCK_DBG_BLOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Reserved1__IO_REMOVE_LOCK_DBG_BLOCKInv(S)} S[x] ==> _S_Reserved1__IO_REMOVE_LOCK_DBG_BLOCKInv(S)[Reserved1__IO_REMOVE_LOCK_DBG_BLOCKInv(x)]);
+
+axiom (forall x:int :: {Reserved1__IO_REMOVE_LOCK_DBG_BLOCK(x)} Reserved1__IO_REMOVE_LOCK_DBG_BLOCK(x) == x + 36);
+axiom (forall x:int :: {Reserved1__IO_REMOVE_LOCK_DBG_BLOCKInv(x)} Reserved1__IO_REMOVE_LOCK_DBG_BLOCKInv(x) == x - 36);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 36, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 36, 1) == Reserved1__IO_REMOVE_LOCK_DBG_BLOCKInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 36)} MINUS_LEFT_PTR(x, 1, 36) == Reserved1__IO_REMOVE_LOCK_DBG_BLOCKInv(x));
+function Reserved2__IO_REMOVE_LOCK_DBG_BLOCK(int) returns (int);
+function Reserved2__IO_REMOVE_LOCK_DBG_BLOCKInv(int) returns (int);
+function _S_Reserved2__IO_REMOVE_LOCK_DBG_BLOCK([int]bool) returns ([int]bool);
+function _S_Reserved2__IO_REMOVE_LOCK_DBG_BLOCKInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Reserved2__IO_REMOVE_LOCK_DBG_BLOCKInv(Reserved2__IO_REMOVE_LOCK_DBG_BLOCK(x))} Reserved2__IO_REMOVE_LOCK_DBG_BLOCKInv(Reserved2__IO_REMOVE_LOCK_DBG_BLOCK(x)) == x);
+axiom (forall x:int :: {Reserved2__IO_REMOVE_LOCK_DBG_BLOCKInv(x)} Reserved2__IO_REMOVE_LOCK_DBG_BLOCK(Reserved2__IO_REMOVE_LOCK_DBG_BLOCKInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Reserved2__IO_REMOVE_LOCK_DBG_BLOCK(S)[x]} _S_Reserved2__IO_REMOVE_LOCK_DBG_BLOCK(S)[x] <==> S[Reserved2__IO_REMOVE_LOCK_DBG_BLOCKInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Reserved2__IO_REMOVE_LOCK_DBG_BLOCKInv(S)[x]} _S_Reserved2__IO_REMOVE_LOCK_DBG_BLOCKInv(S)[x] <==> S[Reserved2__IO_REMOVE_LOCK_DBG_BLOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Reserved2__IO_REMOVE_LOCK_DBG_BLOCK(S)} S[x] ==> _S_Reserved2__IO_REMOVE_LOCK_DBG_BLOCK(S)[Reserved2__IO_REMOVE_LOCK_DBG_BLOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Reserved2__IO_REMOVE_LOCK_DBG_BLOCKInv(S)} S[x] ==> _S_Reserved2__IO_REMOVE_LOCK_DBG_BLOCKInv(S)[Reserved2__IO_REMOVE_LOCK_DBG_BLOCKInv(x)]);
+
+axiom (forall x:int :: {Reserved2__IO_REMOVE_LOCK_DBG_BLOCK(x)} Reserved2__IO_REMOVE_LOCK_DBG_BLOCK(x) == x + 52);
+axiom (forall x:int :: {Reserved2__IO_REMOVE_LOCK_DBG_BLOCKInv(x)} Reserved2__IO_REMOVE_LOCK_DBG_BLOCKInv(x) == x - 52);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 52, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 52, 1) == Reserved2__IO_REMOVE_LOCK_DBG_BLOCKInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 52)} MINUS_LEFT_PTR(x, 1, 52) == Reserved2__IO_REMOVE_LOCK_DBG_BLOCKInv(x));
+function Reserved__IO_REMOVE_LOCK_COMMON_BLOCK(int) returns (int);
+function Reserved__IO_REMOVE_LOCK_COMMON_BLOCKInv(int) returns (int);
+function _S_Reserved__IO_REMOVE_LOCK_COMMON_BLOCK([int]bool) returns ([int]bool);
+function _S_Reserved__IO_REMOVE_LOCK_COMMON_BLOCKInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Reserved__IO_REMOVE_LOCK_COMMON_BLOCKInv(Reserved__IO_REMOVE_LOCK_COMMON_BLOCK(x))} Reserved__IO_REMOVE_LOCK_COMMON_BLOCKInv(Reserved__IO_REMOVE_LOCK_COMMON_BLOCK(x)) == x);
+axiom (forall x:int :: {Reserved__IO_REMOVE_LOCK_COMMON_BLOCKInv(x)} Reserved__IO_REMOVE_LOCK_COMMON_BLOCK(Reserved__IO_REMOVE_LOCK_COMMON_BLOCKInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Reserved__IO_REMOVE_LOCK_COMMON_BLOCK(S)[x]} _S_Reserved__IO_REMOVE_LOCK_COMMON_BLOCK(S)[x] <==> S[Reserved__IO_REMOVE_LOCK_COMMON_BLOCKInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Reserved__IO_REMOVE_LOCK_COMMON_BLOCKInv(S)[x]} _S_Reserved__IO_REMOVE_LOCK_COMMON_BLOCKInv(S)[x] <==> S[Reserved__IO_REMOVE_LOCK_COMMON_BLOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Reserved__IO_REMOVE_LOCK_COMMON_BLOCK(S)} S[x] ==> _S_Reserved__IO_REMOVE_LOCK_COMMON_BLOCK(S)[Reserved__IO_REMOVE_LOCK_COMMON_BLOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Reserved__IO_REMOVE_LOCK_COMMON_BLOCKInv(S)} S[x] ==> _S_Reserved__IO_REMOVE_LOCK_COMMON_BLOCKInv(S)[Reserved__IO_REMOVE_LOCK_COMMON_BLOCKInv(x)]);
+
+axiom (forall x:int :: {Reserved__IO_REMOVE_LOCK_COMMON_BLOCK(x)} Reserved__IO_REMOVE_LOCK_COMMON_BLOCK(x) == x + 1);
+axiom (forall x:int :: {Reserved__IO_REMOVE_LOCK_COMMON_BLOCKInv(x)} Reserved__IO_REMOVE_LOCK_COMMON_BLOCKInv(x) == x - 1);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 1, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 1, 1) == Reserved__IO_REMOVE_LOCK_COMMON_BLOCKInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 1)} MINUS_LEFT_PTR(x, 1, 1) == Reserved__IO_REMOVE_LOCK_COMMON_BLOCKInv(x));
+function Self__DEVICE_EXTENSION(int) returns (int);
+function Self__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_Self__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_Self__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Self__DEVICE_EXTENSIONInv(Self__DEVICE_EXTENSION(x))} Self__DEVICE_EXTENSIONInv(Self__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {Self__DEVICE_EXTENSIONInv(x)} Self__DEVICE_EXTENSION(Self__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Self__DEVICE_EXTENSION(S)[x]} _S_Self__DEVICE_EXTENSION(S)[x] <==> S[Self__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Self__DEVICE_EXTENSIONInv(S)[x]} _S_Self__DEVICE_EXTENSIONInv(S)[x] <==> S[Self__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Self__DEVICE_EXTENSION(S)} S[x] ==> _S_Self__DEVICE_EXTENSION(S)[Self__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Self__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_Self__DEVICE_EXTENSIONInv(S)[Self__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {Self__DEVICE_EXTENSION(x)} Self__DEVICE_EXTENSION(x) == x + 0);
+axiom (forall x:int :: {Self__DEVICE_EXTENSIONInv(x)} Self__DEVICE_EXTENSIONInv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == Self__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == Self__DEVICE_EXTENSIONInv(x));
+function SequenceNumber__DEVICE_EXTENSION(int) returns (int);
+function SequenceNumber__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_SequenceNumber__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_SequenceNumber__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {SequenceNumber__DEVICE_EXTENSIONInv(SequenceNumber__DEVICE_EXTENSION(x))} SequenceNumber__DEVICE_EXTENSIONInv(SequenceNumber__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {SequenceNumber__DEVICE_EXTENSIONInv(x)} SequenceNumber__DEVICE_EXTENSION(SequenceNumber__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_SequenceNumber__DEVICE_EXTENSION(S)[x]} _S_SequenceNumber__DEVICE_EXTENSION(S)[x] <==> S[SequenceNumber__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_SequenceNumber__DEVICE_EXTENSIONInv(S)[x]} _S_SequenceNumber__DEVICE_EXTENSIONInv(S)[x] <==> S[SequenceNumber__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_SequenceNumber__DEVICE_EXTENSION(S)} S[x] ==> _S_SequenceNumber__DEVICE_EXTENSION(S)[SequenceNumber__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_SequenceNumber__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_SequenceNumber__DEVICE_EXTENSIONInv(S)[SequenceNumber__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {SequenceNumber__DEVICE_EXTENSION(x)} SequenceNumber__DEVICE_EXTENSION(x) == x + 184);
+axiom (forall x:int :: {SequenceNumber__DEVICE_EXTENSIONInv(x)} SequenceNumber__DEVICE_EXTENSIONInv(x) == x - 184);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 184, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 184, 1) == SequenceNumber__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 184)} MINUS_LEFT_PTR(x, 1, 184) == SequenceNumber__DEVICE_EXTENSIONInv(x));
+function SetWmiDataBlock__WMILIB_CONTEXT(int) returns (int);
+function SetWmiDataBlock__WMILIB_CONTEXTInv(int) returns (int);
+function _S_SetWmiDataBlock__WMILIB_CONTEXT([int]bool) returns ([int]bool);
+function _S_SetWmiDataBlock__WMILIB_CONTEXTInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {SetWmiDataBlock__WMILIB_CONTEXTInv(SetWmiDataBlock__WMILIB_CONTEXT(x))} SetWmiDataBlock__WMILIB_CONTEXTInv(SetWmiDataBlock__WMILIB_CONTEXT(x)) == x);
+axiom (forall x:int :: {SetWmiDataBlock__WMILIB_CONTEXTInv(x)} SetWmiDataBlock__WMILIB_CONTEXT(SetWmiDataBlock__WMILIB_CONTEXTInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_SetWmiDataBlock__WMILIB_CONTEXT(S)[x]} _S_SetWmiDataBlock__WMILIB_CONTEXT(S)[x] <==> S[SetWmiDataBlock__WMILIB_CONTEXTInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_SetWmiDataBlock__WMILIB_CONTEXTInv(S)[x]} _S_SetWmiDataBlock__WMILIB_CONTEXTInv(S)[x] <==> S[SetWmiDataBlock__WMILIB_CONTEXT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_SetWmiDataBlock__WMILIB_CONTEXT(S)} S[x] ==> _S_SetWmiDataBlock__WMILIB_CONTEXT(S)[SetWmiDataBlock__WMILIB_CONTEXT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_SetWmiDataBlock__WMILIB_CONTEXTInv(S)} S[x] ==> _S_SetWmiDataBlock__WMILIB_CONTEXTInv(S)[SetWmiDataBlock__WMILIB_CONTEXTInv(x)]);
+
+axiom (forall x:int :: {SetWmiDataBlock__WMILIB_CONTEXT(x)} SetWmiDataBlock__WMILIB_CONTEXT(x) == x + 16);
+axiom (forall x:int :: {SetWmiDataBlock__WMILIB_CONTEXTInv(x)} SetWmiDataBlock__WMILIB_CONTEXTInv(x) == x - 16);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 16, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 16, 1) == SetWmiDataBlock__WMILIB_CONTEXTInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 16)} MINUS_LEFT_PTR(x, 1, 16) == SetWmiDataBlock__WMILIB_CONTEXTInv(x));
+function SetWmiDataItem__WMILIB_CONTEXT(int) returns (int);
+function SetWmiDataItem__WMILIB_CONTEXTInv(int) returns (int);
+function _S_SetWmiDataItem__WMILIB_CONTEXT([int]bool) returns ([int]bool);
+function _S_SetWmiDataItem__WMILIB_CONTEXTInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {SetWmiDataItem__WMILIB_CONTEXTInv(SetWmiDataItem__WMILIB_CONTEXT(x))} SetWmiDataItem__WMILIB_CONTEXTInv(SetWmiDataItem__WMILIB_CONTEXT(x)) == x);
+axiom (forall x:int :: {SetWmiDataItem__WMILIB_CONTEXTInv(x)} SetWmiDataItem__WMILIB_CONTEXT(SetWmiDataItem__WMILIB_CONTEXTInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_SetWmiDataItem__WMILIB_CONTEXT(S)[x]} _S_SetWmiDataItem__WMILIB_CONTEXT(S)[x] <==> S[SetWmiDataItem__WMILIB_CONTEXTInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_SetWmiDataItem__WMILIB_CONTEXTInv(S)[x]} _S_SetWmiDataItem__WMILIB_CONTEXTInv(S)[x] <==> S[SetWmiDataItem__WMILIB_CONTEXT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_SetWmiDataItem__WMILIB_CONTEXT(S)} S[x] ==> _S_SetWmiDataItem__WMILIB_CONTEXT(S)[SetWmiDataItem__WMILIB_CONTEXT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_SetWmiDataItem__WMILIB_CONTEXTInv(S)} S[x] ==> _S_SetWmiDataItem__WMILIB_CONTEXTInv(S)[SetWmiDataItem__WMILIB_CONTEXTInv(x)]);
+
+axiom (forall x:int :: {SetWmiDataItem__WMILIB_CONTEXT(x)} SetWmiDataItem__WMILIB_CONTEXT(x) == x + 20);
+axiom (forall x:int :: {SetWmiDataItem__WMILIB_CONTEXTInv(x)} SetWmiDataItem__WMILIB_CONTEXTInv(x) == x - 20);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 20, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 20, 1) == SetWmiDataItem__WMILIB_CONTEXTInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 20)} MINUS_LEFT_PTR(x, 1, 20) == SetWmiDataItem__WMILIB_CONTEXTInv(x));
+function SignalState__DISPATCHER_HEADER(int) returns (int);
+function SignalState__DISPATCHER_HEADERInv(int) returns (int);
+function _S_SignalState__DISPATCHER_HEADER([int]bool) returns ([int]bool);
+function _S_SignalState__DISPATCHER_HEADERInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {SignalState__DISPATCHER_HEADERInv(SignalState__DISPATCHER_HEADER(x))} SignalState__DISPATCHER_HEADERInv(SignalState__DISPATCHER_HEADER(x)) == x);
+axiom (forall x:int :: {SignalState__DISPATCHER_HEADERInv(x)} SignalState__DISPATCHER_HEADER(SignalState__DISPATCHER_HEADERInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_SignalState__DISPATCHER_HEADER(S)[x]} _S_SignalState__DISPATCHER_HEADER(S)[x] <==> S[SignalState__DISPATCHER_HEADERInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_SignalState__DISPATCHER_HEADERInv(S)[x]} _S_SignalState__DISPATCHER_HEADERInv(S)[x] <==> S[SignalState__DISPATCHER_HEADER(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_SignalState__DISPATCHER_HEADER(S)} S[x] ==> _S_SignalState__DISPATCHER_HEADER(S)[SignalState__DISPATCHER_HEADER(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_SignalState__DISPATCHER_HEADERInv(S)} S[x] ==> _S_SignalState__DISPATCHER_HEADERInv(S)[SignalState__DISPATCHER_HEADERInv(x)]);
+
+axiom (forall x:int :: {SignalState__DISPATCHER_HEADER(x)} SignalState__DISPATCHER_HEADER(x) == x + 4);
+axiom (forall x:int :: {SignalState__DISPATCHER_HEADERInv(x)} SignalState__DISPATCHER_HEADERInv(x) == x - 4);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1) == SignalState__DISPATCHER_HEADERInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 4)} MINUS_LEFT_PTR(x, 1, 4) == SignalState__DISPATCHER_HEADERInv(x));
+function Signalling___unnamed_1_29794256(int) returns (int);
+function Signalling___unnamed_1_29794256Inv(int) returns (int);
+function _S_Signalling___unnamed_1_29794256([int]bool) returns ([int]bool);
+function _S_Signalling___unnamed_1_29794256Inv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Signalling___unnamed_1_29794256Inv(Signalling___unnamed_1_29794256(x))} Signalling___unnamed_1_29794256Inv(Signalling___unnamed_1_29794256(x)) == x);
+axiom (forall x:int :: {Signalling___unnamed_1_29794256Inv(x)} Signalling___unnamed_1_29794256(Signalling___unnamed_1_29794256Inv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Signalling___unnamed_1_29794256(S)[x]} _S_Signalling___unnamed_1_29794256(S)[x] <==> S[Signalling___unnamed_1_29794256Inv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Signalling___unnamed_1_29794256Inv(S)[x]} _S_Signalling___unnamed_1_29794256Inv(S)[x] <==> S[Signalling___unnamed_1_29794256(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Signalling___unnamed_1_29794256(S)} S[x] ==> _S_Signalling___unnamed_1_29794256(S)[Signalling___unnamed_1_29794256(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Signalling___unnamed_1_29794256Inv(S)} S[x] ==> _S_Signalling___unnamed_1_29794256Inv(S)[Signalling___unnamed_1_29794256Inv(x)]);
+
+axiom (forall x:int :: {Signalling___unnamed_1_29794256(x)} Signalling___unnamed_1_29794256(x) == x + 0);
+axiom (forall x:int :: {Signalling___unnamed_1_29794256Inv(x)} Signalling___unnamed_1_29794256Inv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == Signalling___unnamed_1_29794256Inv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == Signalling___unnamed_1_29794256Inv(x));
+function Signature__IO_REMOVE_LOCK_DBG_BLOCK(int) returns (int);
+function Signature__IO_REMOVE_LOCK_DBG_BLOCKInv(int) returns (int);
+function _S_Signature__IO_REMOVE_LOCK_DBG_BLOCK([int]bool) returns ([int]bool);
+function _S_Signature__IO_REMOVE_LOCK_DBG_BLOCKInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Signature__IO_REMOVE_LOCK_DBG_BLOCKInv(Signature__IO_REMOVE_LOCK_DBG_BLOCK(x))} Signature__IO_REMOVE_LOCK_DBG_BLOCKInv(Signature__IO_REMOVE_LOCK_DBG_BLOCK(x)) == x);
+axiom (forall x:int :: {Signature__IO_REMOVE_LOCK_DBG_BLOCKInv(x)} Signature__IO_REMOVE_LOCK_DBG_BLOCK(Signature__IO_REMOVE_LOCK_DBG_BLOCKInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Signature__IO_REMOVE_LOCK_DBG_BLOCK(S)[x]} _S_Signature__IO_REMOVE_LOCK_DBG_BLOCK(S)[x] <==> S[Signature__IO_REMOVE_LOCK_DBG_BLOCKInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Signature__IO_REMOVE_LOCK_DBG_BLOCKInv(S)[x]} _S_Signature__IO_REMOVE_LOCK_DBG_BLOCKInv(S)[x] <==> S[Signature__IO_REMOVE_LOCK_DBG_BLOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Signature__IO_REMOVE_LOCK_DBG_BLOCK(S)} S[x] ==> _S_Signature__IO_REMOVE_LOCK_DBG_BLOCK(S)[Signature__IO_REMOVE_LOCK_DBG_BLOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Signature__IO_REMOVE_LOCK_DBG_BLOCKInv(S)} S[x] ==> _S_Signature__IO_REMOVE_LOCK_DBG_BLOCKInv(S)[Signature__IO_REMOVE_LOCK_DBG_BLOCKInv(x)]);
+
+axiom (forall x:int :: {Signature__IO_REMOVE_LOCK_DBG_BLOCK(x)} Signature__IO_REMOVE_LOCK_DBG_BLOCK(x) == x + 0);
+axiom (forall x:int :: {Signature__IO_REMOVE_LOCK_DBG_BLOCKInv(x)} Signature__IO_REMOVE_LOCK_DBG_BLOCKInv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == Signature__IO_REMOVE_LOCK_DBG_BLOCKInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == Signature__IO_REMOVE_LOCK_DBG_BLOCKInv(x));
+function Size___unnamed_1_2ef8da39(int) returns (int);
+function Size___unnamed_1_2ef8da39Inv(int) returns (int);
+function _S_Size___unnamed_1_2ef8da39([int]bool) returns ([int]bool);
+function _S_Size___unnamed_1_2ef8da39Inv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Size___unnamed_1_2ef8da39Inv(Size___unnamed_1_2ef8da39(x))} Size___unnamed_1_2ef8da39Inv(Size___unnamed_1_2ef8da39(x)) == x);
+axiom (forall x:int :: {Size___unnamed_1_2ef8da39Inv(x)} Size___unnamed_1_2ef8da39(Size___unnamed_1_2ef8da39Inv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Size___unnamed_1_2ef8da39(S)[x]} _S_Size___unnamed_1_2ef8da39(S)[x] <==> S[Size___unnamed_1_2ef8da39Inv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Size___unnamed_1_2ef8da39Inv(S)[x]} _S_Size___unnamed_1_2ef8da39Inv(S)[x] <==> S[Size___unnamed_1_2ef8da39(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Size___unnamed_1_2ef8da39(S)} S[x] ==> _S_Size___unnamed_1_2ef8da39(S)[Size___unnamed_1_2ef8da39(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Size___unnamed_1_2ef8da39Inv(S)} S[x] ==> _S_Size___unnamed_1_2ef8da39Inv(S)[Size___unnamed_1_2ef8da39Inv(x)]);
+
+axiom (forall x:int :: {Size___unnamed_1_2ef8da39(x)} Size___unnamed_1_2ef8da39(x) == x + 0);
+axiom (forall x:int :: {Size___unnamed_1_2ef8da39Inv(x)} Size___unnamed_1_2ef8da39Inv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == Size___unnamed_1_2ef8da39Inv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == Size___unnamed_1_2ef8da39Inv(x));
+function SpinLock__DEVICE_EXTENSION(int) returns (int);
+function SpinLock__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_SpinLock__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_SpinLock__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {SpinLock__DEVICE_EXTENSIONInv(SpinLock__DEVICE_EXTENSION(x))} SpinLock__DEVICE_EXTENSIONInv(SpinLock__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {SpinLock__DEVICE_EXTENSIONInv(x)} SpinLock__DEVICE_EXTENSION(SpinLock__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_SpinLock__DEVICE_EXTENSION(S)[x]} _S_SpinLock__DEVICE_EXTENSION(S)[x] <==> S[SpinLock__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_SpinLock__DEVICE_EXTENSIONInv(S)[x]} _S_SpinLock__DEVICE_EXTENSIONInv(S)[x] <==> S[SpinLock__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_SpinLock__DEVICE_EXTENSION(S)} S[x] ==> _S_SpinLock__DEVICE_EXTENSION(S)[SpinLock__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_SpinLock__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_SpinLock__DEVICE_EXTENSIONInv(S)[SpinLock__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {SpinLock__DEVICE_EXTENSION(x)} SpinLock__DEVICE_EXTENSION(x) == x + 172);
+axiom (forall x:int :: {SpinLock__DEVICE_EXTENSIONInv(x)} SpinLock__DEVICE_EXTENSIONInv(x) == x - 172);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 172, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 172, 1) == SpinLock__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 172)} MINUS_LEFT_PTR(x, 1, 172) == SpinLock__DEVICE_EXTENSIONInv(x));
+function Spin__IO_REMOVE_LOCK_DBG_BLOCK(int) returns (int);
+function Spin__IO_REMOVE_LOCK_DBG_BLOCKInv(int) returns (int);
+function _S_Spin__IO_REMOVE_LOCK_DBG_BLOCK([int]bool) returns ([int]bool);
+function _S_Spin__IO_REMOVE_LOCK_DBG_BLOCKInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Spin__IO_REMOVE_LOCK_DBG_BLOCKInv(Spin__IO_REMOVE_LOCK_DBG_BLOCK(x))} Spin__IO_REMOVE_LOCK_DBG_BLOCKInv(Spin__IO_REMOVE_LOCK_DBG_BLOCK(x)) == x);
+axiom (forall x:int :: {Spin__IO_REMOVE_LOCK_DBG_BLOCKInv(x)} Spin__IO_REMOVE_LOCK_DBG_BLOCK(Spin__IO_REMOVE_LOCK_DBG_BLOCKInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Spin__IO_REMOVE_LOCK_DBG_BLOCK(S)[x]} _S_Spin__IO_REMOVE_LOCK_DBG_BLOCK(S)[x] <==> S[Spin__IO_REMOVE_LOCK_DBG_BLOCKInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Spin__IO_REMOVE_LOCK_DBG_BLOCKInv(S)[x]} _S_Spin__IO_REMOVE_LOCK_DBG_BLOCKInv(S)[x] <==> S[Spin__IO_REMOVE_LOCK_DBG_BLOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Spin__IO_REMOVE_LOCK_DBG_BLOCK(S)} S[x] ==> _S_Spin__IO_REMOVE_LOCK_DBG_BLOCK(S)[Spin__IO_REMOVE_LOCK_DBG_BLOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Spin__IO_REMOVE_LOCK_DBG_BLOCKInv(S)} S[x] ==> _S_Spin__IO_REMOVE_LOCK_DBG_BLOCKInv(S)[Spin__IO_REMOVE_LOCK_DBG_BLOCKInv(x)]);
+
+axiom (forall x:int :: {Spin__IO_REMOVE_LOCK_DBG_BLOCK(x)} Spin__IO_REMOVE_LOCK_DBG_BLOCK(x) == x + 28);
+axiom (forall x:int :: {Spin__IO_REMOVE_LOCK_DBG_BLOCKInv(x)} Spin__IO_REMOVE_LOCK_DBG_BLOCKInv(x) == x - 28);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 28, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 28, 1) == Spin__IO_REMOVE_LOCK_DBG_BLOCKInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 28)} MINUS_LEFT_PTR(x, 1, 28) == Spin__IO_REMOVE_LOCK_DBG_BLOCKInv(x));
+function Started__DEVICE_EXTENSION(int) returns (int);
+function Started__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_Started__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_Started__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Started__DEVICE_EXTENSIONInv(Started__DEVICE_EXTENSION(x))} Started__DEVICE_EXTENSIONInv(Started__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {Started__DEVICE_EXTENSIONInv(x)} Started__DEVICE_EXTENSION(Started__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Started__DEVICE_EXTENSION(S)[x]} _S_Started__DEVICE_EXTENSION(S)[x] <==> S[Started__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Started__DEVICE_EXTENSIONInv(S)[x]} _S_Started__DEVICE_EXTENSIONInv(S)[x] <==> S[Started__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Started__DEVICE_EXTENSION(S)} S[x] ==> _S_Started__DEVICE_EXTENSION(S)[Started__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Started__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_Started__DEVICE_EXTENSIONInv(S)[Started__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {Started__DEVICE_EXTENSION(x)} Started__DEVICE_EXTENSION(x) == x + 105);
+axiom (forall x:int :: {Started__DEVICE_EXTENSIONInv(x)} Started__DEVICE_EXTENSIONInv(x) == x - 105);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 105, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 105, 1) == Started__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 105)} MINUS_LEFT_PTR(x, 1, 105) == Started__DEVICE_EXTENSIONInv(x));
+function Subtype__KEYBOARD_ID(int) returns (int);
+function Subtype__KEYBOARD_IDInv(int) returns (int);
+function _S_Subtype__KEYBOARD_ID([int]bool) returns ([int]bool);
+function _S_Subtype__KEYBOARD_IDInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Subtype__KEYBOARD_IDInv(Subtype__KEYBOARD_ID(x))} Subtype__KEYBOARD_IDInv(Subtype__KEYBOARD_ID(x)) == x);
+axiom (forall x:int :: {Subtype__KEYBOARD_IDInv(x)} Subtype__KEYBOARD_ID(Subtype__KEYBOARD_IDInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Subtype__KEYBOARD_ID(S)[x]} _S_Subtype__KEYBOARD_ID(S)[x] <==> S[Subtype__KEYBOARD_IDInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Subtype__KEYBOARD_IDInv(S)[x]} _S_Subtype__KEYBOARD_IDInv(S)[x] <==> S[Subtype__KEYBOARD_ID(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Subtype__KEYBOARD_ID(S)} S[x] ==> _S_Subtype__KEYBOARD_ID(S)[Subtype__KEYBOARD_ID(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Subtype__KEYBOARD_IDInv(S)} S[x] ==> _S_Subtype__KEYBOARD_IDInv(S)[Subtype__KEYBOARD_IDInv(x)]);
+
+axiom (forall x:int :: {Subtype__KEYBOARD_ID(x)} Subtype__KEYBOARD_ID(x) == x + 1);
+axiom (forall x:int :: {Subtype__KEYBOARD_IDInv(x)} Subtype__KEYBOARD_IDInv(x) == x - 1);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 1, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 1, 1) == Subtype__KEYBOARD_IDInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 1)} MINUS_LEFT_PTR(x, 1, 1) == Subtype__KEYBOARD_IDInv(x));
+function SurpriseRemoved__DEVICE_EXTENSION(int) returns (int);
+function SurpriseRemoved__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_SurpriseRemoved__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_SurpriseRemoved__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {SurpriseRemoved__DEVICE_EXTENSIONInv(SurpriseRemoved__DEVICE_EXTENSION(x))} SurpriseRemoved__DEVICE_EXTENSIONInv(SurpriseRemoved__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {SurpriseRemoved__DEVICE_EXTENSIONInv(x)} SurpriseRemoved__DEVICE_EXTENSION(SurpriseRemoved__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_SurpriseRemoved__DEVICE_EXTENSION(S)[x]} _S_SurpriseRemoved__DEVICE_EXTENSION(S)[x] <==> S[SurpriseRemoved__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_SurpriseRemoved__DEVICE_EXTENSIONInv(S)[x]} _S_SurpriseRemoved__DEVICE_EXTENSIONInv(S)[x] <==> S[SurpriseRemoved__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_SurpriseRemoved__DEVICE_EXTENSION(S)} S[x] ==> _S_SurpriseRemoved__DEVICE_EXTENSION(S)[SurpriseRemoved__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_SurpriseRemoved__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_SurpriseRemoved__DEVICE_EXTENSIONInv(S)[SurpriseRemoved__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {SurpriseRemoved__DEVICE_EXTENSION(x)} SurpriseRemoved__DEVICE_EXTENSION(x) == x + 287);
+axiom (forall x:int :: {SurpriseRemoved__DEVICE_EXTENSIONInv(x)} SurpriseRemoved__DEVICE_EXTENSIONInv(x) == x - 287);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 287, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 287, 1) == SurpriseRemoved__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 287)} MINUS_LEFT_PTR(x, 1, 287) == SurpriseRemoved__DEVICE_EXTENSIONInv(x));
+function SymbolicLinkName__DEVICE_EXTENSION(int) returns (int);
+function SymbolicLinkName__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_SymbolicLinkName__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_SymbolicLinkName__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {SymbolicLinkName__DEVICE_EXTENSIONInv(SymbolicLinkName__DEVICE_EXTENSION(x))} SymbolicLinkName__DEVICE_EXTENSIONInv(SymbolicLinkName__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {SymbolicLinkName__DEVICE_EXTENSIONInv(x)} SymbolicLinkName__DEVICE_EXTENSION(SymbolicLinkName__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_SymbolicLinkName__DEVICE_EXTENSION(S)[x]} _S_SymbolicLinkName__DEVICE_EXTENSION(S)[x] <==> S[SymbolicLinkName__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_SymbolicLinkName__DEVICE_EXTENSIONInv(S)[x]} _S_SymbolicLinkName__DEVICE_EXTENSIONInv(S)[x] <==> S[SymbolicLinkName__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_SymbolicLinkName__DEVICE_EXTENSION(S)} S[x] ==> _S_SymbolicLinkName__DEVICE_EXTENSION(S)[SymbolicLinkName__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_SymbolicLinkName__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_SymbolicLinkName__DEVICE_EXTENSIONInv(S)[SymbolicLinkName__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {SymbolicLinkName__DEVICE_EXTENSION(x)} SymbolicLinkName__DEVICE_EXTENSION(x) == x + 120);
+axiom (forall x:int :: {SymbolicLinkName__DEVICE_EXTENSIONInv(x)} SymbolicLinkName__DEVICE_EXTENSIONInv(x) == x - 120);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 120, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 120, 1) == SymbolicLinkName__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 120)} MINUS_LEFT_PTR(x, 1, 120) == SymbolicLinkName__DEVICE_EXTENSIONInv(x));
+function SystemState__DEVICE_EXTENSION(int) returns (int);
+function SystemState__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_SystemState__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_SystemState__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {SystemState__DEVICE_EXTENSIONInv(SystemState__DEVICE_EXTENSION(x))} SystemState__DEVICE_EXTENSIONInv(SystemState__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {SystemState__DEVICE_EXTENSIONInv(x)} SystemState__DEVICE_EXTENSION(SystemState__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_SystemState__DEVICE_EXTENSION(S)[x]} _S_SystemState__DEVICE_EXTENSION(S)[x] <==> S[SystemState__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_SystemState__DEVICE_EXTENSIONInv(S)[x]} _S_SystemState__DEVICE_EXTENSIONInv(S)[x] <==> S[SystemState__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_SystemState__DEVICE_EXTENSION(S)} S[x] ==> _S_SystemState__DEVICE_EXTENSION(S)[SystemState__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_SystemState__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_SystemState__DEVICE_EXTENSIONInv(S)[SystemState__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {SystemState__DEVICE_EXTENSION(x)} SystemState__DEVICE_EXTENSION(x) == x + 192);
+axiom (forall x:int :: {SystemState__DEVICE_EXTENSIONInv(x)} SystemState__DEVICE_EXTENSIONInv(x) == x - 192);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 192, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 192, 1) == SystemState__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 192)} MINUS_LEFT_PTR(x, 1, 192) == SystemState__DEVICE_EXTENSIONInv(x));
+function SystemToDeviceState__DEVICE_EXTENSION(int) returns (int);
+function SystemToDeviceState__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_SystemToDeviceState__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_SystemToDeviceState__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {SystemToDeviceState__DEVICE_EXTENSIONInv(SystemToDeviceState__DEVICE_EXTENSION(x))} SystemToDeviceState__DEVICE_EXTENSIONInv(SystemToDeviceState__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {SystemToDeviceState__DEVICE_EXTENSIONInv(x)} SystemToDeviceState__DEVICE_EXTENSION(SystemToDeviceState__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_SystemToDeviceState__DEVICE_EXTENSION(S)[x]} _S_SystemToDeviceState__DEVICE_EXTENSION(S)[x] <==> S[SystemToDeviceState__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_SystemToDeviceState__DEVICE_EXTENSIONInv(S)[x]} _S_SystemToDeviceState__DEVICE_EXTENSIONInv(S)[x] <==> S[SystemToDeviceState__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_SystemToDeviceState__DEVICE_EXTENSION(S)} S[x] ==> _S_SystemToDeviceState__DEVICE_EXTENSION(S)[SystemToDeviceState__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_SystemToDeviceState__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_SystemToDeviceState__DEVICE_EXTENSIONInv(S)[SystemToDeviceState__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {SystemToDeviceState__DEVICE_EXTENSION(x)} SystemToDeviceState__DEVICE_EXTENSION(x) == x + 232);
+axiom (forall x:int :: {SystemToDeviceState__DEVICE_EXTENSIONInv(x)} SystemToDeviceState__DEVICE_EXTENSIONInv(x) == x - 232);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 232, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 232, 1) == SystemToDeviceState__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 232)} MINUS_LEFT_PTR(x, 1, 232) == SystemToDeviceState__DEVICE_EXTENSIONInv(x));
+function TargetNotifyHandle__DEVICE_EXTENSION(int) returns (int);
+function TargetNotifyHandle__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_TargetNotifyHandle__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_TargetNotifyHandle__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {TargetNotifyHandle__DEVICE_EXTENSIONInv(TargetNotifyHandle__DEVICE_EXTENSION(x))} TargetNotifyHandle__DEVICE_EXTENSIONInv(TargetNotifyHandle__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {TargetNotifyHandle__DEVICE_EXTENSIONInv(x)} TargetNotifyHandle__DEVICE_EXTENSION(TargetNotifyHandle__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_TargetNotifyHandle__DEVICE_EXTENSION(S)[x]} _S_TargetNotifyHandle__DEVICE_EXTENSION(S)[x] <==> S[TargetNotifyHandle__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_TargetNotifyHandle__DEVICE_EXTENSIONInv(S)[x]} _S_TargetNotifyHandle__DEVICE_EXTENSIONInv(S)[x] <==> S[TargetNotifyHandle__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_TargetNotifyHandle__DEVICE_EXTENSION(S)} S[x] ==> _S_TargetNotifyHandle__DEVICE_EXTENSION(S)[TargetNotifyHandle__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_TargetNotifyHandle__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_TargetNotifyHandle__DEVICE_EXTENSIONInv(S)[TargetNotifyHandle__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {TargetNotifyHandle__DEVICE_EXTENSION(x)} TargetNotifyHandle__DEVICE_EXTENSION(x) == x + 268);
+axiom (forall x:int :: {TargetNotifyHandle__DEVICE_EXTENSIONInv(x)} TargetNotifyHandle__DEVICE_EXTENSIONInv(x) == x - 268);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 268, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 268, 1) == TargetNotifyHandle__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 268)} MINUS_LEFT_PTR(x, 1, 268) == TargetNotifyHandle__DEVICE_EXTENSIONInv(x));
+function TopPort__DEVICE_EXTENSION(int) returns (int);
+function TopPort__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_TopPort__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_TopPort__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {TopPort__DEVICE_EXTENSIONInv(TopPort__DEVICE_EXTENSION(x))} TopPort__DEVICE_EXTENSIONInv(TopPort__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {TopPort__DEVICE_EXTENSIONInv(x)} TopPort__DEVICE_EXTENSION(TopPort__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_TopPort__DEVICE_EXTENSION(S)[x]} _S_TopPort__DEVICE_EXTENSION(S)[x] <==> S[TopPort__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_TopPort__DEVICE_EXTENSIONInv(S)[x]} _S_TopPort__DEVICE_EXTENSIONInv(S)[x] <==> S[TopPort__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_TopPort__DEVICE_EXTENSION(S)} S[x] ==> _S_TopPort__DEVICE_EXTENSION(S)[TopPort__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_TopPort__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_TopPort__DEVICE_EXTENSIONInv(S)[TopPort__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {TopPort__DEVICE_EXTENSION(x)} TopPort__DEVICE_EXTENSION(x) == x + 8);
+axiom (forall x:int :: {TopPort__DEVICE_EXTENSIONInv(x)} TopPort__DEVICE_EXTENSIONInv(x) == x - 8);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 8, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 8, 1) == TopPort__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 8)} MINUS_LEFT_PTR(x, 1, 8) == TopPort__DEVICE_EXTENSIONInv(x));
+function TrueClassDevice__DEVICE_EXTENSION(int) returns (int);
+function TrueClassDevice__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_TrueClassDevice__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_TrueClassDevice__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {TrueClassDevice__DEVICE_EXTENSIONInv(TrueClassDevice__DEVICE_EXTENSION(x))} TrueClassDevice__DEVICE_EXTENSIONInv(TrueClassDevice__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {TrueClassDevice__DEVICE_EXTENSIONInv(x)} TrueClassDevice__DEVICE_EXTENSION(TrueClassDevice__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_TrueClassDevice__DEVICE_EXTENSION(S)[x]} _S_TrueClassDevice__DEVICE_EXTENSION(S)[x] <==> S[TrueClassDevice__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_TrueClassDevice__DEVICE_EXTENSIONInv(S)[x]} _S_TrueClassDevice__DEVICE_EXTENSIONInv(S)[x] <==> S[TrueClassDevice__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_TrueClassDevice__DEVICE_EXTENSION(S)} S[x] ==> _S_TrueClassDevice__DEVICE_EXTENSION(S)[TrueClassDevice__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_TrueClassDevice__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_TrueClassDevice__DEVICE_EXTENSIONInv(S)[TrueClassDevice__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {TrueClassDevice__DEVICE_EXTENSION(x)} TrueClassDevice__DEVICE_EXTENSION(x) == x + 4);
+axiom (forall x:int :: {TrueClassDevice__DEVICE_EXTENSIONInv(x)} TrueClassDevice__DEVICE_EXTENSIONInv(x) == x - 4);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1) == TrueClassDevice__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 4)} MINUS_LEFT_PTR(x, 1, 4) == TrueClassDevice__DEVICE_EXTENSIONInv(x));
+function TrustedSubsystemCount__DEVICE_EXTENSION(int) returns (int);
+function TrustedSubsystemCount__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_TrustedSubsystemCount__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_TrustedSubsystemCount__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {TrustedSubsystemCount__DEVICE_EXTENSIONInv(TrustedSubsystemCount__DEVICE_EXTENSION(x))} TrustedSubsystemCount__DEVICE_EXTENSIONInv(TrustedSubsystemCount__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {TrustedSubsystemCount__DEVICE_EXTENSIONInv(x)} TrustedSubsystemCount__DEVICE_EXTENSION(TrustedSubsystemCount__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_TrustedSubsystemCount__DEVICE_EXTENSION(S)[x]} _S_TrustedSubsystemCount__DEVICE_EXTENSION(S)[x] <==> S[TrustedSubsystemCount__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_TrustedSubsystemCount__DEVICE_EXTENSIONInv(S)[x]} _S_TrustedSubsystemCount__DEVICE_EXTENSIONInv(S)[x] <==> S[TrustedSubsystemCount__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_TrustedSubsystemCount__DEVICE_EXTENSION(S)} S[x] ==> _S_TrustedSubsystemCount__DEVICE_EXTENSION(S)[TrustedSubsystemCount__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_TrustedSubsystemCount__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_TrustedSubsystemCount__DEVICE_EXTENSIONInv(S)[TrustedSubsystemCount__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {TrustedSubsystemCount__DEVICE_EXTENSION(x)} TrustedSubsystemCount__DEVICE_EXTENSION(x) == x + 112);
+axiom (forall x:int :: {TrustedSubsystemCount__DEVICE_EXTENSIONInv(x)} TrustedSubsystemCount__DEVICE_EXTENSIONInv(x) == x - 112);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 112, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 112, 1) == TrustedSubsystemCount__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 112)} MINUS_LEFT_PTR(x, 1, 112) == TrustedSubsystemCount__DEVICE_EXTENSIONInv(x));
+function Type__KEYBOARD_ID(int) returns (int);
+function Type__KEYBOARD_IDInv(int) returns (int);
+function _S_Type__KEYBOARD_ID([int]bool) returns ([int]bool);
+function _S_Type__KEYBOARD_IDInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Type__KEYBOARD_IDInv(Type__KEYBOARD_ID(x))} Type__KEYBOARD_IDInv(Type__KEYBOARD_ID(x)) == x);
+axiom (forall x:int :: {Type__KEYBOARD_IDInv(x)} Type__KEYBOARD_ID(Type__KEYBOARD_IDInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Type__KEYBOARD_ID(S)[x]} _S_Type__KEYBOARD_ID(S)[x] <==> S[Type__KEYBOARD_IDInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Type__KEYBOARD_IDInv(S)[x]} _S_Type__KEYBOARD_IDInv(S)[x] <==> S[Type__KEYBOARD_ID(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Type__KEYBOARD_ID(S)} S[x] ==> _S_Type__KEYBOARD_ID(S)[Type__KEYBOARD_ID(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Type__KEYBOARD_IDInv(S)} S[x] ==> _S_Type__KEYBOARD_IDInv(S)[Type__KEYBOARD_IDInv(x)]);
+
+axiom (forall x:int :: {Type__KEYBOARD_ID(x)} Type__KEYBOARD_ID(x) == x + 0);
+axiom (forall x:int :: {Type__KEYBOARD_IDInv(x)} Type__KEYBOARD_IDInv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == Type__KEYBOARD_IDInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == Type__KEYBOARD_IDInv(x));
+function Type___unnamed_4_5ca00198(int) returns (int);
+function Type___unnamed_4_5ca00198Inv(int) returns (int);
+function _S_Type___unnamed_4_5ca00198([int]bool) returns ([int]bool);
+function _S_Type___unnamed_4_5ca00198Inv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Type___unnamed_4_5ca00198Inv(Type___unnamed_4_5ca00198(x))} Type___unnamed_4_5ca00198Inv(Type___unnamed_4_5ca00198(x)) == x);
+axiom (forall x:int :: {Type___unnamed_4_5ca00198Inv(x)} Type___unnamed_4_5ca00198(Type___unnamed_4_5ca00198Inv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Type___unnamed_4_5ca00198(S)[x]} _S_Type___unnamed_4_5ca00198(S)[x] <==> S[Type___unnamed_4_5ca00198Inv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Type___unnamed_4_5ca00198Inv(S)[x]} _S_Type___unnamed_4_5ca00198Inv(S)[x] <==> S[Type___unnamed_4_5ca00198(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Type___unnamed_4_5ca00198(S)} S[x] ==> _S_Type___unnamed_4_5ca00198(S)[Type___unnamed_4_5ca00198(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Type___unnamed_4_5ca00198Inv(S)} S[x] ==> _S_Type___unnamed_4_5ca00198Inv(S)[Type___unnamed_4_5ca00198Inv(x)]);
+
+axiom (forall x:int :: {Type___unnamed_4_5ca00198(x)} Type___unnamed_4_5ca00198(x) == x + 0);
+axiom (forall x:int :: {Type___unnamed_4_5ca00198Inv(x)} Type___unnamed_4_5ca00198Inv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == Type___unnamed_4_5ca00198Inv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == Type___unnamed_4_5ca00198Inv(x));
+function UnitId__DEVICE_EXTENSION(int) returns (int);
+function UnitId__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_UnitId__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_UnitId__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {UnitId__DEVICE_EXTENSIONInv(UnitId__DEVICE_EXTENSION(x))} UnitId__DEVICE_EXTENSIONInv(UnitId__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {UnitId__DEVICE_EXTENSIONInv(x)} UnitId__DEVICE_EXTENSION(UnitId__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_UnitId__DEVICE_EXTENSION(S)[x]} _S_UnitId__DEVICE_EXTENSION(S)[x] <==> S[UnitId__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_UnitId__DEVICE_EXTENSIONInv(S)[x]} _S_UnitId__DEVICE_EXTENSIONInv(S)[x] <==> S[UnitId__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_UnitId__DEVICE_EXTENSION(S)} S[x] ==> _S_UnitId__DEVICE_EXTENSION(S)[UnitId__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_UnitId__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_UnitId__DEVICE_EXTENSIONInv(S)[UnitId__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {UnitId__DEVICE_EXTENSION(x)} UnitId__DEVICE_EXTENSION(x) == x + 196);
+axiom (forall x:int :: {UnitId__DEVICE_EXTENSIONInv(x)} UnitId__DEVICE_EXTENSIONInv(x) == x - 196);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 196, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 196, 1) == UnitId__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 196)} MINUS_LEFT_PTR(x, 1, 196) == UnitId__DEVICE_EXTENSIONInv(x));
+function UnitId__KEYBOARD_INDICATOR_PARAMETERS(int) returns (int);
+function UnitId__KEYBOARD_INDICATOR_PARAMETERSInv(int) returns (int);
+function _S_UnitId__KEYBOARD_INDICATOR_PARAMETERS([int]bool) returns ([int]bool);
+function _S_UnitId__KEYBOARD_INDICATOR_PARAMETERSInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {UnitId__KEYBOARD_INDICATOR_PARAMETERSInv(UnitId__KEYBOARD_INDICATOR_PARAMETERS(x))} UnitId__KEYBOARD_INDICATOR_PARAMETERSInv(UnitId__KEYBOARD_INDICATOR_PARAMETERS(x)) == x);
+axiom (forall x:int :: {UnitId__KEYBOARD_INDICATOR_PARAMETERSInv(x)} UnitId__KEYBOARD_INDICATOR_PARAMETERS(UnitId__KEYBOARD_INDICATOR_PARAMETERSInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_UnitId__KEYBOARD_INDICATOR_PARAMETERS(S)[x]} _S_UnitId__KEYBOARD_INDICATOR_PARAMETERS(S)[x] <==> S[UnitId__KEYBOARD_INDICATOR_PARAMETERSInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_UnitId__KEYBOARD_INDICATOR_PARAMETERSInv(S)[x]} _S_UnitId__KEYBOARD_INDICATOR_PARAMETERSInv(S)[x] <==> S[UnitId__KEYBOARD_INDICATOR_PARAMETERS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_UnitId__KEYBOARD_INDICATOR_PARAMETERS(S)} S[x] ==> _S_UnitId__KEYBOARD_INDICATOR_PARAMETERS(S)[UnitId__KEYBOARD_INDICATOR_PARAMETERS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_UnitId__KEYBOARD_INDICATOR_PARAMETERSInv(S)} S[x] ==> _S_UnitId__KEYBOARD_INDICATOR_PARAMETERSInv(S)[UnitId__KEYBOARD_INDICATOR_PARAMETERSInv(x)]);
+
+axiom (forall x:int :: {UnitId__KEYBOARD_INDICATOR_PARAMETERS(x)} UnitId__KEYBOARD_INDICATOR_PARAMETERS(x) == x + 0);
+axiom (forall x:int :: {UnitId__KEYBOARD_INDICATOR_PARAMETERSInv(x)} UnitId__KEYBOARD_INDICATOR_PARAMETERSInv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == UnitId__KEYBOARD_INDICATOR_PARAMETERSInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == UnitId__KEYBOARD_INDICATOR_PARAMETERSInv(x));
+function UnitId__KEYBOARD_TYPEMATIC_PARAMETERS(int) returns (int);
+function UnitId__KEYBOARD_TYPEMATIC_PARAMETERSInv(int) returns (int);
+function _S_UnitId__KEYBOARD_TYPEMATIC_PARAMETERS([int]bool) returns ([int]bool);
+function _S_UnitId__KEYBOARD_TYPEMATIC_PARAMETERSInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {UnitId__KEYBOARD_TYPEMATIC_PARAMETERSInv(UnitId__KEYBOARD_TYPEMATIC_PARAMETERS(x))} UnitId__KEYBOARD_TYPEMATIC_PARAMETERSInv(UnitId__KEYBOARD_TYPEMATIC_PARAMETERS(x)) == x);
+axiom (forall x:int :: {UnitId__KEYBOARD_TYPEMATIC_PARAMETERSInv(x)} UnitId__KEYBOARD_TYPEMATIC_PARAMETERS(UnitId__KEYBOARD_TYPEMATIC_PARAMETERSInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_UnitId__KEYBOARD_TYPEMATIC_PARAMETERS(S)[x]} _S_UnitId__KEYBOARD_TYPEMATIC_PARAMETERS(S)[x] <==> S[UnitId__KEYBOARD_TYPEMATIC_PARAMETERSInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_UnitId__KEYBOARD_TYPEMATIC_PARAMETERSInv(S)[x]} _S_UnitId__KEYBOARD_TYPEMATIC_PARAMETERSInv(S)[x] <==> S[UnitId__KEYBOARD_TYPEMATIC_PARAMETERS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_UnitId__KEYBOARD_TYPEMATIC_PARAMETERS(S)} S[x] ==> _S_UnitId__KEYBOARD_TYPEMATIC_PARAMETERS(S)[UnitId__KEYBOARD_TYPEMATIC_PARAMETERS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_UnitId__KEYBOARD_TYPEMATIC_PARAMETERSInv(S)} S[x] ==> _S_UnitId__KEYBOARD_TYPEMATIC_PARAMETERSInv(S)[UnitId__KEYBOARD_TYPEMATIC_PARAMETERSInv(x)]);
+
+axiom (forall x:int :: {UnitId__KEYBOARD_TYPEMATIC_PARAMETERS(x)} UnitId__KEYBOARD_TYPEMATIC_PARAMETERS(x) == x + 0);
+axiom (forall x:int :: {UnitId__KEYBOARD_TYPEMATIC_PARAMETERSInv(x)} UnitId__KEYBOARD_TYPEMATIC_PARAMETERSInv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == UnitId__KEYBOARD_TYPEMATIC_PARAMETERSInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == UnitId__KEYBOARD_TYPEMATIC_PARAMETERSInv(x));
+function WaitListHead__DISPATCHER_HEADER(int) returns (int);
+function WaitListHead__DISPATCHER_HEADERInv(int) returns (int);
+function _S_WaitListHead__DISPATCHER_HEADER([int]bool) returns ([int]bool);
+function _S_WaitListHead__DISPATCHER_HEADERInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {WaitListHead__DISPATCHER_HEADERInv(WaitListHead__DISPATCHER_HEADER(x))} WaitListHead__DISPATCHER_HEADERInv(WaitListHead__DISPATCHER_HEADER(x)) == x);
+axiom (forall x:int :: {WaitListHead__DISPATCHER_HEADERInv(x)} WaitListHead__DISPATCHER_HEADER(WaitListHead__DISPATCHER_HEADERInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_WaitListHead__DISPATCHER_HEADER(S)[x]} _S_WaitListHead__DISPATCHER_HEADER(S)[x] <==> S[WaitListHead__DISPATCHER_HEADERInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_WaitListHead__DISPATCHER_HEADERInv(S)[x]} _S_WaitListHead__DISPATCHER_HEADERInv(S)[x] <==> S[WaitListHead__DISPATCHER_HEADER(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_WaitListHead__DISPATCHER_HEADER(S)} S[x] ==> _S_WaitListHead__DISPATCHER_HEADER(S)[WaitListHead__DISPATCHER_HEADER(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_WaitListHead__DISPATCHER_HEADERInv(S)} S[x] ==> _S_WaitListHead__DISPATCHER_HEADERInv(S)[WaitListHead__DISPATCHER_HEADERInv(x)]);
+
+axiom (forall x:int :: {WaitListHead__DISPATCHER_HEADER(x)} WaitListHead__DISPATCHER_HEADER(x) == x + 8);
+axiom (forall x:int :: {WaitListHead__DISPATCHER_HEADERInv(x)} WaitListHead__DISPATCHER_HEADERInv(x) == x - 8);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 8, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 8, 1) == WaitListHead__DISPATCHER_HEADERInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 8)} MINUS_LEFT_PTR(x, 1, 8) == WaitListHead__DISPATCHER_HEADERInv(x));
+function WaitWakeEnabled__DEVICE_EXTENSION(int) returns (int);
+function WaitWakeEnabled__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_WaitWakeEnabled__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_WaitWakeEnabled__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {WaitWakeEnabled__DEVICE_EXTENSIONInv(WaitWakeEnabled__DEVICE_EXTENSION(x))} WaitWakeEnabled__DEVICE_EXTENSIONInv(WaitWakeEnabled__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {WaitWakeEnabled__DEVICE_EXTENSIONInv(x)} WaitWakeEnabled__DEVICE_EXTENSION(WaitWakeEnabled__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_WaitWakeEnabled__DEVICE_EXTENSION(S)[x]} _S_WaitWakeEnabled__DEVICE_EXTENSION(S)[x] <==> S[WaitWakeEnabled__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_WaitWakeEnabled__DEVICE_EXTENSIONInv(S)[x]} _S_WaitWakeEnabled__DEVICE_EXTENSIONInv(S)[x] <==> S[WaitWakeEnabled__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_WaitWakeEnabled__DEVICE_EXTENSION(S)} S[x] ==> _S_WaitWakeEnabled__DEVICE_EXTENSION(S)[WaitWakeEnabled__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_WaitWakeEnabled__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_WaitWakeEnabled__DEVICE_EXTENSIONInv(S)[WaitWakeEnabled__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {WaitWakeEnabled__DEVICE_EXTENSION(x)} WaitWakeEnabled__DEVICE_EXTENSION(x) == x + 286);
+axiom (forall x:int :: {WaitWakeEnabled__DEVICE_EXTENSIONInv(x)} WaitWakeEnabled__DEVICE_EXTENSIONInv(x) == x - 286);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 286, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 286, 1) == WaitWakeEnabled__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 286)} MINUS_LEFT_PTR(x, 1, 286) == WaitWakeEnabled__DEVICE_EXTENSIONInv(x));
+function WaitWakeIrp__DEVICE_EXTENSION(int) returns (int);
+function WaitWakeIrp__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_WaitWakeIrp__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_WaitWakeIrp__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {WaitWakeIrp__DEVICE_EXTENSIONInv(WaitWakeIrp__DEVICE_EXTENSION(x))} WaitWakeIrp__DEVICE_EXTENSIONInv(WaitWakeIrp__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {WaitWakeIrp__DEVICE_EXTENSIONInv(x)} WaitWakeIrp__DEVICE_EXTENSION(WaitWakeIrp__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_WaitWakeIrp__DEVICE_EXTENSION(S)[x]} _S_WaitWakeIrp__DEVICE_EXTENSION(S)[x] <==> S[WaitWakeIrp__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_WaitWakeIrp__DEVICE_EXTENSIONInv(S)[x]} _S_WaitWakeIrp__DEVICE_EXTENSIONInv(S)[x] <==> S[WaitWakeIrp__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_WaitWakeIrp__DEVICE_EXTENSION(S)} S[x] ==> _S_WaitWakeIrp__DEVICE_EXTENSION(S)[WaitWakeIrp__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_WaitWakeIrp__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_WaitWakeIrp__DEVICE_EXTENSIONInv(S)[WaitWakeIrp__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {WaitWakeIrp__DEVICE_EXTENSION(x)} WaitWakeIrp__DEVICE_EXTENSION(x) == x + 260);
+axiom (forall x:int :: {WaitWakeIrp__DEVICE_EXTENSIONInv(x)} WaitWakeIrp__DEVICE_EXTENSIONInv(x) == x - 260);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 260, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 260, 1) == WaitWakeIrp__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 260)} MINUS_LEFT_PTR(x, 1, 260) == WaitWakeIrp__DEVICE_EXTENSIONInv(x));
+function WaitWakeSpinLock__DEVICE_EXTENSION(int) returns (int);
+function WaitWakeSpinLock__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_WaitWakeSpinLock__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_WaitWakeSpinLock__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {WaitWakeSpinLock__DEVICE_EXTENSIONInv(WaitWakeSpinLock__DEVICE_EXTENSION(x))} WaitWakeSpinLock__DEVICE_EXTENSIONInv(WaitWakeSpinLock__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {WaitWakeSpinLock__DEVICE_EXTENSIONInv(x)} WaitWakeSpinLock__DEVICE_EXTENSION(WaitWakeSpinLock__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_WaitWakeSpinLock__DEVICE_EXTENSION(S)[x]} _S_WaitWakeSpinLock__DEVICE_EXTENSION(S)[x] <==> S[WaitWakeSpinLock__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_WaitWakeSpinLock__DEVICE_EXTENSIONInv(S)[x]} _S_WaitWakeSpinLock__DEVICE_EXTENSIONInv(S)[x] <==> S[WaitWakeSpinLock__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_WaitWakeSpinLock__DEVICE_EXTENSION(S)} S[x] ==> _S_WaitWakeSpinLock__DEVICE_EXTENSION(S)[WaitWakeSpinLock__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_WaitWakeSpinLock__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_WaitWakeSpinLock__DEVICE_EXTENSIONInv(S)[WaitWakeSpinLock__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {WaitWakeSpinLock__DEVICE_EXTENSION(x)} WaitWakeSpinLock__DEVICE_EXTENSION(x) == x + 108);
+axiom (forall x:int :: {WaitWakeSpinLock__DEVICE_EXTENSIONInv(x)} WaitWakeSpinLock__DEVICE_EXTENSIONInv(x) == x - 108);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 108, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 108, 1) == WaitWakeSpinLock__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 108)} MINUS_LEFT_PTR(x, 1, 108) == WaitWakeSpinLock__DEVICE_EXTENSIONInv(x));
+function WmiFunctionControl__WMILIB_CONTEXT(int) returns (int);
+function WmiFunctionControl__WMILIB_CONTEXTInv(int) returns (int);
+function _S_WmiFunctionControl__WMILIB_CONTEXT([int]bool) returns ([int]bool);
+function _S_WmiFunctionControl__WMILIB_CONTEXTInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {WmiFunctionControl__WMILIB_CONTEXTInv(WmiFunctionControl__WMILIB_CONTEXT(x))} WmiFunctionControl__WMILIB_CONTEXTInv(WmiFunctionControl__WMILIB_CONTEXT(x)) == x);
+axiom (forall x:int :: {WmiFunctionControl__WMILIB_CONTEXTInv(x)} WmiFunctionControl__WMILIB_CONTEXT(WmiFunctionControl__WMILIB_CONTEXTInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_WmiFunctionControl__WMILIB_CONTEXT(S)[x]} _S_WmiFunctionControl__WMILIB_CONTEXT(S)[x] <==> S[WmiFunctionControl__WMILIB_CONTEXTInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_WmiFunctionControl__WMILIB_CONTEXTInv(S)[x]} _S_WmiFunctionControl__WMILIB_CONTEXTInv(S)[x] <==> S[WmiFunctionControl__WMILIB_CONTEXT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_WmiFunctionControl__WMILIB_CONTEXT(S)} S[x] ==> _S_WmiFunctionControl__WMILIB_CONTEXT(S)[WmiFunctionControl__WMILIB_CONTEXT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_WmiFunctionControl__WMILIB_CONTEXTInv(S)} S[x] ==> _S_WmiFunctionControl__WMILIB_CONTEXTInv(S)[WmiFunctionControl__WMILIB_CONTEXTInv(x)]);
+
+axiom (forall x:int :: {WmiFunctionControl__WMILIB_CONTEXT(x)} WmiFunctionControl__WMILIB_CONTEXT(x) == x + 28);
+axiom (forall x:int :: {WmiFunctionControl__WMILIB_CONTEXTInv(x)} WmiFunctionControl__WMILIB_CONTEXTInv(x) == x - 28);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 28, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 28, 1) == WmiFunctionControl__WMILIB_CONTEXTInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 28)} MINUS_LEFT_PTR(x, 1, 28) == WmiFunctionControl__WMILIB_CONTEXTInv(x));
+function WmiLibInfo__DEVICE_EXTENSION(int) returns (int);
+function WmiLibInfo__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_WmiLibInfo__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_WmiLibInfo__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {WmiLibInfo__DEVICE_EXTENSIONInv(WmiLibInfo__DEVICE_EXTENSION(x))} WmiLibInfo__DEVICE_EXTENSIONInv(WmiLibInfo__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {WmiLibInfo__DEVICE_EXTENSIONInv(x)} WmiLibInfo__DEVICE_EXTENSION(WmiLibInfo__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_WmiLibInfo__DEVICE_EXTENSION(S)[x]} _S_WmiLibInfo__DEVICE_EXTENSION(S)[x] <==> S[WmiLibInfo__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_WmiLibInfo__DEVICE_EXTENSIONInv(S)[x]} _S_WmiLibInfo__DEVICE_EXTENSIONInv(S)[x] <==> S[WmiLibInfo__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_WmiLibInfo__DEVICE_EXTENSION(S)} S[x] ==> _S_WmiLibInfo__DEVICE_EXTENSION(S)[WmiLibInfo__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_WmiLibInfo__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_WmiLibInfo__DEVICE_EXTENSIONInv(S)[WmiLibInfo__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {WmiLibInfo__DEVICE_EXTENSION(x)} WmiLibInfo__DEVICE_EXTENSION(x) == x + 200);
+axiom (forall x:int :: {WmiLibInfo__DEVICE_EXTENSIONInv(x)} WmiLibInfo__DEVICE_EXTENSIONInv(x) == x - 200);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 200, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 200, 1) == WmiLibInfo__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 200)} MINUS_LEFT_PTR(x, 1, 200) == WmiLibInfo__DEVICE_EXTENSIONInv(x));
+function __unnamed_1_29794256___unnamed_4_5ca00198(int) returns (int);
+function __unnamed_1_29794256___unnamed_4_5ca00198Inv(int) returns (int);
+function _S___unnamed_1_29794256___unnamed_4_5ca00198([int]bool) returns ([int]bool);
+function _S___unnamed_1_29794256___unnamed_4_5ca00198Inv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {__unnamed_1_29794256___unnamed_4_5ca00198Inv(__unnamed_1_29794256___unnamed_4_5ca00198(x))} __unnamed_1_29794256___unnamed_4_5ca00198Inv(__unnamed_1_29794256___unnamed_4_5ca00198(x)) == x);
+axiom (forall x:int :: {__unnamed_1_29794256___unnamed_4_5ca00198Inv(x)} __unnamed_1_29794256___unnamed_4_5ca00198(__unnamed_1_29794256___unnamed_4_5ca00198Inv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S___unnamed_1_29794256___unnamed_4_5ca00198(S)[x]} _S___unnamed_1_29794256___unnamed_4_5ca00198(S)[x] <==> S[__unnamed_1_29794256___unnamed_4_5ca00198Inv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S___unnamed_1_29794256___unnamed_4_5ca00198Inv(S)[x]} _S___unnamed_1_29794256___unnamed_4_5ca00198Inv(S)[x] <==> S[__unnamed_1_29794256___unnamed_4_5ca00198(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S___unnamed_1_29794256___unnamed_4_5ca00198(S)} S[x] ==> _S___unnamed_1_29794256___unnamed_4_5ca00198(S)[__unnamed_1_29794256___unnamed_4_5ca00198(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S___unnamed_1_29794256___unnamed_4_5ca00198Inv(S)} S[x] ==> _S___unnamed_1_29794256___unnamed_4_5ca00198Inv(S)[__unnamed_1_29794256___unnamed_4_5ca00198Inv(x)]);
+
+axiom (forall x:int :: {__unnamed_1_29794256___unnamed_4_5ca00198(x)} __unnamed_1_29794256___unnamed_4_5ca00198(x) == x + 1);
+axiom (forall x:int :: {__unnamed_1_29794256___unnamed_4_5ca00198Inv(x)} __unnamed_1_29794256___unnamed_4_5ca00198Inv(x) == x - 1);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 1, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 1, 1) == __unnamed_1_29794256___unnamed_4_5ca00198Inv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 1)} MINUS_LEFT_PTR(x, 1, 1) == __unnamed_1_29794256___unnamed_4_5ca00198Inv(x));
+function __unnamed_1_2dc63b48___unnamed_4_5ca00198(int) returns (int);
+function __unnamed_1_2dc63b48___unnamed_4_5ca00198Inv(int) returns (int);
+function _S___unnamed_1_2dc63b48___unnamed_4_5ca00198([int]bool) returns ([int]bool);
+function _S___unnamed_1_2dc63b48___unnamed_4_5ca00198Inv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {__unnamed_1_2dc63b48___unnamed_4_5ca00198Inv(__unnamed_1_2dc63b48___unnamed_4_5ca00198(x))} __unnamed_1_2dc63b48___unnamed_4_5ca00198Inv(__unnamed_1_2dc63b48___unnamed_4_5ca00198(x)) == x);
+axiom (forall x:int :: {__unnamed_1_2dc63b48___unnamed_4_5ca00198Inv(x)} __unnamed_1_2dc63b48___unnamed_4_5ca00198(__unnamed_1_2dc63b48___unnamed_4_5ca00198Inv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S___unnamed_1_2dc63b48___unnamed_4_5ca00198(S)[x]} _S___unnamed_1_2dc63b48___unnamed_4_5ca00198(S)[x] <==> S[__unnamed_1_2dc63b48___unnamed_4_5ca00198Inv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S___unnamed_1_2dc63b48___unnamed_4_5ca00198Inv(S)[x]} _S___unnamed_1_2dc63b48___unnamed_4_5ca00198Inv(S)[x] <==> S[__unnamed_1_2dc63b48___unnamed_4_5ca00198(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S___unnamed_1_2dc63b48___unnamed_4_5ca00198(S)} S[x] ==> _S___unnamed_1_2dc63b48___unnamed_4_5ca00198(S)[__unnamed_1_2dc63b48___unnamed_4_5ca00198(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S___unnamed_1_2dc63b48___unnamed_4_5ca00198Inv(S)} S[x] ==> _S___unnamed_1_2dc63b48___unnamed_4_5ca00198Inv(S)[__unnamed_1_2dc63b48___unnamed_4_5ca00198Inv(x)]);
+
+axiom (forall x:int :: {__unnamed_1_2dc63b48___unnamed_4_5ca00198(x)} __unnamed_1_2dc63b48___unnamed_4_5ca00198(x) == x + 3);
+axiom (forall x:int :: {__unnamed_1_2dc63b48___unnamed_4_5ca00198Inv(x)} __unnamed_1_2dc63b48___unnamed_4_5ca00198Inv(x) == x - 3);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 3, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 3, 1) == __unnamed_1_2dc63b48___unnamed_4_5ca00198Inv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 3)} MINUS_LEFT_PTR(x, 1, 3) == __unnamed_1_2dc63b48___unnamed_4_5ca00198Inv(x));
+function __unnamed_1_2ef8da39___unnamed_4_5ca00198(int) returns (int);
+function __unnamed_1_2ef8da39___unnamed_4_5ca00198Inv(int) returns (int);
+function _S___unnamed_1_2ef8da39___unnamed_4_5ca00198([int]bool) returns ([int]bool);
+function _S___unnamed_1_2ef8da39___unnamed_4_5ca00198Inv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {__unnamed_1_2ef8da39___unnamed_4_5ca00198Inv(__unnamed_1_2ef8da39___unnamed_4_5ca00198(x))} __unnamed_1_2ef8da39___unnamed_4_5ca00198Inv(__unnamed_1_2ef8da39___unnamed_4_5ca00198(x)) == x);
+axiom (forall x:int :: {__unnamed_1_2ef8da39___unnamed_4_5ca00198Inv(x)} __unnamed_1_2ef8da39___unnamed_4_5ca00198(__unnamed_1_2ef8da39___unnamed_4_5ca00198Inv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S___unnamed_1_2ef8da39___unnamed_4_5ca00198(S)[x]} _S___unnamed_1_2ef8da39___unnamed_4_5ca00198(S)[x] <==> S[__unnamed_1_2ef8da39___unnamed_4_5ca00198Inv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S___unnamed_1_2ef8da39___unnamed_4_5ca00198Inv(S)[x]} _S___unnamed_1_2ef8da39___unnamed_4_5ca00198Inv(S)[x] <==> S[__unnamed_1_2ef8da39___unnamed_4_5ca00198(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S___unnamed_1_2ef8da39___unnamed_4_5ca00198(S)} S[x] ==> _S___unnamed_1_2ef8da39___unnamed_4_5ca00198(S)[__unnamed_1_2ef8da39___unnamed_4_5ca00198(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S___unnamed_1_2ef8da39___unnamed_4_5ca00198Inv(S)} S[x] ==> _S___unnamed_1_2ef8da39___unnamed_4_5ca00198Inv(S)[__unnamed_1_2ef8da39___unnamed_4_5ca00198Inv(x)]);
+
+axiom (forall x:int :: {__unnamed_1_2ef8da39___unnamed_4_5ca00198(x)} __unnamed_1_2ef8da39___unnamed_4_5ca00198(x) == x + 2);
+axiom (forall x:int :: {__unnamed_1_2ef8da39___unnamed_4_5ca00198Inv(x)} __unnamed_1_2ef8da39___unnamed_4_5ca00198Inv(x) == x - 2);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 2, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 2, 1) == __unnamed_1_2ef8da39___unnamed_4_5ca00198Inv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 2)} MINUS_LEFT_PTR(x, 1, 2) == __unnamed_1_2ef8da39___unnamed_4_5ca00198Inv(x));
+function __unnamed_4_5ca00198___unnamed_4_a97c65a1(int) returns (int);
+function __unnamed_4_5ca00198___unnamed_4_a97c65a1Inv(int) returns (int);
+function _S___unnamed_4_5ca00198___unnamed_4_a97c65a1([int]bool) returns ([int]bool);
+function _S___unnamed_4_5ca00198___unnamed_4_a97c65a1Inv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {__unnamed_4_5ca00198___unnamed_4_a97c65a1Inv(__unnamed_4_5ca00198___unnamed_4_a97c65a1(x))} __unnamed_4_5ca00198___unnamed_4_a97c65a1Inv(__unnamed_4_5ca00198___unnamed_4_a97c65a1(x)) == x);
+axiom (forall x:int :: {__unnamed_4_5ca00198___unnamed_4_a97c65a1Inv(x)} __unnamed_4_5ca00198___unnamed_4_a97c65a1(__unnamed_4_5ca00198___unnamed_4_a97c65a1Inv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S___unnamed_4_5ca00198___unnamed_4_a97c65a1(S)[x]} _S___unnamed_4_5ca00198___unnamed_4_a97c65a1(S)[x] <==> S[__unnamed_4_5ca00198___unnamed_4_a97c65a1Inv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S___unnamed_4_5ca00198___unnamed_4_a97c65a1Inv(S)[x]} _S___unnamed_4_5ca00198___unnamed_4_a97c65a1Inv(S)[x] <==> S[__unnamed_4_5ca00198___unnamed_4_a97c65a1(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S___unnamed_4_5ca00198___unnamed_4_a97c65a1(S)} S[x] ==> _S___unnamed_4_5ca00198___unnamed_4_a97c65a1(S)[__unnamed_4_5ca00198___unnamed_4_a97c65a1(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S___unnamed_4_5ca00198___unnamed_4_a97c65a1Inv(S)} S[x] ==> _S___unnamed_4_5ca00198___unnamed_4_a97c65a1Inv(S)[__unnamed_4_5ca00198___unnamed_4_a97c65a1Inv(x)]);
+
+axiom (forall x:int :: {__unnamed_4_5ca00198___unnamed_4_a97c65a1(x)} __unnamed_4_5ca00198___unnamed_4_a97c65a1(x) == x + 0);
+axiom (forall x:int :: {__unnamed_4_5ca00198___unnamed_4_a97c65a1Inv(x)} __unnamed_4_5ca00198___unnamed_4_a97c65a1Inv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == __unnamed_4_5ca00198___unnamed_4_a97c65a1Inv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == __unnamed_4_5ca00198___unnamed_4_a97c65a1Inv(x));
+function __unnamed_4_a97c65a1__DISPATCHER_HEADER(int) returns (int);
+function __unnamed_4_a97c65a1__DISPATCHER_HEADERInv(int) returns (int);
+function _S___unnamed_4_a97c65a1__DISPATCHER_HEADER([int]bool) returns ([int]bool);
+function _S___unnamed_4_a97c65a1__DISPATCHER_HEADERInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {__unnamed_4_a97c65a1__DISPATCHER_HEADERInv(__unnamed_4_a97c65a1__DISPATCHER_HEADER(x))} __unnamed_4_a97c65a1__DISPATCHER_HEADERInv(__unnamed_4_a97c65a1__DISPATCHER_HEADER(x)) == x);
+axiom (forall x:int :: {__unnamed_4_a97c65a1__DISPATCHER_HEADERInv(x)} __unnamed_4_a97c65a1__DISPATCHER_HEADER(__unnamed_4_a97c65a1__DISPATCHER_HEADERInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S___unnamed_4_a97c65a1__DISPATCHER_HEADER(S)[x]} _S___unnamed_4_a97c65a1__DISPATCHER_HEADER(S)[x] <==> S[__unnamed_4_a97c65a1__DISPATCHER_HEADERInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S___unnamed_4_a97c65a1__DISPATCHER_HEADERInv(S)[x]} _S___unnamed_4_a97c65a1__DISPATCHER_HEADERInv(S)[x] <==> S[__unnamed_4_a97c65a1__DISPATCHER_HEADER(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S___unnamed_4_a97c65a1__DISPATCHER_HEADER(S)} S[x] ==> _S___unnamed_4_a97c65a1__DISPATCHER_HEADER(S)[__unnamed_4_a97c65a1__DISPATCHER_HEADER(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S___unnamed_4_a97c65a1__DISPATCHER_HEADERInv(S)} S[x] ==> _S___unnamed_4_a97c65a1__DISPATCHER_HEADERInv(S)[__unnamed_4_a97c65a1__DISPATCHER_HEADERInv(x)]);
+
+axiom (forall x:int :: {__unnamed_4_a97c65a1__DISPATCHER_HEADER(x)} __unnamed_4_a97c65a1__DISPATCHER_HEADER(x) == x + 0);
+axiom (forall x:int :: {__unnamed_4_a97c65a1__DISPATCHER_HEADERInv(x)} __unnamed_4_a97c65a1__DISPATCHER_HEADERInv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == __unnamed_4_a97c65a1__DISPATCHER_HEADERInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == __unnamed_4_a97c65a1__DISPATCHER_HEADERInv(x));
+function MINUS_BOTH_PTR_OR_BOTH_INT(a:int, b:int, size:int) returns (int);
+axiom (forall a:int, b:int, size:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(a,b,size)}
+size * MINUS_BOTH_PTR_OR_BOTH_INT(a,b,size) <= a - b && a - b < size * (MINUS_BOTH_PTR_OR_BOTH_INT(a,b,size) + 1));
+
+function MINUS_LEFT_PTR(a:int, a_size:int, b:int) returns (int);
+axiom(forall a:int, a_size:int, b:int :: {MINUS_LEFT_PTR(a,a_size,b)} MINUS_LEFT_PTR(a,a_size,b) == a - a_size * b);
+
+function PLUS(a:int, a_size:int, b:int) returns (int);
+axiom (forall a:int, a_size:int, b:int :: {PLUS(a,a_size,b)} PLUS(a,a_size,b) == a + a_size * b);
+
+function MULT(a:int, b:int) returns (int); // a*b
+axiom(forall a:int, b:int :: {MULT(a,b)} MULT(a,b) == a * b);
+
+function DIV(a:int, b:int) returns (int); // a/b
+
+axiom(forall a:int, b:int :: {DIV(a,b)}
+a >= 0 && b > 0 ==> b * DIV(a,b) <= a && a < b * (DIV(a,b) + 1)
+);
+
+axiom(forall a:int, b:int :: {DIV(a,b)}
+a >= 0 && b < 0 ==> b * DIV(a,b) <= a && a < b * (DIV(a,b) - 1)
+);
+
+axiom(forall a:int, b:int :: {DIV(a,b)}
+a < 0 && b > 0 ==> b * DIV(a,b) >= a && a > b * (DIV(a,b) - 1)
+);
+
+axiom(forall a:int, b:int :: {DIV(a,b)}
+a < 0 && b < 0 ==> b * DIV(a,b) >= a && a > b * (DIV(a,b) + 1)
+);
+
+function BINARY_BOTH_INT(a:int, b:int) returns (int);
+
+function POW2(a:int) returns (bool);
+axiom POW2(1);
+axiom POW2(2);
+axiom POW2(4);
+axiom POW2(8);
+axiom POW2(16);
+axiom POW2(32);
+axiom POW2(64);
+axiom POW2(128);
+axiom POW2(256);
+axiom POW2(512);
+axiom POW2(1024);
+axiom POW2(2048);
+axiom POW2(4096);
+axiom POW2(8192);
+axiom POW2(16384);
+axiom POW2(32768);
+axiom POW2(65536);
+axiom POW2(131072);
+axiom POW2(262144);
+axiom POW2(524288);
+axiom POW2(1048576);
+axiom POW2(2097152);
+axiom POW2(4194304);
+axiom POW2(8388608);
+axiom POW2(16777216);
+axiom POW2(33554432);
+
+function choose(a:bool, b:int, c:int) returns (x:int);
+axiom(forall a:bool, b:int, c:int :: {choose(a,b,c)} a ==> choose(a,b,c) == b);
+axiom(forall a:bool, b:int, c:int :: {choose(a,b,c)} !a ==> choose(a,b,c) == c);
+
+function BIT_BAND(a:int, b:int) returns (x:int);
+axiom(forall a:int, b:int :: {BIT_BAND(a,b)} a == b ==> BIT_BAND(a,b) == a);
+axiom(forall a:int, b:int :: {BIT_BAND(a,b)} POW2(a) && POW2(b) && a != b ==> BIT_BAND(a,b) == 0);
+axiom(forall a:int, b:int :: {BIT_BAND(a,b)} a == 0 || b == 0 ==> BIT_BAND(a,b) == 0);
+
+function BIT_BOR(a:int, b:int) returns (x:int);
+
+function BIT_BXOR(a:int, b:int) returns (x:int);
+
+function BIT_BNOT(a:int) returns (int);
+
+function LIFT(a:bool) returns (int);
+axiom(forall a:bool :: {LIFT(a)} a <==> LIFT(a) != 0);
+
+function NOT(a:int) returns (int);
+axiom(forall a:int :: {NOT(a)} a == 0 ==> NOT(a) != 0);
+axiom(forall a:int :: {NOT(a)} a != 0 ==> NOT(a) == 0);
+
+function NULL_CHECK(a:int) returns (int);
+axiom(forall a:int :: {NULL_CHECK(a)} a == 0 ==> NULL_CHECK(a) != 0);
+axiom(forall a:int :: {NULL_CHECK(a)} a != 0 ==> NULL_CHECK(a) == 0);
+
+
+
+
+procedure havoc_assert(i:int);
+requires (i != 0);
+
+procedure havoc_assume(i:int);
+ensures (i != 0);
+
+procedure __HAVOC_free(a:int);
+modifies alloc;
+ensures (forall x:int :: {alloc[x]} x == a || old(alloc)[x] == alloc[x]);
+ensures (alloc[a] == FREED);
+// Additional checks guarded by tranlator flags
+// requires alloc[a] == ALLOCATED;
+// requires Base(a) == a;
+
+procedure __HAVOC_malloc(obj_size:int) returns (new:int);
+requires obj_size >= 0;
+modifies alloc;
+ensures (new > 0);
+ensures (forall x:int :: {Base(x)} new <= x && x < new+obj_size ==> Base(x) == new);
+ensures (forall x:int :: {alloc[x]} x == new || old(alloc)[x] == alloc[x]);
+ensures old(alloc)[new] == UNALLOCATED && alloc[new] == ALLOCATED;
+
+procedure nondet_choice() returns (x:int);
+
+procedure _strdup(str:int) returns (new:int);
+
+procedure _xstrcasecmp(a0:int, a1:int) returns (ret:int);
+
+procedure _xstrcmp(a0:int, a1:int) returns (ret:int);
+
+var Res_DEVICE_STACK:[int]int;
+var Res_DEV_EXTN:[int]int;
+var Res_DEV_OBJ_INIT:[int]int;
+var Res_SPIN_LOCK:[int]int;
+
+
+
+////////////////////
+// Between predicate
+////////////////////
+function ReachBetween(f: [int]int, x: int, y: int, z: int) returns (bool);
+function ReachAvoiding(f: [int]int, x: int, y: int, z: int) returns (bool);
+
+
+//////////////////////////
+// Between set constructor
+//////////////////////////
+function ReachBetweenSet(f: [int]int, x: int, z: int) returns ([int]bool);
+
+////////////////////////////////////////////////////
+// axioms relating ReachBetween and ReachBetweenSet
+////////////////////////////////////////////////////
+axiom(forall f: [int]int, x: int, y: int, z: int :: {ReachBetweenSet(f, x, z)[y]} ReachBetweenSet(f, x, z)[y] <==> ReachBetween(f, x, y, z));
+axiom(forall f: [int]int, x: int, y: int, z: int :: {ReachBetween(f, x, y, z), ReachBetweenSet(f, x, z)} ReachBetween(f, x, y, z) ==> ReachBetweenSet(f, x, z)[y]);
+axiom(forall f: [int]int, x: int, z: int :: {ReachBetweenSet(f, x, z)} ReachBetween(f, x, x, x));
+
+
+//////////////////////////
+// Axioms for ReachBetween
+//////////////////////////
+
+// reflexive
+axiom(forall f: [int]int, x: int :: ReachBetween(f, x, x, x));
+
+// step
+//axiom(forall f: [int]int, x: int :: {f[x]} ReachBetween(f, x, f[x], f[x]));
+axiom(forall f: [int]int, x: int, y: int, z: int, w:int :: {ReachBetween(f, y, z, w), f[x]} ReachBetween(f, x, f[x], f[x]));
+
+// reach
+axiom(forall f: [int]int, x: int, y: int :: {f[x], ReachBetween(f, x, y, y)} ReachBetween(f, x, y, y) ==> x == y || ReachBetween(f, x, f[x], y));
+
+// cycle
+axiom(forall f: [int]int, x: int, y:int :: {f[x], ReachBetween(f, x, y, y)} f[x] == x && ReachBetween(f, x, y, y) ==> x == y);
+
+// sandwich
+axiom(forall f: [int]int, x: int, y: int :: {ReachBetween(f, x, y, x)} ReachBetween(f, x, y, x) ==> x == y);
+
+// order1
+axiom(forall f: [int]int, x: int, y: int, z: int :: {ReachBetween(f, x, y, y), ReachBetween(f, x, z, z)} ReachBetween(f, x, y, y) && ReachBetween(f, x, z, z) ==> ReachBetween(f, x, y, z) || ReachBetween(f, x, z, y));
+
+// order2
+axiom(forall f: [int]int, x: int, y: int, z: int :: {ReachBetween(f, x, y, z)} ReachBetween(f, x, y, z) ==> ReachBetween(f, x, y, y) && ReachBetween(f, y, z, z));
+
+// transitive1
+axiom(forall f: [int]int, x: int, y: int, z: int :: {ReachBetween(f, x, y, y), ReachBetween(f, y, z, z)} ReachBetween(f, x, y, y) && ReachBetween(f, y, z, z) ==> ReachBetween(f, x, z, z));
+
+// transitive2
+axiom(forall f: [int]int, x: int, y: int, z: int, w: int :: {ReachBetween(f, x, y, z), ReachBetween(f, y, w, z)} ReachBetween(f, x, y, z) && ReachBetween(f, y, w, z) ==> ReachBetween(f, x, y, w) && ReachBetween(f, x, w, z));
+
+// transitive3
+axiom(forall f: [int]int, x: int, y: int, z: int, w: int :: {ReachBetween(f, x, y, z), ReachBetween(f, x, w, y)} ReachBetween(f, x, y, z) && ReachBetween(f, x, w, y) ==> ReachBetween(f, x, w, z) && ReachBetween(f, w, y, z));
+
+// This axiom is required to deal with the incompleteness of the trigger for the reflexive axiom.
+// It cannot be proved using the rest of the axioms.
+axiom(forall f: [int]int, u:int, x: int :: {ReachBetween(f, u, x, x)} ReachBetween(f, u, x, x) ==> ReachBetween(f, u, u, x));
+
+// relation between ReachAvoiding and ReachBetween
+axiom(forall f: [int]int, x: int, y: int, z: int :: {ReachAvoiding(f, x, y, z)}{ReachBetween(f, x, y, z)} ReachAvoiding(f, x, y, z) <==> (ReachBetween(f, x, y, z) || (ReachBetween(f, x, y, y) && !ReachBetween(f, x, z, z))));
+
+// update
+axiom(forall f: [int]int, u: int, v: int, x: int, p: int, q: int :: {ReachAvoiding(f[p := q], u, v, x)} ReachAvoiding(f[p := q], u, v, x) <==> ((ReachAvoiding(f, u, v, p) && ReachAvoiding(f, u, v, x)) || (ReachAvoiding(f, u, p, x) && p != x && ReachAvoiding(f, q, v, p) && ReachAvoiding(f, q, v, x))));
+ ///////////////////////////////
+ // Shifts for linking fields
+ ///////////////////////////////
+function Shift_Flink__LIST_ENTRY(f: [int]int) returns ([int]int);
+axiom( forall f: [int]int, __x:int :: {f[Flink__LIST_ENTRY(__x)],Shift_Flink__LIST_ENTRY(f)} {Shift_Flink__LIST_ENTRY(f)[__x]} Shift_Flink__LIST_ENTRY(f)[__x] == f[Flink__LIST_ENTRY(__x)]);
+axiom(forall f: [int]int, __x:int, __v:int :: {Shift_Flink__LIST_ENTRY(f[Flink__LIST_ENTRY(__x) := __v])} Shift_Flink__LIST_ENTRY(f[Flink__LIST_ENTRY(__x) := __v]) == Shift_Flink__LIST_ENTRY(f)[__x := __v]);
+
+const unique Globals : int;
+axiom(Globals != 0);
+// the set of constants for 64 bit integers that Boogie doesn't parse
+const unique BOOGIE_LARGE_INT_4294967273:int;
+
+
+
+procedure ExAcquireFastMutex($FastMutex$1$15000.16$ExAcquireFastMutex$41:int);
+
+//TAG: ensures __preserves_mem
+ensures(Mem == old(Mem));
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+ensures((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN)));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_f19b65c1] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure ExAllocatePoolWithTag($PoolType$1$14789.57$ExAllocatePoolWithTag$121:int, $NumberOfBytes$2$14790.16$ExAllocatePoolWithTag$121:int, $Tag$3$14791.15$ExAllocatePoolWithTag$121:int) returns ($result.ExAllocatePoolWithTag$14788.0$1$:int);
+
+//TAG: ensures __preserves_mem
+ensures(Mem == old(Mem));
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+ensures((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN)));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_f19b65c1] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure ExFreePoolWithTag($P$1$14901.35$ExFreePoolWithTag$81:int, $Tag$2$14902.15$ExFreePoolWithTag$81:int);
+
+//TAG: ensures __preserves_mem
+ensures(Mem == old(Mem));
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+ensures((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN)));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_f19b65c1] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure ExReleaseFastMutex($FastMutex$1$15013.16$ExReleaseFastMutex$41:int);
+
+//TAG: ensures __preserves_mem
+ensures(Mem == old(Mem));
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+ensures((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN)));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_f19b65c1] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure InitializeListHead_IRP($ListHead$1$12.44$InitializeListHead_IRP$41:int);
+
+//TAG: ensures __preserves_mem
+ensures(Mem == old(Mem));
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+ensures((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN)));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_f19b65c1] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure IoCreateDevice($DriverObject$1$21226.25$IoCreateDevice$281:int, $DeviceExtensionSize$2$21227.16$IoCreateDevice$281:int, $DeviceName$3$21228.29$IoCreateDevice$281:int, $DeviceType$4$21229.22$IoCreateDevice$281:int, $DeviceCharacteristics$5$21230.16$IoCreateDevice$281:int, $Exclusive$6$21231.18$IoCreateDevice$281:int, $DeviceObject$7$21237.20$IoCreateDevice$281:int) returns ($result.IoCreateDevice$21225.0$1$:int);
+
+//TAG: ensures (LONG)__return >= 0 ==> *DeviceObject != (void *)0
+ensures(($result.IoCreateDevice$21225.0$1$ >= 0) ==> (Mem[T.P_DEVICE_OBJECT][$DeviceObject$7$21237.20$IoCreateDevice$281] != 0));
+//TAG: ensures (LONG)__return >= 0 ==> (*DeviceObject)->DeviceExtension != (void *)0
+ensures(($result.IoCreateDevice$21225.0$1$ >= 0) ==> (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$DeviceObject$7$21237.20$IoCreateDevice$281])] != 0));
+//TAG: ensures (LONG)__return >= 0 ==> __resource("DEV_EXTN", (*DeviceObject)->DeviceExtension) == 1
+ensures(($result.IoCreateDevice$21225.0$1$ >= 0) ==> (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$DeviceObject$7$21237.20$IoCreateDevice$281])]] == 1));
+//TAG: ensures (LONG)__return >= 0 ==> __resource("DEV_OBJ_INIT", *DeviceObject) == 1 && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(*DeviceObject))->DeviceExtension)) == 1
+ensures(($result.IoCreateDevice$21225.0$1$ >= 0) ==> ((Res_DEV_OBJ_INIT[Mem[T.P_DEVICE_OBJECT][$DeviceObject$7$21237.20$IoCreateDevice$281]] == 1) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$DeviceObject$7$21237.20$IoCreateDevice$281])]] == 1)));
+//TAG: ensures (LONG)__return >= 0 ==> __old_resource("DEV_OBJ_INIT", *DeviceObject) == 0 && __old_resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(*DeviceObject))->DeviceExtension)) == 0
+ensures(($result.IoCreateDevice$21225.0$1$ >= 0) ==> ((old(Res_DEV_OBJ_INIT)[Mem[T.P_DEVICE_OBJECT][$DeviceObject$7$21237.20$IoCreateDevice$281]] == 0) && (old(Res_DEV_EXTN)[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$DeviceObject$7$21237.20$IoCreateDevice$281])]] == 0)));
+//TAG: ensures (LONG)__return >= 0 ==> __updates_resource("DEV_OBJ_INIT", *DeviceObject, 1) && __updates_resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(*DeviceObject))->DeviceExtension), 1)
+ensures(($result.IoCreateDevice$21225.0$1$ >= 0) ==> ((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)[Mem[T.P_DEVICE_OBJECT][$DeviceObject$7$21237.20$IoCreateDevice$281] := 1]) && (Res_DEV_EXTN == old(Res_DEV_EXTN)[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$DeviceObject$7$21237.20$IoCreateDevice$281])] := 1])));
+//TAG: ensures !((LONG)__return >= 0) ==> __resource("DEV_OBJ_INIT", *DeviceObject) == __old_resource("DEV_OBJ_INIT", *DeviceObject) && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(*DeviceObject))->DeviceExtension)) == __old_resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(*DeviceObject))->DeviceExtension))
+ensures((!($result.IoCreateDevice$21225.0$1$ >= 0)) ==> ((Res_DEV_OBJ_INIT[Mem[T.P_DEVICE_OBJECT][$DeviceObject$7$21237.20$IoCreateDevice$281]] == old(Res_DEV_OBJ_INIT)[Mem[T.P_DEVICE_OBJECT][$DeviceObject$7$21237.20$IoCreateDevice$281]]) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$DeviceObject$7$21237.20$IoCreateDevice$281])]] == old(Res_DEV_EXTN)[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$DeviceObject$7$21237.20$IoCreateDevice$281])]])));
+//TAG: ensures !((LONG)__return >= 0) ==> __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+free ensures((!($result.IoCreateDevice$21225.0$1$ >= 0)) ==> ((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN))));
+//TAG: ensures (LONG)__return >= 0 ==> !(__resource("DEV_OBJ_INIT", ((struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(*DeviceObject))->DeviceExtension))->Self) == 1)
+ensures(($result.IoCreateDevice$21225.0$1$ >= 0) ==> (!(Res_DEV_OBJ_INIT[Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$DeviceObject$7$21237.20$IoCreateDevice$281])])]] == 1)));
+//TAG: ensures !((LONG)__return >= 0) ==> *DeviceObject == __old(*DeviceObject)
+ensures((!($result.IoCreateDevice$21225.0$1$ >= 0)) ==> (Mem[T.P_DEVICE_OBJECT][$DeviceObject$7$21237.20$IoCreateDevice$281] == old(Mem)[T.P_DEVICE_OBJECT][$DeviceObject$7$21237.20$IoCreateDevice$281]));
+//TAG: ensures __preserves_field_map(__offset((*((struct _LIST_ENTRY *)0)).Flink))
+ensures(Mem[T.Flink__LIST_ENTRY] == old(Mem)[T.Flink__LIST_ENTRY]);
+//TAG: ensures (LONG)__return >= 0 ==> __return == 0
+ensures(($result.IoCreateDevice$21225.0$1$ >= 0) ==> ($result.IoCreateDevice$21225.0$1$ == 0));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(*DeviceObject))->DeviceExtension)
+ensures (Subset(Empty(), Union(Union(Empty(), Empty()), Singleton(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$DeviceObject$7$21237.20$IoCreateDevice$281])]))) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$DeviceObject$7$21237.20$IoCreateDevice$281])] == r) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty, *DeviceObject
+ensures (Subset(Empty(), Union(Union(Empty(), Empty()), Singleton(Mem[T.P_DEVICE_OBJECT][$DeviceObject$7$21237.20$IoCreateDevice$281]))) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || (Mem[T.P_DEVICE_OBJECT][$DeviceObject$7$21237.20$IoCreateDevice$281] == r) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_f19b65c1] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty, DeviceObject
+ensures (Subset(Empty(), Union(Union(Empty(), Empty()), Singleton($DeviceObject$7$21237.20$IoCreateDevice$281))) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || (_m == $DeviceObject$7$21237.20$IoCreateDevice$281) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure IoDeleteDevice($DeviceObject$1$21328.67$IoDeleteDevice$41:int);
+
+//TAG: ensures __preserves_mem
+ensures(Mem == old(Mem));
+//TAG: requires 1 ==> __resource("DEV_OBJ_INIT", DeviceObject) == 1 && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)DeviceObject)->DeviceExtension)) == 1
+requires((true) ==> ((Res_DEV_OBJ_INIT[$DeviceObject$1$21328.67$IoDeleteDevice$41] == 1) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT($DeviceObject$1$21328.67$IoDeleteDevice$41)]] == 1)));
+//TAG: ensures 1 ==> __resource("DEV_OBJ_INIT", DeviceObject) == 0 && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)DeviceObject)->DeviceExtension)) == 0
+ensures((true) ==> ((Res_DEV_OBJ_INIT[$DeviceObject$1$21328.67$IoDeleteDevice$41] == 0) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT($DeviceObject$1$21328.67$IoDeleteDevice$41)]] == 0)));
+//TAG: ensures 1 ==> __updates_resource("DEV_OBJ_INIT", DeviceObject, 0) && __updates_resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)DeviceObject)->DeviceExtension), 0)
+ensures((true) ==> ((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)[$DeviceObject$1$21328.67$IoDeleteDevice$41 := 0]) && (Res_DEV_EXTN == old(Res_DEV_EXTN)[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT($DeviceObject$1$21328.67$IoDeleteDevice$41)] := 0])));
+//TAG: ensures !1 ==> __resource("DEV_OBJ_INIT", DeviceObject) == __old_resource("DEV_OBJ_INIT", DeviceObject) && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)DeviceObject)->DeviceExtension)) == __old_resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)DeviceObject)->DeviceExtension))
+ensures((!(true)) ==> ((Res_DEV_OBJ_INIT[$DeviceObject$1$21328.67$IoDeleteDevice$41] == old(Res_DEV_OBJ_INIT)[$DeviceObject$1$21328.67$IoDeleteDevice$41]) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT($DeviceObject$1$21328.67$IoDeleteDevice$41)]] == old(Res_DEV_EXTN)[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT($DeviceObject$1$21328.67$IoDeleteDevice$41)]])));
+//TAG: ensures !1 ==> __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+free ensures((!(true)) ==> ((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN))));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)DeviceObject)->DeviceExtension)
+ensures (Subset(Empty(), Union(Union(Empty(), Empty()), Singleton(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT($DeviceObject$1$21328.67$IoDeleteDevice$41)]))) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT($DeviceObject$1$21328.67$IoDeleteDevice$41)] == r) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty, DeviceObject
+ensures (Subset(Empty(), Union(Union(Empty(), Empty()), Singleton($DeviceObject$1$21328.67$IoDeleteDevice$41))) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || ($DeviceObject$1$21328.67$IoDeleteDevice$41 == r) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_f19b65c1] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure IoInitializeRemoveLockEx($Lock$1$22135.25$IoInitializeRemoveLockEx$201:int, $AllocateTag$2$22136.16$IoInitializeRemoveLockEx$201:int, $MaxLockedMinutes$3$22137.16$IoInitializeRemoveLockEx$201:int, $HighWatermark$4$22138.16$IoInitializeRemoveLockEx$201:int, $RemlockSize$5$22139.16$IoInitializeRemoveLockEx$201:int);
+
+//TAG: ensures __preserves_mem
+ensures(Mem == old(Mem));
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+ensures((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN)));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_f19b65c1] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure KbdInitializeDataQueue($Context$1$557.13$KbdInitializeDataQueue$41:int);
+
+//TAG: requires __resource("DEV_EXTN", Context) == 1
+requires(Res_DEV_EXTN[$Context$1$557.13$KbdInitializeDataQueue$41] == 1);
+//TAG: requires __pforall(_H_x, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension), __inv_resource("DEV_OBJ_INIT", 1), ((struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension))->Self == _H_x && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension)) == 1)
+requires((forall _H_x:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]} Inverse(Res_DEV_OBJ_INIT,1)[_H_x] ==> ((Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)])] == _H_x) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]] == 1))));
+//TAG: requires __pforall(_H_z, _H_z->Self, __inv_resource("DEV_EXTN", 1), __resource("DEV_OBJ_INIT", _H_z->Self) == 1 && (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(_H_z->Self))->DeviceExtension) == _H_z)
+requires((forall _H_z:int :: {Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]} Inverse(Res_DEV_EXTN,1)[_H_z] ==> ((Res_DEV_OBJ_INIT[Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]] == 1) && (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)])] == _H_z))));
+//TAG: requires __forall(_H_z, __inv_resource("DEV_EXTN", 1), 1)
+requires((Subset(Empty(), Inverse(Res_DEV_EXTN,1)) && (forall _H_z : int :: {Inverse(Res_DEV_EXTN,1)[_H_z]} (Inverse(Res_DEV_EXTN,1)[_H_z]) ==> (true))));
+//TAG: requires 1 ==> (Globals.GrandMaster != (void *)0 ==> __resource("DEV_EXTN", Globals.GrandMaster) == 1)
+requires((true) ==> ((Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] != 0) ==> (Res_DEV_EXTN[Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)]] == 1)));
+//TAG: requires 1 ==> __setin(&Globals.LegacyDeviceList, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList))
+requires((true) ==> (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[LegacyDeviceList__GLOBALS(Globals)]));
+//TAG: requires 1 ==> __forall(_H_y, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), _H_y == &Globals.LegacyDeviceList || __resource("DEV_EXTN", CONTAINING_RECORD(_H_y, struct _DEVICE_EXTENSION , Link)) == 1)
+requires((true) ==> ((Subset(Empty(), ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))) && (forall _H_y : int :: {ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]} (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]) ==> ((_H_y == LegacyDeviceList__GLOBALS(Globals)) || (Res_DEV_EXTN[MINUS_LEFT_PTR(_H_y, 1, Link__DEVICE_EXTENSION(0))] == 1))))));
+//TAG: requires 1 ==> !__setin(&Globals.GrandMaster->Link, __setminus(__btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), __set(&Globals.LegacyDeviceList)))
+requires((true) ==> (!(Difference(ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals)), Singleton(LegacyDeviceList__GLOBALS(Globals)))[Link__DEVICE_EXTENSION(Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)])])));
+//TAG: ensures __resource("DEV_EXTN", Context) == 1
+ensures(Res_DEV_EXTN[$Context$1$557.13$KbdInitializeDataQueue$41] == 1);
+//TAG: ensures __pforall(_H_x, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension), __inv_resource("DEV_OBJ_INIT", 1), ((struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension))->Self == _H_x && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension)) == 1)
+ensures((forall _H_x:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]} Inverse(Res_DEV_OBJ_INIT,1)[_H_x] ==> ((Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)])] == _H_x) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]] == 1))));
+//TAG: ensures __pforall(_H_z, _H_z->Self, __inv_resource("DEV_EXTN", 1), __resource("DEV_OBJ_INIT", _H_z->Self) == 1 && (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(_H_z->Self))->DeviceExtension) == _H_z)
+ensures((forall _H_z:int :: {Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]} Inverse(Res_DEV_EXTN,1)[_H_z] ==> ((Res_DEV_OBJ_INIT[Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]] == 1) && (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)])] == _H_z))));
+//TAG: ensures __forall(_H_z, __inv_resource("DEV_EXTN", 1), 1)
+ensures((Subset(Empty(), Inverse(Res_DEV_EXTN,1)) && (forall _H_z : int :: {Inverse(Res_DEV_EXTN,1)[_H_z]} (Inverse(Res_DEV_EXTN,1)[_H_z]) ==> (true))));
+//TAG: ensures 1 ==> (Globals.GrandMaster != (void *)0 ==> __resource("DEV_EXTN", Globals.GrandMaster) == 1)
+ensures((true) ==> ((Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] != 0) ==> (Res_DEV_EXTN[Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)]] == 1)));
+//TAG: ensures 1 ==> __setin(&Globals.LegacyDeviceList, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList))
+ensures((true) ==> (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[LegacyDeviceList__GLOBALS(Globals)]));
+//TAG: ensures 1 ==> __forall(_H_y, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), _H_y == &Globals.LegacyDeviceList || __resource("DEV_EXTN", CONTAINING_RECORD(_H_y, struct _DEVICE_EXTENSION , Link)) == 1)
+ensures((true) ==> ((Subset(Empty(), ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))) && (forall _H_y : int :: {ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]} (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]) ==> ((_H_y == LegacyDeviceList__GLOBALS(Globals)) || (Res_DEV_EXTN[MINUS_LEFT_PTR(_H_y, 1, Link__DEVICE_EXTENSION(0))] == 1))))));
+//TAG: ensures 1 ==> !__setin(&Globals.GrandMaster->Link, __setminus(__btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), __set(&Globals.LegacyDeviceList)))
+ensures((true) ==> (!(Difference(ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals)), Singleton(LegacyDeviceList__GLOBALS(Globals)))[Link__DEVICE_EXTENSION(Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)])])));
+//TAG: ensures __preserves_field_map(__offset((*((struct _LIST_ENTRY *)0)).Flink))
+ensures(Mem[T.Flink__LIST_ENTRY] == old(Mem)[T.Flink__LIST_ENTRY]);
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT")
+ensures(Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT));
+//TAG: ensures __preserves_resource("DEV_EXTN")
+ensures(Res_DEV_EXTN == old(Res_DEV_EXTN));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_f19b65c1] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure KeInitializeSpinLock($SpinLock$1$13860.22$KeInitializeSpinLock$41:int);
+
+//TAG: ensures __preserves_mem
+ensures(Mem == old(Mem));
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+ensures((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN)));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_f19b65c1] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure KeyboardClassLogError($Object$1$580.10$KeyboardClassLogError$281:int, $ErrorCode$2$581.10$KeyboardClassLogError$281:int, $UniqueErrorValue$3$582.10$KeyboardClassLogError$281:int, $FinalStatus$4$583.13$KeyboardClassLogError$281:int, $DumpCount$5$584.10$KeyboardClassLogError$281:int, $DumpData$6$585.11$KeyboardClassLogError$281:int, $MajorFunction$7$586.10$KeyboardClassLogError$281:int);
+
+//TAG: requires __pforall(_H_x, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension), __inv_resource("DEV_OBJ_INIT", 1), ((struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension))->Self == _H_x && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension)) == 1)
+requires((forall _H_x:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]} Inverse(Res_DEV_OBJ_INIT,1)[_H_x] ==> ((Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)])] == _H_x) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]] == 1))));
+//TAG: requires __pforall(_H_z, _H_z->Self, __inv_resource("DEV_EXTN", 1), __resource("DEV_OBJ_INIT", _H_z->Self) == 1 && (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(_H_z->Self))->DeviceExtension) == _H_z)
+requires((forall _H_z:int :: {Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]} Inverse(Res_DEV_EXTN,1)[_H_z] ==> ((Res_DEV_OBJ_INIT[Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]] == 1) && (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)])] == _H_z))));
+//TAG: requires __forall(_H_z, __inv_resource("DEV_EXTN", 1), 1)
+requires((Subset(Empty(), Inverse(Res_DEV_EXTN,1)) && (forall _H_z : int :: {Inverse(Res_DEV_EXTN,1)[_H_z]} (Inverse(Res_DEV_EXTN,1)[_H_z]) ==> (true))));
+//TAG: requires 1 ==> (Globals.GrandMaster != (void *)0 ==> __resource("DEV_EXTN", Globals.GrandMaster) == 1)
+requires((true) ==> ((Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] != 0) ==> (Res_DEV_EXTN[Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)]] == 1)));
+//TAG: requires 1 ==> __setin(&Globals.LegacyDeviceList, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList))
+requires((true) ==> (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[LegacyDeviceList__GLOBALS(Globals)]));
+//TAG: requires 1 ==> __forall(_H_y, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), _H_y == &Globals.LegacyDeviceList || __resource("DEV_EXTN", CONTAINING_RECORD(_H_y, struct _DEVICE_EXTENSION , Link)) == 1)
+requires((true) ==> ((Subset(Empty(), ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))) && (forall _H_y : int :: {ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]} (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]) ==> ((_H_y == LegacyDeviceList__GLOBALS(Globals)) || (Res_DEV_EXTN[MINUS_LEFT_PTR(_H_y, 1, Link__DEVICE_EXTENSION(0))] == 1))))));
+//TAG: requires 1 ==> !__setin(&Globals.GrandMaster->Link, __setminus(__btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), __set(&Globals.LegacyDeviceList)))
+requires((true) ==> (!(Difference(ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals)), Singleton(LegacyDeviceList__GLOBALS(Globals)))[Link__DEVICE_EXTENSION(Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)])])));
+//TAG: ensures __pforall(_H_x, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension), __inv_resource("DEV_OBJ_INIT", 1), ((struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension))->Self == _H_x && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension)) == 1)
+ensures((forall _H_x:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]} Inverse(Res_DEV_OBJ_INIT,1)[_H_x] ==> ((Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)])] == _H_x) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]] == 1))));
+//TAG: ensures __pforall(_H_z, _H_z->Self, __inv_resource("DEV_EXTN", 1), __resource("DEV_OBJ_INIT", _H_z->Self) == 1 && (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(_H_z->Self))->DeviceExtension) == _H_z)
+ensures((forall _H_z:int :: {Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]} Inverse(Res_DEV_EXTN,1)[_H_z] ==> ((Res_DEV_OBJ_INIT[Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]] == 1) && (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)])] == _H_z))));
+//TAG: ensures __forall(_H_z, __inv_resource("DEV_EXTN", 1), 1)
+ensures((Subset(Empty(), Inverse(Res_DEV_EXTN,1)) && (forall _H_z : int :: {Inverse(Res_DEV_EXTN,1)[_H_z]} (Inverse(Res_DEV_EXTN,1)[_H_z]) ==> (true))));
+//TAG: ensures 1 ==> (Globals.GrandMaster != (void *)0 ==> __resource("DEV_EXTN", Globals.GrandMaster) == 1)
+ensures((true) ==> ((Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] != 0) ==> (Res_DEV_EXTN[Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)]] == 1)));
+//TAG: ensures 1 ==> __setin(&Globals.LegacyDeviceList, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList))
+ensures((true) ==> (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[LegacyDeviceList__GLOBALS(Globals)]));
+//TAG: ensures 1 ==> __forall(_H_y, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), _H_y == &Globals.LegacyDeviceList || __resource("DEV_EXTN", CONTAINING_RECORD(_H_y, struct _DEVICE_EXTENSION , Link)) == 1)
+ensures((true) ==> ((Subset(Empty(), ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))) && (forall _H_y : int :: {ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]} (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]) ==> ((_H_y == LegacyDeviceList__GLOBALS(Globals)) || (Res_DEV_EXTN[MINUS_LEFT_PTR(_H_y, 1, Link__DEVICE_EXTENSION(0))] == 1))))));
+//TAG: ensures 1 ==> !__setin(&Globals.GrandMaster->Link, __setminus(__btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), __set(&Globals.LegacyDeviceList)))
+ensures((true) ==> (!(Difference(ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals)), Singleton(LegacyDeviceList__GLOBALS(Globals)))[Link__DEVICE_EXTENSION(Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)])])));
+//TAG: ensures __preserves_field_map(__offset((*((struct _LIST_ENTRY *)0)).Flink))
+ensures(Mem[T.Flink__LIST_ENTRY] == old(Mem)[T.Flink__LIST_ENTRY]);
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT")
+ensures(Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT));
+//TAG: ensures __preserves_resource("DEV_EXTN")
+ensures(Res_DEV_EXTN == old(Res_DEV_EXTN));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_f19b65c1] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure RtlAppendUnicodeToString($Destination$1$7421.28$RtlAppendUnicodeToString$81:int, $Source$2$7422.20$RtlAppendUnicodeToString$81:int) returns ($result.RtlAppendUnicodeToString$7420.0$1$:int);
+
+//TAG: ensures __preserves_mem
+ensures(Mem == old(Mem));
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+ensures((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN)));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_f19b65c1] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure RtlFreeUnicodeString($UnicodeString$1$7452.28$RtlFreeUnicodeString$41:int);
+
+//TAG: ensures __preserves_mem
+ensures(Mem == old(Mem));
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+ensures((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN)));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_f19b65c1] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure __PREfastPagedCode();
+
+//TAG: ensures __preserves_mem
+ensures(Mem == old(Mem));
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+ensures((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN)));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_f19b65c1] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure KbdCreateClassObject($DriverObject$1$3354.28$KbdCreateClassObject$201:int, $TmpDeviceExtension$2$3355.28$KbdCreateClassObject$201:int, $ClassDeviceObject$3$3356.28$KbdCreateClassObject$201:int, $FullDeviceName$4$3357.35$KbdCreateClassObject$201:int, $Legacy$5$3358.28$KbdCreateClassObject$201:int) returns ($result.KbdCreateClassObject$3353.0$1$:int)
+
+//TAG: requires __pforall(_H_x, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension), __inv_resource("DEV_OBJ_INIT", 1), ((struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension))->Self == _H_x && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension)) == 1)
+requires((forall _H_x:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]} Inverse(Res_DEV_OBJ_INIT,1)[_H_x] ==> ((Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)])] == _H_x) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]] == 1))));
+//TAG: requires __pforall(_H_z, _H_z->Self, __inv_resource("DEV_EXTN", 1), __resource("DEV_OBJ_INIT", _H_z->Self) == 1 && (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(_H_z->Self))->DeviceExtension) == _H_z)
+requires((forall _H_z:int :: {Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]} Inverse(Res_DEV_EXTN,1)[_H_z] ==> ((Res_DEV_OBJ_INIT[Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]] == 1) && (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)])] == _H_z))));
+//TAG: requires __forall(_H_z, __inv_resource("DEV_EXTN", 1), 1)
+requires((Subset(Empty(), Inverse(Res_DEV_EXTN,1)) && (forall _H_z : int :: {Inverse(Res_DEV_EXTN,1)[_H_z]} (Inverse(Res_DEV_EXTN,1)[_H_z]) ==> (true))));
+//TAG: requires 1 ==> (Globals.GrandMaster != (void *)0 ==> __resource("DEV_EXTN", Globals.GrandMaster) == 1)
+requires((true) ==> ((Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] != 0) ==> (Res_DEV_EXTN[Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)]] == 1)));
+//TAG: requires 1 ==> __setin(&Globals.LegacyDeviceList, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList))
+requires((true) ==> (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[LegacyDeviceList__GLOBALS(Globals)]));
+//TAG: requires 1 ==> __forall(_H_y, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), _H_y == &Globals.LegacyDeviceList || __resource("DEV_EXTN", CONTAINING_RECORD(_H_y, struct _DEVICE_EXTENSION , Link)) == 1)
+requires((true) ==> ((Subset(Empty(), ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))) && (forall _H_y : int :: {ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]} (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]) ==> ((_H_y == LegacyDeviceList__GLOBALS(Globals)) || (Res_DEV_EXTN[MINUS_LEFT_PTR(_H_y, 1, Link__DEVICE_EXTENSION(0))] == 1))))));
+//TAG: requires 1 ==> !__setin(&Globals.GrandMaster->Link, __setminus(__btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), __set(&Globals.LegacyDeviceList)))
+requires((true) ==> (!(Difference(ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals)), Singleton(LegacyDeviceList__GLOBALS(Globals)))[Link__DEVICE_EXTENSION(Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)])])));
+//TAG: ensures __pforall(_H_x, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension), __inv_resource("DEV_OBJ_INIT", 1), ((struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension))->Self == _H_x && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension)) == 1)
+ensures((forall _H_x:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]} Inverse(Res_DEV_OBJ_INIT,1)[_H_x] ==> ((Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)])] == _H_x) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]] == 1))));
+//TAG: ensures __pforall(_H_z, _H_z->Self, __inv_resource("DEV_EXTN", 1), __resource("DEV_OBJ_INIT", _H_z->Self) == 1 && (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(_H_z->Self))->DeviceExtension) == _H_z)
+ensures((forall _H_z:int :: {Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]} Inverse(Res_DEV_EXTN,1)[_H_z] ==> ((Res_DEV_OBJ_INIT[Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]] == 1) && (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)])] == _H_z))));
+//TAG: ensures __forall(_H_z, __inv_resource("DEV_EXTN", 1), 1)
+ensures((Subset(Empty(), Inverse(Res_DEV_EXTN,1)) && (forall _H_z : int :: {Inverse(Res_DEV_EXTN,1)[_H_z]} (Inverse(Res_DEV_EXTN,1)[_H_z]) ==> (true))));
+//TAG: ensures 1 ==> (Globals.GrandMaster != (void *)0 ==> __resource("DEV_EXTN", Globals.GrandMaster) == 1)
+ensures((true) ==> ((Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] != 0) ==> (Res_DEV_EXTN[Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)]] == 1)));
+//TAG: ensures 1 ==> __setin(&Globals.LegacyDeviceList, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList))
+ensures((true) ==> (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[LegacyDeviceList__GLOBALS(Globals)]));
+//TAG: ensures 1 ==> __forall(_H_y, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), _H_y == &Globals.LegacyDeviceList || __resource("DEV_EXTN", CONTAINING_RECORD(_H_y, struct _DEVICE_EXTENSION , Link)) == 1)
+ensures((true) ==> ((Subset(Empty(), ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))) && (forall _H_y : int :: {ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]} (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]) ==> ((_H_y == LegacyDeviceList__GLOBALS(Globals)) || (Res_DEV_EXTN[MINUS_LEFT_PTR(_H_y, 1, Link__DEVICE_EXTENSION(0))] == 1))))));
+//TAG: ensures 1 ==> !__setin(&Globals.GrandMaster->Link, __setminus(__btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), __set(&Globals.LegacyDeviceList)))
+ensures((true) ==> (!(Difference(ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals)), Singleton(LegacyDeviceList__GLOBALS(Globals)))[Link__DEVICE_EXTENSION(Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)])])));
+//TAG: ensures __preserves_field_map(__offset((*((struct _LIST_ENTRY *)0)).Flink))
+ensures(Mem[T.Flink__LIST_ENTRY] == old(Mem)[T.Flink__LIST_ENTRY]);
+//TAG: ensures (LONG)__return >= 0 ==> *ClassDeviceObject != (void *)0
+ensures(($result.KbdCreateClassObject$3353.0$1$ >= 0) ==> (Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3356.28$KbdCreateClassObject$201] != 0));
+//TAG: ensures (LONG)__return >= 0 ==> (*ClassDeviceObject)->DeviceExtension != (void *)0
+ensures(($result.KbdCreateClassObject$3353.0$1$ >= 0) ==> (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3356.28$KbdCreateClassObject$201])] != 0));
+//TAG: ensures (LONG)__return >= 0 ==> __resource("DEV_EXTN", (*ClassDeviceObject)->DeviceExtension) == 1
+ensures(($result.KbdCreateClassObject$3353.0$1$ >= 0) ==> (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3356.28$KbdCreateClassObject$201])]] == 1));
+//TAG: ensures (LONG)__return >= 0 ==> __resource("DEV_OBJ_INIT", *ClassDeviceObject) == 1 && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(*ClassDeviceObject))->DeviceExtension)) == 1
+ensures(($result.KbdCreateClassObject$3353.0$1$ >= 0) ==> ((Res_DEV_OBJ_INIT[Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3356.28$KbdCreateClassObject$201]] == 1) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3356.28$KbdCreateClassObject$201])]] == 1)));
+//TAG: ensures (LONG)__return >= 0 ==> __old_resource("DEV_OBJ_INIT", *ClassDeviceObject) == 0 && __old_resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(*ClassDeviceObject))->DeviceExtension)) == 0
+ensures(($result.KbdCreateClassObject$3353.0$1$ >= 0) ==> ((old(Res_DEV_OBJ_INIT)[Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3356.28$KbdCreateClassObject$201]] == 0) && (old(Res_DEV_EXTN)[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3356.28$KbdCreateClassObject$201])]] == 0)));
+//TAG: ensures (LONG)__return >= 0 ==> __updates_resource("DEV_OBJ_INIT", *ClassDeviceObject, 1) && __updates_resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(*ClassDeviceObject))->DeviceExtension), 1)
+ensures(($result.KbdCreateClassObject$3353.0$1$ >= 0) ==> ((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)[Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3356.28$KbdCreateClassObject$201] := 1]) && (Res_DEV_EXTN == old(Res_DEV_EXTN)[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3356.28$KbdCreateClassObject$201])] := 1])));
+//TAG: ensures !((LONG)__return >= 0) ==> __resource("DEV_OBJ_INIT", *ClassDeviceObject) == __old_resource("DEV_OBJ_INIT", *ClassDeviceObject) && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(*ClassDeviceObject))->DeviceExtension)) == __old_resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(*ClassDeviceObject))->DeviceExtension))
+ensures((!($result.KbdCreateClassObject$3353.0$1$ >= 0)) ==> ((Res_DEV_OBJ_INIT[Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3356.28$KbdCreateClassObject$201]] == old(Res_DEV_OBJ_INIT)[Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3356.28$KbdCreateClassObject$201]]) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3356.28$KbdCreateClassObject$201])]] == old(Res_DEV_EXTN)[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3356.28$KbdCreateClassObject$201])]])));
+//TAG: ensures !((LONG)__return >= 0) ==> __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+free ensures((!($result.KbdCreateClassObject$3353.0$1$ >= 0)) ==> ((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN))));
+modifies alloc;
+free ensures(forall f:int :: {alloc[Base(f)]} old(alloc)[Base(f)] == UNALLOCATED || old(alloc)[Base(f)] == alloc[Base(f)]);
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(*ClassDeviceObject))->DeviceExtension)
+ensures (Subset(Empty(), Union(Union(Empty(), Empty()), Singleton(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3356.28$KbdCreateClassObject$201])]))) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3356.28$KbdCreateClassObject$201])] == r) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty, *ClassDeviceObject
+ensures (Subset(Empty(), Union(Union(Empty(), Empty()), Singleton(Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3356.28$KbdCreateClassObject$201]))) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || (Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3356.28$KbdCreateClassObject$201] == r) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_f19b65c1] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_true
+ensures (Subset(Empty(), Union(Empty(), SetTrue())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (SetTrue()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty, ClassDeviceObject
+ensures (Subset(Empty(), Union(Union(Empty(), Empty()), Singleton($ClassDeviceObject$3$3356.28$KbdCreateClassObject$201))) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || (_m == $ClassDeviceObject$3$3356.28$KbdCreateClassObject$201) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+{
+var havoc_stringTemp:int;
+var condVal:int;
+var $ClassDeviceObject$3$3356.28$KbdCreateClassObject$20 : int;
+var $DriverObject$1$3354.28$KbdCreateClassObject$20 : int;
+var $ExAllocatePoolWithTag.arg.2$4$ : int;
+var $FullDeviceName$4$3357.35$KbdCreateClassObject$20 : int;
+var $KbdDebugPrint.arg.2$15$ : int;
+var $KbdDebugPrint.arg.2$18$ : int;
+var $KbdDebugPrint.arg.2$2$ : int;
+var $KbdDebugPrint.arg.2$20$ : int;
+var $KbdDebugPrint.arg.2$22$ : int;
+var $KbdDebugPrint.arg.2$5$ : int;
+var $Legacy$5$3358.28$KbdCreateClassObject$20 : int;
+var $RtlAppendUnicodeToString.arg.2$12$ : int;
+var $RtlAppendUnicodeToString.arg.2$14$ : int;
+var $RtlAppendUnicodeToString.arg.2$9$ : int;
+var $TmpDeviceExtension$2$3355.28$KbdCreateClassObject$20 : int;
+var $deviceExtension$8$3388.24$KbdCreateClassObject$20 : int;
+var $dumpCount$11$3391.24$KbdCreateClassObject$20 : int;
+var $dumpData$12$3392.24$KbdCreateClassObject$20 : int;
+var $errorCode$9$3389.24$KbdCreateClassObject$20 : int;
+var $fullClassName$10$3390.24$KbdCreateClassObject$20 : int;
+var $i$13$3393.24$KbdCreateClassObject$20 : int;
+var $memset.arg.3$7$ : int;
+var $nameIndex$14$3394.24$KbdCreateClassObject$20 : int;
+var $result.ExAllocatePoolWithTag$3441.0$3$ : int;
+var $result.ExAllocatePoolWithTag$3557.0$19$ : int;
+var $result.IoCreateDevice$3485.35$16$ : int;
+var $result.IoCreateDevice$3499.31$17$ : int;
+var $result.RtlAppendUnicodeToString$3460.32$8$ : int;
+var $result.RtlAppendUnicodeToString$3461.32$10$ : int;
+var $result.RtlAppendUnicodeToString$3464.36$11$ : int;
+var $result.RtlAppendUnicodeToString$3467.32$13$ : int;
+var $result.memset$3459.8$6$ : int;
+var $result.question.21$ : int;
+var $status$6$3386.24$KbdCreateClassObject$20 : int;
+var $uniqueErrorValue$7$3387.24$KbdCreateClassObject$20 : int;
+var tempBoogie0:int;
+var tempBoogie1:int;
+var tempBoogie2:int;
+var tempBoogie3:int;
+var tempBoogie4:int;
+var tempBoogie5:int;
+var tempBoogie6:int;
+var tempBoogie7:int;
+var tempBoogie8:int;
+var tempBoogie9:int;
+var tempBoogie10:int;
+var tempBoogie11:int;
+var tempBoogie12:int;
+var tempBoogie13:int;
+var tempBoogie14:int;
+var tempBoogie15:int;
+var tempBoogie16:int;
+var tempBoogie17:int;
+var tempBoogie18:int;
+var tempBoogie19:int;
+var LOOP_78_alloc:[int]name;
+var LOOP_78_Mem:[name][int]int;
+var LOOP_78_Res_DEVICE_STACK:[int]int;
+var LOOP_78_Res_DEV_EXTN:[int]int;
+var LOOP_78_Res_DEV_OBJ_INIT:[int]int;
+var LOOP_78_Res_SPIN_LOCK:[int]int;
+
+
+start:
+
+assume (alloc[$DriverObject$1$3354.28$KbdCreateClassObject$201] != UNALLOCATED);
+assume (alloc[$TmpDeviceExtension$2$3355.28$KbdCreateClassObject$201] != UNALLOCATED);
+assume (alloc[$ClassDeviceObject$3$3356.28$KbdCreateClassObject$201] != UNALLOCATED);
+assume (alloc[$FullDeviceName$4$3357.35$KbdCreateClassObject$201] != UNALLOCATED);
+call $dumpData$12$3392.24$KbdCreateClassObject$20 := __HAVOC_malloc(16);
+call $fullClassName$10$3390.24$KbdCreateClassObject$20 := __HAVOC_malloc(8);
+$DriverObject$1$3354.28$KbdCreateClassObject$20 := $DriverObject$1$3354.28$KbdCreateClassObject$201;
+$TmpDeviceExtension$2$3355.28$KbdCreateClassObject$20 := $TmpDeviceExtension$2$3355.28$KbdCreateClassObject$201;
+$ClassDeviceObject$3$3356.28$KbdCreateClassObject$20 := $ClassDeviceObject$3$3356.28$KbdCreateClassObject$201;
+$FullDeviceName$4$3357.35$KbdCreateClassObject$20 := $FullDeviceName$4$3357.35$KbdCreateClassObject$201;
+$Legacy$5$3358.28$KbdCreateClassObject$20 := $Legacy$5$3358.28$KbdCreateClassObject$201;
+goto label_3;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3627)
+label_1:
+call __HAVOC_free($dumpData$12$3392.24$KbdCreateClassObject$20);
+call __HAVOC_free($fullClassName$10$3390.24$KbdCreateClassObject$20);
+assume (forall m:int:: {Res_DEVICE_STACK[m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Res_DEVICE_STACK[m] == old(Res_DEVICE_STACK)[m]);
+assume (forall m:int:: {Res_DEV_EXTN[m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Res_DEV_EXTN[m] == old(Res_DEV_EXTN)[m]);
+assume (forall m:int:: {Res_DEV_OBJ_INIT[m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Res_DEV_OBJ_INIT[m] == old(Res_DEV_OBJ_INIT)[m]);
+assume (forall m:int:: {Res_SPIN_LOCK[m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Res_SPIN_LOCK[m] == old(Res_SPIN_LOCK)[m]);
+assume (forall m:int :: {Mem[T.A2UINT2][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.A2UINT2][m] == old(Mem[T.A2UINT2])[m]);
+assume (forall m:int :: {Mem[T.A37CHAR][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.A37CHAR][m] == old(Mem[T.A37CHAR])[m]);
+assume (forall m:int :: {Mem[T.A40CHAR][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.A40CHAR][m] == old(Mem[T.A40CHAR])[m]);
+assume (forall m:int :: {Mem[T.A4UINT4][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.A4UINT4][m] == old(Mem[T.A4UINT4])[m]);
+assume (forall m:int :: {Mem[T.A65CHAR][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.A65CHAR][m] == old(Mem[T.A65CHAR])[m]);
+assume (forall m:int :: {Mem[T.A75CHAR][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.A75CHAR][m] == old(Mem[T.A75CHAR])[m]);
+assume (forall m:int :: {Mem[T.A76CHAR][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.A76CHAR][m] == old(Mem[T.A76CHAR])[m]);
+assume (forall m:int :: {Mem[T.A7UINT2][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.A7UINT2][m] == old(Mem[T.A7UINT2])[m]);
+assume (forall m:int :: {Mem[T.A83CHAR][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.A83CHAR][m] == old(Mem[T.A83CHAR])[m]);
+assume (forall m:int :: {Mem[T.A9UINT2][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.A9UINT2][m] == old(Mem[T.A9UINT2])[m]);
+assume (forall m:int :: {Mem[T.Abandoned___unnamed_1_29794256][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Abandoned___unnamed_1_29794256][m] == old(Mem[T.Abandoned___unnamed_1_29794256])[m]);
+assume (forall m:int :: {Mem[T.Absolute___unnamed_1_29794256][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Absolute___unnamed_1_29794256][m] == old(Mem[T.Absolute___unnamed_1_29794256])[m]);
+assume (forall m:int :: {Mem[T.AllocateTag__IO_REMOVE_LOCK_DBG_BLOCK][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.AllocateTag__IO_REMOVE_LOCK_DBG_BLOCK][m] == old(Mem[T.AllocateTag__IO_REMOVE_LOCK_DBG_BLOCK])[m]);
+assume (forall m:int :: {Mem[T.AllowDisable__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.AllowDisable__DEVICE_EXTENSION][m] == old(Mem[T.AllowDisable__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.BaseClassName__GLOBALS][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.BaseClassName__GLOBALS][m] == old(Mem[T.BaseClassName__GLOBALS])[m]);
+assume (forall m:int :: {Mem[T.Blink__LIST_ENTRY][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Blink__LIST_ENTRY][m] == old(Mem[T.Blink__LIST_ENTRY])[m]);
+assume (forall m:int :: {Mem[T.Blocks__IO_REMOVE_LOCK_DBG_BLOCK][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Blocks__IO_REMOVE_LOCK_DBG_BLOCK][m] == old(Mem[T.Blocks__IO_REMOVE_LOCK_DBG_BLOCK])[m]);
+assume (forall m:int :: {Mem[T.Buffer__UNICODE_STRING][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Buffer__UNICODE_STRING][m] == old(Mem[T.Buffer__UNICODE_STRING])[m]);
+assume (forall m:int :: {Mem[T.ConnectOneClassToOnePort__GLOBALS][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.ConnectOneClassToOnePort__GLOBALS][m] == old(Mem[T.ConnectOneClassToOnePort__GLOBALS])[m]);
+assume (forall m:int :: {Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][m] == old(Mem[T.CurrentStackLocation___unnamed_4_f19b65c1])[m]);
+assume (forall m:int :: {Mem[T.DataIn__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.DataIn__DEVICE_EXTENSION][m] == old(Mem[T.DataIn__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.DataOut__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.DataOut__DEVICE_EXTENSION][m] == old(Mem[T.DataOut__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.DebugActive___unnamed_1_2dc63b48][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.DebugActive___unnamed_1_2dc63b48][m] == old(Mem[T.DebugActive___unnamed_1_2dc63b48])[m]);
+assume (forall m:int :: {Mem[T.Delay__KEYBOARD_TYPEMATIC_PARAMETERS][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Delay__KEYBOARD_TYPEMATIC_PARAMETERS][m] == old(Mem[T.Delay__KEYBOARD_TYPEMATIC_PARAMETERS])[m]);
+assume (forall m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.DeviceExtension__DEVICE_OBJECT][m] == old(Mem[T.DeviceExtension__DEVICE_OBJECT])[m]);
+assume (forall m:int :: {Mem[T.DeviceState__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.DeviceState__DEVICE_EXTENSION][m] == old(Mem[T.DeviceState__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.DpcActive___unnamed_1_2dc63b48][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.DpcActive___unnamed_1_2dc63b48][m] == old(Mem[T.DpcActive___unnamed_1_2dc63b48])[m]);
+assume (forall m:int :: {Mem[T.Enabled__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Enabled__DEVICE_EXTENSION][m] == old(Mem[T.Enabled__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.ExecuteWmiMethod__WMILIB_CONTEXT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.ExecuteWmiMethod__WMILIB_CONTEXT][m] == old(Mem[T.ExecuteWmiMethod__WMILIB_CONTEXT])[m]);
+assume (forall m:int :: {Mem[T.ExtraWaitWakeIrp__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.ExtraWaitWakeIrp__DEVICE_EXTENSION][m] == old(Mem[T.ExtraWaitWakeIrp__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.File__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.File__DEVICE_EXTENSION][m] == old(Mem[T.File__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.Flags__DEVICE_OBJECT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Flags__DEVICE_OBJECT][m] == old(Mem[T.Flags__DEVICE_OBJECT])[m]);
+assume (forall m:int :: {Mem[T.Flink__LIST_ENTRY][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Flink__LIST_ENTRY][m] == old(Mem[T.Flink__LIST_ENTRY])[m]);
+assume (forall m:int :: {Mem[T.GrandMaster__GLOBALS][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.GrandMaster__GLOBALS][m] == old(Mem[T.GrandMaster__GLOBALS])[m]);
+assume (forall m:int :: {Mem[T.GuidCount__WMILIB_CONTEXT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.GuidCount__WMILIB_CONTEXT][m] == old(Mem[T.GuidCount__WMILIB_CONTEXT])[m]);
+assume (forall m:int :: {Mem[T.GuidList__WMILIB_CONTEXT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.GuidList__WMILIB_CONTEXT][m] == old(Mem[T.GuidList__WMILIB_CONTEXT])[m]);
+assume (forall m:int :: {Mem[T.Hand___unnamed_1_2ef8da39][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Hand___unnamed_1_2ef8da39][m] == old(Mem[T.Hand___unnamed_1_2ef8da39])[m]);
+assume (forall m:int :: {Mem[T.HighWatermark__IO_REMOVE_LOCK_DBG_BLOCK][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.HighWatermark__IO_REMOVE_LOCK_DBG_BLOCK][m] == old(Mem[T.HighWatermark__IO_REMOVE_LOCK_DBG_BLOCK])[m]);
+assume (forall m:int :: {Mem[T.INT4][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.INT4][m] == old(Mem[T.INT4])[m]);
+assume (forall m:int :: {Mem[T.InputCount__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.InputCount__DEVICE_EXTENSION][m] == old(Mem[T.InputCount__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.InputDataQueueLength__KEYBOARD_ATTRIBUTES][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.InputDataQueueLength__KEYBOARD_ATTRIBUTES][m] == old(Mem[T.InputDataQueueLength__KEYBOARD_ATTRIBUTES])[m]);
+assume (forall m:int :: {Mem[T.InputData__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.InputData__DEVICE_EXTENSION][m] == old(Mem[T.InputData__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.Inserted___unnamed_1_2dc63b48][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Inserted___unnamed_1_2dc63b48][m] == old(Mem[T.Inserted___unnamed_1_2dc63b48])[m]);
+assume (forall m:int :: {Mem[T.IoCount__IO_REMOVE_LOCK_COMMON_BLOCK][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.IoCount__IO_REMOVE_LOCK_COMMON_BLOCK][m] == old(Mem[T.IoCount__IO_REMOVE_LOCK_COMMON_BLOCK])[m]);
+assume (forall m:int :: {Mem[T.KeyboardAttributes__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.KeyboardAttributes__DEVICE_EXTENSION][m] == old(Mem[T.KeyboardAttributes__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.KeyboardMode__KEYBOARD_ATTRIBUTES][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.KeyboardMode__KEYBOARD_ATTRIBUTES][m] == old(Mem[T.KeyboardMode__KEYBOARD_ATTRIBUTES])[m]);
+assume (forall m:int :: {Mem[T.LedFlags__KEYBOARD_INDICATOR_PARAMETERS][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.LedFlags__KEYBOARD_INDICATOR_PARAMETERS][m] == old(Mem[T.LedFlags__KEYBOARD_INDICATOR_PARAMETERS])[m]);
+assume (forall m:int :: {Mem[T.LegacyDeviceList__GLOBALS][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.LegacyDeviceList__GLOBALS][m] == old(Mem[T.LegacyDeviceList__GLOBALS])[m]);
+assume (forall m:int :: {Mem[T.Length__UNICODE_STRING][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Length__UNICODE_STRING][m] == old(Mem[T.Length__UNICODE_STRING])[m]);
+assume (forall m:int :: {Mem[T.Link__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Link__DEVICE_EXTENSION][m] == old(Mem[T.Link__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.Lock___unnamed_4_a97c65a1][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Lock___unnamed_4_a97c65a1][m] == old(Mem[T.Lock___unnamed_4_a97c65a1])[m]);
+assume (forall m:int :: {Mem[T.LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCK][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCK][m] == old(Mem[T.LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCK])[m]);
+assume (forall m:int :: {Mem[T.MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCK][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCK][m] == old(Mem[T.MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCK])[m]);
+assume (forall m:int :: {Mem[T.MaximumLength__UNICODE_STRING][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.MaximumLength__UNICODE_STRING][m] == old(Mem[T.MaximumLength__UNICODE_STRING])[m]);
+assume (forall m:int :: {Mem[T.MinDeviceWakeState__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.MinDeviceWakeState__DEVICE_EXTENSION][m] == old(Mem[T.MinDeviceWakeState__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.MinSystemWakeState__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.MinSystemWakeState__DEVICE_EXTENSION][m] == old(Mem[T.MinSystemWakeState__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.MinorFunction__IO_STACK_LOCATION][m] == old(Mem[T.MinorFunction__IO_STACK_LOCATION])[m]);
+assume (forall m:int :: {Mem[T.Mutex__GLOBALS][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Mutex__GLOBALS][m] == old(Mem[T.Mutex__GLOBALS])[m]);
+assume (forall m:int :: {Mem[T.NpxIrql___unnamed_1_29794256][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.NpxIrql___unnamed_1_29794256][m] == old(Mem[T.NpxIrql___unnamed_1_29794256])[m]);
+assume (forall m:int :: {Mem[T.NumberOfFunctionKeys__KEYBOARD_ATTRIBUTES][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.NumberOfFunctionKeys__KEYBOARD_ATTRIBUTES][m] == old(Mem[T.NumberOfFunctionKeys__KEYBOARD_ATTRIBUTES])[m]);
+assume (forall m:int :: {Mem[T.NumberOfIndicators__KEYBOARD_ATTRIBUTES][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.NumberOfIndicators__KEYBOARD_ATTRIBUTES][m] == old(Mem[T.NumberOfIndicators__KEYBOARD_ATTRIBUTES])[m]);
+assume (forall m:int :: {Mem[T.NumberOfKeysTotal__KEYBOARD_ATTRIBUTES][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.NumberOfKeysTotal__KEYBOARD_ATTRIBUTES][m] == old(Mem[T.NumberOfKeysTotal__KEYBOARD_ATTRIBUTES])[m]);
+assume (forall m:int :: {Mem[T.OkayToLogOverflow__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.OkayToLogOverflow__DEVICE_EXTENSION][m] == old(Mem[T.OkayToLogOverflow__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.PCHAR][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.PCHAR][m] == old(Mem[T.PCHAR])[m]);
+assume (forall m:int :: {Mem[T.PDO__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.PDO__DEVICE_EXTENSION][m] == old(Mem[T.PDO__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.PUINT2][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.PUINT2][m] == old(Mem[T.PUINT2])[m]);
+assume (forall m:int :: {Mem[T.PUINT4][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.PUINT4][m] == old(Mem[T.PUINT4])[m]);
+assume (forall m:int :: {Mem[T.PVOID][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.PVOID][m] == old(Mem[T.PVOID])[m]);
+assume (forall m:int :: {Mem[T.P_DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.P_DEVICE_EXTENSION][m] == old(Mem[T.P_DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.P_DEVICE_OBJECT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.P_DEVICE_OBJECT][m] == old(Mem[T.P_DEVICE_OBJECT])[m]);
+assume (forall m:int :: {Mem[T.P_DRIVER_OBJECT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.P_DRIVER_OBJECT][m] == old(Mem[T.P_DRIVER_OBJECT])[m]);
+assume (forall m:int :: {Mem[T.P_FAST_MUTEX][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.P_FAST_MUTEX][m] == old(Mem[T.P_FAST_MUTEX])[m]);
+assume (forall m:int :: {Mem[T.P_IO_REMOVE_LOCK][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.P_IO_REMOVE_LOCK][m] == old(Mem[T.P_IO_REMOVE_LOCK])[m]);
+assume (forall m:int :: {Mem[T.P_KEYBOARD_INPUT_DATA][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.P_KEYBOARD_INPUT_DATA][m] == old(Mem[T.P_KEYBOARD_INPUT_DATA])[m]);
+assume (forall m:int :: {Mem[T.P_LIST_ENTRY][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.P_LIST_ENTRY][m] == old(Mem[T.P_LIST_ENTRY])[m]);
+assume (forall m:int :: {Mem[T.P_UNICODE_STRING][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.P_UNICODE_STRING][m] == old(Mem[T.P_UNICODE_STRING])[m]);
+assume (forall m:int :: {Mem[T.PnP__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.PnP__DEVICE_EXTENSION][m] == old(Mem[T.PnP__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.QueryWmiDataBlock__WMILIB_CONTEXT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.QueryWmiDataBlock__WMILIB_CONTEXT][m] == old(Mem[T.QueryWmiDataBlock__WMILIB_CONTEXT])[m]);
+assume (forall m:int :: {Mem[T.QueryWmiRegInfo__WMILIB_CONTEXT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.QueryWmiRegInfo__WMILIB_CONTEXT][m] == old(Mem[T.QueryWmiRegInfo__WMILIB_CONTEXT])[m]);
+assume (forall m:int :: {Mem[T.Rate__KEYBOARD_TYPEMATIC_PARAMETERS][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Rate__KEYBOARD_TYPEMATIC_PARAMETERS][m] == old(Mem[T.Rate__KEYBOARD_TYPEMATIC_PARAMETERS])[m]);
+assume (forall m:int :: {Mem[T.ReadQueue__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.ReadQueue__DEVICE_EXTENSION][m] == old(Mem[T.ReadQueue__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.RemoveLock__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.RemoveLock__DEVICE_EXTENSION][m] == old(Mem[T.RemoveLock__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.Removed__IO_REMOVE_LOCK_COMMON_BLOCK][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Removed__IO_REMOVE_LOCK_COMMON_BLOCK][m] == old(Mem[T.Removed__IO_REMOVE_LOCK_COMMON_BLOCK])[m]);
+assume (forall m:int :: {Mem[T.Reserved1__IO_REMOVE_LOCK_DBG_BLOCK][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Reserved1__IO_REMOVE_LOCK_DBG_BLOCK][m] == old(Mem[T.Reserved1__IO_REMOVE_LOCK_DBG_BLOCK])[m]);
+assume (forall m:int :: {Mem[T.Reserved2__IO_REMOVE_LOCK_DBG_BLOCK][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Reserved2__IO_REMOVE_LOCK_DBG_BLOCK][m] == old(Mem[T.Reserved2__IO_REMOVE_LOCK_DBG_BLOCK])[m]);
+assume (forall m:int :: {Mem[T.Reserved__IO_REMOVE_LOCK_COMMON_BLOCK][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Reserved__IO_REMOVE_LOCK_COMMON_BLOCK][m] == old(Mem[T.Reserved__IO_REMOVE_LOCK_COMMON_BLOCK])[m]);
+assume (forall m:int :: {Mem[T.Self__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Self__DEVICE_EXTENSION][m] == old(Mem[T.Self__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.SequenceNumber__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.SequenceNumber__DEVICE_EXTENSION][m] == old(Mem[T.SequenceNumber__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.SetWmiDataBlock__WMILIB_CONTEXT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.SetWmiDataBlock__WMILIB_CONTEXT][m] == old(Mem[T.SetWmiDataBlock__WMILIB_CONTEXT])[m]);
+assume (forall m:int :: {Mem[T.SetWmiDataItem__WMILIB_CONTEXT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.SetWmiDataItem__WMILIB_CONTEXT][m] == old(Mem[T.SetWmiDataItem__WMILIB_CONTEXT])[m]);
+assume (forall m:int :: {Mem[T.SignalState__DISPATCHER_HEADER][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.SignalState__DISPATCHER_HEADER][m] == old(Mem[T.SignalState__DISPATCHER_HEADER])[m]);
+assume (forall m:int :: {Mem[T.Signalling___unnamed_1_29794256][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Signalling___unnamed_1_29794256][m] == old(Mem[T.Signalling___unnamed_1_29794256])[m]);
+assume (forall m:int :: {Mem[T.Signature__IO_REMOVE_LOCK_DBG_BLOCK][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Signature__IO_REMOVE_LOCK_DBG_BLOCK][m] == old(Mem[T.Signature__IO_REMOVE_LOCK_DBG_BLOCK])[m]);
+assume (forall m:int :: {Mem[T.Size___unnamed_1_2ef8da39][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Size___unnamed_1_2ef8da39][m] == old(Mem[T.Size___unnamed_1_2ef8da39])[m]);
+assume (forall m:int :: {Mem[T.SpinLock__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.SpinLock__DEVICE_EXTENSION][m] == old(Mem[T.SpinLock__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.Spin__IO_REMOVE_LOCK_DBG_BLOCK][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Spin__IO_REMOVE_LOCK_DBG_BLOCK][m] == old(Mem[T.Spin__IO_REMOVE_LOCK_DBG_BLOCK])[m]);
+assume (forall m:int :: {Mem[T.Started__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Started__DEVICE_EXTENSION][m] == old(Mem[T.Started__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.Subtype__KEYBOARD_ID][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Subtype__KEYBOARD_ID][m] == old(Mem[T.Subtype__KEYBOARD_ID])[m]);
+assume (forall m:int :: {Mem[T.SurpriseRemoved__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.SurpriseRemoved__DEVICE_EXTENSION][m] == old(Mem[T.SurpriseRemoved__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.SystemState__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.SystemState__DEVICE_EXTENSION][m] == old(Mem[T.SystemState__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.SystemToDeviceState__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.SystemToDeviceState__DEVICE_EXTENSION][m] == old(Mem[T.SystemToDeviceState__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.TargetNotifyHandle__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.TargetNotifyHandle__DEVICE_EXTENSION][m] == old(Mem[T.TargetNotifyHandle__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.TopPort__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.TopPort__DEVICE_EXTENSION][m] == old(Mem[T.TopPort__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.TrueClassDevice__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.TrueClassDevice__DEVICE_EXTENSION][m] == old(Mem[T.TrueClassDevice__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.TrustedSubsystemCount__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.TrustedSubsystemCount__DEVICE_EXTENSION][m] == old(Mem[T.TrustedSubsystemCount__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.Type__KEYBOARD_ID][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Type__KEYBOARD_ID][m] == old(Mem[T.Type__KEYBOARD_ID])[m]);
+assume (forall m:int :: {Mem[T.Type___unnamed_4_5ca00198][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Type___unnamed_4_5ca00198][m] == old(Mem[T.Type___unnamed_4_5ca00198])[m]);
+assume (forall m:int :: {Mem[T.UCHAR][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.UCHAR][m] == old(Mem[T.UCHAR])[m]);
+assume (forall m:int :: {Mem[T.UINT2][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.UINT2][m] == old(Mem[T.UINT2])[m]);
+assume (forall m:int :: {Mem[T.UINT4][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.UINT4][m] == old(Mem[T.UINT4])[m]);
+assume (forall m:int :: {Mem[T.UnitId__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.UnitId__DEVICE_EXTENSION][m] == old(Mem[T.UnitId__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.UnitId__KEYBOARD_INDICATOR_PARAMETERS][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.UnitId__KEYBOARD_INDICATOR_PARAMETERS][m] == old(Mem[T.UnitId__KEYBOARD_INDICATOR_PARAMETERS])[m]);
+assume (forall m:int :: {Mem[T.UnitId__KEYBOARD_TYPEMATIC_PARAMETERS][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.UnitId__KEYBOARD_TYPEMATIC_PARAMETERS][m] == old(Mem[T.UnitId__KEYBOARD_TYPEMATIC_PARAMETERS])[m]);
+assume (forall m:int :: {Mem[T.WaitWakeEnabled__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.WaitWakeEnabled__DEVICE_EXTENSION][m] == old(Mem[T.WaitWakeEnabled__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.WaitWakeIrp__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.WaitWakeIrp__DEVICE_EXTENSION][m] == old(Mem[T.WaitWakeIrp__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.WaitWakeSpinLock__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.WaitWakeSpinLock__DEVICE_EXTENSION][m] == old(Mem[T.WaitWakeSpinLock__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.WmiFunctionControl__WMILIB_CONTEXT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.WmiFunctionControl__WMILIB_CONTEXT][m] == old(Mem[T.WmiFunctionControl__WMILIB_CONTEXT])[m]);
+assume (forall m:int :: {Mem[T._POOL_TYPE][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T._POOL_TYPE][m] == old(Mem[T._POOL_TYPE])[m]);
+return;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3627)
+label_2:
+assume false;
+return;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3386)
+label_3:
+goto label_4;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3387)
+label_4:
+goto label_5;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3388)
+label_5:
+goto label_6;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3388)
+label_6:
+$deviceExtension$8$3388.24$KbdCreateClassObject$20 := 0 ;
+goto label_7;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3389)
+label_7:
+goto label_8;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3389)
+label_8:
+$errorCode$9$3389.24$KbdCreateClassObject$20 := 0 ;
+goto label_9;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3390)
+label_9:
+goto label_10;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3390)
+label_10:
+// Skipping Structure assignment due to the flag SkipStructAssignments
+goto label_11;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3391)
+label_11:
+goto label_12;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3391)
+label_12:
+$dumpCount$11$3391.24$KbdCreateClassObject$20 := 0 ;
+goto label_13;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3392)
+label_13:
+goto label_14;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3393)
+label_14:
+goto label_15;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3394)
+label_15:
+goto label_16;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3396)
+label_16:
+call __PREfastPagedCode ();
+goto label_22;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3398)
+label_19:
+// skip KbdDebugPrint
+goto label_23;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3398)
+label_22:
+call havoc_stringTemp := __HAVOC_malloc(1);
+$KbdDebugPrint.arg.2$2$ := havoc_stringTemp ;
+goto label_19;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3404)
+label_23:
+call ExAcquireFastMutex (Mutex__GLOBALS(Globals));
+goto label_26;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3409)
+label_26:
+Mem[T.P_DEVICE_OBJECT] := Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3356.28$KbdCreateClassObject$20 := 0];
+goto label_27;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3411)
+label_27:
+goto label_27_true , label_27_false ;
+
+
+label_27_true :
+assume (Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] != 0);
+goto label_89;
+
+
+label_27_false :
+assume (Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] == 0);
+goto label_28;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3415)
+label_28:
+call ExReleaseFastMutex (Mutex__GLOBALS(Globals));
+goto label_31;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3421)
+label_31:
+goto label_31_true , label_31_false ;
+
+
+label_31_true :
+assume (BOOGIE_LARGE_INT_4294967273 < Mem[T.Length__UNICODE_STRING][Length__UNICODE_STRING(BaseClassName__GLOBALS(Globals))]);
+goto label_32;
+
+
+label_31_false :
+assume !(BOOGIE_LARGE_INT_4294967273 < Mem[T.Length__UNICODE_STRING][Length__UNICODE_STRING(BaseClassName__GLOBALS(Globals))]);
+goto label_37;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3422)
+label_32:
+$status$6$3386.24$KbdCreateClassObject$20 := -1073741823 ;
+goto label_33;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3423)
+label_33:
+$errorCode$9$3389.24$KbdCreateClassObject$20 := -1073414143 ;
+goto label_34;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3424)
+label_34:
+$uniqueErrorValue$7$3387.24$KbdCreateClassObject$20 := 10006 ;
+goto label_35;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3425)
+label_35:
+Mem[T.UINT4] := Mem[T.UINT4][PLUS($dumpData$12$3392.24$KbdCreateClassObject$20, 4, 0) := Mem[T.MaximumLength__UNICODE_STRING][MaximumLength__UNICODE_STRING($fullClassName$10$3390.24$KbdCreateClassObject$20)]];
+goto label_36;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3426)
+label_36:
+$dumpCount$11$3391.24$KbdCreateClassObject$20 := 1 ;
+goto label_136;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3433)
+label_37:
+Mem[T.MaximumLength__UNICODE_STRING] := Mem[T.MaximumLength__UNICODE_STRING][MaximumLength__UNICODE_STRING($fullClassName$10$3390.24$KbdCreateClassObject$20) := PLUS(PLUS(18, 1, Mem[T.Length__UNICODE_STRING][Length__UNICODE_STRING(BaseClassName__GLOBALS(Globals))]), 1, 4)];
+goto label_38;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3437)
+label_38:
+goto label_38_true , label_38_false ;
+
+
+label_38_true :
+assume (Mem[T.ConnectOneClassToOnePort__GLOBALS][ConnectOneClassToOnePort__GLOBALS(Globals)] != 0);
+goto label_39;
+
+
+label_38_false :
+assume (Mem[T.ConnectOneClassToOnePort__GLOBALS][ConnectOneClassToOnePort__GLOBALS(Globals)] == 0);
+goto label_44;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3437)
+label_39:
+goto label_39_true , label_39_false ;
+
+
+label_39_true :
+assume ($Legacy$5$3358.28$KbdCreateClassObject$20 != 0);
+goto label_40;
+
+
+label_39_false :
+assume ($Legacy$5$3358.28$KbdCreateClassObject$20 == 0);
+goto label_44;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3438)
+label_40:
+tempBoogie0 := PLUS(Mem[T.MaximumLength__UNICODE_STRING][MaximumLength__UNICODE_STRING($fullClassName$10$3390.24$KbdCreateClassObject$20)], 1, 14) ;
+Mem[T.MaximumLength__UNICODE_STRING] := Mem[T.MaximumLength__UNICODE_STRING][MaximumLength__UNICODE_STRING($fullClassName$10$3390.24$KbdCreateClassObject$20) := tempBoogie0];
+goto label_44;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3441)
+label_41:
+call $result.ExAllocatePoolWithTag$3441.0$3$ := ExAllocatePoolWithTag (1, $ExAllocatePoolWithTag.arg.2$4$, 1130652235);
+goto label_45;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3441)
+label_44:
+$ExAllocatePoolWithTag.arg.2$4$ := Mem[T.MaximumLength__UNICODE_STRING][MaximumLength__UNICODE_STRING($fullClassName$10$3390.24$KbdCreateClassObject$20)] ;
+goto label_41;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3441)
+label_45:
+Mem[T.Buffer__UNICODE_STRING] := Mem[T.Buffer__UNICODE_STRING][Buffer__UNICODE_STRING($fullClassName$10$3390.24$KbdCreateClassObject$20) := $result.ExAllocatePoolWithTag$3441.0$3$];
+goto label_46;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3444)
+label_46:
+goto label_46_true , label_46_false ;
+
+
+label_46_true :
+assume (Mem[T.Buffer__UNICODE_STRING][Buffer__UNICODE_STRING($fullClassName$10$3390.24$KbdCreateClassObject$20)] != 0);
+goto label_59;
+
+
+label_46_false :
+assume (Mem[T.Buffer__UNICODE_STRING][Buffer__UNICODE_STRING($fullClassName$10$3390.24$KbdCreateClassObject$20)] == 0);
+goto label_50;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3446)
+label_47:
+// skip KbdDebugPrint
+goto label_51;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3446)
+label_50:
+call havoc_stringTemp := __HAVOC_malloc(1);
+$KbdDebugPrint.arg.2$5$ := havoc_stringTemp ;
+goto label_47;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3451)
+label_51:
+$status$6$3386.24$KbdCreateClassObject$20 := -1073741823 ;
+goto label_52;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3452)
+label_52:
+$errorCode$9$3389.24$KbdCreateClassObject$20 := -1073414143 ;
+goto label_53;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3453)
+label_53:
+$uniqueErrorValue$7$3387.24$KbdCreateClassObject$20 := 10006 ;
+goto label_54;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3454)
+label_54:
+Mem[T.UINT4] := Mem[T.UINT4][PLUS($dumpData$12$3392.24$KbdCreateClassObject$20, 4, 0) := Mem[T.MaximumLength__UNICODE_STRING][MaximumLength__UNICODE_STRING($fullClassName$10$3390.24$KbdCreateClassObject$20)]];
+goto label_55;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3455)
+label_55:
+$dumpCount$11$3391.24$KbdCreateClassObject$20 := 1 ;
+goto label_136;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3459)
+label_56:
+// ignoring intrinsic intrinsic.memset
+havoc $result.memset$3459.8$6$;
+goto label_63;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3459)
+label_59:
+$memset.arg.3$7$ := Mem[T.MaximumLength__UNICODE_STRING][MaximumLength__UNICODE_STRING($fullClassName$10$3390.24$KbdCreateClassObject$20)] ;
+goto label_56;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3460)
+label_60:
+call $result.RtlAppendUnicodeToString$3460.32$8$ := RtlAppendUnicodeToString ($fullClassName$10$3390.24$KbdCreateClassObject$20, $RtlAppendUnicodeToString.arg.2$9$);
+goto label_64;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3460)
+label_63:
+call havoc_stringTemp := __HAVOC_malloc(1);
+$RtlAppendUnicodeToString.arg.2$9$ := havoc_stringTemp ;
+goto label_60;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3461)
+label_64:
+call $result.RtlAppendUnicodeToString$3461.32$10$ := RtlAppendUnicodeToString ($fullClassName$10$3390.24$KbdCreateClassObject$20, Mem[T.Buffer__UNICODE_STRING][Buffer__UNICODE_STRING(BaseClassName__GLOBALS(Globals))]);
+goto label_67;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3463)
+label_67:
+goto label_67_true , label_67_false ;
+
+
+label_67_true :
+assume (Mem[T.ConnectOneClassToOnePort__GLOBALS][ConnectOneClassToOnePort__GLOBALS(Globals)] != 0);
+goto label_68;
+
+
+label_67_false :
+assume (Mem[T.ConnectOneClassToOnePort__GLOBALS][ConnectOneClassToOnePort__GLOBALS(Globals)] == 0);
+goto label_76;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3463)
+label_68:
+goto label_68_true , label_68_false ;
+
+
+label_68_true :
+assume ($Legacy$5$3358.28$KbdCreateClassObject$20 != 0);
+goto label_72;
+
+
+label_68_false :
+assume ($Legacy$5$3358.28$KbdCreateClassObject$20 == 0);
+goto label_76;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3464)
+label_69:
+call $result.RtlAppendUnicodeToString$3464.36$11$ := RtlAppendUnicodeToString ($fullClassName$10$3390.24$KbdCreateClassObject$20, $RtlAppendUnicodeToString.arg.2$12$);
+goto label_76;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3464)
+label_72:
+call havoc_stringTemp := __HAVOC_malloc(1);
+$RtlAppendUnicodeToString.arg.2$12$ := havoc_stringTemp ;
+goto label_69;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3467)
+label_73:
+call $result.RtlAppendUnicodeToString$3467.32$13$ := RtlAppendUnicodeToString ($fullClassName$10$3390.24$KbdCreateClassObject$20, $RtlAppendUnicodeToString.arg.2$14$);
+goto label_77;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3467)
+label_76:
+call havoc_stringTemp := __HAVOC_malloc(1);
+$RtlAppendUnicodeToString.arg.2$14$ := havoc_stringTemp ;
+goto label_73;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3473)
+label_77:
+$nameIndex$14$3394.24$KbdCreateClassObject$20 := 0 ;
+goto label_78;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3477)
+label_78:
+// loop entry initialization...
+LOOP_78_alloc := alloc;
+LOOP_78_Mem := Mem;
+LOOP_78_Res_DEVICE_STACK := Res_DEVICE_STACK;
+LOOP_78_Res_DEV_EXTN := Res_DEV_EXTN;
+LOOP_78_Res_DEV_OBJ_INIT := Res_DEV_OBJ_INIT;
+LOOP_78_Res_SPIN_LOCK := Res_SPIN_LOCK;
+goto label_78_head;
+
+
+label_78_head:
+// loop head assertions...
+//TAG: requires __pforall(_H_x, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension), __inv_resource("DEV_OBJ_INIT", 1), ((struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension))->Self == _H_x && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension)) == 1)
+assert((forall _H_x:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]} Inverse(Res_DEV_OBJ_INIT,1)[_H_x] ==> ((Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)])] == _H_x) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]] == 1))));
+//TAG: requires __pforall(_H_z, _H_z->Self, __inv_resource("DEV_EXTN", 1), __resource("DEV_OBJ_INIT", _H_z->Self) == 1 && (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(_H_z->Self))->DeviceExtension) == _H_z)
+assert((forall _H_z:int :: {Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]} Inverse(Res_DEV_EXTN,1)[_H_z] ==> ((Res_DEV_OBJ_INIT[Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]] == 1) && (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)])] == _H_z))));
+//TAG: requires __forall(_H_z, __inv_resource("DEV_EXTN", 1), 1)
+assert((Subset(Empty(), Inverse(Res_DEV_EXTN,1)) && (forall _H_z : int :: {Inverse(Res_DEV_EXTN,1)[_H_z]} (Inverse(Res_DEV_EXTN,1)[_H_z]) ==> (true))));
+//TAG: requires 1 ==> (Globals.GrandMaster != (void *)0 ==> __resource("DEV_EXTN", Globals.GrandMaster) == 1)
+assert((true) ==> ((Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] != 0) ==> (Res_DEV_EXTN[Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)]] == 1)));
+//TAG: requires 1 ==> __setin(&Globals.LegacyDeviceList, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList))
+assert((true) ==> (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[LegacyDeviceList__GLOBALS(Globals)]));
+//TAG: requires 1 ==> __forall(_H_y, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), _H_y == &Globals.LegacyDeviceList || __resource("DEV_EXTN", CONTAINING_RECORD(_H_y, struct _DEVICE_EXTENSION , Link)) == 1)
+assert((true) ==> ((Subset(Empty(), ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))) && (forall _H_y : int :: {ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]} (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]) ==> ((_H_y == LegacyDeviceList__GLOBALS(Globals)) || (Res_DEV_EXTN[MINUS_LEFT_PTR(_H_y, 1, Link__DEVICE_EXTENSION(0))] == 1))))));
+//TAG: requires 1 ==> !__setin(&Globals.GrandMaster->Link, __setminus(__btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), __set(&Globals.LegacyDeviceList)))
+assert((true) ==> (!(Difference(ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals)), Singleton(LegacyDeviceList__GLOBALS(Globals)))[Link__DEVICE_EXTENSION(Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)])])));
+//TAG: requires __preserves_resource("DEV_OBJ_INIT")
+assert(Res_DEV_OBJ_INIT == LOOP_78_Res_DEV_OBJ_INIT);
+//TAG: requires __preserves_resource("DEV_EXTN")
+assert(Res_DEV_EXTN == LOOP_78_Res_DEV_EXTN);
+//TAG: requires __preserves_field_map(__offset((*((struct _LIST_ENTRY *)0)).Flink))
+assert(Mem[T.Flink__LIST_ENTRY] == LOOP_78_Mem[T.Flink__LIST_ENTRY]);
+assume(forall f:int :: {alloc[Base(f)]} LOOP_78_alloc[Base(f)] == UNALLOCATED || LOOP_78_alloc[Base(f)] == alloc[Base(f)]);
+
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || LOOP_78_Res_DEVICE_STACK[r] == Res_DEVICE_STACK[r]));
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || LOOP_78_Res_DEV_EXTN[r] == Res_DEV_EXTN[r]));
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || LOOP_78_Res_DEV_OBJ_INIT[r] == Res_DEV_OBJ_INIT[r]));
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || LOOP_78_Res_SPIN_LOCK[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == LOOP_78_Mem[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_f19b65c1] only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m] == LOOP_78_Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == LOOP_78_Mem[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_true, __set_empty
+assert (Subset(Empty(), Union(Union(Empty(), SetTrue()), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (SetTrue()[_m]) || (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == LOOP_78_Mem[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == LOOP_78_Mem[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == LOOP_78_Mem[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == LOOP_78_Mem[T.P_DEVICE_OBJECT][_m]));
+
+// end loop head assertions
+
+Mem[T.UINT2] := Mem[T.UINT2][PLUS(Mem[T.Buffer__UNICODE_STRING][Buffer__UNICODE_STRING($fullClassName$10$3390.24$KbdCreateClassObject$20)], 2, MINUS_BOTH_PTR_OR_BOTH_INT( BINARY_BOTH_INT(Mem[T.Length__UNICODE_STRING][Length__UNICODE_STRING($fullClassName$10$3390.24$KbdCreateClassObject$20)], 2), 1, 1)) := PLUS(48, 1, $nameIndex$14$3394.24$KbdCreateClassObject$20)];
+$nameIndex$14$3394.24$KbdCreateClassObject$20 := PLUS($nameIndex$14$3394.24$KbdCreateClassObject$20, 1, 1) ;
+goto label_82;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3479)
+label_79:
+// skip KbdDebugPrint
+goto label_83;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3479)
+label_82:
+call havoc_stringTemp := __HAVOC_malloc(1);
+$KbdDebugPrint.arg.2$15$ := havoc_stringTemp ;
+goto label_79;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3485)
+label_83:
+call $result.IoCreateDevice$3485.35$16$ := IoCreateDevice ($DriverObject$1$3354.28$KbdCreateClassObject$20, 288, $fullClassName$10$3390.24$KbdCreateClassObject$20, 11, 0, 0, $ClassDeviceObject$3$3356.28$KbdCreateClassObject$20);
+goto label_86;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3485)
+label_86:
+$status$6$3386.24$KbdCreateClassObject$20 := $result.IoCreateDevice$3485.35$16$ ;
+goto label_87;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3493)
+label_87:
+goto label_87_true , label_87_false ;
+
+
+label_87_true :
+assume (-1073741771 == $status$6$3386.24$KbdCreateClassObject$20);
+goto label_78_head;
+
+
+label_87_false :
+assume !(-1073741771 == $status$6$3386.24$KbdCreateClassObject$20);
+goto label_88;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3495)
+label_88:
+Mem[T.PUINT2] := Mem[T.PUINT2][$FullDeviceName$4$3357.35$KbdCreateClassObject$20 := Mem[T.Buffer__UNICODE_STRING][Buffer__UNICODE_STRING($fullClassName$10$3390.24$KbdCreateClassObject$20)]];
+goto label_97;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3498)
+label_89:
+call ExReleaseFastMutex (Mutex__GLOBALS(Globals));
+goto label_92;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3499)
+label_92:
+call $result.IoCreateDevice$3499.31$17$ := IoCreateDevice ($DriverObject$1$3354.28$KbdCreateClassObject$20, 288, 0, 11, 0, 0, $ClassDeviceObject$3$3356.28$KbdCreateClassObject$20);
+goto label_95;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3499)
+label_95:
+$status$6$3386.24$KbdCreateClassObject$20 := $result.IoCreateDevice$3499.31$17$ ;
+goto label_96;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3506)
+label_96:
+Mem[T.PUINT2] := Mem[T.PUINT2][$FullDeviceName$4$3357.35$KbdCreateClassObject$20 := 0];
+goto label_97;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3509)
+label_97:
+goto label_97_true , label_97_false ;
+
+
+label_97_true :
+assume (0 <= $status$6$3386.24$KbdCreateClassObject$20);
+goto label_98;
+
+
+label_97_false :
+assume !(0 <= $status$6$3386.24$KbdCreateClassObject$20);
+goto label_102;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3509)
+label_98:
+goto label_98_true , label_98_false ;
+
+
+label_98_true :
+assume (Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3356.28$KbdCreateClassObject$20] != 0);
+goto label_107;
+
+
+label_98_false :
+assume (Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3356.28$KbdCreateClassObject$20] == 0);
+goto label_102;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3510)
+label_99:
+// skip KbdDebugPrint
+goto label_103;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3510)
+label_102:
+call havoc_stringTemp := __HAVOC_malloc(1);
+$KbdDebugPrint.arg.2$18$ := havoc_stringTemp ;
+goto label_99;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3516)
+label_103:
+$errorCode$9$3389.24$KbdCreateClassObject$20 := -1073414131 ;
+goto label_104;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3517)
+label_104:
+$uniqueErrorValue$7$3387.24$KbdCreateClassObject$20 := 10006 ;
+goto label_105;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3518)
+label_105:
+Mem[T.UINT4] := Mem[T.UINT4][PLUS($dumpData$12$3392.24$KbdCreateClassObject$20, 4, 0) := Mem[T.MaximumLength__UNICODE_STRING][MaximumLength__UNICODE_STRING($fullClassName$10$3390.24$KbdCreateClassObject$20)]];
+goto label_106;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3519)
+label_106:
+$dumpCount$11$3391.24$KbdCreateClassObject$20 := 1 ;
+goto label_136;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3528)
+label_107:
+assume (forall r:int :: {BIT_BAND(BIT_BOR(Mem[T.Flags__DEVICE_OBJECT][Flags__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3356.28$KbdCreateClassObject$20])], 4),r)} BIT_BAND(Mem[T.Flags__DEVICE_OBJECT][Flags__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3356.28$KbdCreateClassObject$20])],r)!= 0 || BIT_BAND(4,r)!= 0 <==> BIT_BAND(BIT_BOR(Mem[T.Flags__DEVICE_OBJECT][Flags__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3356.28$KbdCreateClassObject$20])], 4),r)!= 0);
+tempBoogie0 := BIT_BOR(Mem[T.Flags__DEVICE_OBJECT][Flags__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3356.28$KbdCreateClassObject$20])], 4) ;
+Mem[T.Flags__DEVICE_OBJECT] := Mem[T.Flags__DEVICE_OBJECT][Flags__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3356.28$KbdCreateClassObject$20]) := tempBoogie0];
+goto label_108;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3529)
+label_108:
+$deviceExtension$8$3388.24$KbdCreateClassObject$20 := Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3356.28$KbdCreateClassObject$20])] ;
+goto label_109;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3531)
+label_109:
+// Skipping Structure assignment due to the flag SkipStructAssignments
+goto label_110;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3533)
+label_110:
+Mem[T.Self__DEVICE_EXTENSION] := Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION($deviceExtension$8$3388.24$KbdCreateClassObject$20) := Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3356.28$KbdCreateClassObject$20]];
+goto label_111;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3534)
+label_111:
+call IoInitializeRemoveLockEx (RemoveLock__DEVICE_EXTENSION($deviceExtension$8$3388.24$KbdCreateClassObject$20), 1130652235, 0, 0, 88);
+goto label_114;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3539)
+label_114:
+assume (Mem[T.SpinLock__DEVICE_EXTENSION][SpinLock__DEVICE_EXTENSION($deviceExtension$8$3388.24$KbdCreateClassObject$20)] == Mem[T.UINT4][SpinLock__DEVICE_EXTENSION($deviceExtension$8$3388.24$KbdCreateClassObject$20)]);
+call KeInitializeSpinLock (SpinLock__DEVICE_EXTENSION($deviceExtension$8$3388.24$KbdCreateClassObject$20));
+Mem[T.SpinLock__DEVICE_EXTENSION] := Mem[T.SpinLock__DEVICE_EXTENSION][SpinLock__DEVICE_EXTENSION($deviceExtension$8$3388.24$KbdCreateClassObject$20) := Mem[T.UINT4][SpinLock__DEVICE_EXTENSION($deviceExtension$8$3388.24$KbdCreateClassObject$20)]];
+goto label_117;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3544)
+label_117:
+call InitializeListHead_IRP (ReadQueue__DEVICE_EXTENSION($deviceExtension$8$3388.24$KbdCreateClassObject$20));
+goto label_120;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3550)
+label_120:
+Mem[T.TrustedSubsystemCount__DEVICE_EXTENSION] := Mem[T.TrustedSubsystemCount__DEVICE_EXTENSION][TrustedSubsystemCount__DEVICE_EXTENSION($deviceExtension$8$3388.24$KbdCreateClassObject$20) := 0];
+goto label_121;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3557)
+label_121:
+call $result.ExAllocatePoolWithTag$3557.0$19$ := ExAllocatePoolWithTag (0, Mem[T.InputDataQueueLength__KEYBOARD_ATTRIBUTES][InputDataQueueLength__KEYBOARD_ATTRIBUTES(KeyboardAttributes__DEVICE_EXTENSION($deviceExtension$8$3388.24$KbdCreateClassObject$20))], 1130652235);
+goto label_124;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3556)
+label_124:
+Mem[T.InputData__DEVICE_EXTENSION] := Mem[T.InputData__DEVICE_EXTENSION][InputData__DEVICE_EXTENSION($deviceExtension$8$3388.24$KbdCreateClassObject$20) := $result.ExAllocatePoolWithTag$3557.0$19$];
+goto label_125;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3562)
+label_125:
+goto label_125_true , label_125_false ;
+
+
+label_125_true :
+assume (Mem[T.InputData__DEVICE_EXTENSION][InputData__DEVICE_EXTENSION($deviceExtension$8$3388.24$KbdCreateClassObject$20)] != 0);
+goto label_133;
+
+
+label_125_false :
+assume (Mem[T.InputData__DEVICE_EXTENSION][InputData__DEVICE_EXTENSION($deviceExtension$8$3388.24$KbdCreateClassObject$20)] == 0);
+goto label_129;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3568)
+label_126:
+// skip KbdDebugPrint
+goto label_130;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3568)
+label_129:
+call havoc_stringTemp := __HAVOC_malloc(1);
+$KbdDebugPrint.arg.2$20$ := havoc_stringTemp ;
+goto label_126;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3574)
+label_130:
+$status$6$3386.24$KbdCreateClassObject$20 := -1073741670 ;
+goto label_131;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3580)
+label_131:
+$errorCode$9$3389.24$KbdCreateClassObject$20 := -1073414142 ;
+goto label_132;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3581)
+label_132:
+$uniqueErrorValue$7$3387.24$KbdCreateClassObject$20 := 10020 ;
+goto label_136;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3589)
+label_133:
+call KbdInitializeDataQueue ($deviceExtension$8$3388.24$KbdCreateClassObject$20);
+goto label_136;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3593)
+label_136:
+goto label_136_true , label_136_false ;
+
+
+label_136_true :
+assume ($status$6$3386.24$KbdCreateClassObject$20 != 0);
+goto label_137;
+
+
+label_136_false :
+assume ($status$6$3386.24$KbdCreateClassObject$20 == 0);
+goto label_162;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3599)
+label_137:
+call RtlFreeUnicodeString ($fullClassName$10$3390.24$KbdCreateClassObject$20);
+goto label_140;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3600)
+label_140:
+Mem[T.PUINT2] := Mem[T.PUINT2][$FullDeviceName$4$3357.35$KbdCreateClassObject$20 := 0];
+goto label_141;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3602)
+label_141:
+goto label_141_true , label_141_false ;
+
+
+label_141_true :
+assume ($errorCode$9$3389.24$KbdCreateClassObject$20 != 0);
+goto label_145;
+
+
+label_141_false :
+assume ($errorCode$9$3389.24$KbdCreateClassObject$20 == 0);
+goto label_148;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3603)
+label_142:
+call KeyboardClassLogError ($result.question.21$, $errorCode$9$3389.24$KbdCreateClassObject$20, $uniqueErrorValue$7$3387.24$KbdCreateClassObject$20, $status$6$3386.24$KbdCreateClassObject$20, $dumpCount$11$3391.24$KbdCreateClassObject$20, $dumpData$12$3392.24$KbdCreateClassObject$20, 0);
+goto label_148;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3604)
+label_145:
+goto label_145_true , label_145_false ;
+
+
+label_145_true :
+assume (Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3356.28$KbdCreateClassObject$20] != 0);
+goto label_147;
+
+
+label_145_false :
+assume (Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3356.28$KbdCreateClassObject$20] == 0);
+goto label_146;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3604)
+label_146:
+$result.question.21$ := $DriverObject$1$3354.28$KbdCreateClassObject$20 ;
+goto label_142;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3604)
+label_147:
+$result.question.21$ := Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3356.28$KbdCreateClassObject$20] ;
+goto label_142;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3614)
+label_148:
+goto label_148_true , label_148_false ;
+
+
+label_148_true :
+assume ($deviceExtension$8$3388.24$KbdCreateClassObject$20 != 0);
+goto label_149;
+
+
+label_148_false :
+assume ($deviceExtension$8$3388.24$KbdCreateClassObject$20 == 0);
+goto label_154;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3614)
+label_149:
+goto label_149_true , label_149_false ;
+
+
+label_149_true :
+assume (Mem[T.InputData__DEVICE_EXTENSION][InputData__DEVICE_EXTENSION($deviceExtension$8$3388.24$KbdCreateClassObject$20)] != 0);
+goto label_150;
+
+
+label_149_false :
+assume (Mem[T.InputData__DEVICE_EXTENSION][InputData__DEVICE_EXTENSION($deviceExtension$8$3388.24$KbdCreateClassObject$20)] == 0);
+goto label_154;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3615)
+label_150:
+call ExFreePoolWithTag (Mem[T.InputData__DEVICE_EXTENSION][InputData__DEVICE_EXTENSION($deviceExtension$8$3388.24$KbdCreateClassObject$20)], 0);
+goto label_153;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3616)
+label_153:
+Mem[T.InputData__DEVICE_EXTENSION] := Mem[T.InputData__DEVICE_EXTENSION][InputData__DEVICE_EXTENSION($deviceExtension$8$3388.24$KbdCreateClassObject$20) := 0];
+goto label_154;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3618)
+label_154:
+goto label_154_true , label_154_false ;
+
+
+label_154_true :
+assume (Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3356.28$KbdCreateClassObject$20] != 0);
+goto label_155;
+
+
+label_154_false :
+assume (Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3356.28$KbdCreateClassObject$20] == 0);
+goto label_162;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3619)
+label_155:
+call IoDeleteDevice (Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3356.28$KbdCreateClassObject$20]);
+goto label_158;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3620)
+label_158:
+Mem[T.P_DEVICE_OBJECT] := Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3356.28$KbdCreateClassObject$20 := 0];
+goto label_162;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3624)
+label_159:
+// skip KbdDebugPrint
+goto label_163;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3624)
+label_162:
+call havoc_stringTemp := __HAVOC_malloc(1);
+$KbdDebugPrint.arg.2$22$ := havoc_stringTemp ;
+goto label_159;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3626)
+label_163:
+$result.KbdCreateClassObject$3353.0$1$ := $status$6$3386.24$KbdCreateClassObject$20 ;
+goto label_1;
+
+}
+
diff --git a/Test/havoc0/KeyboardClassFindMorePorts.bpl b/Test/havoc0/KeyboardClassFindMorePorts.bpl
new file mode 100644
index 00000000..28e0dd09
--- /dev/null
+++ b/Test/havoc0/KeyboardClassFindMorePorts.bpl
@@ -0,0 +1,3780 @@
+type byte, name;
+function OneByteToInt(byte) returns (int);
+function TwoBytesToInt(byte, byte) returns (int);
+function FourBytesToInt(byte, byte, byte, byte) returns (int);
+axiom(forall b0:byte, c0:byte :: {OneByteToInt(b0), OneByteToInt(c0)} OneByteToInt(b0) == OneByteToInt(c0) ==> b0 == c0);
+axiom(forall b0:byte, b1: byte, c0:byte, c1:byte :: {TwoBytesToInt(b0, b1), TwoBytesToInt(c0, c1)} TwoBytesToInt(b0, b1) == TwoBytesToInt(c0, c1) ==> b0 == c0 && b1 == c1);
+axiom(forall b0:byte, b1: byte, b2:byte, b3:byte, c0:byte, c1:byte, c2:byte, c3:byte :: {FourBytesToInt(b0, b1, b2, b3), FourBytesToInt(c0, c1, c2, c3)} FourBytesToInt(b0, b1, b2, b3) == FourBytesToInt(c0, c1, c2, c3) ==> b0 == c0 && b1 == c1 && b2 == c2 && b3 == c3);
+
+// Mutable
+var Mem_BYTE:[int]byte;
+var alloc:[int]name;
+
+
+function Field(int) returns (name);
+function Base(int) returns (int);
+
+// Constants
+const unique UNALLOCATED:name;
+const unique ALLOCATED: name;
+const unique FREED:name;
+
+const unique BYTE:name;
+
+function Equal([int]bool, [int]bool) returns (bool);
+function Subset([int]bool, [int]bool) returns (bool);
+function Disjoint([int]bool, [int]bool) returns (bool);
+
+function Empty() returns ([int]bool);
+function SetTrue() returns ([int]bool);
+function Singleton(int) returns ([int]bool);
+function Reachable([int,int]bool, int) returns ([int]bool);
+function Union([int]bool, [int]bool) returns ([int]bool);
+function Intersection([int]bool, [int]bool) returns ([int]bool);
+function Difference([int]bool, [int]bool) returns ([int]bool);
+function Dereference([int]bool, [int]int) returns ([int]bool);
+function Inverse(f:[int]int, x:int) returns ([int]bool);
+
+function AtLeast(int, int) returns ([int]bool);
+function Rep(int, int) returns (int);
+axiom(forall n:int, x:int, y:int :: {AtLeast(n,x)[y]} AtLeast(n,x)[y] ==> x <= y && Rep(n,x) == Rep(n,y));
+axiom(forall n:int, x:int, y:int :: {AtLeast(n,x),Rep(n,x),Rep(n,y)} x <= y && Rep(n,x) == Rep(n,y) ==> AtLeast(n,x)[y]);
+axiom(forall n:int, x:int :: {AtLeast(n,x)} AtLeast(n,x)[x]);
+axiom(forall n:int, x:int, z:int :: {PLUS(x,n,z)} Rep(n,x) == Rep(n,PLUS(x,n,z)));
+axiom(forall n:int, x:int :: {Rep(n,x)} (exists k:int :: Rep(n,x) - x == n*k));
+
+/*
+function AtLeast(int, int) returns ([int]bool);
+function ModEqual(int, int, int) returns (bool);
+axiom(forall n:int, x:int :: ModEqual(n,x,x));
+axiom(forall n:int, x:int, y:int :: {ModEqual(n,x,y)} ModEqual(n,x,y) ==> ModEqual(n,y,x));
+axiom(forall n:int, x:int, y:int, z:int :: {ModEqual(n,x,y), ModEqual(n,y,z)} ModEqual(n,x,y) && ModEqual(n,y,z) ==> ModEqual(n,x,z));
+axiom(forall n:int, x:int, z:int :: {PLUS(x,n,z)} ModEqual(n,x,PLUS(x,n,z)));
+axiom(forall n:int, x:int, y:int :: {ModEqual(n,x,y)} ModEqual(n,x,y) ==> (exists k:int :: x - y == n*k));
+axiom(forall x:int, n:int, y:int :: {AtLeast(n,x)[y]}{ModEqual(n,x,y)} AtLeast(n,x)[y] <==> x <= y && ModEqual(n,x,y));
+axiom(forall x:int, n:int :: {AtLeast(n,x)} AtLeast(n,x)[x]);
+*/
+
+function Array(int, int, int) returns ([int]bool);
+axiom(forall x:int, n:int, z:int :: {Array(x,n,z)} z <= 0 ==> Equal(Array(x,n,z), Empty()));
+axiom(forall x:int, n:int, z:int :: {Array(x,n,z)} z > 0 ==> Equal(Array(x,n,z), Difference(AtLeast(n,x),AtLeast(n,PLUS(x,n,z)))));
+
+
+axiom(forall x:int :: !Empty()[x]);
+
+axiom(forall x:int :: SetTrue()[x]);
+
+axiom(forall x:int, y:int :: {Singleton(y)[x]} Singleton(y)[x] <==> x == y);
+axiom(forall y:int :: {Singleton(y)} Singleton(y)[y]);
+
+/* this formulation of Union IS more complete than the earlier one */
+/* (A U B)[e], A[d], A U B = Singleton(c), d != e */
+axiom(forall x:int, S:[int]bool, T:[int]bool :: {Union(S,T)[x]}{Union(S,T),S[x]}{Union(S,T),T[x]} Union(S,T)[x] <==> S[x] || T[x]);
+axiom(forall x:int, S:[int]bool, T:[int]bool :: {Intersection(S,T)[x]}{Intersection(S,T),S[x]}{Intersection(S,T),T[x]} Intersection(S,T)[x] <==> S[x] && T[x]);
+axiom(forall x:int, S:[int]bool, T:[int]bool :: {Difference(S,T)[x]}{Difference(S,T),S[x]}{Difference(S,T),T[x]} Difference(S,T)[x] <==> S[x] && !T[x]);
+
+axiom(forall S:[int]bool, T:[int]bool :: {Equal(S,T)} Equal(S,T) <==> Subset(S,T) && Subset(T,S));
+axiom(forall x:int, S:[int]bool, T:[int]bool :: {S[x],Subset(S,T)}{T[x],Subset(S,T)} S[x] && Subset(S,T) ==> T[x]);
+axiom(forall S:[int]bool, T:[int]bool :: {Subset(S,T)} Subset(S,T) || (exists x:int :: S[x] && !T[x]));
+axiom(forall x:int, S:[int]bool, T:[int]bool :: {S[x],Disjoint(S,T)}{T[x],Disjoint(S,T)} !(S[x] && Disjoint(S,T) && T[x]));
+axiom(forall S:[int]bool, T:[int]bool :: {Disjoint(S,T)} Disjoint(S,T) || (exists x:int :: S[x] && T[x]));
+
+axiom(forall f:[int]int, x:int :: {Inverse(f,f[x])} Inverse(f,f[x])[x]);
+axiom(forall f:[int]int, x:int, y:int :: {Inverse(f,y), f[x]} Inverse(f,y)[x] ==> f[x] == y);
+axiom(forall f:[int]int, x:int, y:int :: {Inverse(f[x := y],y)} Equal(Inverse(f[x := y],y), Union(Inverse(f,y), Singleton(x))));
+axiom(forall f:[int]int, x:int, y:int, z:int :: {Inverse(f[x := y],z)} y == z || Equal(Inverse(f[x := y],z), Difference(Inverse(f,z), Singleton(x))));
+
+
+axiom(forall x:int, S:[int]bool, M:[int]int :: {Dereference(S,M)[x]} Dereference(S,M)[x] ==> (exists y:int :: x == M[y] && S[y]));
+axiom(forall x:int, S:[int]bool, M:[int]int :: {M[x], S[x], Dereference(S,M)} S[x] ==> Dereference(S,M)[M[x]]);
+axiom(forall x:int, y:int, S:[int]bool, M:[int]int :: {Dereference(S,M[x := y])} !S[x] ==> Equal(Dereference(S,M[x := y]), Dereference(S,M)));
+axiom(forall x:int, y:int, S:[int]bool, M:[int]int :: {Dereference(S,M[x := y])}
+ S[x] && Equal(Intersection(Inverse(M,M[x]), S), Singleton(x)) ==> Equal(Dereference(S,M[x := y]), Union(Difference(Dereference(S,M), Singleton(M[x])), Singleton(y))));
+axiom(forall x:int, y:int, S:[int]bool, M:[int]int :: {Dereference(S,M[x := y])}
+ S[x] && !Equal(Intersection(Inverse(M,M[x]), S), Singleton(x)) ==> Equal(Dereference(S,M[x := y]), Union(Dereference(S,M), Singleton(y))));
+
+function Unified([name][int]int) returns ([int]int);
+axiom(forall M:[name][int]int, x:int :: {Unified(M)[x]} Unified(M)[x] == M[Field(x)][x]);
+axiom(forall M:[name][int]int, x:int, y:int :: {Unified(M[Field(x) := M[Field(x)][x := y]])} Unified(M[Field(x) := M[Field(x)][x := y]]) == Unified(M)[x := y]);
+// Memory model
+
+var Mem: [name][int]int;
+
+function Match(a:int, t:name) returns (bool);
+function HasType(v:int, t:name, m:[name][int]int) returns (bool);
+function Values(t:name, m:[name][int]int) returns ([int]bool);
+function T.Ptr(t:name) returns (name);
+
+axiom(forall v:int, t:name, m:[name][int]int :: {Values(t, m)[v]} Values(t, m)[v] ==> HasType(v, t, m));
+axiom(forall v:int, t:name, m:[name][int]int :: {HasType(v, t, m), Values(t, m)} HasType(v, t, m) ==> Values(t, m)[v]);
+
+axiom(forall a:int, t:name :: {Match(a, T.Ptr(t))} Match(a, T.Ptr(t)) <==> Field(a) == T.Ptr(t));
+axiom(forall v:int, t:name, m:[name][int]int :: {HasType(v, T.Ptr(t), m)} HasType(v, T.Ptr(t), m) <==> (v == 0 || (v > 0 && Match(v, t))));
+
+axiom(forall v:int, t:name, m1:[name][int]int, m2:[name][int]int :: {HasType(v, t, m1), HasType(v, t, m2)}
+ (HasType(v, t, m1) <==> HasType(v, t, m2)));
+
+// Field declarations
+
+const unique T.Guid_WMIGUIDREGINFO:name;
+const unique T.InstanceCount_WMIGUIDREGINFO:name;
+const unique T.Flags_WMIGUIDREGINFO:name;
+const unique T.OperationID__ACCESS_STATE:name;
+const unique T.SecurityEvaluated__ACCESS_STATE:name;
+const unique T.GenerateAudit__ACCESS_STATE:name;
+const unique T.GenerateOnClose__ACCESS_STATE:name;
+const unique T.PrivilegesAllocated__ACCESS_STATE:name;
+const unique T.Flags__ACCESS_STATE:name;
+const unique T.RemainingDesiredAccess__ACCESS_STATE:name;
+const unique T.PreviouslyGrantedAccess__ACCESS_STATE:name;
+const unique T.OriginalDesiredAccess__ACCESS_STATE:name;
+const unique T.SubjectSecurityContext__ACCESS_STATE:name;
+const unique T.SecurityDescriptor__ACCESS_STATE:name;
+const unique T.AuxData__ACCESS_STATE:name;
+const unique T.Privileges__ACCESS_STATE:name;
+const unique T.AuditPrivileges__ACCESS_STATE:name;
+const unique T.ObjectName__ACCESS_STATE:name;
+const unique T.ObjectTypeName__ACCESS_STATE:name;
+const unique T.InterfaceType__CM_FULL_RESOURCE_DESCRIPTOR:name;
+const unique T.BusNumber__CM_FULL_RESOURCE_DESCRIPTOR:name;
+const unique T.PartialResourceList__CM_FULL_RESOURCE_DESCRIPTOR:name;
+const unique T.Type__CM_PARTIAL_RESOURCE_DESCRIPTOR:name;
+const unique T.ShareDisposition__CM_PARTIAL_RESOURCE_DESCRIPTOR:name;
+const unique T.Flags__CM_PARTIAL_RESOURCE_DESCRIPTOR:name;
+const unique T.u__CM_PARTIAL_RESOURCE_DESCRIPTOR:name;
+const unique T.Version__CM_PARTIAL_RESOURCE_LIST:name;
+const unique T.Revision__CM_PARTIAL_RESOURCE_LIST:name;
+const unique T.Count__CM_PARTIAL_RESOURCE_LIST:name;
+const unique T.PartialDescriptors__CM_PARTIAL_RESOURCE_LIST:name;
+const unique T.Count__CM_RESOURCE_LIST:name;
+const unique T.List__CM_RESOURCE_LIST:name;
+const unique T.Size__DEVICE_CAPABILITIES:name;
+const unique T.Version__DEVICE_CAPABILITIES:name;
+const unique T.DeviceD1__DEVICE_CAPABILITIES:name;
+const unique T.DeviceD2__DEVICE_CAPABILITIES:name;
+const unique T.LockSupported__DEVICE_CAPABILITIES:name;
+const unique T.EjectSupported__DEVICE_CAPABILITIES:name;
+const unique T.Removable__DEVICE_CAPABILITIES:name;
+const unique T.DockDevice__DEVICE_CAPABILITIES:name;
+const unique T.UniqueID__DEVICE_CAPABILITIES:name;
+const unique T.SilentInstall__DEVICE_CAPABILITIES:name;
+const unique T.RawDeviceOK__DEVICE_CAPABILITIES:name;
+const unique T.SurpriseRemovalOK__DEVICE_CAPABILITIES:name;
+const unique T.WakeFromD0__DEVICE_CAPABILITIES:name;
+const unique T.WakeFromD1__DEVICE_CAPABILITIES:name;
+const unique T.WakeFromD2__DEVICE_CAPABILITIES:name;
+const unique T.WakeFromD3__DEVICE_CAPABILITIES:name;
+const unique T.HardwareDisabled__DEVICE_CAPABILITIES:name;
+const unique T.NonDynamic__DEVICE_CAPABILITIES:name;
+const unique T.WarmEjectSupported__DEVICE_CAPABILITIES:name;
+const unique T.NoDisplayInUI__DEVICE_CAPABILITIES:name;
+const unique T.Reserved__DEVICE_CAPABILITIES:name;
+const unique T.Address__DEVICE_CAPABILITIES:name;
+const unique T.UINumber__DEVICE_CAPABILITIES:name;
+const unique T.DeviceState__DEVICE_CAPABILITIES:name;
+const unique T.SystemWake__DEVICE_CAPABILITIES:name;
+const unique T.DeviceWake__DEVICE_CAPABILITIES:name;
+const unique T.D1Latency__DEVICE_CAPABILITIES:name;
+const unique T.D2Latency__DEVICE_CAPABILITIES:name;
+const unique T.D3Latency__DEVICE_CAPABILITIES:name;
+const unique T.Self__DEVICE_EXTENSION:name;
+const unique T.TrueClassDevice__DEVICE_EXTENSION:name;
+const unique T.TopPort__DEVICE_EXTENSION:name;
+const unique T.PDO__DEVICE_EXTENSION:name;
+const unique T.RemoveLock__DEVICE_EXTENSION:name;
+const unique T.PnP__DEVICE_EXTENSION:name;
+const unique T.Started__DEVICE_EXTENSION:name;
+const unique T.AllowDisable__DEVICE_EXTENSION:name;
+const unique T.WaitWakeSpinLock__DEVICE_EXTENSION:name;
+const unique T.TrustedSubsystemCount__DEVICE_EXTENSION:name;
+const unique T.InputCount__DEVICE_EXTENSION:name;
+const unique T.SymbolicLinkName__DEVICE_EXTENSION:name;
+const unique T.InputData__DEVICE_EXTENSION:name;
+const unique T.DataIn__DEVICE_EXTENSION:name;
+const unique T.DataOut__DEVICE_EXTENSION:name;
+const unique T.KeyboardAttributes__DEVICE_EXTENSION:name;
+const unique T.IndicatorParameters__DEVICE_EXTENSION:name;
+const unique T.SpinLock__DEVICE_EXTENSION:name;
+const unique T.ReadQueue__DEVICE_EXTENSION:name;
+const unique T.SequenceNumber__DEVICE_EXTENSION:name;
+const unique T.DeviceState__DEVICE_EXTENSION:name;
+const unique T.SystemState__DEVICE_EXTENSION:name;
+const unique T.UnitId__DEVICE_EXTENSION:name;
+const unique T.WmiLibInfo__DEVICE_EXTENSION:name;
+const unique T.SystemToDeviceState__DEVICE_EXTENSION:name;
+const unique T.MinDeviceWakeState__DEVICE_EXTENSION:name;
+const unique T.MinSystemWakeState__DEVICE_EXTENSION:name;
+const unique T.WaitWakeIrp__DEVICE_EXTENSION:name;
+const unique T.ExtraWaitWakeIrp__DEVICE_EXTENSION:name;
+const unique T.TargetNotifyHandle__DEVICE_EXTENSION:name;
+const unique T.Link__DEVICE_EXTENSION:name;
+const unique T.File__DEVICE_EXTENSION:name;
+const unique T.Enabled__DEVICE_EXTENSION:name;
+const unique T.OkayToLogOverflow__DEVICE_EXTENSION:name;
+const unique T.WaitWakeEnabled__DEVICE_EXTENSION:name;
+const unique T.SurpriseRemoved__DEVICE_EXTENSION:name;
+const unique T.Type__DEVICE_OBJECT:name;
+const unique T.Size__DEVICE_OBJECT:name;
+const unique T.ReferenceCount__DEVICE_OBJECT:name;
+const unique T.DriverObject__DEVICE_OBJECT:name;
+const unique T.NextDevice__DEVICE_OBJECT:name;
+const unique T.AttachedDevice__DEVICE_OBJECT:name;
+const unique T.CurrentIrp__DEVICE_OBJECT:name;
+const unique T.Timer__DEVICE_OBJECT:name;
+const unique T.Flags__DEVICE_OBJECT:name;
+const unique T.Characteristics__DEVICE_OBJECT:name;
+const unique T.Vpb__DEVICE_OBJECT:name;
+const unique T.DeviceExtension__DEVICE_OBJECT:name;
+const unique T.DeviceType__DEVICE_OBJECT:name;
+const unique T.StackSize__DEVICE_OBJECT:name;
+const unique T.Queue__DEVICE_OBJECT:name;
+const unique T.AlignmentRequirement__DEVICE_OBJECT:name;
+const unique T.DeviceQueue__DEVICE_OBJECT:name;
+const unique T.Dpc__DEVICE_OBJECT:name;
+const unique T.ActiveThreadCount__DEVICE_OBJECT:name;
+const unique T.SecurityDescriptor__DEVICE_OBJECT:name;
+const unique T.DeviceLock__DEVICE_OBJECT:name;
+const unique T.SectorSize__DEVICE_OBJECT:name;
+const unique T.Spare1__DEVICE_OBJECT:name;
+const unique T.DeviceObjectExtension__DEVICE_OBJECT:name;
+const unique T.Reserved__DEVICE_OBJECT:name;
+const unique T.Type__DEVOBJ_EXTENSION:name;
+const unique T.Size__DEVOBJ_EXTENSION:name;
+const unique T.DeviceObject__DEVOBJ_EXTENSION:name;
+const unique T.__unnamed_4_a97c65a1__DISPATCHER_HEADER:name;
+const unique T.SignalState__DISPATCHER_HEADER:name;
+const unique T.WaitListHead__DISPATCHER_HEADER:name;
+const unique T.DriverObject__DRIVER_EXTENSION:name;
+const unique T.AddDevice__DRIVER_EXTENSION:name;
+const unique T.Count__DRIVER_EXTENSION:name;
+const unique T.ServiceKeyName__DRIVER_EXTENSION:name;
+const unique T.Type__DRIVER_OBJECT:name;
+const unique T.Size__DRIVER_OBJECT:name;
+const unique T.DeviceObject__DRIVER_OBJECT:name;
+const unique T.Flags__DRIVER_OBJECT:name;
+const unique T.DriverStart__DRIVER_OBJECT:name;
+const unique T.DriverSize__DRIVER_OBJECT:name;
+const unique T.DriverSection__DRIVER_OBJECT:name;
+const unique T.DriverExtension__DRIVER_OBJECT:name;
+const unique T.DriverName__DRIVER_OBJECT:name;
+const unique T.HardwareDatabase__DRIVER_OBJECT:name;
+const unique T.FastIoDispatch__DRIVER_OBJECT:name;
+const unique T.DriverInit__DRIVER_OBJECT:name;
+const unique T.DriverStartIo__DRIVER_OBJECT:name;
+const unique T.DriverUnload__DRIVER_OBJECT:name;
+const unique T.MajorFunction__DRIVER_OBJECT:name;
+const unique T.SystemResourcesList__ERESOURCE:name;
+const unique T.OwnerTable__ERESOURCE:name;
+const unique T.ActiveCount__ERESOURCE:name;
+const unique T.Flag__ERESOURCE:name;
+const unique T.SharedWaiters__ERESOURCE:name;
+const unique T.ExclusiveWaiters__ERESOURCE:name;
+const unique T.OwnerEntry__ERESOURCE:name;
+const unique T.ActiveEntries__ERESOURCE:name;
+const unique T.ContentionCount__ERESOURCE:name;
+const unique T.NumberOfSharedWaiters__ERESOURCE:name;
+const unique T.NumberOfExclusiveWaiters__ERESOURCE:name;
+const unique T.__unnamed_4_52c594f7__ERESOURCE:name;
+const unique T.SpinLock__ERESOURCE:name;
+const unique T.SizeOfFastIoDispatch__FAST_IO_DISPATCH:name;
+const unique T.FastIoCheckIfPossible__FAST_IO_DISPATCH:name;
+const unique T.FastIoRead__FAST_IO_DISPATCH:name;
+const unique T.FastIoWrite__FAST_IO_DISPATCH:name;
+const unique T.FastIoQueryBasicInfo__FAST_IO_DISPATCH:name;
+const unique T.FastIoQueryStandardInfo__FAST_IO_DISPATCH:name;
+const unique T.FastIoLock__FAST_IO_DISPATCH:name;
+const unique T.FastIoUnlockSingle__FAST_IO_DISPATCH:name;
+const unique T.FastIoUnlockAll__FAST_IO_DISPATCH:name;
+const unique T.FastIoUnlockAllByKey__FAST_IO_DISPATCH:name;
+const unique T.FastIoDeviceControl__FAST_IO_DISPATCH:name;
+const unique T.AcquireFileForNtCreateSection__FAST_IO_DISPATCH:name;
+const unique T.ReleaseFileForNtCreateSection__FAST_IO_DISPATCH:name;
+const unique T.FastIoDetachDevice__FAST_IO_DISPATCH:name;
+const unique T.FastIoQueryNetworkOpenInfo__FAST_IO_DISPATCH:name;
+const unique T.AcquireForModWrite__FAST_IO_DISPATCH:name;
+const unique T.MdlRead__FAST_IO_DISPATCH:name;
+const unique T.MdlReadComplete__FAST_IO_DISPATCH:name;
+const unique T.PrepareMdlWrite__FAST_IO_DISPATCH:name;
+const unique T.MdlWriteComplete__FAST_IO_DISPATCH:name;
+const unique T.FastIoReadCompressed__FAST_IO_DISPATCH:name;
+const unique T.FastIoWriteCompressed__FAST_IO_DISPATCH:name;
+const unique T.MdlReadCompleteCompressed__FAST_IO_DISPATCH:name;
+const unique T.MdlWriteCompleteCompressed__FAST_IO_DISPATCH:name;
+const unique T.FastIoQueryOpen__FAST_IO_DISPATCH:name;
+const unique T.ReleaseForModWrite__FAST_IO_DISPATCH:name;
+const unique T.AcquireForCcFlush__FAST_IO_DISPATCH:name;
+const unique T.ReleaseForCcFlush__FAST_IO_DISPATCH:name;
+const unique T.Count__FAST_MUTEX:name;
+const unique T.Owner__FAST_MUTEX:name;
+const unique T.Contention__FAST_MUTEX:name;
+const unique T.Gate__FAST_MUTEX:name;
+const unique T.OldIrql__FAST_MUTEX:name;
+const unique T.CreationTime__FILE_BASIC_INFORMATION:name;
+const unique T.LastAccessTime__FILE_BASIC_INFORMATION:name;
+const unique T.LastWriteTime__FILE_BASIC_INFORMATION:name;
+const unique T.ChangeTime__FILE_BASIC_INFORMATION:name;
+const unique T.FileAttributes__FILE_BASIC_INFORMATION:name;
+const unique T.CreationTime__FILE_NETWORK_OPEN_INFORMATION:name;
+const unique T.LastAccessTime__FILE_NETWORK_OPEN_INFORMATION:name;
+const unique T.LastWriteTime__FILE_NETWORK_OPEN_INFORMATION:name;
+const unique T.ChangeTime__FILE_NETWORK_OPEN_INFORMATION:name;
+const unique T.AllocationSize__FILE_NETWORK_OPEN_INFORMATION:name;
+const unique T.EndOfFile__FILE_NETWORK_OPEN_INFORMATION:name;
+const unique T.FileAttributes__FILE_NETWORK_OPEN_INFORMATION:name;
+const unique T.Type__FILE_OBJECT:name;
+const unique T.Size__FILE_OBJECT:name;
+const unique T.DeviceObject__FILE_OBJECT:name;
+const unique T.Vpb__FILE_OBJECT:name;
+const unique T.FsContext__FILE_OBJECT:name;
+const unique T.FsContext2__FILE_OBJECT:name;
+const unique T.SectionObjectPointer__FILE_OBJECT:name;
+const unique T.PrivateCacheMap__FILE_OBJECT:name;
+const unique T.FinalStatus__FILE_OBJECT:name;
+const unique T.RelatedFileObject__FILE_OBJECT:name;
+const unique T.LockOperation__FILE_OBJECT:name;
+const unique T.DeletePending__FILE_OBJECT:name;
+const unique T.ReadAccess__FILE_OBJECT:name;
+const unique T.WriteAccess__FILE_OBJECT:name;
+const unique T.DeleteAccess__FILE_OBJECT:name;
+const unique T.SharedRead__FILE_OBJECT:name;
+const unique T.SharedWrite__FILE_OBJECT:name;
+const unique T.SharedDelete__FILE_OBJECT:name;
+const unique T.Flags__FILE_OBJECT:name;
+const unique T.FileName__FILE_OBJECT:name;
+const unique T.CurrentByteOffset__FILE_OBJECT:name;
+const unique T.Waiters__FILE_OBJECT:name;
+const unique T.Busy__FILE_OBJECT:name;
+const unique T.LastLock__FILE_OBJECT:name;
+const unique T.Lock__FILE_OBJECT:name;
+const unique T.Event__FILE_OBJECT:name;
+const unique T.CompletionContext__FILE_OBJECT:name;
+const unique T.IrpListLock__FILE_OBJECT:name;
+const unique T.IrpList__FILE_OBJECT:name;
+const unique T.FileObjectExtension__FILE_OBJECT:name;
+const unique T.AllocationSize__FILE_STANDARD_INFORMATION:name;
+const unique T.EndOfFile__FILE_STANDARD_INFORMATION:name;
+const unique T.NumberOfLinks__FILE_STANDARD_INFORMATION:name;
+const unique T.DeletePending__FILE_STANDARD_INFORMATION:name;
+const unique T.Directory__FILE_STANDARD_INFORMATION:name;
+const unique T.Debug__GLOBALS:name;
+const unique T.GrandMaster__GLOBALS:name;
+const unique T.AssocClassList__GLOBALS:name;
+const unique T.NumAssocClass__GLOBALS:name;
+const unique T.Opens__GLOBALS:name;
+const unique T.NumberLegacyPorts__GLOBALS:name;
+const unique T.Mutex__GLOBALS:name;
+const unique T.ConnectOneClassToOnePort__GLOBALS:name;
+const unique T.SendOutputToAllPorts__GLOBALS:name;
+const unique T.PortsServiced__GLOBALS:name;
+const unique T.InitExtension__GLOBALS:name;
+const unique T.RegistryPath__GLOBALS:name;
+const unique T.BaseClassName__GLOBALS:name;
+const unique T.BaseClassBuffer__GLOBALS:name;
+const unique T.LegacyDeviceList__GLOBALS:name;
+const unique T.Data1__GUID:name;
+const unique T.Data2__GUID:name;
+const unique T.Data3__GUID:name;
+const unique T.Data4__GUID:name;
+const unique T.PrivilegeCount__INITIAL_PRIVILEGE_SET:name;
+const unique T.Control__INITIAL_PRIVILEGE_SET:name;
+const unique T.Privilege__INITIAL_PRIVILEGE_SET:name;
+const unique T.Size__INTERFACE:name;
+const unique T.Version__INTERFACE:name;
+const unique T.Context__INTERFACE:name;
+const unique T.InterfaceReference__INTERFACE:name;
+const unique T.InterfaceDereference__INTERFACE:name;
+const unique T.Port__IO_COMPLETION_CONTEXT:name;
+const unique T.Key__IO_COMPLETION_CONTEXT:name;
+const unique T.Common__IO_REMOVE_LOCK:name;
+const unique T.Dbg__IO_REMOVE_LOCK:name;
+const unique T.Removed__IO_REMOVE_LOCK_COMMON_BLOCK:name;
+const unique T.Reserved__IO_REMOVE_LOCK_COMMON_BLOCK:name;
+const unique T.IoCount__IO_REMOVE_LOCK_COMMON_BLOCK:name;
+const unique T.RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCK:name;
+const unique T.Signature__IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T.HighWatermark__IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T.MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T.AllocateTag__IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T.LockList__IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T.Spin__IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T.LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T.Reserved1__IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T.Reserved2__IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T.Blocks__IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T.Option__IO_RESOURCE_DESCRIPTOR:name;
+const unique T.Type__IO_RESOURCE_DESCRIPTOR:name;
+const unique T.ShareDisposition__IO_RESOURCE_DESCRIPTOR:name;
+const unique T.Spare1__IO_RESOURCE_DESCRIPTOR:name;
+const unique T.Flags__IO_RESOURCE_DESCRIPTOR:name;
+const unique T.Spare2__IO_RESOURCE_DESCRIPTOR:name;
+const unique T.u__IO_RESOURCE_DESCRIPTOR:name;
+const unique T.Version__IO_RESOURCE_LIST:name;
+const unique T.Revision__IO_RESOURCE_LIST:name;
+const unique T.Count__IO_RESOURCE_LIST:name;
+const unique T.Descriptors__IO_RESOURCE_LIST:name;
+const unique T.ListSize__IO_RESOURCE_REQUIREMENTS_LIST:name;
+const unique T.InterfaceType__IO_RESOURCE_REQUIREMENTS_LIST:name;
+const unique T.BusNumber__IO_RESOURCE_REQUIREMENTS_LIST:name;
+const unique T.SlotNumber__IO_RESOURCE_REQUIREMENTS_LIST:name;
+const unique T.Reserved__IO_RESOURCE_REQUIREMENTS_LIST:name;
+const unique T.AlternativeLists__IO_RESOURCE_REQUIREMENTS_LIST:name;
+const unique T.List__IO_RESOURCE_REQUIREMENTS_LIST:name;
+const unique T.SecurityQos__IO_SECURITY_CONTEXT:name;
+const unique T.AccessState__IO_SECURITY_CONTEXT:name;
+const unique T.DesiredAccess__IO_SECURITY_CONTEXT:name;
+const unique T.FullCreateOptions__IO_SECURITY_CONTEXT:name;
+const unique T.MajorFunction__IO_STACK_LOCATION:name;
+const unique T.MinorFunction__IO_STACK_LOCATION:name;
+const unique T.Flags__IO_STACK_LOCATION:name;
+const unique T.Control__IO_STACK_LOCATION:name;
+const unique T.Parameters__IO_STACK_LOCATION:name;
+const unique T.DeviceObject__IO_STACK_LOCATION:name;
+const unique T.FileObject__IO_STACK_LOCATION:name;
+const unique T.CompletionRoutine__IO_STACK_LOCATION:name;
+const unique T.Context__IO_STACK_LOCATION:name;
+const unique T.__unnamed_4_d99b6e2b__IO_STATUS_BLOCK:name;
+const unique T.Information__IO_STATUS_BLOCK:name;
+const unique T.Type__IRP:name;
+const unique T.Size__IRP:name;
+const unique T.MdlAddress__IRP:name;
+const unique T.Flags__IRP:name;
+const unique T.AssociatedIrp__IRP:name;
+const unique T.ThreadListEntry__IRP:name;
+const unique T.IoStatus__IRP:name;
+const unique T.RequestorMode__IRP:name;
+const unique T.PendingReturned__IRP:name;
+const unique T.StackCount__IRP:name;
+const unique T.CurrentLocation__IRP:name;
+const unique T.Cancel__IRP:name;
+const unique T.CancelIrql__IRP:name;
+const unique T.ApcEnvironment__IRP:name;
+const unique T.AllocationFlags__IRP:name;
+const unique T.UserIosb__IRP:name;
+const unique T.UserEvent__IRP:name;
+const unique T.Overlay__IRP:name;
+const unique T.CancelRoutine__IRP:name;
+const unique T.UserBuffer__IRP:name;
+const unique T.Tail__IRP:name;
+const unique T.Type__KAPC:name;
+const unique T.SpareByte0__KAPC:name;
+const unique T.Size__KAPC:name;
+const unique T.SpareByte1__KAPC:name;
+const unique T.SpareLong0__KAPC:name;
+const unique T.Thread__KAPC:name;
+const unique T.ApcListEntry__KAPC:name;
+const unique T.KernelRoutine__KAPC:name;
+const unique T.RundownRoutine__KAPC:name;
+const unique T.NormalRoutine__KAPC:name;
+const unique T.NormalContext__KAPC:name;
+const unique T.SystemArgument1__KAPC:name;
+const unique T.SystemArgument2__KAPC:name;
+const unique T.ApcStateIndex__KAPC:name;
+const unique T.ApcMode__KAPC:name;
+const unique T.Inserted__KAPC:name;
+const unique T.Type__KDEVICE_QUEUE:name;
+const unique T.Size__KDEVICE_QUEUE:name;
+const unique T.DeviceListHead__KDEVICE_QUEUE:name;
+const unique T.Lock__KDEVICE_QUEUE:name;
+const unique T.Busy__KDEVICE_QUEUE:name;
+const unique T.DeviceListEntry__KDEVICE_QUEUE_ENTRY:name;
+const unique T.SortKey__KDEVICE_QUEUE_ENTRY:name;
+const unique T.Inserted__KDEVICE_QUEUE_ENTRY:name;
+const unique T.Type__KDPC:name;
+const unique T.Importance__KDPC:name;
+const unique T.Number__KDPC:name;
+const unique T.DpcListEntry__KDPC:name;
+const unique T.DeferredRoutine__KDPC:name;
+const unique T.DeferredContext__KDPC:name;
+const unique T.SystemArgument1__KDPC:name;
+const unique T.SystemArgument2__KDPC:name;
+const unique T.DpcData__KDPC:name;
+const unique T.Header__KEVENT:name;
+const unique T.KeyboardIdentifier__KEYBOARD_ATTRIBUTES:name;
+const unique T.KeyboardMode__KEYBOARD_ATTRIBUTES:name;
+const unique T.NumberOfFunctionKeys__KEYBOARD_ATTRIBUTES:name;
+const unique T.NumberOfIndicators__KEYBOARD_ATTRIBUTES:name;
+const unique T.NumberOfKeysTotal__KEYBOARD_ATTRIBUTES:name;
+const unique T.InputDataQueueLength__KEYBOARD_ATTRIBUTES:name;
+const unique T.KeyRepeatMinimum__KEYBOARD_ATTRIBUTES:name;
+const unique T.KeyRepeatMaximum__KEYBOARD_ATTRIBUTES:name;
+const unique T.Type__KEYBOARD_ID:name;
+const unique T.Subtype__KEYBOARD_ID:name;
+const unique T.UnitId__KEYBOARD_INDICATOR_PARAMETERS:name;
+const unique T.LedFlags__KEYBOARD_INDICATOR_PARAMETERS:name;
+const unique T.UnitId__KEYBOARD_INPUT_DATA:name;
+const unique T.MakeCode__KEYBOARD_INPUT_DATA:name;
+const unique T.Flags__KEYBOARD_INPUT_DATA:name;
+const unique T.Reserved__KEYBOARD_INPUT_DATA:name;
+const unique T.ExtraInformation__KEYBOARD_INPUT_DATA:name;
+const unique T.UnitId__KEYBOARD_TYPEMATIC_PARAMETERS:name;
+const unique T.Rate__KEYBOARD_TYPEMATIC_PARAMETERS:name;
+const unique T.Delay__KEYBOARD_TYPEMATIC_PARAMETERS:name;
+const unique T.Header__KSEMAPHORE:name;
+const unique T.Limit__KSEMAPHORE:name;
+const unique T.__unnamed_8_58ee4a31__LARGE_INTEGER:name;
+const unique T.u__LARGE_INTEGER:name;
+const unique T.QuadPart__LARGE_INTEGER:name;
+const unique T.Flink__LIST_ENTRY:name;
+const unique T.Blink__LIST_ENTRY:name;
+const unique T.LowPart__LUID:name;
+const unique T.HighPart__LUID:name;
+const unique T.Luid__LUID_AND_ATTRIBUTES:name;
+const unique T.Attributes__LUID_AND_ATTRIBUTES:name;
+const unique T.Next__MDL:name;
+const unique T.Size__MDL:name;
+const unique T.MdlFlags__MDL:name;
+const unique T.Process__MDL:name;
+const unique T.MappedSystemVa__MDL:name;
+const unique T.StartVa__MDL:name;
+const unique T.ByteCount__MDL:name;
+const unique T.ByteOffset__MDL:name;
+const unique T.OwnerThread__OWNER_ENTRY:name;
+const unique T.__unnamed_4_6f9ac8e1__OWNER_ENTRY:name;
+const unique T.File__PORT:name;
+const unique T.Port__PORT:name;
+const unique T.Enabled__PORT:name;
+const unique T.Reserved__PORT:name;
+const unique T.Free__PORT:name;
+const unique T.SequenceD1__POWER_SEQUENCE:name;
+const unique T.SequenceD2__POWER_SEQUENCE:name;
+const unique T.SequenceD3__POWER_SEQUENCE:name;
+const unique T.SystemState__POWER_STATE:name;
+const unique T.DeviceState__POWER_STATE:name;
+const unique T.PrivilegeCount__PRIVILEGE_SET:name;
+const unique T.Control__PRIVILEGE_SET:name;
+const unique T.Privilege__PRIVILEGE_SET:name;
+const unique T.DataSectionObject__SECTION_OBJECT_POINTERS:name;
+const unique T.SharedCacheMap__SECTION_OBJECT_POINTERS:name;
+const unique T.ImageSectionObject__SECTION_OBJECT_POINTERS:name;
+const unique T.Length__SECURITY_QUALITY_OF_SERVICE:name;
+const unique T.ImpersonationLevel__SECURITY_QUALITY_OF_SERVICE:name;
+const unique T.ContextTrackingMode__SECURITY_QUALITY_OF_SERVICE:name;
+const unique T.EffectiveOnly__SECURITY_QUALITY_OF_SERVICE:name;
+const unique T.ClientToken__SECURITY_SUBJECT_CONTEXT:name;
+const unique T.ImpersonationLevel__SECURITY_SUBJECT_CONTEXT:name;
+const unique T.PrimaryToken__SECURITY_SUBJECT_CONTEXT:name;
+const unique T.ProcessAuditId__SECURITY_SUBJECT_CONTEXT:name;
+const unique T.__unnamed_4_3a2fdc5e__SYSTEM_POWER_STATE_CONTEXT:name;
+const unique T.Length__UNICODE_STRING:name;
+const unique T.MaximumLength__UNICODE_STRING:name;
+const unique T.Buffer__UNICODE_STRING:name;
+const unique T.Type__VPB:name;
+const unique T.Size__VPB:name;
+const unique T.Flags__VPB:name;
+const unique T.VolumeLabelLength__VPB:name;
+const unique T.DeviceObject__VPB:name;
+const unique T.RealDevice__VPB:name;
+const unique T.SerialNumber__VPB:name;
+const unique T.ReferenceCount__VPB:name;
+const unique T.VolumeLabel__VPB:name;
+const unique T.WaitQueueEntry__WAIT_CONTEXT_BLOCK:name;
+const unique T.DeviceRoutine__WAIT_CONTEXT_BLOCK:name;
+const unique T.DeviceContext__WAIT_CONTEXT_BLOCK:name;
+const unique T.NumberOfMapRegisters__WAIT_CONTEXT_BLOCK:name;
+const unique T.DeviceObject__WAIT_CONTEXT_BLOCK:name;
+const unique T.CurrentIrp__WAIT_CONTEXT_BLOCK:name;
+const unique T.BufferChainingDpc__WAIT_CONTEXT_BLOCK:name;
+const unique T.GuidCount__WMILIB_CONTEXT:name;
+const unique T.GuidList__WMILIB_CONTEXT:name;
+const unique T.QueryWmiRegInfo__WMILIB_CONTEXT:name;
+const unique T.QueryWmiDataBlock__WMILIB_CONTEXT:name;
+const unique T.SetWmiDataBlock__WMILIB_CONTEXT:name;
+const unique T.SetWmiDataItem__WMILIB_CONTEXT:name;
+const unique T.ExecuteWmiMethod__WMILIB_CONTEXT:name;
+const unique T.WmiFunctionControl__WMILIB_CONTEXT:name;
+const unique T.Reserved___unnamed_12_0d6a30de:name;
+const unique T.MessageCount___unnamed_12_0d6a30de:name;
+const unique T.Vector___unnamed_12_0d6a30de:name;
+const unique T.Affinity___unnamed_12_0d6a30de:name;
+const unique T.Start___unnamed_12_17f5c211:name;
+const unique T.Length48___unnamed_12_17f5c211:name;
+const unique T.Start___unnamed_12_1fb42e39:name;
+const unique T.Length___unnamed_12_1fb42e39:name;
+const unique T.Reserved___unnamed_12_1fb42e39:name;
+const unique T.Start___unnamed_12_2a1563c6:name;
+const unique T.Length___unnamed_12_2a1563c6:name;
+const unique T.DataSize___unnamed_12_31347272:name;
+const unique T.Reserved1___unnamed_12_31347272:name;
+const unique T.Reserved2___unnamed_12_31347272:name;
+const unique T.Raw___unnamed_12_429aadc0:name;
+const unique T.Translated___unnamed_12_429aadc0:name;
+const unique T.Start___unnamed_12_4719de1a:name;
+const unique T.Length___unnamed_12_4719de1a:name;
+const unique T.Data___unnamed_12_4be56faa:name;
+const unique T.Data___unnamed_12_5ce25b92:name;
+const unique T.Generic___unnamed_12_7a698b72:name;
+const unique T.Port___unnamed_12_7a698b72:name;
+const unique T.Interrupt___unnamed_12_7a698b72:name;
+const unique T.MessageInterrupt___unnamed_12_7a698b72:name;
+const unique T.Memory___unnamed_12_7a698b72:name;
+const unique T.Dma___unnamed_12_7a698b72:name;
+const unique T.DevicePrivate___unnamed_12_7a698b72:name;
+const unique T.BusNumber___unnamed_12_7a698b72:name;
+const unique T.DeviceSpecificData___unnamed_12_7a698b72:name;
+const unique T.Memory40___unnamed_12_7a698b72:name;
+const unique T.Memory48___unnamed_12_7a698b72:name;
+const unique T.Memory64___unnamed_12_7a698b72:name;
+const unique T.Start___unnamed_12_87c0de8d:name;
+const unique T.Length64___unnamed_12_87c0de8d:name;
+const unique T.Start___unnamed_12_98bfc55a:name;
+const unique T.Length40___unnamed_12_98bfc55a:name;
+const unique T.Priority___unnamed_12_ab1bd9d7:name;
+const unique T.Reserved1___unnamed_12_ab1bd9d7:name;
+const unique T.Reserved2___unnamed_12_ab1bd9d7:name;
+const unique T.Level___unnamed_12_b0429be9:name;
+const unique T.Vector___unnamed_12_b0429be9:name;
+const unique T.Affinity___unnamed_12_b0429be9:name;
+const unique T.ListEntry___unnamed_12_b43e8de8:name;
+const unique T.__unnamed_4_f19b65c1___unnamed_12_b43e8de8:name;
+const unique T.Level___unnamed_12_bfdb39ee:name;
+const unique T.Vector___unnamed_12_bfdb39ee:name;
+const unique T.Affinity___unnamed_12_bfdb39ee:name;
+const unique T.Start___unnamed_12_cd42b3c3:name;
+const unique T.Length___unnamed_12_cd42b3c3:name;
+const unique T.__unnamed_12_429aadc0___unnamed_12_e668effc:name;
+const unique T.Channel___unnamed_12_e80d029e:name;
+const unique T.Port___unnamed_12_e80d029e:name;
+const unique T.Reserved1___unnamed_12_e80d029e:name;
+const unique T.Length___unnamed_16_07c0bcc5:name;
+const unique T.MinBusNumber___unnamed_16_07c0bcc5:name;
+const unique T.MaxBusNumber___unnamed_16_07c0bcc5:name;
+const unique T.Reserved___unnamed_16_07c0bcc5:name;
+const unique T.InterfaceType___unnamed_16_29cb9f2f:name;
+const unique T.Size___unnamed_16_29cb9f2f:name;
+const unique T.Version___unnamed_16_29cb9f2f:name;
+const unique T.Interface___unnamed_16_29cb9f2f:name;
+const unique T.InterfaceSpecificData___unnamed_16_29cb9f2f:name;
+const unique T.SecurityContext___unnamed_16_30f11dbf:name;
+const unique T.Options___unnamed_16_30f11dbf:name;
+const unique T.FileAttributes___unnamed_16_30f11dbf:name;
+const unique T.ShareAccess___unnamed_16_30f11dbf:name;
+const unique T.EaLength___unnamed_16_30f11dbf:name;
+const unique T.DriverContext___unnamed_16_35034f68:name;
+const unique T.Length___unnamed_16_487a9498:name;
+const unique T.FileName___unnamed_16_487a9498:name;
+const unique T.FileInformationClass___unnamed_16_487a9498:name;
+const unique T.FileIndex___unnamed_16_487a9498:name;
+const unique T.OutputBufferLength___unnamed_16_5f6a8844:name;
+const unique T.InputBufferLength___unnamed_16_5f6a8844:name;
+const unique T.FsControlCode___unnamed_16_5f6a8844:name;
+const unique T.Type3InputBuffer___unnamed_16_5f6a8844:name;
+const unique T.Length___unnamed_16_7177b9f3:name;
+const unique T.FileInformationClass___unnamed_16_7177b9f3:name;
+const unique T.FileObject___unnamed_16_7177b9f3:name;
+const unique T.__unnamed_4_43913aa5___unnamed_16_7177b9f3:name;
+const unique T.Length___unnamed_16_88e91ef6:name;
+const unique T.Key___unnamed_16_88e91ef6:name;
+const unique T.ByteOffset___unnamed_16_88e91ef6:name;
+const unique T.Length___unnamed_16_8c506c98:name;
+const unique T.Key___unnamed_16_8c506c98:name;
+const unique T.ByteOffset___unnamed_16_8c506c98:name;
+const unique T.WhichSpace___unnamed_16_9ac2e5f8:name;
+const unique T.Buffer___unnamed_16_9ac2e5f8:name;
+const unique T.Offset___unnamed_16_9ac2e5f8:name;
+const unique T.Length___unnamed_16_9ac2e5f8:name;
+const unique T.Create___unnamed_16_b93842ad:name;
+const unique T.Read___unnamed_16_b93842ad:name;
+const unique T.Write___unnamed_16_b93842ad:name;
+const unique T.QueryDirectory___unnamed_16_b93842ad:name;
+const unique T.NotifyDirectory___unnamed_16_b93842ad:name;
+const unique T.QueryFile___unnamed_16_b93842ad:name;
+const unique T.SetFile___unnamed_16_b93842ad:name;
+const unique T.QueryEa___unnamed_16_b93842ad:name;
+const unique T.SetEa___unnamed_16_b93842ad:name;
+const unique T.QueryVolume___unnamed_16_b93842ad:name;
+const unique T.SetVolume___unnamed_16_b93842ad:name;
+const unique T.FileSystemControl___unnamed_16_b93842ad:name;
+const unique T.LockControl___unnamed_16_b93842ad:name;
+const unique T.DeviceIoControl___unnamed_16_b93842ad:name;
+const unique T.QuerySecurity___unnamed_16_b93842ad:name;
+const unique T.SetSecurity___unnamed_16_b93842ad:name;
+const unique T.MountVolume___unnamed_16_b93842ad:name;
+const unique T.VerifyVolume___unnamed_16_b93842ad:name;
+const unique T.Scsi___unnamed_16_b93842ad:name;
+const unique T.QueryQuota___unnamed_16_b93842ad:name;
+const unique T.SetQuota___unnamed_16_b93842ad:name;
+const unique T.QueryDeviceRelations___unnamed_16_b93842ad:name;
+const unique T.QueryInterface___unnamed_16_b93842ad:name;
+const unique T.DeviceCapabilities___unnamed_16_b93842ad:name;
+const unique T.FilterResourceRequirements___unnamed_16_b93842ad:name;
+const unique T.ReadWriteConfig___unnamed_16_b93842ad:name;
+const unique T.SetLock___unnamed_16_b93842ad:name;
+const unique T.QueryId___unnamed_16_b93842ad:name;
+const unique T.QueryDeviceText___unnamed_16_b93842ad:name;
+const unique T.UsageNotification___unnamed_16_b93842ad:name;
+const unique T.WaitWake___unnamed_16_b93842ad:name;
+const unique T.PowerSequence___unnamed_16_b93842ad:name;
+const unique T.Power___unnamed_16_b93842ad:name;
+const unique T.StartDevice___unnamed_16_b93842ad:name;
+const unique T.WMI___unnamed_16_b93842ad:name;
+const unique T.Others___unnamed_16_b93842ad:name;
+const unique T.Length___unnamed_16_b9c62eab:name;
+const unique T.Key___unnamed_16_b9c62eab:name;
+const unique T.ByteOffset___unnamed_16_b9c62eab:name;
+const unique T.__unnamed_4_7d9d0c7e___unnamed_16_bb584060:name;
+const unique T.Type___unnamed_16_bb584060:name;
+const unique T.State___unnamed_16_bb584060:name;
+const unique T.ShutdownType___unnamed_16_bb584060:name;
+const unique T.OutputBufferLength___unnamed_16_dba55c7c:name;
+const unique T.InputBufferLength___unnamed_16_dba55c7c:name;
+const unique T.IoControlCode___unnamed_16_dba55c7c:name;
+const unique T.Type3InputBuffer___unnamed_16_dba55c7c:name;
+const unique T.DeviceQueueEntry___unnamed_16_e70c268b:name;
+const unique T.__unnamed_16_35034f68___unnamed_16_e70c268b:name;
+const unique T.Argument1___unnamed_16_e734d694:name;
+const unique T.Argument2___unnamed_16_e734d694:name;
+const unique T.Argument3___unnamed_16_e734d694:name;
+const unique T.Argument4___unnamed_16_e734d694:name;
+const unique T.ProviderId___unnamed_16_eac6dbea:name;
+const unique T.DataPath___unnamed_16_eac6dbea:name;
+const unique T.BufferSize___unnamed_16_eac6dbea:name;
+const unique T.Buffer___unnamed_16_eac6dbea:name;
+const unique T.Length___unnamed_16_f6cae4c2:name;
+const unique T.EaList___unnamed_16_f6cae4c2:name;
+const unique T.EaListLength___unnamed_16_f6cae4c2:name;
+const unique T.EaIndex___unnamed_16_f6cae4c2:name;
+const unique T.Length___unnamed_16_fe36e4f4:name;
+const unique T.StartSid___unnamed_16_fe36e4f4:name;
+const unique T.SidList___unnamed_16_fe36e4f4:name;
+const unique T.SidListLength___unnamed_16_fe36e4f4:name;
+const unique T.Abandoned___unnamed_1_29794256:name;
+const unique T.Absolute___unnamed_1_29794256:name;
+const unique T.NpxIrql___unnamed_1_29794256:name;
+const unique T.Signalling___unnamed_1_29794256:name;
+const unique T.Inserted___unnamed_1_2dc63b48:name;
+const unique T.DebugActive___unnamed_1_2dc63b48:name;
+const unique T.DpcActive___unnamed_1_2dc63b48:name;
+const unique T.Size___unnamed_1_2ef8da39:name;
+const unique T.Hand___unnamed_1_2ef8da39:name;
+const unique T.Lock___unnamed_1_faa7dc71:name;
+const unique T.MinimumVector___unnamed_20_f4d2e6d8:name;
+const unique T.MaximumVector___unnamed_20_f4d2e6d8:name;
+const unique T.AffinityPolicy___unnamed_20_f4d2e6d8:name;
+const unique T.PriorityPolicy___unnamed_20_f4d2e6d8:name;
+const unique T.TargetedProcessors___unnamed_20_f4d2e6d8:name;
+const unique T.Length___unnamed_24_41cbc8c0:name;
+const unique T.Alignment___unnamed_24_41cbc8c0:name;
+const unique T.MinimumAddress___unnamed_24_41cbc8c0:name;
+const unique T.MaximumAddress___unnamed_24_41cbc8c0:name;
+const unique T.Length48___unnamed_24_5419c914:name;
+const unique T.Alignment48___unnamed_24_5419c914:name;
+const unique T.MinimumAddress___unnamed_24_5419c914:name;
+const unique T.MaximumAddress___unnamed_24_5419c914:name;
+const unique T.Length___unnamed_24_67a5ff10:name;
+const unique T.Alignment___unnamed_24_67a5ff10:name;
+const unique T.MinimumAddress___unnamed_24_67a5ff10:name;
+const unique T.MaximumAddress___unnamed_24_67a5ff10:name;
+const unique T.Port___unnamed_24_72c3976e:name;
+const unique T.Memory___unnamed_24_72c3976e:name;
+const unique T.Interrupt___unnamed_24_72c3976e:name;
+const unique T.Dma___unnamed_24_72c3976e:name;
+const unique T.Generic___unnamed_24_72c3976e:name;
+const unique T.DevicePrivate___unnamed_24_72c3976e:name;
+const unique T.BusNumber___unnamed_24_72c3976e:name;
+const unique T.ConfigData___unnamed_24_72c3976e:name;
+const unique T.Memory40___unnamed_24_72c3976e:name;
+const unique T.Memory48___unnamed_24_72c3976e:name;
+const unique T.Memory64___unnamed_24_72c3976e:name;
+const unique T.Length64___unnamed_24_a26050bb:name;
+const unique T.Alignment64___unnamed_24_a26050bb:name;
+const unique T.MinimumAddress___unnamed_24_a26050bb:name;
+const unique T.MaximumAddress___unnamed_24_a26050bb:name;
+const unique T.Length___unnamed_24_b8f476db:name;
+const unique T.Alignment___unnamed_24_b8f476db:name;
+const unique T.MinimumAddress___unnamed_24_b8f476db:name;
+const unique T.MaximumAddress___unnamed_24_b8f476db:name;
+const unique T.Length40___unnamed_24_d09044b4:name;
+const unique T.Alignment40___unnamed_24_d09044b4:name;
+const unique T.MinimumAddress___unnamed_24_d09044b4:name;
+const unique T.MaximumAddress___unnamed_24_d09044b4:name;
+const unique T.ReplaceIfExists___unnamed_2_46cc4597:name;
+const unique T.AdvanceOnly___unnamed_2_46cc4597:name;
+const unique T.__unnamed_16_e70c268b___unnamed_40_7218f704:name;
+const unique T.Thread___unnamed_40_7218f704:name;
+const unique T.AuxiliaryBuffer___unnamed_40_7218f704:name;
+const unique T.__unnamed_12_b43e8de8___unnamed_40_7218f704:name;
+const unique T.OriginalFileObject___unnamed_40_7218f704:name;
+const unique T.ListEntry___unnamed_40_c55c9377:name;
+const unique T.Wcb___unnamed_40_c55c9377:name;
+const unique T.InitialPrivilegeSet___unnamed_44_5584090d:name;
+const unique T.PrivilegeSet___unnamed_44_5584090d:name;
+const unique T.Overlay___unnamed_48_cf99b13f:name;
+const unique T.Apc___unnamed_48_cf99b13f:name;
+const unique T.CompletionKey___unnamed_48_cf99b13f:name;
+const unique T.PowerState___unnamed_4_069846fb:name;
+const unique T.IdType___unnamed_4_224c32f4:name;
+const unique T.Capabilities___unnamed_4_2de698da:name;
+const unique T.__unnamed_4_c3479730___unnamed_4_3a2fdc5e:name;
+const unique T.ContextAsUlong___unnamed_4_3a2fdc5e:name;
+const unique T.Length___unnamed_4_3a4c1a13:name;
+const unique T.__unnamed_2_46cc4597___unnamed_4_43913aa5:name;
+const unique T.ClusterCount___unnamed_4_43913aa5:name;
+const unique T.DeleteHandle___unnamed_4_43913aa5:name;
+const unique T.UserApcRoutine___unnamed_4_4e8dd2ba:name;
+const unique T.IssuingProcess___unnamed_4_4e8dd2ba:name;
+const unique T.Srb___unnamed_4_52603077:name;
+const unique T.Address___unnamed_4_52c594f7:name;
+const unique T.CreatorBackTraceIndex___unnamed_4_52c594f7:name;
+const unique T.Type___unnamed_4_5ca00198:name;
+const unique T.__unnamed_1_29794256___unnamed_4_5ca00198:name;
+const unique T.__unnamed_1_2ef8da39___unnamed_4_5ca00198:name;
+const unique T.__unnamed_1_2dc63b48___unnamed_4_5ca00198:name;
+const unique T.MasterIrp___unnamed_4_6ac6463c:name;
+const unique T.IrpCount___unnamed_4_6ac6463c:name;
+const unique T.SystemBuffer___unnamed_4_6ac6463c:name;
+const unique T.OwnerCount___unnamed_4_6f9ac8e1:name;
+const unique T.TableSize___unnamed_4_6f9ac8e1:name;
+const unique T.PowerSequence___unnamed_4_7a02167b:name;
+const unique T.SystemContext___unnamed_4_7d9d0c7e:name;
+const unique T.SystemPowerStateContext___unnamed_4_7d9d0c7e:name;
+const unique T.IoResourceRequirementList___unnamed_4_82f7a864:name;
+const unique T.Length___unnamed_4_9aec220b:name;
+const unique T.__unnamed_4_5ca00198___unnamed_4_a97c65a1:name;
+const unique T.Lock___unnamed_4_a97c65a1:name;
+const unique T.Reserved1___unnamed_4_c3479730:name;
+const unique T.TargetSystemState___unnamed_4_c3479730:name;
+const unique T.EffectiveSystemState___unnamed_4_c3479730:name;
+const unique T.CurrentSystemState___unnamed_4_c3479730:name;
+const unique T.IgnoreHibernationPath___unnamed_4_c3479730:name;
+const unique T.PseudoTransition___unnamed_4_c3479730:name;
+const unique T.Reserved2___unnamed_4_c3479730:name;
+const unique T.Status___unnamed_4_d99b6e2b:name;
+const unique T.Pointer___unnamed_4_d99b6e2b:name;
+const unique T.CurrentStackLocation___unnamed_4_f19b65c1:name;
+const unique T.PacketType___unnamed_4_f19b65c1:name;
+const unique T.Type___unnamed_4_fa10fc16:name;
+const unique T.SecurityInformation___unnamed_8_01efa60d:name;
+const unique T.Length___unnamed_8_01efa60d:name;
+const unique T.MinimumChannel___unnamed_8_08d4cef8:name;
+const unique T.MaximumChannel___unnamed_8_08d4cef8:name;
+const unique T.__unnamed_4_4e8dd2ba___unnamed_8_0a898c0c:name;
+const unique T.UserApcContext___unnamed_8_0a898c0c:name;
+const unique T.SecurityInformation___unnamed_8_1330f93a:name;
+const unique T.SecurityDescriptor___unnamed_8_1330f93a:name;
+const unique T.AsynchronousParameters___unnamed_8_181d0de9:name;
+const unique T.AllocationSize___unnamed_8_181d0de9:name;
+const unique T.Vpb___unnamed_8_4812764d:name;
+const unique T.DeviceObject___unnamed_8_4812764d:name;
+const unique T.Length___unnamed_8_559a91e6:name;
+const unique T.FsInformationClass___unnamed_8_559a91e6:name;
+const unique T.Length___unnamed_8_5845b309:name;
+const unique T.FileInformationClass___unnamed_8_5845b309:name;
+const unique T.LowPart___unnamed_8_58ee4a31:name;
+const unique T.HighPart___unnamed_8_58ee4a31:name;
+const unique T.AllocatedResources___unnamed_8_61acf4ce:name;
+const unique T.AllocatedResourcesTranslated___unnamed_8_61acf4ce:name;
+const unique T.DeviceTextType___unnamed_8_6acfee04:name;
+const unique T.LocaleId___unnamed_8_6acfee04:name;
+const unique T.Length___unnamed_8_7f26a9dd:name;
+const unique T.CompletionFilter___unnamed_8_7f26a9dd:name;
+const unique T.Vpb___unnamed_8_87add0bd:name;
+const unique T.DeviceObject___unnamed_8_87add0bd:name;
+const unique T.InPath___unnamed_8_b2773e4c:name;
+const unique T.Reserved___unnamed_8_b2773e4c:name;
+const unique T.Type___unnamed_8_b2773e4c:name;
+const unique T.Length___unnamed_8_de890d4e:name;
+const unique T.FsInformationClass___unnamed_8_de890d4e:name;
+const unique T.LowPart___unnamed_8_ef9ba0d3:name;
+const unique T.HighPart___unnamed_8_ef9ba0d3:name;
+
+// Type declarations
+
+const unique T.A1_CM_FULL_RESOURCE_DESCRIPTOR:name;
+const unique T.A1_CM_PARTIAL_RESOURCE_DESCRIPTOR:name;
+const unique T.A1_IO_RESOURCE_DESCRIPTOR:name;
+const unique T.A1_IO_RESOURCE_LIST:name;
+const unique T.A1_LUID_AND_ATTRIBUTES:name;
+const unique T.A256UINT2:name;
+const unique T.A28PFDRIVER_DISPATCH:name;
+const unique T.A2UCHAR:name;
+const unique T.A2UINT2:name;
+const unique T.A32UINT2:name;
+const unique T.A3UCHAR:name;
+const unique T.A3UINT4:name;
+const unique T.A3_LUID_AND_ATTRIBUTES:name;
+const unique T.A4PVOID:name;
+const unique T.A4UINT4:name;
+const unique T.A5UINT2:name;
+const unique T.A5_DEVICE_POWER_STATE:name;
+const unique T.A7_DEVICE_POWER_STATE:name;
+const unique T.A88CHAR:name;
+const unique T.A8UCHAR:name;
+const unique T.A9UINT2:name;
+const unique T.BUS_QUERY_ID_TYPE:name;
+const unique T.CHAR:name;
+const unique T.DEVICE_TEXT_TYPE:name;
+const unique T.F0:name;
+const unique T.F1:name;
+const unique T.F10:name;
+const unique T.F11:name;
+const unique T.F12:name;
+const unique T.F13:name;
+const unique T.F14:name;
+const unique T.F15:name;
+const unique T.F16:name;
+const unique T.F17:name;
+const unique T.F18:name;
+const unique T.F19:name;
+const unique T.F2:name;
+const unique T.F20:name;
+const unique T.F21:name;
+const unique T.F22:name;
+const unique T.F23:name;
+const unique T.F24:name;
+const unique T.F25:name;
+const unique T.F26:name;
+const unique T.F27:name;
+const unique T.F28:name;
+const unique T.F29:name;
+const unique T.F3:name;
+const unique T.F30:name;
+const unique T.F31:name;
+const unique T.F32:name;
+const unique T.F33:name;
+const unique T.F34:name;
+const unique T.F35:name;
+const unique T.F36:name;
+const unique T.F37:name;
+const unique T.F38:name;
+const unique T.F4:name;
+const unique T.F5:name;
+const unique T.F6:name;
+const unique T.F7:name;
+const unique T.F8:name;
+const unique T.F9:name;
+const unique T.FDRIVER_ADD_DEVICE:name;
+const unique T.FDRIVER_CANCEL:name;
+const unique T.FDRIVER_CONTROL:name;
+const unique T.FDRIVER_DISPATCH:name;
+const unique T.FDRIVER_INITIALIZE:name;
+const unique T.FDRIVER_STARTIO:name;
+const unique T.FDRIVER_UNLOAD:name;
+const unique T.FFAST_IO_ACQUIRE_FILE:name;
+const unique T.FFAST_IO_ACQUIRE_FOR_CCFLUSH:name;
+const unique T.FFAST_IO_ACQUIRE_FOR_MOD_WRITE:name;
+const unique T.FFAST_IO_CHECK_IF_POSSIBLE:name;
+const unique T.FFAST_IO_DETACH_DEVICE:name;
+const unique T.FFAST_IO_DEVICE_CONTROL:name;
+const unique T.FFAST_IO_LOCK:name;
+const unique T.FFAST_IO_MDL_READ:name;
+const unique T.FFAST_IO_MDL_READ_COMPLETE:name;
+const unique T.FFAST_IO_MDL_READ_COMPLETE_COMPRESSED:name;
+const unique T.FFAST_IO_MDL_WRITE_COMPLETE:name;
+const unique T.FFAST_IO_MDL_WRITE_COMPLETE_COMPRESSED:name;
+const unique T.FFAST_IO_PREPARE_MDL_WRITE:name;
+const unique T.FFAST_IO_QUERY_BASIC_INFO:name;
+const unique T.FFAST_IO_QUERY_NETWORK_OPEN_INFO:name;
+const unique T.FFAST_IO_QUERY_OPEN:name;
+const unique T.FFAST_IO_QUERY_STANDARD_INFO:name;
+const unique T.FFAST_IO_READ:name;
+const unique T.FFAST_IO_READ_COMPRESSED:name;
+const unique T.FFAST_IO_RELEASE_FILE:name;
+const unique T.FFAST_IO_RELEASE_FOR_CCFLUSH:name;
+const unique T.FFAST_IO_RELEASE_FOR_MOD_WRITE:name;
+const unique T.FFAST_IO_UNLOCK_ALL:name;
+const unique T.FFAST_IO_UNLOCK_ALL_BY_KEY:name;
+const unique T.FFAST_IO_UNLOCK_SINGLE:name;
+const unique T.FFAST_IO_WRITE:name;
+const unique T.FFAST_IO_WRITE_COMPRESSED:name;
+const unique T.FIO_COMPLETION_ROUTINE:name;
+const unique T.FKDEFERRED_ROUTINE:name;
+const unique T.INT2:name;
+const unique T.INT4:name;
+const unique T.INT8:name;
+const unique T.PA256UINT2:name;
+const unique T.PA2UINT2:name;
+const unique T.PA4UINT4:name;
+const unique T.PA5UINT2:name;
+const unique T.PA88CHAR:name;
+const unique T.PA9UINT2:name;
+const unique T.PCHAR:name;
+const unique T.PF19:name;
+const unique T.PF21:name;
+const unique T.PF23:name;
+const unique T.PF24:name;
+const unique T.PF25:name;
+const unique T.PF33:name;
+const unique T.PF34:name;
+const unique T.PF35:name;
+const unique T.PF36:name;
+const unique T.PF37:name;
+const unique T.PF38:name;
+const unique T.PFDRIVER_ADD_DEVICE:name;
+const unique T.PFDRIVER_CANCEL:name;
+const unique T.PFDRIVER_CONTROL:name;
+const unique T.PFDRIVER_DISPATCH:name;
+const unique T.PFDRIVER_INITIALIZE:name;
+const unique T.PFDRIVER_STARTIO:name;
+const unique T.PFDRIVER_UNLOAD:name;
+const unique T.PFFAST_IO_ACQUIRE_FILE:name;
+const unique T.PFFAST_IO_ACQUIRE_FOR_CCFLUSH:name;
+const unique T.PFFAST_IO_ACQUIRE_FOR_MOD_WRITE:name;
+const unique T.PFFAST_IO_CHECK_IF_POSSIBLE:name;
+const unique T.PFFAST_IO_DETACH_DEVICE:name;
+const unique T.PFFAST_IO_DEVICE_CONTROL:name;
+const unique T.PFFAST_IO_LOCK:name;
+const unique T.PFFAST_IO_MDL_READ:name;
+const unique T.PFFAST_IO_MDL_READ_COMPLETE:name;
+const unique T.PFFAST_IO_MDL_READ_COMPLETE_COMPRESSED:name;
+const unique T.PFFAST_IO_MDL_WRITE_COMPLETE:name;
+const unique T.PFFAST_IO_MDL_WRITE_COMPLETE_COMPRESSED:name;
+const unique T.PFFAST_IO_PREPARE_MDL_WRITE:name;
+const unique T.PFFAST_IO_QUERY_BASIC_INFO:name;
+const unique T.PFFAST_IO_QUERY_NETWORK_OPEN_INFO:name;
+const unique T.PFFAST_IO_QUERY_OPEN:name;
+const unique T.PFFAST_IO_QUERY_STANDARD_INFO:name;
+const unique T.PFFAST_IO_READ:name;
+const unique T.PFFAST_IO_READ_COMPRESSED:name;
+const unique T.PFFAST_IO_RELEASE_FILE:name;
+const unique T.PFFAST_IO_RELEASE_FOR_CCFLUSH:name;
+const unique T.PFFAST_IO_RELEASE_FOR_MOD_WRITE:name;
+const unique T.PFFAST_IO_UNLOCK_ALL:name;
+const unique T.PFFAST_IO_UNLOCK_ALL_BY_KEY:name;
+const unique T.PFFAST_IO_UNLOCK_SINGLE:name;
+const unique T.PFFAST_IO_WRITE:name;
+const unique T.PFFAST_IO_WRITE_COMPRESSED:name;
+const unique T.PFIO_COMPLETION_ROUTINE:name;
+const unique T.PFKDEFERRED_ROUTINE:name;
+const unique T.PINT4:name;
+const unique T.POWER_ACTION:name;
+const unique T.PPCHAR:name;
+const unique T.PPF24:name;
+const unique T.PPPUINT2:name;
+const unique T.PPP_DEVICE_OBJECT:name;
+const unique T.PPP_FILE_OBJECT:name;
+const unique T.PPUINT2:name;
+const unique T.PPUINT4:name;
+const unique T.PPVOID:name;
+const unique T.PP_DEVICE_EXTENSION:name;
+const unique T.PP_DEVICE_OBJECT:name;
+const unique T.PP_DRIVER_OBJECT:name;
+const unique T.PP_ERESOURCE:name;
+const unique T.PP_FAST_MUTEX:name;
+const unique T.PP_FILE_OBJECT:name;
+const unique T.PP_LIST_ENTRY:name;
+const unique T.PP_MDL:name;
+const unique T.PP_PORT:name;
+const unique T.PP_UNICODE_STRING:name;
+const unique T.PUCHAR:name;
+const unique T.PUINT2:name;
+const unique T.PUINT4:name;
+const unique T.PVOID:name;
+const unique T.PWMIGUIDREGINFO:name;
+const unique T.P_ACCESS_STATE:name;
+const unique T.P_CM_RESOURCE_LIST:name;
+const unique T.P_COMPRESSED_DATA_INFO:name;
+const unique T.P_DEVICE_CAPABILITIES:name;
+const unique T.P_DEVICE_EXTENSION:name;
+const unique T.P_DEVICE_OBJECT:name;
+const unique T.P_DEVOBJ_EXTENSION:name;
+const unique T.P_DRIVER_EXTENSION:name;
+const unique T.P_DRIVER_OBJECT:name;
+const unique T.P_EPROCESS:name;
+const unique T.P_ERESOURCE:name;
+const unique T.P_ETHREAD:name;
+const unique T.P_FAST_IO_DISPATCH:name;
+const unique T.P_FAST_MUTEX:name;
+const unique T.P_FILE_BASIC_INFORMATION:name;
+const unique T.P_FILE_GET_QUOTA_INFORMATION:name;
+const unique T.P_FILE_NETWORK_OPEN_INFORMATION:name;
+const unique T.P_FILE_OBJECT:name;
+const unique T.P_FILE_STANDARD_INFORMATION:name;
+const unique T.P_GLOBALS:name;
+const unique T.P_GUID:name;
+const unique T.P_INTERFACE:name;
+const unique T.P_IO_COMPLETION_CONTEXT:name;
+const unique T.P_IO_REMOVE_LOCK_TRACKING_BLOCK:name;
+const unique T.P_IO_RESOURCE_REQUIREMENTS_LIST:name;
+const unique T.P_IO_SECURITY_CONTEXT:name;
+const unique T.P_IO_STACK_LOCATION:name;
+const unique T.P_IO_STATUS_BLOCK:name;
+const unique T.P_IO_TIMER:name;
+const unique T.P_IRP:name;
+const unique T.P_KAPC:name;
+const unique T.P_KDPC:name;
+const unique T.P_KEVENT:name;
+const unique T.P_KEYBOARD_INPUT_DATA:name;
+const unique T.P_KSEMAPHORE:name;
+const unique T.P_KTHREAD:name;
+const unique T.P_LARGE_INTEGER:name;
+const unique T.P_LIST_ENTRY:name;
+const unique T.P_MDL:name;
+const unique T.P_OWNER_ENTRY:name;
+const unique T.P_POOL_TYPE:name;
+const unique T.P_PORT:name;
+const unique T.P_POWER_SEQUENCE:name;
+const unique T.P_SCSI_REQUEST_BLOCK:name;
+const unique T.P_SECTION_OBJECT_POINTERS:name;
+const unique T.P_SECURITY_QUALITY_OF_SERVICE:name;
+const unique T.P_UNICODE_STRING:name;
+const unique T.P_VPB:name;
+const unique T.UCHAR:name;
+const unique T.UINT2:name;
+const unique T.UINT4:name;
+const unique T.VOID:name;
+const unique T.WMIENABLEDISABLECONTROL:name;
+const unique T.WMIGUIDREGINFO:name;
+const unique T._ACCESS_STATE:name;
+const unique T._CM_FULL_RESOURCE_DESCRIPTOR:name;
+const unique T._CM_PARTIAL_RESOURCE_DESCRIPTOR:name;
+const unique T._CM_PARTIAL_RESOURCE_LIST:name;
+const unique T._CM_RESOURCE_LIST:name;
+const unique T._COMPRESSED_DATA_INFO:name;
+const unique T._DEVICE_CAPABILITIES:name;
+const unique T._DEVICE_EXTENSION:name;
+const unique T._DEVICE_OBJECT:name;
+const unique T._DEVICE_POWER_STATE:name;
+const unique T._DEVICE_RELATION_TYPE:name;
+const unique T._DEVICE_USAGE_NOTIFICATION_TYPE:name;
+const unique T._DEVOBJ_EXTENSION:name;
+const unique T._DISPATCHER_HEADER:name;
+const unique T._DRIVER_EXTENSION:name;
+const unique T._DRIVER_OBJECT:name;
+const unique T._EPROCESS:name;
+const unique T._ERESOURCE:name;
+const unique T._ETHREAD:name;
+const unique T._FAST_IO_DISPATCH:name;
+const unique T._FAST_MUTEX:name;
+const unique T._FILE_BASIC_INFORMATION:name;
+const unique T._FILE_GET_QUOTA_INFORMATION:name;
+const unique T._FILE_INFORMATION_CLASS:name;
+const unique T._FILE_NETWORK_OPEN_INFORMATION:name;
+const unique T._FILE_OBJECT:name;
+const unique T._FILE_STANDARD_INFORMATION:name;
+const unique T._FSINFOCLASS:name;
+const unique T._GLOBALS:name;
+const unique T._GUID:name;
+const unique T._INITIAL_PRIVILEGE_SET:name;
+const unique T._INTERFACE:name;
+const unique T._INTERFACE_TYPE:name;
+const unique T._IO_ALLOCATION_ACTION:name;
+const unique T._IO_COMPLETION_CONTEXT:name;
+const unique T._IO_REMOVE_LOCK:name;
+const unique T._IO_REMOVE_LOCK_COMMON_BLOCK:name;
+const unique T._IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T._IO_REMOVE_LOCK_TRACKING_BLOCK:name;
+const unique T._IO_RESOURCE_DESCRIPTOR:name;
+const unique T._IO_RESOURCE_LIST:name;
+const unique T._IO_RESOURCE_REQUIREMENTS_LIST:name;
+const unique T._IO_SECURITY_CONTEXT:name;
+const unique T._IO_STACK_LOCATION:name;
+const unique T._IO_STATUS_BLOCK:name;
+const unique T._IO_TIMER:name;
+const unique T._IRP:name;
+const unique T._IRQ_DEVICE_POLICY:name;
+const unique T._IRQ_PRIORITY:name;
+const unique T._KAPC:name;
+const unique T._KDEVICE_QUEUE:name;
+const unique T._KDEVICE_QUEUE_ENTRY:name;
+const unique T._KDPC:name;
+const unique T._KEVENT:name;
+const unique T._KEYBOARD_ATTRIBUTES:name;
+const unique T._KEYBOARD_ID:name;
+const unique T._KEYBOARD_INDICATOR_PARAMETERS:name;
+const unique T._KEYBOARD_INPUT_DATA:name;
+const unique T._KEYBOARD_TYPEMATIC_PARAMETERS:name;
+const unique T._KSEMAPHORE:name;
+const unique T._KTHREAD:name;
+const unique T._LARGE_INTEGER:name;
+const unique T._LIST_ENTRY:name;
+const unique T._LUID:name;
+const unique T._LUID_AND_ATTRIBUTES:name;
+const unique T._MDL:name;
+const unique T._OWNER_ENTRY:name;
+const unique T._POOL_TYPE:name;
+const unique T._PORT:name;
+const unique T._POWER_SEQUENCE:name;
+const unique T._POWER_STATE:name;
+const unique T._POWER_STATE_TYPE:name;
+const unique T._PRIVILEGE_SET:name;
+const unique T._SCSI_REQUEST_BLOCK:name;
+const unique T._SECTION_OBJECT_POINTERS:name;
+const unique T._SECURITY_IMPERSONATION_LEVEL:name;
+const unique T._SECURITY_QUALITY_OF_SERVICE:name;
+const unique T._SECURITY_SUBJECT_CONTEXT:name;
+const unique T._SYSTEM_POWER_STATE:name;
+const unique T._SYSTEM_POWER_STATE_CONTEXT:name;
+const unique T._UNICODE_STRING:name;
+const unique T._VPB:name;
+const unique T._WAIT_CONTEXT_BLOCK:name;
+const unique T._WMILIB_CONTEXT:name;
+const unique T.__unnamed_12_0d6a30de:name;
+const unique T.__unnamed_12_17f5c211:name;
+const unique T.__unnamed_12_1fb42e39:name;
+const unique T.__unnamed_12_2a1563c6:name;
+const unique T.__unnamed_12_31347272:name;
+const unique T.__unnamed_12_429aadc0:name;
+const unique T.__unnamed_12_4719de1a:name;
+const unique T.__unnamed_12_4be56faa:name;
+const unique T.__unnamed_12_5ce25b92:name;
+const unique T.__unnamed_12_7a698b72:name;
+const unique T.__unnamed_12_87c0de8d:name;
+const unique T.__unnamed_12_98bfc55a:name;
+const unique T.__unnamed_12_ab1bd9d7:name;
+const unique T.__unnamed_12_b0429be9:name;
+const unique T.__unnamed_12_b43e8de8:name;
+const unique T.__unnamed_12_bfdb39ee:name;
+const unique T.__unnamed_12_cd42b3c3:name;
+const unique T.__unnamed_12_e668effc:name;
+const unique T.__unnamed_12_e80d029e:name;
+const unique T.__unnamed_16_07c0bcc5:name;
+const unique T.__unnamed_16_29cb9f2f:name;
+const unique T.__unnamed_16_30f11dbf:name;
+const unique T.__unnamed_16_35034f68:name;
+const unique T.__unnamed_16_487a9498:name;
+const unique T.__unnamed_16_5f6a8844:name;
+const unique T.__unnamed_16_7177b9f3:name;
+const unique T.__unnamed_16_88e91ef6:name;
+const unique T.__unnamed_16_8c506c98:name;
+const unique T.__unnamed_16_9ac2e5f8:name;
+const unique T.__unnamed_16_b93842ad:name;
+const unique T.__unnamed_16_b9c62eab:name;
+const unique T.__unnamed_16_bb584060:name;
+const unique T.__unnamed_16_dba55c7c:name;
+const unique T.__unnamed_16_e70c268b:name;
+const unique T.__unnamed_16_e734d694:name;
+const unique T.__unnamed_16_eac6dbea:name;
+const unique T.__unnamed_16_f6cae4c2:name;
+const unique T.__unnamed_16_fe36e4f4:name;
+const unique T.__unnamed_1_29794256:name;
+const unique T.__unnamed_1_2dc63b48:name;
+const unique T.__unnamed_1_2ef8da39:name;
+const unique T.__unnamed_1_faa7dc71:name;
+const unique T.__unnamed_20_f4d2e6d8:name;
+const unique T.__unnamed_24_41cbc8c0:name;
+const unique T.__unnamed_24_5419c914:name;
+const unique T.__unnamed_24_67a5ff10:name;
+const unique T.__unnamed_24_72c3976e:name;
+const unique T.__unnamed_24_a26050bb:name;
+const unique T.__unnamed_24_b8f476db:name;
+const unique T.__unnamed_24_d09044b4:name;
+const unique T.__unnamed_2_46cc4597:name;
+const unique T.__unnamed_40_7218f704:name;
+const unique T.__unnamed_40_c55c9377:name;
+const unique T.__unnamed_44_5584090d:name;
+const unique T.__unnamed_48_cf99b13f:name;
+const unique T.__unnamed_4_069846fb:name;
+const unique T.__unnamed_4_224c32f4:name;
+const unique T.__unnamed_4_2de698da:name;
+const unique T.__unnamed_4_3a2fdc5e:name;
+const unique T.__unnamed_4_3a4c1a13:name;
+const unique T.__unnamed_4_43913aa5:name;
+const unique T.__unnamed_4_4e8dd2ba:name;
+const unique T.__unnamed_4_52603077:name;
+const unique T.__unnamed_4_52c594f7:name;
+const unique T.__unnamed_4_5ca00198:name;
+const unique T.__unnamed_4_6ac6463c:name;
+const unique T.__unnamed_4_6f9ac8e1:name;
+const unique T.__unnamed_4_7a02167b:name;
+const unique T.__unnamed_4_7d9d0c7e:name;
+const unique T.__unnamed_4_82f7a864:name;
+const unique T.__unnamed_4_9aec220b:name;
+const unique T.__unnamed_4_a97c65a1:name;
+const unique T.__unnamed_4_c3479730:name;
+const unique T.__unnamed_4_d99b6e2b:name;
+const unique T.__unnamed_4_f19b65c1:name;
+const unique T.__unnamed_4_fa10fc16:name;
+const unique T.__unnamed_8_01efa60d:name;
+const unique T.__unnamed_8_08d4cef8:name;
+const unique T.__unnamed_8_0a898c0c:name;
+const unique T.__unnamed_8_1330f93a:name;
+const unique T.__unnamed_8_181d0de9:name;
+const unique T.__unnamed_8_4812764d:name;
+const unique T.__unnamed_8_559a91e6:name;
+const unique T.__unnamed_8_5845b309:name;
+const unique T.__unnamed_8_58ee4a31:name;
+const unique T.__unnamed_8_61acf4ce:name;
+const unique T.__unnamed_8_6acfee04:name;
+const unique T.__unnamed_8_7f26a9dd:name;
+const unique T.__unnamed_8_87add0bd:name;
+const unique T.__unnamed_8_b2773e4c:name;
+const unique T.__unnamed_8_de890d4e:name;
+const unique T.__unnamed_8_ef9ba0d3:name;
+
+function AssocClassList__GLOBALS(int) returns (int);
+function AssocClassList__GLOBALSInv(int) returns (int);
+function _S_AssocClassList__GLOBALS([int]bool) returns ([int]bool);
+function _S_AssocClassList__GLOBALSInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {AssocClassList__GLOBALSInv(AssocClassList__GLOBALS(x))} AssocClassList__GLOBALSInv(AssocClassList__GLOBALS(x)) == x);
+axiom (forall x:int :: {AssocClassList__GLOBALSInv(x)} AssocClassList__GLOBALS(AssocClassList__GLOBALSInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_AssocClassList__GLOBALS(S)[x]} _S_AssocClassList__GLOBALS(S)[x] <==> S[AssocClassList__GLOBALSInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_AssocClassList__GLOBALSInv(S)[x]} _S_AssocClassList__GLOBALSInv(S)[x] <==> S[AssocClassList__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_AssocClassList__GLOBALS(S)} S[x] ==> _S_AssocClassList__GLOBALS(S)[AssocClassList__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_AssocClassList__GLOBALSInv(S)} S[x] ==> _S_AssocClassList__GLOBALSInv(S)[AssocClassList__GLOBALSInv(x)]);
+
+axiom (forall x:int :: {AssocClassList__GLOBALS(x)} AssocClassList__GLOBALS(x) == x + 8);
+axiom (forall x:int :: {AssocClassList__GLOBALSInv(x)} AssocClassList__GLOBALSInv(x) == x - 8);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 8, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 8, 1) == AssocClassList__GLOBALSInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 8)} MINUS_LEFT_PTR(x, 1, 8) == AssocClassList__GLOBALSInv(x));
+function BaseClassName__GLOBALS(int) returns (int);
+function BaseClassName__GLOBALSInv(int) returns (int);
+function _S_BaseClassName__GLOBALS([int]bool) returns ([int]bool);
+function _S_BaseClassName__GLOBALSInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {BaseClassName__GLOBALSInv(BaseClassName__GLOBALS(x))} BaseClassName__GLOBALSInv(BaseClassName__GLOBALS(x)) == x);
+axiom (forall x:int :: {BaseClassName__GLOBALSInv(x)} BaseClassName__GLOBALS(BaseClassName__GLOBALSInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_BaseClassName__GLOBALS(S)[x]} _S_BaseClassName__GLOBALS(S)[x] <==> S[BaseClassName__GLOBALSInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_BaseClassName__GLOBALSInv(S)[x]} _S_BaseClassName__GLOBALSInv(S)[x] <==> S[BaseClassName__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_BaseClassName__GLOBALS(S)} S[x] ==> _S_BaseClassName__GLOBALS(S)[BaseClassName__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_BaseClassName__GLOBALSInv(S)} S[x] ==> _S_BaseClassName__GLOBALSInv(S)[BaseClassName__GLOBALSInv(x)]);
+
+axiom (forall x:int :: {BaseClassName__GLOBALS(x)} BaseClassName__GLOBALS(x) == x + 368);
+axiom (forall x:int :: {BaseClassName__GLOBALSInv(x)} BaseClassName__GLOBALSInv(x) == x - 368);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 368, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 368, 1) == BaseClassName__GLOBALSInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 368)} MINUS_LEFT_PTR(x, 1, 368) == BaseClassName__GLOBALSInv(x));
+function Buffer__UNICODE_STRING(int) returns (int);
+function Buffer__UNICODE_STRINGInv(int) returns (int);
+function _S_Buffer__UNICODE_STRING([int]bool) returns ([int]bool);
+function _S_Buffer__UNICODE_STRINGInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Buffer__UNICODE_STRINGInv(Buffer__UNICODE_STRING(x))} Buffer__UNICODE_STRINGInv(Buffer__UNICODE_STRING(x)) == x);
+axiom (forall x:int :: {Buffer__UNICODE_STRINGInv(x)} Buffer__UNICODE_STRING(Buffer__UNICODE_STRINGInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Buffer__UNICODE_STRING(S)[x]} _S_Buffer__UNICODE_STRING(S)[x] <==> S[Buffer__UNICODE_STRINGInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Buffer__UNICODE_STRINGInv(S)[x]} _S_Buffer__UNICODE_STRINGInv(S)[x] <==> S[Buffer__UNICODE_STRING(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Buffer__UNICODE_STRING(S)} S[x] ==> _S_Buffer__UNICODE_STRING(S)[Buffer__UNICODE_STRING(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Buffer__UNICODE_STRINGInv(S)} S[x] ==> _S_Buffer__UNICODE_STRINGInv(S)[Buffer__UNICODE_STRINGInv(x)]);
+
+axiom (forall x:int :: {Buffer__UNICODE_STRING(x)} Buffer__UNICODE_STRING(x) == x + 4);
+axiom (forall x:int :: {Buffer__UNICODE_STRINGInv(x)} Buffer__UNICODE_STRINGInv(x) == x - 4);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1) == Buffer__UNICODE_STRINGInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 4)} MINUS_LEFT_PTR(x, 1, 4) == Buffer__UNICODE_STRINGInv(x));
+function DataIn__DEVICE_EXTENSION(int) returns (int);
+function DataIn__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_DataIn__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_DataIn__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {DataIn__DEVICE_EXTENSIONInv(DataIn__DEVICE_EXTENSION(x))} DataIn__DEVICE_EXTENSIONInv(DataIn__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {DataIn__DEVICE_EXTENSIONInv(x)} DataIn__DEVICE_EXTENSION(DataIn__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_DataIn__DEVICE_EXTENSION(S)[x]} _S_DataIn__DEVICE_EXTENSION(S)[x] <==> S[DataIn__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_DataIn__DEVICE_EXTENSIONInv(S)[x]} _S_DataIn__DEVICE_EXTENSIONInv(S)[x] <==> S[DataIn__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_DataIn__DEVICE_EXTENSION(S)} S[x] ==> _S_DataIn__DEVICE_EXTENSION(S)[DataIn__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_DataIn__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_DataIn__DEVICE_EXTENSIONInv(S)[DataIn__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {DataIn__DEVICE_EXTENSION(x)} DataIn__DEVICE_EXTENSION(x) == x + 132);
+axiom (forall x:int :: {DataIn__DEVICE_EXTENSIONInv(x)} DataIn__DEVICE_EXTENSIONInv(x) == x - 132);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 132, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 132, 1) == DataIn__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 132)} MINUS_LEFT_PTR(x, 1, 132) == DataIn__DEVICE_EXTENSIONInv(x));
+function DataOut__DEVICE_EXTENSION(int) returns (int);
+function DataOut__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_DataOut__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_DataOut__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {DataOut__DEVICE_EXTENSIONInv(DataOut__DEVICE_EXTENSION(x))} DataOut__DEVICE_EXTENSIONInv(DataOut__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {DataOut__DEVICE_EXTENSIONInv(x)} DataOut__DEVICE_EXTENSION(DataOut__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_DataOut__DEVICE_EXTENSION(S)[x]} _S_DataOut__DEVICE_EXTENSION(S)[x] <==> S[DataOut__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_DataOut__DEVICE_EXTENSIONInv(S)[x]} _S_DataOut__DEVICE_EXTENSIONInv(S)[x] <==> S[DataOut__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_DataOut__DEVICE_EXTENSION(S)} S[x] ==> _S_DataOut__DEVICE_EXTENSION(S)[DataOut__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_DataOut__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_DataOut__DEVICE_EXTENSIONInv(S)[DataOut__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {DataOut__DEVICE_EXTENSION(x)} DataOut__DEVICE_EXTENSION(x) == x + 136);
+axiom (forall x:int :: {DataOut__DEVICE_EXTENSIONInv(x)} DataOut__DEVICE_EXTENSIONInv(x) == x - 136);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 136, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 136, 1) == DataOut__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 136)} MINUS_LEFT_PTR(x, 1, 136) == DataOut__DEVICE_EXTENSIONInv(x));
+function DeviceExtension__DEVICE_OBJECT(int) returns (int);
+function DeviceExtension__DEVICE_OBJECTInv(int) returns (int);
+function _S_DeviceExtension__DEVICE_OBJECT([int]bool) returns ([int]bool);
+function _S_DeviceExtension__DEVICE_OBJECTInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {DeviceExtension__DEVICE_OBJECTInv(DeviceExtension__DEVICE_OBJECT(x))} DeviceExtension__DEVICE_OBJECTInv(DeviceExtension__DEVICE_OBJECT(x)) == x);
+axiom (forall x:int :: {DeviceExtension__DEVICE_OBJECTInv(x)} DeviceExtension__DEVICE_OBJECT(DeviceExtension__DEVICE_OBJECTInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_DeviceExtension__DEVICE_OBJECT(S)[x]} _S_DeviceExtension__DEVICE_OBJECT(S)[x] <==> S[DeviceExtension__DEVICE_OBJECTInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_DeviceExtension__DEVICE_OBJECTInv(S)[x]} _S_DeviceExtension__DEVICE_OBJECTInv(S)[x] <==> S[DeviceExtension__DEVICE_OBJECT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_DeviceExtension__DEVICE_OBJECT(S)} S[x] ==> _S_DeviceExtension__DEVICE_OBJECT(S)[DeviceExtension__DEVICE_OBJECT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_DeviceExtension__DEVICE_OBJECTInv(S)} S[x] ==> _S_DeviceExtension__DEVICE_OBJECTInv(S)[DeviceExtension__DEVICE_OBJECTInv(x)]);
+
+axiom (forall x:int :: {DeviceExtension__DEVICE_OBJECT(x)} DeviceExtension__DEVICE_OBJECT(x) == x + 40);
+axiom (forall x:int :: {DeviceExtension__DEVICE_OBJECTInv(x)} DeviceExtension__DEVICE_OBJECTInv(x) == x - 40);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 40, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 40, 1) == DeviceExtension__DEVICE_OBJECTInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 40)} MINUS_LEFT_PTR(x, 1, 40) == DeviceExtension__DEVICE_OBJECTInv(x));
+function File__DEVICE_EXTENSION(int) returns (int);
+function File__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_File__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_File__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {File__DEVICE_EXTENSIONInv(File__DEVICE_EXTENSION(x))} File__DEVICE_EXTENSIONInv(File__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {File__DEVICE_EXTENSIONInv(x)} File__DEVICE_EXTENSION(File__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_File__DEVICE_EXTENSION(S)[x]} _S_File__DEVICE_EXTENSION(S)[x] <==> S[File__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_File__DEVICE_EXTENSIONInv(S)[x]} _S_File__DEVICE_EXTENSIONInv(S)[x] <==> S[File__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_File__DEVICE_EXTENSION(S)} S[x] ==> _S_File__DEVICE_EXTENSION(S)[File__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_File__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_File__DEVICE_EXTENSIONInv(S)[File__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {File__DEVICE_EXTENSION(x)} File__DEVICE_EXTENSION(x) == x + 280);
+axiom (forall x:int :: {File__DEVICE_EXTENSIONInv(x)} File__DEVICE_EXTENSIONInv(x) == x - 280);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 280, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 280, 1) == File__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 280)} MINUS_LEFT_PTR(x, 1, 280) == File__DEVICE_EXTENSIONInv(x));
+function File__PORT(int) returns (int);
+function File__PORTInv(int) returns (int);
+function _S_File__PORT([int]bool) returns ([int]bool);
+function _S_File__PORTInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {File__PORTInv(File__PORT(x))} File__PORTInv(File__PORT(x)) == x);
+axiom (forall x:int :: {File__PORTInv(x)} File__PORT(File__PORTInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_File__PORT(S)[x]} _S_File__PORT(S)[x] <==> S[File__PORTInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_File__PORTInv(S)[x]} _S_File__PORTInv(S)[x] <==> S[File__PORT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_File__PORT(S)} S[x] ==> _S_File__PORT(S)[File__PORT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_File__PORTInv(S)} S[x] ==> _S_File__PORTInv(S)[File__PORTInv(x)]);
+
+axiom (forall x:int :: {File__PORT(x)} File__PORT(x) == x + 0);
+axiom (forall x:int :: {File__PORTInv(x)} File__PORTInv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == File__PORTInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == File__PORTInv(x));
+function Flags__DEVICE_OBJECT(int) returns (int);
+function Flags__DEVICE_OBJECTInv(int) returns (int);
+function _S_Flags__DEVICE_OBJECT([int]bool) returns ([int]bool);
+function _S_Flags__DEVICE_OBJECTInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Flags__DEVICE_OBJECTInv(Flags__DEVICE_OBJECT(x))} Flags__DEVICE_OBJECTInv(Flags__DEVICE_OBJECT(x)) == x);
+axiom (forall x:int :: {Flags__DEVICE_OBJECTInv(x)} Flags__DEVICE_OBJECT(Flags__DEVICE_OBJECTInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Flags__DEVICE_OBJECT(S)[x]} _S_Flags__DEVICE_OBJECT(S)[x] <==> S[Flags__DEVICE_OBJECTInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Flags__DEVICE_OBJECTInv(S)[x]} _S_Flags__DEVICE_OBJECTInv(S)[x] <==> S[Flags__DEVICE_OBJECT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Flags__DEVICE_OBJECT(S)} S[x] ==> _S_Flags__DEVICE_OBJECT(S)[Flags__DEVICE_OBJECT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Flags__DEVICE_OBJECTInv(S)} S[x] ==> _S_Flags__DEVICE_OBJECTInv(S)[Flags__DEVICE_OBJECTInv(x)]);
+
+axiom (forall x:int :: {Flags__DEVICE_OBJECT(x)} Flags__DEVICE_OBJECT(x) == x + 28);
+axiom (forall x:int :: {Flags__DEVICE_OBJECTInv(x)} Flags__DEVICE_OBJECTInv(x) == x - 28);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 28, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 28, 1) == Flags__DEVICE_OBJECTInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 28)} MINUS_LEFT_PTR(x, 1, 28) == Flags__DEVICE_OBJECTInv(x));
+function Flink__LIST_ENTRY(int) returns (int);
+function Flink__LIST_ENTRYInv(int) returns (int);
+function _S_Flink__LIST_ENTRY([int]bool) returns ([int]bool);
+function _S_Flink__LIST_ENTRYInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Flink__LIST_ENTRYInv(Flink__LIST_ENTRY(x))} Flink__LIST_ENTRYInv(Flink__LIST_ENTRY(x)) == x);
+axiom (forall x:int :: {Flink__LIST_ENTRYInv(x)} Flink__LIST_ENTRY(Flink__LIST_ENTRYInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Flink__LIST_ENTRY(S)[x]} _S_Flink__LIST_ENTRY(S)[x] <==> S[Flink__LIST_ENTRYInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Flink__LIST_ENTRYInv(S)[x]} _S_Flink__LIST_ENTRYInv(S)[x] <==> S[Flink__LIST_ENTRY(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Flink__LIST_ENTRY(S)} S[x] ==> _S_Flink__LIST_ENTRY(S)[Flink__LIST_ENTRY(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Flink__LIST_ENTRYInv(S)} S[x] ==> _S_Flink__LIST_ENTRYInv(S)[Flink__LIST_ENTRYInv(x)]);
+
+axiom (forall x:int :: {Flink__LIST_ENTRY(x)} Flink__LIST_ENTRY(x) == x + 0);
+axiom (forall x:int :: {Flink__LIST_ENTRYInv(x)} Flink__LIST_ENTRYInv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == Flink__LIST_ENTRYInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == Flink__LIST_ENTRYInv(x));
+function Free__PORT(int) returns (int);
+function Free__PORTInv(int) returns (int);
+function _S_Free__PORT([int]bool) returns ([int]bool);
+function _S_Free__PORTInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Free__PORTInv(Free__PORT(x))} Free__PORTInv(Free__PORT(x)) == x);
+axiom (forall x:int :: {Free__PORTInv(x)} Free__PORT(Free__PORTInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Free__PORT(S)[x]} _S_Free__PORT(S)[x] <==> S[Free__PORTInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Free__PORTInv(S)[x]} _S_Free__PORTInv(S)[x] <==> S[Free__PORT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Free__PORT(S)} S[x] ==> _S_Free__PORT(S)[Free__PORT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Free__PORTInv(S)} S[x] ==> _S_Free__PORTInv(S)[Free__PORTInv(x)]);
+
+axiom (forall x:int :: {Free__PORT(x)} Free__PORT(x) == x + 11);
+axiom (forall x:int :: {Free__PORTInv(x)} Free__PORTInv(x) == x - 11);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 11, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 11, 1) == Free__PORTInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 11)} MINUS_LEFT_PTR(x, 1, 11) == Free__PORTInv(x));
+function GrandMaster__GLOBALS(int) returns (int);
+function GrandMaster__GLOBALSInv(int) returns (int);
+function _S_GrandMaster__GLOBALS([int]bool) returns ([int]bool);
+function _S_GrandMaster__GLOBALSInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {GrandMaster__GLOBALSInv(GrandMaster__GLOBALS(x))} GrandMaster__GLOBALSInv(GrandMaster__GLOBALS(x)) == x);
+axiom (forall x:int :: {GrandMaster__GLOBALSInv(x)} GrandMaster__GLOBALS(GrandMaster__GLOBALSInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_GrandMaster__GLOBALS(S)[x]} _S_GrandMaster__GLOBALS(S)[x] <==> S[GrandMaster__GLOBALSInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_GrandMaster__GLOBALSInv(S)[x]} _S_GrandMaster__GLOBALSInv(S)[x] <==> S[GrandMaster__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_GrandMaster__GLOBALS(S)} S[x] ==> _S_GrandMaster__GLOBALS(S)[GrandMaster__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_GrandMaster__GLOBALSInv(S)} S[x] ==> _S_GrandMaster__GLOBALSInv(S)[GrandMaster__GLOBALSInv(x)]);
+
+axiom (forall x:int :: {GrandMaster__GLOBALS(x)} GrandMaster__GLOBALS(x) == x + 4);
+axiom (forall x:int :: {GrandMaster__GLOBALSInv(x)} GrandMaster__GLOBALSInv(x) == x - 4);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1) == GrandMaster__GLOBALSInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 4)} MINUS_LEFT_PTR(x, 1, 4) == GrandMaster__GLOBALSInv(x));
+function InitExtension__GLOBALS(int) returns (int);
+function InitExtension__GLOBALSInv(int) returns (int);
+function _S_InitExtension__GLOBALS([int]bool) returns ([int]bool);
+function _S_InitExtension__GLOBALSInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {InitExtension__GLOBALSInv(InitExtension__GLOBALS(x))} InitExtension__GLOBALSInv(InitExtension__GLOBALS(x)) == x);
+axiom (forall x:int :: {InitExtension__GLOBALSInv(x)} InitExtension__GLOBALS(InitExtension__GLOBALSInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_InitExtension__GLOBALS(S)[x]} _S_InitExtension__GLOBALS(S)[x] <==> S[InitExtension__GLOBALSInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_InitExtension__GLOBALSInv(S)[x]} _S_InitExtension__GLOBALSInv(S)[x] <==> S[InitExtension__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_InitExtension__GLOBALS(S)} S[x] ==> _S_InitExtension__GLOBALS(S)[InitExtension__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_InitExtension__GLOBALSInv(S)} S[x] ==> _S_InitExtension__GLOBALSInv(S)[InitExtension__GLOBALSInv(x)]);
+
+axiom (forall x:int :: {InitExtension__GLOBALS(x)} InitExtension__GLOBALS(x) == x + 72);
+axiom (forall x:int :: {InitExtension__GLOBALSInv(x)} InitExtension__GLOBALSInv(x) == x - 72);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 72, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 72, 1) == InitExtension__GLOBALSInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 72)} MINUS_LEFT_PTR(x, 1, 72) == InitExtension__GLOBALSInv(x));
+function InputData__DEVICE_EXTENSION(int) returns (int);
+function InputData__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_InputData__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_InputData__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {InputData__DEVICE_EXTENSIONInv(InputData__DEVICE_EXTENSION(x))} InputData__DEVICE_EXTENSIONInv(InputData__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {InputData__DEVICE_EXTENSIONInv(x)} InputData__DEVICE_EXTENSION(InputData__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_InputData__DEVICE_EXTENSION(S)[x]} _S_InputData__DEVICE_EXTENSION(S)[x] <==> S[InputData__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_InputData__DEVICE_EXTENSIONInv(S)[x]} _S_InputData__DEVICE_EXTENSIONInv(S)[x] <==> S[InputData__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_InputData__DEVICE_EXTENSION(S)} S[x] ==> _S_InputData__DEVICE_EXTENSION(S)[InputData__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_InputData__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_InputData__DEVICE_EXTENSIONInv(S)[InputData__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {InputData__DEVICE_EXTENSION(x)} InputData__DEVICE_EXTENSION(x) == x + 128);
+axiom (forall x:int :: {InputData__DEVICE_EXTENSIONInv(x)} InputData__DEVICE_EXTENSIONInv(x) == x - 128);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 128, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 128, 1) == InputData__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 128)} MINUS_LEFT_PTR(x, 1, 128) == InputData__DEVICE_EXTENSIONInv(x));
+function LegacyDeviceList__GLOBALS(int) returns (int);
+function LegacyDeviceList__GLOBALSInv(int) returns (int);
+function _S_LegacyDeviceList__GLOBALS([int]bool) returns ([int]bool);
+function _S_LegacyDeviceList__GLOBALSInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {LegacyDeviceList__GLOBALSInv(LegacyDeviceList__GLOBALS(x))} LegacyDeviceList__GLOBALSInv(LegacyDeviceList__GLOBALS(x)) == x);
+axiom (forall x:int :: {LegacyDeviceList__GLOBALSInv(x)} LegacyDeviceList__GLOBALS(LegacyDeviceList__GLOBALSInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_LegacyDeviceList__GLOBALS(S)[x]} _S_LegacyDeviceList__GLOBALS(S)[x] <==> S[LegacyDeviceList__GLOBALSInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_LegacyDeviceList__GLOBALSInv(S)[x]} _S_LegacyDeviceList__GLOBALSInv(S)[x] <==> S[LegacyDeviceList__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_LegacyDeviceList__GLOBALS(S)} S[x] ==> _S_LegacyDeviceList__GLOBALS(S)[LegacyDeviceList__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_LegacyDeviceList__GLOBALSInv(S)} S[x] ==> _S_LegacyDeviceList__GLOBALSInv(S)[LegacyDeviceList__GLOBALSInv(x)]);
+
+axiom (forall x:int :: {LegacyDeviceList__GLOBALS(x)} LegacyDeviceList__GLOBALS(x) == x + 888);
+axiom (forall x:int :: {LegacyDeviceList__GLOBALSInv(x)} LegacyDeviceList__GLOBALSInv(x) == x - 888);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 888, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 888, 1) == LegacyDeviceList__GLOBALSInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 888)} MINUS_LEFT_PTR(x, 1, 888) == LegacyDeviceList__GLOBALSInv(x));
+function Length__UNICODE_STRING(int) returns (int);
+function Length__UNICODE_STRINGInv(int) returns (int);
+function _S_Length__UNICODE_STRING([int]bool) returns ([int]bool);
+function _S_Length__UNICODE_STRINGInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Length__UNICODE_STRINGInv(Length__UNICODE_STRING(x))} Length__UNICODE_STRINGInv(Length__UNICODE_STRING(x)) == x);
+axiom (forall x:int :: {Length__UNICODE_STRINGInv(x)} Length__UNICODE_STRING(Length__UNICODE_STRINGInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Length__UNICODE_STRING(S)[x]} _S_Length__UNICODE_STRING(S)[x] <==> S[Length__UNICODE_STRINGInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Length__UNICODE_STRINGInv(S)[x]} _S_Length__UNICODE_STRINGInv(S)[x] <==> S[Length__UNICODE_STRING(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Length__UNICODE_STRING(S)} S[x] ==> _S_Length__UNICODE_STRING(S)[Length__UNICODE_STRING(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Length__UNICODE_STRINGInv(S)} S[x] ==> _S_Length__UNICODE_STRINGInv(S)[Length__UNICODE_STRINGInv(x)]);
+
+axiom (forall x:int :: {Length__UNICODE_STRING(x)} Length__UNICODE_STRING(x) == x + 0);
+axiom (forall x:int :: {Length__UNICODE_STRINGInv(x)} Length__UNICODE_STRINGInv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == Length__UNICODE_STRINGInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == Length__UNICODE_STRINGInv(x));
+function Link__DEVICE_EXTENSION(int) returns (int);
+function Link__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_Link__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_Link__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Link__DEVICE_EXTENSIONInv(Link__DEVICE_EXTENSION(x))} Link__DEVICE_EXTENSIONInv(Link__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {Link__DEVICE_EXTENSIONInv(x)} Link__DEVICE_EXTENSION(Link__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Link__DEVICE_EXTENSION(S)[x]} _S_Link__DEVICE_EXTENSION(S)[x] <==> S[Link__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Link__DEVICE_EXTENSIONInv(S)[x]} _S_Link__DEVICE_EXTENSIONInv(S)[x] <==> S[Link__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Link__DEVICE_EXTENSION(S)} S[x] ==> _S_Link__DEVICE_EXTENSION(S)[Link__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Link__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_Link__DEVICE_EXTENSIONInv(S)[Link__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {Link__DEVICE_EXTENSION(x)} Link__DEVICE_EXTENSION(x) == x + 272);
+axiom (forall x:int :: {Link__DEVICE_EXTENSIONInv(x)} Link__DEVICE_EXTENSIONInv(x) == x - 272);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 272, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 272, 1) == Link__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 272)} MINUS_LEFT_PTR(x, 1, 272) == Link__DEVICE_EXTENSIONInv(x));
+function MaximumLength__UNICODE_STRING(int) returns (int);
+function MaximumLength__UNICODE_STRINGInv(int) returns (int);
+function _S_MaximumLength__UNICODE_STRING([int]bool) returns ([int]bool);
+function _S_MaximumLength__UNICODE_STRINGInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {MaximumLength__UNICODE_STRINGInv(MaximumLength__UNICODE_STRING(x))} MaximumLength__UNICODE_STRINGInv(MaximumLength__UNICODE_STRING(x)) == x);
+axiom (forall x:int :: {MaximumLength__UNICODE_STRINGInv(x)} MaximumLength__UNICODE_STRING(MaximumLength__UNICODE_STRINGInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_MaximumLength__UNICODE_STRING(S)[x]} _S_MaximumLength__UNICODE_STRING(S)[x] <==> S[MaximumLength__UNICODE_STRINGInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_MaximumLength__UNICODE_STRINGInv(S)[x]} _S_MaximumLength__UNICODE_STRINGInv(S)[x] <==> S[MaximumLength__UNICODE_STRING(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_MaximumLength__UNICODE_STRING(S)} S[x] ==> _S_MaximumLength__UNICODE_STRING(S)[MaximumLength__UNICODE_STRING(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_MaximumLength__UNICODE_STRINGInv(S)} S[x] ==> _S_MaximumLength__UNICODE_STRINGInv(S)[MaximumLength__UNICODE_STRINGInv(x)]);
+
+axiom (forall x:int :: {MaximumLength__UNICODE_STRING(x)} MaximumLength__UNICODE_STRING(x) == x + 2);
+axiom (forall x:int :: {MaximumLength__UNICODE_STRINGInv(x)} MaximumLength__UNICODE_STRINGInv(x) == x - 2);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 2, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 2, 1) == MaximumLength__UNICODE_STRINGInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 2)} MINUS_LEFT_PTR(x, 1, 2) == MaximumLength__UNICODE_STRINGInv(x));
+function Mutex__GLOBALS(int) returns (int);
+function Mutex__GLOBALSInv(int) returns (int);
+function _S_Mutex__GLOBALS([int]bool) returns ([int]bool);
+function _S_Mutex__GLOBALSInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Mutex__GLOBALSInv(Mutex__GLOBALS(x))} Mutex__GLOBALSInv(Mutex__GLOBALS(x)) == x);
+axiom (forall x:int :: {Mutex__GLOBALSInv(x)} Mutex__GLOBALS(Mutex__GLOBALSInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Mutex__GLOBALS(S)[x]} _S_Mutex__GLOBALS(S)[x] <==> S[Mutex__GLOBALSInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Mutex__GLOBALSInv(S)[x]} _S_Mutex__GLOBALSInv(S)[x] <==> S[Mutex__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Mutex__GLOBALS(S)} S[x] ==> _S_Mutex__GLOBALS(S)[Mutex__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Mutex__GLOBALSInv(S)} S[x] ==> _S_Mutex__GLOBALSInv(S)[Mutex__GLOBALSInv(x)]);
+
+axiom (forall x:int :: {Mutex__GLOBALS(x)} Mutex__GLOBALS(x) == x + 24);
+axiom (forall x:int :: {Mutex__GLOBALSInv(x)} Mutex__GLOBALSInv(x) == x - 24);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 24, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 24, 1) == Mutex__GLOBALSInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 24)} MINUS_LEFT_PTR(x, 1, 24) == Mutex__GLOBALSInv(x));
+function NumberLegacyPorts__GLOBALS(int) returns (int);
+function NumberLegacyPorts__GLOBALSInv(int) returns (int);
+function _S_NumberLegacyPorts__GLOBALS([int]bool) returns ([int]bool);
+function _S_NumberLegacyPorts__GLOBALSInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {NumberLegacyPorts__GLOBALSInv(NumberLegacyPorts__GLOBALS(x))} NumberLegacyPorts__GLOBALSInv(NumberLegacyPorts__GLOBALS(x)) == x);
+axiom (forall x:int :: {NumberLegacyPorts__GLOBALSInv(x)} NumberLegacyPorts__GLOBALS(NumberLegacyPorts__GLOBALSInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_NumberLegacyPorts__GLOBALS(S)[x]} _S_NumberLegacyPorts__GLOBALS(S)[x] <==> S[NumberLegacyPorts__GLOBALSInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_NumberLegacyPorts__GLOBALSInv(S)[x]} _S_NumberLegacyPorts__GLOBALSInv(S)[x] <==> S[NumberLegacyPorts__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_NumberLegacyPorts__GLOBALS(S)} S[x] ==> _S_NumberLegacyPorts__GLOBALS(S)[NumberLegacyPorts__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_NumberLegacyPorts__GLOBALSInv(S)} S[x] ==> _S_NumberLegacyPorts__GLOBALSInv(S)[NumberLegacyPorts__GLOBALSInv(x)]);
+
+axiom (forall x:int :: {NumberLegacyPorts__GLOBALS(x)} NumberLegacyPorts__GLOBALS(x) == x + 20);
+axiom (forall x:int :: {NumberLegacyPorts__GLOBALSInv(x)} NumberLegacyPorts__GLOBALSInv(x) == x - 20);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 20, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 20, 1) == NumberLegacyPorts__GLOBALSInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 20)} MINUS_LEFT_PTR(x, 1, 20) == NumberLegacyPorts__GLOBALSInv(x));
+function PnP__DEVICE_EXTENSION(int) returns (int);
+function PnP__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_PnP__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_PnP__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {PnP__DEVICE_EXTENSIONInv(PnP__DEVICE_EXTENSION(x))} PnP__DEVICE_EXTENSIONInv(PnP__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {PnP__DEVICE_EXTENSIONInv(x)} PnP__DEVICE_EXTENSION(PnP__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_PnP__DEVICE_EXTENSION(S)[x]} _S_PnP__DEVICE_EXTENSION(S)[x] <==> S[PnP__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_PnP__DEVICE_EXTENSIONInv(S)[x]} _S_PnP__DEVICE_EXTENSIONInv(S)[x] <==> S[PnP__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_PnP__DEVICE_EXTENSION(S)} S[x] ==> _S_PnP__DEVICE_EXTENSION(S)[PnP__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_PnP__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_PnP__DEVICE_EXTENSIONInv(S)[PnP__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {PnP__DEVICE_EXTENSION(x)} PnP__DEVICE_EXTENSION(x) == x + 104);
+axiom (forall x:int :: {PnP__DEVICE_EXTENSIONInv(x)} PnP__DEVICE_EXTENSIONInv(x) == x - 104);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 104, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 104, 1) == PnP__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 104)} MINUS_LEFT_PTR(x, 1, 104) == PnP__DEVICE_EXTENSIONInv(x));
+function Port__PORT(int) returns (int);
+function Port__PORTInv(int) returns (int);
+function _S_Port__PORT([int]bool) returns ([int]bool);
+function _S_Port__PORTInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Port__PORTInv(Port__PORT(x))} Port__PORTInv(Port__PORT(x)) == x);
+axiom (forall x:int :: {Port__PORTInv(x)} Port__PORT(Port__PORTInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Port__PORT(S)[x]} _S_Port__PORT(S)[x] <==> S[Port__PORTInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Port__PORTInv(S)[x]} _S_Port__PORTInv(S)[x] <==> S[Port__PORT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Port__PORT(S)} S[x] ==> _S_Port__PORT(S)[Port__PORT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Port__PORTInv(S)} S[x] ==> _S_Port__PORTInv(S)[Port__PORTInv(x)]);
+
+axiom (forall x:int :: {Port__PORT(x)} Port__PORT(x) == x + 4);
+axiom (forall x:int :: {Port__PORTInv(x)} Port__PORTInv(x) == x - 4);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1) == Port__PORTInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 4)} MINUS_LEFT_PTR(x, 1, 4) == Port__PORTInv(x));
+function PortsServiced__GLOBALS(int) returns (int);
+function PortsServiced__GLOBALSInv(int) returns (int);
+function _S_PortsServiced__GLOBALS([int]bool) returns ([int]bool);
+function _S_PortsServiced__GLOBALSInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {PortsServiced__GLOBALSInv(PortsServiced__GLOBALS(x))} PortsServiced__GLOBALSInv(PortsServiced__GLOBALS(x)) == x);
+axiom (forall x:int :: {PortsServiced__GLOBALSInv(x)} PortsServiced__GLOBALS(PortsServiced__GLOBALSInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_PortsServiced__GLOBALS(S)[x]} _S_PortsServiced__GLOBALS(S)[x] <==> S[PortsServiced__GLOBALSInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_PortsServiced__GLOBALSInv(S)[x]} _S_PortsServiced__GLOBALSInv(S)[x] <==> S[PortsServiced__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_PortsServiced__GLOBALS(S)} S[x] ==> _S_PortsServiced__GLOBALS(S)[PortsServiced__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_PortsServiced__GLOBALSInv(S)} S[x] ==> _S_PortsServiced__GLOBALSInv(S)[PortsServiced__GLOBALSInv(x)]);
+
+axiom (forall x:int :: {PortsServiced__GLOBALS(x)} PortsServiced__GLOBALS(x) == x + 64);
+axiom (forall x:int :: {PortsServiced__GLOBALSInv(x)} PortsServiced__GLOBALSInv(x) == x - 64);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 64, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 64, 1) == PortsServiced__GLOBALSInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 64)} MINUS_LEFT_PTR(x, 1, 64) == PortsServiced__GLOBALSInv(x));
+function Self__DEVICE_EXTENSION(int) returns (int);
+function Self__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_Self__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_Self__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Self__DEVICE_EXTENSIONInv(Self__DEVICE_EXTENSION(x))} Self__DEVICE_EXTENSIONInv(Self__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {Self__DEVICE_EXTENSIONInv(x)} Self__DEVICE_EXTENSION(Self__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Self__DEVICE_EXTENSION(S)[x]} _S_Self__DEVICE_EXTENSION(S)[x] <==> S[Self__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Self__DEVICE_EXTENSIONInv(S)[x]} _S_Self__DEVICE_EXTENSIONInv(S)[x] <==> S[Self__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Self__DEVICE_EXTENSION(S)} S[x] ==> _S_Self__DEVICE_EXTENSION(S)[Self__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Self__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_Self__DEVICE_EXTENSIONInv(S)[Self__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {Self__DEVICE_EXTENSION(x)} Self__DEVICE_EXTENSION(x) == x + 0);
+axiom (forall x:int :: {Self__DEVICE_EXTENSIONInv(x)} Self__DEVICE_EXTENSIONInv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == Self__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == Self__DEVICE_EXTENSIONInv(x));
+function StackSize__DEVICE_OBJECT(int) returns (int);
+function StackSize__DEVICE_OBJECTInv(int) returns (int);
+function _S_StackSize__DEVICE_OBJECT([int]bool) returns ([int]bool);
+function _S_StackSize__DEVICE_OBJECTInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {StackSize__DEVICE_OBJECTInv(StackSize__DEVICE_OBJECT(x))} StackSize__DEVICE_OBJECTInv(StackSize__DEVICE_OBJECT(x)) == x);
+axiom (forall x:int :: {StackSize__DEVICE_OBJECTInv(x)} StackSize__DEVICE_OBJECT(StackSize__DEVICE_OBJECTInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_StackSize__DEVICE_OBJECT(S)[x]} _S_StackSize__DEVICE_OBJECT(S)[x] <==> S[StackSize__DEVICE_OBJECTInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_StackSize__DEVICE_OBJECTInv(S)[x]} _S_StackSize__DEVICE_OBJECTInv(S)[x] <==> S[StackSize__DEVICE_OBJECT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_StackSize__DEVICE_OBJECT(S)} S[x] ==> _S_StackSize__DEVICE_OBJECT(S)[StackSize__DEVICE_OBJECT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_StackSize__DEVICE_OBJECTInv(S)} S[x] ==> _S_StackSize__DEVICE_OBJECTInv(S)[StackSize__DEVICE_OBJECTInv(x)]);
+
+axiom (forall x:int :: {StackSize__DEVICE_OBJECT(x)} StackSize__DEVICE_OBJECT(x) == x + 48);
+axiom (forall x:int :: {StackSize__DEVICE_OBJECTInv(x)} StackSize__DEVICE_OBJECTInv(x) == x - 48);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 48, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 48, 1) == StackSize__DEVICE_OBJECTInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 48)} MINUS_LEFT_PTR(x, 1, 48) == StackSize__DEVICE_OBJECTInv(x));
+function Started__DEVICE_EXTENSION(int) returns (int);
+function Started__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_Started__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_Started__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Started__DEVICE_EXTENSIONInv(Started__DEVICE_EXTENSION(x))} Started__DEVICE_EXTENSIONInv(Started__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {Started__DEVICE_EXTENSIONInv(x)} Started__DEVICE_EXTENSION(Started__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Started__DEVICE_EXTENSION(S)[x]} _S_Started__DEVICE_EXTENSION(S)[x] <==> S[Started__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Started__DEVICE_EXTENSIONInv(S)[x]} _S_Started__DEVICE_EXTENSIONInv(S)[x] <==> S[Started__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Started__DEVICE_EXTENSION(S)} S[x] ==> _S_Started__DEVICE_EXTENSION(S)[Started__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Started__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_Started__DEVICE_EXTENSIONInv(S)[Started__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {Started__DEVICE_EXTENSION(x)} Started__DEVICE_EXTENSION(x) == x + 105);
+axiom (forall x:int :: {Started__DEVICE_EXTENSIONInv(x)} Started__DEVICE_EXTENSIONInv(x) == x - 105);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 105, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 105, 1) == Started__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 105)} MINUS_LEFT_PTR(x, 1, 105) == Started__DEVICE_EXTENSIONInv(x));
+function TopPort__DEVICE_EXTENSION(int) returns (int);
+function TopPort__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_TopPort__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_TopPort__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {TopPort__DEVICE_EXTENSIONInv(TopPort__DEVICE_EXTENSION(x))} TopPort__DEVICE_EXTENSIONInv(TopPort__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {TopPort__DEVICE_EXTENSIONInv(x)} TopPort__DEVICE_EXTENSION(TopPort__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_TopPort__DEVICE_EXTENSION(S)[x]} _S_TopPort__DEVICE_EXTENSION(S)[x] <==> S[TopPort__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_TopPort__DEVICE_EXTENSIONInv(S)[x]} _S_TopPort__DEVICE_EXTENSIONInv(S)[x] <==> S[TopPort__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_TopPort__DEVICE_EXTENSION(S)} S[x] ==> _S_TopPort__DEVICE_EXTENSION(S)[TopPort__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_TopPort__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_TopPort__DEVICE_EXTENSIONInv(S)[TopPort__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {TopPort__DEVICE_EXTENSION(x)} TopPort__DEVICE_EXTENSION(x) == x + 8);
+axiom (forall x:int :: {TopPort__DEVICE_EXTENSIONInv(x)} TopPort__DEVICE_EXTENSIONInv(x) == x - 8);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 8, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 8, 1) == TopPort__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 8)} MINUS_LEFT_PTR(x, 1, 8) == TopPort__DEVICE_EXTENSIONInv(x));
+function UnitId__DEVICE_EXTENSION(int) returns (int);
+function UnitId__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_UnitId__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_UnitId__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {UnitId__DEVICE_EXTENSIONInv(UnitId__DEVICE_EXTENSION(x))} UnitId__DEVICE_EXTENSIONInv(UnitId__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {UnitId__DEVICE_EXTENSIONInv(x)} UnitId__DEVICE_EXTENSION(UnitId__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_UnitId__DEVICE_EXTENSION(S)[x]} _S_UnitId__DEVICE_EXTENSION(S)[x] <==> S[UnitId__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_UnitId__DEVICE_EXTENSIONInv(S)[x]} _S_UnitId__DEVICE_EXTENSIONInv(S)[x] <==> S[UnitId__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_UnitId__DEVICE_EXTENSION(S)} S[x] ==> _S_UnitId__DEVICE_EXTENSION(S)[UnitId__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_UnitId__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_UnitId__DEVICE_EXTENSIONInv(S)[UnitId__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {UnitId__DEVICE_EXTENSION(x)} UnitId__DEVICE_EXTENSION(x) == x + 196);
+axiom (forall x:int :: {UnitId__DEVICE_EXTENSIONInv(x)} UnitId__DEVICE_EXTENSIONInv(x) == x - 196);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 196, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 196, 1) == UnitId__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 196)} MINUS_LEFT_PTR(x, 1, 196) == UnitId__DEVICE_EXTENSIONInv(x));
+function MINUS_BOTH_PTR_OR_BOTH_INT(a:int, b:int, size:int) returns (int);
+axiom (forall a:int, b:int, size:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(a,b,size)}
+size * MINUS_BOTH_PTR_OR_BOTH_INT(a,b,size) <= a - b && a - b < size * (MINUS_BOTH_PTR_OR_BOTH_INT(a,b,size) + 1));
+
+function MINUS_LEFT_PTR(a:int, a_size:int, b:int) returns (int);
+axiom(forall a:int, a_size:int, b:int :: {MINUS_LEFT_PTR(a,a_size,b)} MINUS_LEFT_PTR(a,a_size,b) == a - a_size * b);
+
+function PLUS(a:int, a_size:int, b:int) returns (int);
+axiom (forall a:int, a_size:int, b:int :: {PLUS(a,a_size,b)} PLUS(a,a_size,b) == a + a_size * b);
+
+function MULT(a:int, b:int) returns (int); // a*b
+axiom(forall a:int, b:int :: {MULT(a,b)} MULT(a,b) == a * b);
+
+function DIV(a:int, b:int) returns (int); // a/b
+
+axiom(forall a:int, b:int :: {DIV(a,b)}
+a >= 0 && b > 0 ==> b * DIV(a,b) <= a && a < b * (DIV(a,b) + 1)
+);
+
+axiom(forall a:int, b:int :: {DIV(a,b)}
+a >= 0 && b < 0 ==> b * DIV(a,b) <= a && a < b * (DIV(a,b) - 1)
+);
+
+axiom(forall a:int, b:int :: {DIV(a,b)}
+a < 0 && b > 0 ==> b * DIV(a,b) >= a && a > b * (DIV(a,b) - 1)
+);
+
+axiom(forall a:int, b:int :: {DIV(a,b)}
+a < 0 && b < 0 ==> b * DIV(a,b) >= a && a > b * (DIV(a,b) + 1)
+);
+
+function BINARY_BOTH_INT(a:int, b:int) returns (int);
+
+function POW2(a:int) returns (bool);
+axiom POW2(1);
+axiom POW2(2);
+axiom POW2(4);
+axiom POW2(8);
+axiom POW2(16);
+axiom POW2(32);
+axiom POW2(64);
+axiom POW2(128);
+axiom POW2(256);
+axiom POW2(512);
+axiom POW2(1024);
+axiom POW2(2048);
+axiom POW2(4096);
+axiom POW2(8192);
+axiom POW2(16384);
+axiom POW2(32768);
+axiom POW2(65536);
+axiom POW2(131072);
+axiom POW2(262144);
+axiom POW2(524288);
+axiom POW2(1048576);
+axiom POW2(2097152);
+axiom POW2(4194304);
+axiom POW2(8388608);
+axiom POW2(16777216);
+axiom POW2(33554432);
+
+function choose(a:bool, b:int, c:int) returns (x:int);
+axiom(forall a:bool, b:int, c:int :: {choose(a,b,c)} a ==> choose(a,b,c) == b);
+axiom(forall a:bool, b:int, c:int :: {choose(a,b,c)} !a ==> choose(a,b,c) == c);
+
+function BIT_BAND(a:int, b:int) returns (x:int);
+axiom(forall a:int, b:int :: {BIT_BAND(a,b)} a == b ==> BIT_BAND(a,b) == a);
+axiom(forall a:int, b:int :: {BIT_BAND(a,b)} POW2(a) && POW2(b) && a != b ==> BIT_BAND(a,b) == 0);
+axiom(forall a:int, b:int :: {BIT_BAND(a,b)} a == 0 || b == 0 ==> BIT_BAND(a,b) == 0);
+
+function BIT_BOR(a:int, b:int) returns (x:int);
+
+function BIT_BXOR(a:int, b:int) returns (x:int);
+
+function BIT_BNOT(a:int) returns (int);
+
+function LIFT(a:bool) returns (int);
+axiom(forall a:bool :: {LIFT(a)} a <==> LIFT(a) != 0);
+
+function NOT(a:int) returns (int);
+axiom(forall a:int :: {NOT(a)} a == 0 ==> NOT(a) != 0);
+axiom(forall a:int :: {NOT(a)} a != 0 ==> NOT(a) == 0);
+
+function NULL_CHECK(a:int) returns (int);
+axiom(forall a:int :: {NULL_CHECK(a)} a == 0 ==> NULL_CHECK(a) != 0);
+axiom(forall a:int :: {NULL_CHECK(a)} a != 0 ==> NULL_CHECK(a) == 0);
+
+
+
+
+procedure havoc_assert(i:int);
+requires (i != 0);
+
+procedure havoc_assume(i:int);
+ensures (i != 0);
+
+procedure __HAVOC_free(a:int);
+modifies alloc;
+ensures (forall x:int :: {alloc[x]} x == a || old(alloc)[x] == alloc[x]);
+ensures (alloc[a] == FREED);
+// Additional checks guarded by tranlator flags
+// requires alloc[a] == ALLOCATED;
+// requires Base(a) == a;
+
+procedure __HAVOC_malloc(obj_size:int) returns (new:int);
+requires obj_size >= 0;
+modifies alloc;
+ensures (new > 0);
+ensures (forall x:int :: {Base(x)} new <= x && x < new+obj_size ==> Base(x) == new);
+ensures (forall x:int :: {alloc[x]} x == new || old(alloc)[x] == alloc[x]);
+ensures old(alloc)[new] == UNALLOCATED && alloc[new] == ALLOCATED;
+
+procedure nondet_choice() returns (x:int);
+
+procedure _strdup(str:int) returns (new:int);
+
+procedure _xstrcasecmp(a0:int, a1:int) returns (ret:int);
+
+procedure _xstrcmp(a0:int, a1:int) returns (ret:int);
+
+var Res_DEVICE_STACK:[int]int;
+var Res_DEV_EXTN:[int]int;
+var Res_DEV_OBJ_INIT:[int]int;
+var Res_SPIN_LOCK:[int]int;
+
+
+
+////////////////////
+// Between predicate
+////////////////////
+function ReachBetween(f: [int]int, x: int, y: int, z: int) returns (bool);
+function ReachAvoiding(f: [int]int, x: int, y: int, z: int) returns (bool);
+
+
+//////////////////////////
+// Between set constructor
+//////////////////////////
+function ReachBetweenSet(f: [int]int, x: int, z: int) returns ([int]bool);
+
+////////////////////////////////////////////////////
+// axioms relating ReachBetween and ReachBetweenSet
+////////////////////////////////////////////////////
+axiom(forall f: [int]int, x: int, y: int, z: int :: {ReachBetweenSet(f, x, z)[y]} ReachBetweenSet(f, x, z)[y] <==> ReachBetween(f, x, y, z));
+axiom(forall f: [int]int, x: int, y: int, z: int :: {ReachBetween(f, x, y, z), ReachBetweenSet(f, x, z)} ReachBetween(f, x, y, z) ==> ReachBetweenSet(f, x, z)[y]);
+axiom(forall f: [int]int, x: int, z: int :: {ReachBetweenSet(f, x, z)} ReachBetween(f, x, x, x));
+
+
+//////////////////////////
+// Axioms for ReachBetween
+//////////////////////////
+
+// reflexive
+axiom(forall f: [int]int, x: int :: ReachBetween(f, x, x, x));
+
+// step
+//axiom(forall f: [int]int, x: int :: {f[x]} ReachBetween(f, x, f[x], f[x]));
+axiom(forall f: [int]int, x: int, y: int, z: int, w:int :: {ReachBetween(f, y, z, w), f[x]} ReachBetween(f, x, f[x], f[x]));
+
+// reach
+axiom(forall f: [int]int, x: int, y: int :: {f[x], ReachBetween(f, x, y, y)} ReachBetween(f, x, y, y) ==> x == y || ReachBetween(f, x, f[x], y));
+
+// cycle
+axiom(forall f: [int]int, x: int, y:int :: {f[x], ReachBetween(f, x, y, y)} f[x] == x && ReachBetween(f, x, y, y) ==> x == y);
+
+// sandwich
+axiom(forall f: [int]int, x: int, y: int :: {ReachBetween(f, x, y, x)} ReachBetween(f, x, y, x) ==> x == y);
+
+// order1
+axiom(forall f: [int]int, x: int, y: int, z: int :: {ReachBetween(f, x, y, y), ReachBetween(f, x, z, z)} ReachBetween(f, x, y, y) && ReachBetween(f, x, z, z) ==> ReachBetween(f, x, y, z) || ReachBetween(f, x, z, y));
+
+// order2
+axiom(forall f: [int]int, x: int, y: int, z: int :: {ReachBetween(f, x, y, z)} ReachBetween(f, x, y, z) ==> ReachBetween(f, x, y, y) && ReachBetween(f, y, z, z));
+
+// transitive1
+axiom(forall f: [int]int, x: int, y: int, z: int :: {ReachBetween(f, x, y, y), ReachBetween(f, y, z, z)} ReachBetween(f, x, y, y) && ReachBetween(f, y, z, z) ==> ReachBetween(f, x, z, z));
+
+// transitive2
+axiom(forall f: [int]int, x: int, y: int, z: int, w: int :: {ReachBetween(f, x, y, z), ReachBetween(f, y, w, z)} ReachBetween(f, x, y, z) && ReachBetween(f, y, w, z) ==> ReachBetween(f, x, y, w) && ReachBetween(f, x, w, z));
+
+// transitive3
+axiom(forall f: [int]int, x: int, y: int, z: int, w: int :: {ReachBetween(f, x, y, z), ReachBetween(f, x, w, y)} ReachBetween(f, x, y, z) && ReachBetween(f, x, w, y) ==> ReachBetween(f, x, w, z) && ReachBetween(f, w, y, z));
+
+// This axiom is required to deal with the incompleteness of the trigger for the reflexive axiom.
+// It cannot be proved using the rest of the axioms.
+axiom(forall f: [int]int, u:int, x: int :: {ReachBetween(f, u, x, x)} ReachBetween(f, u, x, x) ==> ReachBetween(f, u, u, x));
+
+// relation between ReachAvoiding and ReachBetween
+axiom(forall f: [int]int, x: int, y: int, z: int :: {ReachAvoiding(f, x, y, z)}{ReachBetween(f, x, y, z)} ReachAvoiding(f, x, y, z) <==> (ReachBetween(f, x, y, z) || (ReachBetween(f, x, y, y) && !ReachBetween(f, x, z, z))));
+
+// update
+axiom(forall f: [int]int, u: int, v: int, x: int, p: int, q: int :: {ReachAvoiding(f[p := q], u, v, x)} ReachAvoiding(f[p := q], u, v, x) <==> ((ReachAvoiding(f, u, v, p) && ReachAvoiding(f, u, v, x)) || (ReachAvoiding(f, u, p, x) && p != x && ReachAvoiding(f, q, v, p) && ReachAvoiding(f, q, v, x))));
+ ///////////////////////////////
+ // Shifts for linking fields
+ ///////////////////////////////
+function Shift_Flink__LIST_ENTRY(f: [int]int) returns ([int]int);
+axiom( forall f: [int]int, __x:int :: {f[Flink__LIST_ENTRY(__x)],Shift_Flink__LIST_ENTRY(f)} {Shift_Flink__LIST_ENTRY(f)[__x]} Shift_Flink__LIST_ENTRY(f)[__x] == f[Flink__LIST_ENTRY(__x)]);
+axiom(forall f: [int]int, __x:int, __v:int :: {Shift_Flink__LIST_ENTRY(f[Flink__LIST_ENTRY(__x) := __v])} Shift_Flink__LIST_ENTRY(f[Flink__LIST_ENTRY(__x) := __v]) == Shift_Flink__LIST_ENTRY(f)[__x := __v]);
+
+const unique Globals : int;
+axiom(Globals != 0);
+// the set of constants for 64 bit integers that Boogie doesn't parse
+const unique BOOGIE_LARGE_INT_3221553153:int;
+
+
+
+procedure ExAcquireFastMutex($FastMutex$1$15000.16$ExAcquireFastMutex$41:int);
+
+//TAG: ensures __preserves_mem
+ensures(Mem == old(Mem));
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+ensures((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN)));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_f19b65c1] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure ExAllocatePoolWithTag($PoolType$1$14789.57$ExAllocatePoolWithTag$121:int, $NumberOfBytes$2$14790.16$ExAllocatePoolWithTag$121:int, $Tag$3$14791.15$ExAllocatePoolWithTag$121:int) returns ($result.ExAllocatePoolWithTag$14788.0$1$:int);
+
+//TAG: ensures __preserves_mem
+ensures(Mem == old(Mem));
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+ensures((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN)));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_f19b65c1] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure ExFreePoolWithTag($P$1$14901.35$ExFreePoolWithTag$81:int, $Tag$2$14902.15$ExFreePoolWithTag$81:int);
+
+//TAG: ensures __preserves_mem
+ensures(Mem == old(Mem));
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+ensures((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN)));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_f19b65c1] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure ExReleaseFastMutex($FastMutex$1$15013.16$ExReleaseFastMutex$41:int);
+
+//TAG: ensures __preserves_mem
+ensures(Mem == old(Mem));
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+ensures((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN)));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_f19b65c1] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure InsertTailList($ListHead$1$6980.24$InsertTailList$81:int, $Entry$2$6981.41$InsertTailList$81:int);
+
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+ensures((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN)));
+//TAG: ensures __seteq(__btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), ListHead->Flink, ListHead), __setunion(__old(__btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), ListHead->Flink, ListHead)), __set(Entry)))
+ensures((Subset(ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY($ListHead$1$6980.24$InsertTailList$81)], $ListHead$1$6980.24$InsertTailList$81), Union(ReachBetweenSet(Shift_Flink__LIST_ENTRY(old(Mem)[T.Flink__LIST_ENTRY]), old(Mem)[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY($ListHead$1$6980.24$InsertTailList$81)], $ListHead$1$6980.24$InsertTailList$81), Singleton($Entry$2$6981.41$InsertTailList$81))) && Subset(Union(ReachBetweenSet(Shift_Flink__LIST_ENTRY(old(Mem)[T.Flink__LIST_ENTRY]), old(Mem)[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY($ListHead$1$6980.24$InsertTailList$81)], $ListHead$1$6980.24$InsertTailList$81), Singleton($Entry$2$6981.41$InsertTailList$81)), ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY($ListHead$1$6980.24$InsertTailList$81)], $ListHead$1$6980.24$InsertTailList$81))));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_f19b65c1] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure IoDeleteDevice($DeviceObject$1$21328.67$IoDeleteDevice$41:int);
+
+//TAG: ensures __preserves_mem
+ensures(Mem == old(Mem));
+//TAG: requires 1 ==> __resource("DEV_OBJ_INIT", DeviceObject) == 1 && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)DeviceObject)->DeviceExtension)) == 1
+requires((true) ==> ((Res_DEV_OBJ_INIT[$DeviceObject$1$21328.67$IoDeleteDevice$41] == 1) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT($DeviceObject$1$21328.67$IoDeleteDevice$41)]] == 1)));
+//TAG: ensures 1 ==> __resource("DEV_OBJ_INIT", DeviceObject) == 0 && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)DeviceObject)->DeviceExtension)) == 0
+ensures((true) ==> ((Res_DEV_OBJ_INIT[$DeviceObject$1$21328.67$IoDeleteDevice$41] == 0) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT($DeviceObject$1$21328.67$IoDeleteDevice$41)]] == 0)));
+//TAG: ensures 1 ==> __updates_resource("DEV_OBJ_INIT", DeviceObject, 0) && __updates_resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)DeviceObject)->DeviceExtension), 0)
+ensures((true) ==> ((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)[$DeviceObject$1$21328.67$IoDeleteDevice$41 := 0]) && (Res_DEV_EXTN == old(Res_DEV_EXTN)[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT($DeviceObject$1$21328.67$IoDeleteDevice$41)] := 0])));
+//TAG: ensures !1 ==> __resource("DEV_OBJ_INIT", DeviceObject) == __old_resource("DEV_OBJ_INIT", DeviceObject) && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)DeviceObject)->DeviceExtension)) == __old_resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)DeviceObject)->DeviceExtension))
+ensures((!(true)) ==> ((Res_DEV_OBJ_INIT[$DeviceObject$1$21328.67$IoDeleteDevice$41] == old(Res_DEV_OBJ_INIT)[$DeviceObject$1$21328.67$IoDeleteDevice$41]) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT($DeviceObject$1$21328.67$IoDeleteDevice$41)]] == old(Res_DEV_EXTN)[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT($DeviceObject$1$21328.67$IoDeleteDevice$41)]])));
+//TAG: ensures !1 ==> __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+free ensures((!(true)) ==> ((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN))));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)DeviceObject)->DeviceExtension)
+ensures (Subset(Empty(), Union(Union(Empty(), Empty()), Singleton(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT($DeviceObject$1$21328.67$IoDeleteDevice$41)]))) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT($DeviceObject$1$21328.67$IoDeleteDevice$41)] == r) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty, DeviceObject
+ensures (Subset(Empty(), Union(Union(Empty(), Empty()), Singleton($DeviceObject$1$21328.67$IoDeleteDevice$41))) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || ($DeviceObject$1$21328.67$IoDeleteDevice$41 == r) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_f19b65c1] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure IoGetDeviceObjectPointer($ObjectName$1$21492.26$IoGetDeviceObjectPointer$161:int, $DesiredAccess$2$21493.22$IoGetDeviceObjectPointer$161:int, $FileObject$3$21494.24$IoGetDeviceObjectPointer$161:int, $DeviceObject$4$21495.26$IoGetDeviceObjectPointer$161:int) returns ($result.IoGetDeviceObjectPointer$21491.0$1$:int);
+
+//TAG: ensures __preserves_mem
+ensures(Mem == old(Mem));
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+ensures((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN)));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_f19b65c1] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure KbdCreateClassObject($DriverObject$1$3354.28$KbdCreateClassObject$201:int, $TmpDeviceExtension$2$3355.28$KbdCreateClassObject$201:int, $ClassDeviceObject$3$3356.28$KbdCreateClassObject$201:int, $FullDeviceName$4$3357.35$KbdCreateClassObject$201:int, $Legacy$5$3358.28$KbdCreateClassObject$201:int) returns ($result.KbdCreateClassObject$3353.0$1$:int);
+
+//TAG: requires __pforall(_H_x, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension), __inv_resource("DEV_OBJ_INIT", 1), ((struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension))->Self == _H_x && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension)) == 1)
+requires((forall _H_x:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]} Inverse(Res_DEV_OBJ_INIT,1)[_H_x] ==> ((Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)])] == _H_x) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]] == 1))));
+//TAG: requires __pforall(_H_z, _H_z->Self, __inv_resource("DEV_EXTN", 1), __resource("DEV_OBJ_INIT", _H_z->Self) == 1 && (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(_H_z->Self))->DeviceExtension) == _H_z)
+requires((forall _H_z:int :: {Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]} Inverse(Res_DEV_EXTN,1)[_H_z] ==> ((Res_DEV_OBJ_INIT[Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]] == 1) && (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)])] == _H_z))));
+//TAG: requires __forall(_H_z, __inv_resource("DEV_EXTN", 1), 1)
+requires((Subset(Empty(), Inverse(Res_DEV_EXTN,1)) && (forall _H_z : int :: {Inverse(Res_DEV_EXTN,1)[_H_z]} (Inverse(Res_DEV_EXTN,1)[_H_z]) ==> (true))));
+//TAG: requires 1 ==> (Globals.GrandMaster != (void *)0 ==> __resource("DEV_EXTN", Globals.GrandMaster) == 1)
+requires((true) ==> ((Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] != 0) ==> (Res_DEV_EXTN[Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)]] == 1)));
+//TAG: requires 1 ==> __setin(&Globals.LegacyDeviceList, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList))
+requires((true) ==> (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[LegacyDeviceList__GLOBALS(Globals)]));
+//TAG: requires 1 ==> __forall(_H_y, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), _H_y == &Globals.LegacyDeviceList || __resource("DEV_EXTN", CONTAINING_RECORD(_H_y, struct _DEVICE_EXTENSION , Link)) == 1)
+requires((true) ==> ((Subset(Empty(), ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))) && (forall _H_y : int :: {ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]} (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]) ==> ((_H_y == LegacyDeviceList__GLOBALS(Globals)) || (Res_DEV_EXTN[MINUS_LEFT_PTR(_H_y, 1, Link__DEVICE_EXTENSION(0))] == 1))))));
+//TAG: requires 1 ==> !__setin(&Globals.GrandMaster->Link, __setminus(__btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), __set(&Globals.LegacyDeviceList)))
+requires((true) ==> (!(Difference(ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals)), Singleton(LegacyDeviceList__GLOBALS(Globals)))[Link__DEVICE_EXTENSION(Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)])])));
+//TAG: ensures __pforall(_H_x, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension), __inv_resource("DEV_OBJ_INIT", 1), ((struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension))->Self == _H_x && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension)) == 1)
+ensures((forall _H_x:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]} Inverse(Res_DEV_OBJ_INIT,1)[_H_x] ==> ((Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)])] == _H_x) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]] == 1))));
+//TAG: ensures __pforall(_H_z, _H_z->Self, __inv_resource("DEV_EXTN", 1), __resource("DEV_OBJ_INIT", _H_z->Self) == 1 && (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(_H_z->Self))->DeviceExtension) == _H_z)
+ensures((forall _H_z:int :: {Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]} Inverse(Res_DEV_EXTN,1)[_H_z] ==> ((Res_DEV_OBJ_INIT[Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]] == 1) && (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)])] == _H_z))));
+//TAG: ensures __forall(_H_z, __inv_resource("DEV_EXTN", 1), 1)
+ensures((Subset(Empty(), Inverse(Res_DEV_EXTN,1)) && (forall _H_z : int :: {Inverse(Res_DEV_EXTN,1)[_H_z]} (Inverse(Res_DEV_EXTN,1)[_H_z]) ==> (true))));
+//TAG: ensures 1 ==> (Globals.GrandMaster != (void *)0 ==> __resource("DEV_EXTN", Globals.GrandMaster) == 1)
+ensures((true) ==> ((Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] != 0) ==> (Res_DEV_EXTN[Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)]] == 1)));
+//TAG: ensures 1 ==> __setin(&Globals.LegacyDeviceList, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList))
+ensures((true) ==> (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[LegacyDeviceList__GLOBALS(Globals)]));
+//TAG: ensures 1 ==> __forall(_H_y, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), _H_y == &Globals.LegacyDeviceList || __resource("DEV_EXTN", CONTAINING_RECORD(_H_y, struct _DEVICE_EXTENSION , Link)) == 1)
+ensures((true) ==> ((Subset(Empty(), ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))) && (forall _H_y : int :: {ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]} (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]) ==> ((_H_y == LegacyDeviceList__GLOBALS(Globals)) || (Res_DEV_EXTN[MINUS_LEFT_PTR(_H_y, 1, Link__DEVICE_EXTENSION(0))] == 1))))));
+//TAG: ensures 1 ==> !__setin(&Globals.GrandMaster->Link, __setminus(__btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), __set(&Globals.LegacyDeviceList)))
+ensures((true) ==> (!(Difference(ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals)), Singleton(LegacyDeviceList__GLOBALS(Globals)))[Link__DEVICE_EXTENSION(Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)])])));
+//TAG: ensures __preserves_field_map(__offset((*((struct _LIST_ENTRY *)0)).Flink))
+ensures(Mem[T.Flink__LIST_ENTRY] == old(Mem)[T.Flink__LIST_ENTRY]);
+//TAG: ensures (LONG)__return >= 0 ==> *ClassDeviceObject != (void *)0
+ensures(($result.KbdCreateClassObject$3353.0$1$ >= 0) ==> (Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3356.28$KbdCreateClassObject$201] != 0));
+//TAG: ensures (LONG)__return >= 0 ==> (*ClassDeviceObject)->DeviceExtension != (void *)0
+ensures(($result.KbdCreateClassObject$3353.0$1$ >= 0) ==> (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3356.28$KbdCreateClassObject$201])] != 0));
+//TAG: ensures (LONG)__return >= 0 ==> __resource("DEV_EXTN", (*ClassDeviceObject)->DeviceExtension) == 1
+ensures(($result.KbdCreateClassObject$3353.0$1$ >= 0) ==> (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3356.28$KbdCreateClassObject$201])]] == 1));
+//TAG: ensures (LONG)__return >= 0 ==> __resource("DEV_OBJ_INIT", *ClassDeviceObject) == 1 && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(*ClassDeviceObject))->DeviceExtension)) == 1
+ensures(($result.KbdCreateClassObject$3353.0$1$ >= 0) ==> ((Res_DEV_OBJ_INIT[Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3356.28$KbdCreateClassObject$201]] == 1) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3356.28$KbdCreateClassObject$201])]] == 1)));
+//TAG: ensures (LONG)__return >= 0 ==> __old_resource("DEV_OBJ_INIT", *ClassDeviceObject) == 0 && __old_resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(*ClassDeviceObject))->DeviceExtension)) == 0
+ensures(($result.KbdCreateClassObject$3353.0$1$ >= 0) ==> ((old(Res_DEV_OBJ_INIT)[Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3356.28$KbdCreateClassObject$201]] == 0) && (old(Res_DEV_EXTN)[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3356.28$KbdCreateClassObject$201])]] == 0)));
+//TAG: ensures (LONG)__return >= 0 ==> __updates_resource("DEV_OBJ_INIT", *ClassDeviceObject, 1) && __updates_resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(*ClassDeviceObject))->DeviceExtension), 1)
+ensures(($result.KbdCreateClassObject$3353.0$1$ >= 0) ==> ((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)[Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3356.28$KbdCreateClassObject$201] := 1]) && (Res_DEV_EXTN == old(Res_DEV_EXTN)[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3356.28$KbdCreateClassObject$201])] := 1])));
+//TAG: ensures !((LONG)__return >= 0) ==> __resource("DEV_OBJ_INIT", *ClassDeviceObject) == __old_resource("DEV_OBJ_INIT", *ClassDeviceObject) && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(*ClassDeviceObject))->DeviceExtension)) == __old_resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(*ClassDeviceObject))->DeviceExtension))
+ensures((!($result.KbdCreateClassObject$3353.0$1$ >= 0)) ==> ((Res_DEV_OBJ_INIT[Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3356.28$KbdCreateClassObject$201]] == old(Res_DEV_OBJ_INIT)[Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3356.28$KbdCreateClassObject$201]]) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3356.28$KbdCreateClassObject$201])]] == old(Res_DEV_EXTN)[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3356.28$KbdCreateClassObject$201])]])));
+//TAG: ensures !((LONG)__return >= 0) ==> __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+free ensures((!($result.KbdCreateClassObject$3353.0$1$ >= 0)) ==> ((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN))));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(*ClassDeviceObject))->DeviceExtension)
+ensures (Subset(Empty(), Union(Union(Empty(), Empty()), Singleton(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3356.28$KbdCreateClassObject$201])]))) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3356.28$KbdCreateClassObject$201])] == r) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty, *ClassDeviceObject
+ensures (Subset(Empty(), Union(Union(Empty(), Empty()), Singleton(Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3356.28$KbdCreateClassObject$201]))) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || (Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3356.28$KbdCreateClassObject$201] == r) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_f19b65c1] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_true
+ensures (Subset(Empty(), Union(Empty(), SetTrue())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (SetTrue()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty, ClassDeviceObject
+ensures (Subset(Empty(), Union(Union(Empty(), Empty()), Singleton($ClassDeviceObject$3$3356.28$KbdCreateClassObject$201))) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || (_m == $ClassDeviceObject$3$3356.28$KbdCreateClassObject$201) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure KbdDeterminePortsServiced($BasePortName$1$3676.23$KbdDeterminePortsServiced$81:int, $NumberPortsServiced$2$3677.18$KbdDeterminePortsServiced$81:int) returns ($result.KbdDeterminePortsServiced$3675.0$1$:int);
+
+//TAG: requires __pforall(_H_x, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension), __inv_resource("DEV_OBJ_INIT", 1), ((struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension))->Self == _H_x && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension)) == 1)
+requires((forall _H_x:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]} Inverse(Res_DEV_OBJ_INIT,1)[_H_x] ==> ((Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)])] == _H_x) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]] == 1))));
+//TAG: requires __pforall(_H_z, _H_z->Self, __inv_resource("DEV_EXTN", 1), __resource("DEV_OBJ_INIT", _H_z->Self) == 1 && (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(_H_z->Self))->DeviceExtension) == _H_z)
+requires((forall _H_z:int :: {Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]} Inverse(Res_DEV_EXTN,1)[_H_z] ==> ((Res_DEV_OBJ_INIT[Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]] == 1) && (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)])] == _H_z))));
+//TAG: requires __forall(_H_z, __inv_resource("DEV_EXTN", 1), 1)
+requires((Subset(Empty(), Inverse(Res_DEV_EXTN,1)) && (forall _H_z : int :: {Inverse(Res_DEV_EXTN,1)[_H_z]} (Inverse(Res_DEV_EXTN,1)[_H_z]) ==> (true))));
+//TAG: requires 1 ==> (Globals.GrandMaster != (void *)0 ==> __resource("DEV_EXTN", Globals.GrandMaster) == 1)
+requires((true) ==> ((Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] != 0) ==> (Res_DEV_EXTN[Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)]] == 1)));
+//TAG: requires 1 ==> __setin(&Globals.LegacyDeviceList, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList))
+requires((true) ==> (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[LegacyDeviceList__GLOBALS(Globals)]));
+//TAG: requires 1 ==> __forall(_H_y, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), _H_y == &Globals.LegacyDeviceList || __resource("DEV_EXTN", CONTAINING_RECORD(_H_y, struct _DEVICE_EXTENSION , Link)) == 1)
+requires((true) ==> ((Subset(Empty(), ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))) && (forall _H_y : int :: {ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]} (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]) ==> ((_H_y == LegacyDeviceList__GLOBALS(Globals)) || (Res_DEV_EXTN[MINUS_LEFT_PTR(_H_y, 1, Link__DEVICE_EXTENSION(0))] == 1))))));
+//TAG: requires 1 ==> !__setin(&Globals.GrandMaster->Link, __setminus(__btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), __set(&Globals.LegacyDeviceList)))
+requires((true) ==> (!(Difference(ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals)), Singleton(LegacyDeviceList__GLOBALS(Globals)))[Link__DEVICE_EXTENSION(Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)])])));
+//TAG: ensures __pforall(_H_x, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension), __inv_resource("DEV_OBJ_INIT", 1), ((struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension))->Self == _H_x && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension)) == 1)
+ensures((forall _H_x:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]} Inverse(Res_DEV_OBJ_INIT,1)[_H_x] ==> ((Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)])] == _H_x) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]] == 1))));
+//TAG: ensures __pforall(_H_z, _H_z->Self, __inv_resource("DEV_EXTN", 1), __resource("DEV_OBJ_INIT", _H_z->Self) == 1 && (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(_H_z->Self))->DeviceExtension) == _H_z)
+ensures((forall _H_z:int :: {Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]} Inverse(Res_DEV_EXTN,1)[_H_z] ==> ((Res_DEV_OBJ_INIT[Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]] == 1) && (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)])] == _H_z))));
+//TAG: ensures __forall(_H_z, __inv_resource("DEV_EXTN", 1), 1)
+ensures((Subset(Empty(), Inverse(Res_DEV_EXTN,1)) && (forall _H_z : int :: {Inverse(Res_DEV_EXTN,1)[_H_z]} (Inverse(Res_DEV_EXTN,1)[_H_z]) ==> (true))));
+//TAG: ensures 1 ==> (Globals.GrandMaster != (void *)0 ==> __resource("DEV_EXTN", Globals.GrandMaster) == 1)
+ensures((true) ==> ((Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] != 0) ==> (Res_DEV_EXTN[Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)]] == 1)));
+//TAG: ensures 1 ==> __setin(&Globals.LegacyDeviceList, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList))
+ensures((true) ==> (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[LegacyDeviceList__GLOBALS(Globals)]));
+//TAG: ensures 1 ==> __forall(_H_y, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), _H_y == &Globals.LegacyDeviceList || __resource("DEV_EXTN", CONTAINING_RECORD(_H_y, struct _DEVICE_EXTENSION , Link)) == 1)
+ensures((true) ==> ((Subset(Empty(), ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))) && (forall _H_y : int :: {ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]} (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]) ==> ((_H_y == LegacyDeviceList__GLOBALS(Globals)) || (Res_DEV_EXTN[MINUS_LEFT_PTR(_H_y, 1, Link__DEVICE_EXTENSION(0))] == 1))))));
+//TAG: ensures 1 ==> !__setin(&Globals.GrandMaster->Link, __setminus(__btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), __set(&Globals.LegacyDeviceList)))
+ensures((true) ==> (!(Difference(ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals)), Singleton(LegacyDeviceList__GLOBALS(Globals)))[Link__DEVICE_EXTENSION(Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)])])));
+//TAG: ensures __preserves_field_map(__offset((*((struct _LIST_ENTRY *)0)).Flink))
+ensures(Mem[T.Flink__LIST_ENTRY] == old(Mem)[T.Flink__LIST_ENTRY]);
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT")
+ensures(Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT));
+//TAG: ensures __preserves_resource("DEV_EXTN")
+ensures(Res_DEV_EXTN == old(Res_DEV_EXTN));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_f19b65c1] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure KeyboardAddDeviceEx($ClassData$1$819.28$KeyboardAddDeviceEx$121:int, $FullClassName$2$820.28$KeyboardAddDeviceEx$121:int, $File$3$821.28$KeyboardAddDeviceEx$121:int) returns ($result.KeyboardAddDeviceEx$818.0$1$:int);
+
+//TAG: requires __resource("DEV_EXTN", ClassData) == 1
+requires(Res_DEV_EXTN[$ClassData$1$819.28$KeyboardAddDeviceEx$121] == 1);
+//TAG: requires __pforall(_H_x, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension), __inv_resource("DEV_OBJ_INIT", 1), ((struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension))->Self == _H_x && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension)) == 1)
+requires((forall _H_x:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]} Inverse(Res_DEV_OBJ_INIT,1)[_H_x] ==> ((Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)])] == _H_x) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]] == 1))));
+//TAG: requires __pforall(_H_z, _H_z->Self, __inv_resource("DEV_EXTN", 1), __resource("DEV_OBJ_INIT", _H_z->Self) == 1 && (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(_H_z->Self))->DeviceExtension) == _H_z)
+requires((forall _H_z:int :: {Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]} Inverse(Res_DEV_EXTN,1)[_H_z] ==> ((Res_DEV_OBJ_INIT[Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]] == 1) && (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)])] == _H_z))));
+//TAG: requires __forall(_H_z, __inv_resource("DEV_EXTN", 1), 1)
+requires((Subset(Empty(), Inverse(Res_DEV_EXTN,1)) && (forall _H_z : int :: {Inverse(Res_DEV_EXTN,1)[_H_z]} (Inverse(Res_DEV_EXTN,1)[_H_z]) ==> (true))));
+//TAG: requires 1 ==> (Globals.GrandMaster != (void *)0 ==> __resource("DEV_EXTN", Globals.GrandMaster) == 1)
+requires((true) ==> ((Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] != 0) ==> (Res_DEV_EXTN[Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)]] == 1)));
+//TAG: requires 1 ==> __setin(&Globals.LegacyDeviceList, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList))
+requires((true) ==> (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[LegacyDeviceList__GLOBALS(Globals)]));
+//TAG: requires 1 ==> __forall(_H_y, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), _H_y == &Globals.LegacyDeviceList || __resource("DEV_EXTN", CONTAINING_RECORD(_H_y, struct _DEVICE_EXTENSION , Link)) == 1)
+requires((true) ==> ((Subset(Empty(), ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))) && (forall _H_y : int :: {ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]} (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]) ==> ((_H_y == LegacyDeviceList__GLOBALS(Globals)) || (Res_DEV_EXTN[MINUS_LEFT_PTR(_H_y, 1, Link__DEVICE_EXTENSION(0))] == 1))))));
+//TAG: requires 1 ==> !__setin(&Globals.GrandMaster->Link, __setminus(__btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), __set(&Globals.LegacyDeviceList)))
+requires((true) ==> (!(Difference(ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals)), Singleton(LegacyDeviceList__GLOBALS(Globals)))[Link__DEVICE_EXTENSION(Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)])])));
+//TAG: ensures __resource("DEV_EXTN", ClassData) == 1
+ensures(Res_DEV_EXTN[$ClassData$1$819.28$KeyboardAddDeviceEx$121] == 1);
+//TAG: ensures __pforall(_H_x, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension), __inv_resource("DEV_OBJ_INIT", 1), ((struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension))->Self == _H_x && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension)) == 1)
+ensures((forall _H_x:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]} Inverse(Res_DEV_OBJ_INIT,1)[_H_x] ==> ((Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)])] == _H_x) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]] == 1))));
+//TAG: ensures __pforall(_H_z, _H_z->Self, __inv_resource("DEV_EXTN", 1), __resource("DEV_OBJ_INIT", _H_z->Self) == 1 && (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(_H_z->Self))->DeviceExtension) == _H_z)
+ensures((forall _H_z:int :: {Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]} Inverse(Res_DEV_EXTN,1)[_H_z] ==> ((Res_DEV_OBJ_INIT[Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]] == 1) && (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)])] == _H_z))));
+//TAG: ensures __forall(_H_z, __inv_resource("DEV_EXTN", 1), 1)
+ensures((Subset(Empty(), Inverse(Res_DEV_EXTN,1)) && (forall _H_z : int :: {Inverse(Res_DEV_EXTN,1)[_H_z]} (Inverse(Res_DEV_EXTN,1)[_H_z]) ==> (true))));
+//TAG: ensures 1 ==> (Globals.GrandMaster != (void *)0 ==> __resource("DEV_EXTN", Globals.GrandMaster) == 1)
+ensures((true) ==> ((Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] != 0) ==> (Res_DEV_EXTN[Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)]] == 1)));
+//TAG: ensures 1 ==> __setin(&Globals.LegacyDeviceList, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList))
+ensures((true) ==> (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[LegacyDeviceList__GLOBALS(Globals)]));
+//TAG: ensures 1 ==> __forall(_H_y, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), _H_y == &Globals.LegacyDeviceList || __resource("DEV_EXTN", CONTAINING_RECORD(_H_y, struct _DEVICE_EXTENSION , Link)) == 1)
+ensures((true) ==> ((Subset(Empty(), ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))) && (forall _H_y : int :: {ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]} (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]) ==> ((_H_y == LegacyDeviceList__GLOBALS(Globals)) || (Res_DEV_EXTN[MINUS_LEFT_PTR(_H_y, 1, Link__DEVICE_EXTENSION(0))] == 1))))));
+//TAG: ensures 1 ==> !__setin(&Globals.GrandMaster->Link, __setminus(__btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), __set(&Globals.LegacyDeviceList)))
+ensures((true) ==> (!(Difference(ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals)), Singleton(LegacyDeviceList__GLOBALS(Globals)))[Link__DEVICE_EXTENSION(Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)])])));
+//TAG: ensures __preserves_field_map(__offset((*((struct _LIST_ENTRY *)0)).Flink))
+ensures(Mem[T.Flink__LIST_ENTRY] == old(Mem)[T.Flink__LIST_ENTRY]);
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT")
+ensures(Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT));
+//TAG: ensures __preserves_resource("DEV_EXTN")
+ensures(Res_DEV_EXTN == old(Res_DEV_EXTN));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_f19b65c1] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure KeyboardClassLogError($Object$1$4824.10$KeyboardClassLogError$281:int, $ErrorCode$2$4825.10$KeyboardClassLogError$281:int, $UniqueErrorValue$3$4826.10$KeyboardClassLogError$281:int, $FinalStatus$4$4827.13$KeyboardClassLogError$281:int, $DumpCount$5$4828.10$KeyboardClassLogError$281:int, $DumpData$6$4829.11$KeyboardClassLogError$281:int, $MajorFunction$7$4830.10$KeyboardClassLogError$281:int);
+
+//TAG: requires __pforall(_H_x, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension), __inv_resource("DEV_OBJ_INIT", 1), ((struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension))->Self == _H_x && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension)) == 1)
+requires((forall _H_x:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]} Inverse(Res_DEV_OBJ_INIT,1)[_H_x] ==> ((Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)])] == _H_x) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]] == 1))));
+//TAG: requires __pforall(_H_z, _H_z->Self, __inv_resource("DEV_EXTN", 1), __resource("DEV_OBJ_INIT", _H_z->Self) == 1 && (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(_H_z->Self))->DeviceExtension) == _H_z)
+requires((forall _H_z:int :: {Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]} Inverse(Res_DEV_EXTN,1)[_H_z] ==> ((Res_DEV_OBJ_INIT[Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]] == 1) && (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)])] == _H_z))));
+//TAG: requires __forall(_H_z, __inv_resource("DEV_EXTN", 1), 1)
+requires((Subset(Empty(), Inverse(Res_DEV_EXTN,1)) && (forall _H_z : int :: {Inverse(Res_DEV_EXTN,1)[_H_z]} (Inverse(Res_DEV_EXTN,1)[_H_z]) ==> (true))));
+//TAG: requires 1 ==> (Globals.GrandMaster != (void *)0 ==> __resource("DEV_EXTN", Globals.GrandMaster) == 1)
+requires((true) ==> ((Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] != 0) ==> (Res_DEV_EXTN[Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)]] == 1)));
+//TAG: requires 1 ==> __setin(&Globals.LegacyDeviceList, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList))
+requires((true) ==> (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[LegacyDeviceList__GLOBALS(Globals)]));
+//TAG: requires 1 ==> __forall(_H_y, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), _H_y == &Globals.LegacyDeviceList || __resource("DEV_EXTN", CONTAINING_RECORD(_H_y, struct _DEVICE_EXTENSION , Link)) == 1)
+requires((true) ==> ((Subset(Empty(), ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))) && (forall _H_y : int :: {ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]} (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]) ==> ((_H_y == LegacyDeviceList__GLOBALS(Globals)) || (Res_DEV_EXTN[MINUS_LEFT_PTR(_H_y, 1, Link__DEVICE_EXTENSION(0))] == 1))))));
+//TAG: requires 1 ==> !__setin(&Globals.GrandMaster->Link, __setminus(__btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), __set(&Globals.LegacyDeviceList)))
+requires((true) ==> (!(Difference(ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals)), Singleton(LegacyDeviceList__GLOBALS(Globals)))[Link__DEVICE_EXTENSION(Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)])])));
+//TAG: ensures __pforall(_H_x, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension), __inv_resource("DEV_OBJ_INIT", 1), ((struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension))->Self == _H_x && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension)) == 1)
+ensures((forall _H_x:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]} Inverse(Res_DEV_OBJ_INIT,1)[_H_x] ==> ((Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)])] == _H_x) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]] == 1))));
+//TAG: ensures __pforall(_H_z, _H_z->Self, __inv_resource("DEV_EXTN", 1), __resource("DEV_OBJ_INIT", _H_z->Self) == 1 && (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(_H_z->Self))->DeviceExtension) == _H_z)
+ensures((forall _H_z:int :: {Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]} Inverse(Res_DEV_EXTN,1)[_H_z] ==> ((Res_DEV_OBJ_INIT[Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]] == 1) && (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)])] == _H_z))));
+//TAG: ensures __forall(_H_z, __inv_resource("DEV_EXTN", 1), 1)
+ensures((Subset(Empty(), Inverse(Res_DEV_EXTN,1)) && (forall _H_z : int :: {Inverse(Res_DEV_EXTN,1)[_H_z]} (Inverse(Res_DEV_EXTN,1)[_H_z]) ==> (true))));
+//TAG: ensures 1 ==> (Globals.GrandMaster != (void *)0 ==> __resource("DEV_EXTN", Globals.GrandMaster) == 1)
+ensures((true) ==> ((Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] != 0) ==> (Res_DEV_EXTN[Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)]] == 1)));
+//TAG: ensures 1 ==> __setin(&Globals.LegacyDeviceList, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList))
+ensures((true) ==> (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[LegacyDeviceList__GLOBALS(Globals)]));
+//TAG: ensures 1 ==> __forall(_H_y, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), _H_y == &Globals.LegacyDeviceList || __resource("DEV_EXTN", CONTAINING_RECORD(_H_y, struct _DEVICE_EXTENSION , Link)) == 1)
+ensures((true) ==> ((Subset(Empty(), ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))) && (forall _H_y : int :: {ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]} (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]) ==> ((_H_y == LegacyDeviceList__GLOBALS(Globals)) || (Res_DEV_EXTN[MINUS_LEFT_PTR(_H_y, 1, Link__DEVICE_EXTENSION(0))] == 1))))));
+//TAG: ensures 1 ==> !__setin(&Globals.GrandMaster->Link, __setminus(__btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), __set(&Globals.LegacyDeviceList)))
+ensures((true) ==> (!(Difference(ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals)), Singleton(LegacyDeviceList__GLOBALS(Globals)))[Link__DEVICE_EXTENSION(Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)])])));
+//TAG: ensures __preserves_field_map(__offset((*((struct _LIST_ENTRY *)0)).Flink))
+ensures(Mem[T.Flink__LIST_ENTRY] == old(Mem)[T.Flink__LIST_ENTRY]);
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT")
+ensures(Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT));
+//TAG: ensures __preserves_resource("DEV_EXTN")
+ensures(Res_DEV_EXTN == old(Res_DEV_EXTN));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_f19b65c1] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure ObfDereferenceObject($Object$1$24931.15$ObfDereferenceObject$41:int) returns ($result.ObfDereferenceObject$24930.0$1$:int);
+
+//TAG: ensures __preserves_mem
+ensures(Mem == old(Mem));
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+ensures((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN)));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_f19b65c1] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure RtlAppendUnicodeToString($Destination$1$7421.28$RtlAppendUnicodeToString$81:int, $Source$2$7422.20$RtlAppendUnicodeToString$81:int) returns ($result.RtlAppendUnicodeToString$7420.0$1$:int);
+
+//TAG: ensures __preserves_mem
+ensures(Mem == old(Mem));
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+ensures((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN)));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_f19b65c1] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure RtlCopyUnicodeString($DestinationString$1$7401.28$RtlCopyUnicodeString$81:int, $SourceString$2$7402.30$RtlCopyUnicodeString$81:int);
+
+//TAG: ensures __preserves_mem
+ensures(Mem == old(Mem));
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+ensures((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN)));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_f19b65c1] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure RtlInitUnicodeString($DestinationString$1$7281.26$RtlInitUnicodeString$81:int, $SourceString$2$7282.37$RtlInitUnicodeString$81:int);
+
+//TAG: ensures __preserves_mem
+ensures(Mem == old(Mem));
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+ensures((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN)));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_f19b65c1] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure __PREfastPagedCode();
+
+//TAG: ensures __preserves_mem
+ensures(Mem == old(Mem));
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+ensures((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN)));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_f19b65c1] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure KeyboardClassFindMorePorts($DriverObject$1$4861.20$KeyboardClassFindMorePorts$121:int, $Context$2$4862.20$KeyboardClassFindMorePorts$121:int, $Count$3$4863.20$KeyboardClassFindMorePorts$121:int)
+
+//TAG: requires 1 ==> (Globals.GrandMaster != (void *)0 ==> __resource("DEV_EXTN", Globals.GrandMaster) == 1)
+requires((true) ==> ((Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] != 0) ==> (Res_DEV_EXTN[Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)]] == 1)));
+//TAG: requires 1 ==> __setin(&Globals.LegacyDeviceList, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList))
+requires((true) ==> (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[LegacyDeviceList__GLOBALS(Globals)]));
+//TAG: requires 1 ==> __forall(_H_y, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), _H_y == &Globals.LegacyDeviceList || __resource("DEV_EXTN", CONTAINING_RECORD(_H_y, struct _DEVICE_EXTENSION , Link)) == 1)
+requires((true) ==> ((Subset(Empty(), ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))) && (forall _H_y : int :: {ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]} (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]) ==> ((_H_y == LegacyDeviceList__GLOBALS(Globals)) || (Res_DEV_EXTN[MINUS_LEFT_PTR(_H_y, 1, Link__DEVICE_EXTENSION(0))] == 1))))));
+//TAG: requires 1 ==> !__setin(&Globals.GrandMaster->Link, __setminus(__btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), __set(&Globals.LegacyDeviceList)))
+requires((true) ==> (!(Difference(ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals)), Singleton(LegacyDeviceList__GLOBALS(Globals)))[Link__DEVICE_EXTENSION(Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)])])));
+//TAG: requires __pforall(_H_x, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension), __inv_resource("DEV_OBJ_INIT", 1), ((struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension))->Self == _H_x && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension)) == 1)
+requires((forall _H_x:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]} Inverse(Res_DEV_OBJ_INIT,1)[_H_x] ==> ((Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)])] == _H_x) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]] == 1))));
+//TAG: requires __pforall(_H_z, _H_z->Self, __inv_resource("DEV_EXTN", 1), __resource("DEV_OBJ_INIT", _H_z->Self) == 1 && (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(_H_z->Self))->DeviceExtension) == _H_z) && __forall(_H_z, __inv_resource("DEV_EXTN", 1), 1)
+requires(((forall _H_z:int :: {Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]} Inverse(Res_DEV_EXTN,1)[_H_z] ==> ((Res_DEV_OBJ_INIT[Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]] == 1) && (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)])] == _H_z)))) && ((Subset(Empty(), Inverse(Res_DEV_EXTN,1)) && (forall _H_z : int :: {Inverse(Res_DEV_EXTN,1)[_H_z]} (Inverse(Res_DEV_EXTN,1)[_H_z]) ==> (true)))));
+//TAG: ensures 1 ==> (Globals.GrandMaster != (void *)0 ==> __resource("DEV_EXTN", Globals.GrandMaster) == 1)
+ensures((true) ==> ((Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] != 0) ==> (Res_DEV_EXTN[Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)]] == 1)));
+//TAG: ensures 1 ==> __setin(&Globals.LegacyDeviceList, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList))
+ensures((true) ==> (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[LegacyDeviceList__GLOBALS(Globals)]));
+//TAG: ensures 1 ==> __forall(_H_y, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), _H_y == &Globals.LegacyDeviceList || __resource("DEV_EXTN", CONTAINING_RECORD(_H_y, struct _DEVICE_EXTENSION , Link)) == 1)
+ensures((true) ==> ((Subset(Empty(), ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))) && (forall _H_y : int :: {ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]} (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]) ==> ((_H_y == LegacyDeviceList__GLOBALS(Globals)) || (Res_DEV_EXTN[MINUS_LEFT_PTR(_H_y, 1, Link__DEVICE_EXTENSION(0))] == 1))))));
+//TAG: ensures 1 ==> !__setin(&Globals.GrandMaster->Link, __setminus(__btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), __set(&Globals.LegacyDeviceList)))
+ensures((true) ==> (!(Difference(ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals)), Singleton(LegacyDeviceList__GLOBALS(Globals)))[Link__DEVICE_EXTENSION(Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)])])));
+//TAG: ensures __pforall(_H_x, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension), __inv_resource("DEV_OBJ_INIT", 1), ((struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension))->Self == _H_x && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension)) == 1)
+ensures((forall _H_x:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]} Inverse(Res_DEV_OBJ_INIT,1)[_H_x] ==> ((Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)])] == _H_x) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]] == 1))));
+//TAG: ensures __pforall(_H_z, _H_z->Self, __inv_resource("DEV_EXTN", 1), __resource("DEV_OBJ_INIT", _H_z->Self) == 1 && (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(_H_z->Self))->DeviceExtension) == _H_z) && __forall(_H_z, __inv_resource("DEV_EXTN", 1), 1)
+ensures(((forall _H_z:int :: {Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]} Inverse(Res_DEV_EXTN,1)[_H_z] ==> ((Res_DEV_OBJ_INIT[Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]] == 1) && (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)])] == _H_z)))) && ((Subset(Empty(), Inverse(Res_DEV_EXTN,1)) && (forall _H_z : int :: {Inverse(Res_DEV_EXTN,1)[_H_z]} (Inverse(Res_DEV_EXTN,1)[_H_z]) ==> (true)))));
+modifies alloc;
+free ensures(forall f:int :: {alloc[Base(f)]} old(alloc)[Base(f)] == UNALLOCATED || old(alloc)[Base(f)] == alloc[Base(f)]);
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for:
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for:
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for:
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for:
+
+//TAG: havoc memory locations by default
+modifies Mem;
+{
+var havoc_stringTemp:int;
+var condVal:int;
+var $Context$2$4862.20$KeyboardClassFindMorePorts$12 : int;
+var $Count$3$4863.20$KeyboardClassFindMorePorts$12 : int;
+var $DriverObject$1$4861.20$KeyboardClassFindMorePorts$12 : int;
+var $ExAllocatePoolWithTag.arg.2$5$ : int;
+var $KbdDebugPrint.arg.2$6$ : int;
+var $RtlAppendUnicodeToString.arg.2$10$ : int;
+var $RtlAppendUnicodeToString.arg.2$13$ : int;
+var $RtlAppendUnicodeToString.arg.2$3$ : int;
+var $basePortBuffer$13$4895.28$KeyboardClassFindMorePorts$12 : int;
+var $basePortName$11$4893.28$KeyboardClassFindMorePorts$12 : int;
+var $classDeviceObject$6$4888.28$KeyboardClassFindMorePorts$12 : int;
+var $deviceExtension$5$4887.28$KeyboardClassFindMorePorts$12 : int;
+var $dumpData$7$4889.28$KeyboardClassFindMorePorts$12 : int;
+var $file$15$4897.28$KeyboardClassFindMorePorts$12 : int;
+var $fullClassName$14$4896.28$KeyboardClassFindMorePorts$12 : int;
+var $fullPortName$12$4894.28$KeyboardClassFindMorePorts$12 : int;
+var $i$8$4890.28$KeyboardClassFindMorePorts$12 : int;
+var $memset.arg.3$8$ : int;
+var $numPorts$9$4891.28$KeyboardClassFindMorePorts$12 : int;
+var $port$16$5029.22$KeyboardClassFindMorePorts$12 : int;
+var $result.ExAllocatePoolWithTag$4926.0$4$ : int;
+var $result.IoGetDeviceObjectPointer$5001.42$16$ : int;
+var $result.KbdCreateClassObject$4978.38$15$ : int;
+var $result.KbdDeterminePortsServiced$4954.29$14$ : int;
+var $result.KeyboardAddDeviceEx$5013.37$17$ : int;
+var $result.ObfDereferenceObject$5042.16$18$ : int;
+var $result.RtlAppendUnicodeToString$4915.28$2$ : int;
+var $result.RtlAppendUnicodeToString$4950.28$9$ : int;
+var $result.RtlAppendUnicodeToString$4951.28$11$ : int;
+var $result.RtlAppendUnicodeToString$4952.28$12$ : int;
+var $result.memset$4903.4$1$ : int;
+var $result.memset$4949.4$7$ : int;
+var $status$4$4886.28$KeyboardClassFindMorePorts$12 : int;
+var $successfulCreates$10$4892.28$KeyboardClassFindMorePorts$12 : int;
+var tempBoogie0:int;
+var tempBoogie1:int;
+var tempBoogie2:int;
+var tempBoogie3:int;
+var tempBoogie4:int;
+var tempBoogie5:int;
+var tempBoogie6:int;
+var tempBoogie7:int;
+var tempBoogie8:int;
+var tempBoogie9:int;
+var tempBoogie10:int;
+var tempBoogie11:int;
+var tempBoogie12:int;
+var tempBoogie13:int;
+var tempBoogie14:int;
+var tempBoogie15:int;
+var tempBoogie16:int;
+var tempBoogie17:int;
+var tempBoogie18:int;
+var tempBoogie19:int;
+var LOOP_74_alloc:[int]name;
+var LOOP_74_Mem:[name][int]int;
+var LOOP_74_Res_DEVICE_STACK:[int]int;
+var LOOP_74_Res_DEV_EXTN:[int]int;
+var LOOP_74_Res_DEV_OBJ_INIT:[int]int;
+var LOOP_74_Res_SPIN_LOCK:[int]int;
+
+
+start:
+
+assume (alloc[$DriverObject$1$4861.20$KeyboardClassFindMorePorts$121] != UNALLOCATED);
+assume (alloc[$Context$2$4862.20$KeyboardClassFindMorePorts$121] != UNALLOCATED);
+call $basePortBuffer$13$4895.28$KeyboardClassFindMorePorts$12 := __HAVOC_malloc(512);
+call $basePortName$11$4893.28$KeyboardClassFindMorePorts$12 := __HAVOC_malloc(8);
+call $classDeviceObject$6$4888.28$KeyboardClassFindMorePorts$12 := __HAVOC_malloc(4);
+call $dumpData$7$4889.28$KeyboardClassFindMorePorts$12 := __HAVOC_malloc(16);
+call $file$15$4897.28$KeyboardClassFindMorePorts$12 := __HAVOC_malloc(4);
+call $fullClassName$14$4896.28$KeyboardClassFindMorePorts$12 := __HAVOC_malloc(4);
+call $fullPortName$12$4894.28$KeyboardClassFindMorePorts$12 := __HAVOC_malloc(8);
+call $numPorts$9$4891.28$KeyboardClassFindMorePorts$12 := __HAVOC_malloc(4);
+$DriverObject$1$4861.20$KeyboardClassFindMorePorts$12 := $DriverObject$1$4861.20$KeyboardClassFindMorePorts$121;
+$Context$2$4862.20$KeyboardClassFindMorePorts$12 := $Context$2$4862.20$KeyboardClassFindMorePorts$121;
+$Count$3$4863.20$KeyboardClassFindMorePorts$12 := $Count$3$4863.20$KeyboardClassFindMorePorts$121;
+goto label_3;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(5070)
+label_1:
+call __HAVOC_free($basePortBuffer$13$4895.28$KeyboardClassFindMorePorts$12);
+call __HAVOC_free($basePortName$11$4893.28$KeyboardClassFindMorePorts$12);
+call __HAVOC_free($classDeviceObject$6$4888.28$KeyboardClassFindMorePorts$12);
+call __HAVOC_free($dumpData$7$4889.28$KeyboardClassFindMorePorts$12);
+call __HAVOC_free($file$15$4897.28$KeyboardClassFindMorePorts$12);
+call __HAVOC_free($fullClassName$14$4896.28$KeyboardClassFindMorePorts$12);
+call __HAVOC_free($fullPortName$12$4894.28$KeyboardClassFindMorePorts$12);
+call __HAVOC_free($numPorts$9$4891.28$KeyboardClassFindMorePorts$12);
+assume (forall m:int:: {Res_DEVICE_STACK[m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Res_DEVICE_STACK[m] == old(Res_DEVICE_STACK)[m]);
+assume (forall m:int:: {Res_DEV_EXTN[m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Res_DEV_EXTN[m] == old(Res_DEV_EXTN)[m]);
+assume (forall m:int:: {Res_DEV_OBJ_INIT[m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Res_DEV_OBJ_INIT[m] == old(Res_DEV_OBJ_INIT)[m]);
+assume (forall m:int:: {Res_SPIN_LOCK[m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Res_SPIN_LOCK[m] == old(Res_SPIN_LOCK)[m]);
+assume (forall m:int :: {Mem[T.A256UINT2][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.A256UINT2][m] == old(Mem[T.A256UINT2])[m]);
+assume (forall m:int :: {Mem[T.A2UINT2][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.A2UINT2][m] == old(Mem[T.A2UINT2])[m]);
+assume (forall m:int :: {Mem[T.A4UINT4][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.A4UINT4][m] == old(Mem[T.A4UINT4])[m]);
+assume (forall m:int :: {Mem[T.A5UINT2][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.A5UINT2][m] == old(Mem[T.A5UINT2])[m]);
+assume (forall m:int :: {Mem[T.A88CHAR][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.A88CHAR][m] == old(Mem[T.A88CHAR])[m]);
+assume (forall m:int :: {Mem[T.A9UINT2][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.A9UINT2][m] == old(Mem[T.A9UINT2])[m]);
+assume (forall m:int :: {Mem[T.AssocClassList__GLOBALS][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.AssocClassList__GLOBALS][m] == old(Mem[T.AssocClassList__GLOBALS])[m]);
+assume (forall m:int :: {Mem[T.BaseClassName__GLOBALS][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.BaseClassName__GLOBALS][m] == old(Mem[T.BaseClassName__GLOBALS])[m]);
+assume (forall m:int :: {Mem[T.Buffer__UNICODE_STRING][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Buffer__UNICODE_STRING][m] == old(Mem[T.Buffer__UNICODE_STRING])[m]);
+assume (forall m:int :: {Mem[T.CHAR][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.CHAR][m] == old(Mem[T.CHAR])[m]);
+assume (forall m:int :: {Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][m] == old(Mem[T.CurrentStackLocation___unnamed_4_f19b65c1])[m]);
+assume (forall m:int :: {Mem[T.DataIn__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.DataIn__DEVICE_EXTENSION][m] == old(Mem[T.DataIn__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.DataOut__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.DataOut__DEVICE_EXTENSION][m] == old(Mem[T.DataOut__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.DeviceExtension__DEVICE_OBJECT][m] == old(Mem[T.DeviceExtension__DEVICE_OBJECT])[m]);
+assume (forall m:int :: {Mem[T.File__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.File__DEVICE_EXTENSION][m] == old(Mem[T.File__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.File__PORT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.File__PORT][m] == old(Mem[T.File__PORT])[m]);
+assume (forall m:int :: {Mem[T.Flags__DEVICE_OBJECT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Flags__DEVICE_OBJECT][m] == old(Mem[T.Flags__DEVICE_OBJECT])[m]);
+assume (forall m:int :: {Mem[T.Flink__LIST_ENTRY][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Flink__LIST_ENTRY][m] == old(Mem[T.Flink__LIST_ENTRY])[m]);
+assume (forall m:int :: {Mem[T.Free__PORT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Free__PORT][m] == old(Mem[T.Free__PORT])[m]);
+assume (forall m:int :: {Mem[T.GrandMaster__GLOBALS][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.GrandMaster__GLOBALS][m] == old(Mem[T.GrandMaster__GLOBALS])[m]);
+assume (forall m:int :: {Mem[T.INT4][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.INT4][m] == old(Mem[T.INT4])[m]);
+assume (forall m:int :: {Mem[T.InitExtension__GLOBALS][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.InitExtension__GLOBALS][m] == old(Mem[T.InitExtension__GLOBALS])[m]);
+assume (forall m:int :: {Mem[T.InputData__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.InputData__DEVICE_EXTENSION][m] == old(Mem[T.InputData__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.LegacyDeviceList__GLOBALS][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.LegacyDeviceList__GLOBALS][m] == old(Mem[T.LegacyDeviceList__GLOBALS])[m]);
+assume (forall m:int :: {Mem[T.Length__UNICODE_STRING][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Length__UNICODE_STRING][m] == old(Mem[T.Length__UNICODE_STRING])[m]);
+assume (forall m:int :: {Mem[T.Link__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Link__DEVICE_EXTENSION][m] == old(Mem[T.Link__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.MaximumLength__UNICODE_STRING][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.MaximumLength__UNICODE_STRING][m] == old(Mem[T.MaximumLength__UNICODE_STRING])[m]);
+assume (forall m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.MinorFunction__IO_STACK_LOCATION][m] == old(Mem[T.MinorFunction__IO_STACK_LOCATION])[m]);
+assume (forall m:int :: {Mem[T.Mutex__GLOBALS][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Mutex__GLOBALS][m] == old(Mem[T.Mutex__GLOBALS])[m]);
+assume (forall m:int :: {Mem[T.NumberLegacyPorts__GLOBALS][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.NumberLegacyPorts__GLOBALS][m] == old(Mem[T.NumberLegacyPorts__GLOBALS])[m]);
+assume (forall m:int :: {Mem[T.PCHAR][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.PCHAR][m] == old(Mem[T.PCHAR])[m]);
+assume (forall m:int :: {Mem[T.PPUINT2][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.PPUINT2][m] == old(Mem[T.PPUINT2])[m]);
+assume (forall m:int :: {Mem[T.PP_DEVICE_OBJECT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.PP_DEVICE_OBJECT][m] == old(Mem[T.PP_DEVICE_OBJECT])[m]);
+assume (forall m:int :: {Mem[T.PP_FILE_OBJECT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.PP_FILE_OBJECT][m] == old(Mem[T.PP_FILE_OBJECT])[m]);
+assume (forall m:int :: {Mem[T.PUINT2][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.PUINT2][m] == old(Mem[T.PUINT2])[m]);
+assume (forall m:int :: {Mem[T.PUINT4][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.PUINT4][m] == old(Mem[T.PUINT4])[m]);
+assume (forall m:int :: {Mem[T.PVOID][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.PVOID][m] == old(Mem[T.PVOID])[m]);
+assume (forall m:int :: {Mem[T.P_DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.P_DEVICE_EXTENSION][m] == old(Mem[T.P_DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.P_DEVICE_OBJECT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.P_DEVICE_OBJECT][m] == old(Mem[T.P_DEVICE_OBJECT])[m]);
+assume (forall m:int :: {Mem[T.P_DRIVER_OBJECT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.P_DRIVER_OBJECT][m] == old(Mem[T.P_DRIVER_OBJECT])[m]);
+assume (forall m:int :: {Mem[T.P_FAST_MUTEX][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.P_FAST_MUTEX][m] == old(Mem[T.P_FAST_MUTEX])[m]);
+assume (forall m:int :: {Mem[T.P_FILE_OBJECT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.P_FILE_OBJECT][m] == old(Mem[T.P_FILE_OBJECT])[m]);
+assume (forall m:int :: {Mem[T.P_KEYBOARD_INPUT_DATA][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.P_KEYBOARD_INPUT_DATA][m] == old(Mem[T.P_KEYBOARD_INPUT_DATA])[m]);
+assume (forall m:int :: {Mem[T.P_LIST_ENTRY][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.P_LIST_ENTRY][m] == old(Mem[T.P_LIST_ENTRY])[m]);
+assume (forall m:int :: {Mem[T.P_UNICODE_STRING][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.P_UNICODE_STRING][m] == old(Mem[T.P_UNICODE_STRING])[m]);
+assume (forall m:int :: {Mem[T.PnP__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.PnP__DEVICE_EXTENSION][m] == old(Mem[T.PnP__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.Port__PORT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Port__PORT][m] == old(Mem[T.Port__PORT])[m]);
+assume (forall m:int :: {Mem[T.PortsServiced__GLOBALS][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.PortsServiced__GLOBALS][m] == old(Mem[T.PortsServiced__GLOBALS])[m]);
+assume (forall m:int :: {Mem[T.Self__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Self__DEVICE_EXTENSION][m] == old(Mem[T.Self__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.StackSize__DEVICE_OBJECT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.StackSize__DEVICE_OBJECT][m] == old(Mem[T.StackSize__DEVICE_OBJECT])[m]);
+assume (forall m:int :: {Mem[T.Started__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Started__DEVICE_EXTENSION][m] == old(Mem[T.Started__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.TopPort__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.TopPort__DEVICE_EXTENSION][m] == old(Mem[T.TopPort__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.UCHAR][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.UCHAR][m] == old(Mem[T.UCHAR])[m]);
+assume (forall m:int :: {Mem[T.UINT2][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.UINT2][m] == old(Mem[T.UINT2])[m]);
+assume (forall m:int :: {Mem[T.UINT4][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.UINT4][m] == old(Mem[T.UINT4])[m]);
+assume (forall m:int :: {Mem[T.UnitId__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.UnitId__DEVICE_EXTENSION][m] == old(Mem[T.UnitId__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T._POOL_TYPE][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T._POOL_TYPE][m] == old(Mem[T._POOL_TYPE])[m]);
+return;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(5070)
+label_2:
+assume false;
+return;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(4886)
+label_3:
+goto label_4;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(4887)
+label_4:
+goto label_5;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(4887)
+label_5:
+$deviceExtension$5$4887.28$KeyboardClassFindMorePorts$12 := 0 ;
+goto label_6;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(4888)
+label_6:
+goto label_7;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(4888)
+label_7:
+Mem[T.P_DEVICE_OBJECT] := Mem[T.P_DEVICE_OBJECT][$classDeviceObject$6$4888.28$KeyboardClassFindMorePorts$12 := 0];
+goto label_8;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(4889)
+label_8:
+goto label_9;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(4890)
+label_9:
+goto label_10;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(4891)
+label_10:
+goto label_11;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(4892)
+label_11:
+goto label_12;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(4893)
+label_12:
+goto label_13;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(4894)
+label_13:
+goto label_14;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(4895)
+label_14:
+goto label_15;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(4896)
+label_15:
+goto label_16;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(4896)
+label_16:
+Mem[T.PUINT2] := Mem[T.PUINT2][$fullClassName$14$4896.28$KeyboardClassFindMorePorts$12 := 0];
+goto label_17;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(4897)
+label_17:
+goto label_18;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(4899)
+label_18:
+call __PREfastPagedCode ();
+goto label_21;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(4901)
+label_21:
+Mem[T.MaximumLength__UNICODE_STRING] := Mem[T.MaximumLength__UNICODE_STRING][MaximumLength__UNICODE_STRING($fullPortName$12$4894.28$KeyboardClassFindMorePorts$12) := 0];
+goto label_22;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(4903)
+label_22:
+// ignoring intrinsic intrinsic.memset
+havoc $result.memset$4903.4$1$;
+goto label_25;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(4904)
+label_25:
+Mem[T.Buffer__UNICODE_STRING] := Mem[T.Buffer__UNICODE_STRING][Buffer__UNICODE_STRING($basePortName$11$4893.28$KeyboardClassFindMorePorts$12) := $basePortBuffer$13$4895.28$KeyboardClassFindMorePorts$12];
+goto label_26;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(4905)
+label_26:
+Mem[T.Length__UNICODE_STRING] := Mem[T.Length__UNICODE_STRING][Length__UNICODE_STRING($basePortName$11$4893.28$KeyboardClassFindMorePorts$12) := 0];
+goto label_27;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(4906)
+label_27:
+Mem[T.MaximumLength__UNICODE_STRING] := Mem[T.MaximumLength__UNICODE_STRING][MaximumLength__UNICODE_STRING($basePortName$11$4893.28$KeyboardClassFindMorePorts$12) := 512];
+goto label_28;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(4913)
+label_28:
+call RtlCopyUnicodeString ($basePortName$11$4893.28$KeyboardClassFindMorePorts$12, BaseClassName__GLOBALS(Globals));
+goto label_31;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(4914)
+label_31:
+tempBoogie0 := MINUS_BOTH_PTR_OR_BOTH_INT( Mem[T.Length__UNICODE_STRING][Length__UNICODE_STRING($basePortName$11$4893.28$KeyboardClassFindMorePorts$12)], 10, 1) ;
+Mem[T.Length__UNICODE_STRING] := Mem[T.Length__UNICODE_STRING][Length__UNICODE_STRING($basePortName$11$4893.28$KeyboardClassFindMorePorts$12) := tempBoogie0];
+goto label_35;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(4915)
+label_32:
+call $result.RtlAppendUnicodeToString$4915.28$2$ := RtlAppendUnicodeToString ($basePortName$11$4893.28$KeyboardClassFindMorePorts$12, $RtlAppendUnicodeToString.arg.2$3$);
+goto label_36;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(4915)
+label_35:
+call havoc_stringTemp := __HAVOC_malloc(1);
+$RtlAppendUnicodeToString.arg.2$3$ := havoc_stringTemp ;
+goto label_32;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(4920)
+label_36:
+call RtlInitUnicodeString ($fullPortName$12$4894.28$KeyboardClassFindMorePorts$12, 0);
+goto label_39;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(4922)
+label_39:
+Mem[T.MaximumLength__UNICODE_STRING] := Mem[T.MaximumLength__UNICODE_STRING][MaximumLength__UNICODE_STRING($fullPortName$12$4894.28$KeyboardClassFindMorePorts$12) := PLUS(PLUS(18, 1, Mem[T.Length__UNICODE_STRING][Length__UNICODE_STRING($basePortName$11$4893.28$KeyboardClassFindMorePorts$12)]), 1, 2)];
+goto label_43;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(4926)
+label_40:
+call $result.ExAllocatePoolWithTag$4926.0$4$ := ExAllocatePoolWithTag (1, $ExAllocatePoolWithTag.arg.2$5$, 1130652235);
+goto label_44;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(4926)
+label_43:
+$ExAllocatePoolWithTag.arg.2$5$ := Mem[T.MaximumLength__UNICODE_STRING][MaximumLength__UNICODE_STRING($fullPortName$12$4894.28$KeyboardClassFindMorePorts$12)] ;
+goto label_40;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(4926)
+label_44:
+Mem[T.Buffer__UNICODE_STRING] := Mem[T.Buffer__UNICODE_STRING][Buffer__UNICODE_STRING($fullPortName$12$4894.28$KeyboardClassFindMorePorts$12) := $result.ExAllocatePoolWithTag$4926.0$4$];
+goto label_45;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(4929)
+label_45:
+goto label_45_true , label_45_false ;
+
+
+label_45_true :
+assume (Mem[T.Buffer__UNICODE_STRING][Buffer__UNICODE_STRING($fullPortName$12$4894.28$KeyboardClassFindMorePorts$12)] != 0);
+goto label_57;
+
+
+label_45_false :
+assume (Mem[T.Buffer__UNICODE_STRING][Buffer__UNICODE_STRING($fullPortName$12$4894.28$KeyboardClassFindMorePorts$12)] == 0);
+goto label_49;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(4931)
+label_46:
+// skip KbdDebugPrint
+goto label_50;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(4931)
+label_49:
+call havoc_stringTemp := __HAVOC_malloc(1);
+$KbdDebugPrint.arg.2$6$ := havoc_stringTemp ;
+goto label_46;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(4936)
+label_50:
+Mem[T.UINT4] := Mem[T.UINT4][PLUS($dumpData$7$4889.28$KeyboardClassFindMorePorts$12, 4, 0) := Mem[T.MaximumLength__UNICODE_STRING][MaximumLength__UNICODE_STRING($fullPortName$12$4894.28$KeyboardClassFindMorePorts$12)]];
+goto label_51;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(4937)
+label_51:
+call KeyboardClassLogError ($DriverObject$1$4861.20$KeyboardClassFindMorePorts$12, BOOGIE_LARGE_INT_3221553153, 10008, -1073741823, 1, $dumpData$7$4889.28$KeyboardClassFindMorePorts$12, 0);
+goto label_151;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(4949)
+label_54:
+// ignoring intrinsic intrinsic.memset
+havoc $result.memset$4949.4$7$;
+goto label_61;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(4949)
+label_57:
+$memset.arg.3$8$ := Mem[T.MaximumLength__UNICODE_STRING][MaximumLength__UNICODE_STRING($fullPortName$12$4894.28$KeyboardClassFindMorePorts$12)] ;
+goto label_54;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(4950)
+label_58:
+call $result.RtlAppendUnicodeToString$4950.28$9$ := RtlAppendUnicodeToString ($fullPortName$12$4894.28$KeyboardClassFindMorePorts$12, $RtlAppendUnicodeToString.arg.2$10$);
+goto label_62;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(4950)
+label_61:
+call havoc_stringTemp := __HAVOC_malloc(1);
+$RtlAppendUnicodeToString.arg.2$10$ := havoc_stringTemp ;
+goto label_58;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(4951)
+label_62:
+call $result.RtlAppendUnicodeToString$4951.28$11$ := RtlAppendUnicodeToString ($fullPortName$12$4894.28$KeyboardClassFindMorePorts$12, Mem[T.Buffer__UNICODE_STRING][Buffer__UNICODE_STRING($basePortName$11$4893.28$KeyboardClassFindMorePorts$12)]);
+goto label_68;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(4952)
+label_65:
+call $result.RtlAppendUnicodeToString$4952.28$12$ := RtlAppendUnicodeToString ($fullPortName$12$4894.28$KeyboardClassFindMorePorts$12, $RtlAppendUnicodeToString.arg.2$13$);
+goto label_69;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(4952)
+label_68:
+call havoc_stringTemp := __HAVOC_malloc(1);
+$RtlAppendUnicodeToString.arg.2$13$ := havoc_stringTemp ;
+goto label_65;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(4954)
+label_69:
+call $result.KbdDeterminePortsServiced$4954.29$14$ := KbdDeterminePortsServiced ($basePortName$11$4893.28$KeyboardClassFindMorePorts$12, $numPorts$9$4891.28$KeyboardClassFindMorePorts$12);
+goto label_72;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(4961)
+label_72:
+$i$8$4890.28$KeyboardClassFindMorePorts$12 := Mem[T.NumberLegacyPorts__GLOBALS][NumberLegacyPorts__GLOBALS(Globals)] ;
+goto label_73;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(4961)
+label_73:
+$successfulCreates$10$4892.28$KeyboardClassFindMorePorts$12 := 0 ;
+goto label_74;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(4962)
+label_74:
+// loop entry initialization...
+LOOP_74_alloc := alloc;
+LOOP_74_Mem := Mem;
+LOOP_74_Res_DEVICE_STACK := Res_DEVICE_STACK;
+LOOP_74_Res_DEV_EXTN := Res_DEV_EXTN;
+LOOP_74_Res_DEV_OBJ_INIT := Res_DEV_OBJ_INIT;
+LOOP_74_Res_SPIN_LOCK := Res_SPIN_LOCK;
+goto label_74_head;
+
+
+label_74_head:
+// loop head assertions...
+//TAG: requires __pforall(_H_x, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension), __inv_resource("DEV_OBJ_INIT", 1), ((struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension))->Self == _H_x && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension)) == 1)
+assert((forall _H_x:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]} Inverse(Res_DEV_OBJ_INIT,1)[_H_x] ==> ((Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)])] == _H_x) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]] == 1))));
+//TAG: requires __pforall(_H_z, _H_z->Self, __inv_resource("DEV_EXTN", 1), __resource("DEV_OBJ_INIT", _H_z->Self) == 1 && (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(_H_z->Self))->DeviceExtension) == _H_z)
+assert((forall _H_z:int :: {Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]} Inverse(Res_DEV_EXTN,1)[_H_z] ==> ((Res_DEV_OBJ_INIT[Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]] == 1) && (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)])] == _H_z))));
+//TAG: requires __forall(_H_z, __inv_resource("DEV_EXTN", 1), 1)
+assert((Subset(Empty(), Inverse(Res_DEV_EXTN,1)) && (forall _H_z : int :: {Inverse(Res_DEV_EXTN,1)[_H_z]} (Inverse(Res_DEV_EXTN,1)[_H_z]) ==> (true))));
+//TAG: requires 1 ==> (Globals.GrandMaster != (void *)0 ==> __resource("DEV_EXTN", Globals.GrandMaster) == 1)
+assert((true) ==> ((Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] != 0) ==> (Res_DEV_EXTN[Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)]] == 1)));
+//TAG: requires 1 ==> __setin(&Globals.LegacyDeviceList, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList))
+assert((true) ==> (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[LegacyDeviceList__GLOBALS(Globals)]));
+//TAG: requires 1 ==> __forall(_H_y, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), _H_y == &Globals.LegacyDeviceList || __resource("DEV_EXTN", CONTAINING_RECORD(_H_y, struct _DEVICE_EXTENSION , Link)) == 1)
+assert((true) ==> ((Subset(Empty(), ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))) && (forall _H_y : int :: {ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]} (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]) ==> ((_H_y == LegacyDeviceList__GLOBALS(Globals)) || (Res_DEV_EXTN[MINUS_LEFT_PTR(_H_y, 1, Link__DEVICE_EXTENSION(0))] == 1))))));
+//TAG: requires 1 ==> !__setin(&Globals.GrandMaster->Link, __setminus(__btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), __set(&Globals.LegacyDeviceList)))
+assert((true) ==> (!(Difference(ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals)), Singleton(LegacyDeviceList__GLOBALS(Globals)))[Link__DEVICE_EXTENSION(Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)])])));
+assume(forall f:int :: {alloc[Base(f)]} LOOP_74_alloc[Base(f)] == UNALLOCATED || LOOP_74_alloc[Base(f)] == alloc[Base(f)]);
+
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || LOOP_74_Res_DEVICE_STACK[r] == Res_DEVICE_STACK[r]));
+
+//TAG: net change in resource DEV_EXTN only for: __set_true
+assert (Subset(Empty(), Union(Empty(), SetTrue())) && (forall r:int :: {Res_DEV_EXTN[r]} (SetTrue()[r]) || LOOP_74_Res_DEV_EXTN[r] == Res_DEV_EXTN[r]));
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_true
+assert (Subset(Empty(), Union(Empty(), SetTrue())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (SetTrue()[r]) || LOOP_74_Res_DEV_OBJ_INIT[r] == Res_DEV_OBJ_INIT[r]));
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || LOOP_74_Res_SPIN_LOCK[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == LOOP_74_Mem[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_f19b65c1] only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m] == LOOP_74_Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == LOOP_74_Mem[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_true
+assert (Subset(Empty(), Union(Empty(), SetTrue())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (SetTrue()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == LOOP_74_Mem[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == LOOP_74_Mem[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == LOOP_74_Mem[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_true
+assert (Subset(Empty(), Union(Empty(), SetTrue())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (SetTrue()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == LOOP_74_Mem[T.P_DEVICE_OBJECT][_m]));
+
+// end loop head assertions
+
+goto label_74_true , label_74_false ;
+
+
+label_74_true :
+assume ($i$8$4890.28$KeyboardClassFindMorePorts$12 < Mem[T.PortsServiced__GLOBALS][PortsServiced__GLOBALS(Globals)]);
+goto label_75;
+
+
+label_74_false :
+assume !($i$8$4890.28$KeyboardClassFindMorePorts$12 < Mem[T.PortsServiced__GLOBALS][PortsServiced__GLOBALS(Globals)]);
+goto label_150;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(4962)
+label_75:
+goto label_75_true , label_75_false ;
+
+
+label_75_true :
+assume ($i$8$4890.28$KeyboardClassFindMorePorts$12 < Mem[T.UINT4][$numPorts$9$4891.28$KeyboardClassFindMorePorts$12]);
+goto label_76;
+
+
+label_75_false :
+assume !($i$8$4890.28$KeyboardClassFindMorePorts$12 < Mem[T.UINT4][$numPorts$9$4891.28$KeyboardClassFindMorePorts$12]);
+goto label_150;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(4973)
+label_76:
+Mem[T.UINT2] := Mem[T.UINT2][PLUS(Mem[T.Buffer__UNICODE_STRING][Buffer__UNICODE_STRING($fullPortName$12$4894.28$KeyboardClassFindMorePorts$12)], 2, MINUS_BOTH_PTR_OR_BOTH_INT( BINARY_BOTH_INT(Mem[T.Length__UNICODE_STRING][Length__UNICODE_STRING($fullPortName$12$4894.28$KeyboardClassFindMorePorts$12)], 2), 1, 1)) := PLUS(48, 1, $i$8$4890.28$KeyboardClassFindMorePorts$12)];
+goto label_77;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(4978)
+label_77:
+call $result.KbdCreateClassObject$4978.38$15$ := KbdCreateClassObject ($DriverObject$1$4861.20$KeyboardClassFindMorePorts$12, InitExtension__GLOBALS(Globals), $classDeviceObject$6$4888.28$KeyboardClassFindMorePorts$12, $fullClassName$14$4896.28$KeyboardClassFindMorePorts$12, 1);
+goto label_80;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(4978)
+label_80:
+$status$4$4886.28$KeyboardClassFindMorePorts$12 := $result.KbdCreateClassObject$4978.38$15$ ;
+goto label_81;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(4984)
+label_81:
+goto label_81_true , label_81_false ;
+
+
+label_81_true :
+assume (0 <= $status$4$4886.28$KeyboardClassFindMorePorts$12);
+goto label_85;
+
+
+label_81_false :
+assume !(0 <= $status$4$4886.28$KeyboardClassFindMorePorts$12);
+goto label_82;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(4985)
+label_82:
+call KeyboardClassLogError ($DriverObject$1$4861.20$KeyboardClassFindMorePorts$12, BOOGIE_LARGE_INT_3221553153, 10008, $status$4$4886.28$KeyboardClassFindMorePorts$12, 0, 0, 0);
+goto label_149;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(4995)
+label_85:
+$deviceExtension$5$4887.28$KeyboardClassFindMorePorts$12 := Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$classDeviceObject$6$4888.28$KeyboardClassFindMorePorts$12])] ;
+goto label_86;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(4996)
+label_86:
+Mem[T.PnP__DEVICE_EXTENSION] := Mem[T.PnP__DEVICE_EXTENSION][PnP__DEVICE_EXTENSION($deviceExtension$5$4887.28$KeyboardClassFindMorePorts$12) := 0];
+goto label_87;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(5001)
+label_87:
+assume (Mem[T.TopPort__DEVICE_EXTENSION][TopPort__DEVICE_EXTENSION($deviceExtension$5$4887.28$KeyboardClassFindMorePorts$12)] == Mem[T.P_DEVICE_OBJECT][TopPort__DEVICE_EXTENSION($deviceExtension$5$4887.28$KeyboardClassFindMorePorts$12)]);
+call $result.IoGetDeviceObjectPointer$5001.42$16$ := IoGetDeviceObjectPointer ($fullPortName$12$4894.28$KeyboardClassFindMorePorts$12, 128, $file$15$4897.28$KeyboardClassFindMorePorts$12, TopPort__DEVICE_EXTENSION($deviceExtension$5$4887.28$KeyboardClassFindMorePorts$12));
+Mem[T.TopPort__DEVICE_EXTENSION] := Mem[T.TopPort__DEVICE_EXTENSION][TopPort__DEVICE_EXTENSION($deviceExtension$5$4887.28$KeyboardClassFindMorePorts$12) := Mem[T.P_DEVICE_OBJECT][TopPort__DEVICE_EXTENSION($deviceExtension$5$4887.28$KeyboardClassFindMorePorts$12)]];
+goto label_90;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(5001)
+label_90:
+$status$4$4886.28$KeyboardClassFindMorePorts$12 := $result.IoGetDeviceObjectPointer$5001.42$16$ ;
+goto label_91;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(5006)
+label_91:
+goto label_91_true , label_91_false ;
+
+
+label_91_true :
+assume ($status$4$4886.28$KeyboardClassFindMorePorts$12 != 0);
+goto label_92;
+
+
+label_91_false :
+assume ($status$4$4886.28$KeyboardClassFindMorePorts$12 == 0);
+goto label_103;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(5008)
+label_92:
+goto label_92_true , label_92_false ;
+
+
+label_92_true :
+assume (Mem[T.InputData__DEVICE_EXTENSION][InputData__DEVICE_EXTENSION($deviceExtension$5$4887.28$KeyboardClassFindMorePorts$12)] != 0);
+goto label_93;
+
+
+label_92_false :
+assume (Mem[T.InputData__DEVICE_EXTENSION][InputData__DEVICE_EXTENSION($deviceExtension$5$4887.28$KeyboardClassFindMorePorts$12)] == 0);
+goto label_99;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(5008)
+label_93:
+call ExFreePoolWithTag (Mem[T.InputData__DEVICE_EXTENSION][InputData__DEVICE_EXTENSION($deviceExtension$5$4887.28$KeyboardClassFindMorePorts$12)], 0);
+goto label_96;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(5008)
+label_96:
+Mem[T.DataOut__DEVICE_EXTENSION] := Mem[T.DataOut__DEVICE_EXTENSION][DataOut__DEVICE_EXTENSION($deviceExtension$5$4887.28$KeyboardClassFindMorePorts$12) := 0];
+goto label_97;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(5008)
+label_97:
+Mem[T.DataIn__DEVICE_EXTENSION] := Mem[T.DataIn__DEVICE_EXTENSION][DataIn__DEVICE_EXTENSION($deviceExtension$5$4887.28$KeyboardClassFindMorePorts$12) := Mem[T.DataOut__DEVICE_EXTENSION][DataOut__DEVICE_EXTENSION($deviceExtension$5$4887.28$KeyboardClassFindMorePorts$12)]];
+goto label_98;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(5008)
+label_98:
+Mem[T.InputData__DEVICE_EXTENSION] := Mem[T.InputData__DEVICE_EXTENSION][InputData__DEVICE_EXTENSION($deviceExtension$5$4887.28$KeyboardClassFindMorePorts$12) := Mem[T.DataIn__DEVICE_EXTENSION][DataIn__DEVICE_EXTENSION($deviceExtension$5$4887.28$KeyboardClassFindMorePorts$12)]];
+goto label_99;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(5008)
+label_99:
+call IoDeleteDevice (Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION($deviceExtension$5$4887.28$KeyboardClassFindMorePorts$12)]);
+goto label_102;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(5008)
+label_102:
+$deviceExtension$5$4887.28$KeyboardClassFindMorePorts$12 := 0 ;
+goto label_149;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(5012)
+label_103:
+Mem[T.StackSize__DEVICE_OBJECT] := Mem[T.StackSize__DEVICE_OBJECT][StackSize__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$classDeviceObject$6$4888.28$KeyboardClassFindMorePorts$12]) := PLUS(1, 1, Mem[T.StackSize__DEVICE_OBJECT][StackSize__DEVICE_OBJECT(Mem[T.TopPort__DEVICE_EXTENSION][TopPort__DEVICE_EXTENSION($deviceExtension$5$4887.28$KeyboardClassFindMorePorts$12)])])];
+goto label_104;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(5013)
+label_104:
+call $result.KeyboardAddDeviceEx$5013.37$17$ := KeyboardAddDeviceEx ($deviceExtension$5$4887.28$KeyboardClassFindMorePorts$12, Mem[T.PUINT2][$fullClassName$14$4896.28$KeyboardClassFindMorePorts$12], Mem[T.P_FILE_OBJECT][$file$15$4897.28$KeyboardClassFindMorePorts$12]);
+goto label_107;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(5013)
+label_107:
+$status$4$4886.28$KeyboardClassFindMorePorts$12 := $result.KeyboardAddDeviceEx$5013.37$17$ ;
+goto label_108;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(5014)
+label_108:
+assume (forall r:int :: {BIT_BAND(BIT_BAND(Mem[T.Flags__DEVICE_OBJECT][Flags__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$classDeviceObject$6$4888.28$KeyboardClassFindMorePorts$12])], BIT_BNOT(128)),r)} (POW2(r) && POW2(128) && r != 128) ==> (BIT_BAND(Mem[T.Flags__DEVICE_OBJECT][Flags__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$classDeviceObject$6$4888.28$KeyboardClassFindMorePorts$12])],r)!= 0 <==> BIT_BAND(BIT_BAND(Mem[T.Flags__DEVICE_OBJECT][Flags__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$classDeviceObject$6$4888.28$KeyboardClassFindMorePorts$12])], BIT_BNOT(128)),r)!= 0));
+assume (BIT_BAND(BIT_BAND(Mem[T.Flags__DEVICE_OBJECT][Flags__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$classDeviceObject$6$4888.28$KeyboardClassFindMorePorts$12])], BIT_BNOT(128)),128) == 0);
+tempBoogie0 := BIT_BAND(Mem[T.Flags__DEVICE_OBJECT][Flags__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$classDeviceObject$6$4888.28$KeyboardClassFindMorePorts$12])], BIT_BNOT(128)) ;
+Mem[T.Flags__DEVICE_OBJECT] := Mem[T.Flags__DEVICE_OBJECT][Flags__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$classDeviceObject$6$4888.28$KeyboardClassFindMorePorts$12]) := tempBoogie0];
+goto label_109;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(5016)
+label_109:
+goto label_109_true , label_109_false ;
+
+
+label_109_true :
+assume (Mem[T.PUINT2][$fullClassName$14$4896.28$KeyboardClassFindMorePorts$12] != 0);
+goto label_110;
+
+
+label_109_false :
+assume (Mem[T.PUINT2][$fullClassName$14$4896.28$KeyboardClassFindMorePorts$12] == 0);
+goto label_114;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(5017)
+label_110:
+call ExFreePoolWithTag (Mem[T.PUINT2][$fullClassName$14$4896.28$KeyboardClassFindMorePorts$12], 0);
+goto label_113;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(5018)
+label_113:
+Mem[T.PUINT2] := Mem[T.PUINT2][$fullClassName$14$4896.28$KeyboardClassFindMorePorts$12 := 0];
+goto label_114;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(5021)
+label_114:
+goto label_114_true , label_114_false ;
+
+
+label_114_true :
+assume (0 <= $status$4$4886.28$KeyboardClassFindMorePorts$12);
+goto label_145;
+
+
+label_114_false :
+assume !(0 <= $status$4$4886.28$KeyboardClassFindMorePorts$12);
+goto label_115;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(5022)
+label_115:
+goto label_115_true , label_115_false ;
+
+
+label_115_true :
+assume (Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] != 0);
+goto label_119;
+
+
+label_115_false :
+assume (Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] == 0);
+goto label_116;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(5023)
+label_116:
+goto label_116_true , label_116_false ;
+
+
+label_116_true :
+assume (Mem[T.File__DEVICE_EXTENSION][File__DEVICE_EXTENSION($deviceExtension$5$4887.28$KeyboardClassFindMorePorts$12)] != 0);
+goto label_117;
+
+
+label_116_false :
+assume (Mem[T.File__DEVICE_EXTENSION][File__DEVICE_EXTENSION($deviceExtension$5$4887.28$KeyboardClassFindMorePorts$12)] == 0);
+goto label_130;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(5024)
+label_117:
+Mem[T.P_FILE_OBJECT] := Mem[T.P_FILE_OBJECT][$file$15$4897.28$KeyboardClassFindMorePorts$12 := Mem[T.File__DEVICE_EXTENSION][File__DEVICE_EXTENSION($deviceExtension$5$4887.28$KeyboardClassFindMorePorts$12)]];
+goto label_118;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(5025)
+label_118:
+Mem[T.File__DEVICE_EXTENSION] := Mem[T.File__DEVICE_EXTENSION][File__DEVICE_EXTENSION($deviceExtension$5$4887.28$KeyboardClassFindMorePorts$12) := 0];
+goto label_130;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(5029)
+label_119:
+goto label_120;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(5031)
+label_120:
+call ExAcquireFastMutex (Mutex__GLOBALS(Globals));
+goto label_123;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(5033)
+label_123:
+Mem[T.P_FILE_OBJECT] := Mem[T.P_FILE_OBJECT][$file$15$4897.28$KeyboardClassFindMorePorts$12 := Mem[T.File__PORT][File__PORT(PLUS(Mem[T.AssocClassList__GLOBALS][AssocClassList__GLOBALS(Globals)], 12, Mem[T.UnitId__DEVICE_EXTENSION][UnitId__DEVICE_EXTENSION($deviceExtension$5$4887.28$KeyboardClassFindMorePorts$12)]))]];
+goto label_124;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(5034)
+label_124:
+Mem[T.File__PORT] := Mem[T.File__PORT][File__PORT(PLUS(Mem[T.AssocClassList__GLOBALS][AssocClassList__GLOBALS(Globals)], 12, Mem[T.UnitId__DEVICE_EXTENSION][UnitId__DEVICE_EXTENSION($deviceExtension$5$4887.28$KeyboardClassFindMorePorts$12)])) := 0];
+goto label_125;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(5035)
+label_125:
+Mem[T.Free__PORT] := Mem[T.Free__PORT][Free__PORT(PLUS(Mem[T.AssocClassList__GLOBALS][AssocClassList__GLOBALS(Globals)], 12, Mem[T.UnitId__DEVICE_EXTENSION][UnitId__DEVICE_EXTENSION($deviceExtension$5$4887.28$KeyboardClassFindMorePorts$12)])) := 1];
+goto label_126;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(5036)
+label_126:
+Mem[T.Port__PORT] := Mem[T.Port__PORT][Port__PORT(PLUS(Mem[T.AssocClassList__GLOBALS][AssocClassList__GLOBALS(Globals)], 12, Mem[T.UnitId__DEVICE_EXTENSION][UnitId__DEVICE_EXTENSION($deviceExtension$5$4887.28$KeyboardClassFindMorePorts$12)])) := 0];
+goto label_127;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(5038)
+label_127:
+call ExReleaseFastMutex (Mutex__GLOBALS(Globals));
+goto label_130;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(5041)
+label_130:
+goto label_130_true , label_130_false ;
+
+
+label_130_true :
+assume (Mem[T.P_FILE_OBJECT][$file$15$4897.28$KeyboardClassFindMorePorts$12] != 0);
+goto label_131;
+
+
+label_130_false :
+assume (Mem[T.P_FILE_OBJECT][$file$15$4897.28$KeyboardClassFindMorePorts$12] == 0);
+goto label_134;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(5042)
+label_131:
+call $result.ObfDereferenceObject$5042.16$18$ := ObfDereferenceObject (Mem[T.P_FILE_OBJECT][$file$15$4897.28$KeyboardClassFindMorePorts$12]);
+goto label_134;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(5045)
+label_134:
+goto label_134_true , label_134_false ;
+
+
+label_134_true :
+assume (Mem[T.InputData__DEVICE_EXTENSION][InputData__DEVICE_EXTENSION($deviceExtension$5$4887.28$KeyboardClassFindMorePorts$12)] != 0);
+goto label_135;
+
+
+label_134_false :
+assume (Mem[T.InputData__DEVICE_EXTENSION][InputData__DEVICE_EXTENSION($deviceExtension$5$4887.28$KeyboardClassFindMorePorts$12)] == 0);
+goto label_141;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(5045)
+label_135:
+call ExFreePoolWithTag (Mem[T.InputData__DEVICE_EXTENSION][InputData__DEVICE_EXTENSION($deviceExtension$5$4887.28$KeyboardClassFindMorePorts$12)], 0);
+goto label_138;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(5045)
+label_138:
+Mem[T.DataOut__DEVICE_EXTENSION] := Mem[T.DataOut__DEVICE_EXTENSION][DataOut__DEVICE_EXTENSION($deviceExtension$5$4887.28$KeyboardClassFindMorePorts$12) := 0];
+goto label_139;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(5045)
+label_139:
+Mem[T.DataIn__DEVICE_EXTENSION] := Mem[T.DataIn__DEVICE_EXTENSION][DataIn__DEVICE_EXTENSION($deviceExtension$5$4887.28$KeyboardClassFindMorePorts$12) := Mem[T.DataOut__DEVICE_EXTENSION][DataOut__DEVICE_EXTENSION($deviceExtension$5$4887.28$KeyboardClassFindMorePorts$12)]];
+goto label_140;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(5045)
+label_140:
+Mem[T.InputData__DEVICE_EXTENSION] := Mem[T.InputData__DEVICE_EXTENSION][InputData__DEVICE_EXTENSION($deviceExtension$5$4887.28$KeyboardClassFindMorePorts$12) := Mem[T.DataIn__DEVICE_EXTENSION][DataIn__DEVICE_EXTENSION($deviceExtension$5$4887.28$KeyboardClassFindMorePorts$12)]];
+goto label_141;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(5045)
+label_141:
+call IoDeleteDevice (Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION($deviceExtension$5$4887.28$KeyboardClassFindMorePorts$12)]);
+goto label_144;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(5045)
+label_144:
+$deviceExtension$5$4887.28$KeyboardClassFindMorePorts$12 := 0 ;
+goto label_149;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(5052)
+label_145:
+call InsertTailList (LegacyDeviceList__GLOBALS(Globals), Link__DEVICE_EXTENSION($deviceExtension$5$4887.28$KeyboardClassFindMorePorts$12));
+goto label_148;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(5053)
+label_148:
+$successfulCreates$10$4892.28$KeyboardClassFindMorePorts$12 := PLUS($successfulCreates$10$4892.28$KeyboardClassFindMorePorts$12, 1, 1) ;
+goto label_149;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(4963)
+label_149:
+$i$8$4890.28$KeyboardClassFindMorePorts$12 := PLUS($i$8$4890.28$KeyboardClassFindMorePorts$12, 1, 1) ;
+goto label_74_head;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(5055)
+label_150:
+Mem[T.NumberLegacyPorts__GLOBALS] := Mem[T.NumberLegacyPorts__GLOBALS][NumberLegacyPorts__GLOBALS(Globals) := $i$8$4890.28$KeyboardClassFindMorePorts$12];
+goto label_151;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(5063)
+label_151:
+goto label_151_true , label_151_false ;
+
+
+label_151_true :
+assume (Mem[T.Buffer__UNICODE_STRING][Buffer__UNICODE_STRING($fullPortName$12$4894.28$KeyboardClassFindMorePorts$12)] != 0);
+goto label_152;
+
+
+label_151_false :
+assume (Mem[T.Buffer__UNICODE_STRING][Buffer__UNICODE_STRING($fullPortName$12$4894.28$KeyboardClassFindMorePorts$12)] == 0);
+goto label_155;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(5064)
+label_152:
+call ExFreePoolWithTag (Mem[T.Buffer__UNICODE_STRING][Buffer__UNICODE_STRING($fullPortName$12$4894.28$KeyboardClassFindMorePorts$12)], 0);
+goto label_155;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(5067)
+label_155:
+goto label_155_true , label_155_false ;
+
+
+label_155_true :
+assume (Mem[T.PUINT2][$fullClassName$14$4896.28$KeyboardClassFindMorePorts$12] != 0);
+goto label_156;
+
+
+label_155_false :
+assume (Mem[T.PUINT2][$fullClassName$14$4896.28$KeyboardClassFindMorePorts$12] == 0);
+goto label_1;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(5068)
+label_156:
+call ExFreePoolWithTag (Mem[T.PUINT2][$fullClassName$14$4896.28$KeyboardClassFindMorePorts$12], 0);
+goto label_1;
+
+}
+
diff --git a/Test/havoc0/KeyboardClassUnload.bpl b/Test/havoc0/KeyboardClassUnload.bpl
new file mode 100644
index 00000000..3deae4cd
--- /dev/null
+++ b/Test/havoc0/KeyboardClassUnload.bpl
@@ -0,0 +1,3333 @@
+type byte, name;
+function OneByteToInt(byte) returns (int);
+function TwoBytesToInt(byte, byte) returns (int);
+function FourBytesToInt(byte, byte, byte, byte) returns (int);
+axiom(forall b0:byte, c0:byte :: {OneByteToInt(b0), OneByteToInt(c0)} OneByteToInt(b0) == OneByteToInt(c0) ==> b0 == c0);
+axiom(forall b0:byte, b1: byte, c0:byte, c1:byte :: {TwoBytesToInt(b0, b1), TwoBytesToInt(c0, c1)} TwoBytesToInt(b0, b1) == TwoBytesToInt(c0, c1) ==> b0 == c0 && b1 == c1);
+axiom(forall b0:byte, b1: byte, b2:byte, b3:byte, c0:byte, c1:byte, c2:byte, c3:byte :: {FourBytesToInt(b0, b1, b2, b3), FourBytesToInt(c0, c1, c2, c3)} FourBytesToInt(b0, b1, b2, b3) == FourBytesToInt(c0, c1, c2, c3) ==> b0 == c0 && b1 == c1 && b2 == c2 && b3 == c3);
+
+// Mutable
+var Mem_BYTE:[int]byte;
+var alloc:[int]name;
+
+
+function Field(int) returns (name);
+function Base(int) returns (int);
+
+// Constants
+const unique UNALLOCATED:name;
+const unique ALLOCATED: name;
+const unique FREED:name;
+
+const unique BYTE:name;
+
+function Equal([int]bool, [int]bool) returns (bool);
+function Subset([int]bool, [int]bool) returns (bool);
+function Disjoint([int]bool, [int]bool) returns (bool);
+
+function Empty() returns ([int]bool);
+function SetTrue() returns ([int]bool);
+function Singleton(int) returns ([int]bool);
+function Reachable([int,int]bool, int) returns ([int]bool);
+function Union([int]bool, [int]bool) returns ([int]bool);
+function Intersection([int]bool, [int]bool) returns ([int]bool);
+function Difference([int]bool, [int]bool) returns ([int]bool);
+function Dereference([int]bool, [int]int) returns ([int]bool);
+function Inverse(f:[int]int, x:int) returns ([int]bool);
+
+function AtLeast(int, int) returns ([int]bool);
+function Rep(int, int) returns (int);
+axiom(forall n:int, x:int, y:int :: {AtLeast(n,x)[y]} AtLeast(n,x)[y] ==> x <= y && Rep(n,x) == Rep(n,y));
+axiom(forall n:int, x:int, y:int :: {AtLeast(n,x),Rep(n,x),Rep(n,y)} x <= y && Rep(n,x) == Rep(n,y) ==> AtLeast(n,x)[y]);
+axiom(forall n:int, x:int :: {AtLeast(n,x)} AtLeast(n,x)[x]);
+axiom(forall n:int, x:int, z:int :: {PLUS(x,n,z)} Rep(n,x) == Rep(n,PLUS(x,n,z)));
+axiom(forall n:int, x:int :: {Rep(n,x)} (exists k:int :: Rep(n,x) - x == n*k));
+
+/*
+function AtLeast(int, int) returns ([int]bool);
+function ModEqual(int, int, int) returns (bool);
+axiom(forall n:int, x:int :: ModEqual(n,x,x));
+axiom(forall n:int, x:int, y:int :: {ModEqual(n,x,y)} ModEqual(n,x,y) ==> ModEqual(n,y,x));
+axiom(forall n:int, x:int, y:int, z:int :: {ModEqual(n,x,y), ModEqual(n,y,z)} ModEqual(n,x,y) && ModEqual(n,y,z) ==> ModEqual(n,x,z));
+axiom(forall n:int, x:int, z:int :: {PLUS(x,n,z)} ModEqual(n,x,PLUS(x,n,z)));
+axiom(forall n:int, x:int, y:int :: {ModEqual(n,x,y)} ModEqual(n,x,y) ==> (exists k:int :: x - y == n*k));
+axiom(forall x:int, n:int, y:int :: {AtLeast(n,x)[y]}{ModEqual(n,x,y)} AtLeast(n,x)[y] <==> x <= y && ModEqual(n,x,y));
+axiom(forall x:int, n:int :: {AtLeast(n,x)} AtLeast(n,x)[x]);
+*/
+
+function Array(int, int, int) returns ([int]bool);
+axiom(forall x:int, n:int, z:int :: {Array(x,n,z)} z <= 0 ==> Equal(Array(x,n,z), Empty()));
+axiom(forall x:int, n:int, z:int :: {Array(x,n,z)} z > 0 ==> Equal(Array(x,n,z), Difference(AtLeast(n,x),AtLeast(n,PLUS(x,n,z)))));
+
+
+axiom(forall x:int :: !Empty()[x]);
+
+axiom(forall x:int :: SetTrue()[x]);
+
+axiom(forall x:int, y:int :: {Singleton(y)[x]} Singleton(y)[x] <==> x == y);
+axiom(forall y:int :: {Singleton(y)} Singleton(y)[y]);
+
+/* this formulation of Union IS more complete than the earlier one */
+/* (A U B)[e], A[d], A U B = Singleton(c), d != e */
+axiom(forall x:int, S:[int]bool, T:[int]bool :: {Union(S,T)[x]}{Union(S,T),S[x]}{Union(S,T),T[x]} Union(S,T)[x] <==> S[x] || T[x]);
+axiom(forall x:int, S:[int]bool, T:[int]bool :: {Intersection(S,T)[x]}{Intersection(S,T),S[x]}{Intersection(S,T),T[x]} Intersection(S,T)[x] <==> S[x] && T[x]);
+axiom(forall x:int, S:[int]bool, T:[int]bool :: {Difference(S,T)[x]}{Difference(S,T),S[x]}{Difference(S,T),T[x]} Difference(S,T)[x] <==> S[x] && !T[x]);
+
+axiom(forall S:[int]bool, T:[int]bool :: {Equal(S,T)} Equal(S,T) <==> Subset(S,T) && Subset(T,S));
+axiom(forall x:int, S:[int]bool, T:[int]bool :: {S[x],Subset(S,T)}{T[x],Subset(S,T)} S[x] && Subset(S,T) ==> T[x]);
+axiom(forall S:[int]bool, T:[int]bool :: {Subset(S,T)} Subset(S,T) || (exists x:int :: S[x] && !T[x]));
+axiom(forall x:int, S:[int]bool, T:[int]bool :: {S[x],Disjoint(S,T)}{T[x],Disjoint(S,T)} !(S[x] && Disjoint(S,T) && T[x]));
+axiom(forall S:[int]bool, T:[int]bool :: {Disjoint(S,T)} Disjoint(S,T) || (exists x:int :: S[x] && T[x]));
+
+axiom(forall f:[int]int, x:int :: {Inverse(f,f[x])} Inverse(f,f[x])[x]);
+axiom(forall f:[int]int, x:int, y:int :: {Inverse(f,y), f[x]} Inverse(f,y)[x] ==> f[x] == y);
+axiom(forall f:[int]int, x:int, y:int :: {Inverse(f[x := y],y)} Equal(Inverse(f[x := y],y), Union(Inverse(f,y), Singleton(x))));
+axiom(forall f:[int]int, x:int, y:int, z:int :: {Inverse(f[x := y],z)} y == z || Equal(Inverse(f[x := y],z), Difference(Inverse(f,z), Singleton(x))));
+
+
+axiom(forall x:int, S:[int]bool, M:[int]int :: {Dereference(S,M)[x]} Dereference(S,M)[x] ==> (exists y:int :: x == M[y] && S[y]));
+axiom(forall x:int, S:[int]bool, M:[int]int :: {M[x], S[x], Dereference(S,M)} S[x] ==> Dereference(S,M)[M[x]]);
+axiom(forall x:int, y:int, S:[int]bool, M:[int]int :: {Dereference(S,M[x := y])} !S[x] ==> Equal(Dereference(S,M[x := y]), Dereference(S,M)));
+axiom(forall x:int, y:int, S:[int]bool, M:[int]int :: {Dereference(S,M[x := y])}
+ S[x] && Equal(Intersection(Inverse(M,M[x]), S), Singleton(x)) ==> Equal(Dereference(S,M[x := y]), Union(Difference(Dereference(S,M), Singleton(M[x])), Singleton(y))));
+axiom(forall x:int, y:int, S:[int]bool, M:[int]int :: {Dereference(S,M[x := y])}
+ S[x] && !Equal(Intersection(Inverse(M,M[x]), S), Singleton(x)) ==> Equal(Dereference(S,M[x := y]), Union(Dereference(S,M), Singleton(y))));
+
+function Unified([name][int]int) returns ([int]int);
+axiom(forall M:[name][int]int, x:int :: {Unified(M)[x]} Unified(M)[x] == M[Field(x)][x]);
+axiom(forall M:[name][int]int, x:int, y:int :: {Unified(M[Field(x) := M[Field(x)][x := y]])} Unified(M[Field(x) := M[Field(x)][x := y]]) == Unified(M)[x := y]);
+// Memory model
+
+var Mem: [name][int]int;
+
+function Match(a:int, t:name) returns (bool);
+function HasType(v:int, t:name, m:[name][int]int) returns (bool);
+function Values(t:name, m:[name][int]int) returns ([int]bool);
+function T.Ptr(t:name) returns (name);
+
+axiom(forall v:int, t:name, m:[name][int]int :: {Values(t, m)[v]} Values(t, m)[v] ==> HasType(v, t, m));
+axiom(forall v:int, t:name, m:[name][int]int :: {HasType(v, t, m), Values(t, m)} HasType(v, t, m) ==> Values(t, m)[v]);
+
+axiom(forall a:int, t:name :: {Match(a, T.Ptr(t))} Match(a, T.Ptr(t)) <==> Field(a) == T.Ptr(t));
+axiom(forall v:int, t:name, m:[name][int]int :: {HasType(v, T.Ptr(t), m)} HasType(v, T.Ptr(t), m) <==> (v == 0 || (v > 0 && Match(v, t))));
+
+axiom(forall v:int, t:name, m1:[name][int]int, m2:[name][int]int :: {HasType(v, t, m1), HasType(v, t, m2)}
+ (HasType(v, t, m1) <==> HasType(v, t, m2)));
+
+// Field declarations
+
+const unique T.Guid_WMIGUIDREGINFO:name;
+const unique T.InstanceCount_WMIGUIDREGINFO:name;
+const unique T.Flags_WMIGUIDREGINFO:name;
+const unique T.OperationID__ACCESS_STATE:name;
+const unique T.SecurityEvaluated__ACCESS_STATE:name;
+const unique T.GenerateAudit__ACCESS_STATE:name;
+const unique T.GenerateOnClose__ACCESS_STATE:name;
+const unique T.PrivilegesAllocated__ACCESS_STATE:name;
+const unique T.Flags__ACCESS_STATE:name;
+const unique T.RemainingDesiredAccess__ACCESS_STATE:name;
+const unique T.PreviouslyGrantedAccess__ACCESS_STATE:name;
+const unique T.OriginalDesiredAccess__ACCESS_STATE:name;
+const unique T.SubjectSecurityContext__ACCESS_STATE:name;
+const unique T.SecurityDescriptor__ACCESS_STATE:name;
+const unique T.AuxData__ACCESS_STATE:name;
+const unique T.Privileges__ACCESS_STATE:name;
+const unique T.AuditPrivileges__ACCESS_STATE:name;
+const unique T.ObjectName__ACCESS_STATE:name;
+const unique T.ObjectTypeName__ACCESS_STATE:name;
+const unique T.InterfaceType__CM_FULL_RESOURCE_DESCRIPTOR:name;
+const unique T.BusNumber__CM_FULL_RESOURCE_DESCRIPTOR:name;
+const unique T.PartialResourceList__CM_FULL_RESOURCE_DESCRIPTOR:name;
+const unique T.Type__CM_PARTIAL_RESOURCE_DESCRIPTOR:name;
+const unique T.ShareDisposition__CM_PARTIAL_RESOURCE_DESCRIPTOR:name;
+const unique T.Flags__CM_PARTIAL_RESOURCE_DESCRIPTOR:name;
+const unique T.u__CM_PARTIAL_RESOURCE_DESCRIPTOR:name;
+const unique T.Version__CM_PARTIAL_RESOURCE_LIST:name;
+const unique T.Revision__CM_PARTIAL_RESOURCE_LIST:name;
+const unique T.Count__CM_PARTIAL_RESOURCE_LIST:name;
+const unique T.PartialDescriptors__CM_PARTIAL_RESOURCE_LIST:name;
+const unique T.Count__CM_RESOURCE_LIST:name;
+const unique T.List__CM_RESOURCE_LIST:name;
+const unique T.Size__DEVICE_CAPABILITIES:name;
+const unique T.Version__DEVICE_CAPABILITIES:name;
+const unique T.DeviceD1__DEVICE_CAPABILITIES:name;
+const unique T.DeviceD2__DEVICE_CAPABILITIES:name;
+const unique T.LockSupported__DEVICE_CAPABILITIES:name;
+const unique T.EjectSupported__DEVICE_CAPABILITIES:name;
+const unique T.Removable__DEVICE_CAPABILITIES:name;
+const unique T.DockDevice__DEVICE_CAPABILITIES:name;
+const unique T.UniqueID__DEVICE_CAPABILITIES:name;
+const unique T.SilentInstall__DEVICE_CAPABILITIES:name;
+const unique T.RawDeviceOK__DEVICE_CAPABILITIES:name;
+const unique T.SurpriseRemovalOK__DEVICE_CAPABILITIES:name;
+const unique T.WakeFromD0__DEVICE_CAPABILITIES:name;
+const unique T.WakeFromD1__DEVICE_CAPABILITIES:name;
+const unique T.WakeFromD2__DEVICE_CAPABILITIES:name;
+const unique T.WakeFromD3__DEVICE_CAPABILITIES:name;
+const unique T.HardwareDisabled__DEVICE_CAPABILITIES:name;
+const unique T.NonDynamic__DEVICE_CAPABILITIES:name;
+const unique T.WarmEjectSupported__DEVICE_CAPABILITIES:name;
+const unique T.NoDisplayInUI__DEVICE_CAPABILITIES:name;
+const unique T.Reserved__DEVICE_CAPABILITIES:name;
+const unique T.Address__DEVICE_CAPABILITIES:name;
+const unique T.UINumber__DEVICE_CAPABILITIES:name;
+const unique T.DeviceState__DEVICE_CAPABILITIES:name;
+const unique T.SystemWake__DEVICE_CAPABILITIES:name;
+const unique T.DeviceWake__DEVICE_CAPABILITIES:name;
+const unique T.D1Latency__DEVICE_CAPABILITIES:name;
+const unique T.D2Latency__DEVICE_CAPABILITIES:name;
+const unique T.D3Latency__DEVICE_CAPABILITIES:name;
+const unique T.Self__DEVICE_EXTENSION:name;
+const unique T.TrueClassDevice__DEVICE_EXTENSION:name;
+const unique T.TopPort__DEVICE_EXTENSION:name;
+const unique T.PDO__DEVICE_EXTENSION:name;
+const unique T.RemoveLock__DEVICE_EXTENSION:name;
+const unique T.PnP__DEVICE_EXTENSION:name;
+const unique T.Started__DEVICE_EXTENSION:name;
+const unique T.AllowDisable__DEVICE_EXTENSION:name;
+const unique T.WaitWakeSpinLock__DEVICE_EXTENSION:name;
+const unique T.TrustedSubsystemCount__DEVICE_EXTENSION:name;
+const unique T.InputCount__DEVICE_EXTENSION:name;
+const unique T.SymbolicLinkName__DEVICE_EXTENSION:name;
+const unique T.InputData__DEVICE_EXTENSION:name;
+const unique T.DataIn__DEVICE_EXTENSION:name;
+const unique T.DataOut__DEVICE_EXTENSION:name;
+const unique T.KeyboardAttributes__DEVICE_EXTENSION:name;
+const unique T.IndicatorParameters__DEVICE_EXTENSION:name;
+const unique T.SpinLock__DEVICE_EXTENSION:name;
+const unique T.ReadQueue__DEVICE_EXTENSION:name;
+const unique T.SequenceNumber__DEVICE_EXTENSION:name;
+const unique T.DeviceState__DEVICE_EXTENSION:name;
+const unique T.SystemState__DEVICE_EXTENSION:name;
+const unique T.UnitId__DEVICE_EXTENSION:name;
+const unique T.WmiLibInfo__DEVICE_EXTENSION:name;
+const unique T.SystemToDeviceState__DEVICE_EXTENSION:name;
+const unique T.MinDeviceWakeState__DEVICE_EXTENSION:name;
+const unique T.MinSystemWakeState__DEVICE_EXTENSION:name;
+const unique T.WaitWakeIrp__DEVICE_EXTENSION:name;
+const unique T.ExtraWaitWakeIrp__DEVICE_EXTENSION:name;
+const unique T.TargetNotifyHandle__DEVICE_EXTENSION:name;
+const unique T.Link__DEVICE_EXTENSION:name;
+const unique T.File__DEVICE_EXTENSION:name;
+const unique T.Enabled__DEVICE_EXTENSION:name;
+const unique T.OkayToLogOverflow__DEVICE_EXTENSION:name;
+const unique T.WaitWakeEnabled__DEVICE_EXTENSION:name;
+const unique T.SurpriseRemoved__DEVICE_EXTENSION:name;
+const unique T.Type__DEVICE_OBJECT:name;
+const unique T.Size__DEVICE_OBJECT:name;
+const unique T.ReferenceCount__DEVICE_OBJECT:name;
+const unique T.DriverObject__DEVICE_OBJECT:name;
+const unique T.NextDevice__DEVICE_OBJECT:name;
+const unique T.AttachedDevice__DEVICE_OBJECT:name;
+const unique T.CurrentIrp__DEVICE_OBJECT:name;
+const unique T.Timer__DEVICE_OBJECT:name;
+const unique T.Flags__DEVICE_OBJECT:name;
+const unique T.Characteristics__DEVICE_OBJECT:name;
+const unique T.Vpb__DEVICE_OBJECT:name;
+const unique T.DeviceExtension__DEVICE_OBJECT:name;
+const unique T.DeviceType__DEVICE_OBJECT:name;
+const unique T.StackSize__DEVICE_OBJECT:name;
+const unique T.Queue__DEVICE_OBJECT:name;
+const unique T.AlignmentRequirement__DEVICE_OBJECT:name;
+const unique T.DeviceQueue__DEVICE_OBJECT:name;
+const unique T.Dpc__DEVICE_OBJECT:name;
+const unique T.ActiveThreadCount__DEVICE_OBJECT:name;
+const unique T.SecurityDescriptor__DEVICE_OBJECT:name;
+const unique T.DeviceLock__DEVICE_OBJECT:name;
+const unique T.SectorSize__DEVICE_OBJECT:name;
+const unique T.Spare1__DEVICE_OBJECT:name;
+const unique T.DeviceObjectExtension__DEVICE_OBJECT:name;
+const unique T.Reserved__DEVICE_OBJECT:name;
+const unique T.Type__DEVOBJ_EXTENSION:name;
+const unique T.Size__DEVOBJ_EXTENSION:name;
+const unique T.DeviceObject__DEVOBJ_EXTENSION:name;
+const unique T.__unnamed_4_a97c65a1__DISPATCHER_HEADER:name;
+const unique T.SignalState__DISPATCHER_HEADER:name;
+const unique T.WaitListHead__DISPATCHER_HEADER:name;
+const unique T.DriverObject__DRIVER_EXTENSION:name;
+const unique T.AddDevice__DRIVER_EXTENSION:name;
+const unique T.Count__DRIVER_EXTENSION:name;
+const unique T.ServiceKeyName__DRIVER_EXTENSION:name;
+const unique T.Type__DRIVER_OBJECT:name;
+const unique T.Size__DRIVER_OBJECT:name;
+const unique T.DeviceObject__DRIVER_OBJECT:name;
+const unique T.Flags__DRIVER_OBJECT:name;
+const unique T.DriverStart__DRIVER_OBJECT:name;
+const unique T.DriverSize__DRIVER_OBJECT:name;
+const unique T.DriverSection__DRIVER_OBJECT:name;
+const unique T.DriverExtension__DRIVER_OBJECT:name;
+const unique T.DriverName__DRIVER_OBJECT:name;
+const unique T.HardwareDatabase__DRIVER_OBJECT:name;
+const unique T.FastIoDispatch__DRIVER_OBJECT:name;
+const unique T.DriverInit__DRIVER_OBJECT:name;
+const unique T.DriverStartIo__DRIVER_OBJECT:name;
+const unique T.DriverUnload__DRIVER_OBJECT:name;
+const unique T.MajorFunction__DRIVER_OBJECT:name;
+const unique T.SystemResourcesList__ERESOURCE:name;
+const unique T.OwnerTable__ERESOURCE:name;
+const unique T.ActiveCount__ERESOURCE:name;
+const unique T.Flag__ERESOURCE:name;
+const unique T.SharedWaiters__ERESOURCE:name;
+const unique T.ExclusiveWaiters__ERESOURCE:name;
+const unique T.OwnerEntry__ERESOURCE:name;
+const unique T.ActiveEntries__ERESOURCE:name;
+const unique T.ContentionCount__ERESOURCE:name;
+const unique T.NumberOfSharedWaiters__ERESOURCE:name;
+const unique T.NumberOfExclusiveWaiters__ERESOURCE:name;
+const unique T.__unnamed_4_52c594f7__ERESOURCE:name;
+const unique T.SpinLock__ERESOURCE:name;
+const unique T.SizeOfFastIoDispatch__FAST_IO_DISPATCH:name;
+const unique T.FastIoCheckIfPossible__FAST_IO_DISPATCH:name;
+const unique T.FastIoRead__FAST_IO_DISPATCH:name;
+const unique T.FastIoWrite__FAST_IO_DISPATCH:name;
+const unique T.FastIoQueryBasicInfo__FAST_IO_DISPATCH:name;
+const unique T.FastIoQueryStandardInfo__FAST_IO_DISPATCH:name;
+const unique T.FastIoLock__FAST_IO_DISPATCH:name;
+const unique T.FastIoUnlockSingle__FAST_IO_DISPATCH:name;
+const unique T.FastIoUnlockAll__FAST_IO_DISPATCH:name;
+const unique T.FastIoUnlockAllByKey__FAST_IO_DISPATCH:name;
+const unique T.FastIoDeviceControl__FAST_IO_DISPATCH:name;
+const unique T.AcquireFileForNtCreateSection__FAST_IO_DISPATCH:name;
+const unique T.ReleaseFileForNtCreateSection__FAST_IO_DISPATCH:name;
+const unique T.FastIoDetachDevice__FAST_IO_DISPATCH:name;
+const unique T.FastIoQueryNetworkOpenInfo__FAST_IO_DISPATCH:name;
+const unique T.AcquireForModWrite__FAST_IO_DISPATCH:name;
+const unique T.MdlRead__FAST_IO_DISPATCH:name;
+const unique T.MdlReadComplete__FAST_IO_DISPATCH:name;
+const unique T.PrepareMdlWrite__FAST_IO_DISPATCH:name;
+const unique T.MdlWriteComplete__FAST_IO_DISPATCH:name;
+const unique T.FastIoReadCompressed__FAST_IO_DISPATCH:name;
+const unique T.FastIoWriteCompressed__FAST_IO_DISPATCH:name;
+const unique T.MdlReadCompleteCompressed__FAST_IO_DISPATCH:name;
+const unique T.MdlWriteCompleteCompressed__FAST_IO_DISPATCH:name;
+const unique T.FastIoQueryOpen__FAST_IO_DISPATCH:name;
+const unique T.ReleaseForModWrite__FAST_IO_DISPATCH:name;
+const unique T.AcquireForCcFlush__FAST_IO_DISPATCH:name;
+const unique T.ReleaseForCcFlush__FAST_IO_DISPATCH:name;
+const unique T.Count__FAST_MUTEX:name;
+const unique T.Owner__FAST_MUTEX:name;
+const unique T.Contention__FAST_MUTEX:name;
+const unique T.Gate__FAST_MUTEX:name;
+const unique T.OldIrql__FAST_MUTEX:name;
+const unique T.CreationTime__FILE_BASIC_INFORMATION:name;
+const unique T.LastAccessTime__FILE_BASIC_INFORMATION:name;
+const unique T.LastWriteTime__FILE_BASIC_INFORMATION:name;
+const unique T.ChangeTime__FILE_BASIC_INFORMATION:name;
+const unique T.FileAttributes__FILE_BASIC_INFORMATION:name;
+const unique T.CreationTime__FILE_NETWORK_OPEN_INFORMATION:name;
+const unique T.LastAccessTime__FILE_NETWORK_OPEN_INFORMATION:name;
+const unique T.LastWriteTime__FILE_NETWORK_OPEN_INFORMATION:name;
+const unique T.ChangeTime__FILE_NETWORK_OPEN_INFORMATION:name;
+const unique T.AllocationSize__FILE_NETWORK_OPEN_INFORMATION:name;
+const unique T.EndOfFile__FILE_NETWORK_OPEN_INFORMATION:name;
+const unique T.FileAttributes__FILE_NETWORK_OPEN_INFORMATION:name;
+const unique T.Type__FILE_OBJECT:name;
+const unique T.Size__FILE_OBJECT:name;
+const unique T.DeviceObject__FILE_OBJECT:name;
+const unique T.Vpb__FILE_OBJECT:name;
+const unique T.FsContext__FILE_OBJECT:name;
+const unique T.FsContext2__FILE_OBJECT:name;
+const unique T.SectionObjectPointer__FILE_OBJECT:name;
+const unique T.PrivateCacheMap__FILE_OBJECT:name;
+const unique T.FinalStatus__FILE_OBJECT:name;
+const unique T.RelatedFileObject__FILE_OBJECT:name;
+const unique T.LockOperation__FILE_OBJECT:name;
+const unique T.DeletePending__FILE_OBJECT:name;
+const unique T.ReadAccess__FILE_OBJECT:name;
+const unique T.WriteAccess__FILE_OBJECT:name;
+const unique T.DeleteAccess__FILE_OBJECT:name;
+const unique T.SharedRead__FILE_OBJECT:name;
+const unique T.SharedWrite__FILE_OBJECT:name;
+const unique T.SharedDelete__FILE_OBJECT:name;
+const unique T.Flags__FILE_OBJECT:name;
+const unique T.FileName__FILE_OBJECT:name;
+const unique T.CurrentByteOffset__FILE_OBJECT:name;
+const unique T.Waiters__FILE_OBJECT:name;
+const unique T.Busy__FILE_OBJECT:name;
+const unique T.LastLock__FILE_OBJECT:name;
+const unique T.Lock__FILE_OBJECT:name;
+const unique T.Event__FILE_OBJECT:name;
+const unique T.CompletionContext__FILE_OBJECT:name;
+const unique T.IrpListLock__FILE_OBJECT:name;
+const unique T.IrpList__FILE_OBJECT:name;
+const unique T.FileObjectExtension__FILE_OBJECT:name;
+const unique T.AllocationSize__FILE_STANDARD_INFORMATION:name;
+const unique T.EndOfFile__FILE_STANDARD_INFORMATION:name;
+const unique T.NumberOfLinks__FILE_STANDARD_INFORMATION:name;
+const unique T.DeletePending__FILE_STANDARD_INFORMATION:name;
+const unique T.Directory__FILE_STANDARD_INFORMATION:name;
+const unique T.Debug__GLOBALS:name;
+const unique T.GrandMaster__GLOBALS:name;
+const unique T.AssocClassList__GLOBALS:name;
+const unique T.NumAssocClass__GLOBALS:name;
+const unique T.Opens__GLOBALS:name;
+const unique T.NumberLegacyPorts__GLOBALS:name;
+const unique T.Mutex__GLOBALS:name;
+const unique T.ConnectOneClassToOnePort__GLOBALS:name;
+const unique T.SendOutputToAllPorts__GLOBALS:name;
+const unique T.PortsServiced__GLOBALS:name;
+const unique T.InitExtension__GLOBALS:name;
+const unique T.RegistryPath__GLOBALS:name;
+const unique T.BaseClassName__GLOBALS:name;
+const unique T.BaseClassBuffer__GLOBALS:name;
+const unique T.LegacyDeviceList__GLOBALS:name;
+const unique T.Data1__GUID:name;
+const unique T.Data2__GUID:name;
+const unique T.Data3__GUID:name;
+const unique T.Data4__GUID:name;
+const unique T.PrivilegeCount__INITIAL_PRIVILEGE_SET:name;
+const unique T.Control__INITIAL_PRIVILEGE_SET:name;
+const unique T.Privilege__INITIAL_PRIVILEGE_SET:name;
+const unique T.Size__INTERFACE:name;
+const unique T.Version__INTERFACE:name;
+const unique T.Context__INTERFACE:name;
+const unique T.InterfaceReference__INTERFACE:name;
+const unique T.InterfaceDereference__INTERFACE:name;
+const unique T.Port__IO_COMPLETION_CONTEXT:name;
+const unique T.Key__IO_COMPLETION_CONTEXT:name;
+const unique T.Common__IO_REMOVE_LOCK:name;
+const unique T.Dbg__IO_REMOVE_LOCK:name;
+const unique T.Removed__IO_REMOVE_LOCK_COMMON_BLOCK:name;
+const unique T.Reserved__IO_REMOVE_LOCK_COMMON_BLOCK:name;
+const unique T.IoCount__IO_REMOVE_LOCK_COMMON_BLOCK:name;
+const unique T.RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCK:name;
+const unique T.Signature__IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T.HighWatermark__IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T.MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T.AllocateTag__IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T.LockList__IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T.Spin__IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T.LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T.Reserved1__IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T.Reserved2__IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T.Blocks__IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T.Option__IO_RESOURCE_DESCRIPTOR:name;
+const unique T.Type__IO_RESOURCE_DESCRIPTOR:name;
+const unique T.ShareDisposition__IO_RESOURCE_DESCRIPTOR:name;
+const unique T.Spare1__IO_RESOURCE_DESCRIPTOR:name;
+const unique T.Flags__IO_RESOURCE_DESCRIPTOR:name;
+const unique T.Spare2__IO_RESOURCE_DESCRIPTOR:name;
+const unique T.u__IO_RESOURCE_DESCRIPTOR:name;
+const unique T.Version__IO_RESOURCE_LIST:name;
+const unique T.Revision__IO_RESOURCE_LIST:name;
+const unique T.Count__IO_RESOURCE_LIST:name;
+const unique T.Descriptors__IO_RESOURCE_LIST:name;
+const unique T.ListSize__IO_RESOURCE_REQUIREMENTS_LIST:name;
+const unique T.InterfaceType__IO_RESOURCE_REQUIREMENTS_LIST:name;
+const unique T.BusNumber__IO_RESOURCE_REQUIREMENTS_LIST:name;
+const unique T.SlotNumber__IO_RESOURCE_REQUIREMENTS_LIST:name;
+const unique T.Reserved__IO_RESOURCE_REQUIREMENTS_LIST:name;
+const unique T.AlternativeLists__IO_RESOURCE_REQUIREMENTS_LIST:name;
+const unique T.List__IO_RESOURCE_REQUIREMENTS_LIST:name;
+const unique T.SecurityQos__IO_SECURITY_CONTEXT:name;
+const unique T.AccessState__IO_SECURITY_CONTEXT:name;
+const unique T.DesiredAccess__IO_SECURITY_CONTEXT:name;
+const unique T.FullCreateOptions__IO_SECURITY_CONTEXT:name;
+const unique T.MajorFunction__IO_STACK_LOCATION:name;
+const unique T.MinorFunction__IO_STACK_LOCATION:name;
+const unique T.Flags__IO_STACK_LOCATION:name;
+const unique T.Control__IO_STACK_LOCATION:name;
+const unique T.Parameters__IO_STACK_LOCATION:name;
+const unique T.DeviceObject__IO_STACK_LOCATION:name;
+const unique T.FileObject__IO_STACK_LOCATION:name;
+const unique T.CompletionRoutine__IO_STACK_LOCATION:name;
+const unique T.Context__IO_STACK_LOCATION:name;
+const unique T.__unnamed_4_d99b6e2b__IO_STATUS_BLOCK:name;
+const unique T.Information__IO_STATUS_BLOCK:name;
+const unique T.Type__IRP:name;
+const unique T.Size__IRP:name;
+const unique T.MdlAddress__IRP:name;
+const unique T.Flags__IRP:name;
+const unique T.AssociatedIrp__IRP:name;
+const unique T.ThreadListEntry__IRP:name;
+const unique T.IoStatus__IRP:name;
+const unique T.RequestorMode__IRP:name;
+const unique T.PendingReturned__IRP:name;
+const unique T.StackCount__IRP:name;
+const unique T.CurrentLocation__IRP:name;
+const unique T.Cancel__IRP:name;
+const unique T.CancelIrql__IRP:name;
+const unique T.ApcEnvironment__IRP:name;
+const unique T.AllocationFlags__IRP:name;
+const unique T.UserIosb__IRP:name;
+const unique T.UserEvent__IRP:name;
+const unique T.Overlay__IRP:name;
+const unique T.CancelRoutine__IRP:name;
+const unique T.UserBuffer__IRP:name;
+const unique T.Tail__IRP:name;
+const unique T.Type__KAPC:name;
+const unique T.SpareByte0__KAPC:name;
+const unique T.Size__KAPC:name;
+const unique T.SpareByte1__KAPC:name;
+const unique T.SpareLong0__KAPC:name;
+const unique T.Thread__KAPC:name;
+const unique T.ApcListEntry__KAPC:name;
+const unique T.KernelRoutine__KAPC:name;
+const unique T.RundownRoutine__KAPC:name;
+const unique T.NormalRoutine__KAPC:name;
+const unique T.NormalContext__KAPC:name;
+const unique T.SystemArgument1__KAPC:name;
+const unique T.SystemArgument2__KAPC:name;
+const unique T.ApcStateIndex__KAPC:name;
+const unique T.ApcMode__KAPC:name;
+const unique T.Inserted__KAPC:name;
+const unique T.Type__KDEVICE_QUEUE:name;
+const unique T.Size__KDEVICE_QUEUE:name;
+const unique T.DeviceListHead__KDEVICE_QUEUE:name;
+const unique T.Lock__KDEVICE_QUEUE:name;
+const unique T.Busy__KDEVICE_QUEUE:name;
+const unique T.DeviceListEntry__KDEVICE_QUEUE_ENTRY:name;
+const unique T.SortKey__KDEVICE_QUEUE_ENTRY:name;
+const unique T.Inserted__KDEVICE_QUEUE_ENTRY:name;
+const unique T.Type__KDPC:name;
+const unique T.Importance__KDPC:name;
+const unique T.Number__KDPC:name;
+const unique T.DpcListEntry__KDPC:name;
+const unique T.DeferredRoutine__KDPC:name;
+const unique T.DeferredContext__KDPC:name;
+const unique T.SystemArgument1__KDPC:name;
+const unique T.SystemArgument2__KDPC:name;
+const unique T.DpcData__KDPC:name;
+const unique T.Header__KEVENT:name;
+const unique T.KeyboardIdentifier__KEYBOARD_ATTRIBUTES:name;
+const unique T.KeyboardMode__KEYBOARD_ATTRIBUTES:name;
+const unique T.NumberOfFunctionKeys__KEYBOARD_ATTRIBUTES:name;
+const unique T.NumberOfIndicators__KEYBOARD_ATTRIBUTES:name;
+const unique T.NumberOfKeysTotal__KEYBOARD_ATTRIBUTES:name;
+const unique T.InputDataQueueLength__KEYBOARD_ATTRIBUTES:name;
+const unique T.KeyRepeatMinimum__KEYBOARD_ATTRIBUTES:name;
+const unique T.KeyRepeatMaximum__KEYBOARD_ATTRIBUTES:name;
+const unique T.Type__KEYBOARD_ID:name;
+const unique T.Subtype__KEYBOARD_ID:name;
+const unique T.UnitId__KEYBOARD_INDICATOR_PARAMETERS:name;
+const unique T.LedFlags__KEYBOARD_INDICATOR_PARAMETERS:name;
+const unique T.UnitId__KEYBOARD_INPUT_DATA:name;
+const unique T.MakeCode__KEYBOARD_INPUT_DATA:name;
+const unique T.Flags__KEYBOARD_INPUT_DATA:name;
+const unique T.Reserved__KEYBOARD_INPUT_DATA:name;
+const unique T.ExtraInformation__KEYBOARD_INPUT_DATA:name;
+const unique T.UnitId__KEYBOARD_TYPEMATIC_PARAMETERS:name;
+const unique T.Rate__KEYBOARD_TYPEMATIC_PARAMETERS:name;
+const unique T.Delay__KEYBOARD_TYPEMATIC_PARAMETERS:name;
+const unique T.Header__KSEMAPHORE:name;
+const unique T.Limit__KSEMAPHORE:name;
+const unique T.__unnamed_8_58ee4a31__LARGE_INTEGER:name;
+const unique T.u__LARGE_INTEGER:name;
+const unique T.QuadPart__LARGE_INTEGER:name;
+const unique T.Flink__LIST_ENTRY:name;
+const unique T.Blink__LIST_ENTRY:name;
+const unique T.LowPart__LUID:name;
+const unique T.HighPart__LUID:name;
+const unique T.Luid__LUID_AND_ATTRIBUTES:name;
+const unique T.Attributes__LUID_AND_ATTRIBUTES:name;
+const unique T.Next__MDL:name;
+const unique T.Size__MDL:name;
+const unique T.MdlFlags__MDL:name;
+const unique T.Process__MDL:name;
+const unique T.MappedSystemVa__MDL:name;
+const unique T.StartVa__MDL:name;
+const unique T.ByteCount__MDL:name;
+const unique T.ByteOffset__MDL:name;
+const unique T.OwnerThread__OWNER_ENTRY:name;
+const unique T.__unnamed_4_6f9ac8e1__OWNER_ENTRY:name;
+const unique T.File__PORT:name;
+const unique T.Port__PORT:name;
+const unique T.Enabled__PORT:name;
+const unique T.Reserved__PORT:name;
+const unique T.Free__PORT:name;
+const unique T.SequenceD1__POWER_SEQUENCE:name;
+const unique T.SequenceD2__POWER_SEQUENCE:name;
+const unique T.SequenceD3__POWER_SEQUENCE:name;
+const unique T.SystemState__POWER_STATE:name;
+const unique T.DeviceState__POWER_STATE:name;
+const unique T.PrivilegeCount__PRIVILEGE_SET:name;
+const unique T.Control__PRIVILEGE_SET:name;
+const unique T.Privilege__PRIVILEGE_SET:name;
+const unique T.DataSectionObject__SECTION_OBJECT_POINTERS:name;
+const unique T.SharedCacheMap__SECTION_OBJECT_POINTERS:name;
+const unique T.ImageSectionObject__SECTION_OBJECT_POINTERS:name;
+const unique T.Length__SECURITY_QUALITY_OF_SERVICE:name;
+const unique T.ImpersonationLevel__SECURITY_QUALITY_OF_SERVICE:name;
+const unique T.ContextTrackingMode__SECURITY_QUALITY_OF_SERVICE:name;
+const unique T.EffectiveOnly__SECURITY_QUALITY_OF_SERVICE:name;
+const unique T.ClientToken__SECURITY_SUBJECT_CONTEXT:name;
+const unique T.ImpersonationLevel__SECURITY_SUBJECT_CONTEXT:name;
+const unique T.PrimaryToken__SECURITY_SUBJECT_CONTEXT:name;
+const unique T.ProcessAuditId__SECURITY_SUBJECT_CONTEXT:name;
+const unique T.__unnamed_4_3a2fdc5e__SYSTEM_POWER_STATE_CONTEXT:name;
+const unique T.Length__UNICODE_STRING:name;
+const unique T.MaximumLength__UNICODE_STRING:name;
+const unique T.Buffer__UNICODE_STRING:name;
+const unique T.Type__VPB:name;
+const unique T.Size__VPB:name;
+const unique T.Flags__VPB:name;
+const unique T.VolumeLabelLength__VPB:name;
+const unique T.DeviceObject__VPB:name;
+const unique T.RealDevice__VPB:name;
+const unique T.SerialNumber__VPB:name;
+const unique T.ReferenceCount__VPB:name;
+const unique T.VolumeLabel__VPB:name;
+const unique T.WaitQueueEntry__WAIT_CONTEXT_BLOCK:name;
+const unique T.DeviceRoutine__WAIT_CONTEXT_BLOCK:name;
+const unique T.DeviceContext__WAIT_CONTEXT_BLOCK:name;
+const unique T.NumberOfMapRegisters__WAIT_CONTEXT_BLOCK:name;
+const unique T.DeviceObject__WAIT_CONTEXT_BLOCK:name;
+const unique T.CurrentIrp__WAIT_CONTEXT_BLOCK:name;
+const unique T.BufferChainingDpc__WAIT_CONTEXT_BLOCK:name;
+const unique T.GuidCount__WMILIB_CONTEXT:name;
+const unique T.GuidList__WMILIB_CONTEXT:name;
+const unique T.QueryWmiRegInfo__WMILIB_CONTEXT:name;
+const unique T.QueryWmiDataBlock__WMILIB_CONTEXT:name;
+const unique T.SetWmiDataBlock__WMILIB_CONTEXT:name;
+const unique T.SetWmiDataItem__WMILIB_CONTEXT:name;
+const unique T.ExecuteWmiMethod__WMILIB_CONTEXT:name;
+const unique T.WmiFunctionControl__WMILIB_CONTEXT:name;
+const unique T.Reserved___unnamed_12_0d6a30de:name;
+const unique T.MessageCount___unnamed_12_0d6a30de:name;
+const unique T.Vector___unnamed_12_0d6a30de:name;
+const unique T.Affinity___unnamed_12_0d6a30de:name;
+const unique T.Start___unnamed_12_17f5c211:name;
+const unique T.Length48___unnamed_12_17f5c211:name;
+const unique T.Start___unnamed_12_1fb42e39:name;
+const unique T.Length___unnamed_12_1fb42e39:name;
+const unique T.Reserved___unnamed_12_1fb42e39:name;
+const unique T.Start___unnamed_12_2a1563c6:name;
+const unique T.Length___unnamed_12_2a1563c6:name;
+const unique T.DataSize___unnamed_12_31347272:name;
+const unique T.Reserved1___unnamed_12_31347272:name;
+const unique T.Reserved2___unnamed_12_31347272:name;
+const unique T.Raw___unnamed_12_429aadc0:name;
+const unique T.Translated___unnamed_12_429aadc0:name;
+const unique T.Start___unnamed_12_4719de1a:name;
+const unique T.Length___unnamed_12_4719de1a:name;
+const unique T.Data___unnamed_12_4be56faa:name;
+const unique T.Data___unnamed_12_5ce25b92:name;
+const unique T.Generic___unnamed_12_7a698b72:name;
+const unique T.Port___unnamed_12_7a698b72:name;
+const unique T.Interrupt___unnamed_12_7a698b72:name;
+const unique T.MessageInterrupt___unnamed_12_7a698b72:name;
+const unique T.Memory___unnamed_12_7a698b72:name;
+const unique T.Dma___unnamed_12_7a698b72:name;
+const unique T.DevicePrivate___unnamed_12_7a698b72:name;
+const unique T.BusNumber___unnamed_12_7a698b72:name;
+const unique T.DeviceSpecificData___unnamed_12_7a698b72:name;
+const unique T.Memory40___unnamed_12_7a698b72:name;
+const unique T.Memory48___unnamed_12_7a698b72:name;
+const unique T.Memory64___unnamed_12_7a698b72:name;
+const unique T.Start___unnamed_12_87c0de8d:name;
+const unique T.Length64___unnamed_12_87c0de8d:name;
+const unique T.Start___unnamed_12_98bfc55a:name;
+const unique T.Length40___unnamed_12_98bfc55a:name;
+const unique T.Priority___unnamed_12_ab1bd9d7:name;
+const unique T.Reserved1___unnamed_12_ab1bd9d7:name;
+const unique T.Reserved2___unnamed_12_ab1bd9d7:name;
+const unique T.Level___unnamed_12_b0429be9:name;
+const unique T.Vector___unnamed_12_b0429be9:name;
+const unique T.Affinity___unnamed_12_b0429be9:name;
+const unique T.ListEntry___unnamed_12_b43e8de8:name;
+const unique T.__unnamed_4_f19b65c1___unnamed_12_b43e8de8:name;
+const unique T.Level___unnamed_12_bfdb39ee:name;
+const unique T.Vector___unnamed_12_bfdb39ee:name;
+const unique T.Affinity___unnamed_12_bfdb39ee:name;
+const unique T.Start___unnamed_12_cd42b3c3:name;
+const unique T.Length___unnamed_12_cd42b3c3:name;
+const unique T.__unnamed_12_429aadc0___unnamed_12_e668effc:name;
+const unique T.Channel___unnamed_12_e80d029e:name;
+const unique T.Port___unnamed_12_e80d029e:name;
+const unique T.Reserved1___unnamed_12_e80d029e:name;
+const unique T.Length___unnamed_16_07c0bcc5:name;
+const unique T.MinBusNumber___unnamed_16_07c0bcc5:name;
+const unique T.MaxBusNumber___unnamed_16_07c0bcc5:name;
+const unique T.Reserved___unnamed_16_07c0bcc5:name;
+const unique T.InterfaceType___unnamed_16_29cb9f2f:name;
+const unique T.Size___unnamed_16_29cb9f2f:name;
+const unique T.Version___unnamed_16_29cb9f2f:name;
+const unique T.Interface___unnamed_16_29cb9f2f:name;
+const unique T.InterfaceSpecificData___unnamed_16_29cb9f2f:name;
+const unique T.SecurityContext___unnamed_16_30f11dbf:name;
+const unique T.Options___unnamed_16_30f11dbf:name;
+const unique T.FileAttributes___unnamed_16_30f11dbf:name;
+const unique T.ShareAccess___unnamed_16_30f11dbf:name;
+const unique T.EaLength___unnamed_16_30f11dbf:name;
+const unique T.DriverContext___unnamed_16_35034f68:name;
+const unique T.Length___unnamed_16_487a9498:name;
+const unique T.FileName___unnamed_16_487a9498:name;
+const unique T.FileInformationClass___unnamed_16_487a9498:name;
+const unique T.FileIndex___unnamed_16_487a9498:name;
+const unique T.OutputBufferLength___unnamed_16_5f6a8844:name;
+const unique T.InputBufferLength___unnamed_16_5f6a8844:name;
+const unique T.FsControlCode___unnamed_16_5f6a8844:name;
+const unique T.Type3InputBuffer___unnamed_16_5f6a8844:name;
+const unique T.Length___unnamed_16_7177b9f3:name;
+const unique T.FileInformationClass___unnamed_16_7177b9f3:name;
+const unique T.FileObject___unnamed_16_7177b9f3:name;
+const unique T.__unnamed_4_43913aa5___unnamed_16_7177b9f3:name;
+const unique T.Length___unnamed_16_88e91ef6:name;
+const unique T.Key___unnamed_16_88e91ef6:name;
+const unique T.ByteOffset___unnamed_16_88e91ef6:name;
+const unique T.Length___unnamed_16_8c506c98:name;
+const unique T.Key___unnamed_16_8c506c98:name;
+const unique T.ByteOffset___unnamed_16_8c506c98:name;
+const unique T.WhichSpace___unnamed_16_9ac2e5f8:name;
+const unique T.Buffer___unnamed_16_9ac2e5f8:name;
+const unique T.Offset___unnamed_16_9ac2e5f8:name;
+const unique T.Length___unnamed_16_9ac2e5f8:name;
+const unique T.Create___unnamed_16_b93842ad:name;
+const unique T.Read___unnamed_16_b93842ad:name;
+const unique T.Write___unnamed_16_b93842ad:name;
+const unique T.QueryDirectory___unnamed_16_b93842ad:name;
+const unique T.NotifyDirectory___unnamed_16_b93842ad:name;
+const unique T.QueryFile___unnamed_16_b93842ad:name;
+const unique T.SetFile___unnamed_16_b93842ad:name;
+const unique T.QueryEa___unnamed_16_b93842ad:name;
+const unique T.SetEa___unnamed_16_b93842ad:name;
+const unique T.QueryVolume___unnamed_16_b93842ad:name;
+const unique T.SetVolume___unnamed_16_b93842ad:name;
+const unique T.FileSystemControl___unnamed_16_b93842ad:name;
+const unique T.LockControl___unnamed_16_b93842ad:name;
+const unique T.DeviceIoControl___unnamed_16_b93842ad:name;
+const unique T.QuerySecurity___unnamed_16_b93842ad:name;
+const unique T.SetSecurity___unnamed_16_b93842ad:name;
+const unique T.MountVolume___unnamed_16_b93842ad:name;
+const unique T.VerifyVolume___unnamed_16_b93842ad:name;
+const unique T.Scsi___unnamed_16_b93842ad:name;
+const unique T.QueryQuota___unnamed_16_b93842ad:name;
+const unique T.SetQuota___unnamed_16_b93842ad:name;
+const unique T.QueryDeviceRelations___unnamed_16_b93842ad:name;
+const unique T.QueryInterface___unnamed_16_b93842ad:name;
+const unique T.DeviceCapabilities___unnamed_16_b93842ad:name;
+const unique T.FilterResourceRequirements___unnamed_16_b93842ad:name;
+const unique T.ReadWriteConfig___unnamed_16_b93842ad:name;
+const unique T.SetLock___unnamed_16_b93842ad:name;
+const unique T.QueryId___unnamed_16_b93842ad:name;
+const unique T.QueryDeviceText___unnamed_16_b93842ad:name;
+const unique T.UsageNotification___unnamed_16_b93842ad:name;
+const unique T.WaitWake___unnamed_16_b93842ad:name;
+const unique T.PowerSequence___unnamed_16_b93842ad:name;
+const unique T.Power___unnamed_16_b93842ad:name;
+const unique T.StartDevice___unnamed_16_b93842ad:name;
+const unique T.WMI___unnamed_16_b93842ad:name;
+const unique T.Others___unnamed_16_b93842ad:name;
+const unique T.Length___unnamed_16_b9c62eab:name;
+const unique T.Key___unnamed_16_b9c62eab:name;
+const unique T.ByteOffset___unnamed_16_b9c62eab:name;
+const unique T.__unnamed_4_7d9d0c7e___unnamed_16_bb584060:name;
+const unique T.Type___unnamed_16_bb584060:name;
+const unique T.State___unnamed_16_bb584060:name;
+const unique T.ShutdownType___unnamed_16_bb584060:name;
+const unique T.OutputBufferLength___unnamed_16_dba55c7c:name;
+const unique T.InputBufferLength___unnamed_16_dba55c7c:name;
+const unique T.IoControlCode___unnamed_16_dba55c7c:name;
+const unique T.Type3InputBuffer___unnamed_16_dba55c7c:name;
+const unique T.DeviceQueueEntry___unnamed_16_e70c268b:name;
+const unique T.__unnamed_16_35034f68___unnamed_16_e70c268b:name;
+const unique T.Argument1___unnamed_16_e734d694:name;
+const unique T.Argument2___unnamed_16_e734d694:name;
+const unique T.Argument3___unnamed_16_e734d694:name;
+const unique T.Argument4___unnamed_16_e734d694:name;
+const unique T.ProviderId___unnamed_16_eac6dbea:name;
+const unique T.DataPath___unnamed_16_eac6dbea:name;
+const unique T.BufferSize___unnamed_16_eac6dbea:name;
+const unique T.Buffer___unnamed_16_eac6dbea:name;
+const unique T.Length___unnamed_16_f6cae4c2:name;
+const unique T.EaList___unnamed_16_f6cae4c2:name;
+const unique T.EaListLength___unnamed_16_f6cae4c2:name;
+const unique T.EaIndex___unnamed_16_f6cae4c2:name;
+const unique T.Length___unnamed_16_fe36e4f4:name;
+const unique T.StartSid___unnamed_16_fe36e4f4:name;
+const unique T.SidList___unnamed_16_fe36e4f4:name;
+const unique T.SidListLength___unnamed_16_fe36e4f4:name;
+const unique T.Abandoned___unnamed_1_29794256:name;
+const unique T.Absolute___unnamed_1_29794256:name;
+const unique T.NpxIrql___unnamed_1_29794256:name;
+const unique T.Signalling___unnamed_1_29794256:name;
+const unique T.Inserted___unnamed_1_2dc63b48:name;
+const unique T.DebugActive___unnamed_1_2dc63b48:name;
+const unique T.DpcActive___unnamed_1_2dc63b48:name;
+const unique T.Size___unnamed_1_2ef8da39:name;
+const unique T.Hand___unnamed_1_2ef8da39:name;
+const unique T.Lock___unnamed_1_faa7dc71:name;
+const unique T.MinimumVector___unnamed_20_f4d2e6d8:name;
+const unique T.MaximumVector___unnamed_20_f4d2e6d8:name;
+const unique T.AffinityPolicy___unnamed_20_f4d2e6d8:name;
+const unique T.PriorityPolicy___unnamed_20_f4d2e6d8:name;
+const unique T.TargetedProcessors___unnamed_20_f4d2e6d8:name;
+const unique T.Length___unnamed_24_41cbc8c0:name;
+const unique T.Alignment___unnamed_24_41cbc8c0:name;
+const unique T.MinimumAddress___unnamed_24_41cbc8c0:name;
+const unique T.MaximumAddress___unnamed_24_41cbc8c0:name;
+const unique T.Length48___unnamed_24_5419c914:name;
+const unique T.Alignment48___unnamed_24_5419c914:name;
+const unique T.MinimumAddress___unnamed_24_5419c914:name;
+const unique T.MaximumAddress___unnamed_24_5419c914:name;
+const unique T.Length___unnamed_24_67a5ff10:name;
+const unique T.Alignment___unnamed_24_67a5ff10:name;
+const unique T.MinimumAddress___unnamed_24_67a5ff10:name;
+const unique T.MaximumAddress___unnamed_24_67a5ff10:name;
+const unique T.Port___unnamed_24_72c3976e:name;
+const unique T.Memory___unnamed_24_72c3976e:name;
+const unique T.Interrupt___unnamed_24_72c3976e:name;
+const unique T.Dma___unnamed_24_72c3976e:name;
+const unique T.Generic___unnamed_24_72c3976e:name;
+const unique T.DevicePrivate___unnamed_24_72c3976e:name;
+const unique T.BusNumber___unnamed_24_72c3976e:name;
+const unique T.ConfigData___unnamed_24_72c3976e:name;
+const unique T.Memory40___unnamed_24_72c3976e:name;
+const unique T.Memory48___unnamed_24_72c3976e:name;
+const unique T.Memory64___unnamed_24_72c3976e:name;
+const unique T.Length64___unnamed_24_a26050bb:name;
+const unique T.Alignment64___unnamed_24_a26050bb:name;
+const unique T.MinimumAddress___unnamed_24_a26050bb:name;
+const unique T.MaximumAddress___unnamed_24_a26050bb:name;
+const unique T.Length___unnamed_24_b8f476db:name;
+const unique T.Alignment___unnamed_24_b8f476db:name;
+const unique T.MinimumAddress___unnamed_24_b8f476db:name;
+const unique T.MaximumAddress___unnamed_24_b8f476db:name;
+const unique T.Length40___unnamed_24_d09044b4:name;
+const unique T.Alignment40___unnamed_24_d09044b4:name;
+const unique T.MinimumAddress___unnamed_24_d09044b4:name;
+const unique T.MaximumAddress___unnamed_24_d09044b4:name;
+const unique T.ReplaceIfExists___unnamed_2_46cc4597:name;
+const unique T.AdvanceOnly___unnamed_2_46cc4597:name;
+const unique T.__unnamed_16_e70c268b___unnamed_40_7218f704:name;
+const unique T.Thread___unnamed_40_7218f704:name;
+const unique T.AuxiliaryBuffer___unnamed_40_7218f704:name;
+const unique T.__unnamed_12_b43e8de8___unnamed_40_7218f704:name;
+const unique T.OriginalFileObject___unnamed_40_7218f704:name;
+const unique T.ListEntry___unnamed_40_c55c9377:name;
+const unique T.Wcb___unnamed_40_c55c9377:name;
+const unique T.InitialPrivilegeSet___unnamed_44_5584090d:name;
+const unique T.PrivilegeSet___unnamed_44_5584090d:name;
+const unique T.Overlay___unnamed_48_cf99b13f:name;
+const unique T.Apc___unnamed_48_cf99b13f:name;
+const unique T.CompletionKey___unnamed_48_cf99b13f:name;
+const unique T.PowerState___unnamed_4_069846fb:name;
+const unique T.IdType___unnamed_4_224c32f4:name;
+const unique T.Capabilities___unnamed_4_2de698da:name;
+const unique T.__unnamed_4_c3479730___unnamed_4_3a2fdc5e:name;
+const unique T.ContextAsUlong___unnamed_4_3a2fdc5e:name;
+const unique T.Length___unnamed_4_3a4c1a13:name;
+const unique T.__unnamed_2_46cc4597___unnamed_4_43913aa5:name;
+const unique T.ClusterCount___unnamed_4_43913aa5:name;
+const unique T.DeleteHandle___unnamed_4_43913aa5:name;
+const unique T.UserApcRoutine___unnamed_4_4e8dd2ba:name;
+const unique T.IssuingProcess___unnamed_4_4e8dd2ba:name;
+const unique T.Srb___unnamed_4_52603077:name;
+const unique T.Address___unnamed_4_52c594f7:name;
+const unique T.CreatorBackTraceIndex___unnamed_4_52c594f7:name;
+const unique T.Type___unnamed_4_5ca00198:name;
+const unique T.__unnamed_1_29794256___unnamed_4_5ca00198:name;
+const unique T.__unnamed_1_2ef8da39___unnamed_4_5ca00198:name;
+const unique T.__unnamed_1_2dc63b48___unnamed_4_5ca00198:name;
+const unique T.MasterIrp___unnamed_4_6ac6463c:name;
+const unique T.IrpCount___unnamed_4_6ac6463c:name;
+const unique T.SystemBuffer___unnamed_4_6ac6463c:name;
+const unique T.OwnerCount___unnamed_4_6f9ac8e1:name;
+const unique T.TableSize___unnamed_4_6f9ac8e1:name;
+const unique T.PowerSequence___unnamed_4_7a02167b:name;
+const unique T.SystemContext___unnamed_4_7d9d0c7e:name;
+const unique T.SystemPowerStateContext___unnamed_4_7d9d0c7e:name;
+const unique T.IoResourceRequirementList___unnamed_4_82f7a864:name;
+const unique T.Length___unnamed_4_9aec220b:name;
+const unique T.__unnamed_4_5ca00198___unnamed_4_a97c65a1:name;
+const unique T.Lock___unnamed_4_a97c65a1:name;
+const unique T.Reserved1___unnamed_4_c3479730:name;
+const unique T.TargetSystemState___unnamed_4_c3479730:name;
+const unique T.EffectiveSystemState___unnamed_4_c3479730:name;
+const unique T.CurrentSystemState___unnamed_4_c3479730:name;
+const unique T.IgnoreHibernationPath___unnamed_4_c3479730:name;
+const unique T.PseudoTransition___unnamed_4_c3479730:name;
+const unique T.Reserved2___unnamed_4_c3479730:name;
+const unique T.Status___unnamed_4_d99b6e2b:name;
+const unique T.Pointer___unnamed_4_d99b6e2b:name;
+const unique T.CurrentStackLocation___unnamed_4_f19b65c1:name;
+const unique T.PacketType___unnamed_4_f19b65c1:name;
+const unique T.Type___unnamed_4_fa10fc16:name;
+const unique T.SecurityInformation___unnamed_8_01efa60d:name;
+const unique T.Length___unnamed_8_01efa60d:name;
+const unique T.MinimumChannel___unnamed_8_08d4cef8:name;
+const unique T.MaximumChannel___unnamed_8_08d4cef8:name;
+const unique T.__unnamed_4_4e8dd2ba___unnamed_8_0a898c0c:name;
+const unique T.UserApcContext___unnamed_8_0a898c0c:name;
+const unique T.SecurityInformation___unnamed_8_1330f93a:name;
+const unique T.SecurityDescriptor___unnamed_8_1330f93a:name;
+const unique T.AsynchronousParameters___unnamed_8_181d0de9:name;
+const unique T.AllocationSize___unnamed_8_181d0de9:name;
+const unique T.Vpb___unnamed_8_4812764d:name;
+const unique T.DeviceObject___unnamed_8_4812764d:name;
+const unique T.Length___unnamed_8_559a91e6:name;
+const unique T.FsInformationClass___unnamed_8_559a91e6:name;
+const unique T.Length___unnamed_8_5845b309:name;
+const unique T.FileInformationClass___unnamed_8_5845b309:name;
+const unique T.LowPart___unnamed_8_58ee4a31:name;
+const unique T.HighPart___unnamed_8_58ee4a31:name;
+const unique T.AllocatedResources___unnamed_8_61acf4ce:name;
+const unique T.AllocatedResourcesTranslated___unnamed_8_61acf4ce:name;
+const unique T.DeviceTextType___unnamed_8_6acfee04:name;
+const unique T.LocaleId___unnamed_8_6acfee04:name;
+const unique T.Length___unnamed_8_7f26a9dd:name;
+const unique T.CompletionFilter___unnamed_8_7f26a9dd:name;
+const unique T.Vpb___unnamed_8_87add0bd:name;
+const unique T.DeviceObject___unnamed_8_87add0bd:name;
+const unique T.InPath___unnamed_8_b2773e4c:name;
+const unique T.Reserved___unnamed_8_b2773e4c:name;
+const unique T.Type___unnamed_8_b2773e4c:name;
+const unique T.Length___unnamed_8_de890d4e:name;
+const unique T.FsInformationClass___unnamed_8_de890d4e:name;
+const unique T.LowPart___unnamed_8_ef9ba0d3:name;
+const unique T.HighPart___unnamed_8_ef9ba0d3:name;
+
+// Type declarations
+
+const unique T.A11CHAR:name;
+const unique T.A19CHAR:name;
+const unique T.A1_CM_FULL_RESOURCE_DESCRIPTOR:name;
+const unique T.A1_CM_PARTIAL_RESOURCE_DESCRIPTOR:name;
+const unique T.A1_IO_RESOURCE_DESCRIPTOR:name;
+const unique T.A1_IO_RESOURCE_LIST:name;
+const unique T.A1_LUID_AND_ATTRIBUTES:name;
+const unique T.A256UINT2:name;
+const unique T.A28PFDRIVER_DISPATCH:name;
+const unique T.A2UCHAR:name;
+const unique T.A32UINT2:name;
+const unique T.A36CHAR:name;
+const unique T.A37CHAR:name;
+const unique T.A39CHAR:name;
+const unique T.A3UCHAR:name;
+const unique T.A3UINT4:name;
+const unique T.A3_LUID_AND_ATTRIBUTES:name;
+const unique T.A43CHAR:name;
+const unique T.A4PVOID:name;
+const unique T.A4UINT4:name;
+const unique T.A5_DEVICE_POWER_STATE:name;
+const unique T.A74CHAR:name;
+const unique T.A7_DEVICE_POWER_STATE:name;
+const unique T.A8UCHAR:name;
+const unique T.BUS_QUERY_ID_TYPE:name;
+const unique T.CHAR:name;
+const unique T.DEVICE_TEXT_TYPE:name;
+const unique T.F0:name;
+const unique T.F1:name;
+const unique T.F10:name;
+const unique T.F11:name;
+const unique T.F12:name;
+const unique T.F13:name;
+const unique T.F14:name;
+const unique T.F15:name;
+const unique T.F16:name;
+const unique T.F17:name;
+const unique T.F18:name;
+const unique T.F19:name;
+const unique T.F2:name;
+const unique T.F20:name;
+const unique T.F21:name;
+const unique T.F22:name;
+const unique T.F23:name;
+const unique T.F24:name;
+const unique T.F25:name;
+const unique T.F26:name;
+const unique T.F27:name;
+const unique T.F28:name;
+const unique T.F29:name;
+const unique T.F3:name;
+const unique T.F30:name;
+const unique T.F31:name;
+const unique T.F32:name;
+const unique T.F33:name;
+const unique T.F34:name;
+const unique T.F35:name;
+const unique T.F36:name;
+const unique T.F37:name;
+const unique T.F38:name;
+const unique T.F4:name;
+const unique T.F5:name;
+const unique T.F6:name;
+const unique T.F7:name;
+const unique T.F8:name;
+const unique T.F9:name;
+const unique T.FDRIVER_ADD_DEVICE:name;
+const unique T.FDRIVER_CANCEL:name;
+const unique T.FDRIVER_CONTROL:name;
+const unique T.FDRIVER_DISPATCH:name;
+const unique T.FDRIVER_INITIALIZE:name;
+const unique T.FDRIVER_STARTIO:name;
+const unique T.FDRIVER_UNLOAD:name;
+const unique T.FFAST_IO_ACQUIRE_FILE:name;
+const unique T.FFAST_IO_ACQUIRE_FOR_CCFLUSH:name;
+const unique T.FFAST_IO_ACQUIRE_FOR_MOD_WRITE:name;
+const unique T.FFAST_IO_CHECK_IF_POSSIBLE:name;
+const unique T.FFAST_IO_DETACH_DEVICE:name;
+const unique T.FFAST_IO_DEVICE_CONTROL:name;
+const unique T.FFAST_IO_LOCK:name;
+const unique T.FFAST_IO_MDL_READ:name;
+const unique T.FFAST_IO_MDL_READ_COMPLETE:name;
+const unique T.FFAST_IO_MDL_READ_COMPLETE_COMPRESSED:name;
+const unique T.FFAST_IO_MDL_WRITE_COMPLETE:name;
+const unique T.FFAST_IO_MDL_WRITE_COMPLETE_COMPRESSED:name;
+const unique T.FFAST_IO_PREPARE_MDL_WRITE:name;
+const unique T.FFAST_IO_QUERY_BASIC_INFO:name;
+const unique T.FFAST_IO_QUERY_NETWORK_OPEN_INFO:name;
+const unique T.FFAST_IO_QUERY_OPEN:name;
+const unique T.FFAST_IO_QUERY_STANDARD_INFO:name;
+const unique T.FFAST_IO_READ:name;
+const unique T.FFAST_IO_READ_COMPRESSED:name;
+const unique T.FFAST_IO_RELEASE_FILE:name;
+const unique T.FFAST_IO_RELEASE_FOR_CCFLUSH:name;
+const unique T.FFAST_IO_RELEASE_FOR_MOD_WRITE:name;
+const unique T.FFAST_IO_UNLOCK_ALL:name;
+const unique T.FFAST_IO_UNLOCK_ALL_BY_KEY:name;
+const unique T.FFAST_IO_UNLOCK_SINGLE:name;
+const unique T.FFAST_IO_WRITE:name;
+const unique T.FFAST_IO_WRITE_COMPRESSED:name;
+const unique T.FIO_COMPLETION_ROUTINE:name;
+const unique T.FKDEFERRED_ROUTINE:name;
+const unique T.INT2:name;
+const unique T.INT4:name;
+const unique T.INT8:name;
+const unique T.PA11CHAR:name;
+const unique T.PA19CHAR:name;
+const unique T.PA36CHAR:name;
+const unique T.PA37CHAR:name;
+const unique T.PA39CHAR:name;
+const unique T.PA43CHAR:name;
+const unique T.PA74CHAR:name;
+const unique T.PCHAR:name;
+const unique T.PF19:name;
+const unique T.PF21:name;
+const unique T.PF23:name;
+const unique T.PF24:name;
+const unique T.PF25:name;
+const unique T.PF33:name;
+const unique T.PF34:name;
+const unique T.PF35:name;
+const unique T.PF36:name;
+const unique T.PF37:name;
+const unique T.PF38:name;
+const unique T.PFDRIVER_ADD_DEVICE:name;
+const unique T.PFDRIVER_CANCEL:name;
+const unique T.PFDRIVER_CONTROL:name;
+const unique T.PFDRIVER_DISPATCH:name;
+const unique T.PFDRIVER_INITIALIZE:name;
+const unique T.PFDRIVER_STARTIO:name;
+const unique T.PFDRIVER_UNLOAD:name;
+const unique T.PFFAST_IO_ACQUIRE_FILE:name;
+const unique T.PFFAST_IO_ACQUIRE_FOR_CCFLUSH:name;
+const unique T.PFFAST_IO_ACQUIRE_FOR_MOD_WRITE:name;
+const unique T.PFFAST_IO_CHECK_IF_POSSIBLE:name;
+const unique T.PFFAST_IO_DETACH_DEVICE:name;
+const unique T.PFFAST_IO_DEVICE_CONTROL:name;
+const unique T.PFFAST_IO_LOCK:name;
+const unique T.PFFAST_IO_MDL_READ:name;
+const unique T.PFFAST_IO_MDL_READ_COMPLETE:name;
+const unique T.PFFAST_IO_MDL_READ_COMPLETE_COMPRESSED:name;
+const unique T.PFFAST_IO_MDL_WRITE_COMPLETE:name;
+const unique T.PFFAST_IO_MDL_WRITE_COMPLETE_COMPRESSED:name;
+const unique T.PFFAST_IO_PREPARE_MDL_WRITE:name;
+const unique T.PFFAST_IO_QUERY_BASIC_INFO:name;
+const unique T.PFFAST_IO_QUERY_NETWORK_OPEN_INFO:name;
+const unique T.PFFAST_IO_QUERY_OPEN:name;
+const unique T.PFFAST_IO_QUERY_STANDARD_INFO:name;
+const unique T.PFFAST_IO_READ:name;
+const unique T.PFFAST_IO_READ_COMPRESSED:name;
+const unique T.PFFAST_IO_RELEASE_FILE:name;
+const unique T.PFFAST_IO_RELEASE_FOR_CCFLUSH:name;
+const unique T.PFFAST_IO_RELEASE_FOR_MOD_WRITE:name;
+const unique T.PFFAST_IO_UNLOCK_ALL:name;
+const unique T.PFFAST_IO_UNLOCK_ALL_BY_KEY:name;
+const unique T.PFFAST_IO_UNLOCK_SINGLE:name;
+const unique T.PFFAST_IO_WRITE:name;
+const unique T.PFFAST_IO_WRITE_COMPRESSED:name;
+const unique T.PFIO_COMPLETION_ROUTINE:name;
+const unique T.PFKDEFERRED_ROUTINE:name;
+const unique T.PINT4:name;
+const unique T.POWER_ACTION:name;
+const unique T.PPCHAR:name;
+const unique T.PPF24:name;
+const unique T.PPP_FILE_OBJECT:name;
+const unique T.PPVOID:name;
+const unique T.PP_DEVICE_EXTENSION:name;
+const unique T.PP_DEVICE_OBJECT:name;
+const unique T.PP_DRIVER_OBJECT:name;
+const unique T.PP_ERESOURCE:name;
+const unique T.PP_FILE_OBJECT:name;
+const unique T.PP_IRP:name;
+const unique T.PP_LIST_ENTRY:name;
+const unique T.PP_MDL:name;
+const unique T.PP_PORT:name;
+const unique T.PP_UNICODE_STRING:name;
+const unique T.PUCHAR:name;
+const unique T.PUINT2:name;
+const unique T.PUINT4:name;
+const unique T.PVOID:name;
+const unique T.PWMIGUIDREGINFO:name;
+const unique T.P_ACCESS_STATE:name;
+const unique T.P_CM_RESOURCE_LIST:name;
+const unique T.P_COMPRESSED_DATA_INFO:name;
+const unique T.P_DEVICE_CAPABILITIES:name;
+const unique T.P_DEVICE_EXTENSION:name;
+const unique T.P_DEVICE_OBJECT:name;
+const unique T.P_DEVOBJ_EXTENSION:name;
+const unique T.P_DRIVER_EXTENSION:name;
+const unique T.P_DRIVER_OBJECT:name;
+const unique T.P_EPROCESS:name;
+const unique T.P_ERESOURCE:name;
+const unique T.P_ETHREAD:name;
+const unique T.P_FAST_IO_DISPATCH:name;
+const unique T.P_FILE_BASIC_INFORMATION:name;
+const unique T.P_FILE_GET_QUOTA_INFORMATION:name;
+const unique T.P_FILE_NETWORK_OPEN_INFORMATION:name;
+const unique T.P_FILE_OBJECT:name;
+const unique T.P_FILE_STANDARD_INFORMATION:name;
+const unique T.P_GLOBALS:name;
+const unique T.P_GUID:name;
+const unique T.P_INTERFACE:name;
+const unique T.P_IO_COMPLETION_CONTEXT:name;
+const unique T.P_IO_REMOVE_LOCK_TRACKING_BLOCK:name;
+const unique T.P_IO_RESOURCE_REQUIREMENTS_LIST:name;
+const unique T.P_IO_SECURITY_CONTEXT:name;
+const unique T.P_IO_STACK_LOCATION:name;
+const unique T.P_IO_STATUS_BLOCK:name;
+const unique T.P_IO_TIMER:name;
+const unique T.P_IRP:name;
+const unique T.P_KAPC:name;
+const unique T.P_KDPC:name;
+const unique T.P_KEVENT:name;
+const unique T.P_KEYBOARD_INPUT_DATA:name;
+const unique T.P_KSEMAPHORE:name;
+const unique T.P_KTHREAD:name;
+const unique T.P_LARGE_INTEGER:name;
+const unique T.P_LIST_ENTRY:name;
+const unique T.P_MDL:name;
+const unique T.P_OWNER_ENTRY:name;
+const unique T.P_PORT:name;
+const unique T.P_POWER_SEQUENCE:name;
+const unique T.P_SCSI_REQUEST_BLOCK:name;
+const unique T.P_SECTION_OBJECT_POINTERS:name;
+const unique T.P_SECURITY_QUALITY_OF_SERVICE:name;
+const unique T.P_UNICODE_STRING:name;
+const unique T.P_VPB:name;
+const unique T.UCHAR:name;
+const unique T.UINT2:name;
+const unique T.UINT4:name;
+const unique T.VOID:name;
+const unique T.WMIENABLEDISABLECONTROL:name;
+const unique T.WMIGUIDREGINFO:name;
+const unique T._ACCESS_STATE:name;
+const unique T._CM_FULL_RESOURCE_DESCRIPTOR:name;
+const unique T._CM_PARTIAL_RESOURCE_DESCRIPTOR:name;
+const unique T._CM_PARTIAL_RESOURCE_LIST:name;
+const unique T._CM_RESOURCE_LIST:name;
+const unique T._COMPRESSED_DATA_INFO:name;
+const unique T._DEVICE_CAPABILITIES:name;
+const unique T._DEVICE_EXTENSION:name;
+const unique T._DEVICE_OBJECT:name;
+const unique T._DEVICE_POWER_STATE:name;
+const unique T._DEVICE_RELATION_TYPE:name;
+const unique T._DEVICE_USAGE_NOTIFICATION_TYPE:name;
+const unique T._DEVOBJ_EXTENSION:name;
+const unique T._DISPATCHER_HEADER:name;
+const unique T._DRIVER_EXTENSION:name;
+const unique T._DRIVER_OBJECT:name;
+const unique T._EPROCESS:name;
+const unique T._ERESOURCE:name;
+const unique T._ETHREAD:name;
+const unique T._FAST_IO_DISPATCH:name;
+const unique T._FAST_MUTEX:name;
+const unique T._FILE_BASIC_INFORMATION:name;
+const unique T._FILE_GET_QUOTA_INFORMATION:name;
+const unique T._FILE_INFORMATION_CLASS:name;
+const unique T._FILE_NETWORK_OPEN_INFORMATION:name;
+const unique T._FILE_OBJECT:name;
+const unique T._FILE_STANDARD_INFORMATION:name;
+const unique T._FSINFOCLASS:name;
+const unique T._GLOBALS:name;
+const unique T._GUID:name;
+const unique T._INITIAL_PRIVILEGE_SET:name;
+const unique T._INTERFACE:name;
+const unique T._INTERFACE_TYPE:name;
+const unique T._IO_ALLOCATION_ACTION:name;
+const unique T._IO_COMPLETION_CONTEXT:name;
+const unique T._IO_REMOVE_LOCK:name;
+const unique T._IO_REMOVE_LOCK_COMMON_BLOCK:name;
+const unique T._IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T._IO_REMOVE_LOCK_TRACKING_BLOCK:name;
+const unique T._IO_RESOURCE_DESCRIPTOR:name;
+const unique T._IO_RESOURCE_LIST:name;
+const unique T._IO_RESOURCE_REQUIREMENTS_LIST:name;
+const unique T._IO_SECURITY_CONTEXT:name;
+const unique T._IO_STACK_LOCATION:name;
+const unique T._IO_STATUS_BLOCK:name;
+const unique T._IO_TIMER:name;
+const unique T._IRP:name;
+const unique T._IRQ_DEVICE_POLICY:name;
+const unique T._IRQ_PRIORITY:name;
+const unique T._KAPC:name;
+const unique T._KDEVICE_QUEUE:name;
+const unique T._KDEVICE_QUEUE_ENTRY:name;
+const unique T._KDPC:name;
+const unique T._KEVENT:name;
+const unique T._KEYBOARD_ATTRIBUTES:name;
+const unique T._KEYBOARD_ID:name;
+const unique T._KEYBOARD_INDICATOR_PARAMETERS:name;
+const unique T._KEYBOARD_INPUT_DATA:name;
+const unique T._KEYBOARD_TYPEMATIC_PARAMETERS:name;
+const unique T._KSEMAPHORE:name;
+const unique T._KTHREAD:name;
+const unique T._LARGE_INTEGER:name;
+const unique T._LIST_ENTRY:name;
+const unique T._LUID:name;
+const unique T._LUID_AND_ATTRIBUTES:name;
+const unique T._MDL:name;
+const unique T._OWNER_ENTRY:name;
+const unique T._PORT:name;
+const unique T._POWER_SEQUENCE:name;
+const unique T._POWER_STATE:name;
+const unique T._POWER_STATE_TYPE:name;
+const unique T._PRIVILEGE_SET:name;
+const unique T._SCSI_REQUEST_BLOCK:name;
+const unique T._SECTION_OBJECT_POINTERS:name;
+const unique T._SECURITY_IMPERSONATION_LEVEL:name;
+const unique T._SECURITY_QUALITY_OF_SERVICE:name;
+const unique T._SECURITY_SUBJECT_CONTEXT:name;
+const unique T._SYSTEM_POWER_STATE:name;
+const unique T._SYSTEM_POWER_STATE_CONTEXT:name;
+const unique T._UNICODE_STRING:name;
+const unique T._VPB:name;
+const unique T._WAIT_CONTEXT_BLOCK:name;
+const unique T._WMILIB_CONTEXT:name;
+const unique T.__unnamed_12_0d6a30de:name;
+const unique T.__unnamed_12_17f5c211:name;
+const unique T.__unnamed_12_1fb42e39:name;
+const unique T.__unnamed_12_2a1563c6:name;
+const unique T.__unnamed_12_31347272:name;
+const unique T.__unnamed_12_429aadc0:name;
+const unique T.__unnamed_12_4719de1a:name;
+const unique T.__unnamed_12_4be56faa:name;
+const unique T.__unnamed_12_5ce25b92:name;
+const unique T.__unnamed_12_7a698b72:name;
+const unique T.__unnamed_12_87c0de8d:name;
+const unique T.__unnamed_12_98bfc55a:name;
+const unique T.__unnamed_12_ab1bd9d7:name;
+const unique T.__unnamed_12_b0429be9:name;
+const unique T.__unnamed_12_b43e8de8:name;
+const unique T.__unnamed_12_bfdb39ee:name;
+const unique T.__unnamed_12_cd42b3c3:name;
+const unique T.__unnamed_12_e668effc:name;
+const unique T.__unnamed_12_e80d029e:name;
+const unique T.__unnamed_16_07c0bcc5:name;
+const unique T.__unnamed_16_29cb9f2f:name;
+const unique T.__unnamed_16_30f11dbf:name;
+const unique T.__unnamed_16_35034f68:name;
+const unique T.__unnamed_16_487a9498:name;
+const unique T.__unnamed_16_5f6a8844:name;
+const unique T.__unnamed_16_7177b9f3:name;
+const unique T.__unnamed_16_88e91ef6:name;
+const unique T.__unnamed_16_8c506c98:name;
+const unique T.__unnamed_16_9ac2e5f8:name;
+const unique T.__unnamed_16_b93842ad:name;
+const unique T.__unnamed_16_b9c62eab:name;
+const unique T.__unnamed_16_bb584060:name;
+const unique T.__unnamed_16_dba55c7c:name;
+const unique T.__unnamed_16_e70c268b:name;
+const unique T.__unnamed_16_e734d694:name;
+const unique T.__unnamed_16_eac6dbea:name;
+const unique T.__unnamed_16_f6cae4c2:name;
+const unique T.__unnamed_16_fe36e4f4:name;
+const unique T.__unnamed_1_29794256:name;
+const unique T.__unnamed_1_2dc63b48:name;
+const unique T.__unnamed_1_2ef8da39:name;
+const unique T.__unnamed_1_faa7dc71:name;
+const unique T.__unnamed_20_f4d2e6d8:name;
+const unique T.__unnamed_24_41cbc8c0:name;
+const unique T.__unnamed_24_5419c914:name;
+const unique T.__unnamed_24_67a5ff10:name;
+const unique T.__unnamed_24_72c3976e:name;
+const unique T.__unnamed_24_a26050bb:name;
+const unique T.__unnamed_24_b8f476db:name;
+const unique T.__unnamed_24_d09044b4:name;
+const unique T.__unnamed_2_46cc4597:name;
+const unique T.__unnamed_40_7218f704:name;
+const unique T.__unnamed_40_c55c9377:name;
+const unique T.__unnamed_44_5584090d:name;
+const unique T.__unnamed_48_cf99b13f:name;
+const unique T.__unnamed_4_069846fb:name;
+const unique T.__unnamed_4_224c32f4:name;
+const unique T.__unnamed_4_2de698da:name;
+const unique T.__unnamed_4_3a2fdc5e:name;
+const unique T.__unnamed_4_3a4c1a13:name;
+const unique T.__unnamed_4_43913aa5:name;
+const unique T.__unnamed_4_4e8dd2ba:name;
+const unique T.__unnamed_4_52603077:name;
+const unique T.__unnamed_4_52c594f7:name;
+const unique T.__unnamed_4_5ca00198:name;
+const unique T.__unnamed_4_6ac6463c:name;
+const unique T.__unnamed_4_6f9ac8e1:name;
+const unique T.__unnamed_4_7a02167b:name;
+const unique T.__unnamed_4_7d9d0c7e:name;
+const unique T.__unnamed_4_82f7a864:name;
+const unique T.__unnamed_4_9aec220b:name;
+const unique T.__unnamed_4_a97c65a1:name;
+const unique T.__unnamed_4_c3479730:name;
+const unique T.__unnamed_4_d99b6e2b:name;
+const unique T.__unnamed_4_f19b65c1:name;
+const unique T.__unnamed_4_fa10fc16:name;
+const unique T.__unnamed_8_01efa60d:name;
+const unique T.__unnamed_8_08d4cef8:name;
+const unique T.__unnamed_8_0a898c0c:name;
+const unique T.__unnamed_8_1330f93a:name;
+const unique T.__unnamed_8_181d0de9:name;
+const unique T.__unnamed_8_4812764d:name;
+const unique T.__unnamed_8_559a91e6:name;
+const unique T.__unnamed_8_5845b309:name;
+const unique T.__unnamed_8_58ee4a31:name;
+const unique T.__unnamed_8_61acf4ce:name;
+const unique T.__unnamed_8_6acfee04:name;
+const unique T.__unnamed_8_7f26a9dd:name;
+const unique T.__unnamed_8_87add0bd:name;
+const unique T.__unnamed_8_b2773e4c:name;
+const unique T.__unnamed_8_de890d4e:name;
+const unique T.__unnamed_8_ef9ba0d3:name;
+
+function AssocClassList__GLOBALS(int) returns (int);
+function AssocClassList__GLOBALSInv(int) returns (int);
+function _S_AssocClassList__GLOBALS([int]bool) returns ([int]bool);
+function _S_AssocClassList__GLOBALSInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {AssocClassList__GLOBALSInv(AssocClassList__GLOBALS(x))} AssocClassList__GLOBALSInv(AssocClassList__GLOBALS(x)) == x);
+axiom (forall x:int :: {AssocClassList__GLOBALSInv(x)} AssocClassList__GLOBALS(AssocClassList__GLOBALSInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_AssocClassList__GLOBALS(S)[x]} _S_AssocClassList__GLOBALS(S)[x] <==> S[AssocClassList__GLOBALSInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_AssocClassList__GLOBALSInv(S)[x]} _S_AssocClassList__GLOBALSInv(S)[x] <==> S[AssocClassList__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_AssocClassList__GLOBALS(S)} S[x] ==> _S_AssocClassList__GLOBALS(S)[AssocClassList__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_AssocClassList__GLOBALSInv(S)} S[x] ==> _S_AssocClassList__GLOBALSInv(S)[AssocClassList__GLOBALSInv(x)]);
+
+axiom (forall x:int :: {AssocClassList__GLOBALS(x)} AssocClassList__GLOBALS(x) == x + 8);
+axiom (forall x:int :: {AssocClassList__GLOBALSInv(x)} AssocClassList__GLOBALSInv(x) == x - 8);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 8, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 8, 1) == AssocClassList__GLOBALSInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 8)} MINUS_LEFT_PTR(x, 1, 8) == AssocClassList__GLOBALSInv(x));
+function Buffer__UNICODE_STRING(int) returns (int);
+function Buffer__UNICODE_STRINGInv(int) returns (int);
+function _S_Buffer__UNICODE_STRING([int]bool) returns ([int]bool);
+function _S_Buffer__UNICODE_STRINGInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Buffer__UNICODE_STRINGInv(Buffer__UNICODE_STRING(x))} Buffer__UNICODE_STRINGInv(Buffer__UNICODE_STRING(x)) == x);
+axiom (forall x:int :: {Buffer__UNICODE_STRINGInv(x)} Buffer__UNICODE_STRING(Buffer__UNICODE_STRINGInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Buffer__UNICODE_STRING(S)[x]} _S_Buffer__UNICODE_STRING(S)[x] <==> S[Buffer__UNICODE_STRINGInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Buffer__UNICODE_STRINGInv(S)[x]} _S_Buffer__UNICODE_STRINGInv(S)[x] <==> S[Buffer__UNICODE_STRING(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Buffer__UNICODE_STRING(S)} S[x] ==> _S_Buffer__UNICODE_STRING(S)[Buffer__UNICODE_STRING(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Buffer__UNICODE_STRINGInv(S)} S[x] ==> _S_Buffer__UNICODE_STRINGInv(S)[Buffer__UNICODE_STRINGInv(x)]);
+
+axiom (forall x:int :: {Buffer__UNICODE_STRING(x)} Buffer__UNICODE_STRING(x) == x + 4);
+axiom (forall x:int :: {Buffer__UNICODE_STRINGInv(x)} Buffer__UNICODE_STRINGInv(x) == x - 4);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1) == Buffer__UNICODE_STRINGInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 4)} MINUS_LEFT_PTR(x, 1, 4) == Buffer__UNICODE_STRINGInv(x));
+function DataIn__DEVICE_EXTENSION(int) returns (int);
+function DataIn__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_DataIn__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_DataIn__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {DataIn__DEVICE_EXTENSIONInv(DataIn__DEVICE_EXTENSION(x))} DataIn__DEVICE_EXTENSIONInv(DataIn__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {DataIn__DEVICE_EXTENSIONInv(x)} DataIn__DEVICE_EXTENSION(DataIn__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_DataIn__DEVICE_EXTENSION(S)[x]} _S_DataIn__DEVICE_EXTENSION(S)[x] <==> S[DataIn__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_DataIn__DEVICE_EXTENSIONInv(S)[x]} _S_DataIn__DEVICE_EXTENSIONInv(S)[x] <==> S[DataIn__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_DataIn__DEVICE_EXTENSION(S)} S[x] ==> _S_DataIn__DEVICE_EXTENSION(S)[DataIn__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_DataIn__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_DataIn__DEVICE_EXTENSIONInv(S)[DataIn__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {DataIn__DEVICE_EXTENSION(x)} DataIn__DEVICE_EXTENSION(x) == x + 132);
+axiom (forall x:int :: {DataIn__DEVICE_EXTENSIONInv(x)} DataIn__DEVICE_EXTENSIONInv(x) == x - 132);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 132, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 132, 1) == DataIn__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 132)} MINUS_LEFT_PTR(x, 1, 132) == DataIn__DEVICE_EXTENSIONInv(x));
+function DataOut__DEVICE_EXTENSION(int) returns (int);
+function DataOut__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_DataOut__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_DataOut__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {DataOut__DEVICE_EXTENSIONInv(DataOut__DEVICE_EXTENSION(x))} DataOut__DEVICE_EXTENSIONInv(DataOut__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {DataOut__DEVICE_EXTENSIONInv(x)} DataOut__DEVICE_EXTENSION(DataOut__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_DataOut__DEVICE_EXTENSION(S)[x]} _S_DataOut__DEVICE_EXTENSION(S)[x] <==> S[DataOut__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_DataOut__DEVICE_EXTENSIONInv(S)[x]} _S_DataOut__DEVICE_EXTENSIONInv(S)[x] <==> S[DataOut__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_DataOut__DEVICE_EXTENSION(S)} S[x] ==> _S_DataOut__DEVICE_EXTENSION(S)[DataOut__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_DataOut__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_DataOut__DEVICE_EXTENSIONInv(S)[DataOut__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {DataOut__DEVICE_EXTENSION(x)} DataOut__DEVICE_EXTENSION(x) == x + 136);
+axiom (forall x:int :: {DataOut__DEVICE_EXTENSIONInv(x)} DataOut__DEVICE_EXTENSIONInv(x) == x - 136);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 136, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 136, 1) == DataOut__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 136)} MINUS_LEFT_PTR(x, 1, 136) == DataOut__DEVICE_EXTENSIONInv(x));
+function DeviceExtension__DEVICE_OBJECT(int) returns (int);
+function DeviceExtension__DEVICE_OBJECTInv(int) returns (int);
+function _S_DeviceExtension__DEVICE_OBJECT([int]bool) returns ([int]bool);
+function _S_DeviceExtension__DEVICE_OBJECTInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {DeviceExtension__DEVICE_OBJECTInv(DeviceExtension__DEVICE_OBJECT(x))} DeviceExtension__DEVICE_OBJECTInv(DeviceExtension__DEVICE_OBJECT(x)) == x);
+axiom (forall x:int :: {DeviceExtension__DEVICE_OBJECTInv(x)} DeviceExtension__DEVICE_OBJECT(DeviceExtension__DEVICE_OBJECTInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_DeviceExtension__DEVICE_OBJECT(S)[x]} _S_DeviceExtension__DEVICE_OBJECT(S)[x] <==> S[DeviceExtension__DEVICE_OBJECTInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_DeviceExtension__DEVICE_OBJECTInv(S)[x]} _S_DeviceExtension__DEVICE_OBJECTInv(S)[x] <==> S[DeviceExtension__DEVICE_OBJECT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_DeviceExtension__DEVICE_OBJECT(S)} S[x] ==> _S_DeviceExtension__DEVICE_OBJECT(S)[DeviceExtension__DEVICE_OBJECT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_DeviceExtension__DEVICE_OBJECTInv(S)} S[x] ==> _S_DeviceExtension__DEVICE_OBJECTInv(S)[DeviceExtension__DEVICE_OBJECTInv(x)]);
+
+axiom (forall x:int :: {DeviceExtension__DEVICE_OBJECT(x)} DeviceExtension__DEVICE_OBJECT(x) == x + 40);
+axiom (forall x:int :: {DeviceExtension__DEVICE_OBJECTInv(x)} DeviceExtension__DEVICE_OBJECTInv(x) == x - 40);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 40, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 40, 1) == DeviceExtension__DEVICE_OBJECTInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 40)} MINUS_LEFT_PTR(x, 1, 40) == DeviceExtension__DEVICE_OBJECTInv(x));
+function Enabled__DEVICE_EXTENSION(int) returns (int);
+function Enabled__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_Enabled__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_Enabled__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Enabled__DEVICE_EXTENSIONInv(Enabled__DEVICE_EXTENSION(x))} Enabled__DEVICE_EXTENSIONInv(Enabled__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {Enabled__DEVICE_EXTENSIONInv(x)} Enabled__DEVICE_EXTENSION(Enabled__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Enabled__DEVICE_EXTENSION(S)[x]} _S_Enabled__DEVICE_EXTENSION(S)[x] <==> S[Enabled__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Enabled__DEVICE_EXTENSIONInv(S)[x]} _S_Enabled__DEVICE_EXTENSIONInv(S)[x] <==> S[Enabled__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Enabled__DEVICE_EXTENSION(S)} S[x] ==> _S_Enabled__DEVICE_EXTENSION(S)[Enabled__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Enabled__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_Enabled__DEVICE_EXTENSIONInv(S)[Enabled__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {Enabled__DEVICE_EXTENSION(x)} Enabled__DEVICE_EXTENSION(x) == x + 284);
+axiom (forall x:int :: {Enabled__DEVICE_EXTENSIONInv(x)} Enabled__DEVICE_EXTENSIONInv(x) == x - 284);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 284, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 284, 1) == Enabled__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 284)} MINUS_LEFT_PTR(x, 1, 284) == Enabled__DEVICE_EXTENSIONInv(x));
+function Enabled__PORT(int) returns (int);
+function Enabled__PORTInv(int) returns (int);
+function _S_Enabled__PORT([int]bool) returns ([int]bool);
+function _S_Enabled__PORTInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Enabled__PORTInv(Enabled__PORT(x))} Enabled__PORTInv(Enabled__PORT(x)) == x);
+axiom (forall x:int :: {Enabled__PORTInv(x)} Enabled__PORT(Enabled__PORTInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Enabled__PORT(S)[x]} _S_Enabled__PORT(S)[x] <==> S[Enabled__PORTInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Enabled__PORTInv(S)[x]} _S_Enabled__PORTInv(S)[x] <==> S[Enabled__PORT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Enabled__PORT(S)} S[x] ==> _S_Enabled__PORT(S)[Enabled__PORT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Enabled__PORTInv(S)} S[x] ==> _S_Enabled__PORTInv(S)[Enabled__PORTInv(x)]);
+
+axiom (forall x:int :: {Enabled__PORT(x)} Enabled__PORT(x) == x + 8);
+axiom (forall x:int :: {Enabled__PORTInv(x)} Enabled__PORTInv(x) == x - 8);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 8, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 8, 1) == Enabled__PORTInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 8)} MINUS_LEFT_PTR(x, 1, 8) == Enabled__PORTInv(x));
+function File__DEVICE_EXTENSION(int) returns (int);
+function File__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_File__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_File__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {File__DEVICE_EXTENSIONInv(File__DEVICE_EXTENSION(x))} File__DEVICE_EXTENSIONInv(File__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {File__DEVICE_EXTENSIONInv(x)} File__DEVICE_EXTENSION(File__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_File__DEVICE_EXTENSION(S)[x]} _S_File__DEVICE_EXTENSION(S)[x] <==> S[File__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_File__DEVICE_EXTENSIONInv(S)[x]} _S_File__DEVICE_EXTENSIONInv(S)[x] <==> S[File__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_File__DEVICE_EXTENSION(S)} S[x] ==> _S_File__DEVICE_EXTENSION(S)[File__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_File__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_File__DEVICE_EXTENSIONInv(S)[File__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {File__DEVICE_EXTENSION(x)} File__DEVICE_EXTENSION(x) == x + 280);
+axiom (forall x:int :: {File__DEVICE_EXTENSIONInv(x)} File__DEVICE_EXTENSIONInv(x) == x - 280);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 280, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 280, 1) == File__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 280)} MINUS_LEFT_PTR(x, 1, 280) == File__DEVICE_EXTENSIONInv(x));
+function File__PORT(int) returns (int);
+function File__PORTInv(int) returns (int);
+function _S_File__PORT([int]bool) returns ([int]bool);
+function _S_File__PORTInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {File__PORTInv(File__PORT(x))} File__PORTInv(File__PORT(x)) == x);
+axiom (forall x:int :: {File__PORTInv(x)} File__PORT(File__PORTInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_File__PORT(S)[x]} _S_File__PORT(S)[x] <==> S[File__PORTInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_File__PORTInv(S)[x]} _S_File__PORTInv(S)[x] <==> S[File__PORT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_File__PORT(S)} S[x] ==> _S_File__PORT(S)[File__PORT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_File__PORTInv(S)} S[x] ==> _S_File__PORTInv(S)[File__PORTInv(x)]);
+
+axiom (forall x:int :: {File__PORT(x)} File__PORT(x) == x + 0);
+axiom (forall x:int :: {File__PORTInv(x)} File__PORTInv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == File__PORTInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == File__PORTInv(x));
+function Flink__LIST_ENTRY(int) returns (int);
+function Flink__LIST_ENTRYInv(int) returns (int);
+function _S_Flink__LIST_ENTRY([int]bool) returns ([int]bool);
+function _S_Flink__LIST_ENTRYInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Flink__LIST_ENTRYInv(Flink__LIST_ENTRY(x))} Flink__LIST_ENTRYInv(Flink__LIST_ENTRY(x)) == x);
+axiom (forall x:int :: {Flink__LIST_ENTRYInv(x)} Flink__LIST_ENTRY(Flink__LIST_ENTRYInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Flink__LIST_ENTRY(S)[x]} _S_Flink__LIST_ENTRY(S)[x] <==> S[Flink__LIST_ENTRYInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Flink__LIST_ENTRYInv(S)[x]} _S_Flink__LIST_ENTRYInv(S)[x] <==> S[Flink__LIST_ENTRY(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Flink__LIST_ENTRY(S)} S[x] ==> _S_Flink__LIST_ENTRY(S)[Flink__LIST_ENTRY(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Flink__LIST_ENTRYInv(S)} S[x] ==> _S_Flink__LIST_ENTRYInv(S)[Flink__LIST_ENTRYInv(x)]);
+
+axiom (forall x:int :: {Flink__LIST_ENTRY(x)} Flink__LIST_ENTRY(x) == x + 0);
+axiom (forall x:int :: {Flink__LIST_ENTRYInv(x)} Flink__LIST_ENTRYInv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == Flink__LIST_ENTRYInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == Flink__LIST_ENTRYInv(x));
+function Free__PORT(int) returns (int);
+function Free__PORTInv(int) returns (int);
+function _S_Free__PORT([int]bool) returns ([int]bool);
+function _S_Free__PORTInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Free__PORTInv(Free__PORT(x))} Free__PORTInv(Free__PORT(x)) == x);
+axiom (forall x:int :: {Free__PORTInv(x)} Free__PORT(Free__PORTInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Free__PORT(S)[x]} _S_Free__PORT(S)[x] <==> S[Free__PORTInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Free__PORTInv(S)[x]} _S_Free__PORTInv(S)[x] <==> S[Free__PORT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Free__PORT(S)} S[x] ==> _S_Free__PORT(S)[Free__PORT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Free__PORTInv(S)} S[x] ==> _S_Free__PORTInv(S)[Free__PORTInv(x)]);
+
+axiom (forall x:int :: {Free__PORT(x)} Free__PORT(x) == x + 11);
+axiom (forall x:int :: {Free__PORTInv(x)} Free__PORTInv(x) == x - 11);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 11, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 11, 1) == Free__PORTInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 11)} MINUS_LEFT_PTR(x, 1, 11) == Free__PORTInv(x));
+function GrandMaster__GLOBALS(int) returns (int);
+function GrandMaster__GLOBALSInv(int) returns (int);
+function _S_GrandMaster__GLOBALS([int]bool) returns ([int]bool);
+function _S_GrandMaster__GLOBALSInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {GrandMaster__GLOBALSInv(GrandMaster__GLOBALS(x))} GrandMaster__GLOBALSInv(GrandMaster__GLOBALS(x)) == x);
+axiom (forall x:int :: {GrandMaster__GLOBALSInv(x)} GrandMaster__GLOBALS(GrandMaster__GLOBALSInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_GrandMaster__GLOBALS(S)[x]} _S_GrandMaster__GLOBALS(S)[x] <==> S[GrandMaster__GLOBALSInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_GrandMaster__GLOBALSInv(S)[x]} _S_GrandMaster__GLOBALSInv(S)[x] <==> S[GrandMaster__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_GrandMaster__GLOBALS(S)} S[x] ==> _S_GrandMaster__GLOBALS(S)[GrandMaster__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_GrandMaster__GLOBALSInv(S)} S[x] ==> _S_GrandMaster__GLOBALSInv(S)[GrandMaster__GLOBALSInv(x)]);
+
+axiom (forall x:int :: {GrandMaster__GLOBALS(x)} GrandMaster__GLOBALS(x) == x + 4);
+axiom (forall x:int :: {GrandMaster__GLOBALSInv(x)} GrandMaster__GLOBALSInv(x) == x - 4);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1) == GrandMaster__GLOBALSInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 4)} MINUS_LEFT_PTR(x, 1, 4) == GrandMaster__GLOBALSInv(x));
+function InputData__DEVICE_EXTENSION(int) returns (int);
+function InputData__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_InputData__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_InputData__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {InputData__DEVICE_EXTENSIONInv(InputData__DEVICE_EXTENSION(x))} InputData__DEVICE_EXTENSIONInv(InputData__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {InputData__DEVICE_EXTENSIONInv(x)} InputData__DEVICE_EXTENSION(InputData__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_InputData__DEVICE_EXTENSION(S)[x]} _S_InputData__DEVICE_EXTENSION(S)[x] <==> S[InputData__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_InputData__DEVICE_EXTENSIONInv(S)[x]} _S_InputData__DEVICE_EXTENSIONInv(S)[x] <==> S[InputData__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_InputData__DEVICE_EXTENSION(S)} S[x] ==> _S_InputData__DEVICE_EXTENSION(S)[InputData__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_InputData__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_InputData__DEVICE_EXTENSIONInv(S)[InputData__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {InputData__DEVICE_EXTENSION(x)} InputData__DEVICE_EXTENSION(x) == x + 128);
+axiom (forall x:int :: {InputData__DEVICE_EXTENSIONInv(x)} InputData__DEVICE_EXTENSIONInv(x) == x - 128);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 128, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 128, 1) == InputData__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 128)} MINUS_LEFT_PTR(x, 1, 128) == InputData__DEVICE_EXTENSIONInv(x));
+function LegacyDeviceList__GLOBALS(int) returns (int);
+function LegacyDeviceList__GLOBALSInv(int) returns (int);
+function _S_LegacyDeviceList__GLOBALS([int]bool) returns ([int]bool);
+function _S_LegacyDeviceList__GLOBALSInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {LegacyDeviceList__GLOBALSInv(LegacyDeviceList__GLOBALS(x))} LegacyDeviceList__GLOBALSInv(LegacyDeviceList__GLOBALS(x)) == x);
+axiom (forall x:int :: {LegacyDeviceList__GLOBALSInv(x)} LegacyDeviceList__GLOBALS(LegacyDeviceList__GLOBALSInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_LegacyDeviceList__GLOBALS(S)[x]} _S_LegacyDeviceList__GLOBALS(S)[x] <==> S[LegacyDeviceList__GLOBALSInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_LegacyDeviceList__GLOBALSInv(S)[x]} _S_LegacyDeviceList__GLOBALSInv(S)[x] <==> S[LegacyDeviceList__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_LegacyDeviceList__GLOBALS(S)} S[x] ==> _S_LegacyDeviceList__GLOBALS(S)[LegacyDeviceList__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_LegacyDeviceList__GLOBALSInv(S)} S[x] ==> _S_LegacyDeviceList__GLOBALSInv(S)[LegacyDeviceList__GLOBALSInv(x)]);
+
+axiom (forall x:int :: {LegacyDeviceList__GLOBALS(x)} LegacyDeviceList__GLOBALS(x) == x + 888);
+axiom (forall x:int :: {LegacyDeviceList__GLOBALSInv(x)} LegacyDeviceList__GLOBALSInv(x) == x - 888);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 888, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 888, 1) == LegacyDeviceList__GLOBALSInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 888)} MINUS_LEFT_PTR(x, 1, 888) == LegacyDeviceList__GLOBALSInv(x));
+function Link__DEVICE_EXTENSION(int) returns (int);
+function Link__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_Link__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_Link__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Link__DEVICE_EXTENSIONInv(Link__DEVICE_EXTENSION(x))} Link__DEVICE_EXTENSIONInv(Link__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {Link__DEVICE_EXTENSIONInv(x)} Link__DEVICE_EXTENSION(Link__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Link__DEVICE_EXTENSION(S)[x]} _S_Link__DEVICE_EXTENSION(S)[x] <==> S[Link__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Link__DEVICE_EXTENSIONInv(S)[x]} _S_Link__DEVICE_EXTENSIONInv(S)[x] <==> S[Link__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Link__DEVICE_EXTENSION(S)} S[x] ==> _S_Link__DEVICE_EXTENSION(S)[Link__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Link__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_Link__DEVICE_EXTENSIONInv(S)[Link__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {Link__DEVICE_EXTENSION(x)} Link__DEVICE_EXTENSION(x) == x + 272);
+axiom (forall x:int :: {Link__DEVICE_EXTENSIONInv(x)} Link__DEVICE_EXTENSIONInv(x) == x - 272);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 272, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 272, 1) == Link__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 272)} MINUS_LEFT_PTR(x, 1, 272) == Link__DEVICE_EXTENSIONInv(x));
+function NumAssocClass__GLOBALS(int) returns (int);
+function NumAssocClass__GLOBALSInv(int) returns (int);
+function _S_NumAssocClass__GLOBALS([int]bool) returns ([int]bool);
+function _S_NumAssocClass__GLOBALSInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {NumAssocClass__GLOBALSInv(NumAssocClass__GLOBALS(x))} NumAssocClass__GLOBALSInv(NumAssocClass__GLOBALS(x)) == x);
+axiom (forall x:int :: {NumAssocClass__GLOBALSInv(x)} NumAssocClass__GLOBALS(NumAssocClass__GLOBALSInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_NumAssocClass__GLOBALS(S)[x]} _S_NumAssocClass__GLOBALS(S)[x] <==> S[NumAssocClass__GLOBALSInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_NumAssocClass__GLOBALSInv(S)[x]} _S_NumAssocClass__GLOBALSInv(S)[x] <==> S[NumAssocClass__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_NumAssocClass__GLOBALS(S)} S[x] ==> _S_NumAssocClass__GLOBALS(S)[NumAssocClass__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_NumAssocClass__GLOBALSInv(S)} S[x] ==> _S_NumAssocClass__GLOBALSInv(S)[NumAssocClass__GLOBALSInv(x)]);
+
+axiom (forall x:int :: {NumAssocClass__GLOBALS(x)} NumAssocClass__GLOBALS(x) == x + 12);
+axiom (forall x:int :: {NumAssocClass__GLOBALSInv(x)} NumAssocClass__GLOBALSInv(x) == x - 12);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 12, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 12, 1) == NumAssocClass__GLOBALSInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 12)} MINUS_LEFT_PTR(x, 1, 12) == NumAssocClass__GLOBALSInv(x));
+function PnP__DEVICE_EXTENSION(int) returns (int);
+function PnP__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_PnP__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_PnP__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {PnP__DEVICE_EXTENSIONInv(PnP__DEVICE_EXTENSION(x))} PnP__DEVICE_EXTENSIONInv(PnP__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {PnP__DEVICE_EXTENSIONInv(x)} PnP__DEVICE_EXTENSION(PnP__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_PnP__DEVICE_EXTENSION(S)[x]} _S_PnP__DEVICE_EXTENSION(S)[x] <==> S[PnP__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_PnP__DEVICE_EXTENSIONInv(S)[x]} _S_PnP__DEVICE_EXTENSIONInv(S)[x] <==> S[PnP__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_PnP__DEVICE_EXTENSION(S)} S[x] ==> _S_PnP__DEVICE_EXTENSION(S)[PnP__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_PnP__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_PnP__DEVICE_EXTENSIONInv(S)[PnP__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {PnP__DEVICE_EXTENSION(x)} PnP__DEVICE_EXTENSION(x) == x + 104);
+axiom (forall x:int :: {PnP__DEVICE_EXTENSIONInv(x)} PnP__DEVICE_EXTENSIONInv(x) == x - 104);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 104, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 104, 1) == PnP__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 104)} MINUS_LEFT_PTR(x, 1, 104) == PnP__DEVICE_EXTENSIONInv(x));
+function Port__PORT(int) returns (int);
+function Port__PORTInv(int) returns (int);
+function _S_Port__PORT([int]bool) returns ([int]bool);
+function _S_Port__PORTInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Port__PORTInv(Port__PORT(x))} Port__PORTInv(Port__PORT(x)) == x);
+axiom (forall x:int :: {Port__PORTInv(x)} Port__PORT(Port__PORTInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Port__PORT(S)[x]} _S_Port__PORT(S)[x] <==> S[Port__PORTInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Port__PORTInv(S)[x]} _S_Port__PORTInv(S)[x] <==> S[Port__PORT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Port__PORT(S)} S[x] ==> _S_Port__PORT(S)[Port__PORT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Port__PORTInv(S)} S[x] ==> _S_Port__PORTInv(S)[Port__PORTInv(x)]);
+
+axiom (forall x:int :: {Port__PORT(x)} Port__PORT(x) == x + 4);
+axiom (forall x:int :: {Port__PORTInv(x)} Port__PORTInv(x) == x - 4);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1) == Port__PORTInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 4)} MINUS_LEFT_PTR(x, 1, 4) == Port__PORTInv(x));
+function RegistryPath__GLOBALS(int) returns (int);
+function RegistryPath__GLOBALSInv(int) returns (int);
+function _S_RegistryPath__GLOBALS([int]bool) returns ([int]bool);
+function _S_RegistryPath__GLOBALSInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {RegistryPath__GLOBALSInv(RegistryPath__GLOBALS(x))} RegistryPath__GLOBALSInv(RegistryPath__GLOBALS(x)) == x);
+axiom (forall x:int :: {RegistryPath__GLOBALSInv(x)} RegistryPath__GLOBALS(RegistryPath__GLOBALSInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_RegistryPath__GLOBALS(S)[x]} _S_RegistryPath__GLOBALS(S)[x] <==> S[RegistryPath__GLOBALSInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_RegistryPath__GLOBALSInv(S)[x]} _S_RegistryPath__GLOBALSInv(S)[x] <==> S[RegistryPath__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_RegistryPath__GLOBALS(S)} S[x] ==> _S_RegistryPath__GLOBALS(S)[RegistryPath__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_RegistryPath__GLOBALSInv(S)} S[x] ==> _S_RegistryPath__GLOBALSInv(S)[RegistryPath__GLOBALSInv(x)]);
+
+axiom (forall x:int :: {RegistryPath__GLOBALS(x)} RegistryPath__GLOBALS(x) == x + 360);
+axiom (forall x:int :: {RegistryPath__GLOBALSInv(x)} RegistryPath__GLOBALSInv(x) == x - 360);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 360, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 360, 1) == RegistryPath__GLOBALSInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 360)} MINUS_LEFT_PTR(x, 1, 360) == RegistryPath__GLOBALSInv(x));
+function Self__DEVICE_EXTENSION(int) returns (int);
+function Self__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_Self__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_Self__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Self__DEVICE_EXTENSIONInv(Self__DEVICE_EXTENSION(x))} Self__DEVICE_EXTENSIONInv(Self__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {Self__DEVICE_EXTENSIONInv(x)} Self__DEVICE_EXTENSION(Self__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Self__DEVICE_EXTENSION(S)[x]} _S_Self__DEVICE_EXTENSION(S)[x] <==> S[Self__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Self__DEVICE_EXTENSIONInv(S)[x]} _S_Self__DEVICE_EXTENSIONInv(S)[x] <==> S[Self__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Self__DEVICE_EXTENSION(S)} S[x] ==> _S_Self__DEVICE_EXTENSION(S)[Self__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Self__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_Self__DEVICE_EXTENSIONInv(S)[Self__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {Self__DEVICE_EXTENSION(x)} Self__DEVICE_EXTENSION(x) == x + 0);
+axiom (forall x:int :: {Self__DEVICE_EXTENSIONInv(x)} Self__DEVICE_EXTENSIONInv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == Self__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == Self__DEVICE_EXTENSIONInv(x));
+function StackSize__DEVICE_OBJECT(int) returns (int);
+function StackSize__DEVICE_OBJECTInv(int) returns (int);
+function _S_StackSize__DEVICE_OBJECT([int]bool) returns ([int]bool);
+function _S_StackSize__DEVICE_OBJECTInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {StackSize__DEVICE_OBJECTInv(StackSize__DEVICE_OBJECT(x))} StackSize__DEVICE_OBJECTInv(StackSize__DEVICE_OBJECT(x)) == x);
+axiom (forall x:int :: {StackSize__DEVICE_OBJECTInv(x)} StackSize__DEVICE_OBJECT(StackSize__DEVICE_OBJECTInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_StackSize__DEVICE_OBJECT(S)[x]} _S_StackSize__DEVICE_OBJECT(S)[x] <==> S[StackSize__DEVICE_OBJECTInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_StackSize__DEVICE_OBJECTInv(S)[x]} _S_StackSize__DEVICE_OBJECTInv(S)[x] <==> S[StackSize__DEVICE_OBJECT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_StackSize__DEVICE_OBJECT(S)} S[x] ==> _S_StackSize__DEVICE_OBJECT(S)[StackSize__DEVICE_OBJECT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_StackSize__DEVICE_OBJECTInv(S)} S[x] ==> _S_StackSize__DEVICE_OBJECTInv(S)[StackSize__DEVICE_OBJECTInv(x)]);
+
+axiom (forall x:int :: {StackSize__DEVICE_OBJECT(x)} StackSize__DEVICE_OBJECT(x) == x + 48);
+axiom (forall x:int :: {StackSize__DEVICE_OBJECTInv(x)} StackSize__DEVICE_OBJECTInv(x) == x - 48);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 48, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 48, 1) == StackSize__DEVICE_OBJECTInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 48)} MINUS_LEFT_PTR(x, 1, 48) == StackSize__DEVICE_OBJECTInv(x));
+function Started__DEVICE_EXTENSION(int) returns (int);
+function Started__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_Started__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_Started__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Started__DEVICE_EXTENSIONInv(Started__DEVICE_EXTENSION(x))} Started__DEVICE_EXTENSIONInv(Started__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {Started__DEVICE_EXTENSIONInv(x)} Started__DEVICE_EXTENSION(Started__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Started__DEVICE_EXTENSION(S)[x]} _S_Started__DEVICE_EXTENSION(S)[x] <==> S[Started__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Started__DEVICE_EXTENSIONInv(S)[x]} _S_Started__DEVICE_EXTENSIONInv(S)[x] <==> S[Started__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Started__DEVICE_EXTENSION(S)} S[x] ==> _S_Started__DEVICE_EXTENSION(S)[Started__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Started__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_Started__DEVICE_EXTENSIONInv(S)[Started__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {Started__DEVICE_EXTENSION(x)} Started__DEVICE_EXTENSION(x) == x + 105);
+axiom (forall x:int :: {Started__DEVICE_EXTENSIONInv(x)} Started__DEVICE_EXTENSIONInv(x) == x - 105);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 105, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 105, 1) == Started__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 105)} MINUS_LEFT_PTR(x, 1, 105) == Started__DEVICE_EXTENSIONInv(x));
+function TopPort__DEVICE_EXTENSION(int) returns (int);
+function TopPort__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_TopPort__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_TopPort__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {TopPort__DEVICE_EXTENSIONInv(TopPort__DEVICE_EXTENSION(x))} TopPort__DEVICE_EXTENSIONInv(TopPort__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {TopPort__DEVICE_EXTENSIONInv(x)} TopPort__DEVICE_EXTENSION(TopPort__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_TopPort__DEVICE_EXTENSION(S)[x]} _S_TopPort__DEVICE_EXTENSION(S)[x] <==> S[TopPort__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_TopPort__DEVICE_EXTENSIONInv(S)[x]} _S_TopPort__DEVICE_EXTENSIONInv(S)[x] <==> S[TopPort__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_TopPort__DEVICE_EXTENSION(S)} S[x] ==> _S_TopPort__DEVICE_EXTENSION(S)[TopPort__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_TopPort__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_TopPort__DEVICE_EXTENSIONInv(S)[TopPort__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {TopPort__DEVICE_EXTENSION(x)} TopPort__DEVICE_EXTENSION(x) == x + 8);
+axiom (forall x:int :: {TopPort__DEVICE_EXTENSIONInv(x)} TopPort__DEVICE_EXTENSIONInv(x) == x - 8);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 8, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 8, 1) == TopPort__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 8)} MINUS_LEFT_PTR(x, 1, 8) == TopPort__DEVICE_EXTENSIONInv(x));
+function UnitId__DEVICE_EXTENSION(int) returns (int);
+function UnitId__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_UnitId__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_UnitId__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {UnitId__DEVICE_EXTENSIONInv(UnitId__DEVICE_EXTENSION(x))} UnitId__DEVICE_EXTENSIONInv(UnitId__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {UnitId__DEVICE_EXTENSIONInv(x)} UnitId__DEVICE_EXTENSION(UnitId__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_UnitId__DEVICE_EXTENSION(S)[x]} _S_UnitId__DEVICE_EXTENSION(S)[x] <==> S[UnitId__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_UnitId__DEVICE_EXTENSIONInv(S)[x]} _S_UnitId__DEVICE_EXTENSIONInv(S)[x] <==> S[UnitId__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_UnitId__DEVICE_EXTENSION(S)} S[x] ==> _S_UnitId__DEVICE_EXTENSION(S)[UnitId__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_UnitId__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_UnitId__DEVICE_EXTENSIONInv(S)[UnitId__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {UnitId__DEVICE_EXTENSION(x)} UnitId__DEVICE_EXTENSION(x) == x + 196);
+axiom (forall x:int :: {UnitId__DEVICE_EXTENSIONInv(x)} UnitId__DEVICE_EXTENSIONInv(x) == x - 196);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 196, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 196, 1) == UnitId__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 196)} MINUS_LEFT_PTR(x, 1, 196) == UnitId__DEVICE_EXTENSIONInv(x));
+function MINUS_BOTH_PTR_OR_BOTH_INT(a:int, b:int, size:int) returns (int);
+axiom (forall a:int, b:int, size:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(a,b,size)}
+size * MINUS_BOTH_PTR_OR_BOTH_INT(a,b,size) <= a - b && a - b < size * (MINUS_BOTH_PTR_OR_BOTH_INT(a,b,size) + 1));
+
+function MINUS_LEFT_PTR(a:int, a_size:int, b:int) returns (int);
+axiom(forall a:int, a_size:int, b:int :: {MINUS_LEFT_PTR(a,a_size,b)} MINUS_LEFT_PTR(a,a_size,b) == a - a_size * b);
+
+function PLUS(a:int, a_size:int, b:int) returns (int);
+axiom (forall a:int, a_size:int, b:int :: {PLUS(a,a_size,b)} PLUS(a,a_size,b) == a + a_size * b);
+
+function MULT(a:int, b:int) returns (int); // a*b
+axiom(forall a:int, b:int :: {MULT(a,b)} MULT(a,b) == a * b);
+
+function DIV(a:int, b:int) returns (int); // a/b
+
+axiom(forall a:int, b:int :: {DIV(a,b)}
+a >= 0 && b > 0 ==> b * DIV(a,b) <= a && a < b * (DIV(a,b) + 1)
+);
+
+axiom(forall a:int, b:int :: {DIV(a,b)}
+a >= 0 && b < 0 ==> b * DIV(a,b) <= a && a < b * (DIV(a,b) - 1)
+);
+
+axiom(forall a:int, b:int :: {DIV(a,b)}
+a < 0 && b > 0 ==> b * DIV(a,b) >= a && a > b * (DIV(a,b) - 1)
+);
+
+axiom(forall a:int, b:int :: {DIV(a,b)}
+a < 0 && b < 0 ==> b * DIV(a,b) >= a && a > b * (DIV(a,b) + 1)
+);
+
+function BINARY_BOTH_INT(a:int, b:int) returns (int);
+
+function POW2(a:int) returns (bool);
+axiom POW2(1);
+axiom POW2(2);
+axiom POW2(4);
+axiom POW2(8);
+axiom POW2(16);
+axiom POW2(32);
+axiom POW2(64);
+axiom POW2(128);
+axiom POW2(256);
+axiom POW2(512);
+axiom POW2(1024);
+axiom POW2(2048);
+axiom POW2(4096);
+axiom POW2(8192);
+axiom POW2(16384);
+axiom POW2(32768);
+axiom POW2(65536);
+axiom POW2(131072);
+axiom POW2(262144);
+axiom POW2(524288);
+axiom POW2(1048576);
+axiom POW2(2097152);
+axiom POW2(4194304);
+axiom POW2(8388608);
+axiom POW2(16777216);
+axiom POW2(33554432);
+
+function choose(a:bool, b:int, c:int) returns (x:int);
+axiom(forall a:bool, b:int, c:int :: {choose(a,b,c)} a ==> choose(a,b,c) == b);
+axiom(forall a:bool, b:int, c:int :: {choose(a,b,c)} !a ==> choose(a,b,c) == c);
+
+function BIT_BAND(a:int, b:int) returns (x:int);
+axiom(forall a:int, b:int :: {BIT_BAND(a,b)} a == b ==> BIT_BAND(a,b) == a);
+axiom(forall a:int, b:int :: {BIT_BAND(a,b)} POW2(a) && POW2(b) && a != b ==> BIT_BAND(a,b) == 0);
+axiom(forall a:int, b:int :: {BIT_BAND(a,b)} a == 0 || b == 0 ==> BIT_BAND(a,b) == 0);
+
+function BIT_BOR(a:int, b:int) returns (x:int);
+
+function BIT_BXOR(a:int, b:int) returns (x:int);
+
+function BIT_BNOT(a:int) returns (int);
+
+function LIFT(a:bool) returns (int);
+axiom(forall a:bool :: {LIFT(a)} a <==> LIFT(a) != 0);
+
+function NOT(a:int) returns (int);
+axiom(forall a:int :: {NOT(a)} a == 0 ==> NOT(a) != 0);
+axiom(forall a:int :: {NOT(a)} a != 0 ==> NOT(a) == 0);
+
+function NULL_CHECK(a:int) returns (int);
+axiom(forall a:int :: {NULL_CHECK(a)} a == 0 ==> NULL_CHECK(a) != 0);
+axiom(forall a:int :: {NULL_CHECK(a)} a != 0 ==> NULL_CHECK(a) == 0);
+
+
+
+
+procedure havoc_assert(i:int);
+requires (i != 0);
+
+procedure havoc_assume(i:int);
+ensures (i != 0);
+
+procedure __HAVOC_free(a:int);
+modifies alloc;
+ensures (forall x:int :: {alloc[x]} x == a || old(alloc)[x] == alloc[x]);
+ensures (alloc[a] == FREED);
+// Additional checks guarded by tranlator flags
+// requires alloc[a] == ALLOCATED;
+// requires Base(a) == a;
+
+procedure __HAVOC_malloc(obj_size:int) returns (new:int);
+requires obj_size >= 0;
+modifies alloc;
+ensures (new > 0);
+ensures (forall x:int :: {Base(x)} new <= x && x < new+obj_size ==> Base(x) == new);
+ensures (forall x:int :: {alloc[x]} x == new || old(alloc)[x] == alloc[x]);
+ensures old(alloc)[new] == UNALLOCATED && alloc[new] == ALLOCATED;
+
+procedure nondet_choice() returns (x:int);
+
+procedure _strdup(str:int) returns (new:int);
+
+procedure _xstrcasecmp(a0:int, a1:int) returns (ret:int);
+
+procedure _xstrcmp(a0:int, a1:int) returns (ret:int);
+
+var Res_DEVICE_STACK:[int]int;
+var Res_DEV_EXTN:[int]int;
+var Res_DEV_OBJ_INIT:[int]int;
+var Res_SPIN_LOCK:[int]int;
+
+
+
+////////////////////
+// Between predicate
+////////////////////
+function ReachBetween(f: [int]int, x: int, y: int, z: int) returns (bool);
+function ReachAvoiding(f: [int]int, x: int, y: int, z: int) returns (bool);
+
+
+//////////////////////////
+// Between set constructor
+//////////////////////////
+function ReachBetweenSet(f: [int]int, x: int, z: int) returns ([int]bool);
+
+////////////////////////////////////////////////////
+// axioms relating ReachBetween and ReachBetweenSet
+////////////////////////////////////////////////////
+axiom(forall f: [int]int, x: int, y: int, z: int :: {ReachBetweenSet(f, x, z)[y]} ReachBetweenSet(f, x, z)[y] <==> ReachBetween(f, x, y, z));
+axiom(forall f: [int]int, x: int, y: int, z: int :: {ReachBetween(f, x, y, z), ReachBetweenSet(f, x, z)} ReachBetween(f, x, y, z) ==> ReachBetweenSet(f, x, z)[y]);
+axiom(forall f: [int]int, x: int, z: int :: {ReachBetweenSet(f, x, z)} ReachBetween(f, x, x, x));
+
+
+//////////////////////////
+// Axioms for ReachBetween
+//////////////////////////
+
+// reflexive
+axiom(forall f: [int]int, x: int :: ReachBetween(f, x, x, x));
+
+// step
+//axiom(forall f: [int]int, x: int :: {f[x]} ReachBetween(f, x, f[x], f[x]));
+axiom(forall f: [int]int, x: int, y: int, z: int, w:int :: {ReachBetween(f, y, z, w), f[x]} ReachBetween(f, x, f[x], f[x]));
+
+// reach
+axiom(forall f: [int]int, x: int, y: int :: {f[x], ReachBetween(f, x, y, y)} ReachBetween(f, x, y, y) ==> x == y || ReachBetween(f, x, f[x], y));
+
+// cycle
+axiom(forall f: [int]int, x: int, y:int :: {f[x], ReachBetween(f, x, y, y)} f[x] == x && ReachBetween(f, x, y, y) ==> x == y);
+
+// sandwich
+axiom(forall f: [int]int, x: int, y: int :: {ReachBetween(f, x, y, x)} ReachBetween(f, x, y, x) ==> x == y);
+
+// order1
+axiom(forall f: [int]int, x: int, y: int, z: int :: {ReachBetween(f, x, y, y), ReachBetween(f, x, z, z)} ReachBetween(f, x, y, y) && ReachBetween(f, x, z, z) ==> ReachBetween(f, x, y, z) || ReachBetween(f, x, z, y));
+
+// order2
+axiom(forall f: [int]int, x: int, y: int, z: int :: {ReachBetween(f, x, y, z)} ReachBetween(f, x, y, z) ==> ReachBetween(f, x, y, y) && ReachBetween(f, y, z, z));
+
+// transitive1
+axiom(forall f: [int]int, x: int, y: int, z: int :: {ReachBetween(f, x, y, y), ReachBetween(f, y, z, z)} ReachBetween(f, x, y, y) && ReachBetween(f, y, z, z) ==> ReachBetween(f, x, z, z));
+
+// transitive2
+axiom(forall f: [int]int, x: int, y: int, z: int, w: int :: {ReachBetween(f, x, y, z), ReachBetween(f, y, w, z)} ReachBetween(f, x, y, z) && ReachBetween(f, y, w, z) ==> ReachBetween(f, x, y, w) && ReachBetween(f, x, w, z));
+
+// transitive3
+axiom(forall f: [int]int, x: int, y: int, z: int, w: int :: {ReachBetween(f, x, y, z), ReachBetween(f, x, w, y)} ReachBetween(f, x, y, z) && ReachBetween(f, x, w, y) ==> ReachBetween(f, x, w, z) && ReachBetween(f, w, y, z));
+
+// This axiom is required to deal with the incompleteness of the trigger for the reflexive axiom.
+// It cannot be proved using the rest of the axioms.
+axiom(forall f: [int]int, u:int, x: int :: {ReachBetween(f, u, x, x)} ReachBetween(f, u, x, x) ==> ReachBetween(f, u, u, x));
+
+// relation between ReachAvoiding and ReachBetween
+axiom(forall f: [int]int, x: int, y: int, z: int :: {ReachAvoiding(f, x, y, z)}{ReachBetween(f, x, y, z)} ReachAvoiding(f, x, y, z) <==> (ReachBetween(f, x, y, z) || (ReachBetween(f, x, y, y) && !ReachBetween(f, x, z, z))));
+
+// update
+axiom(forall f: [int]int, u: int, v: int, x: int, p: int, q: int :: {ReachAvoiding(f[p := q], u, v, x)} ReachAvoiding(f[p := q], u, v, x) <==> ((ReachAvoiding(f, u, v, p) && ReachAvoiding(f, u, v, x)) || (ReachAvoiding(f, u, p, x) && p != x && ReachAvoiding(f, q, v, p) && ReachAvoiding(f, q, v, x))));
+ ///////////////////////////////
+ // Shifts for linking fields
+ ///////////////////////////////
+function Shift_Flink__LIST_ENTRY(f: [int]int) returns ([int]int);
+axiom( forall f: [int]int, __x:int :: {f[Flink__LIST_ENTRY(__x)],Shift_Flink__LIST_ENTRY(f)} {Shift_Flink__LIST_ENTRY(f)[__x]} Shift_Flink__LIST_ENTRY(f)[__x] == f[Flink__LIST_ENTRY(__x)]);
+axiom(forall f: [int]int, __x:int, __v:int :: {Shift_Flink__LIST_ENTRY(f[Flink__LIST_ENTRY(__x) := __v])} Shift_Flink__LIST_ENTRY(f[Flink__LIST_ENTRY(__x) := __v]) == Shift_Flink__LIST_ENTRY(f)[__x := __v]);
+
+const unique Globals : int;
+axiom(Globals != 0);
+
+
+procedure ExFreePoolWithTag($P$1$14901.35$ExFreePoolWithTag$81:int, $Tag$2$14902.15$ExFreePoolWithTag$81:int);
+
+//TAG: ensures __preserves_mem
+ensures(Mem == old(Mem));
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+ensures((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN)));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_f19b65c1] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure IoAllocateIrp($StackSize$1$20453.15$IoAllocateIrp$81:int, $ChargeQuota$2$20454.17$IoAllocateIrp$81:int) returns ($result.IoAllocateIrp$20452.0$1$:int);
+
+//TAG: ensures __preserves_mem
+ensures(Mem == old(Mem));
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+ensures((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN)));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_f19b65c1] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure IoDeleteDevice($DeviceObject$1$21328.67$IoDeleteDevice$41:int);
+
+//TAG: ensures __preserves_mem
+ensures(Mem == old(Mem));
+//TAG: requires 1 ==> __resource("DEV_OBJ_INIT", DeviceObject) == 1 && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)DeviceObject)->DeviceExtension)) == 1
+requires((true) ==> ((Res_DEV_OBJ_INIT[$DeviceObject$1$21328.67$IoDeleteDevice$41] == 1) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT($DeviceObject$1$21328.67$IoDeleteDevice$41)]] == 1)));
+//TAG: ensures 1 ==> __resource("DEV_OBJ_INIT", DeviceObject) == 0 && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)DeviceObject)->DeviceExtension)) == 0
+ensures((true) ==> ((Res_DEV_OBJ_INIT[$DeviceObject$1$21328.67$IoDeleteDevice$41] == 0) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT($DeviceObject$1$21328.67$IoDeleteDevice$41)]] == 0)));
+//TAG: ensures 1 ==> __updates_resource("DEV_OBJ_INIT", DeviceObject, 0) && __updates_resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)DeviceObject)->DeviceExtension), 0)
+ensures((true) ==> ((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)[$DeviceObject$1$21328.67$IoDeleteDevice$41 := 0]) && (Res_DEV_EXTN == old(Res_DEV_EXTN)[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT($DeviceObject$1$21328.67$IoDeleteDevice$41)] := 0])));
+//TAG: ensures !1 ==> __resource("DEV_OBJ_INIT", DeviceObject) == __old_resource("DEV_OBJ_INIT", DeviceObject) && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)DeviceObject)->DeviceExtension)) == __old_resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)DeviceObject)->DeviceExtension))
+ensures((!(true)) ==> ((Res_DEV_OBJ_INIT[$DeviceObject$1$21328.67$IoDeleteDevice$41] == old(Res_DEV_OBJ_INIT)[$DeviceObject$1$21328.67$IoDeleteDevice$41]) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT($DeviceObject$1$21328.67$IoDeleteDevice$41)]] == old(Res_DEV_EXTN)[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT($DeviceObject$1$21328.67$IoDeleteDevice$41)]])));
+//TAG: ensures !1 ==> __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+free ensures((!(true)) ==> ((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN))));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)DeviceObject)->DeviceExtension)
+ensures (Subset(Empty(), Union(Union(Empty(), Empty()), Singleton(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT($DeviceObject$1$21328.67$IoDeleteDevice$41)]))) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT($DeviceObject$1$21328.67$IoDeleteDevice$41)] == r) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty, DeviceObject
+ensures (Subset(Empty(), Union(Union(Empty(), Empty()), Singleton($DeviceObject$1$21328.67$IoDeleteDevice$41))) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || ($DeviceObject$1$21328.67$IoDeleteDevice$41 == r) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_f19b65c1] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure IoFreeIrp($Irp$1$21417.14$IoFreeIrp$41:int);
+
+//TAG: ensures __preserves_mem
+ensures(Mem == old(Mem));
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+ensures((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN)));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_f19b65c1] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure KbdEnableDisablePort($EnableFlag$1$543.15$KbdEnableDisablePort$161:int, $Irp$2$544.15$KbdEnableDisablePort$161:int, $Port$3$545.25$KbdEnableDisablePort$161:int, $File$4$546.22$KbdEnableDisablePort$161:int) returns ($result.KbdEnableDisablePort$542.0$1$:int);
+
+//TAG: requires __pforall(_H_x, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension), __inv_resource("DEV_OBJ_INIT", 1), ((struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension))->Self == _H_x && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension)) == 1)
+requires((forall _H_x:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]} Inverse(Res_DEV_OBJ_INIT,1)[_H_x] ==> ((Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)])] == _H_x) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]] == 1))));
+//TAG: requires __pforall(_H_z, _H_z->Self, __inv_resource("DEV_EXTN", 1), __resource("DEV_OBJ_INIT", _H_z->Self) == 1 && (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(_H_z->Self))->DeviceExtension) == _H_z)
+requires((forall _H_z:int :: {Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]} Inverse(Res_DEV_EXTN,1)[_H_z] ==> ((Res_DEV_OBJ_INIT[Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]] == 1) && (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)])] == _H_z))));
+//TAG: requires __forall(_H_z, __inv_resource("DEV_EXTN", 1), 1)
+requires((Subset(Empty(), Inverse(Res_DEV_EXTN,1)) && (forall _H_z : int :: {Inverse(Res_DEV_EXTN,1)[_H_z]} (Inverse(Res_DEV_EXTN,1)[_H_z]) ==> (true))));
+//TAG: requires 1 ==> (Globals.GrandMaster != (void *)0 ==> __resource("DEV_EXTN", Globals.GrandMaster) == 1)
+requires((true) ==> ((Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] != 0) ==> (Res_DEV_EXTN[Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)]] == 1)));
+//TAG: requires 1 ==> __setin(&Globals.LegacyDeviceList, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList))
+requires((true) ==> (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[LegacyDeviceList__GLOBALS(Globals)]));
+//TAG: requires 1 ==> __forall(_H_y, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), _H_y == &Globals.LegacyDeviceList || __resource("DEV_EXTN", CONTAINING_RECORD(_H_y, struct _DEVICE_EXTENSION , Link)) == 1)
+requires((true) ==> ((Subset(Empty(), ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))) && (forall _H_y : int :: {ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]} (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]) ==> ((_H_y == LegacyDeviceList__GLOBALS(Globals)) || (Res_DEV_EXTN[MINUS_LEFT_PTR(_H_y, 1, Link__DEVICE_EXTENSION(0))] == 1))))));
+//TAG: requires 1 ==> !__setin(&Globals.GrandMaster->Link, __setminus(__btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), __set(&Globals.LegacyDeviceList)))
+requires((true) ==> (!(Difference(ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals)), Singleton(LegacyDeviceList__GLOBALS(Globals)))[Link__DEVICE_EXTENSION(Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)])])));
+//TAG: ensures __pforall(_H_x, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension), __inv_resource("DEV_OBJ_INIT", 1), ((struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension))->Self == _H_x && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension)) == 1)
+ensures((forall _H_x:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]} Inverse(Res_DEV_OBJ_INIT,1)[_H_x] ==> ((Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)])] == _H_x) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]] == 1))));
+//TAG: ensures __pforall(_H_z, _H_z->Self, __inv_resource("DEV_EXTN", 1), __resource("DEV_OBJ_INIT", _H_z->Self) == 1 && (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(_H_z->Self))->DeviceExtension) == _H_z)
+ensures((forall _H_z:int :: {Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]} Inverse(Res_DEV_EXTN,1)[_H_z] ==> ((Res_DEV_OBJ_INIT[Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]] == 1) && (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)])] == _H_z))));
+//TAG: ensures __forall(_H_z, __inv_resource("DEV_EXTN", 1), 1)
+ensures((Subset(Empty(), Inverse(Res_DEV_EXTN,1)) && (forall _H_z : int :: {Inverse(Res_DEV_EXTN,1)[_H_z]} (Inverse(Res_DEV_EXTN,1)[_H_z]) ==> (true))));
+//TAG: ensures 1 ==> (Globals.GrandMaster != (void *)0 ==> __resource("DEV_EXTN", Globals.GrandMaster) == 1)
+ensures((true) ==> ((Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] != 0) ==> (Res_DEV_EXTN[Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)]] == 1)));
+//TAG: ensures 1 ==> __setin(&Globals.LegacyDeviceList, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList))
+ensures((true) ==> (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[LegacyDeviceList__GLOBALS(Globals)]));
+//TAG: ensures 1 ==> __forall(_H_y, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), _H_y == &Globals.LegacyDeviceList || __resource("DEV_EXTN", CONTAINING_RECORD(_H_y, struct _DEVICE_EXTENSION , Link)) == 1)
+ensures((true) ==> ((Subset(Empty(), ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))) && (forall _H_y : int :: {ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]} (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]) ==> ((_H_y == LegacyDeviceList__GLOBALS(Globals)) || (Res_DEV_EXTN[MINUS_LEFT_PTR(_H_y, 1, Link__DEVICE_EXTENSION(0))] == 1))))));
+//TAG: ensures 1 ==> !__setin(&Globals.GrandMaster->Link, __setminus(__btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), __set(&Globals.LegacyDeviceList)))
+ensures((true) ==> (!(Difference(ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals)), Singleton(LegacyDeviceList__GLOBALS(Globals)))[Link__DEVICE_EXTENSION(Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)])])));
+//TAG: ensures __preserves_field_map(__offset((*((struct _LIST_ENTRY *)0)).Flink))
+ensures(Mem[T.Flink__LIST_ENTRY] == old(Mem)[T.Flink__LIST_ENTRY]);
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT")
+ensures(Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT));
+//TAG: ensures __preserves_resource("DEV_EXTN")
+ensures(Res_DEV_EXTN == old(Res_DEV_EXTN));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_f19b65c1] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure KeyboardClassCleanupQueue($DeviceObject$1$1080.28$KeyboardClassCleanupQueue$121:int, $DeviceExtension$2$1081.28$KeyboardClassCleanupQueue$121:int, $FileObject$3$1082.28$KeyboardClassCleanupQueue$121:int);
+
+//TAG: requires __resource("DEV_EXTN", DeviceExtension) == 1
+requires(Res_DEV_EXTN[$DeviceExtension$2$1081.28$KeyboardClassCleanupQueue$121] == 1);
+//TAG: requires __pforall(_H_x, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension), __inv_resource("DEV_OBJ_INIT", 1), ((struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension))->Self == _H_x && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension)) == 1)
+requires((forall _H_x:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]} Inverse(Res_DEV_OBJ_INIT,1)[_H_x] ==> ((Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)])] == _H_x) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]] == 1))));
+//TAG: requires __pforall(_H_z, _H_z->Self, __inv_resource("DEV_EXTN", 1), __resource("DEV_OBJ_INIT", _H_z->Self) == 1 && (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(_H_z->Self))->DeviceExtension) == _H_z)
+requires((forall _H_z:int :: {Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]} Inverse(Res_DEV_EXTN,1)[_H_z] ==> ((Res_DEV_OBJ_INIT[Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]] == 1) && (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)])] == _H_z))));
+//TAG: requires __forall(_H_z, __inv_resource("DEV_EXTN", 1), 1)
+requires((Subset(Empty(), Inverse(Res_DEV_EXTN,1)) && (forall _H_z : int :: {Inverse(Res_DEV_EXTN,1)[_H_z]} (Inverse(Res_DEV_EXTN,1)[_H_z]) ==> (true))));
+//TAG: requires 1 ==> (Globals.GrandMaster != (void *)0 ==> __resource("DEV_EXTN", Globals.GrandMaster) == 1)
+requires((true) ==> ((Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] != 0) ==> (Res_DEV_EXTN[Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)]] == 1)));
+//TAG: requires 1 ==> __setin(&Globals.LegacyDeviceList, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList))
+requires((true) ==> (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[LegacyDeviceList__GLOBALS(Globals)]));
+//TAG: requires 1 ==> __forall(_H_y, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), _H_y == &Globals.LegacyDeviceList || __resource("DEV_EXTN", CONTAINING_RECORD(_H_y, struct _DEVICE_EXTENSION , Link)) == 1)
+requires((true) ==> ((Subset(Empty(), ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))) && (forall _H_y : int :: {ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]} (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]) ==> ((_H_y == LegacyDeviceList__GLOBALS(Globals)) || (Res_DEV_EXTN[MINUS_LEFT_PTR(_H_y, 1, Link__DEVICE_EXTENSION(0))] == 1))))));
+//TAG: requires __resource("DEV_OBJ_INIT", DeviceObject) == 1
+requires(Res_DEV_OBJ_INIT[$DeviceObject$1$1080.28$KeyboardClassCleanupQueue$121] == 1);
+//TAG: ensures __resource("DEV_EXTN", DeviceExtension) == 1
+ensures(Res_DEV_EXTN[$DeviceExtension$2$1081.28$KeyboardClassCleanupQueue$121] == 1);
+//TAG: ensures __pforall(_H_x, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension), __inv_resource("DEV_OBJ_INIT", 1), ((struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension))->Self == _H_x && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension)) == 1)
+ensures((forall _H_x:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]} Inverse(Res_DEV_OBJ_INIT,1)[_H_x] ==> ((Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)])] == _H_x) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]] == 1))));
+//TAG: ensures __pforall(_H_z, _H_z->Self, __inv_resource("DEV_EXTN", 1), __resource("DEV_OBJ_INIT", _H_z->Self) == 1 && (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(_H_z->Self))->DeviceExtension) == _H_z)
+ensures((forall _H_z:int :: {Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]} Inverse(Res_DEV_EXTN,1)[_H_z] ==> ((Res_DEV_OBJ_INIT[Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]] == 1) && (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)])] == _H_z))));
+//TAG: ensures __forall(_H_z, __inv_resource("DEV_EXTN", 1), 1)
+ensures((Subset(Empty(), Inverse(Res_DEV_EXTN,1)) && (forall _H_z : int :: {Inverse(Res_DEV_EXTN,1)[_H_z]} (Inverse(Res_DEV_EXTN,1)[_H_z]) ==> (true))));
+//TAG: ensures 1 ==> (Globals.GrandMaster != (void *)0 ==> __resource("DEV_EXTN", Globals.GrandMaster) == 1)
+ensures((true) ==> ((Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] != 0) ==> (Res_DEV_EXTN[Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)]] == 1)));
+//TAG: ensures 1 ==> __setin(&Globals.LegacyDeviceList, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList))
+ensures((true) ==> (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[LegacyDeviceList__GLOBALS(Globals)]));
+//TAG: ensures 1 ==> __forall(_H_y, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), _H_y == &Globals.LegacyDeviceList || __resource("DEV_EXTN", CONTAINING_RECORD(_H_y, struct _DEVICE_EXTENSION , Link)) == 1)
+ensures((true) ==> ((Subset(Empty(), ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))) && (forall _H_y : int :: {ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]} (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]) ==> ((_H_y == LegacyDeviceList__GLOBALS(Globals)) || (Res_DEV_EXTN[MINUS_LEFT_PTR(_H_y, 1, Link__DEVICE_EXTENSION(0))] == 1))))));
+//TAG: ensures __preserves_field_map(__offset((*((struct _LIST_ENTRY *)0)).Flink))
+ensures(Mem[T.Flink__LIST_ENTRY] == old(Mem)[T.Flink__LIST_ENTRY]);
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT")
+ensures(Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT));
+//TAG: ensures __preserves_resource("DEV_EXTN")
+ensures(Res_DEV_EXTN == old(Res_DEV_EXTN));
+//TAG: ensures __resource("DEV_OBJ_INIT", DeviceObject) == 1
+ensures(Res_DEV_OBJ_INIT[$DeviceObject$1$1080.28$KeyboardClassCleanupQueue$121] == 1);
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_f19b65c1] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure ObfDereferenceObject($Object$1$24931.15$ObfDereferenceObject$41:int) returns ($result.ObfDereferenceObject$24930.0$1$:int);
+
+//TAG: ensures __preserves_mem
+ensures(Mem == old(Mem));
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+ensures((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN)));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_f19b65c1] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure RemoveEntryList($Entry$1$6929.19$RemoveEntryList$41:int) returns ($result.RemoveEntryList$6928.0$1$:int);
+
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+ensures((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN)));
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+ensures((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN)));
+//TAG: ensures __seteq(__btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), __setminus(__old(__btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList)), __set(Entry)))
+ensures((Subset(ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals)), Difference(ReachBetweenSet(Shift_Flink__LIST_ENTRY(old(Mem)[T.Flink__LIST_ENTRY]), old(Mem)[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(old(Globals)))], LegacyDeviceList__GLOBALS(old(Globals))), Singleton($Entry$1$6929.19$RemoveEntryList$41))) && Subset(Difference(ReachBetweenSet(Shift_Flink__LIST_ENTRY(old(Mem)[T.Flink__LIST_ENTRY]), old(Mem)[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(old(Globals)))], LegacyDeviceList__GLOBALS(old(Globals))), Singleton($Entry$1$6929.19$RemoveEntryList$41)), ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals)))));
+//TAG: ensures Entry->Flink == __old(Entry->Flink)
+ensures(Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY($Entry$1$6929.19$RemoveEntryList$41)] == old(Mem)[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY($Entry$1$6929.19$RemoveEntryList$41)]);
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty, __set_empty
+ensures (Subset(Empty(), Union(Union(Empty(), Empty()), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty, __set_empty
+ensures (Subset(Empty(), Union(Union(Empty(), Empty()), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty, __set_empty
+ensures (Subset(Empty(), Union(Union(Empty(), Empty()), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty, __set_empty
+ensures (Subset(Empty(), Union(Union(Empty(), Empty()), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty, __set_empty
+ensures (Subset(Empty(), Union(Union(Empty(), Empty()), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_f19b65c1] only for: __set_empty, __set_empty
+ensures (Subset(Empty(), Union(Union(Empty(), Empty()), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]} (Empty()[_m]) || (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty, __set_empty
+ensures (Subset(Empty(), Union(Union(Empty(), Empty()), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty, __set_empty
+ensures (Subset(Empty(), Union(Union(Empty(), Empty()), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty, __set_empty
+ensures (Subset(Empty(), Union(Union(Empty(), Empty()), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty, __set_empty
+ensures (Subset(Empty(), Union(Union(Empty(), Empty()), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty, __set_empty
+ensures (Subset(Empty(), Union(Union(Empty(), Empty()), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure __PREfastPagedCode();
+
+//TAG: ensures __preserves_mem
+ensures(Mem == old(Mem));
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+ensures((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN)));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_f19b65c1] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure KeyboardClassUnload($DriverObject$1$2966.24$KeyboardClassUnload$41:int)
+
+//TAG: requires __pforall(_H_x, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension), __inv_resource("DEV_OBJ_INIT", 1), ((struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension))->Self == _H_x && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension)) == 1)
+requires((forall _H_x:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]} Inverse(Res_DEV_OBJ_INIT,1)[_H_x] ==> ((Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)])] == _H_x) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]] == 1))));
+//TAG: requires __pforall(_H_z, _H_z->Self, __inv_resource("DEV_EXTN", 1), __resource("DEV_OBJ_INIT", _H_z->Self) == 1 && (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(_H_z->Self))->DeviceExtension) == _H_z) && __forall(_H_z, __inv_resource("DEV_EXTN", 1), 1)
+requires(((forall _H_z:int :: {Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]} Inverse(Res_DEV_EXTN,1)[_H_z] ==> ((Res_DEV_OBJ_INIT[Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]] == 1) && (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)])] == _H_z)))) && ((Subset(Empty(), Inverse(Res_DEV_EXTN,1)) && (forall _H_z : int :: {Inverse(Res_DEV_EXTN,1)[_H_z]} (Inverse(Res_DEV_EXTN,1)[_H_z]) ==> (true)))));
+//TAG: ensures __pforall(_H_x, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension), __inv_resource("DEV_OBJ_INIT", 1), ((struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension))->Self == _H_x && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension)) == 1)
+ensures((forall _H_x:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]} Inverse(Res_DEV_OBJ_INIT,1)[_H_x] ==> ((Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)])] == _H_x) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]] == 1))));
+//TAG: ensures __pforall(_H_z, _H_z->Self, __inv_resource("DEV_EXTN", 1), __resource("DEV_OBJ_INIT", _H_z->Self) == 1 && (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(_H_z->Self))->DeviceExtension) == _H_z) && __forall(_H_z, __inv_resource("DEV_EXTN", 1), 1)
+ensures(((forall _H_z:int :: {Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]} Inverse(Res_DEV_EXTN,1)[_H_z] ==> ((Res_DEV_OBJ_INIT[Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]] == 1) && (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)])] == _H_z)))) && ((Subset(Empty(), Inverse(Res_DEV_EXTN,1)) && (forall _H_z : int :: {Inverse(Res_DEV_EXTN,1)[_H_z]} (Inverse(Res_DEV_EXTN,1)[_H_z]) ==> (true)))));
+//TAG: requires 1 ==> (Globals.GrandMaster != (void *)0 ==> __resource("DEV_EXTN", Globals.GrandMaster) == 1)
+requires((true) ==> ((Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] != 0) ==> (Res_DEV_EXTN[Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)]] == 1)));
+//TAG: requires 1 ==> __setin(&Globals.LegacyDeviceList, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList))
+requires((true) ==> (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[LegacyDeviceList__GLOBALS(Globals)]));
+//TAG: requires 1 ==> __forall(_H_y, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), _H_y == &Globals.LegacyDeviceList || __resource("DEV_EXTN", CONTAINING_RECORD(_H_y, struct _DEVICE_EXTENSION , Link)) == 1)
+requires((true) ==> ((Subset(Empty(), ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))) && (forall _H_y : int :: {ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]} (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]) ==> ((_H_y == LegacyDeviceList__GLOBALS(Globals)) || (Res_DEV_EXTN[MINUS_LEFT_PTR(_H_y, 1, Link__DEVICE_EXTENSION(0))] == 1))))));
+//TAG: requires 1 ==> !__setin(&Globals.GrandMaster->Link, __setminus(__btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), __set(&Globals.LegacyDeviceList)))
+requires((true) ==> (!(Difference(ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals)), Singleton(LegacyDeviceList__GLOBALS(Globals)))[Link__DEVICE_EXTENSION(Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)])])));
+modifies alloc;
+free ensures(forall f:int :: {alloc[Base(f)]} old(alloc)[Base(f)] == UNALLOCATED || old(alloc)[Base(f)] == alloc[Base(f)]);
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for:
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for:
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for:
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for:
+
+//TAG: havoc memory locations by default
+modifies Mem;
+{
+var havoc_stringTemp:int;
+var condVal:int;
+var $DriverObject$1$2966.24$KeyboardClassUnload$4 : int;
+var $IoAllocateIrp.arg.1$9$ : int;
+var $KbdDebugPrint.arg.2$1$ : int;
+var $KbdDebugPrint.arg.2$19$ : int;
+var $RtlAssert.arg.1$14$ : int;
+var $RtlAssert.arg.1$16$ : int;
+var $RtlAssert.arg.1$18$ : int;
+var $RtlAssert.arg.1$3$ : int;
+var $RtlAssert.arg.1$5$ : int;
+var $RtlAssert.arg.1$7$ : int;
+var $RtlAssert.arg.2$13$ : int;
+var $RtlAssert.arg.2$15$ : int;
+var $RtlAssert.arg.2$17$ : int;
+var $RtlAssert.arg.2$2$ : int;
+var $RtlAssert.arg.2$4$ : int;
+var $RtlAssert.arg.2$6$ : int;
+var $data$3$2989.22$KeyboardClassUnload$4 : int;
+var $enabled$6$3006.16$KeyboardClassUnload$4 : int;
+var $entry$2$2988.16$KeyboardClassUnload$4 : int;
+var $file$7$3007.21$KeyboardClassUnload$4 : int;
+var $i$8$3075.14$KeyboardClassUnload$4 : int;
+var $irp$5$2991.9$KeyboardClassUnload$4 : int;
+var $port$4$2990.10$KeyboardClassUnload$4 : int;
+var $result.IoAllocateIrp$3031.31$8$ : int;
+var $result.KbdEnableDisablePort$3033.37$10$ : int;
+var $result.ObfDereferenceObject$3044.12$11$ : int;
+var $result.RemoveEntryList$3055.24$12$ : int;
+var tempBoogie0:int;
+var tempBoogie1:int;
+var tempBoogie2:int;
+var tempBoogie3:int;
+var tempBoogie4:int;
+var tempBoogie5:int;
+var tempBoogie6:int;
+var tempBoogie7:int;
+var tempBoogie8:int;
+var tempBoogie9:int;
+var tempBoogie10:int;
+var tempBoogie11:int;
+var tempBoogie12:int;
+var tempBoogie13:int;
+var tempBoogie14:int;
+var tempBoogie15:int;
+var tempBoogie16:int;
+var tempBoogie17:int;
+var tempBoogie18:int;
+var tempBoogie19:int;
+var LOOP_15_alloc:[int]name;
+var LOOP_15_Mem:[name][int]int;
+var LOOP_15_Res_DEVICE_STACK:[int]int;
+var LOOP_15_Res_DEV_EXTN:[int]int;
+var LOOP_15_Res_DEV_OBJ_INIT:[int]int;
+var LOOP_15_Res_SPIN_LOCK:[int]int;
+var LOOP_108_alloc:[int]name;
+var LOOP_108_Mem:[name][int]int;
+var LOOP_108_Res_DEVICE_STACK:[int]int;
+var LOOP_108_Res_DEV_EXTN:[int]int;
+var LOOP_108_Res_DEV_OBJ_INIT:[int]int;
+var LOOP_108_Res_SPIN_LOCK:[int]int;
+
+
+start:
+
+assume (alloc[$DriverObject$1$2966.24$KeyboardClassUnload$41] != UNALLOCATED);
+call $file$7$3007.21$KeyboardClassUnload$4 := __HAVOC_malloc(4);
+$DriverObject$1$2966.24$KeyboardClassUnload$4 := $DriverObject$1$2966.24$KeyboardClassUnload$41;
+goto label_3;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3088)
+label_1:
+call __HAVOC_free($file$7$3007.21$KeyboardClassUnload$4);
+assume (forall m:int:: {Res_DEVICE_STACK[m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Res_DEVICE_STACK[m] == old(Res_DEVICE_STACK)[m]);
+assume (forall m:int:: {Res_DEV_EXTN[m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Res_DEV_EXTN[m] == old(Res_DEV_EXTN)[m]);
+assume (forall m:int:: {Res_DEV_OBJ_INIT[m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Res_DEV_OBJ_INIT[m] == old(Res_DEV_OBJ_INIT)[m]);
+assume (forall m:int:: {Res_SPIN_LOCK[m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Res_SPIN_LOCK[m] == old(Res_SPIN_LOCK)[m]);
+assume (forall m:int :: {Mem[T.A11CHAR][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.A11CHAR][m] == old(Mem[T.A11CHAR])[m]);
+assume (forall m:int :: {Mem[T.A19CHAR][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.A19CHAR][m] == old(Mem[T.A19CHAR])[m]);
+assume (forall m:int :: {Mem[T.A36CHAR][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.A36CHAR][m] == old(Mem[T.A36CHAR])[m]);
+assume (forall m:int :: {Mem[T.A37CHAR][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.A37CHAR][m] == old(Mem[T.A37CHAR])[m]);
+assume (forall m:int :: {Mem[T.A39CHAR][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.A39CHAR][m] == old(Mem[T.A39CHAR])[m]);
+assume (forall m:int :: {Mem[T.A43CHAR][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.A43CHAR][m] == old(Mem[T.A43CHAR])[m]);
+assume (forall m:int :: {Mem[T.A74CHAR][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.A74CHAR][m] == old(Mem[T.A74CHAR])[m]);
+assume (forall m:int :: {Mem[T.AssocClassList__GLOBALS][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.AssocClassList__GLOBALS][m] == old(Mem[T.AssocClassList__GLOBALS])[m]);
+assume (forall m:int :: {Mem[T.Buffer__UNICODE_STRING][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Buffer__UNICODE_STRING][m] == old(Mem[T.Buffer__UNICODE_STRING])[m]);
+assume (forall m:int :: {Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][m] == old(Mem[T.CurrentStackLocation___unnamed_4_f19b65c1])[m]);
+assume (forall m:int :: {Mem[T.DataIn__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.DataIn__DEVICE_EXTENSION][m] == old(Mem[T.DataIn__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.DataOut__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.DataOut__DEVICE_EXTENSION][m] == old(Mem[T.DataOut__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.DeviceExtension__DEVICE_OBJECT][m] == old(Mem[T.DeviceExtension__DEVICE_OBJECT])[m]);
+assume (forall m:int :: {Mem[T.Enabled__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Enabled__DEVICE_EXTENSION][m] == old(Mem[T.Enabled__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.Enabled__PORT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Enabled__PORT][m] == old(Mem[T.Enabled__PORT])[m]);
+assume (forall m:int :: {Mem[T.File__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.File__DEVICE_EXTENSION][m] == old(Mem[T.File__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.File__PORT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.File__PORT][m] == old(Mem[T.File__PORT])[m]);
+assume (forall m:int :: {Mem[T.Flink__LIST_ENTRY][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Flink__LIST_ENTRY][m] == old(Mem[T.Flink__LIST_ENTRY])[m]);
+assume (forall m:int :: {Mem[T.Free__PORT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Free__PORT][m] == old(Mem[T.Free__PORT])[m]);
+assume (forall m:int :: {Mem[T.GrandMaster__GLOBALS][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.GrandMaster__GLOBALS][m] == old(Mem[T.GrandMaster__GLOBALS])[m]);
+assume (forall m:int :: {Mem[T.INT4][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.INT4][m] == old(Mem[T.INT4])[m]);
+assume (forall m:int :: {Mem[T.InputData__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.InputData__DEVICE_EXTENSION][m] == old(Mem[T.InputData__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.LegacyDeviceList__GLOBALS][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.LegacyDeviceList__GLOBALS][m] == old(Mem[T.LegacyDeviceList__GLOBALS])[m]);
+assume (forall m:int :: {Mem[T.Link__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Link__DEVICE_EXTENSION][m] == old(Mem[T.Link__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.MinorFunction__IO_STACK_LOCATION][m] == old(Mem[T.MinorFunction__IO_STACK_LOCATION])[m]);
+assume (forall m:int :: {Mem[T.NumAssocClass__GLOBALS][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.NumAssocClass__GLOBALS][m] == old(Mem[T.NumAssocClass__GLOBALS])[m]);
+assume (forall m:int :: {Mem[T.PCHAR][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.PCHAR][m] == old(Mem[T.PCHAR])[m]);
+assume (forall m:int :: {Mem[T.PP_FILE_OBJECT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.PP_FILE_OBJECT][m] == old(Mem[T.PP_FILE_OBJECT])[m]);
+assume (forall m:int :: {Mem[T.PVOID][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.PVOID][m] == old(Mem[T.PVOID])[m]);
+assume (forall m:int :: {Mem[T.P_DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.P_DEVICE_EXTENSION][m] == old(Mem[T.P_DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.P_DEVICE_OBJECT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.P_DEVICE_OBJECT][m] == old(Mem[T.P_DEVICE_OBJECT])[m]);
+assume (forall m:int :: {Mem[T.P_FILE_OBJECT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.P_FILE_OBJECT][m] == old(Mem[T.P_FILE_OBJECT])[m]);
+assume (forall m:int :: {Mem[T.P_IRP][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.P_IRP][m] == old(Mem[T.P_IRP])[m]);
+assume (forall m:int :: {Mem[T.P_KEYBOARD_INPUT_DATA][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.P_KEYBOARD_INPUT_DATA][m] == old(Mem[T.P_KEYBOARD_INPUT_DATA])[m]);
+assume (forall m:int :: {Mem[T.P_LIST_ENTRY][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.P_LIST_ENTRY][m] == old(Mem[T.P_LIST_ENTRY])[m]);
+assume (forall m:int :: {Mem[T.P_PORT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.P_PORT][m] == old(Mem[T.P_PORT])[m]);
+assume (forall m:int :: {Mem[T.PnP__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.PnP__DEVICE_EXTENSION][m] == old(Mem[T.PnP__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.Port__PORT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Port__PORT][m] == old(Mem[T.Port__PORT])[m]);
+assume (forall m:int :: {Mem[T.RegistryPath__GLOBALS][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.RegistryPath__GLOBALS][m] == old(Mem[T.RegistryPath__GLOBALS])[m]);
+assume (forall m:int :: {Mem[T.Self__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Self__DEVICE_EXTENSION][m] == old(Mem[T.Self__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.StackSize__DEVICE_OBJECT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.StackSize__DEVICE_OBJECT][m] == old(Mem[T.StackSize__DEVICE_OBJECT])[m]);
+assume (forall m:int :: {Mem[T.Started__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Started__DEVICE_EXTENSION][m] == old(Mem[T.Started__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.TopPort__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.TopPort__DEVICE_EXTENSION][m] == old(Mem[T.TopPort__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.UCHAR][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.UCHAR][m] == old(Mem[T.UCHAR])[m]);
+assume (forall m:int :: {Mem[T.UINT4][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.UINT4][m] == old(Mem[T.UINT4])[m]);
+assume (forall m:int :: {Mem[T.UnitId__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.UnitId__DEVICE_EXTENSION][m] == old(Mem[T.UnitId__DEVICE_EXTENSION])[m]);
+return;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3088)
+label_2:
+assume false;
+return;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(2988)
+label_3:
+goto label_4;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(2989)
+label_4:
+goto label_5;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(2990)
+label_5:
+goto label_6;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(2991)
+label_6:
+goto label_7;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(2995)
+label_7:
+call __PREfastPagedCode ();
+goto label_13;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(2997)
+label_10:
+// skip KbdDebugPrint
+goto label_14;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(2997)
+label_13:
+call havoc_stringTemp := __HAVOC_malloc(1);
+$KbdDebugPrint.arg.2$1$ := havoc_stringTemp ;
+goto label_10;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3002)
+label_14:
+$entry$2$2988.16$KeyboardClassUnload$4 := Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))] ;
+goto label_15;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3003)
+label_15:
+// loop entry initialization...
+LOOP_15_alloc := alloc;
+LOOP_15_Mem := Mem;
+LOOP_15_Res_DEVICE_STACK := Res_DEVICE_STACK;
+LOOP_15_Res_DEV_EXTN := Res_DEV_EXTN;
+LOOP_15_Res_DEV_OBJ_INIT := Res_DEV_OBJ_INIT;
+LOOP_15_Res_SPIN_LOCK := Res_SPIN_LOCK;
+goto label_15_head;
+
+
+label_15_head:
+// loop head assertions...
+//TAG: requires __pforall(_H_x, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension), __inv_resource("DEV_OBJ_INIT", 1), ((struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension))->Self == _H_x && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension)) == 1)
+assert((forall _H_x:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]} Inverse(Res_DEV_OBJ_INIT,1)[_H_x] ==> ((Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)])] == _H_x) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]] == 1))));
+//TAG: requires __pforall(_H_z, _H_z->Self, __inv_resource("DEV_EXTN", 1), __resource("DEV_OBJ_INIT", _H_z->Self) == 1 && (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(_H_z->Self))->DeviceExtension) == _H_z)
+assert((forall _H_z:int :: {Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]} Inverse(Res_DEV_EXTN,1)[_H_z] ==> ((Res_DEV_OBJ_INIT[Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]] == 1) && (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)])] == _H_z))));
+//TAG: requires __forall(_H_z, __inv_resource("DEV_EXTN", 1), 1)
+assert((Subset(Empty(), Inverse(Res_DEV_EXTN,1)) && (forall _H_z : int :: {Inverse(Res_DEV_EXTN,1)[_H_z]} (Inverse(Res_DEV_EXTN,1)[_H_z]) ==> (true))));
+//TAG: requires 1 ==> (Globals.GrandMaster != (void *)0 ==> __resource("DEV_EXTN", Globals.GrandMaster) == 1)
+assert((true) ==> ((Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] != 0) ==> (Res_DEV_EXTN[Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)]] == 1)));
+//TAG: requires 1 ==> __setin(&Globals.LegacyDeviceList, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList))
+assert((true) ==> (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[LegacyDeviceList__GLOBALS(Globals)]));
+//TAG: requires 1 ==> __forall(_H_y, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), _H_y == &Globals.LegacyDeviceList || __resource("DEV_EXTN", CONTAINING_RECORD(_H_y, struct _DEVICE_EXTENSION , Link)) == 1)
+assert((true) ==> ((Subset(Empty(), ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))) && (forall _H_y : int :: {ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]} (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]) ==> ((_H_y == LegacyDeviceList__GLOBALS(Globals)) || (Res_DEV_EXTN[MINUS_LEFT_PTR(_H_y, 1, Link__DEVICE_EXTENSION(0))] == 1))))));
+//TAG: requires 1 ==> !__setin(&Globals.GrandMaster->Link, __setminus(__btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), __set(&Globals.LegacyDeviceList)))
+assert((true) ==> (!(Difference(ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals)), Singleton(LegacyDeviceList__GLOBALS(Globals)))[Link__DEVICE_EXTENSION(Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)])])));
+//TAG: requires __setin(entry, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList))
+assert(ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[$entry$2$2988.16$KeyboardClassUnload$4]);
+assume(forall f:int :: {alloc[Base(f)]} LOOP_15_alloc[Base(f)] == UNALLOCATED || LOOP_15_alloc[Base(f)] == alloc[Base(f)]);
+
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || LOOP_15_Res_DEVICE_STACK[r] == Res_DEVICE_STACK[r]));
+
+//TAG: net change in resource DEV_EXTN only for: __set_true
+assert (Subset(Empty(), Union(Empty(), SetTrue())) && (forall r:int :: {Res_DEV_EXTN[r]} (SetTrue()[r]) || LOOP_15_Res_DEV_EXTN[r] == Res_DEV_EXTN[r]));
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_true
+assert (Subset(Empty(), Union(Empty(), SetTrue())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (SetTrue()[r]) || LOOP_15_Res_DEV_OBJ_INIT[r] == Res_DEV_OBJ_INIT[r]));
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || LOOP_15_Res_SPIN_LOCK[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == LOOP_15_Mem[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_f19b65c1] only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m] == LOOP_15_Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == LOOP_15_Mem[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == LOOP_15_Mem[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == LOOP_15_Mem[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == LOOP_15_Mem[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == LOOP_15_Mem[T.P_DEVICE_OBJECT][_m]));
+
+// end loop head assertions
+
+goto label_15_true , label_15_false ;
+
+
+label_15_true :
+assume ($entry$2$2988.16$KeyboardClassUnload$4 != LegacyDeviceList__GLOBALS(Globals));
+goto label_16;
+
+
+label_15_false :
+assume !($entry$2$2988.16$KeyboardClassUnload$4 != LegacyDeviceList__GLOBALS(Globals));
+goto label_85;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3006)
+label_16:
+goto label_17;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3006)
+label_17:
+$enabled$6$3006.16$KeyboardClassUnload$4 := 0 ;
+goto label_18;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3007)
+label_18:
+goto label_19;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3007)
+label_19:
+Mem[T.P_FILE_OBJECT] := Mem[T.P_FILE_OBJECT][$file$7$3007.21$KeyboardClassUnload$4 := 0];
+goto label_20;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3009)
+label_20:
+$data$3$2989.22$KeyboardClassUnload$4 := MINUS_LEFT_PTR($entry$2$2988.16$KeyboardClassUnload$4, 1, 272) ;
+goto label_21;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3010)
+label_21:
+goto label_21_true , label_21_false ;
+
+
+label_21_true :
+assume (Mem[T.PnP__DEVICE_EXTENSION][PnP__DEVICE_EXTENSION($data$3$2989.22$KeyboardClassUnload$4)] != 0);
+goto label_25;
+
+
+label_21_false :
+assume (Mem[T.PnP__DEVICE_EXTENSION][PnP__DEVICE_EXTENSION($data$3$2989.22$KeyboardClassUnload$4)] == 0);
+goto label_27;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3010)
+label_22:
+// skip RtlAssert
+goto label_27;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3010)
+label_25:
+call havoc_stringTemp := __HAVOC_malloc(1);
+$RtlAssert.arg.2$2$ := havoc_stringTemp ;
+goto label_26;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3010)
+label_26:
+call havoc_stringTemp := __HAVOC_malloc(1);
+$RtlAssert.arg.1$3$ := havoc_stringTemp ;
+goto label_22;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3012)
+label_27:
+goto label_27_true , label_27_false ;
+
+
+label_27_true :
+assume (Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] != 0);
+goto label_28;
+
+
+label_27_false :
+assume (Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] == 0);
+goto label_40;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3013)
+label_28:
+$port$4$2990.10$KeyboardClassUnload$4 := PLUS(Mem[T.AssocClassList__GLOBALS][AssocClassList__GLOBALS(Globals)], 12, Mem[T.UnitId__DEVICE_EXTENSION][UnitId__DEVICE_EXTENSION($data$3$2989.22$KeyboardClassUnload$4)]) ;
+goto label_29;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3014)
+label_29:
+goto label_29_true , label_29_false ;
+
+
+label_29_true :
+assume (Mem[T.Port__PORT][Port__PORT($port$4$2990.10$KeyboardClassUnload$4)] == $data$3$2989.22$KeyboardClassUnload$4);
+goto label_35;
+
+
+label_29_false :
+assume !(Mem[T.Port__PORT][Port__PORT($port$4$2990.10$KeyboardClassUnload$4)] == $data$3$2989.22$KeyboardClassUnload$4);
+goto label_33;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3014)
+label_30:
+// skip RtlAssert
+goto label_35;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3014)
+label_33:
+call havoc_stringTemp := __HAVOC_malloc(1);
+$RtlAssert.arg.2$4$ := havoc_stringTemp ;
+goto label_34;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3014)
+label_34:
+call havoc_stringTemp := __HAVOC_malloc(1);
+$RtlAssert.arg.1$5$ := havoc_stringTemp ;
+goto label_30;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3016)
+label_35:
+$enabled$6$3006.16$KeyboardClassUnload$4 := Mem[T.Enabled__PORT][Enabled__PORT($port$4$2990.10$KeyboardClassUnload$4)] ;
+goto label_36;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3017)
+label_36:
+Mem[T.P_FILE_OBJECT] := Mem[T.P_FILE_OBJECT][$file$7$3007.21$KeyboardClassUnload$4 := Mem[T.File__PORT][File__PORT($port$4$2990.10$KeyboardClassUnload$4)]];
+goto label_37;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3019)
+label_37:
+Mem[T.Enabled__PORT] := Mem[T.Enabled__PORT][Enabled__PORT($port$4$2990.10$KeyboardClassUnload$4) := 0];
+goto label_38;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3020)
+label_38:
+Mem[T.File__PORT] := Mem[T.File__PORT][File__PORT($port$4$2990.10$KeyboardClassUnload$4) := 0];
+goto label_39;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3021)
+label_39:
+Mem[T.Free__PORT] := Mem[T.Free__PORT][Free__PORT($port$4$2990.10$KeyboardClassUnload$4) := 1];
+goto label_49;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3024)
+label_40:
+$enabled$6$3006.16$KeyboardClassUnload$4 := Mem[T.Enabled__DEVICE_EXTENSION][Enabled__DEVICE_EXTENSION($data$3$2989.22$KeyboardClassUnload$4)] ;
+goto label_41;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3025)
+label_41:
+Mem[T.P_FILE_OBJECT] := Mem[T.P_FILE_OBJECT][$file$7$3007.21$KeyboardClassUnload$4 := Mem[T.File__DEVICE_EXTENSION][File__DEVICE_EXTENSION($data$3$2989.22$KeyboardClassUnload$4)]];
+goto label_42;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3026)
+label_42:
+goto label_42_true , label_42_false ;
+
+
+label_42_true :
+assume (Mem[T.File__DEVICE_EXTENSION][File__DEVICE_EXTENSION($data$3$2989.22$KeyboardClassUnload$4)] != 0);
+goto label_48;
+
+
+label_42_false :
+assume (Mem[T.File__DEVICE_EXTENSION][File__DEVICE_EXTENSION($data$3$2989.22$KeyboardClassUnload$4)] == 0);
+goto label_46;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3026)
+label_43:
+// skip RtlAssert
+goto label_48;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3026)
+label_46:
+call havoc_stringTemp := __HAVOC_malloc(1);
+$RtlAssert.arg.2$6$ := havoc_stringTemp ;
+goto label_47;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3026)
+label_47:
+call havoc_stringTemp := __HAVOC_malloc(1);
+$RtlAssert.arg.1$7$ := havoc_stringTemp ;
+goto label_43;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3027)
+label_48:
+Mem[T.Enabled__DEVICE_EXTENSION] := Mem[T.Enabled__DEVICE_EXTENSION][Enabled__DEVICE_EXTENSION($data$3$2989.22$KeyboardClassUnload$4) := 0];
+goto label_49;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3030)
+label_49:
+goto label_49_true , label_49_false ;
+
+
+label_49_true :
+assume ($enabled$6$3006.16$KeyboardClassUnload$4 != 0);
+goto label_53;
+
+
+label_49_false :
+assume ($enabled$6$3006.16$KeyboardClassUnload$4 == 0);
+goto label_62;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3031)
+label_50:
+call $result.IoAllocateIrp$3031.31$8$ := IoAllocateIrp ($IoAllocateIrp.arg.1$9$, 0);
+goto label_54;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3031)
+label_53:
+$IoAllocateIrp.arg.1$9$ := PLUS(Mem[T.StackSize__DEVICE_OBJECT][StackSize__DEVICE_OBJECT(Mem[T.TopPort__DEVICE_EXTENSION][TopPort__DEVICE_EXTENSION($data$3$2989.22$KeyboardClassUnload$4)])], 1, 1) ;
+goto label_50;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3031)
+label_54:
+$irp$5$2991.9$KeyboardClassUnload$4 := $result.IoAllocateIrp$3031.31$8$ ;
+goto label_55;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3032)
+label_55:
+goto label_55_true , label_55_false ;
+
+
+label_55_true :
+assume ($irp$5$2991.9$KeyboardClassUnload$4 != 0);
+goto label_56;
+
+
+label_55_false :
+assume ($irp$5$2991.9$KeyboardClassUnload$4 == 0);
+goto label_62;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3033)
+label_56:
+call $result.KbdEnableDisablePort$3033.37$10$ := KbdEnableDisablePort (0, $irp$5$2991.9$KeyboardClassUnload$4, $data$3$2989.22$KeyboardClassUnload$4, $file$7$3007.21$KeyboardClassUnload$4);
+goto label_59;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3034)
+label_59:
+call IoFreeIrp ($irp$5$2991.9$KeyboardClassUnload$4);
+goto label_62;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3043)
+label_62:
+goto label_62_true , label_62_false ;
+
+
+label_62_true :
+assume (Mem[T.P_FILE_OBJECT][$file$7$3007.21$KeyboardClassUnload$4] != 0);
+goto label_63;
+
+
+label_62_false :
+assume (Mem[T.P_FILE_OBJECT][$file$7$3007.21$KeyboardClassUnload$4] == 0);
+goto label_66;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3044)
+label_63:
+call $result.ObfDereferenceObject$3044.12$11$ := ObfDereferenceObject (Mem[T.P_FILE_OBJECT][$file$7$3007.21$KeyboardClassUnload$4]);
+goto label_66;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3051)
+label_66:
+goto label_66_true , label_66_false ;
+
+
+label_66_true :
+assume (Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] != 0);
+goto label_70;
+
+
+label_66_false :
+assume (Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] == 0);
+goto label_67;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3052)
+label_67:
+call KeyboardClassCleanupQueue (Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION($data$3$2989.22$KeyboardClassUnload$4)], $data$3$2989.22$KeyboardClassUnload$4, 0);
+goto label_70;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3055)
+label_70:
+call $result.RemoveEntryList$3055.24$12$ := RemoveEntryList (Link__DEVICE_EXTENSION($data$3$2989.22$KeyboardClassUnload$4));
+goto label_73;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3056)
+label_73:
+$entry$2$2988.16$KeyboardClassUnload$4 := Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY($entry$2$2988.16$KeyboardClassUnload$4)] ;
+goto label_74;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3058)
+label_74:
+goto label_74_true , label_74_false ;
+
+
+label_74_true :
+assume (Mem[T.InputData__DEVICE_EXTENSION][InputData__DEVICE_EXTENSION($data$3$2989.22$KeyboardClassUnload$4)] != 0);
+goto label_75;
+
+
+label_74_false :
+assume (Mem[T.InputData__DEVICE_EXTENSION][InputData__DEVICE_EXTENSION($data$3$2989.22$KeyboardClassUnload$4)] == 0);
+goto label_81;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3058)
+label_75:
+call ExFreePoolWithTag (Mem[T.InputData__DEVICE_EXTENSION][InputData__DEVICE_EXTENSION($data$3$2989.22$KeyboardClassUnload$4)], 0);
+goto label_78;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3058)
+label_78:
+Mem[T.DataOut__DEVICE_EXTENSION] := Mem[T.DataOut__DEVICE_EXTENSION][DataOut__DEVICE_EXTENSION($data$3$2989.22$KeyboardClassUnload$4) := 0];
+goto label_79;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3058)
+label_79:
+Mem[T.DataIn__DEVICE_EXTENSION] := Mem[T.DataIn__DEVICE_EXTENSION][DataIn__DEVICE_EXTENSION($data$3$2989.22$KeyboardClassUnload$4) := Mem[T.DataOut__DEVICE_EXTENSION][DataOut__DEVICE_EXTENSION($data$3$2989.22$KeyboardClassUnload$4)]];
+goto label_80;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3058)
+label_80:
+Mem[T.InputData__DEVICE_EXTENSION] := Mem[T.InputData__DEVICE_EXTENSION][InputData__DEVICE_EXTENSION($data$3$2989.22$KeyboardClassUnload$4) := Mem[T.DataIn__DEVICE_EXTENSION][DataIn__DEVICE_EXTENSION($data$3$2989.22$KeyboardClassUnload$4)]];
+goto label_81;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3058)
+label_81:
+call IoDeleteDevice (Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION($data$3$2989.22$KeyboardClassUnload$4)]);
+goto label_84;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3058)
+label_84:
+$data$3$2989.22$KeyboardClassUnload$4 := 0 ;
+goto label_15_head;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3064)
+label_85:
+goto label_85_true , label_85_false ;
+
+
+label_85_true :
+assume (Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] != 0);
+goto label_86;
+
+
+label_85_false :
+assume (Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] == 0);
+goto label_102;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3065)
+label_86:
+$data$3$2989.22$KeyboardClassUnload$4 := Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] ;
+goto label_87;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3066)
+label_87:
+Mem[T.GrandMaster__GLOBALS] := Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals) := 0];
+goto label_88;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3068)
+label_88:
+call KeyboardClassCleanupQueue (Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION($data$3$2989.22$KeyboardClassUnload$4)], $data$3$2989.22$KeyboardClassUnload$4, 0);
+goto label_91;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3069)
+label_91:
+goto label_91_true , label_91_false ;
+
+
+label_91_true :
+assume (Mem[T.InputData__DEVICE_EXTENSION][InputData__DEVICE_EXTENSION($data$3$2989.22$KeyboardClassUnload$4)] != 0);
+goto label_92;
+
+
+label_91_false :
+assume (Mem[T.InputData__DEVICE_EXTENSION][InputData__DEVICE_EXTENSION($data$3$2989.22$KeyboardClassUnload$4)] == 0);
+goto label_98;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3069)
+label_92:
+call ExFreePoolWithTag (Mem[T.InputData__DEVICE_EXTENSION][InputData__DEVICE_EXTENSION($data$3$2989.22$KeyboardClassUnload$4)], 0);
+goto label_95;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3069)
+label_95:
+Mem[T.DataOut__DEVICE_EXTENSION] := Mem[T.DataOut__DEVICE_EXTENSION][DataOut__DEVICE_EXTENSION($data$3$2989.22$KeyboardClassUnload$4) := 0];
+goto label_96;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3069)
+label_96:
+Mem[T.DataIn__DEVICE_EXTENSION] := Mem[T.DataIn__DEVICE_EXTENSION][DataIn__DEVICE_EXTENSION($data$3$2989.22$KeyboardClassUnload$4) := Mem[T.DataOut__DEVICE_EXTENSION][DataOut__DEVICE_EXTENSION($data$3$2989.22$KeyboardClassUnload$4)]];
+goto label_97;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3069)
+label_97:
+Mem[T.InputData__DEVICE_EXTENSION] := Mem[T.InputData__DEVICE_EXTENSION][InputData__DEVICE_EXTENSION($data$3$2989.22$KeyboardClassUnload$4) := Mem[T.DataIn__DEVICE_EXTENSION][DataIn__DEVICE_EXTENSION($data$3$2989.22$KeyboardClassUnload$4)]];
+goto label_98;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3069)
+label_98:
+call IoDeleteDevice (Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION($data$3$2989.22$KeyboardClassUnload$4)]);
+goto label_101;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3069)
+label_101:
+$data$3$2989.22$KeyboardClassUnload$4 := 0 ;
+goto label_102;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3072)
+label_102:
+call ExFreePoolWithTag (Mem[T.Buffer__UNICODE_STRING][Buffer__UNICODE_STRING(RegistryPath__GLOBALS(Globals))], 0);
+goto label_105;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3073)
+label_105:
+goto label_105_true , label_105_false ;
+
+
+label_105_true :
+assume (Mem[T.AssocClassList__GLOBALS][AssocClassList__GLOBALS(Globals)] != 0);
+goto label_106;
+
+
+label_105_false :
+assume (Mem[T.AssocClassList__GLOBALS][AssocClassList__GLOBALS(Globals)] == 0);
+goto label_134;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3075)
+label_106:
+goto label_107;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3077)
+label_107:
+$i$8$3075.14$KeyboardClassUnload$4 := 0 ;
+goto label_108;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3077)
+label_108:
+// loop entry initialization...
+LOOP_108_alloc := alloc;
+LOOP_108_Mem := Mem;
+LOOP_108_Res_DEVICE_STACK := Res_DEVICE_STACK;
+LOOP_108_Res_DEV_EXTN := Res_DEV_EXTN;
+LOOP_108_Res_DEV_OBJ_INIT := Res_DEV_OBJ_INIT;
+LOOP_108_Res_SPIN_LOCK := Res_SPIN_LOCK;
+goto label_108_head;
+
+
+label_108_head:
+// loop head assertions...
+//TAG: requires __pforall(_H_x, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension), __inv_resource("DEV_OBJ_INIT", 1), ((struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension))->Self == _H_x && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension)) == 1)
+assert((forall _H_x:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]} Inverse(Res_DEV_OBJ_INIT,1)[_H_x] ==> ((Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)])] == _H_x) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]] == 1))));
+//TAG: requires __pforall(_H_z, _H_z->Self, __inv_resource("DEV_EXTN", 1), __resource("DEV_OBJ_INIT", _H_z->Self) == 1 && (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(_H_z->Self))->DeviceExtension) == _H_z)
+assert((forall _H_z:int :: {Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]} Inverse(Res_DEV_EXTN,1)[_H_z] ==> ((Res_DEV_OBJ_INIT[Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]] == 1) && (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)])] == _H_z))));
+//TAG: requires __forall(_H_z, __inv_resource("DEV_EXTN", 1), 1)
+assert((Subset(Empty(), Inverse(Res_DEV_EXTN,1)) && (forall _H_z : int :: {Inverse(Res_DEV_EXTN,1)[_H_z]} (Inverse(Res_DEV_EXTN,1)[_H_z]) ==> (true))));
+//TAG: requires 1 ==> (Globals.GrandMaster != (void *)0 ==> __resource("DEV_EXTN", Globals.GrandMaster) == 1)
+assert((true) ==> ((Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] != 0) ==> (Res_DEV_EXTN[Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)]] == 1)));
+//TAG: requires 1 ==> __setin(&Globals.LegacyDeviceList, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList))
+assert((true) ==> (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[LegacyDeviceList__GLOBALS(Globals)]));
+//TAG: requires 1 ==> __forall(_H_y, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), _H_y == &Globals.LegacyDeviceList || __resource("DEV_EXTN", CONTAINING_RECORD(_H_y, struct _DEVICE_EXTENSION , Link)) == 1)
+assert((true) ==> ((Subset(Empty(), ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))) && (forall _H_y : int :: {ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]} (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]) ==> ((_H_y == LegacyDeviceList__GLOBALS(Globals)) || (Res_DEV_EXTN[MINUS_LEFT_PTR(_H_y, 1, Link__DEVICE_EXTENSION(0))] == 1))))));
+//TAG: requires __preserves_resource("DEV_OBJ_INIT")
+assert(Res_DEV_OBJ_INIT == LOOP_108_Res_DEV_OBJ_INIT);
+//TAG: requires __preserves_resource("DEV_EXTN")
+assert(Res_DEV_EXTN == LOOP_108_Res_DEV_EXTN);
+//TAG: requires __preserves_field_map(__offset((*((struct _LIST_ENTRY *)0)).Flink))
+assert(Mem[T.Flink__LIST_ENTRY] == LOOP_108_Mem[T.Flink__LIST_ENTRY]);
+assume(forall f:int :: {alloc[Base(f)]} LOOP_108_alloc[Base(f)] == UNALLOCATED || LOOP_108_alloc[Base(f)] == alloc[Base(f)]);
+
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || LOOP_108_Res_DEVICE_STACK[r] == Res_DEVICE_STACK[r]));
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || LOOP_108_Res_DEV_EXTN[r] == Res_DEV_EXTN[r]));
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || LOOP_108_Res_DEV_OBJ_INIT[r] == Res_DEV_OBJ_INIT[r]));
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || LOOP_108_Res_SPIN_LOCK[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == LOOP_108_Mem[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_f19b65c1] only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m] == LOOP_108_Mem[T.CurrentStackLocation___unnamed_4_f19b65c1][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == LOOP_108_Mem[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == LOOP_108_Mem[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == LOOP_108_Mem[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == LOOP_108_Mem[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == LOOP_108_Mem[T.P_DEVICE_OBJECT][_m]));
+
+// end loop head assertions
+
+goto label_108_true , label_108_false ;
+
+
+label_108_true :
+assume ($i$8$3075.14$KeyboardClassUnload$4 < Mem[T.NumAssocClass__GLOBALS][NumAssocClass__GLOBALS(Globals)]);
+goto label_109;
+
+
+label_108_false :
+assume !($i$8$3075.14$KeyboardClassUnload$4 < Mem[T.NumAssocClass__GLOBALS][NumAssocClass__GLOBALS(Globals)]);
+goto label_128;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3078)
+label_109:
+goto label_109_true , label_109_false ;
+
+
+label_109_true :
+assume (Mem[T.Free__PORT][Free__PORT(PLUS(Mem[T.AssocClassList__GLOBALS][AssocClassList__GLOBALS(Globals)], 12, $i$8$3075.14$KeyboardClassUnload$4))] == 1);
+goto label_115;
+
+
+label_109_false :
+assume !(Mem[T.Free__PORT][Free__PORT(PLUS(Mem[T.AssocClassList__GLOBALS][AssocClassList__GLOBALS(Globals)], 12, $i$8$3075.14$KeyboardClassUnload$4))] == 1);
+goto label_113;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3078)
+label_110:
+// skip RtlAssert
+goto label_115;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3078)
+label_113:
+call havoc_stringTemp := __HAVOC_malloc(1);
+$RtlAssert.arg.2$13$ := havoc_stringTemp ;
+goto label_114;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3078)
+label_114:
+call havoc_stringTemp := __HAVOC_malloc(1);
+$RtlAssert.arg.1$14$ := havoc_stringTemp ;
+goto label_110;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3079)
+label_115:
+goto label_115_true , label_115_false ;
+
+
+label_115_true :
+assume (Mem[T.Enabled__PORT][Enabled__PORT(PLUS(Mem[T.AssocClassList__GLOBALS][AssocClassList__GLOBALS(Globals)], 12, $i$8$3075.14$KeyboardClassUnload$4))] != 0);
+goto label_119;
+
+
+label_115_false :
+assume (Mem[T.Enabled__PORT][Enabled__PORT(PLUS(Mem[T.AssocClassList__GLOBALS][AssocClassList__GLOBALS(Globals)], 12, $i$8$3075.14$KeyboardClassUnload$4))] == 0);
+goto label_121;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3079)
+label_116:
+// skip RtlAssert
+goto label_121;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3079)
+label_119:
+call havoc_stringTemp := __HAVOC_malloc(1);
+$RtlAssert.arg.2$15$ := havoc_stringTemp ;
+goto label_120;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3079)
+label_120:
+call havoc_stringTemp := __HAVOC_malloc(1);
+$RtlAssert.arg.1$16$ := havoc_stringTemp ;
+goto label_116;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3080)
+label_121:
+goto label_121_true , label_121_false ;
+
+
+label_121_true :
+assume (Mem[T.File__PORT][File__PORT(PLUS(Mem[T.AssocClassList__GLOBALS][AssocClassList__GLOBALS(Globals)], 12, $i$8$3075.14$KeyboardClassUnload$4))] != 0);
+goto label_125;
+
+
+label_121_false :
+assume (Mem[T.File__PORT][File__PORT(PLUS(Mem[T.AssocClassList__GLOBALS][AssocClassList__GLOBALS(Globals)], 12, $i$8$3075.14$KeyboardClassUnload$4))] == 0);
+goto label_127;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3080)
+label_122:
+// skip RtlAssert
+goto label_127;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3080)
+label_125:
+call havoc_stringTemp := __HAVOC_malloc(1);
+$RtlAssert.arg.2$17$ := havoc_stringTemp ;
+goto label_126;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3080)
+label_126:
+call havoc_stringTemp := __HAVOC_malloc(1);
+$RtlAssert.arg.1$18$ := havoc_stringTemp ;
+goto label_122;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3077)
+label_127:
+$i$8$3075.14$KeyboardClassUnload$4 := PLUS($i$8$3075.14$KeyboardClassUnload$4, 1, 1) ;
+goto label_108_head;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3084)
+label_128:
+call ExFreePoolWithTag (Mem[T.AssocClassList__GLOBALS][AssocClassList__GLOBALS(Globals)], 0);
+goto label_134;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3087)
+label_131:
+// skip KbdDebugPrint
+goto label_1;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\kbdclass_fbl_fbs_dev2_ntfs\kbdclass.c(3087)
+label_134:
+call havoc_stringTemp := __HAVOC_malloc(1);
+$KbdDebugPrint.arg.2$19$ := havoc_stringTemp ;
+goto label_131;
+
+}
+
diff --git a/Test/havoc0/MouCreateClassObject.bpl b/Test/havoc0/MouCreateClassObject.bpl
new file mode 100644
index 00000000..d988dfbd
--- /dev/null
+++ b/Test/havoc0/MouCreateClassObject.bpl
@@ -0,0 +1,4918 @@
+type byte, name;
+function OneByteToInt(byte) returns (int);
+function TwoBytesToInt(byte, byte) returns (int);
+function FourBytesToInt(byte, byte, byte, byte) returns (int);
+axiom(forall b0:byte, c0:byte :: {OneByteToInt(b0), OneByteToInt(c0)} OneByteToInt(b0) == OneByteToInt(c0) ==> b0 == c0);
+axiom(forall b0:byte, b1: byte, c0:byte, c1:byte :: {TwoBytesToInt(b0, b1), TwoBytesToInt(c0, c1)} TwoBytesToInt(b0, b1) == TwoBytesToInt(c0, c1) ==> b0 == c0 && b1 == c1);
+axiom(forall b0:byte, b1: byte, b2:byte, b3:byte, c0:byte, c1:byte, c2:byte, c3:byte :: {FourBytesToInt(b0, b1, b2, b3), FourBytesToInt(c0, c1, c2, c3)} FourBytesToInt(b0, b1, b2, b3) == FourBytesToInt(c0, c1, c2, c3) ==> b0 == c0 && b1 == c1 && b2 == c2 && b3 == c3);
+
+// Mutable
+var Mem_BYTE:[int]byte;
+var alloc:[int]name;
+
+
+function Field(int) returns (name);
+function Base(int) returns (int);
+
+// Constants
+const unique UNALLOCATED:name;
+const unique ALLOCATED: name;
+const unique FREED:name;
+
+const unique BYTE:name;
+
+function Equal([int]bool, [int]bool) returns (bool);
+function Subset([int]bool, [int]bool) returns (bool);
+function Disjoint([int]bool, [int]bool) returns (bool);
+
+function Empty() returns ([int]bool);
+function SetTrue() returns ([int]bool);
+function Singleton(int) returns ([int]bool);
+function Reachable([int,int]bool, int) returns ([int]bool);
+function Union([int]bool, [int]bool) returns ([int]bool);
+function Intersection([int]bool, [int]bool) returns ([int]bool);
+function Difference([int]bool, [int]bool) returns ([int]bool);
+function Dereference([int]bool, [int]int) returns ([int]bool);
+function Inverse(f:[int]int, x:int) returns ([int]bool);
+
+function AtLeast(int, int) returns ([int]bool);
+function Rep(int, int) returns (int);
+axiom(forall n:int, x:int, y:int :: {AtLeast(n,x)[y]} AtLeast(n,x)[y] ==> x <= y && Rep(n,x) == Rep(n,y));
+axiom(forall n:int, x:int, y:int :: {AtLeast(n,x),Rep(n,x),Rep(n,y)} x <= y && Rep(n,x) == Rep(n,y) ==> AtLeast(n,x)[y]);
+axiom(forall n:int, x:int :: {AtLeast(n,x)} AtLeast(n,x)[x]);
+axiom(forall n:int, x:int, z:int :: {PLUS(x,n,z)} Rep(n,x) == Rep(n,PLUS(x,n,z)));
+axiom(forall n:int, x:int :: {Rep(n,x)} (exists k:int :: Rep(n,x) - x == n*k));
+
+/*
+function AtLeast(int, int) returns ([int]bool);
+function ModEqual(int, int, int) returns (bool);
+axiom(forall n:int, x:int :: ModEqual(n,x,x));
+axiom(forall n:int, x:int, y:int :: {ModEqual(n,x,y)} ModEqual(n,x,y) ==> ModEqual(n,y,x));
+axiom(forall n:int, x:int, y:int, z:int :: {ModEqual(n,x,y), ModEqual(n,y,z)} ModEqual(n,x,y) && ModEqual(n,y,z) ==> ModEqual(n,x,z));
+axiom(forall n:int, x:int, z:int :: {PLUS(x,n,z)} ModEqual(n,x,PLUS(x,n,z)));
+axiom(forall n:int, x:int, y:int :: {ModEqual(n,x,y)} ModEqual(n,x,y) ==> (exists k:int :: x - y == n*k));
+axiom(forall x:int, n:int, y:int :: {AtLeast(n,x)[y]}{ModEqual(n,x,y)} AtLeast(n,x)[y] <==> x <= y && ModEqual(n,x,y));
+axiom(forall x:int, n:int :: {AtLeast(n,x)} AtLeast(n,x)[x]);
+*/
+
+function Array(int, int, int) returns ([int]bool);
+axiom(forall x:int, n:int, z:int :: {Array(x,n,z)} z <= 0 ==> Equal(Array(x,n,z), Empty()));
+axiom(forall x:int, n:int, z:int :: {Array(x,n,z)} z > 0 ==> Equal(Array(x,n,z), Difference(AtLeast(n,x),AtLeast(n,PLUS(x,n,z)))));
+
+
+axiom(forall x:int :: !Empty()[x]);
+
+axiom(forall x:int :: SetTrue()[x]);
+
+axiom(forall x:int, y:int :: {Singleton(y)[x]} Singleton(y)[x] <==> x == y);
+axiom(forall y:int :: {Singleton(y)} Singleton(y)[y]);
+
+/* this formulation of Union IS more complete than the earlier one */
+/* (A U B)[e], A[d], A U B = Singleton(c), d != e */
+axiom(forall x:int, S:[int]bool, T:[int]bool :: {Union(S,T)[x]}{Union(S,T),S[x]}{Union(S,T),T[x]} Union(S,T)[x] <==> S[x] || T[x]);
+axiom(forall x:int, S:[int]bool, T:[int]bool :: {Intersection(S,T)[x]}{Intersection(S,T),S[x]}{Intersection(S,T),T[x]} Intersection(S,T)[x] <==> S[x] && T[x]);
+axiom(forall x:int, S:[int]bool, T:[int]bool :: {Difference(S,T)[x]}{Difference(S,T),S[x]}{Difference(S,T),T[x]} Difference(S,T)[x] <==> S[x] && !T[x]);
+
+axiom(forall S:[int]bool, T:[int]bool :: {Equal(S,T)} Equal(S,T) <==> Subset(S,T) && Subset(T,S));
+axiom(forall x:int, S:[int]bool, T:[int]bool :: {S[x],Subset(S,T)}{T[x],Subset(S,T)} S[x] && Subset(S,T) ==> T[x]);
+axiom(forall S:[int]bool, T:[int]bool :: {Subset(S,T)} Subset(S,T) || (exists x:int :: S[x] && !T[x]));
+axiom(forall x:int, S:[int]bool, T:[int]bool :: {S[x],Disjoint(S,T)}{T[x],Disjoint(S,T)} !(S[x] && Disjoint(S,T) && T[x]));
+axiom(forall S:[int]bool, T:[int]bool :: {Disjoint(S,T)} Disjoint(S,T) || (exists x:int :: S[x] && T[x]));
+
+axiom(forall f:[int]int, x:int :: {Inverse(f,f[x])} Inverse(f,f[x])[x]);
+axiom(forall f:[int]int, x:int, y:int :: {Inverse(f,y), f[x]} Inverse(f,y)[x] ==> f[x] == y);
+axiom(forall f:[int]int, x:int, y:int :: {Inverse(f[x := y],y)} Equal(Inverse(f[x := y],y), Union(Inverse(f,y), Singleton(x))));
+axiom(forall f:[int]int, x:int, y:int, z:int :: {Inverse(f[x := y],z)} y == z || Equal(Inverse(f[x := y],z), Difference(Inverse(f,z), Singleton(x))));
+
+
+axiom(forall x:int, S:[int]bool, M:[int]int :: {Dereference(S,M)[x]} Dereference(S,M)[x] ==> (exists y:int :: x == M[y] && S[y]));
+axiom(forall x:int, S:[int]bool, M:[int]int :: {M[x], S[x], Dereference(S,M)} S[x] ==> Dereference(S,M)[M[x]]);
+axiom(forall x:int, y:int, S:[int]bool, M:[int]int :: {Dereference(S,M[x := y])} !S[x] ==> Equal(Dereference(S,M[x := y]), Dereference(S,M)));
+axiom(forall x:int, y:int, S:[int]bool, M:[int]int :: {Dereference(S,M[x := y])}
+ S[x] && Equal(Intersection(Inverse(M,M[x]), S), Singleton(x)) ==> Equal(Dereference(S,M[x := y]), Union(Difference(Dereference(S,M), Singleton(M[x])), Singleton(y))));
+axiom(forall x:int, y:int, S:[int]bool, M:[int]int :: {Dereference(S,M[x := y])}
+ S[x] && !Equal(Intersection(Inverse(M,M[x]), S), Singleton(x)) ==> Equal(Dereference(S,M[x := y]), Union(Dereference(S,M), Singleton(y))));
+
+function Unified([name][int]int) returns ([int]int);
+axiom(forall M:[name][int]int, x:int :: {Unified(M)[x]} Unified(M)[x] == M[Field(x)][x]);
+axiom(forall M:[name][int]int, x:int, y:int :: {Unified(M[Field(x) := M[Field(x)][x := y]])} Unified(M[Field(x) := M[Field(x)][x := y]]) == Unified(M)[x := y]);
+// Memory model
+
+var Mem: [name][int]int;
+
+function Match(a:int, t:name) returns (bool);
+function HasType(v:int, t:name, m:[name][int]int) returns (bool);
+function Values(t:name, m:[name][int]int) returns ([int]bool);
+function T.Ptr(t:name) returns (name);
+
+axiom(forall v:int, t:name, m:[name][int]int :: {Values(t, m)[v]} Values(t, m)[v] ==> HasType(v, t, m));
+axiom(forall v:int, t:name, m:[name][int]int :: {HasType(v, t, m), Values(t, m)} HasType(v, t, m) ==> Values(t, m)[v]);
+
+axiom(forall a:int, t:name :: {Match(a, T.Ptr(t))} Match(a, T.Ptr(t)) <==> Field(a) == T.Ptr(t));
+axiom(forall v:int, t:name, m:[name][int]int :: {HasType(v, T.Ptr(t), m)} HasType(v, T.Ptr(t), m) <==> (v == 0 || (v > 0 && Match(v, t))));
+
+axiom(forall v:int, t:name, m1:[name][int]int, m2:[name][int]int :: {HasType(v, t, m1), HasType(v, t, m2)}
+ (HasType(v, t, m1) <==> HasType(v, t, m2)));
+
+// Field declarations
+
+const unique T.Guid_WMIGUIDREGINFO:name;
+const unique T.InstanceCount_WMIGUIDREGINFO:name;
+const unique T.Flags_WMIGUIDREGINFO:name;
+const unique T.OperationID__ACCESS_STATE:name;
+const unique T.SecurityEvaluated__ACCESS_STATE:name;
+const unique T.GenerateAudit__ACCESS_STATE:name;
+const unique T.GenerateOnClose__ACCESS_STATE:name;
+const unique T.PrivilegesAllocated__ACCESS_STATE:name;
+const unique T.Flags__ACCESS_STATE:name;
+const unique T.RemainingDesiredAccess__ACCESS_STATE:name;
+const unique T.PreviouslyGrantedAccess__ACCESS_STATE:name;
+const unique T.OriginalDesiredAccess__ACCESS_STATE:name;
+const unique T.SubjectSecurityContext__ACCESS_STATE:name;
+const unique T.SecurityDescriptor__ACCESS_STATE:name;
+const unique T.AuxData__ACCESS_STATE:name;
+const unique T.Privileges__ACCESS_STATE:name;
+const unique T.AuditPrivileges__ACCESS_STATE:name;
+const unique T.ObjectName__ACCESS_STATE:name;
+const unique T.ObjectTypeName__ACCESS_STATE:name;
+const unique T.InterfaceType__CM_FULL_RESOURCE_DESCRIPTOR:name;
+const unique T.BusNumber__CM_FULL_RESOURCE_DESCRIPTOR:name;
+const unique T.PartialResourceList__CM_FULL_RESOURCE_DESCRIPTOR:name;
+const unique T.Type__CM_PARTIAL_RESOURCE_DESCRIPTOR:name;
+const unique T.ShareDisposition__CM_PARTIAL_RESOURCE_DESCRIPTOR:name;
+const unique T.Flags__CM_PARTIAL_RESOURCE_DESCRIPTOR:name;
+const unique T.u__CM_PARTIAL_RESOURCE_DESCRIPTOR:name;
+const unique T.Version__CM_PARTIAL_RESOURCE_LIST:name;
+const unique T.Revision__CM_PARTIAL_RESOURCE_LIST:name;
+const unique T.Count__CM_PARTIAL_RESOURCE_LIST:name;
+const unique T.PartialDescriptors__CM_PARTIAL_RESOURCE_LIST:name;
+const unique T.Count__CM_RESOURCE_LIST:name;
+const unique T.List__CM_RESOURCE_LIST:name;
+const unique T.Size__DEVICE_CAPABILITIES:name;
+const unique T.Version__DEVICE_CAPABILITIES:name;
+const unique T.DeviceD1__DEVICE_CAPABILITIES:name;
+const unique T.DeviceD2__DEVICE_CAPABILITIES:name;
+const unique T.LockSupported__DEVICE_CAPABILITIES:name;
+const unique T.EjectSupported__DEVICE_CAPABILITIES:name;
+const unique T.Removable__DEVICE_CAPABILITIES:name;
+const unique T.DockDevice__DEVICE_CAPABILITIES:name;
+const unique T.UniqueID__DEVICE_CAPABILITIES:name;
+const unique T.SilentInstall__DEVICE_CAPABILITIES:name;
+const unique T.RawDeviceOK__DEVICE_CAPABILITIES:name;
+const unique T.SurpriseRemovalOK__DEVICE_CAPABILITIES:name;
+const unique T.WakeFromD0__DEVICE_CAPABILITIES:name;
+const unique T.WakeFromD1__DEVICE_CAPABILITIES:name;
+const unique T.WakeFromD2__DEVICE_CAPABILITIES:name;
+const unique T.WakeFromD3__DEVICE_CAPABILITIES:name;
+const unique T.HardwareDisabled__DEVICE_CAPABILITIES:name;
+const unique T.NonDynamic__DEVICE_CAPABILITIES:name;
+const unique T.WarmEjectSupported__DEVICE_CAPABILITIES:name;
+const unique T.NoDisplayInUI__DEVICE_CAPABILITIES:name;
+const unique T.Reserved__DEVICE_CAPABILITIES:name;
+const unique T.Address__DEVICE_CAPABILITIES:name;
+const unique T.UINumber__DEVICE_CAPABILITIES:name;
+const unique T.DeviceState__DEVICE_CAPABILITIES:name;
+const unique T.SystemWake__DEVICE_CAPABILITIES:name;
+const unique T.DeviceWake__DEVICE_CAPABILITIES:name;
+const unique T.D1Latency__DEVICE_CAPABILITIES:name;
+const unique T.D2Latency__DEVICE_CAPABILITIES:name;
+const unique T.D3Latency__DEVICE_CAPABILITIES:name;
+const unique T.Self__DEVICE_EXTENSION:name;
+const unique T.TrueClassDevice__DEVICE_EXTENSION:name;
+const unique T.TopPort__DEVICE_EXTENSION:name;
+const unique T.PDO__DEVICE_EXTENSION:name;
+const unique T.RemoveLock__DEVICE_EXTENSION:name;
+const unique T.PnP__DEVICE_EXTENSION:name;
+const unique T.Started__DEVICE_EXTENSION:name;
+const unique T.OkayToLogOverflow__DEVICE_EXTENSION:name;
+const unique T.WaitWakeSpinLock__DEVICE_EXTENSION:name;
+const unique T.TrustedSubsystemCount__DEVICE_EXTENSION:name;
+const unique T.InputCount__DEVICE_EXTENSION:name;
+const unique T.SymbolicLinkName__DEVICE_EXTENSION:name;
+const unique T.InputData__DEVICE_EXTENSION:name;
+const unique T.DataIn__DEVICE_EXTENSION:name;
+const unique T.DataOut__DEVICE_EXTENSION:name;
+const unique T.MouseAttributes__DEVICE_EXTENSION:name;
+const unique T.SpinLock__DEVICE_EXTENSION:name;
+const unique T.ReadQueue__DEVICE_EXTENSION:name;
+const unique T.SequenceNumber__DEVICE_EXTENSION:name;
+const unique T.DeviceState__DEVICE_EXTENSION:name;
+const unique T.SystemState__DEVICE_EXTENSION:name;
+const unique T.UnitId__DEVICE_EXTENSION:name;
+const unique T.WmiLibInfo__DEVICE_EXTENSION:name;
+const unique T.SystemToDeviceState__DEVICE_EXTENSION:name;
+const unique T.MinDeviceWakeState__DEVICE_EXTENSION:name;
+const unique T.MinSystemWakeState__DEVICE_EXTENSION:name;
+const unique T.WaitWakeIrp__DEVICE_EXTENSION:name;
+const unique T.ExtraWaitWakeIrp__DEVICE_EXTENSION:name;
+const unique T.TargetNotifyHandle__DEVICE_EXTENSION:name;
+const unique T.Link__DEVICE_EXTENSION:name;
+const unique T.File__DEVICE_EXTENSION:name;
+const unique T.Enabled__DEVICE_EXTENSION:name;
+const unique T.WaitWakeEnabled__DEVICE_EXTENSION:name;
+const unique T.SurpriseRemoved__DEVICE_EXTENSION:name;
+const unique T.Type__DEVICE_OBJECT:name;
+const unique T.Size__DEVICE_OBJECT:name;
+const unique T.ReferenceCount__DEVICE_OBJECT:name;
+const unique T.DriverObject__DEVICE_OBJECT:name;
+const unique T.NextDevice__DEVICE_OBJECT:name;
+const unique T.AttachedDevice__DEVICE_OBJECT:name;
+const unique T.CurrentIrp__DEVICE_OBJECT:name;
+const unique T.Timer__DEVICE_OBJECT:name;
+const unique T.Flags__DEVICE_OBJECT:name;
+const unique T.Characteristics__DEVICE_OBJECT:name;
+const unique T.Vpb__DEVICE_OBJECT:name;
+const unique T.DeviceExtension__DEVICE_OBJECT:name;
+const unique T.DeviceType__DEVICE_OBJECT:name;
+const unique T.StackSize__DEVICE_OBJECT:name;
+const unique T.Queue__DEVICE_OBJECT:name;
+const unique T.AlignmentRequirement__DEVICE_OBJECT:name;
+const unique T.DeviceQueue__DEVICE_OBJECT:name;
+const unique T.Dpc__DEVICE_OBJECT:name;
+const unique T.ActiveThreadCount__DEVICE_OBJECT:name;
+const unique T.SecurityDescriptor__DEVICE_OBJECT:name;
+const unique T.DeviceLock__DEVICE_OBJECT:name;
+const unique T.SectorSize__DEVICE_OBJECT:name;
+const unique T.Spare1__DEVICE_OBJECT:name;
+const unique T.DeviceObjectExtension__DEVICE_OBJECT:name;
+const unique T.Reserved__DEVICE_OBJECT:name;
+const unique T.Type__DEVOBJ_EXTENSION:name;
+const unique T.Size__DEVOBJ_EXTENSION:name;
+const unique T.DeviceObject__DEVOBJ_EXTENSION:name;
+const unique T.__unnamed_4_c9b2e921__DISPATCHER_HEADER:name;
+const unique T.SignalState__DISPATCHER_HEADER:name;
+const unique T.WaitListHead__DISPATCHER_HEADER:name;
+const unique T.DriverObject__DRIVER_EXTENSION:name;
+const unique T.AddDevice__DRIVER_EXTENSION:name;
+const unique T.Count__DRIVER_EXTENSION:name;
+const unique T.ServiceKeyName__DRIVER_EXTENSION:name;
+const unique T.Type__DRIVER_OBJECT:name;
+const unique T.Size__DRIVER_OBJECT:name;
+const unique T.DeviceObject__DRIVER_OBJECT:name;
+const unique T.Flags__DRIVER_OBJECT:name;
+const unique T.DriverStart__DRIVER_OBJECT:name;
+const unique T.DriverSize__DRIVER_OBJECT:name;
+const unique T.DriverSection__DRIVER_OBJECT:name;
+const unique T.DriverExtension__DRIVER_OBJECT:name;
+const unique T.DriverName__DRIVER_OBJECT:name;
+const unique T.HardwareDatabase__DRIVER_OBJECT:name;
+const unique T.FastIoDispatch__DRIVER_OBJECT:name;
+const unique T.DriverInit__DRIVER_OBJECT:name;
+const unique T.DriverStartIo__DRIVER_OBJECT:name;
+const unique T.DriverUnload__DRIVER_OBJECT:name;
+const unique T.MajorFunction__DRIVER_OBJECT:name;
+const unique T.SystemResourcesList__ERESOURCE:name;
+const unique T.OwnerTable__ERESOURCE:name;
+const unique T.ActiveCount__ERESOURCE:name;
+const unique T.Flag__ERESOURCE:name;
+const unique T.SharedWaiters__ERESOURCE:name;
+const unique T.ExclusiveWaiters__ERESOURCE:name;
+const unique T.OwnerEntry__ERESOURCE:name;
+const unique T.ActiveEntries__ERESOURCE:name;
+const unique T.ContentionCount__ERESOURCE:name;
+const unique T.NumberOfSharedWaiters__ERESOURCE:name;
+const unique T.NumberOfExclusiveWaiters__ERESOURCE:name;
+const unique T.__unnamed_4_46b62f69__ERESOURCE:name;
+const unique T.SpinLock__ERESOURCE:name;
+const unique T.SizeOfFastIoDispatch__FAST_IO_DISPATCH:name;
+const unique T.FastIoCheckIfPossible__FAST_IO_DISPATCH:name;
+const unique T.FastIoRead__FAST_IO_DISPATCH:name;
+const unique T.FastIoWrite__FAST_IO_DISPATCH:name;
+const unique T.FastIoQueryBasicInfo__FAST_IO_DISPATCH:name;
+const unique T.FastIoQueryStandardInfo__FAST_IO_DISPATCH:name;
+const unique T.FastIoLock__FAST_IO_DISPATCH:name;
+const unique T.FastIoUnlockSingle__FAST_IO_DISPATCH:name;
+const unique T.FastIoUnlockAll__FAST_IO_DISPATCH:name;
+const unique T.FastIoUnlockAllByKey__FAST_IO_DISPATCH:name;
+const unique T.FastIoDeviceControl__FAST_IO_DISPATCH:name;
+const unique T.AcquireFileForNtCreateSection__FAST_IO_DISPATCH:name;
+const unique T.ReleaseFileForNtCreateSection__FAST_IO_DISPATCH:name;
+const unique T.FastIoDetachDevice__FAST_IO_DISPATCH:name;
+const unique T.FastIoQueryNetworkOpenInfo__FAST_IO_DISPATCH:name;
+const unique T.AcquireForModWrite__FAST_IO_DISPATCH:name;
+const unique T.MdlRead__FAST_IO_DISPATCH:name;
+const unique T.MdlReadComplete__FAST_IO_DISPATCH:name;
+const unique T.PrepareMdlWrite__FAST_IO_DISPATCH:name;
+const unique T.MdlWriteComplete__FAST_IO_DISPATCH:name;
+const unique T.FastIoReadCompressed__FAST_IO_DISPATCH:name;
+const unique T.FastIoWriteCompressed__FAST_IO_DISPATCH:name;
+const unique T.MdlReadCompleteCompressed__FAST_IO_DISPATCH:name;
+const unique T.MdlWriteCompleteCompressed__FAST_IO_DISPATCH:name;
+const unique T.FastIoQueryOpen__FAST_IO_DISPATCH:name;
+const unique T.ReleaseForModWrite__FAST_IO_DISPATCH:name;
+const unique T.AcquireForCcFlush__FAST_IO_DISPATCH:name;
+const unique T.ReleaseForCcFlush__FAST_IO_DISPATCH:name;
+const unique T.Count__FAST_MUTEX:name;
+const unique T.Owner__FAST_MUTEX:name;
+const unique T.Contention__FAST_MUTEX:name;
+const unique T.Gate__FAST_MUTEX:name;
+const unique T.OldIrql__FAST_MUTEX:name;
+const unique T.CreationTime__FILE_BASIC_INFORMATION:name;
+const unique T.LastAccessTime__FILE_BASIC_INFORMATION:name;
+const unique T.LastWriteTime__FILE_BASIC_INFORMATION:name;
+const unique T.ChangeTime__FILE_BASIC_INFORMATION:name;
+const unique T.FileAttributes__FILE_BASIC_INFORMATION:name;
+const unique T.CreationTime__FILE_NETWORK_OPEN_INFORMATION:name;
+const unique T.LastAccessTime__FILE_NETWORK_OPEN_INFORMATION:name;
+const unique T.LastWriteTime__FILE_NETWORK_OPEN_INFORMATION:name;
+const unique T.ChangeTime__FILE_NETWORK_OPEN_INFORMATION:name;
+const unique T.AllocationSize__FILE_NETWORK_OPEN_INFORMATION:name;
+const unique T.EndOfFile__FILE_NETWORK_OPEN_INFORMATION:name;
+const unique T.FileAttributes__FILE_NETWORK_OPEN_INFORMATION:name;
+const unique T.Type__FILE_OBJECT:name;
+const unique T.Size__FILE_OBJECT:name;
+const unique T.DeviceObject__FILE_OBJECT:name;
+const unique T.Vpb__FILE_OBJECT:name;
+const unique T.FsContext__FILE_OBJECT:name;
+const unique T.FsContext2__FILE_OBJECT:name;
+const unique T.SectionObjectPointer__FILE_OBJECT:name;
+const unique T.PrivateCacheMap__FILE_OBJECT:name;
+const unique T.FinalStatus__FILE_OBJECT:name;
+const unique T.RelatedFileObject__FILE_OBJECT:name;
+const unique T.LockOperation__FILE_OBJECT:name;
+const unique T.DeletePending__FILE_OBJECT:name;
+const unique T.ReadAccess__FILE_OBJECT:name;
+const unique T.WriteAccess__FILE_OBJECT:name;
+const unique T.DeleteAccess__FILE_OBJECT:name;
+const unique T.SharedRead__FILE_OBJECT:name;
+const unique T.SharedWrite__FILE_OBJECT:name;
+const unique T.SharedDelete__FILE_OBJECT:name;
+const unique T.Flags__FILE_OBJECT:name;
+const unique T.FileName__FILE_OBJECT:name;
+const unique T.CurrentByteOffset__FILE_OBJECT:name;
+const unique T.Waiters__FILE_OBJECT:name;
+const unique T.Busy__FILE_OBJECT:name;
+const unique T.LastLock__FILE_OBJECT:name;
+const unique T.Lock__FILE_OBJECT:name;
+const unique T.Event__FILE_OBJECT:name;
+const unique T.CompletionContext__FILE_OBJECT:name;
+const unique T.IrpListLock__FILE_OBJECT:name;
+const unique T.IrpList__FILE_OBJECT:name;
+const unique T.FileObjectExtension__FILE_OBJECT:name;
+const unique T.AllocationSize__FILE_STANDARD_INFORMATION:name;
+const unique T.EndOfFile__FILE_STANDARD_INFORMATION:name;
+const unique T.NumberOfLinks__FILE_STANDARD_INFORMATION:name;
+const unique T.DeletePending__FILE_STANDARD_INFORMATION:name;
+const unique T.Directory__FILE_STANDARD_INFORMATION:name;
+const unique T.Debug__GLOBALS:name;
+const unique T.GrandMaster__GLOBALS:name;
+const unique T.AssocClassList__GLOBALS:name;
+const unique T.NumAssocClass__GLOBALS:name;
+const unique T.Opens__GLOBALS:name;
+const unique T.NumberLegacyPorts__GLOBALS:name;
+const unique T.Mutex__GLOBALS:name;
+const unique T.ConnectOneClassToOnePort__GLOBALS:name;
+const unique T.PortsServiced__GLOBALS:name;
+const unique T.InitExtension__GLOBALS:name;
+const unique T.RegistryPath__GLOBALS:name;
+const unique T.BaseClassName__GLOBALS:name;
+const unique T.BaseClassBuffer__GLOBALS:name;
+const unique T.LegacyDeviceList__GLOBALS:name;
+const unique T.Data1__GUID:name;
+const unique T.Data2__GUID:name;
+const unique T.Data3__GUID:name;
+const unique T.Data4__GUID:name;
+const unique T.PrivilegeCount__INITIAL_PRIVILEGE_SET:name;
+const unique T.Control__INITIAL_PRIVILEGE_SET:name;
+const unique T.Privilege__INITIAL_PRIVILEGE_SET:name;
+const unique T.Size__INTERFACE:name;
+const unique T.Version__INTERFACE:name;
+const unique T.Context__INTERFACE:name;
+const unique T.InterfaceReference__INTERFACE:name;
+const unique T.InterfaceDereference__INTERFACE:name;
+const unique T.Port__IO_COMPLETION_CONTEXT:name;
+const unique T.Key__IO_COMPLETION_CONTEXT:name;
+const unique T.Common__IO_REMOVE_LOCK:name;
+const unique T.Dbg__IO_REMOVE_LOCK:name;
+const unique T.Removed__IO_REMOVE_LOCK_COMMON_BLOCK:name;
+const unique T.Reserved__IO_REMOVE_LOCK_COMMON_BLOCK:name;
+const unique T.IoCount__IO_REMOVE_LOCK_COMMON_BLOCK:name;
+const unique T.RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCK:name;
+const unique T.Signature__IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T.HighWatermark__IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T.MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T.AllocateTag__IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T.LockList__IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T.Spin__IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T.LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T.Reserved1__IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T.Reserved2__IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T.Blocks__IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T.Option__IO_RESOURCE_DESCRIPTOR:name;
+const unique T.Type__IO_RESOURCE_DESCRIPTOR:name;
+const unique T.ShareDisposition__IO_RESOURCE_DESCRIPTOR:name;
+const unique T.Spare1__IO_RESOURCE_DESCRIPTOR:name;
+const unique T.Flags__IO_RESOURCE_DESCRIPTOR:name;
+const unique T.Spare2__IO_RESOURCE_DESCRIPTOR:name;
+const unique T.u__IO_RESOURCE_DESCRIPTOR:name;
+const unique T.Version__IO_RESOURCE_LIST:name;
+const unique T.Revision__IO_RESOURCE_LIST:name;
+const unique T.Count__IO_RESOURCE_LIST:name;
+const unique T.Descriptors__IO_RESOURCE_LIST:name;
+const unique T.ListSize__IO_RESOURCE_REQUIREMENTS_LIST:name;
+const unique T.InterfaceType__IO_RESOURCE_REQUIREMENTS_LIST:name;
+const unique T.BusNumber__IO_RESOURCE_REQUIREMENTS_LIST:name;
+const unique T.SlotNumber__IO_RESOURCE_REQUIREMENTS_LIST:name;
+const unique T.Reserved__IO_RESOURCE_REQUIREMENTS_LIST:name;
+const unique T.AlternativeLists__IO_RESOURCE_REQUIREMENTS_LIST:name;
+const unique T.List__IO_RESOURCE_REQUIREMENTS_LIST:name;
+const unique T.SecurityQos__IO_SECURITY_CONTEXT:name;
+const unique T.AccessState__IO_SECURITY_CONTEXT:name;
+const unique T.DesiredAccess__IO_SECURITY_CONTEXT:name;
+const unique T.FullCreateOptions__IO_SECURITY_CONTEXT:name;
+const unique T.MajorFunction__IO_STACK_LOCATION:name;
+const unique T.MinorFunction__IO_STACK_LOCATION:name;
+const unique T.Flags__IO_STACK_LOCATION:name;
+const unique T.Control__IO_STACK_LOCATION:name;
+const unique T.Parameters__IO_STACK_LOCATION:name;
+const unique T.DeviceObject__IO_STACK_LOCATION:name;
+const unique T.FileObject__IO_STACK_LOCATION:name;
+const unique T.CompletionRoutine__IO_STACK_LOCATION:name;
+const unique T.Context__IO_STACK_LOCATION:name;
+const unique T.__unnamed_4_16aff58e__IO_STATUS_BLOCK:name;
+const unique T.Information__IO_STATUS_BLOCK:name;
+const unique T.Type__IRP:name;
+const unique T.Size__IRP:name;
+const unique T.MdlAddress__IRP:name;
+const unique T.Flags__IRP:name;
+const unique T.AssociatedIrp__IRP:name;
+const unique T.ThreadListEntry__IRP:name;
+const unique T.IoStatus__IRP:name;
+const unique T.RequestorMode__IRP:name;
+const unique T.PendingReturned__IRP:name;
+const unique T.StackCount__IRP:name;
+const unique T.CurrentLocation__IRP:name;
+const unique T.Cancel__IRP:name;
+const unique T.CancelIrql__IRP:name;
+const unique T.ApcEnvironment__IRP:name;
+const unique T.AllocationFlags__IRP:name;
+const unique T.UserIosb__IRP:name;
+const unique T.UserEvent__IRP:name;
+const unique T.Overlay__IRP:name;
+const unique T.CancelRoutine__IRP:name;
+const unique T.UserBuffer__IRP:name;
+const unique T.Tail__IRP:name;
+const unique T.Type__KAPC:name;
+const unique T.SpareByte0__KAPC:name;
+const unique T.Size__KAPC:name;
+const unique T.SpareByte1__KAPC:name;
+const unique T.SpareLong0__KAPC:name;
+const unique T.Thread__KAPC:name;
+const unique T.ApcListEntry__KAPC:name;
+const unique T.KernelRoutine__KAPC:name;
+const unique T.RundownRoutine__KAPC:name;
+const unique T.NormalRoutine__KAPC:name;
+const unique T.NormalContext__KAPC:name;
+const unique T.SystemArgument1__KAPC:name;
+const unique T.SystemArgument2__KAPC:name;
+const unique T.ApcStateIndex__KAPC:name;
+const unique T.ApcMode__KAPC:name;
+const unique T.Inserted__KAPC:name;
+const unique T.Type__KDEVICE_QUEUE:name;
+const unique T.Size__KDEVICE_QUEUE:name;
+const unique T.DeviceListHead__KDEVICE_QUEUE:name;
+const unique T.Lock__KDEVICE_QUEUE:name;
+const unique T.Busy__KDEVICE_QUEUE:name;
+const unique T.DeviceListEntry__KDEVICE_QUEUE_ENTRY:name;
+const unique T.SortKey__KDEVICE_QUEUE_ENTRY:name;
+const unique T.Inserted__KDEVICE_QUEUE_ENTRY:name;
+const unique T.Type__KDPC:name;
+const unique T.Importance__KDPC:name;
+const unique T.Number__KDPC:name;
+const unique T.DpcListEntry__KDPC:name;
+const unique T.DeferredRoutine__KDPC:name;
+const unique T.DeferredContext__KDPC:name;
+const unique T.SystemArgument1__KDPC:name;
+const unique T.SystemArgument2__KDPC:name;
+const unique T.DpcData__KDPC:name;
+const unique T.Header__KEVENT:name;
+const unique T.Header__KSEMAPHORE:name;
+const unique T.Limit__KSEMAPHORE:name;
+const unique T.__unnamed_8_8684a3e7__LARGE_INTEGER:name;
+const unique T.u__LARGE_INTEGER:name;
+const unique T.QuadPart__LARGE_INTEGER:name;
+const unique T.Flink__LIST_ENTRY:name;
+const unique T.Blink__LIST_ENTRY:name;
+const unique T.LowPart__LUID:name;
+const unique T.HighPart__LUID:name;
+const unique T.Luid__LUID_AND_ATTRIBUTES:name;
+const unique T.Attributes__LUID_AND_ATTRIBUTES:name;
+const unique T.Next__MDL:name;
+const unique T.Size__MDL:name;
+const unique T.MdlFlags__MDL:name;
+const unique T.Process__MDL:name;
+const unique T.MappedSystemVa__MDL:name;
+const unique T.StartVa__MDL:name;
+const unique T.ByteCount__MDL:name;
+const unique T.ByteOffset__MDL:name;
+const unique T.MouseIdentifier__MOUSE_ATTRIBUTES:name;
+const unique T.NumberOfButtons__MOUSE_ATTRIBUTES:name;
+const unique T.SampleRate__MOUSE_ATTRIBUTES:name;
+const unique T.InputDataQueueLength__MOUSE_ATTRIBUTES:name;
+const unique T.UnitId__MOUSE_INPUT_DATA:name;
+const unique T.Flags__MOUSE_INPUT_DATA:name;
+const unique T.__unnamed_4_9c11ed91__MOUSE_INPUT_DATA:name;
+const unique T.RawButtons__MOUSE_INPUT_DATA:name;
+const unique T.LastX__MOUSE_INPUT_DATA:name;
+const unique T.LastY__MOUSE_INPUT_DATA:name;
+const unique T.ExtraInformation__MOUSE_INPUT_DATA:name;
+const unique T.OwnerThread__OWNER_ENTRY:name;
+const unique T.__unnamed_4_c1e23b02__OWNER_ENTRY:name;
+const unique T.File__PORT:name;
+const unique T.Port__PORT:name;
+const unique T.Enabled__PORT:name;
+const unique T.Reserved__PORT:name;
+const unique T.Free__PORT:name;
+const unique T.SequenceD1__POWER_SEQUENCE:name;
+const unique T.SequenceD2__POWER_SEQUENCE:name;
+const unique T.SequenceD3__POWER_SEQUENCE:name;
+const unique T.SystemState__POWER_STATE:name;
+const unique T.DeviceState__POWER_STATE:name;
+const unique T.PrivilegeCount__PRIVILEGE_SET:name;
+const unique T.Control__PRIVILEGE_SET:name;
+const unique T.Privilege__PRIVILEGE_SET:name;
+const unique T.DataSectionObject__SECTION_OBJECT_POINTERS:name;
+const unique T.SharedCacheMap__SECTION_OBJECT_POINTERS:name;
+const unique T.ImageSectionObject__SECTION_OBJECT_POINTERS:name;
+const unique T.Length__SECURITY_QUALITY_OF_SERVICE:name;
+const unique T.ImpersonationLevel__SECURITY_QUALITY_OF_SERVICE:name;
+const unique T.ContextTrackingMode__SECURITY_QUALITY_OF_SERVICE:name;
+const unique T.EffectiveOnly__SECURITY_QUALITY_OF_SERVICE:name;
+const unique T.ClientToken__SECURITY_SUBJECT_CONTEXT:name;
+const unique T.ImpersonationLevel__SECURITY_SUBJECT_CONTEXT:name;
+const unique T.PrimaryToken__SECURITY_SUBJECT_CONTEXT:name;
+const unique T.ProcessAuditId__SECURITY_SUBJECT_CONTEXT:name;
+const unique T.__unnamed_4_b4f5a780__SYSTEM_POWER_STATE_CONTEXT:name;
+const unique T.Length__UNICODE_STRING:name;
+const unique T.MaximumLength__UNICODE_STRING:name;
+const unique T.Buffer__UNICODE_STRING:name;
+const unique T.Type__VPB:name;
+const unique T.Size__VPB:name;
+const unique T.Flags__VPB:name;
+const unique T.VolumeLabelLength__VPB:name;
+const unique T.DeviceObject__VPB:name;
+const unique T.RealDevice__VPB:name;
+const unique T.SerialNumber__VPB:name;
+const unique T.ReferenceCount__VPB:name;
+const unique T.VolumeLabel__VPB:name;
+const unique T.WaitQueueEntry__WAIT_CONTEXT_BLOCK:name;
+const unique T.DeviceRoutine__WAIT_CONTEXT_BLOCK:name;
+const unique T.DeviceContext__WAIT_CONTEXT_BLOCK:name;
+const unique T.NumberOfMapRegisters__WAIT_CONTEXT_BLOCK:name;
+const unique T.DeviceObject__WAIT_CONTEXT_BLOCK:name;
+const unique T.CurrentIrp__WAIT_CONTEXT_BLOCK:name;
+const unique T.BufferChainingDpc__WAIT_CONTEXT_BLOCK:name;
+const unique T.GuidCount__WMILIB_CONTEXT:name;
+const unique T.GuidList__WMILIB_CONTEXT:name;
+const unique T.QueryWmiRegInfo__WMILIB_CONTEXT:name;
+const unique T.QueryWmiDataBlock__WMILIB_CONTEXT:name;
+const unique T.SetWmiDataBlock__WMILIB_CONTEXT:name;
+const unique T.SetWmiDataItem__WMILIB_CONTEXT:name;
+const unique T.ExecuteWmiMethod__WMILIB_CONTEXT:name;
+const unique T.WmiFunctionControl__WMILIB_CONTEXT:name;
+const unique T.Start___unnamed_12_06b9ee6e:name;
+const unique T.Length48___unnamed_12_06b9ee6e:name;
+const unique T.Start___unnamed_12_0882bd02:name;
+const unique T.Length64___unnamed_12_0882bd02:name;
+const unique T.__unnamed_12_2e80217b___unnamed_12_264d0dab:name;
+const unique T.Raw___unnamed_12_2e80217b:name;
+const unique T.Translated___unnamed_12_2e80217b:name;
+const unique T.Data___unnamed_12_5cc7ace2:name;
+const unique T.Channel___unnamed_12_6374506e:name;
+const unique T.Port___unnamed_12_6374506e:name;
+const unique T.Reserved1___unnamed_12_6374506e:name;
+const unique T.Priority___unnamed_12_68a4278e:name;
+const unique T.Reserved1___unnamed_12_68a4278e:name;
+const unique T.Reserved2___unnamed_12_68a4278e:name;
+const unique T.Generic___unnamed_12_79ed2653:name;
+const unique T.Port___unnamed_12_79ed2653:name;
+const unique T.Interrupt___unnamed_12_79ed2653:name;
+const unique T.MessageInterrupt___unnamed_12_79ed2653:name;
+const unique T.Memory___unnamed_12_79ed2653:name;
+const unique T.Dma___unnamed_12_79ed2653:name;
+const unique T.DevicePrivate___unnamed_12_79ed2653:name;
+const unique T.BusNumber___unnamed_12_79ed2653:name;
+const unique T.DeviceSpecificData___unnamed_12_79ed2653:name;
+const unique T.Memory40___unnamed_12_79ed2653:name;
+const unique T.Memory48___unnamed_12_79ed2653:name;
+const unique T.Memory64___unnamed_12_79ed2653:name;
+const unique T.Start___unnamed_12_7da594c0:name;
+const unique T.Length40___unnamed_12_7da594c0:name;
+const unique T.Start___unnamed_12_9873e05d:name;
+const unique T.Length___unnamed_12_9873e05d:name;
+const unique T.DataSize___unnamed_12_9cc8cebc:name;
+const unique T.Reserved1___unnamed_12_9cc8cebc:name;
+const unique T.Reserved2___unnamed_12_9cc8cebc:name;
+const unique T.Start___unnamed_12_b98da82e:name;
+const unique T.Length___unnamed_12_b98da82e:name;
+const unique T.Level___unnamed_12_c2880e88:name;
+const unique T.Vector___unnamed_12_c2880e88:name;
+const unique T.Affinity___unnamed_12_c2880e88:name;
+const unique T.Start___unnamed_12_c49ab31a:name;
+const unique T.Length___unnamed_12_c49ab31a:name;
+const unique T.ListEntry___unnamed_12_c6ed93f3:name;
+const unique T.__unnamed_4_a7aa989c___unnamed_12_c6ed93f3:name;
+const unique T.Data___unnamed_12_ced61554:name;
+const unique T.Reserved___unnamed_12_d9c44df5:name;
+const unique T.MessageCount___unnamed_12_d9c44df5:name;
+const unique T.Vector___unnamed_12_d9c44df5:name;
+const unique T.Affinity___unnamed_12_d9c44df5:name;
+const unique T.Start___unnamed_12_db3dcbfc:name;
+const unique T.Length___unnamed_12_db3dcbfc:name;
+const unique T.Reserved___unnamed_12_db3dcbfc:name;
+const unique T.Level___unnamed_12_fb26b3fc:name;
+const unique T.Vector___unnamed_12_fb26b3fc:name;
+const unique T.Affinity___unnamed_12_fb26b3fc:name;
+const unique T.OutputBufferLength___unnamed_16_22e4d054:name;
+const unique T.InputBufferLength___unnamed_16_22e4d054:name;
+const unique T.IoControlCode___unnamed_16_22e4d054:name;
+const unique T.Type3InputBuffer___unnamed_16_22e4d054:name;
+const unique T.Create___unnamed_16_39b626ad:name;
+const unique T.Read___unnamed_16_39b626ad:name;
+const unique T.Write___unnamed_16_39b626ad:name;
+const unique T.QueryDirectory___unnamed_16_39b626ad:name;
+const unique T.NotifyDirectory___unnamed_16_39b626ad:name;
+const unique T.QueryFile___unnamed_16_39b626ad:name;
+const unique T.SetFile___unnamed_16_39b626ad:name;
+const unique T.QueryEa___unnamed_16_39b626ad:name;
+const unique T.SetEa___unnamed_16_39b626ad:name;
+const unique T.QueryVolume___unnamed_16_39b626ad:name;
+const unique T.SetVolume___unnamed_16_39b626ad:name;
+const unique T.FileSystemControl___unnamed_16_39b626ad:name;
+const unique T.LockControl___unnamed_16_39b626ad:name;
+const unique T.DeviceIoControl___unnamed_16_39b626ad:name;
+const unique T.QuerySecurity___unnamed_16_39b626ad:name;
+const unique T.SetSecurity___unnamed_16_39b626ad:name;
+const unique T.MountVolume___unnamed_16_39b626ad:name;
+const unique T.VerifyVolume___unnamed_16_39b626ad:name;
+const unique T.Scsi___unnamed_16_39b626ad:name;
+const unique T.QueryQuota___unnamed_16_39b626ad:name;
+const unique T.SetQuota___unnamed_16_39b626ad:name;
+const unique T.QueryDeviceRelations___unnamed_16_39b626ad:name;
+const unique T.QueryInterface___unnamed_16_39b626ad:name;
+const unique T.DeviceCapabilities___unnamed_16_39b626ad:name;
+const unique T.FilterResourceRequirements___unnamed_16_39b626ad:name;
+const unique T.ReadWriteConfig___unnamed_16_39b626ad:name;
+const unique T.SetLock___unnamed_16_39b626ad:name;
+const unique T.QueryId___unnamed_16_39b626ad:name;
+const unique T.QueryDeviceText___unnamed_16_39b626ad:name;
+const unique T.UsageNotification___unnamed_16_39b626ad:name;
+const unique T.WaitWake___unnamed_16_39b626ad:name;
+const unique T.PowerSequence___unnamed_16_39b626ad:name;
+const unique T.Power___unnamed_16_39b626ad:name;
+const unique T.StartDevice___unnamed_16_39b626ad:name;
+const unique T.WMI___unnamed_16_39b626ad:name;
+const unique T.Others___unnamed_16_39b626ad:name;
+const unique T.WhichSpace___unnamed_16_56c011d7:name;
+const unique T.Buffer___unnamed_16_56c011d7:name;
+const unique T.Offset___unnamed_16_56c011d7:name;
+const unique T.Length___unnamed_16_56c011d7:name;
+const unique T.DeviceQueueEntry___unnamed_16_5fed8f23:name;
+const unique T.__unnamed_16_ae643f17___unnamed_16_5fed8f23:name;
+const unique T.Length___unnamed_16_6be9abe0:name;
+const unique T.FileName___unnamed_16_6be9abe0:name;
+const unique T.FileInformationClass___unnamed_16_6be9abe0:name;
+const unique T.FileIndex___unnamed_16_6be9abe0:name;
+const unique T.InterfaceType___unnamed_16_78879a38:name;
+const unique T.Size___unnamed_16_78879a38:name;
+const unique T.Version___unnamed_16_78879a38:name;
+const unique T.Interface___unnamed_16_78879a38:name;
+const unique T.InterfaceSpecificData___unnamed_16_78879a38:name;
+const unique T.Length___unnamed_16_804a2f24:name;
+const unique T.StartSid___unnamed_16_804a2f24:name;
+const unique T.SidList___unnamed_16_804a2f24:name;
+const unique T.SidListLength___unnamed_16_804a2f24:name;
+const unique T.Argument1___unnamed_16_8586693f:name;
+const unique T.Argument2___unnamed_16_8586693f:name;
+const unique T.Argument3___unnamed_16_8586693f:name;
+const unique T.Argument4___unnamed_16_8586693f:name;
+const unique T.Length___unnamed_16_8831e65f:name;
+const unique T.Key___unnamed_16_8831e65f:name;
+const unique T.ByteOffset___unnamed_16_8831e65f:name;
+const unique T.SecurityContext___unnamed_16_8c2d663a:name;
+const unique T.Options___unnamed_16_8c2d663a:name;
+const unique T.FileAttributes___unnamed_16_8c2d663a:name;
+const unique T.ShareAccess___unnamed_16_8c2d663a:name;
+const unique T.EaLength___unnamed_16_8c2d663a:name;
+const unique T.Length___unnamed_16_913b9a7a:name;
+const unique T.Key___unnamed_16_913b9a7a:name;
+const unique T.ByteOffset___unnamed_16_913b9a7a:name;
+const unique T.OutputBufferLength___unnamed_16_94d1d1c7:name;
+const unique T.InputBufferLength___unnamed_16_94d1d1c7:name;
+const unique T.FsControlCode___unnamed_16_94d1d1c7:name;
+const unique T.Type3InputBuffer___unnamed_16_94d1d1c7:name;
+const unique T.Length___unnamed_16_a2fab4da:name;
+const unique T.FileInformationClass___unnamed_16_a2fab4da:name;
+const unique T.FileObject___unnamed_16_a2fab4da:name;
+const unique T.__unnamed_4_a7d0864c___unnamed_16_a2fab4da:name;
+const unique T.DriverContext___unnamed_16_ae643f17:name;
+const unique T.Length___unnamed_16_c1b29316:name;
+const unique T.Key___unnamed_16_c1b29316:name;
+const unique T.ByteOffset___unnamed_16_c1b29316:name;
+const unique T.ProviderId___unnamed_16_cbd53ed4:name;
+const unique T.DataPath___unnamed_16_cbd53ed4:name;
+const unique T.BufferSize___unnamed_16_cbd53ed4:name;
+const unique T.Buffer___unnamed_16_cbd53ed4:name;
+const unique T.Length___unnamed_16_db70db6e:name;
+const unique T.MinBusNumber___unnamed_16_db70db6e:name;
+const unique T.MaxBusNumber___unnamed_16_db70db6e:name;
+const unique T.Reserved___unnamed_16_db70db6e:name;
+const unique T.Length___unnamed_16_ef4b6307:name;
+const unique T.EaList___unnamed_16_ef4b6307:name;
+const unique T.EaListLength___unnamed_16_ef4b6307:name;
+const unique T.EaIndex___unnamed_16_ef4b6307:name;
+const unique T.__unnamed_4_b060dea6___unnamed_16_fdda1f62:name;
+const unique T.Type___unnamed_16_fdda1f62:name;
+const unique T.State___unnamed_16_fdda1f62:name;
+const unique T.ShutdownType___unnamed_16_fdda1f62:name;
+const unique T.Lock___unnamed_1_1394de4b:name;
+const unique T.Abandoned___unnamed_1_2bb39c56:name;
+const unique T.Absolute___unnamed_1_2bb39c56:name;
+const unique T.NpxIrql___unnamed_1_2bb39c56:name;
+const unique T.Signalling___unnamed_1_2bb39c56:name;
+const unique T.Inserted___unnamed_1_9fa0583a:name;
+const unique T.DebugActive___unnamed_1_9fa0583a:name;
+const unique T.DpcActive___unnamed_1_9fa0583a:name;
+const unique T.Size___unnamed_1_e30779f5:name;
+const unique T.Hand___unnamed_1_e30779f5:name;
+const unique T.MinimumVector___unnamed_20_83d468e4:name;
+const unique T.MaximumVector___unnamed_20_83d468e4:name;
+const unique T.AffinityPolicy___unnamed_20_83d468e4:name;
+const unique T.PriorityPolicy___unnamed_20_83d468e4:name;
+const unique T.TargetedProcessors___unnamed_20_83d468e4:name;
+const unique T.Length40___unnamed_24_035931da:name;
+const unique T.Alignment40___unnamed_24_035931da:name;
+const unique T.MinimumAddress___unnamed_24_035931da:name;
+const unique T.MaximumAddress___unnamed_24_035931da:name;
+const unique T.Length___unnamed_24_38e128db:name;
+const unique T.Alignment___unnamed_24_38e128db:name;
+const unique T.MinimumAddress___unnamed_24_38e128db:name;
+const unique T.MaximumAddress___unnamed_24_38e128db:name;
+const unique T.Length___unnamed_24_9500ea34:name;
+const unique T.Alignment___unnamed_24_9500ea34:name;
+const unique T.MinimumAddress___unnamed_24_9500ea34:name;
+const unique T.MaximumAddress___unnamed_24_9500ea34:name;
+const unique T.Length___unnamed_24_9734802c:name;
+const unique T.Alignment___unnamed_24_9734802c:name;
+const unique T.MinimumAddress___unnamed_24_9734802c:name;
+const unique T.MaximumAddress___unnamed_24_9734802c:name;
+const unique T.Length64___unnamed_24_af62813f:name;
+const unique T.Alignment64___unnamed_24_af62813f:name;
+const unique T.MinimumAddress___unnamed_24_af62813f:name;
+const unique T.MaximumAddress___unnamed_24_af62813f:name;
+const unique T.Length48___unnamed_24_c0555099:name;
+const unique T.Alignment48___unnamed_24_c0555099:name;
+const unique T.MinimumAddress___unnamed_24_c0555099:name;
+const unique T.MaximumAddress___unnamed_24_c0555099:name;
+const unique T.Port___unnamed_24_d7c4ec3a:name;
+const unique T.Memory___unnamed_24_d7c4ec3a:name;
+const unique T.Interrupt___unnamed_24_d7c4ec3a:name;
+const unique T.Dma___unnamed_24_d7c4ec3a:name;
+const unique T.Generic___unnamed_24_d7c4ec3a:name;
+const unique T.DevicePrivate___unnamed_24_d7c4ec3a:name;
+const unique T.BusNumber___unnamed_24_d7c4ec3a:name;
+const unique T.ConfigData___unnamed_24_d7c4ec3a:name;
+const unique T.Memory40___unnamed_24_d7c4ec3a:name;
+const unique T.Memory48___unnamed_24_d7c4ec3a:name;
+const unique T.Memory64___unnamed_24_d7c4ec3a:name;
+const unique T.ReplaceIfExists___unnamed_2_196a7f56:name;
+const unique T.AdvanceOnly___unnamed_2_196a7f56:name;
+const unique T.__unnamed_16_5fed8f23___unnamed_40_a0414182:name;
+const unique T.Thread___unnamed_40_a0414182:name;
+const unique T.AuxiliaryBuffer___unnamed_40_a0414182:name;
+const unique T.__unnamed_12_c6ed93f3___unnamed_40_a0414182:name;
+const unique T.OriginalFileObject___unnamed_40_a0414182:name;
+const unique T.ListEntry___unnamed_40_d90496f4:name;
+const unique T.Wcb___unnamed_40_d90496f4:name;
+const unique T.InitialPrivilegeSet___unnamed_44_a7026dca:name;
+const unique T.PrivilegeSet___unnamed_44_a7026dca:name;
+const unique T.Overlay___unnamed_48_c1da9fa5:name;
+const unique T.Apc___unnamed_48_c1da9fa5:name;
+const unique T.CompletionKey___unnamed_48_c1da9fa5:name;
+const unique T.PowerSequence___unnamed_4_0510b147:name;
+const unique T.Length___unnamed_4_0a569078:name;
+const unique T.Status___unnamed_4_16aff58e:name;
+const unique T.Pointer___unnamed_4_16aff58e:name;
+const unique T.IdType___unnamed_4_40bf8e34:name;
+const unique T.Address___unnamed_4_46b62f69:name;
+const unique T.CreatorBackTraceIndex___unnamed_4_46b62f69:name;
+const unique T.Capabilities___unnamed_4_73d46255:name;
+const unique T.Srb___unnamed_4_765e3037:name;
+const unique T.Type___unnamed_4_846adf3f:name;
+const unique T.__unnamed_1_2bb39c56___unnamed_4_846adf3f:name;
+const unique T.__unnamed_1_e30779f5___unnamed_4_846adf3f:name;
+const unique T.__unnamed_1_9fa0583a___unnamed_4_846adf3f:name;
+const unique T.PowerState___unnamed_4_8dd73d30:name;
+const unique T.Type___unnamed_4_957e0d74:name;
+const unique T.Buttons___unnamed_4_9c11ed91:name;
+const unique T.__unnamed_4_b5247f10___unnamed_4_9c11ed91:name;
+const unique T.IoResourceRequirementList___unnamed_4_a58d40c8:name;
+const unique T.CurrentStackLocation___unnamed_4_a7aa989c:name;
+const unique T.PacketType___unnamed_4_a7aa989c:name;
+const unique T.__unnamed_2_196a7f56___unnamed_4_a7d0864c:name;
+const unique T.ClusterCount___unnamed_4_a7d0864c:name;
+const unique T.DeleteHandle___unnamed_4_a7d0864c:name;
+const unique T.Length___unnamed_4_aa20b426:name;
+const unique T.UserApcRoutine___unnamed_4_ab87ddfd:name;
+const unique T.IssuingProcess___unnamed_4_ab87ddfd:name;
+const unique T.Reserved1___unnamed_4_b016b1e1:name;
+const unique T.TargetSystemState___unnamed_4_b016b1e1:name;
+const unique T.EffectiveSystemState___unnamed_4_b016b1e1:name;
+const unique T.CurrentSystemState___unnamed_4_b016b1e1:name;
+const unique T.IgnoreHibernationPath___unnamed_4_b016b1e1:name;
+const unique T.PseudoTransition___unnamed_4_b016b1e1:name;
+const unique T.Reserved2___unnamed_4_b016b1e1:name;
+const unique T.SystemContext___unnamed_4_b060dea6:name;
+const unique T.SystemPowerStateContext___unnamed_4_b060dea6:name;
+const unique T.__unnamed_4_b016b1e1___unnamed_4_b4f5a780:name;
+const unique T.ContextAsUlong___unnamed_4_b4f5a780:name;
+const unique T.ButtonFlags___unnamed_4_b5247f10:name;
+const unique T.ButtonData___unnamed_4_b5247f10:name;
+const unique T.OwnerCount___unnamed_4_c1e23b02:name;
+const unique T.TableSize___unnamed_4_c1e23b02:name;
+const unique T.__unnamed_4_846adf3f___unnamed_4_c9b2e921:name;
+const unique T.Lock___unnamed_4_c9b2e921:name;
+const unique T.MasterIrp___unnamed_4_fa7b96a7:name;
+const unique T.IrpCount___unnamed_4_fa7b96a7:name;
+const unique T.SystemBuffer___unnamed_4_fa7b96a7:name;
+const unique T.Vpb___unnamed_8_09ad2712:name;
+const unique T.DeviceObject___unnamed_8_09ad2712:name;
+const unique T.Length___unnamed_8_21ac1dba:name;
+const unique T.CompletionFilter___unnamed_8_21ac1dba:name;
+const unique T.Length___unnamed_8_27d3ab76:name;
+const unique T.FsInformationClass___unnamed_8_27d3ab76:name;
+const unique T.Vpb___unnamed_8_4289df81:name;
+const unique T.DeviceObject___unnamed_8_4289df81:name;
+const unique T.Length___unnamed_8_47b72724:name;
+const unique T.FileInformationClass___unnamed_8_47b72724:name;
+const unique T.DeviceTextType___unnamed_8_4b3e3ba3:name;
+const unique T.LocaleId___unnamed_8_4b3e3ba3:name;
+const unique T.__unnamed_4_ab87ddfd___unnamed_8_4f695993:name;
+const unique T.UserApcContext___unnamed_8_4f695993:name;
+const unique T.AllocatedResources___unnamed_8_5cfb6ca4:name;
+const unique T.AllocatedResourcesTranslated___unnamed_8_5cfb6ca4:name;
+const unique T.SecurityInformation___unnamed_8_606438c5:name;
+const unique T.Length___unnamed_8_606438c5:name;
+const unique T.MinimumChannel___unnamed_8_6ad774c0:name;
+const unique T.MaximumChannel___unnamed_8_6ad774c0:name;
+const unique T.Length___unnamed_8_805045cb:name;
+const unique T.FsInformationClass___unnamed_8_805045cb:name;
+const unique T.LowPart___unnamed_8_8684a3e7:name;
+const unique T.HighPart___unnamed_8_8684a3e7:name;
+const unique T.SecurityInformation___unnamed_8_8cc410da:name;
+const unique T.SecurityDescriptor___unnamed_8_8cc410da:name;
+const unique T.InPath___unnamed_8_a47253e0:name;
+const unique T.Reserved___unnamed_8_a47253e0:name;
+const unique T.Type___unnamed_8_a47253e0:name;
+const unique T.AsynchronousParameters___unnamed_8_bbd07f6c:name;
+const unique T.AllocationSize___unnamed_8_bbd07f6c:name;
+const unique T.LowPart___unnamed_8_c9ca8234:name;
+const unique T.HighPart___unnamed_8_c9ca8234:name;
+
+// Type declarations
+
+const unique T.A1_CM_FULL_RESOURCE_DESCRIPTOR:name;
+const unique T.A1_CM_PARTIAL_RESOURCE_DESCRIPTOR:name;
+const unique T.A1_IO_RESOURCE_DESCRIPTOR:name;
+const unique T.A1_IO_RESOURCE_LIST:name;
+const unique T.A1_LUID_AND_ATTRIBUTES:name;
+const unique T.A256UINT2:name;
+const unique T.A28PFDRIVER_DISPATCH:name;
+const unique T.A2UCHAR:name;
+const unique T.A2UINT2:name;
+const unique T.A32UINT2:name;
+const unique T.A37CHAR:name;
+const unique T.A3UCHAR:name;
+const unique T.A3UINT4:name;
+const unique T.A3_LUID_AND_ATTRIBUTES:name;
+const unique T.A40CHAR:name;
+const unique T.A4PVOID:name;
+const unique T.A4UINT4:name;
+const unique T.A5_DEVICE_POWER_STATE:name;
+const unique T.A65CHAR:name;
+const unique T.A75CHAR:name;
+const unique T.A76CHAR:name;
+const unique T.A7UINT2:name;
+const unique T.A7_DEVICE_POWER_STATE:name;
+const unique T.A80CHAR:name;
+const unique T.A8UCHAR:name;
+const unique T.A9UINT2:name;
+const unique T.BUS_QUERY_ID_TYPE:name;
+const unique T.CHAR:name;
+const unique T.DEVICE_TEXT_TYPE:name;
+const unique T.F0:name;
+const unique T.F1:name;
+const unique T.F10:name;
+const unique T.F11:name;
+const unique T.F12:name;
+const unique T.F13:name;
+const unique T.F14:name;
+const unique T.F15:name;
+const unique T.F16:name;
+const unique T.F17:name;
+const unique T.F18:name;
+const unique T.F19:name;
+const unique T.F2:name;
+const unique T.F20:name;
+const unique T.F21:name;
+const unique T.F22:name;
+const unique T.F23:name;
+const unique T.F24:name;
+const unique T.F25:name;
+const unique T.F26:name;
+const unique T.F27:name;
+const unique T.F28:name;
+const unique T.F29:name;
+const unique T.F3:name;
+const unique T.F30:name;
+const unique T.F31:name;
+const unique T.F32:name;
+const unique T.F33:name;
+const unique T.F34:name;
+const unique T.F35:name;
+const unique T.F36:name;
+const unique T.F37:name;
+const unique T.F38:name;
+const unique T.F4:name;
+const unique T.F5:name;
+const unique T.F6:name;
+const unique T.F7:name;
+const unique T.F8:name;
+const unique T.F9:name;
+const unique T.FDRIVER_ADD_DEVICE:name;
+const unique T.FDRIVER_CANCEL:name;
+const unique T.FDRIVER_CONTROL:name;
+const unique T.FDRIVER_DISPATCH:name;
+const unique T.FDRIVER_INITIALIZE:name;
+const unique T.FDRIVER_STARTIO:name;
+const unique T.FDRIVER_UNLOAD:name;
+const unique T.FFAST_IO_ACQUIRE_FILE:name;
+const unique T.FFAST_IO_ACQUIRE_FOR_CCFLUSH:name;
+const unique T.FFAST_IO_ACQUIRE_FOR_MOD_WRITE:name;
+const unique T.FFAST_IO_CHECK_IF_POSSIBLE:name;
+const unique T.FFAST_IO_DETACH_DEVICE:name;
+const unique T.FFAST_IO_DEVICE_CONTROL:name;
+const unique T.FFAST_IO_LOCK:name;
+const unique T.FFAST_IO_MDL_READ:name;
+const unique T.FFAST_IO_MDL_READ_COMPLETE:name;
+const unique T.FFAST_IO_MDL_READ_COMPLETE_COMPRESSED:name;
+const unique T.FFAST_IO_MDL_WRITE_COMPLETE:name;
+const unique T.FFAST_IO_MDL_WRITE_COMPLETE_COMPRESSED:name;
+const unique T.FFAST_IO_PREPARE_MDL_WRITE:name;
+const unique T.FFAST_IO_QUERY_BASIC_INFO:name;
+const unique T.FFAST_IO_QUERY_NETWORK_OPEN_INFO:name;
+const unique T.FFAST_IO_QUERY_OPEN:name;
+const unique T.FFAST_IO_QUERY_STANDARD_INFO:name;
+const unique T.FFAST_IO_READ:name;
+const unique T.FFAST_IO_READ_COMPRESSED:name;
+const unique T.FFAST_IO_RELEASE_FILE:name;
+const unique T.FFAST_IO_RELEASE_FOR_CCFLUSH:name;
+const unique T.FFAST_IO_RELEASE_FOR_MOD_WRITE:name;
+const unique T.FFAST_IO_UNLOCK_ALL:name;
+const unique T.FFAST_IO_UNLOCK_ALL_BY_KEY:name;
+const unique T.FFAST_IO_UNLOCK_SINGLE:name;
+const unique T.FFAST_IO_WRITE:name;
+const unique T.FFAST_IO_WRITE_COMPRESSED:name;
+const unique T.FIO_COMPLETION_ROUTINE:name;
+const unique T.FKDEFERRED_ROUTINE:name;
+const unique T.INT2:name;
+const unique T.INT4:name;
+const unique T.INT8:name;
+const unique T.PA2UINT2:name;
+const unique T.PA37CHAR:name;
+const unique T.PA40CHAR:name;
+const unique T.PA4UINT4:name;
+const unique T.PA65CHAR:name;
+const unique T.PA75CHAR:name;
+const unique T.PA76CHAR:name;
+const unique T.PA7UINT2:name;
+const unique T.PA80CHAR:name;
+const unique T.PA9UINT2:name;
+const unique T.PCHAR:name;
+const unique T.PF19:name;
+const unique T.PF21:name;
+const unique T.PF23:name;
+const unique T.PF24:name;
+const unique T.PF25:name;
+const unique T.PF33:name;
+const unique T.PF34:name;
+const unique T.PF35:name;
+const unique T.PF36:name;
+const unique T.PF37:name;
+const unique T.PF38:name;
+const unique T.PFDRIVER_ADD_DEVICE:name;
+const unique T.PFDRIVER_CANCEL:name;
+const unique T.PFDRIVER_CONTROL:name;
+const unique T.PFDRIVER_DISPATCH:name;
+const unique T.PFDRIVER_INITIALIZE:name;
+const unique T.PFDRIVER_STARTIO:name;
+const unique T.PFDRIVER_UNLOAD:name;
+const unique T.PFFAST_IO_ACQUIRE_FILE:name;
+const unique T.PFFAST_IO_ACQUIRE_FOR_CCFLUSH:name;
+const unique T.PFFAST_IO_ACQUIRE_FOR_MOD_WRITE:name;
+const unique T.PFFAST_IO_CHECK_IF_POSSIBLE:name;
+const unique T.PFFAST_IO_DETACH_DEVICE:name;
+const unique T.PFFAST_IO_DEVICE_CONTROL:name;
+const unique T.PFFAST_IO_LOCK:name;
+const unique T.PFFAST_IO_MDL_READ:name;
+const unique T.PFFAST_IO_MDL_READ_COMPLETE:name;
+const unique T.PFFAST_IO_MDL_READ_COMPLETE_COMPRESSED:name;
+const unique T.PFFAST_IO_MDL_WRITE_COMPLETE:name;
+const unique T.PFFAST_IO_MDL_WRITE_COMPLETE_COMPRESSED:name;
+const unique T.PFFAST_IO_PREPARE_MDL_WRITE:name;
+const unique T.PFFAST_IO_QUERY_BASIC_INFO:name;
+const unique T.PFFAST_IO_QUERY_NETWORK_OPEN_INFO:name;
+const unique T.PFFAST_IO_QUERY_OPEN:name;
+const unique T.PFFAST_IO_QUERY_STANDARD_INFO:name;
+const unique T.PFFAST_IO_READ:name;
+const unique T.PFFAST_IO_READ_COMPRESSED:name;
+const unique T.PFFAST_IO_RELEASE_FILE:name;
+const unique T.PFFAST_IO_RELEASE_FOR_CCFLUSH:name;
+const unique T.PFFAST_IO_RELEASE_FOR_MOD_WRITE:name;
+const unique T.PFFAST_IO_UNLOCK_ALL:name;
+const unique T.PFFAST_IO_UNLOCK_ALL_BY_KEY:name;
+const unique T.PFFAST_IO_UNLOCK_SINGLE:name;
+const unique T.PFFAST_IO_WRITE:name;
+const unique T.PFFAST_IO_WRITE_COMPRESSED:name;
+const unique T.PFIO_COMPLETION_ROUTINE:name;
+const unique T.PFKDEFERRED_ROUTINE:name;
+const unique T.PINT4:name;
+const unique T.POWER_ACTION:name;
+const unique T.PPCHAR:name;
+const unique T.PPF24:name;
+const unique T.PPPUINT2:name;
+const unique T.PPP_DEVICE_OBJECT:name;
+const unique T.PPUINT2:name;
+const unique T.PPUINT4:name;
+const unique T.PPVOID:name;
+const unique T.PP_DEVICE_EXTENSION:name;
+const unique T.PP_DEVICE_OBJECT:name;
+const unique T.PP_DRIVER_OBJECT:name;
+const unique T.PP_ERESOURCE:name;
+const unique T.PP_FAST_MUTEX:name;
+const unique T.PP_IO_REMOVE_LOCK:name;
+const unique T.PP_LIST_ENTRY:name;
+const unique T.PP_MDL:name;
+const unique T.PP_UNICODE_STRING:name;
+const unique T.PUCHAR:name;
+const unique T.PUINT2:name;
+const unique T.PUINT4:name;
+const unique T.PVOID:name;
+const unique T.PWMIGUIDREGINFO:name;
+const unique T.P_ACCESS_STATE:name;
+const unique T.P_CM_RESOURCE_LIST:name;
+const unique T.P_COMPRESSED_DATA_INFO:name;
+const unique T.P_DEVICE_CAPABILITIES:name;
+const unique T.P_DEVICE_EXTENSION:name;
+const unique T.P_DEVICE_OBJECT:name;
+const unique T.P_DEVOBJ_EXTENSION:name;
+const unique T.P_DRIVER_EXTENSION:name;
+const unique T.P_DRIVER_OBJECT:name;
+const unique T.P_EPROCESS:name;
+const unique T.P_ERESOURCE:name;
+const unique T.P_ETHREAD:name;
+const unique T.P_FAST_IO_DISPATCH:name;
+const unique T.P_FAST_MUTEX:name;
+const unique T.P_FILE_BASIC_INFORMATION:name;
+const unique T.P_FILE_GET_QUOTA_INFORMATION:name;
+const unique T.P_FILE_NETWORK_OPEN_INFORMATION:name;
+const unique T.P_FILE_OBJECT:name;
+const unique T.P_FILE_STANDARD_INFORMATION:name;
+const unique T.P_GLOBALS:name;
+const unique T.P_GUID:name;
+const unique T.P_INTERFACE:name;
+const unique T.P_IO_COMPLETION_CONTEXT:name;
+const unique T.P_IO_REMOVE_LOCK:name;
+const unique T.P_IO_REMOVE_LOCK_TRACKING_BLOCK:name;
+const unique T.P_IO_RESOURCE_REQUIREMENTS_LIST:name;
+const unique T.P_IO_SECURITY_CONTEXT:name;
+const unique T.P_IO_STACK_LOCATION:name;
+const unique T.P_IO_STATUS_BLOCK:name;
+const unique T.P_IO_TIMER:name;
+const unique T.P_IRP:name;
+const unique T.P_KAPC:name;
+const unique T.P_KDPC:name;
+const unique T.P_KEVENT:name;
+const unique T.P_KSEMAPHORE:name;
+const unique T.P_KTHREAD:name;
+const unique T.P_LARGE_INTEGER:name;
+const unique T.P_LIST_ENTRY:name;
+const unique T.P_MDL:name;
+const unique T.P_MOUSE_INPUT_DATA:name;
+const unique T.P_OWNER_ENTRY:name;
+const unique T.P_POOL_TYPE:name;
+const unique T.P_PORT:name;
+const unique T.P_POWER_SEQUENCE:name;
+const unique T.P_SCSI_REQUEST_BLOCK:name;
+const unique T.P_SECTION_OBJECT_POINTERS:name;
+const unique T.P_SECURITY_QUALITY_OF_SERVICE:name;
+const unique T.P_UNICODE_STRING:name;
+const unique T.P_VPB:name;
+const unique T.UCHAR:name;
+const unique T.UINT2:name;
+const unique T.UINT4:name;
+const unique T.VOID:name;
+const unique T.WMIENABLEDISABLECONTROL:name;
+const unique T.WMIGUIDREGINFO:name;
+const unique T._ACCESS_STATE:name;
+const unique T._CM_FULL_RESOURCE_DESCRIPTOR:name;
+const unique T._CM_PARTIAL_RESOURCE_DESCRIPTOR:name;
+const unique T._CM_PARTIAL_RESOURCE_LIST:name;
+const unique T._CM_RESOURCE_LIST:name;
+const unique T._COMPRESSED_DATA_INFO:name;
+const unique T._DEVICE_CAPABILITIES:name;
+const unique T._DEVICE_EXTENSION:name;
+const unique T._DEVICE_OBJECT:name;
+const unique T._DEVICE_POWER_STATE:name;
+const unique T._DEVICE_RELATION_TYPE:name;
+const unique T._DEVICE_USAGE_NOTIFICATION_TYPE:name;
+const unique T._DEVOBJ_EXTENSION:name;
+const unique T._DISPATCHER_HEADER:name;
+const unique T._DRIVER_EXTENSION:name;
+const unique T._DRIVER_OBJECT:name;
+const unique T._EPROCESS:name;
+const unique T._ERESOURCE:name;
+const unique T._ETHREAD:name;
+const unique T._FAST_IO_DISPATCH:name;
+const unique T._FAST_MUTEX:name;
+const unique T._FILE_BASIC_INFORMATION:name;
+const unique T._FILE_GET_QUOTA_INFORMATION:name;
+const unique T._FILE_INFORMATION_CLASS:name;
+const unique T._FILE_NETWORK_OPEN_INFORMATION:name;
+const unique T._FILE_OBJECT:name;
+const unique T._FILE_STANDARD_INFORMATION:name;
+const unique T._FSINFOCLASS:name;
+const unique T._GLOBALS:name;
+const unique T._GUID:name;
+const unique T._INITIAL_PRIVILEGE_SET:name;
+const unique T._INTERFACE:name;
+const unique T._INTERFACE_TYPE:name;
+const unique T._IO_ALLOCATION_ACTION:name;
+const unique T._IO_COMPLETION_CONTEXT:name;
+const unique T._IO_REMOVE_LOCK:name;
+const unique T._IO_REMOVE_LOCK_COMMON_BLOCK:name;
+const unique T._IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T._IO_REMOVE_LOCK_TRACKING_BLOCK:name;
+const unique T._IO_RESOURCE_DESCRIPTOR:name;
+const unique T._IO_RESOURCE_LIST:name;
+const unique T._IO_RESOURCE_REQUIREMENTS_LIST:name;
+const unique T._IO_SECURITY_CONTEXT:name;
+const unique T._IO_STACK_LOCATION:name;
+const unique T._IO_STATUS_BLOCK:name;
+const unique T._IO_TIMER:name;
+const unique T._IRP:name;
+const unique T._IRQ_DEVICE_POLICY:name;
+const unique T._IRQ_PRIORITY:name;
+const unique T._KAPC:name;
+const unique T._KDEVICE_QUEUE:name;
+const unique T._KDEVICE_QUEUE_ENTRY:name;
+const unique T._KDPC:name;
+const unique T._KEVENT:name;
+const unique T._KSEMAPHORE:name;
+const unique T._KTHREAD:name;
+const unique T._LARGE_INTEGER:name;
+const unique T._LIST_ENTRY:name;
+const unique T._LUID:name;
+const unique T._LUID_AND_ATTRIBUTES:name;
+const unique T._MDL:name;
+const unique T._MOUSE_ATTRIBUTES:name;
+const unique T._MOUSE_INPUT_DATA:name;
+const unique T._OWNER_ENTRY:name;
+const unique T._POOL_TYPE:name;
+const unique T._PORT:name;
+const unique T._POWER_SEQUENCE:name;
+const unique T._POWER_STATE:name;
+const unique T._POWER_STATE_TYPE:name;
+const unique T._PRIVILEGE_SET:name;
+const unique T._SCSI_REQUEST_BLOCK:name;
+const unique T._SECTION_OBJECT_POINTERS:name;
+const unique T._SECURITY_IMPERSONATION_LEVEL:name;
+const unique T._SECURITY_QUALITY_OF_SERVICE:name;
+const unique T._SECURITY_SUBJECT_CONTEXT:name;
+const unique T._SYSTEM_POWER_STATE:name;
+const unique T._SYSTEM_POWER_STATE_CONTEXT:name;
+const unique T._UNICODE_STRING:name;
+const unique T._VPB:name;
+const unique T._WAIT_CONTEXT_BLOCK:name;
+const unique T._WMILIB_CONTEXT:name;
+const unique T.__unnamed_12_06b9ee6e:name;
+const unique T.__unnamed_12_0882bd02:name;
+const unique T.__unnamed_12_264d0dab:name;
+const unique T.__unnamed_12_2e80217b:name;
+const unique T.__unnamed_12_5cc7ace2:name;
+const unique T.__unnamed_12_6374506e:name;
+const unique T.__unnamed_12_68a4278e:name;
+const unique T.__unnamed_12_79ed2653:name;
+const unique T.__unnamed_12_7da594c0:name;
+const unique T.__unnamed_12_9873e05d:name;
+const unique T.__unnamed_12_9cc8cebc:name;
+const unique T.__unnamed_12_b98da82e:name;
+const unique T.__unnamed_12_c2880e88:name;
+const unique T.__unnamed_12_c49ab31a:name;
+const unique T.__unnamed_12_c6ed93f3:name;
+const unique T.__unnamed_12_ced61554:name;
+const unique T.__unnamed_12_d9c44df5:name;
+const unique T.__unnamed_12_db3dcbfc:name;
+const unique T.__unnamed_12_fb26b3fc:name;
+const unique T.__unnamed_16_22e4d054:name;
+const unique T.__unnamed_16_39b626ad:name;
+const unique T.__unnamed_16_56c011d7:name;
+const unique T.__unnamed_16_5fed8f23:name;
+const unique T.__unnamed_16_6be9abe0:name;
+const unique T.__unnamed_16_78879a38:name;
+const unique T.__unnamed_16_804a2f24:name;
+const unique T.__unnamed_16_8586693f:name;
+const unique T.__unnamed_16_8831e65f:name;
+const unique T.__unnamed_16_8c2d663a:name;
+const unique T.__unnamed_16_913b9a7a:name;
+const unique T.__unnamed_16_94d1d1c7:name;
+const unique T.__unnamed_16_a2fab4da:name;
+const unique T.__unnamed_16_ae643f17:name;
+const unique T.__unnamed_16_c1b29316:name;
+const unique T.__unnamed_16_cbd53ed4:name;
+const unique T.__unnamed_16_db70db6e:name;
+const unique T.__unnamed_16_ef4b6307:name;
+const unique T.__unnamed_16_fdda1f62:name;
+const unique T.__unnamed_1_1394de4b:name;
+const unique T.__unnamed_1_2bb39c56:name;
+const unique T.__unnamed_1_9fa0583a:name;
+const unique T.__unnamed_1_e30779f5:name;
+const unique T.__unnamed_20_83d468e4:name;
+const unique T.__unnamed_24_035931da:name;
+const unique T.__unnamed_24_38e128db:name;
+const unique T.__unnamed_24_9500ea34:name;
+const unique T.__unnamed_24_9734802c:name;
+const unique T.__unnamed_24_af62813f:name;
+const unique T.__unnamed_24_c0555099:name;
+const unique T.__unnamed_24_d7c4ec3a:name;
+const unique T.__unnamed_2_196a7f56:name;
+const unique T.__unnamed_40_a0414182:name;
+const unique T.__unnamed_40_d90496f4:name;
+const unique T.__unnamed_44_a7026dca:name;
+const unique T.__unnamed_48_c1da9fa5:name;
+const unique T.__unnamed_4_0510b147:name;
+const unique T.__unnamed_4_0a569078:name;
+const unique T.__unnamed_4_16aff58e:name;
+const unique T.__unnamed_4_40bf8e34:name;
+const unique T.__unnamed_4_46b62f69:name;
+const unique T.__unnamed_4_73d46255:name;
+const unique T.__unnamed_4_765e3037:name;
+const unique T.__unnamed_4_846adf3f:name;
+const unique T.__unnamed_4_8dd73d30:name;
+const unique T.__unnamed_4_957e0d74:name;
+const unique T.__unnamed_4_9c11ed91:name;
+const unique T.__unnamed_4_a58d40c8:name;
+const unique T.__unnamed_4_a7aa989c:name;
+const unique T.__unnamed_4_a7d0864c:name;
+const unique T.__unnamed_4_aa20b426:name;
+const unique T.__unnamed_4_ab87ddfd:name;
+const unique T.__unnamed_4_b016b1e1:name;
+const unique T.__unnamed_4_b060dea6:name;
+const unique T.__unnamed_4_b4f5a780:name;
+const unique T.__unnamed_4_b5247f10:name;
+const unique T.__unnamed_4_c1e23b02:name;
+const unique T.__unnamed_4_c9b2e921:name;
+const unique T.__unnamed_4_fa7b96a7:name;
+const unique T.__unnamed_8_09ad2712:name;
+const unique T.__unnamed_8_21ac1dba:name;
+const unique T.__unnamed_8_27d3ab76:name;
+const unique T.__unnamed_8_4289df81:name;
+const unique T.__unnamed_8_47b72724:name;
+const unique T.__unnamed_8_4b3e3ba3:name;
+const unique T.__unnamed_8_4f695993:name;
+const unique T.__unnamed_8_5cfb6ca4:name;
+const unique T.__unnamed_8_606438c5:name;
+const unique T.__unnamed_8_6ad774c0:name;
+const unique T.__unnamed_8_805045cb:name;
+const unique T.__unnamed_8_8684a3e7:name;
+const unique T.__unnamed_8_8cc410da:name;
+const unique T.__unnamed_8_a47253e0:name;
+const unique T.__unnamed_8_bbd07f6c:name;
+const unique T.__unnamed_8_c9ca8234:name;
+
+function Abandoned___unnamed_1_2bb39c56(int) returns (int);
+function Abandoned___unnamed_1_2bb39c56Inv(int) returns (int);
+function _S_Abandoned___unnamed_1_2bb39c56([int]bool) returns ([int]bool);
+function _S_Abandoned___unnamed_1_2bb39c56Inv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Abandoned___unnamed_1_2bb39c56Inv(Abandoned___unnamed_1_2bb39c56(x))} Abandoned___unnamed_1_2bb39c56Inv(Abandoned___unnamed_1_2bb39c56(x)) == x);
+axiom (forall x:int :: {Abandoned___unnamed_1_2bb39c56Inv(x)} Abandoned___unnamed_1_2bb39c56(Abandoned___unnamed_1_2bb39c56Inv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Abandoned___unnamed_1_2bb39c56(S)[x]} _S_Abandoned___unnamed_1_2bb39c56(S)[x] <==> S[Abandoned___unnamed_1_2bb39c56Inv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Abandoned___unnamed_1_2bb39c56Inv(S)[x]} _S_Abandoned___unnamed_1_2bb39c56Inv(S)[x] <==> S[Abandoned___unnamed_1_2bb39c56(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Abandoned___unnamed_1_2bb39c56(S)} S[x] ==> _S_Abandoned___unnamed_1_2bb39c56(S)[Abandoned___unnamed_1_2bb39c56(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Abandoned___unnamed_1_2bb39c56Inv(S)} S[x] ==> _S_Abandoned___unnamed_1_2bb39c56Inv(S)[Abandoned___unnamed_1_2bb39c56Inv(x)]);
+
+axiom (forall x:int :: {Abandoned___unnamed_1_2bb39c56(x)} Abandoned___unnamed_1_2bb39c56(x) == x + 0);
+axiom (forall x:int :: {Abandoned___unnamed_1_2bb39c56Inv(x)} Abandoned___unnamed_1_2bb39c56Inv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == Abandoned___unnamed_1_2bb39c56Inv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == Abandoned___unnamed_1_2bb39c56Inv(x));
+function Absolute___unnamed_1_2bb39c56(int) returns (int);
+function Absolute___unnamed_1_2bb39c56Inv(int) returns (int);
+function _S_Absolute___unnamed_1_2bb39c56([int]bool) returns ([int]bool);
+function _S_Absolute___unnamed_1_2bb39c56Inv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Absolute___unnamed_1_2bb39c56Inv(Absolute___unnamed_1_2bb39c56(x))} Absolute___unnamed_1_2bb39c56Inv(Absolute___unnamed_1_2bb39c56(x)) == x);
+axiom (forall x:int :: {Absolute___unnamed_1_2bb39c56Inv(x)} Absolute___unnamed_1_2bb39c56(Absolute___unnamed_1_2bb39c56Inv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Absolute___unnamed_1_2bb39c56(S)[x]} _S_Absolute___unnamed_1_2bb39c56(S)[x] <==> S[Absolute___unnamed_1_2bb39c56Inv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Absolute___unnamed_1_2bb39c56Inv(S)[x]} _S_Absolute___unnamed_1_2bb39c56Inv(S)[x] <==> S[Absolute___unnamed_1_2bb39c56(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Absolute___unnamed_1_2bb39c56(S)} S[x] ==> _S_Absolute___unnamed_1_2bb39c56(S)[Absolute___unnamed_1_2bb39c56(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Absolute___unnamed_1_2bb39c56Inv(S)} S[x] ==> _S_Absolute___unnamed_1_2bb39c56Inv(S)[Absolute___unnamed_1_2bb39c56Inv(x)]);
+
+axiom (forall x:int :: {Absolute___unnamed_1_2bb39c56(x)} Absolute___unnamed_1_2bb39c56(x) == x + 0);
+axiom (forall x:int :: {Absolute___unnamed_1_2bb39c56Inv(x)} Absolute___unnamed_1_2bb39c56Inv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == Absolute___unnamed_1_2bb39c56Inv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == Absolute___unnamed_1_2bb39c56Inv(x));
+function AllocateTag__IO_REMOVE_LOCK_DBG_BLOCK(int) returns (int);
+function AllocateTag__IO_REMOVE_LOCK_DBG_BLOCKInv(int) returns (int);
+function _S_AllocateTag__IO_REMOVE_LOCK_DBG_BLOCK([int]bool) returns ([int]bool);
+function _S_AllocateTag__IO_REMOVE_LOCK_DBG_BLOCKInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {AllocateTag__IO_REMOVE_LOCK_DBG_BLOCKInv(AllocateTag__IO_REMOVE_LOCK_DBG_BLOCK(x))} AllocateTag__IO_REMOVE_LOCK_DBG_BLOCKInv(AllocateTag__IO_REMOVE_LOCK_DBG_BLOCK(x)) == x);
+axiom (forall x:int :: {AllocateTag__IO_REMOVE_LOCK_DBG_BLOCKInv(x)} AllocateTag__IO_REMOVE_LOCK_DBG_BLOCK(AllocateTag__IO_REMOVE_LOCK_DBG_BLOCKInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_AllocateTag__IO_REMOVE_LOCK_DBG_BLOCK(S)[x]} _S_AllocateTag__IO_REMOVE_LOCK_DBG_BLOCK(S)[x] <==> S[AllocateTag__IO_REMOVE_LOCK_DBG_BLOCKInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_AllocateTag__IO_REMOVE_LOCK_DBG_BLOCKInv(S)[x]} _S_AllocateTag__IO_REMOVE_LOCK_DBG_BLOCKInv(S)[x] <==> S[AllocateTag__IO_REMOVE_LOCK_DBG_BLOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_AllocateTag__IO_REMOVE_LOCK_DBG_BLOCK(S)} S[x] ==> _S_AllocateTag__IO_REMOVE_LOCK_DBG_BLOCK(S)[AllocateTag__IO_REMOVE_LOCK_DBG_BLOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_AllocateTag__IO_REMOVE_LOCK_DBG_BLOCKInv(S)} S[x] ==> _S_AllocateTag__IO_REMOVE_LOCK_DBG_BLOCKInv(S)[AllocateTag__IO_REMOVE_LOCK_DBG_BLOCKInv(x)]);
+
+axiom (forall x:int :: {AllocateTag__IO_REMOVE_LOCK_DBG_BLOCK(x)} AllocateTag__IO_REMOVE_LOCK_DBG_BLOCK(x) == x + 16);
+axiom (forall x:int :: {AllocateTag__IO_REMOVE_LOCK_DBG_BLOCKInv(x)} AllocateTag__IO_REMOVE_LOCK_DBG_BLOCKInv(x) == x - 16);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 16, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 16, 1) == AllocateTag__IO_REMOVE_LOCK_DBG_BLOCKInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 16)} MINUS_LEFT_PTR(x, 1, 16) == AllocateTag__IO_REMOVE_LOCK_DBG_BLOCKInv(x));
+function BaseClassName__GLOBALS(int) returns (int);
+function BaseClassName__GLOBALSInv(int) returns (int);
+function _S_BaseClassName__GLOBALS([int]bool) returns ([int]bool);
+function _S_BaseClassName__GLOBALSInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {BaseClassName__GLOBALSInv(BaseClassName__GLOBALS(x))} BaseClassName__GLOBALSInv(BaseClassName__GLOBALS(x)) == x);
+axiom (forall x:int :: {BaseClassName__GLOBALSInv(x)} BaseClassName__GLOBALS(BaseClassName__GLOBALSInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_BaseClassName__GLOBALS(S)[x]} _S_BaseClassName__GLOBALS(S)[x] <==> S[BaseClassName__GLOBALSInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_BaseClassName__GLOBALSInv(S)[x]} _S_BaseClassName__GLOBALSInv(S)[x] <==> S[BaseClassName__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_BaseClassName__GLOBALS(S)} S[x] ==> _S_BaseClassName__GLOBALS(S)[BaseClassName__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_BaseClassName__GLOBALSInv(S)} S[x] ==> _S_BaseClassName__GLOBALSInv(S)[BaseClassName__GLOBALSInv(x)]);
+
+axiom (forall x:int :: {BaseClassName__GLOBALS(x)} BaseClassName__GLOBALS(x) == x + 344);
+axiom (forall x:int :: {BaseClassName__GLOBALSInv(x)} BaseClassName__GLOBALSInv(x) == x - 344);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 344, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 344, 1) == BaseClassName__GLOBALSInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 344)} MINUS_LEFT_PTR(x, 1, 344) == BaseClassName__GLOBALSInv(x));
+function Blink__LIST_ENTRY(int) returns (int);
+function Blink__LIST_ENTRYInv(int) returns (int);
+function _S_Blink__LIST_ENTRY([int]bool) returns ([int]bool);
+function _S_Blink__LIST_ENTRYInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Blink__LIST_ENTRYInv(Blink__LIST_ENTRY(x))} Blink__LIST_ENTRYInv(Blink__LIST_ENTRY(x)) == x);
+axiom (forall x:int :: {Blink__LIST_ENTRYInv(x)} Blink__LIST_ENTRY(Blink__LIST_ENTRYInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Blink__LIST_ENTRY(S)[x]} _S_Blink__LIST_ENTRY(S)[x] <==> S[Blink__LIST_ENTRYInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Blink__LIST_ENTRYInv(S)[x]} _S_Blink__LIST_ENTRYInv(S)[x] <==> S[Blink__LIST_ENTRY(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Blink__LIST_ENTRY(S)} S[x] ==> _S_Blink__LIST_ENTRY(S)[Blink__LIST_ENTRY(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Blink__LIST_ENTRYInv(S)} S[x] ==> _S_Blink__LIST_ENTRYInv(S)[Blink__LIST_ENTRYInv(x)]);
+
+axiom (forall x:int :: {Blink__LIST_ENTRY(x)} Blink__LIST_ENTRY(x) == x + 4);
+axiom (forall x:int :: {Blink__LIST_ENTRYInv(x)} Blink__LIST_ENTRYInv(x) == x - 4);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1) == Blink__LIST_ENTRYInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 4)} MINUS_LEFT_PTR(x, 1, 4) == Blink__LIST_ENTRYInv(x));
+function Blocks__IO_REMOVE_LOCK_DBG_BLOCK(int) returns (int);
+function Blocks__IO_REMOVE_LOCK_DBG_BLOCKInv(int) returns (int);
+function _S_Blocks__IO_REMOVE_LOCK_DBG_BLOCK([int]bool) returns ([int]bool);
+function _S_Blocks__IO_REMOVE_LOCK_DBG_BLOCKInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Blocks__IO_REMOVE_LOCK_DBG_BLOCKInv(Blocks__IO_REMOVE_LOCK_DBG_BLOCK(x))} Blocks__IO_REMOVE_LOCK_DBG_BLOCKInv(Blocks__IO_REMOVE_LOCK_DBG_BLOCK(x)) == x);
+axiom (forall x:int :: {Blocks__IO_REMOVE_LOCK_DBG_BLOCKInv(x)} Blocks__IO_REMOVE_LOCK_DBG_BLOCK(Blocks__IO_REMOVE_LOCK_DBG_BLOCKInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Blocks__IO_REMOVE_LOCK_DBG_BLOCK(S)[x]} _S_Blocks__IO_REMOVE_LOCK_DBG_BLOCK(S)[x] <==> S[Blocks__IO_REMOVE_LOCK_DBG_BLOCKInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Blocks__IO_REMOVE_LOCK_DBG_BLOCKInv(S)[x]} _S_Blocks__IO_REMOVE_LOCK_DBG_BLOCKInv(S)[x] <==> S[Blocks__IO_REMOVE_LOCK_DBG_BLOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Blocks__IO_REMOVE_LOCK_DBG_BLOCK(S)} S[x] ==> _S_Blocks__IO_REMOVE_LOCK_DBG_BLOCK(S)[Blocks__IO_REMOVE_LOCK_DBG_BLOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Blocks__IO_REMOVE_LOCK_DBG_BLOCKInv(S)} S[x] ==> _S_Blocks__IO_REMOVE_LOCK_DBG_BLOCKInv(S)[Blocks__IO_REMOVE_LOCK_DBG_BLOCKInv(x)]);
+
+axiom (forall x:int :: {Blocks__IO_REMOVE_LOCK_DBG_BLOCK(x)} Blocks__IO_REMOVE_LOCK_DBG_BLOCK(x) == x + 56);
+axiom (forall x:int :: {Blocks__IO_REMOVE_LOCK_DBG_BLOCKInv(x)} Blocks__IO_REMOVE_LOCK_DBG_BLOCKInv(x) == x - 56);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 56, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 56, 1) == Blocks__IO_REMOVE_LOCK_DBG_BLOCKInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 56)} MINUS_LEFT_PTR(x, 1, 56) == Blocks__IO_REMOVE_LOCK_DBG_BLOCKInv(x));
+function Buffer__UNICODE_STRING(int) returns (int);
+function Buffer__UNICODE_STRINGInv(int) returns (int);
+function _S_Buffer__UNICODE_STRING([int]bool) returns ([int]bool);
+function _S_Buffer__UNICODE_STRINGInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Buffer__UNICODE_STRINGInv(Buffer__UNICODE_STRING(x))} Buffer__UNICODE_STRINGInv(Buffer__UNICODE_STRING(x)) == x);
+axiom (forall x:int :: {Buffer__UNICODE_STRINGInv(x)} Buffer__UNICODE_STRING(Buffer__UNICODE_STRINGInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Buffer__UNICODE_STRING(S)[x]} _S_Buffer__UNICODE_STRING(S)[x] <==> S[Buffer__UNICODE_STRINGInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Buffer__UNICODE_STRINGInv(S)[x]} _S_Buffer__UNICODE_STRINGInv(S)[x] <==> S[Buffer__UNICODE_STRING(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Buffer__UNICODE_STRING(S)} S[x] ==> _S_Buffer__UNICODE_STRING(S)[Buffer__UNICODE_STRING(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Buffer__UNICODE_STRINGInv(S)} S[x] ==> _S_Buffer__UNICODE_STRINGInv(S)[Buffer__UNICODE_STRINGInv(x)]);
+
+axiom (forall x:int :: {Buffer__UNICODE_STRING(x)} Buffer__UNICODE_STRING(x) == x + 4);
+axiom (forall x:int :: {Buffer__UNICODE_STRINGInv(x)} Buffer__UNICODE_STRINGInv(x) == x - 4);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1) == Buffer__UNICODE_STRINGInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 4)} MINUS_LEFT_PTR(x, 1, 4) == Buffer__UNICODE_STRINGInv(x));
+function Common__IO_REMOVE_LOCK(int) returns (int);
+function Common__IO_REMOVE_LOCKInv(int) returns (int);
+function _S_Common__IO_REMOVE_LOCK([int]bool) returns ([int]bool);
+function _S_Common__IO_REMOVE_LOCKInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Common__IO_REMOVE_LOCKInv(Common__IO_REMOVE_LOCK(x))} Common__IO_REMOVE_LOCKInv(Common__IO_REMOVE_LOCK(x)) == x);
+axiom (forall x:int :: {Common__IO_REMOVE_LOCKInv(x)} Common__IO_REMOVE_LOCK(Common__IO_REMOVE_LOCKInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Common__IO_REMOVE_LOCK(S)[x]} _S_Common__IO_REMOVE_LOCK(S)[x] <==> S[Common__IO_REMOVE_LOCKInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Common__IO_REMOVE_LOCKInv(S)[x]} _S_Common__IO_REMOVE_LOCKInv(S)[x] <==> S[Common__IO_REMOVE_LOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Common__IO_REMOVE_LOCK(S)} S[x] ==> _S_Common__IO_REMOVE_LOCK(S)[Common__IO_REMOVE_LOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Common__IO_REMOVE_LOCKInv(S)} S[x] ==> _S_Common__IO_REMOVE_LOCKInv(S)[Common__IO_REMOVE_LOCKInv(x)]);
+
+axiom (forall x:int :: {Common__IO_REMOVE_LOCK(x)} Common__IO_REMOVE_LOCK(x) == x + 0);
+axiom (forall x:int :: {Common__IO_REMOVE_LOCKInv(x)} Common__IO_REMOVE_LOCKInv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == Common__IO_REMOVE_LOCKInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == Common__IO_REMOVE_LOCKInv(x));
+function ConnectOneClassToOnePort__GLOBALS(int) returns (int);
+function ConnectOneClassToOnePort__GLOBALSInv(int) returns (int);
+function _S_ConnectOneClassToOnePort__GLOBALS([int]bool) returns ([int]bool);
+function _S_ConnectOneClassToOnePort__GLOBALSInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {ConnectOneClassToOnePort__GLOBALSInv(ConnectOneClassToOnePort__GLOBALS(x))} ConnectOneClassToOnePort__GLOBALSInv(ConnectOneClassToOnePort__GLOBALS(x)) == x);
+axiom (forall x:int :: {ConnectOneClassToOnePort__GLOBALSInv(x)} ConnectOneClassToOnePort__GLOBALS(ConnectOneClassToOnePort__GLOBALSInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_ConnectOneClassToOnePort__GLOBALS(S)[x]} _S_ConnectOneClassToOnePort__GLOBALS(S)[x] <==> S[ConnectOneClassToOnePort__GLOBALSInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_ConnectOneClassToOnePort__GLOBALSInv(S)[x]} _S_ConnectOneClassToOnePort__GLOBALSInv(S)[x] <==> S[ConnectOneClassToOnePort__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_ConnectOneClassToOnePort__GLOBALS(S)} S[x] ==> _S_ConnectOneClassToOnePort__GLOBALS(S)[ConnectOneClassToOnePort__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_ConnectOneClassToOnePort__GLOBALSInv(S)} S[x] ==> _S_ConnectOneClassToOnePort__GLOBALSInv(S)[ConnectOneClassToOnePort__GLOBALSInv(x)]);
+
+axiom (forall x:int :: {ConnectOneClassToOnePort__GLOBALS(x)} ConnectOneClassToOnePort__GLOBALS(x) == x + 56);
+axiom (forall x:int :: {ConnectOneClassToOnePort__GLOBALSInv(x)} ConnectOneClassToOnePort__GLOBALSInv(x) == x - 56);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 56, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 56, 1) == ConnectOneClassToOnePort__GLOBALSInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 56)} MINUS_LEFT_PTR(x, 1, 56) == ConnectOneClassToOnePort__GLOBALSInv(x));
+function DataIn__DEVICE_EXTENSION(int) returns (int);
+function DataIn__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_DataIn__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_DataIn__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {DataIn__DEVICE_EXTENSIONInv(DataIn__DEVICE_EXTENSION(x))} DataIn__DEVICE_EXTENSIONInv(DataIn__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {DataIn__DEVICE_EXTENSIONInv(x)} DataIn__DEVICE_EXTENSION(DataIn__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_DataIn__DEVICE_EXTENSION(S)[x]} _S_DataIn__DEVICE_EXTENSION(S)[x] <==> S[DataIn__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_DataIn__DEVICE_EXTENSIONInv(S)[x]} _S_DataIn__DEVICE_EXTENSIONInv(S)[x] <==> S[DataIn__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_DataIn__DEVICE_EXTENSION(S)} S[x] ==> _S_DataIn__DEVICE_EXTENSION(S)[DataIn__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_DataIn__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_DataIn__DEVICE_EXTENSIONInv(S)[DataIn__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {DataIn__DEVICE_EXTENSION(x)} DataIn__DEVICE_EXTENSION(x) == x + 132);
+axiom (forall x:int :: {DataIn__DEVICE_EXTENSIONInv(x)} DataIn__DEVICE_EXTENSIONInv(x) == x - 132);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 132, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 132, 1) == DataIn__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 132)} MINUS_LEFT_PTR(x, 1, 132) == DataIn__DEVICE_EXTENSIONInv(x));
+function DataOut__DEVICE_EXTENSION(int) returns (int);
+function DataOut__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_DataOut__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_DataOut__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {DataOut__DEVICE_EXTENSIONInv(DataOut__DEVICE_EXTENSION(x))} DataOut__DEVICE_EXTENSIONInv(DataOut__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {DataOut__DEVICE_EXTENSIONInv(x)} DataOut__DEVICE_EXTENSION(DataOut__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_DataOut__DEVICE_EXTENSION(S)[x]} _S_DataOut__DEVICE_EXTENSION(S)[x] <==> S[DataOut__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_DataOut__DEVICE_EXTENSIONInv(S)[x]} _S_DataOut__DEVICE_EXTENSIONInv(S)[x] <==> S[DataOut__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_DataOut__DEVICE_EXTENSION(S)} S[x] ==> _S_DataOut__DEVICE_EXTENSION(S)[DataOut__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_DataOut__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_DataOut__DEVICE_EXTENSIONInv(S)[DataOut__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {DataOut__DEVICE_EXTENSION(x)} DataOut__DEVICE_EXTENSION(x) == x + 136);
+axiom (forall x:int :: {DataOut__DEVICE_EXTENSIONInv(x)} DataOut__DEVICE_EXTENSIONInv(x) == x - 136);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 136, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 136, 1) == DataOut__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 136)} MINUS_LEFT_PTR(x, 1, 136) == DataOut__DEVICE_EXTENSIONInv(x));
+function Dbg__IO_REMOVE_LOCK(int) returns (int);
+function Dbg__IO_REMOVE_LOCKInv(int) returns (int);
+function _S_Dbg__IO_REMOVE_LOCK([int]bool) returns ([int]bool);
+function _S_Dbg__IO_REMOVE_LOCKInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Dbg__IO_REMOVE_LOCKInv(Dbg__IO_REMOVE_LOCK(x))} Dbg__IO_REMOVE_LOCKInv(Dbg__IO_REMOVE_LOCK(x)) == x);
+axiom (forall x:int :: {Dbg__IO_REMOVE_LOCKInv(x)} Dbg__IO_REMOVE_LOCK(Dbg__IO_REMOVE_LOCKInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Dbg__IO_REMOVE_LOCK(S)[x]} _S_Dbg__IO_REMOVE_LOCK(S)[x] <==> S[Dbg__IO_REMOVE_LOCKInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Dbg__IO_REMOVE_LOCKInv(S)[x]} _S_Dbg__IO_REMOVE_LOCKInv(S)[x] <==> S[Dbg__IO_REMOVE_LOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Dbg__IO_REMOVE_LOCK(S)} S[x] ==> _S_Dbg__IO_REMOVE_LOCK(S)[Dbg__IO_REMOVE_LOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Dbg__IO_REMOVE_LOCKInv(S)} S[x] ==> _S_Dbg__IO_REMOVE_LOCKInv(S)[Dbg__IO_REMOVE_LOCKInv(x)]);
+
+axiom (forall x:int :: {Dbg__IO_REMOVE_LOCK(x)} Dbg__IO_REMOVE_LOCK(x) == x + 24);
+axiom (forall x:int :: {Dbg__IO_REMOVE_LOCKInv(x)} Dbg__IO_REMOVE_LOCKInv(x) == x - 24);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 24, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 24, 1) == Dbg__IO_REMOVE_LOCKInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 24)} MINUS_LEFT_PTR(x, 1, 24) == Dbg__IO_REMOVE_LOCKInv(x));
+function DebugActive___unnamed_1_9fa0583a(int) returns (int);
+function DebugActive___unnamed_1_9fa0583aInv(int) returns (int);
+function _S_DebugActive___unnamed_1_9fa0583a([int]bool) returns ([int]bool);
+function _S_DebugActive___unnamed_1_9fa0583aInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {DebugActive___unnamed_1_9fa0583aInv(DebugActive___unnamed_1_9fa0583a(x))} DebugActive___unnamed_1_9fa0583aInv(DebugActive___unnamed_1_9fa0583a(x)) == x);
+axiom (forall x:int :: {DebugActive___unnamed_1_9fa0583aInv(x)} DebugActive___unnamed_1_9fa0583a(DebugActive___unnamed_1_9fa0583aInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_DebugActive___unnamed_1_9fa0583a(S)[x]} _S_DebugActive___unnamed_1_9fa0583a(S)[x] <==> S[DebugActive___unnamed_1_9fa0583aInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_DebugActive___unnamed_1_9fa0583aInv(S)[x]} _S_DebugActive___unnamed_1_9fa0583aInv(S)[x] <==> S[DebugActive___unnamed_1_9fa0583a(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_DebugActive___unnamed_1_9fa0583a(S)} S[x] ==> _S_DebugActive___unnamed_1_9fa0583a(S)[DebugActive___unnamed_1_9fa0583a(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_DebugActive___unnamed_1_9fa0583aInv(S)} S[x] ==> _S_DebugActive___unnamed_1_9fa0583aInv(S)[DebugActive___unnamed_1_9fa0583aInv(x)]);
+
+axiom (forall x:int :: {DebugActive___unnamed_1_9fa0583a(x)} DebugActive___unnamed_1_9fa0583a(x) == x + 0);
+axiom (forall x:int :: {DebugActive___unnamed_1_9fa0583aInv(x)} DebugActive___unnamed_1_9fa0583aInv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == DebugActive___unnamed_1_9fa0583aInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == DebugActive___unnamed_1_9fa0583aInv(x));
+function DeviceExtension__DEVICE_OBJECT(int) returns (int);
+function DeviceExtension__DEVICE_OBJECTInv(int) returns (int);
+function _S_DeviceExtension__DEVICE_OBJECT([int]bool) returns ([int]bool);
+function _S_DeviceExtension__DEVICE_OBJECTInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {DeviceExtension__DEVICE_OBJECTInv(DeviceExtension__DEVICE_OBJECT(x))} DeviceExtension__DEVICE_OBJECTInv(DeviceExtension__DEVICE_OBJECT(x)) == x);
+axiom (forall x:int :: {DeviceExtension__DEVICE_OBJECTInv(x)} DeviceExtension__DEVICE_OBJECT(DeviceExtension__DEVICE_OBJECTInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_DeviceExtension__DEVICE_OBJECT(S)[x]} _S_DeviceExtension__DEVICE_OBJECT(S)[x] <==> S[DeviceExtension__DEVICE_OBJECTInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_DeviceExtension__DEVICE_OBJECTInv(S)[x]} _S_DeviceExtension__DEVICE_OBJECTInv(S)[x] <==> S[DeviceExtension__DEVICE_OBJECT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_DeviceExtension__DEVICE_OBJECT(S)} S[x] ==> _S_DeviceExtension__DEVICE_OBJECT(S)[DeviceExtension__DEVICE_OBJECT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_DeviceExtension__DEVICE_OBJECTInv(S)} S[x] ==> _S_DeviceExtension__DEVICE_OBJECTInv(S)[DeviceExtension__DEVICE_OBJECTInv(x)]);
+
+axiom (forall x:int :: {DeviceExtension__DEVICE_OBJECT(x)} DeviceExtension__DEVICE_OBJECT(x) == x + 40);
+axiom (forall x:int :: {DeviceExtension__DEVICE_OBJECTInv(x)} DeviceExtension__DEVICE_OBJECTInv(x) == x - 40);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 40, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 40, 1) == DeviceExtension__DEVICE_OBJECTInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 40)} MINUS_LEFT_PTR(x, 1, 40) == DeviceExtension__DEVICE_OBJECTInv(x));
+function DeviceState__DEVICE_EXTENSION(int) returns (int);
+function DeviceState__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_DeviceState__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_DeviceState__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {DeviceState__DEVICE_EXTENSIONInv(DeviceState__DEVICE_EXTENSION(x))} DeviceState__DEVICE_EXTENSIONInv(DeviceState__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {DeviceState__DEVICE_EXTENSIONInv(x)} DeviceState__DEVICE_EXTENSION(DeviceState__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_DeviceState__DEVICE_EXTENSION(S)[x]} _S_DeviceState__DEVICE_EXTENSION(S)[x] <==> S[DeviceState__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_DeviceState__DEVICE_EXTENSIONInv(S)[x]} _S_DeviceState__DEVICE_EXTENSIONInv(S)[x] <==> S[DeviceState__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_DeviceState__DEVICE_EXTENSION(S)} S[x] ==> _S_DeviceState__DEVICE_EXTENSION(S)[DeviceState__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_DeviceState__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_DeviceState__DEVICE_EXTENSIONInv(S)[DeviceState__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {DeviceState__DEVICE_EXTENSION(x)} DeviceState__DEVICE_EXTENSION(x) == x + 168);
+axiom (forall x:int :: {DeviceState__DEVICE_EXTENSIONInv(x)} DeviceState__DEVICE_EXTENSIONInv(x) == x - 168);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 168, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 168, 1) == DeviceState__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 168)} MINUS_LEFT_PTR(x, 1, 168) == DeviceState__DEVICE_EXTENSIONInv(x));
+function DpcActive___unnamed_1_9fa0583a(int) returns (int);
+function DpcActive___unnamed_1_9fa0583aInv(int) returns (int);
+function _S_DpcActive___unnamed_1_9fa0583a([int]bool) returns ([int]bool);
+function _S_DpcActive___unnamed_1_9fa0583aInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {DpcActive___unnamed_1_9fa0583aInv(DpcActive___unnamed_1_9fa0583a(x))} DpcActive___unnamed_1_9fa0583aInv(DpcActive___unnamed_1_9fa0583a(x)) == x);
+axiom (forall x:int :: {DpcActive___unnamed_1_9fa0583aInv(x)} DpcActive___unnamed_1_9fa0583a(DpcActive___unnamed_1_9fa0583aInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_DpcActive___unnamed_1_9fa0583a(S)[x]} _S_DpcActive___unnamed_1_9fa0583a(S)[x] <==> S[DpcActive___unnamed_1_9fa0583aInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_DpcActive___unnamed_1_9fa0583aInv(S)[x]} _S_DpcActive___unnamed_1_9fa0583aInv(S)[x] <==> S[DpcActive___unnamed_1_9fa0583a(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_DpcActive___unnamed_1_9fa0583a(S)} S[x] ==> _S_DpcActive___unnamed_1_9fa0583a(S)[DpcActive___unnamed_1_9fa0583a(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_DpcActive___unnamed_1_9fa0583aInv(S)} S[x] ==> _S_DpcActive___unnamed_1_9fa0583aInv(S)[DpcActive___unnamed_1_9fa0583aInv(x)]);
+
+axiom (forall x:int :: {DpcActive___unnamed_1_9fa0583a(x)} DpcActive___unnamed_1_9fa0583a(x) == x + 0);
+axiom (forall x:int :: {DpcActive___unnamed_1_9fa0583aInv(x)} DpcActive___unnamed_1_9fa0583aInv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == DpcActive___unnamed_1_9fa0583aInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == DpcActive___unnamed_1_9fa0583aInv(x));
+function Enabled__DEVICE_EXTENSION(int) returns (int);
+function Enabled__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_Enabled__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_Enabled__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Enabled__DEVICE_EXTENSIONInv(Enabled__DEVICE_EXTENSION(x))} Enabled__DEVICE_EXTENSIONInv(Enabled__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {Enabled__DEVICE_EXTENSIONInv(x)} Enabled__DEVICE_EXTENSION(Enabled__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Enabled__DEVICE_EXTENSION(S)[x]} _S_Enabled__DEVICE_EXTENSION(S)[x] <==> S[Enabled__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Enabled__DEVICE_EXTENSIONInv(S)[x]} _S_Enabled__DEVICE_EXTENSIONInv(S)[x] <==> S[Enabled__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Enabled__DEVICE_EXTENSION(S)} S[x] ==> _S_Enabled__DEVICE_EXTENSION(S)[Enabled__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Enabled__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_Enabled__DEVICE_EXTENSIONInv(S)[Enabled__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {Enabled__DEVICE_EXTENSION(x)} Enabled__DEVICE_EXTENSION(x) == x + 264);
+axiom (forall x:int :: {Enabled__DEVICE_EXTENSIONInv(x)} Enabled__DEVICE_EXTENSIONInv(x) == x - 264);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 264, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 264, 1) == Enabled__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 264)} MINUS_LEFT_PTR(x, 1, 264) == Enabled__DEVICE_EXTENSIONInv(x));
+function ExecuteWmiMethod__WMILIB_CONTEXT(int) returns (int);
+function ExecuteWmiMethod__WMILIB_CONTEXTInv(int) returns (int);
+function _S_ExecuteWmiMethod__WMILIB_CONTEXT([int]bool) returns ([int]bool);
+function _S_ExecuteWmiMethod__WMILIB_CONTEXTInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {ExecuteWmiMethod__WMILIB_CONTEXTInv(ExecuteWmiMethod__WMILIB_CONTEXT(x))} ExecuteWmiMethod__WMILIB_CONTEXTInv(ExecuteWmiMethod__WMILIB_CONTEXT(x)) == x);
+axiom (forall x:int :: {ExecuteWmiMethod__WMILIB_CONTEXTInv(x)} ExecuteWmiMethod__WMILIB_CONTEXT(ExecuteWmiMethod__WMILIB_CONTEXTInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_ExecuteWmiMethod__WMILIB_CONTEXT(S)[x]} _S_ExecuteWmiMethod__WMILIB_CONTEXT(S)[x] <==> S[ExecuteWmiMethod__WMILIB_CONTEXTInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_ExecuteWmiMethod__WMILIB_CONTEXTInv(S)[x]} _S_ExecuteWmiMethod__WMILIB_CONTEXTInv(S)[x] <==> S[ExecuteWmiMethod__WMILIB_CONTEXT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_ExecuteWmiMethod__WMILIB_CONTEXT(S)} S[x] ==> _S_ExecuteWmiMethod__WMILIB_CONTEXT(S)[ExecuteWmiMethod__WMILIB_CONTEXT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_ExecuteWmiMethod__WMILIB_CONTEXTInv(S)} S[x] ==> _S_ExecuteWmiMethod__WMILIB_CONTEXTInv(S)[ExecuteWmiMethod__WMILIB_CONTEXTInv(x)]);
+
+axiom (forall x:int :: {ExecuteWmiMethod__WMILIB_CONTEXT(x)} ExecuteWmiMethod__WMILIB_CONTEXT(x) == x + 24);
+axiom (forall x:int :: {ExecuteWmiMethod__WMILIB_CONTEXTInv(x)} ExecuteWmiMethod__WMILIB_CONTEXTInv(x) == x - 24);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 24, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 24, 1) == ExecuteWmiMethod__WMILIB_CONTEXTInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 24)} MINUS_LEFT_PTR(x, 1, 24) == ExecuteWmiMethod__WMILIB_CONTEXTInv(x));
+function ExtraWaitWakeIrp__DEVICE_EXTENSION(int) returns (int);
+function ExtraWaitWakeIrp__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_ExtraWaitWakeIrp__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_ExtraWaitWakeIrp__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {ExtraWaitWakeIrp__DEVICE_EXTENSIONInv(ExtraWaitWakeIrp__DEVICE_EXTENSION(x))} ExtraWaitWakeIrp__DEVICE_EXTENSIONInv(ExtraWaitWakeIrp__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {ExtraWaitWakeIrp__DEVICE_EXTENSIONInv(x)} ExtraWaitWakeIrp__DEVICE_EXTENSION(ExtraWaitWakeIrp__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_ExtraWaitWakeIrp__DEVICE_EXTENSION(S)[x]} _S_ExtraWaitWakeIrp__DEVICE_EXTENSION(S)[x] <==> S[ExtraWaitWakeIrp__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_ExtraWaitWakeIrp__DEVICE_EXTENSIONInv(S)[x]} _S_ExtraWaitWakeIrp__DEVICE_EXTENSIONInv(S)[x] <==> S[ExtraWaitWakeIrp__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_ExtraWaitWakeIrp__DEVICE_EXTENSION(S)} S[x] ==> _S_ExtraWaitWakeIrp__DEVICE_EXTENSION(S)[ExtraWaitWakeIrp__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_ExtraWaitWakeIrp__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_ExtraWaitWakeIrp__DEVICE_EXTENSIONInv(S)[ExtraWaitWakeIrp__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {ExtraWaitWakeIrp__DEVICE_EXTENSION(x)} ExtraWaitWakeIrp__DEVICE_EXTENSION(x) == x + 244);
+axiom (forall x:int :: {ExtraWaitWakeIrp__DEVICE_EXTENSIONInv(x)} ExtraWaitWakeIrp__DEVICE_EXTENSIONInv(x) == x - 244);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 244, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 244, 1) == ExtraWaitWakeIrp__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 244)} MINUS_LEFT_PTR(x, 1, 244) == ExtraWaitWakeIrp__DEVICE_EXTENSIONInv(x));
+function File__DEVICE_EXTENSION(int) returns (int);
+function File__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_File__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_File__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {File__DEVICE_EXTENSIONInv(File__DEVICE_EXTENSION(x))} File__DEVICE_EXTENSIONInv(File__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {File__DEVICE_EXTENSIONInv(x)} File__DEVICE_EXTENSION(File__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_File__DEVICE_EXTENSION(S)[x]} _S_File__DEVICE_EXTENSION(S)[x] <==> S[File__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_File__DEVICE_EXTENSIONInv(S)[x]} _S_File__DEVICE_EXTENSIONInv(S)[x] <==> S[File__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_File__DEVICE_EXTENSION(S)} S[x] ==> _S_File__DEVICE_EXTENSION(S)[File__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_File__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_File__DEVICE_EXTENSIONInv(S)[File__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {File__DEVICE_EXTENSION(x)} File__DEVICE_EXTENSION(x) == x + 260);
+axiom (forall x:int :: {File__DEVICE_EXTENSIONInv(x)} File__DEVICE_EXTENSIONInv(x) == x - 260);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 260, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 260, 1) == File__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 260)} MINUS_LEFT_PTR(x, 1, 260) == File__DEVICE_EXTENSIONInv(x));
+function Flags__DEVICE_OBJECT(int) returns (int);
+function Flags__DEVICE_OBJECTInv(int) returns (int);
+function _S_Flags__DEVICE_OBJECT([int]bool) returns ([int]bool);
+function _S_Flags__DEVICE_OBJECTInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Flags__DEVICE_OBJECTInv(Flags__DEVICE_OBJECT(x))} Flags__DEVICE_OBJECTInv(Flags__DEVICE_OBJECT(x)) == x);
+axiom (forall x:int :: {Flags__DEVICE_OBJECTInv(x)} Flags__DEVICE_OBJECT(Flags__DEVICE_OBJECTInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Flags__DEVICE_OBJECT(S)[x]} _S_Flags__DEVICE_OBJECT(S)[x] <==> S[Flags__DEVICE_OBJECTInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Flags__DEVICE_OBJECTInv(S)[x]} _S_Flags__DEVICE_OBJECTInv(S)[x] <==> S[Flags__DEVICE_OBJECT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Flags__DEVICE_OBJECT(S)} S[x] ==> _S_Flags__DEVICE_OBJECT(S)[Flags__DEVICE_OBJECT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Flags__DEVICE_OBJECTInv(S)} S[x] ==> _S_Flags__DEVICE_OBJECTInv(S)[Flags__DEVICE_OBJECTInv(x)]);
+
+axiom (forall x:int :: {Flags__DEVICE_OBJECT(x)} Flags__DEVICE_OBJECT(x) == x + 28);
+axiom (forall x:int :: {Flags__DEVICE_OBJECTInv(x)} Flags__DEVICE_OBJECTInv(x) == x - 28);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 28, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 28, 1) == Flags__DEVICE_OBJECTInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 28)} MINUS_LEFT_PTR(x, 1, 28) == Flags__DEVICE_OBJECTInv(x));
+function Flink__LIST_ENTRY(int) returns (int);
+function Flink__LIST_ENTRYInv(int) returns (int);
+function _S_Flink__LIST_ENTRY([int]bool) returns ([int]bool);
+function _S_Flink__LIST_ENTRYInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Flink__LIST_ENTRYInv(Flink__LIST_ENTRY(x))} Flink__LIST_ENTRYInv(Flink__LIST_ENTRY(x)) == x);
+axiom (forall x:int :: {Flink__LIST_ENTRYInv(x)} Flink__LIST_ENTRY(Flink__LIST_ENTRYInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Flink__LIST_ENTRY(S)[x]} _S_Flink__LIST_ENTRY(S)[x] <==> S[Flink__LIST_ENTRYInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Flink__LIST_ENTRYInv(S)[x]} _S_Flink__LIST_ENTRYInv(S)[x] <==> S[Flink__LIST_ENTRY(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Flink__LIST_ENTRY(S)} S[x] ==> _S_Flink__LIST_ENTRY(S)[Flink__LIST_ENTRY(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Flink__LIST_ENTRYInv(S)} S[x] ==> _S_Flink__LIST_ENTRYInv(S)[Flink__LIST_ENTRYInv(x)]);
+
+axiom (forall x:int :: {Flink__LIST_ENTRY(x)} Flink__LIST_ENTRY(x) == x + 0);
+axiom (forall x:int :: {Flink__LIST_ENTRYInv(x)} Flink__LIST_ENTRYInv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == Flink__LIST_ENTRYInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == Flink__LIST_ENTRYInv(x));
+function GrandMaster__GLOBALS(int) returns (int);
+function GrandMaster__GLOBALSInv(int) returns (int);
+function _S_GrandMaster__GLOBALS([int]bool) returns ([int]bool);
+function _S_GrandMaster__GLOBALSInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {GrandMaster__GLOBALSInv(GrandMaster__GLOBALS(x))} GrandMaster__GLOBALSInv(GrandMaster__GLOBALS(x)) == x);
+axiom (forall x:int :: {GrandMaster__GLOBALSInv(x)} GrandMaster__GLOBALS(GrandMaster__GLOBALSInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_GrandMaster__GLOBALS(S)[x]} _S_GrandMaster__GLOBALS(S)[x] <==> S[GrandMaster__GLOBALSInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_GrandMaster__GLOBALSInv(S)[x]} _S_GrandMaster__GLOBALSInv(S)[x] <==> S[GrandMaster__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_GrandMaster__GLOBALS(S)} S[x] ==> _S_GrandMaster__GLOBALS(S)[GrandMaster__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_GrandMaster__GLOBALSInv(S)} S[x] ==> _S_GrandMaster__GLOBALSInv(S)[GrandMaster__GLOBALSInv(x)]);
+
+axiom (forall x:int :: {GrandMaster__GLOBALS(x)} GrandMaster__GLOBALS(x) == x + 4);
+axiom (forall x:int :: {GrandMaster__GLOBALSInv(x)} GrandMaster__GLOBALSInv(x) == x - 4);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1) == GrandMaster__GLOBALSInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 4)} MINUS_LEFT_PTR(x, 1, 4) == GrandMaster__GLOBALSInv(x));
+function GuidCount__WMILIB_CONTEXT(int) returns (int);
+function GuidCount__WMILIB_CONTEXTInv(int) returns (int);
+function _S_GuidCount__WMILIB_CONTEXT([int]bool) returns ([int]bool);
+function _S_GuidCount__WMILIB_CONTEXTInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {GuidCount__WMILIB_CONTEXTInv(GuidCount__WMILIB_CONTEXT(x))} GuidCount__WMILIB_CONTEXTInv(GuidCount__WMILIB_CONTEXT(x)) == x);
+axiom (forall x:int :: {GuidCount__WMILIB_CONTEXTInv(x)} GuidCount__WMILIB_CONTEXT(GuidCount__WMILIB_CONTEXTInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_GuidCount__WMILIB_CONTEXT(S)[x]} _S_GuidCount__WMILIB_CONTEXT(S)[x] <==> S[GuidCount__WMILIB_CONTEXTInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_GuidCount__WMILIB_CONTEXTInv(S)[x]} _S_GuidCount__WMILIB_CONTEXTInv(S)[x] <==> S[GuidCount__WMILIB_CONTEXT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_GuidCount__WMILIB_CONTEXT(S)} S[x] ==> _S_GuidCount__WMILIB_CONTEXT(S)[GuidCount__WMILIB_CONTEXT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_GuidCount__WMILIB_CONTEXTInv(S)} S[x] ==> _S_GuidCount__WMILIB_CONTEXTInv(S)[GuidCount__WMILIB_CONTEXTInv(x)]);
+
+axiom (forall x:int :: {GuidCount__WMILIB_CONTEXT(x)} GuidCount__WMILIB_CONTEXT(x) == x + 0);
+axiom (forall x:int :: {GuidCount__WMILIB_CONTEXTInv(x)} GuidCount__WMILIB_CONTEXTInv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == GuidCount__WMILIB_CONTEXTInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == GuidCount__WMILIB_CONTEXTInv(x));
+function GuidList__WMILIB_CONTEXT(int) returns (int);
+function GuidList__WMILIB_CONTEXTInv(int) returns (int);
+function _S_GuidList__WMILIB_CONTEXT([int]bool) returns ([int]bool);
+function _S_GuidList__WMILIB_CONTEXTInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {GuidList__WMILIB_CONTEXTInv(GuidList__WMILIB_CONTEXT(x))} GuidList__WMILIB_CONTEXTInv(GuidList__WMILIB_CONTEXT(x)) == x);
+axiom (forall x:int :: {GuidList__WMILIB_CONTEXTInv(x)} GuidList__WMILIB_CONTEXT(GuidList__WMILIB_CONTEXTInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_GuidList__WMILIB_CONTEXT(S)[x]} _S_GuidList__WMILIB_CONTEXT(S)[x] <==> S[GuidList__WMILIB_CONTEXTInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_GuidList__WMILIB_CONTEXTInv(S)[x]} _S_GuidList__WMILIB_CONTEXTInv(S)[x] <==> S[GuidList__WMILIB_CONTEXT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_GuidList__WMILIB_CONTEXT(S)} S[x] ==> _S_GuidList__WMILIB_CONTEXT(S)[GuidList__WMILIB_CONTEXT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_GuidList__WMILIB_CONTEXTInv(S)} S[x] ==> _S_GuidList__WMILIB_CONTEXTInv(S)[GuidList__WMILIB_CONTEXTInv(x)]);
+
+axiom (forall x:int :: {GuidList__WMILIB_CONTEXT(x)} GuidList__WMILIB_CONTEXT(x) == x + 4);
+axiom (forall x:int :: {GuidList__WMILIB_CONTEXTInv(x)} GuidList__WMILIB_CONTEXTInv(x) == x - 4);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1) == GuidList__WMILIB_CONTEXTInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 4)} MINUS_LEFT_PTR(x, 1, 4) == GuidList__WMILIB_CONTEXTInv(x));
+function Hand___unnamed_1_e30779f5(int) returns (int);
+function Hand___unnamed_1_e30779f5Inv(int) returns (int);
+function _S_Hand___unnamed_1_e30779f5([int]bool) returns ([int]bool);
+function _S_Hand___unnamed_1_e30779f5Inv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Hand___unnamed_1_e30779f5Inv(Hand___unnamed_1_e30779f5(x))} Hand___unnamed_1_e30779f5Inv(Hand___unnamed_1_e30779f5(x)) == x);
+axiom (forall x:int :: {Hand___unnamed_1_e30779f5Inv(x)} Hand___unnamed_1_e30779f5(Hand___unnamed_1_e30779f5Inv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Hand___unnamed_1_e30779f5(S)[x]} _S_Hand___unnamed_1_e30779f5(S)[x] <==> S[Hand___unnamed_1_e30779f5Inv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Hand___unnamed_1_e30779f5Inv(S)[x]} _S_Hand___unnamed_1_e30779f5Inv(S)[x] <==> S[Hand___unnamed_1_e30779f5(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Hand___unnamed_1_e30779f5(S)} S[x] ==> _S_Hand___unnamed_1_e30779f5(S)[Hand___unnamed_1_e30779f5(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Hand___unnamed_1_e30779f5Inv(S)} S[x] ==> _S_Hand___unnamed_1_e30779f5Inv(S)[Hand___unnamed_1_e30779f5Inv(x)]);
+
+axiom (forall x:int :: {Hand___unnamed_1_e30779f5(x)} Hand___unnamed_1_e30779f5(x) == x + 0);
+axiom (forall x:int :: {Hand___unnamed_1_e30779f5Inv(x)} Hand___unnamed_1_e30779f5Inv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == Hand___unnamed_1_e30779f5Inv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == Hand___unnamed_1_e30779f5Inv(x));
+function Header__KEVENT(int) returns (int);
+function Header__KEVENTInv(int) returns (int);
+function _S_Header__KEVENT([int]bool) returns ([int]bool);
+function _S_Header__KEVENTInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Header__KEVENTInv(Header__KEVENT(x))} Header__KEVENTInv(Header__KEVENT(x)) == x);
+axiom (forall x:int :: {Header__KEVENTInv(x)} Header__KEVENT(Header__KEVENTInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Header__KEVENT(S)[x]} _S_Header__KEVENT(S)[x] <==> S[Header__KEVENTInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Header__KEVENTInv(S)[x]} _S_Header__KEVENTInv(S)[x] <==> S[Header__KEVENT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Header__KEVENT(S)} S[x] ==> _S_Header__KEVENT(S)[Header__KEVENT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Header__KEVENTInv(S)} S[x] ==> _S_Header__KEVENTInv(S)[Header__KEVENTInv(x)]);
+
+axiom (forall x:int :: {Header__KEVENT(x)} Header__KEVENT(x) == x + 0);
+axiom (forall x:int :: {Header__KEVENTInv(x)} Header__KEVENTInv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == Header__KEVENTInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == Header__KEVENTInv(x));
+function HighWatermark__IO_REMOVE_LOCK_DBG_BLOCK(int) returns (int);
+function HighWatermark__IO_REMOVE_LOCK_DBG_BLOCKInv(int) returns (int);
+function _S_HighWatermark__IO_REMOVE_LOCK_DBG_BLOCK([int]bool) returns ([int]bool);
+function _S_HighWatermark__IO_REMOVE_LOCK_DBG_BLOCKInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {HighWatermark__IO_REMOVE_LOCK_DBG_BLOCKInv(HighWatermark__IO_REMOVE_LOCK_DBG_BLOCK(x))} HighWatermark__IO_REMOVE_LOCK_DBG_BLOCKInv(HighWatermark__IO_REMOVE_LOCK_DBG_BLOCK(x)) == x);
+axiom (forall x:int :: {HighWatermark__IO_REMOVE_LOCK_DBG_BLOCKInv(x)} HighWatermark__IO_REMOVE_LOCK_DBG_BLOCK(HighWatermark__IO_REMOVE_LOCK_DBG_BLOCKInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_HighWatermark__IO_REMOVE_LOCK_DBG_BLOCK(S)[x]} _S_HighWatermark__IO_REMOVE_LOCK_DBG_BLOCK(S)[x] <==> S[HighWatermark__IO_REMOVE_LOCK_DBG_BLOCKInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_HighWatermark__IO_REMOVE_LOCK_DBG_BLOCKInv(S)[x]} _S_HighWatermark__IO_REMOVE_LOCK_DBG_BLOCKInv(S)[x] <==> S[HighWatermark__IO_REMOVE_LOCK_DBG_BLOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_HighWatermark__IO_REMOVE_LOCK_DBG_BLOCK(S)} S[x] ==> _S_HighWatermark__IO_REMOVE_LOCK_DBG_BLOCK(S)[HighWatermark__IO_REMOVE_LOCK_DBG_BLOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_HighWatermark__IO_REMOVE_LOCK_DBG_BLOCKInv(S)} S[x] ==> _S_HighWatermark__IO_REMOVE_LOCK_DBG_BLOCKInv(S)[HighWatermark__IO_REMOVE_LOCK_DBG_BLOCKInv(x)]);
+
+axiom (forall x:int :: {HighWatermark__IO_REMOVE_LOCK_DBG_BLOCK(x)} HighWatermark__IO_REMOVE_LOCK_DBG_BLOCK(x) == x + 4);
+axiom (forall x:int :: {HighWatermark__IO_REMOVE_LOCK_DBG_BLOCKInv(x)} HighWatermark__IO_REMOVE_LOCK_DBG_BLOCKInv(x) == x - 4);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1) == HighWatermark__IO_REMOVE_LOCK_DBG_BLOCKInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 4)} MINUS_LEFT_PTR(x, 1, 4) == HighWatermark__IO_REMOVE_LOCK_DBG_BLOCKInv(x));
+function InputCount__DEVICE_EXTENSION(int) returns (int);
+function InputCount__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_InputCount__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_InputCount__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {InputCount__DEVICE_EXTENSIONInv(InputCount__DEVICE_EXTENSION(x))} InputCount__DEVICE_EXTENSIONInv(InputCount__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {InputCount__DEVICE_EXTENSIONInv(x)} InputCount__DEVICE_EXTENSION(InputCount__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_InputCount__DEVICE_EXTENSION(S)[x]} _S_InputCount__DEVICE_EXTENSION(S)[x] <==> S[InputCount__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_InputCount__DEVICE_EXTENSIONInv(S)[x]} _S_InputCount__DEVICE_EXTENSIONInv(S)[x] <==> S[InputCount__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_InputCount__DEVICE_EXTENSION(S)} S[x] ==> _S_InputCount__DEVICE_EXTENSION(S)[InputCount__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_InputCount__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_InputCount__DEVICE_EXTENSIONInv(S)[InputCount__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {InputCount__DEVICE_EXTENSION(x)} InputCount__DEVICE_EXTENSION(x) == x + 116);
+axiom (forall x:int :: {InputCount__DEVICE_EXTENSIONInv(x)} InputCount__DEVICE_EXTENSIONInv(x) == x - 116);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 116, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 116, 1) == InputCount__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 116)} MINUS_LEFT_PTR(x, 1, 116) == InputCount__DEVICE_EXTENSIONInv(x));
+function InputDataQueueLength__MOUSE_ATTRIBUTES(int) returns (int);
+function InputDataQueueLength__MOUSE_ATTRIBUTESInv(int) returns (int);
+function _S_InputDataQueueLength__MOUSE_ATTRIBUTES([int]bool) returns ([int]bool);
+function _S_InputDataQueueLength__MOUSE_ATTRIBUTESInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {InputDataQueueLength__MOUSE_ATTRIBUTESInv(InputDataQueueLength__MOUSE_ATTRIBUTES(x))} InputDataQueueLength__MOUSE_ATTRIBUTESInv(InputDataQueueLength__MOUSE_ATTRIBUTES(x)) == x);
+axiom (forall x:int :: {InputDataQueueLength__MOUSE_ATTRIBUTESInv(x)} InputDataQueueLength__MOUSE_ATTRIBUTES(InputDataQueueLength__MOUSE_ATTRIBUTESInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_InputDataQueueLength__MOUSE_ATTRIBUTES(S)[x]} _S_InputDataQueueLength__MOUSE_ATTRIBUTES(S)[x] <==> S[InputDataQueueLength__MOUSE_ATTRIBUTESInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_InputDataQueueLength__MOUSE_ATTRIBUTESInv(S)[x]} _S_InputDataQueueLength__MOUSE_ATTRIBUTESInv(S)[x] <==> S[InputDataQueueLength__MOUSE_ATTRIBUTES(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_InputDataQueueLength__MOUSE_ATTRIBUTES(S)} S[x] ==> _S_InputDataQueueLength__MOUSE_ATTRIBUTES(S)[InputDataQueueLength__MOUSE_ATTRIBUTES(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_InputDataQueueLength__MOUSE_ATTRIBUTESInv(S)} S[x] ==> _S_InputDataQueueLength__MOUSE_ATTRIBUTESInv(S)[InputDataQueueLength__MOUSE_ATTRIBUTESInv(x)]);
+
+axiom (forall x:int :: {InputDataQueueLength__MOUSE_ATTRIBUTES(x)} InputDataQueueLength__MOUSE_ATTRIBUTES(x) == x + 8);
+axiom (forall x:int :: {InputDataQueueLength__MOUSE_ATTRIBUTESInv(x)} InputDataQueueLength__MOUSE_ATTRIBUTESInv(x) == x - 8);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 8, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 8, 1) == InputDataQueueLength__MOUSE_ATTRIBUTESInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 8)} MINUS_LEFT_PTR(x, 1, 8) == InputDataQueueLength__MOUSE_ATTRIBUTESInv(x));
+function InputData__DEVICE_EXTENSION(int) returns (int);
+function InputData__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_InputData__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_InputData__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {InputData__DEVICE_EXTENSIONInv(InputData__DEVICE_EXTENSION(x))} InputData__DEVICE_EXTENSIONInv(InputData__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {InputData__DEVICE_EXTENSIONInv(x)} InputData__DEVICE_EXTENSION(InputData__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_InputData__DEVICE_EXTENSION(S)[x]} _S_InputData__DEVICE_EXTENSION(S)[x] <==> S[InputData__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_InputData__DEVICE_EXTENSIONInv(S)[x]} _S_InputData__DEVICE_EXTENSIONInv(S)[x] <==> S[InputData__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_InputData__DEVICE_EXTENSION(S)} S[x] ==> _S_InputData__DEVICE_EXTENSION(S)[InputData__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_InputData__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_InputData__DEVICE_EXTENSIONInv(S)[InputData__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {InputData__DEVICE_EXTENSION(x)} InputData__DEVICE_EXTENSION(x) == x + 128);
+axiom (forall x:int :: {InputData__DEVICE_EXTENSIONInv(x)} InputData__DEVICE_EXTENSIONInv(x) == x - 128);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 128, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 128, 1) == InputData__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 128)} MINUS_LEFT_PTR(x, 1, 128) == InputData__DEVICE_EXTENSIONInv(x));
+function Inserted___unnamed_1_9fa0583a(int) returns (int);
+function Inserted___unnamed_1_9fa0583aInv(int) returns (int);
+function _S_Inserted___unnamed_1_9fa0583a([int]bool) returns ([int]bool);
+function _S_Inserted___unnamed_1_9fa0583aInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Inserted___unnamed_1_9fa0583aInv(Inserted___unnamed_1_9fa0583a(x))} Inserted___unnamed_1_9fa0583aInv(Inserted___unnamed_1_9fa0583a(x)) == x);
+axiom (forall x:int :: {Inserted___unnamed_1_9fa0583aInv(x)} Inserted___unnamed_1_9fa0583a(Inserted___unnamed_1_9fa0583aInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Inserted___unnamed_1_9fa0583a(S)[x]} _S_Inserted___unnamed_1_9fa0583a(S)[x] <==> S[Inserted___unnamed_1_9fa0583aInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Inserted___unnamed_1_9fa0583aInv(S)[x]} _S_Inserted___unnamed_1_9fa0583aInv(S)[x] <==> S[Inserted___unnamed_1_9fa0583a(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Inserted___unnamed_1_9fa0583a(S)} S[x] ==> _S_Inserted___unnamed_1_9fa0583a(S)[Inserted___unnamed_1_9fa0583a(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Inserted___unnamed_1_9fa0583aInv(S)} S[x] ==> _S_Inserted___unnamed_1_9fa0583aInv(S)[Inserted___unnamed_1_9fa0583aInv(x)]);
+
+axiom (forall x:int :: {Inserted___unnamed_1_9fa0583a(x)} Inserted___unnamed_1_9fa0583a(x) == x + 0);
+axiom (forall x:int :: {Inserted___unnamed_1_9fa0583aInv(x)} Inserted___unnamed_1_9fa0583aInv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == Inserted___unnamed_1_9fa0583aInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == Inserted___unnamed_1_9fa0583aInv(x));
+function IoCount__IO_REMOVE_LOCK_COMMON_BLOCK(int) returns (int);
+function IoCount__IO_REMOVE_LOCK_COMMON_BLOCKInv(int) returns (int);
+function _S_IoCount__IO_REMOVE_LOCK_COMMON_BLOCK([int]bool) returns ([int]bool);
+function _S_IoCount__IO_REMOVE_LOCK_COMMON_BLOCKInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {IoCount__IO_REMOVE_LOCK_COMMON_BLOCKInv(IoCount__IO_REMOVE_LOCK_COMMON_BLOCK(x))} IoCount__IO_REMOVE_LOCK_COMMON_BLOCKInv(IoCount__IO_REMOVE_LOCK_COMMON_BLOCK(x)) == x);
+axiom (forall x:int :: {IoCount__IO_REMOVE_LOCK_COMMON_BLOCKInv(x)} IoCount__IO_REMOVE_LOCK_COMMON_BLOCK(IoCount__IO_REMOVE_LOCK_COMMON_BLOCKInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_IoCount__IO_REMOVE_LOCK_COMMON_BLOCK(S)[x]} _S_IoCount__IO_REMOVE_LOCK_COMMON_BLOCK(S)[x] <==> S[IoCount__IO_REMOVE_LOCK_COMMON_BLOCKInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_IoCount__IO_REMOVE_LOCK_COMMON_BLOCKInv(S)[x]} _S_IoCount__IO_REMOVE_LOCK_COMMON_BLOCKInv(S)[x] <==> S[IoCount__IO_REMOVE_LOCK_COMMON_BLOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_IoCount__IO_REMOVE_LOCK_COMMON_BLOCK(S)} S[x] ==> _S_IoCount__IO_REMOVE_LOCK_COMMON_BLOCK(S)[IoCount__IO_REMOVE_LOCK_COMMON_BLOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_IoCount__IO_REMOVE_LOCK_COMMON_BLOCKInv(S)} S[x] ==> _S_IoCount__IO_REMOVE_LOCK_COMMON_BLOCKInv(S)[IoCount__IO_REMOVE_LOCK_COMMON_BLOCKInv(x)]);
+
+axiom (forall x:int :: {IoCount__IO_REMOVE_LOCK_COMMON_BLOCK(x)} IoCount__IO_REMOVE_LOCK_COMMON_BLOCK(x) == x + 4);
+axiom (forall x:int :: {IoCount__IO_REMOVE_LOCK_COMMON_BLOCKInv(x)} IoCount__IO_REMOVE_LOCK_COMMON_BLOCKInv(x) == x - 4);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1) == IoCount__IO_REMOVE_LOCK_COMMON_BLOCKInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 4)} MINUS_LEFT_PTR(x, 1, 4) == IoCount__IO_REMOVE_LOCK_COMMON_BLOCKInv(x));
+function LegacyDeviceList__GLOBALS(int) returns (int);
+function LegacyDeviceList__GLOBALSInv(int) returns (int);
+function _S_LegacyDeviceList__GLOBALS([int]bool) returns ([int]bool);
+function _S_LegacyDeviceList__GLOBALSInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {LegacyDeviceList__GLOBALSInv(LegacyDeviceList__GLOBALS(x))} LegacyDeviceList__GLOBALSInv(LegacyDeviceList__GLOBALS(x)) == x);
+axiom (forall x:int :: {LegacyDeviceList__GLOBALSInv(x)} LegacyDeviceList__GLOBALS(LegacyDeviceList__GLOBALSInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_LegacyDeviceList__GLOBALS(S)[x]} _S_LegacyDeviceList__GLOBALS(S)[x] <==> S[LegacyDeviceList__GLOBALSInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_LegacyDeviceList__GLOBALSInv(S)[x]} _S_LegacyDeviceList__GLOBALSInv(S)[x] <==> S[LegacyDeviceList__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_LegacyDeviceList__GLOBALS(S)} S[x] ==> _S_LegacyDeviceList__GLOBALS(S)[LegacyDeviceList__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_LegacyDeviceList__GLOBALSInv(S)} S[x] ==> _S_LegacyDeviceList__GLOBALSInv(S)[LegacyDeviceList__GLOBALSInv(x)]);
+
+axiom (forall x:int :: {LegacyDeviceList__GLOBALS(x)} LegacyDeviceList__GLOBALS(x) == x + 864);
+axiom (forall x:int :: {LegacyDeviceList__GLOBALSInv(x)} LegacyDeviceList__GLOBALSInv(x) == x - 864);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 864, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 864, 1) == LegacyDeviceList__GLOBALSInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 864)} MINUS_LEFT_PTR(x, 1, 864) == LegacyDeviceList__GLOBALSInv(x));
+function Length__UNICODE_STRING(int) returns (int);
+function Length__UNICODE_STRINGInv(int) returns (int);
+function _S_Length__UNICODE_STRING([int]bool) returns ([int]bool);
+function _S_Length__UNICODE_STRINGInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Length__UNICODE_STRINGInv(Length__UNICODE_STRING(x))} Length__UNICODE_STRINGInv(Length__UNICODE_STRING(x)) == x);
+axiom (forall x:int :: {Length__UNICODE_STRINGInv(x)} Length__UNICODE_STRING(Length__UNICODE_STRINGInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Length__UNICODE_STRING(S)[x]} _S_Length__UNICODE_STRING(S)[x] <==> S[Length__UNICODE_STRINGInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Length__UNICODE_STRINGInv(S)[x]} _S_Length__UNICODE_STRINGInv(S)[x] <==> S[Length__UNICODE_STRING(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Length__UNICODE_STRING(S)} S[x] ==> _S_Length__UNICODE_STRING(S)[Length__UNICODE_STRING(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Length__UNICODE_STRINGInv(S)} S[x] ==> _S_Length__UNICODE_STRINGInv(S)[Length__UNICODE_STRINGInv(x)]);
+
+axiom (forall x:int :: {Length__UNICODE_STRING(x)} Length__UNICODE_STRING(x) == x + 0);
+axiom (forall x:int :: {Length__UNICODE_STRINGInv(x)} Length__UNICODE_STRINGInv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == Length__UNICODE_STRINGInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == Length__UNICODE_STRINGInv(x));
+function Link__DEVICE_EXTENSION(int) returns (int);
+function Link__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_Link__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_Link__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Link__DEVICE_EXTENSIONInv(Link__DEVICE_EXTENSION(x))} Link__DEVICE_EXTENSIONInv(Link__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {Link__DEVICE_EXTENSIONInv(x)} Link__DEVICE_EXTENSION(Link__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Link__DEVICE_EXTENSION(S)[x]} _S_Link__DEVICE_EXTENSION(S)[x] <==> S[Link__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Link__DEVICE_EXTENSIONInv(S)[x]} _S_Link__DEVICE_EXTENSIONInv(S)[x] <==> S[Link__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Link__DEVICE_EXTENSION(S)} S[x] ==> _S_Link__DEVICE_EXTENSION(S)[Link__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Link__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_Link__DEVICE_EXTENSIONInv(S)[Link__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {Link__DEVICE_EXTENSION(x)} Link__DEVICE_EXTENSION(x) == x + 252);
+axiom (forall x:int :: {Link__DEVICE_EXTENSIONInv(x)} Link__DEVICE_EXTENSIONInv(x) == x - 252);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 252, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 252, 1) == Link__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 252)} MINUS_LEFT_PTR(x, 1, 252) == Link__DEVICE_EXTENSIONInv(x));
+function LockList__IO_REMOVE_LOCK_DBG_BLOCK(int) returns (int);
+function LockList__IO_REMOVE_LOCK_DBG_BLOCKInv(int) returns (int);
+function _S_LockList__IO_REMOVE_LOCK_DBG_BLOCK([int]bool) returns ([int]bool);
+function _S_LockList__IO_REMOVE_LOCK_DBG_BLOCKInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {LockList__IO_REMOVE_LOCK_DBG_BLOCKInv(LockList__IO_REMOVE_LOCK_DBG_BLOCK(x))} LockList__IO_REMOVE_LOCK_DBG_BLOCKInv(LockList__IO_REMOVE_LOCK_DBG_BLOCK(x)) == x);
+axiom (forall x:int :: {LockList__IO_REMOVE_LOCK_DBG_BLOCKInv(x)} LockList__IO_REMOVE_LOCK_DBG_BLOCK(LockList__IO_REMOVE_LOCK_DBG_BLOCKInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_LockList__IO_REMOVE_LOCK_DBG_BLOCK(S)[x]} _S_LockList__IO_REMOVE_LOCK_DBG_BLOCK(S)[x] <==> S[LockList__IO_REMOVE_LOCK_DBG_BLOCKInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_LockList__IO_REMOVE_LOCK_DBG_BLOCKInv(S)[x]} _S_LockList__IO_REMOVE_LOCK_DBG_BLOCKInv(S)[x] <==> S[LockList__IO_REMOVE_LOCK_DBG_BLOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_LockList__IO_REMOVE_LOCK_DBG_BLOCK(S)} S[x] ==> _S_LockList__IO_REMOVE_LOCK_DBG_BLOCK(S)[LockList__IO_REMOVE_LOCK_DBG_BLOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_LockList__IO_REMOVE_LOCK_DBG_BLOCKInv(S)} S[x] ==> _S_LockList__IO_REMOVE_LOCK_DBG_BLOCKInv(S)[LockList__IO_REMOVE_LOCK_DBG_BLOCKInv(x)]);
+
+axiom (forall x:int :: {LockList__IO_REMOVE_LOCK_DBG_BLOCK(x)} LockList__IO_REMOVE_LOCK_DBG_BLOCK(x) == x + 20);
+axiom (forall x:int :: {LockList__IO_REMOVE_LOCK_DBG_BLOCKInv(x)} LockList__IO_REMOVE_LOCK_DBG_BLOCKInv(x) == x - 20);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 20, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 20, 1) == LockList__IO_REMOVE_LOCK_DBG_BLOCKInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 20)} MINUS_LEFT_PTR(x, 1, 20) == LockList__IO_REMOVE_LOCK_DBG_BLOCKInv(x));
+function Lock___unnamed_4_c9b2e921(int) returns (int);
+function Lock___unnamed_4_c9b2e921Inv(int) returns (int);
+function _S_Lock___unnamed_4_c9b2e921([int]bool) returns ([int]bool);
+function _S_Lock___unnamed_4_c9b2e921Inv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Lock___unnamed_4_c9b2e921Inv(Lock___unnamed_4_c9b2e921(x))} Lock___unnamed_4_c9b2e921Inv(Lock___unnamed_4_c9b2e921(x)) == x);
+axiom (forall x:int :: {Lock___unnamed_4_c9b2e921Inv(x)} Lock___unnamed_4_c9b2e921(Lock___unnamed_4_c9b2e921Inv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Lock___unnamed_4_c9b2e921(S)[x]} _S_Lock___unnamed_4_c9b2e921(S)[x] <==> S[Lock___unnamed_4_c9b2e921Inv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Lock___unnamed_4_c9b2e921Inv(S)[x]} _S_Lock___unnamed_4_c9b2e921Inv(S)[x] <==> S[Lock___unnamed_4_c9b2e921(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Lock___unnamed_4_c9b2e921(S)} S[x] ==> _S_Lock___unnamed_4_c9b2e921(S)[Lock___unnamed_4_c9b2e921(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Lock___unnamed_4_c9b2e921Inv(S)} S[x] ==> _S_Lock___unnamed_4_c9b2e921Inv(S)[Lock___unnamed_4_c9b2e921Inv(x)]);
+
+axiom (forall x:int :: {Lock___unnamed_4_c9b2e921(x)} Lock___unnamed_4_c9b2e921(x) == x + 0);
+axiom (forall x:int :: {Lock___unnamed_4_c9b2e921Inv(x)} Lock___unnamed_4_c9b2e921Inv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == Lock___unnamed_4_c9b2e921Inv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == Lock___unnamed_4_c9b2e921Inv(x));
+function LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCK(int) returns (int);
+function LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCKInv(int) returns (int);
+function _S_LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCK([int]bool) returns ([int]bool);
+function _S_LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCKInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCKInv(LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCK(x))} LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCKInv(LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCK(x)) == x);
+axiom (forall x:int :: {LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCKInv(x)} LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCK(LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCKInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCK(S)[x]} _S_LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCK(S)[x] <==> S[LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCKInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCKInv(S)[x]} _S_LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCKInv(S)[x] <==> S[LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCK(S)} S[x] ==> _S_LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCK(S)[LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCKInv(S)} S[x] ==> _S_LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCKInv(S)[LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCKInv(x)]);
+
+axiom (forall x:int :: {LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCK(x)} LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCK(x) == x + 32);
+axiom (forall x:int :: {LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCKInv(x)} LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCKInv(x) == x - 32);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 32, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 32, 1) == LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCKInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 32)} MINUS_LEFT_PTR(x, 1, 32) == LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCKInv(x));
+function MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCK(int) returns (int);
+function MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCKInv(int) returns (int);
+function _S_MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCK([int]bool) returns ([int]bool);
+function _S_MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCKInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCKInv(MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCK(x))} MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCKInv(MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCK(x)) == x);
+axiom (forall x:int :: {MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCKInv(x)} MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCK(MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCKInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCK(S)[x]} _S_MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCK(S)[x] <==> S[MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCKInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCKInv(S)[x]} _S_MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCKInv(S)[x] <==> S[MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCK(S)} S[x] ==> _S_MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCK(S)[MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCKInv(S)} S[x] ==> _S_MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCKInv(S)[MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCKInv(x)]);
+
+axiom (forall x:int :: {MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCK(x)} MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCK(x) == x + 8);
+axiom (forall x:int :: {MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCKInv(x)} MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCKInv(x) == x - 8);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 8, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 8, 1) == MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCKInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 8)} MINUS_LEFT_PTR(x, 1, 8) == MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCKInv(x));
+function MaximumLength__UNICODE_STRING(int) returns (int);
+function MaximumLength__UNICODE_STRINGInv(int) returns (int);
+function _S_MaximumLength__UNICODE_STRING([int]bool) returns ([int]bool);
+function _S_MaximumLength__UNICODE_STRINGInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {MaximumLength__UNICODE_STRINGInv(MaximumLength__UNICODE_STRING(x))} MaximumLength__UNICODE_STRINGInv(MaximumLength__UNICODE_STRING(x)) == x);
+axiom (forall x:int :: {MaximumLength__UNICODE_STRINGInv(x)} MaximumLength__UNICODE_STRING(MaximumLength__UNICODE_STRINGInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_MaximumLength__UNICODE_STRING(S)[x]} _S_MaximumLength__UNICODE_STRING(S)[x] <==> S[MaximumLength__UNICODE_STRINGInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_MaximumLength__UNICODE_STRINGInv(S)[x]} _S_MaximumLength__UNICODE_STRINGInv(S)[x] <==> S[MaximumLength__UNICODE_STRING(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_MaximumLength__UNICODE_STRING(S)} S[x] ==> _S_MaximumLength__UNICODE_STRING(S)[MaximumLength__UNICODE_STRING(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_MaximumLength__UNICODE_STRINGInv(S)} S[x] ==> _S_MaximumLength__UNICODE_STRINGInv(S)[MaximumLength__UNICODE_STRINGInv(x)]);
+
+axiom (forall x:int :: {MaximumLength__UNICODE_STRING(x)} MaximumLength__UNICODE_STRING(x) == x + 2);
+axiom (forall x:int :: {MaximumLength__UNICODE_STRINGInv(x)} MaximumLength__UNICODE_STRINGInv(x) == x - 2);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 2, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 2, 1) == MaximumLength__UNICODE_STRINGInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 2)} MINUS_LEFT_PTR(x, 1, 2) == MaximumLength__UNICODE_STRINGInv(x));
+function MinDeviceWakeState__DEVICE_EXTENSION(int) returns (int);
+function MinDeviceWakeState__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_MinDeviceWakeState__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_MinDeviceWakeState__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {MinDeviceWakeState__DEVICE_EXTENSIONInv(MinDeviceWakeState__DEVICE_EXTENSION(x))} MinDeviceWakeState__DEVICE_EXTENSIONInv(MinDeviceWakeState__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {MinDeviceWakeState__DEVICE_EXTENSIONInv(x)} MinDeviceWakeState__DEVICE_EXTENSION(MinDeviceWakeState__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_MinDeviceWakeState__DEVICE_EXTENSION(S)[x]} _S_MinDeviceWakeState__DEVICE_EXTENSION(S)[x] <==> S[MinDeviceWakeState__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_MinDeviceWakeState__DEVICE_EXTENSIONInv(S)[x]} _S_MinDeviceWakeState__DEVICE_EXTENSIONInv(S)[x] <==> S[MinDeviceWakeState__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_MinDeviceWakeState__DEVICE_EXTENSION(S)} S[x] ==> _S_MinDeviceWakeState__DEVICE_EXTENSION(S)[MinDeviceWakeState__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_MinDeviceWakeState__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_MinDeviceWakeState__DEVICE_EXTENSIONInv(S)[MinDeviceWakeState__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {MinDeviceWakeState__DEVICE_EXTENSION(x)} MinDeviceWakeState__DEVICE_EXTENSION(x) == x + 232);
+axiom (forall x:int :: {MinDeviceWakeState__DEVICE_EXTENSIONInv(x)} MinDeviceWakeState__DEVICE_EXTENSIONInv(x) == x - 232);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 232, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 232, 1) == MinDeviceWakeState__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 232)} MINUS_LEFT_PTR(x, 1, 232) == MinDeviceWakeState__DEVICE_EXTENSIONInv(x));
+function MinSystemWakeState__DEVICE_EXTENSION(int) returns (int);
+function MinSystemWakeState__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_MinSystemWakeState__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_MinSystemWakeState__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {MinSystemWakeState__DEVICE_EXTENSIONInv(MinSystemWakeState__DEVICE_EXTENSION(x))} MinSystemWakeState__DEVICE_EXTENSIONInv(MinSystemWakeState__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {MinSystemWakeState__DEVICE_EXTENSIONInv(x)} MinSystemWakeState__DEVICE_EXTENSION(MinSystemWakeState__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_MinSystemWakeState__DEVICE_EXTENSION(S)[x]} _S_MinSystemWakeState__DEVICE_EXTENSION(S)[x] <==> S[MinSystemWakeState__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_MinSystemWakeState__DEVICE_EXTENSIONInv(S)[x]} _S_MinSystemWakeState__DEVICE_EXTENSIONInv(S)[x] <==> S[MinSystemWakeState__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_MinSystemWakeState__DEVICE_EXTENSION(S)} S[x] ==> _S_MinSystemWakeState__DEVICE_EXTENSION(S)[MinSystemWakeState__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_MinSystemWakeState__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_MinSystemWakeState__DEVICE_EXTENSIONInv(S)[MinSystemWakeState__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {MinSystemWakeState__DEVICE_EXTENSION(x)} MinSystemWakeState__DEVICE_EXTENSION(x) == x + 236);
+axiom (forall x:int :: {MinSystemWakeState__DEVICE_EXTENSIONInv(x)} MinSystemWakeState__DEVICE_EXTENSIONInv(x) == x - 236);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 236, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 236, 1) == MinSystemWakeState__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 236)} MINUS_LEFT_PTR(x, 1, 236) == MinSystemWakeState__DEVICE_EXTENSIONInv(x));
+function MouseAttributes__DEVICE_EXTENSION(int) returns (int);
+function MouseAttributes__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_MouseAttributes__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_MouseAttributes__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {MouseAttributes__DEVICE_EXTENSIONInv(MouseAttributes__DEVICE_EXTENSION(x))} MouseAttributes__DEVICE_EXTENSIONInv(MouseAttributes__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {MouseAttributes__DEVICE_EXTENSIONInv(x)} MouseAttributes__DEVICE_EXTENSION(MouseAttributes__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_MouseAttributes__DEVICE_EXTENSION(S)[x]} _S_MouseAttributes__DEVICE_EXTENSION(S)[x] <==> S[MouseAttributes__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_MouseAttributes__DEVICE_EXTENSIONInv(S)[x]} _S_MouseAttributes__DEVICE_EXTENSIONInv(S)[x] <==> S[MouseAttributes__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_MouseAttributes__DEVICE_EXTENSION(S)} S[x] ==> _S_MouseAttributes__DEVICE_EXTENSION(S)[MouseAttributes__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_MouseAttributes__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_MouseAttributes__DEVICE_EXTENSIONInv(S)[MouseAttributes__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {MouseAttributes__DEVICE_EXTENSION(x)} MouseAttributes__DEVICE_EXTENSION(x) == x + 140);
+axiom (forall x:int :: {MouseAttributes__DEVICE_EXTENSIONInv(x)} MouseAttributes__DEVICE_EXTENSIONInv(x) == x - 140);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 140, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 140, 1) == MouseAttributes__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 140)} MINUS_LEFT_PTR(x, 1, 140) == MouseAttributes__DEVICE_EXTENSIONInv(x));
+function MouseIdentifier__MOUSE_ATTRIBUTES(int) returns (int);
+function MouseIdentifier__MOUSE_ATTRIBUTESInv(int) returns (int);
+function _S_MouseIdentifier__MOUSE_ATTRIBUTES([int]bool) returns ([int]bool);
+function _S_MouseIdentifier__MOUSE_ATTRIBUTESInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {MouseIdentifier__MOUSE_ATTRIBUTESInv(MouseIdentifier__MOUSE_ATTRIBUTES(x))} MouseIdentifier__MOUSE_ATTRIBUTESInv(MouseIdentifier__MOUSE_ATTRIBUTES(x)) == x);
+axiom (forall x:int :: {MouseIdentifier__MOUSE_ATTRIBUTESInv(x)} MouseIdentifier__MOUSE_ATTRIBUTES(MouseIdentifier__MOUSE_ATTRIBUTESInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_MouseIdentifier__MOUSE_ATTRIBUTES(S)[x]} _S_MouseIdentifier__MOUSE_ATTRIBUTES(S)[x] <==> S[MouseIdentifier__MOUSE_ATTRIBUTESInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_MouseIdentifier__MOUSE_ATTRIBUTESInv(S)[x]} _S_MouseIdentifier__MOUSE_ATTRIBUTESInv(S)[x] <==> S[MouseIdentifier__MOUSE_ATTRIBUTES(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_MouseIdentifier__MOUSE_ATTRIBUTES(S)} S[x] ==> _S_MouseIdentifier__MOUSE_ATTRIBUTES(S)[MouseIdentifier__MOUSE_ATTRIBUTES(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_MouseIdentifier__MOUSE_ATTRIBUTESInv(S)} S[x] ==> _S_MouseIdentifier__MOUSE_ATTRIBUTESInv(S)[MouseIdentifier__MOUSE_ATTRIBUTESInv(x)]);
+
+axiom (forall x:int :: {MouseIdentifier__MOUSE_ATTRIBUTES(x)} MouseIdentifier__MOUSE_ATTRIBUTES(x) == x + 0);
+axiom (forall x:int :: {MouseIdentifier__MOUSE_ATTRIBUTESInv(x)} MouseIdentifier__MOUSE_ATTRIBUTESInv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == MouseIdentifier__MOUSE_ATTRIBUTESInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == MouseIdentifier__MOUSE_ATTRIBUTESInv(x));
+function Mutex__GLOBALS(int) returns (int);
+function Mutex__GLOBALSInv(int) returns (int);
+function _S_Mutex__GLOBALS([int]bool) returns ([int]bool);
+function _S_Mutex__GLOBALSInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Mutex__GLOBALSInv(Mutex__GLOBALS(x))} Mutex__GLOBALSInv(Mutex__GLOBALS(x)) == x);
+axiom (forall x:int :: {Mutex__GLOBALSInv(x)} Mutex__GLOBALS(Mutex__GLOBALSInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Mutex__GLOBALS(S)[x]} _S_Mutex__GLOBALS(S)[x] <==> S[Mutex__GLOBALSInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Mutex__GLOBALSInv(S)[x]} _S_Mutex__GLOBALSInv(S)[x] <==> S[Mutex__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Mutex__GLOBALS(S)} S[x] ==> _S_Mutex__GLOBALS(S)[Mutex__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Mutex__GLOBALSInv(S)} S[x] ==> _S_Mutex__GLOBALSInv(S)[Mutex__GLOBALSInv(x)]);
+
+axiom (forall x:int :: {Mutex__GLOBALS(x)} Mutex__GLOBALS(x) == x + 24);
+axiom (forall x:int :: {Mutex__GLOBALSInv(x)} Mutex__GLOBALSInv(x) == x - 24);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 24, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 24, 1) == Mutex__GLOBALSInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 24)} MINUS_LEFT_PTR(x, 1, 24) == Mutex__GLOBALSInv(x));
+function NpxIrql___unnamed_1_2bb39c56(int) returns (int);
+function NpxIrql___unnamed_1_2bb39c56Inv(int) returns (int);
+function _S_NpxIrql___unnamed_1_2bb39c56([int]bool) returns ([int]bool);
+function _S_NpxIrql___unnamed_1_2bb39c56Inv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {NpxIrql___unnamed_1_2bb39c56Inv(NpxIrql___unnamed_1_2bb39c56(x))} NpxIrql___unnamed_1_2bb39c56Inv(NpxIrql___unnamed_1_2bb39c56(x)) == x);
+axiom (forall x:int :: {NpxIrql___unnamed_1_2bb39c56Inv(x)} NpxIrql___unnamed_1_2bb39c56(NpxIrql___unnamed_1_2bb39c56Inv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_NpxIrql___unnamed_1_2bb39c56(S)[x]} _S_NpxIrql___unnamed_1_2bb39c56(S)[x] <==> S[NpxIrql___unnamed_1_2bb39c56Inv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_NpxIrql___unnamed_1_2bb39c56Inv(S)[x]} _S_NpxIrql___unnamed_1_2bb39c56Inv(S)[x] <==> S[NpxIrql___unnamed_1_2bb39c56(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_NpxIrql___unnamed_1_2bb39c56(S)} S[x] ==> _S_NpxIrql___unnamed_1_2bb39c56(S)[NpxIrql___unnamed_1_2bb39c56(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_NpxIrql___unnamed_1_2bb39c56Inv(S)} S[x] ==> _S_NpxIrql___unnamed_1_2bb39c56Inv(S)[NpxIrql___unnamed_1_2bb39c56Inv(x)]);
+
+axiom (forall x:int :: {NpxIrql___unnamed_1_2bb39c56(x)} NpxIrql___unnamed_1_2bb39c56(x) == x + 0);
+axiom (forall x:int :: {NpxIrql___unnamed_1_2bb39c56Inv(x)} NpxIrql___unnamed_1_2bb39c56Inv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == NpxIrql___unnamed_1_2bb39c56Inv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == NpxIrql___unnamed_1_2bb39c56Inv(x));
+function NumberOfButtons__MOUSE_ATTRIBUTES(int) returns (int);
+function NumberOfButtons__MOUSE_ATTRIBUTESInv(int) returns (int);
+function _S_NumberOfButtons__MOUSE_ATTRIBUTES([int]bool) returns ([int]bool);
+function _S_NumberOfButtons__MOUSE_ATTRIBUTESInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {NumberOfButtons__MOUSE_ATTRIBUTESInv(NumberOfButtons__MOUSE_ATTRIBUTES(x))} NumberOfButtons__MOUSE_ATTRIBUTESInv(NumberOfButtons__MOUSE_ATTRIBUTES(x)) == x);
+axiom (forall x:int :: {NumberOfButtons__MOUSE_ATTRIBUTESInv(x)} NumberOfButtons__MOUSE_ATTRIBUTES(NumberOfButtons__MOUSE_ATTRIBUTESInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_NumberOfButtons__MOUSE_ATTRIBUTES(S)[x]} _S_NumberOfButtons__MOUSE_ATTRIBUTES(S)[x] <==> S[NumberOfButtons__MOUSE_ATTRIBUTESInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_NumberOfButtons__MOUSE_ATTRIBUTESInv(S)[x]} _S_NumberOfButtons__MOUSE_ATTRIBUTESInv(S)[x] <==> S[NumberOfButtons__MOUSE_ATTRIBUTES(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_NumberOfButtons__MOUSE_ATTRIBUTES(S)} S[x] ==> _S_NumberOfButtons__MOUSE_ATTRIBUTES(S)[NumberOfButtons__MOUSE_ATTRIBUTES(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_NumberOfButtons__MOUSE_ATTRIBUTESInv(S)} S[x] ==> _S_NumberOfButtons__MOUSE_ATTRIBUTESInv(S)[NumberOfButtons__MOUSE_ATTRIBUTESInv(x)]);
+
+axiom (forall x:int :: {NumberOfButtons__MOUSE_ATTRIBUTES(x)} NumberOfButtons__MOUSE_ATTRIBUTES(x) == x + 2);
+axiom (forall x:int :: {NumberOfButtons__MOUSE_ATTRIBUTESInv(x)} NumberOfButtons__MOUSE_ATTRIBUTESInv(x) == x - 2);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 2, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 2, 1) == NumberOfButtons__MOUSE_ATTRIBUTESInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 2)} MINUS_LEFT_PTR(x, 1, 2) == NumberOfButtons__MOUSE_ATTRIBUTESInv(x));
+function OkayToLogOverflow__DEVICE_EXTENSION(int) returns (int);
+function OkayToLogOverflow__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_OkayToLogOverflow__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_OkayToLogOverflow__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {OkayToLogOverflow__DEVICE_EXTENSIONInv(OkayToLogOverflow__DEVICE_EXTENSION(x))} OkayToLogOverflow__DEVICE_EXTENSIONInv(OkayToLogOverflow__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {OkayToLogOverflow__DEVICE_EXTENSIONInv(x)} OkayToLogOverflow__DEVICE_EXTENSION(OkayToLogOverflow__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_OkayToLogOverflow__DEVICE_EXTENSION(S)[x]} _S_OkayToLogOverflow__DEVICE_EXTENSION(S)[x] <==> S[OkayToLogOverflow__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_OkayToLogOverflow__DEVICE_EXTENSIONInv(S)[x]} _S_OkayToLogOverflow__DEVICE_EXTENSIONInv(S)[x] <==> S[OkayToLogOverflow__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_OkayToLogOverflow__DEVICE_EXTENSION(S)} S[x] ==> _S_OkayToLogOverflow__DEVICE_EXTENSION(S)[OkayToLogOverflow__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_OkayToLogOverflow__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_OkayToLogOverflow__DEVICE_EXTENSIONInv(S)[OkayToLogOverflow__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {OkayToLogOverflow__DEVICE_EXTENSION(x)} OkayToLogOverflow__DEVICE_EXTENSION(x) == x + 106);
+axiom (forall x:int :: {OkayToLogOverflow__DEVICE_EXTENSIONInv(x)} OkayToLogOverflow__DEVICE_EXTENSIONInv(x) == x - 106);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 106, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 106, 1) == OkayToLogOverflow__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 106)} MINUS_LEFT_PTR(x, 1, 106) == OkayToLogOverflow__DEVICE_EXTENSIONInv(x));
+function PDO__DEVICE_EXTENSION(int) returns (int);
+function PDO__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_PDO__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_PDO__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {PDO__DEVICE_EXTENSIONInv(PDO__DEVICE_EXTENSION(x))} PDO__DEVICE_EXTENSIONInv(PDO__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {PDO__DEVICE_EXTENSIONInv(x)} PDO__DEVICE_EXTENSION(PDO__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_PDO__DEVICE_EXTENSION(S)[x]} _S_PDO__DEVICE_EXTENSION(S)[x] <==> S[PDO__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_PDO__DEVICE_EXTENSIONInv(S)[x]} _S_PDO__DEVICE_EXTENSIONInv(S)[x] <==> S[PDO__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_PDO__DEVICE_EXTENSION(S)} S[x] ==> _S_PDO__DEVICE_EXTENSION(S)[PDO__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_PDO__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_PDO__DEVICE_EXTENSIONInv(S)[PDO__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {PDO__DEVICE_EXTENSION(x)} PDO__DEVICE_EXTENSION(x) == x + 12);
+axiom (forall x:int :: {PDO__DEVICE_EXTENSIONInv(x)} PDO__DEVICE_EXTENSIONInv(x) == x - 12);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 12, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 12, 1) == PDO__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 12)} MINUS_LEFT_PTR(x, 1, 12) == PDO__DEVICE_EXTENSIONInv(x));
+function PnP__DEVICE_EXTENSION(int) returns (int);
+function PnP__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_PnP__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_PnP__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {PnP__DEVICE_EXTENSIONInv(PnP__DEVICE_EXTENSION(x))} PnP__DEVICE_EXTENSIONInv(PnP__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {PnP__DEVICE_EXTENSIONInv(x)} PnP__DEVICE_EXTENSION(PnP__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_PnP__DEVICE_EXTENSION(S)[x]} _S_PnP__DEVICE_EXTENSION(S)[x] <==> S[PnP__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_PnP__DEVICE_EXTENSIONInv(S)[x]} _S_PnP__DEVICE_EXTENSIONInv(S)[x] <==> S[PnP__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_PnP__DEVICE_EXTENSION(S)} S[x] ==> _S_PnP__DEVICE_EXTENSION(S)[PnP__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_PnP__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_PnP__DEVICE_EXTENSIONInv(S)[PnP__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {PnP__DEVICE_EXTENSION(x)} PnP__DEVICE_EXTENSION(x) == x + 104);
+axiom (forall x:int :: {PnP__DEVICE_EXTENSIONInv(x)} PnP__DEVICE_EXTENSIONInv(x) == x - 104);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 104, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 104, 1) == PnP__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 104)} MINUS_LEFT_PTR(x, 1, 104) == PnP__DEVICE_EXTENSIONInv(x));
+function QueryWmiDataBlock__WMILIB_CONTEXT(int) returns (int);
+function QueryWmiDataBlock__WMILIB_CONTEXTInv(int) returns (int);
+function _S_QueryWmiDataBlock__WMILIB_CONTEXT([int]bool) returns ([int]bool);
+function _S_QueryWmiDataBlock__WMILIB_CONTEXTInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {QueryWmiDataBlock__WMILIB_CONTEXTInv(QueryWmiDataBlock__WMILIB_CONTEXT(x))} QueryWmiDataBlock__WMILIB_CONTEXTInv(QueryWmiDataBlock__WMILIB_CONTEXT(x)) == x);
+axiom (forall x:int :: {QueryWmiDataBlock__WMILIB_CONTEXTInv(x)} QueryWmiDataBlock__WMILIB_CONTEXT(QueryWmiDataBlock__WMILIB_CONTEXTInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_QueryWmiDataBlock__WMILIB_CONTEXT(S)[x]} _S_QueryWmiDataBlock__WMILIB_CONTEXT(S)[x] <==> S[QueryWmiDataBlock__WMILIB_CONTEXTInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_QueryWmiDataBlock__WMILIB_CONTEXTInv(S)[x]} _S_QueryWmiDataBlock__WMILIB_CONTEXTInv(S)[x] <==> S[QueryWmiDataBlock__WMILIB_CONTEXT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_QueryWmiDataBlock__WMILIB_CONTEXT(S)} S[x] ==> _S_QueryWmiDataBlock__WMILIB_CONTEXT(S)[QueryWmiDataBlock__WMILIB_CONTEXT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_QueryWmiDataBlock__WMILIB_CONTEXTInv(S)} S[x] ==> _S_QueryWmiDataBlock__WMILIB_CONTEXTInv(S)[QueryWmiDataBlock__WMILIB_CONTEXTInv(x)]);
+
+axiom (forall x:int :: {QueryWmiDataBlock__WMILIB_CONTEXT(x)} QueryWmiDataBlock__WMILIB_CONTEXT(x) == x + 12);
+axiom (forall x:int :: {QueryWmiDataBlock__WMILIB_CONTEXTInv(x)} QueryWmiDataBlock__WMILIB_CONTEXTInv(x) == x - 12);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 12, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 12, 1) == QueryWmiDataBlock__WMILIB_CONTEXTInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 12)} MINUS_LEFT_PTR(x, 1, 12) == QueryWmiDataBlock__WMILIB_CONTEXTInv(x));
+function QueryWmiRegInfo__WMILIB_CONTEXT(int) returns (int);
+function QueryWmiRegInfo__WMILIB_CONTEXTInv(int) returns (int);
+function _S_QueryWmiRegInfo__WMILIB_CONTEXT([int]bool) returns ([int]bool);
+function _S_QueryWmiRegInfo__WMILIB_CONTEXTInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {QueryWmiRegInfo__WMILIB_CONTEXTInv(QueryWmiRegInfo__WMILIB_CONTEXT(x))} QueryWmiRegInfo__WMILIB_CONTEXTInv(QueryWmiRegInfo__WMILIB_CONTEXT(x)) == x);
+axiom (forall x:int :: {QueryWmiRegInfo__WMILIB_CONTEXTInv(x)} QueryWmiRegInfo__WMILIB_CONTEXT(QueryWmiRegInfo__WMILIB_CONTEXTInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_QueryWmiRegInfo__WMILIB_CONTEXT(S)[x]} _S_QueryWmiRegInfo__WMILIB_CONTEXT(S)[x] <==> S[QueryWmiRegInfo__WMILIB_CONTEXTInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_QueryWmiRegInfo__WMILIB_CONTEXTInv(S)[x]} _S_QueryWmiRegInfo__WMILIB_CONTEXTInv(S)[x] <==> S[QueryWmiRegInfo__WMILIB_CONTEXT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_QueryWmiRegInfo__WMILIB_CONTEXT(S)} S[x] ==> _S_QueryWmiRegInfo__WMILIB_CONTEXT(S)[QueryWmiRegInfo__WMILIB_CONTEXT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_QueryWmiRegInfo__WMILIB_CONTEXTInv(S)} S[x] ==> _S_QueryWmiRegInfo__WMILIB_CONTEXTInv(S)[QueryWmiRegInfo__WMILIB_CONTEXTInv(x)]);
+
+axiom (forall x:int :: {QueryWmiRegInfo__WMILIB_CONTEXT(x)} QueryWmiRegInfo__WMILIB_CONTEXT(x) == x + 8);
+axiom (forall x:int :: {QueryWmiRegInfo__WMILIB_CONTEXTInv(x)} QueryWmiRegInfo__WMILIB_CONTEXTInv(x) == x - 8);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 8, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 8, 1) == QueryWmiRegInfo__WMILIB_CONTEXTInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 8)} MINUS_LEFT_PTR(x, 1, 8) == QueryWmiRegInfo__WMILIB_CONTEXTInv(x));
+function ReadQueue__DEVICE_EXTENSION(int) returns (int);
+function ReadQueue__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_ReadQueue__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_ReadQueue__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {ReadQueue__DEVICE_EXTENSIONInv(ReadQueue__DEVICE_EXTENSION(x))} ReadQueue__DEVICE_EXTENSIONInv(ReadQueue__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {ReadQueue__DEVICE_EXTENSIONInv(x)} ReadQueue__DEVICE_EXTENSION(ReadQueue__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_ReadQueue__DEVICE_EXTENSION(S)[x]} _S_ReadQueue__DEVICE_EXTENSION(S)[x] <==> S[ReadQueue__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_ReadQueue__DEVICE_EXTENSIONInv(S)[x]} _S_ReadQueue__DEVICE_EXTENSIONInv(S)[x] <==> S[ReadQueue__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_ReadQueue__DEVICE_EXTENSION(S)} S[x] ==> _S_ReadQueue__DEVICE_EXTENSION(S)[ReadQueue__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_ReadQueue__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_ReadQueue__DEVICE_EXTENSIONInv(S)[ReadQueue__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {ReadQueue__DEVICE_EXTENSION(x)} ReadQueue__DEVICE_EXTENSION(x) == x + 156);
+axiom (forall x:int :: {ReadQueue__DEVICE_EXTENSIONInv(x)} ReadQueue__DEVICE_EXTENSIONInv(x) == x - 156);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 156, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 156, 1) == ReadQueue__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 156)} MINUS_LEFT_PTR(x, 1, 156) == ReadQueue__DEVICE_EXTENSIONInv(x));
+function RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCK(int) returns (int);
+function RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCKInv(int) returns (int);
+function _S_RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCK([int]bool) returns ([int]bool);
+function _S_RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCKInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCKInv(RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCK(x))} RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCKInv(RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCK(x)) == x);
+axiom (forall x:int :: {RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCKInv(x)} RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCK(RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCKInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCK(S)[x]} _S_RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCK(S)[x] <==> S[RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCKInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCKInv(S)[x]} _S_RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCKInv(S)[x] <==> S[RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCK(S)} S[x] ==> _S_RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCK(S)[RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCKInv(S)} S[x] ==> _S_RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCKInv(S)[RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCKInv(x)]);
+
+axiom (forall x:int :: {RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCK(x)} RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCK(x) == x + 8);
+axiom (forall x:int :: {RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCKInv(x)} RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCKInv(x) == x - 8);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 8, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 8, 1) == RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCKInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 8)} MINUS_LEFT_PTR(x, 1, 8) == RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCKInv(x));
+function RemoveLock__DEVICE_EXTENSION(int) returns (int);
+function RemoveLock__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_RemoveLock__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_RemoveLock__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {RemoveLock__DEVICE_EXTENSIONInv(RemoveLock__DEVICE_EXTENSION(x))} RemoveLock__DEVICE_EXTENSIONInv(RemoveLock__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {RemoveLock__DEVICE_EXTENSIONInv(x)} RemoveLock__DEVICE_EXTENSION(RemoveLock__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_RemoveLock__DEVICE_EXTENSION(S)[x]} _S_RemoveLock__DEVICE_EXTENSION(S)[x] <==> S[RemoveLock__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_RemoveLock__DEVICE_EXTENSIONInv(S)[x]} _S_RemoveLock__DEVICE_EXTENSIONInv(S)[x] <==> S[RemoveLock__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_RemoveLock__DEVICE_EXTENSION(S)} S[x] ==> _S_RemoveLock__DEVICE_EXTENSION(S)[RemoveLock__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_RemoveLock__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_RemoveLock__DEVICE_EXTENSIONInv(S)[RemoveLock__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {RemoveLock__DEVICE_EXTENSION(x)} RemoveLock__DEVICE_EXTENSION(x) == x + 16);
+axiom (forall x:int :: {RemoveLock__DEVICE_EXTENSIONInv(x)} RemoveLock__DEVICE_EXTENSIONInv(x) == x - 16);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 16, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 16, 1) == RemoveLock__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 16)} MINUS_LEFT_PTR(x, 1, 16) == RemoveLock__DEVICE_EXTENSIONInv(x));
+function Removed__IO_REMOVE_LOCK_COMMON_BLOCK(int) returns (int);
+function Removed__IO_REMOVE_LOCK_COMMON_BLOCKInv(int) returns (int);
+function _S_Removed__IO_REMOVE_LOCK_COMMON_BLOCK([int]bool) returns ([int]bool);
+function _S_Removed__IO_REMOVE_LOCK_COMMON_BLOCKInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Removed__IO_REMOVE_LOCK_COMMON_BLOCKInv(Removed__IO_REMOVE_LOCK_COMMON_BLOCK(x))} Removed__IO_REMOVE_LOCK_COMMON_BLOCKInv(Removed__IO_REMOVE_LOCK_COMMON_BLOCK(x)) == x);
+axiom (forall x:int :: {Removed__IO_REMOVE_LOCK_COMMON_BLOCKInv(x)} Removed__IO_REMOVE_LOCK_COMMON_BLOCK(Removed__IO_REMOVE_LOCK_COMMON_BLOCKInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Removed__IO_REMOVE_LOCK_COMMON_BLOCK(S)[x]} _S_Removed__IO_REMOVE_LOCK_COMMON_BLOCK(S)[x] <==> S[Removed__IO_REMOVE_LOCK_COMMON_BLOCKInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Removed__IO_REMOVE_LOCK_COMMON_BLOCKInv(S)[x]} _S_Removed__IO_REMOVE_LOCK_COMMON_BLOCKInv(S)[x] <==> S[Removed__IO_REMOVE_LOCK_COMMON_BLOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Removed__IO_REMOVE_LOCK_COMMON_BLOCK(S)} S[x] ==> _S_Removed__IO_REMOVE_LOCK_COMMON_BLOCK(S)[Removed__IO_REMOVE_LOCK_COMMON_BLOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Removed__IO_REMOVE_LOCK_COMMON_BLOCKInv(S)} S[x] ==> _S_Removed__IO_REMOVE_LOCK_COMMON_BLOCKInv(S)[Removed__IO_REMOVE_LOCK_COMMON_BLOCKInv(x)]);
+
+axiom (forall x:int :: {Removed__IO_REMOVE_LOCK_COMMON_BLOCK(x)} Removed__IO_REMOVE_LOCK_COMMON_BLOCK(x) == x + 0);
+axiom (forall x:int :: {Removed__IO_REMOVE_LOCK_COMMON_BLOCKInv(x)} Removed__IO_REMOVE_LOCK_COMMON_BLOCKInv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == Removed__IO_REMOVE_LOCK_COMMON_BLOCKInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == Removed__IO_REMOVE_LOCK_COMMON_BLOCKInv(x));
+function Reserved1__IO_REMOVE_LOCK_DBG_BLOCK(int) returns (int);
+function Reserved1__IO_REMOVE_LOCK_DBG_BLOCKInv(int) returns (int);
+function _S_Reserved1__IO_REMOVE_LOCK_DBG_BLOCK([int]bool) returns ([int]bool);
+function _S_Reserved1__IO_REMOVE_LOCK_DBG_BLOCKInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Reserved1__IO_REMOVE_LOCK_DBG_BLOCKInv(Reserved1__IO_REMOVE_LOCK_DBG_BLOCK(x))} Reserved1__IO_REMOVE_LOCK_DBG_BLOCKInv(Reserved1__IO_REMOVE_LOCK_DBG_BLOCK(x)) == x);
+axiom (forall x:int :: {Reserved1__IO_REMOVE_LOCK_DBG_BLOCKInv(x)} Reserved1__IO_REMOVE_LOCK_DBG_BLOCK(Reserved1__IO_REMOVE_LOCK_DBG_BLOCKInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Reserved1__IO_REMOVE_LOCK_DBG_BLOCK(S)[x]} _S_Reserved1__IO_REMOVE_LOCK_DBG_BLOCK(S)[x] <==> S[Reserved1__IO_REMOVE_LOCK_DBG_BLOCKInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Reserved1__IO_REMOVE_LOCK_DBG_BLOCKInv(S)[x]} _S_Reserved1__IO_REMOVE_LOCK_DBG_BLOCKInv(S)[x] <==> S[Reserved1__IO_REMOVE_LOCK_DBG_BLOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Reserved1__IO_REMOVE_LOCK_DBG_BLOCK(S)} S[x] ==> _S_Reserved1__IO_REMOVE_LOCK_DBG_BLOCK(S)[Reserved1__IO_REMOVE_LOCK_DBG_BLOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Reserved1__IO_REMOVE_LOCK_DBG_BLOCKInv(S)} S[x] ==> _S_Reserved1__IO_REMOVE_LOCK_DBG_BLOCKInv(S)[Reserved1__IO_REMOVE_LOCK_DBG_BLOCKInv(x)]);
+
+axiom (forall x:int :: {Reserved1__IO_REMOVE_LOCK_DBG_BLOCK(x)} Reserved1__IO_REMOVE_LOCK_DBG_BLOCK(x) == x + 36);
+axiom (forall x:int :: {Reserved1__IO_REMOVE_LOCK_DBG_BLOCKInv(x)} Reserved1__IO_REMOVE_LOCK_DBG_BLOCKInv(x) == x - 36);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 36, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 36, 1) == Reserved1__IO_REMOVE_LOCK_DBG_BLOCKInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 36)} MINUS_LEFT_PTR(x, 1, 36) == Reserved1__IO_REMOVE_LOCK_DBG_BLOCKInv(x));
+function Reserved2__IO_REMOVE_LOCK_DBG_BLOCK(int) returns (int);
+function Reserved2__IO_REMOVE_LOCK_DBG_BLOCKInv(int) returns (int);
+function _S_Reserved2__IO_REMOVE_LOCK_DBG_BLOCK([int]bool) returns ([int]bool);
+function _S_Reserved2__IO_REMOVE_LOCK_DBG_BLOCKInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Reserved2__IO_REMOVE_LOCK_DBG_BLOCKInv(Reserved2__IO_REMOVE_LOCK_DBG_BLOCK(x))} Reserved2__IO_REMOVE_LOCK_DBG_BLOCKInv(Reserved2__IO_REMOVE_LOCK_DBG_BLOCK(x)) == x);
+axiom (forall x:int :: {Reserved2__IO_REMOVE_LOCK_DBG_BLOCKInv(x)} Reserved2__IO_REMOVE_LOCK_DBG_BLOCK(Reserved2__IO_REMOVE_LOCK_DBG_BLOCKInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Reserved2__IO_REMOVE_LOCK_DBG_BLOCK(S)[x]} _S_Reserved2__IO_REMOVE_LOCK_DBG_BLOCK(S)[x] <==> S[Reserved2__IO_REMOVE_LOCK_DBG_BLOCKInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Reserved2__IO_REMOVE_LOCK_DBG_BLOCKInv(S)[x]} _S_Reserved2__IO_REMOVE_LOCK_DBG_BLOCKInv(S)[x] <==> S[Reserved2__IO_REMOVE_LOCK_DBG_BLOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Reserved2__IO_REMOVE_LOCK_DBG_BLOCK(S)} S[x] ==> _S_Reserved2__IO_REMOVE_LOCK_DBG_BLOCK(S)[Reserved2__IO_REMOVE_LOCK_DBG_BLOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Reserved2__IO_REMOVE_LOCK_DBG_BLOCKInv(S)} S[x] ==> _S_Reserved2__IO_REMOVE_LOCK_DBG_BLOCKInv(S)[Reserved2__IO_REMOVE_LOCK_DBG_BLOCKInv(x)]);
+
+axiom (forall x:int :: {Reserved2__IO_REMOVE_LOCK_DBG_BLOCK(x)} Reserved2__IO_REMOVE_LOCK_DBG_BLOCK(x) == x + 52);
+axiom (forall x:int :: {Reserved2__IO_REMOVE_LOCK_DBG_BLOCKInv(x)} Reserved2__IO_REMOVE_LOCK_DBG_BLOCKInv(x) == x - 52);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 52, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 52, 1) == Reserved2__IO_REMOVE_LOCK_DBG_BLOCKInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 52)} MINUS_LEFT_PTR(x, 1, 52) == Reserved2__IO_REMOVE_LOCK_DBG_BLOCKInv(x));
+function Reserved__IO_REMOVE_LOCK_COMMON_BLOCK(int) returns (int);
+function Reserved__IO_REMOVE_LOCK_COMMON_BLOCKInv(int) returns (int);
+function _S_Reserved__IO_REMOVE_LOCK_COMMON_BLOCK([int]bool) returns ([int]bool);
+function _S_Reserved__IO_REMOVE_LOCK_COMMON_BLOCKInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Reserved__IO_REMOVE_LOCK_COMMON_BLOCKInv(Reserved__IO_REMOVE_LOCK_COMMON_BLOCK(x))} Reserved__IO_REMOVE_LOCK_COMMON_BLOCKInv(Reserved__IO_REMOVE_LOCK_COMMON_BLOCK(x)) == x);
+axiom (forall x:int :: {Reserved__IO_REMOVE_LOCK_COMMON_BLOCKInv(x)} Reserved__IO_REMOVE_LOCK_COMMON_BLOCK(Reserved__IO_REMOVE_LOCK_COMMON_BLOCKInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Reserved__IO_REMOVE_LOCK_COMMON_BLOCK(S)[x]} _S_Reserved__IO_REMOVE_LOCK_COMMON_BLOCK(S)[x] <==> S[Reserved__IO_REMOVE_LOCK_COMMON_BLOCKInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Reserved__IO_REMOVE_LOCK_COMMON_BLOCKInv(S)[x]} _S_Reserved__IO_REMOVE_LOCK_COMMON_BLOCKInv(S)[x] <==> S[Reserved__IO_REMOVE_LOCK_COMMON_BLOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Reserved__IO_REMOVE_LOCK_COMMON_BLOCK(S)} S[x] ==> _S_Reserved__IO_REMOVE_LOCK_COMMON_BLOCK(S)[Reserved__IO_REMOVE_LOCK_COMMON_BLOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Reserved__IO_REMOVE_LOCK_COMMON_BLOCKInv(S)} S[x] ==> _S_Reserved__IO_REMOVE_LOCK_COMMON_BLOCKInv(S)[Reserved__IO_REMOVE_LOCK_COMMON_BLOCKInv(x)]);
+
+axiom (forall x:int :: {Reserved__IO_REMOVE_LOCK_COMMON_BLOCK(x)} Reserved__IO_REMOVE_LOCK_COMMON_BLOCK(x) == x + 1);
+axiom (forall x:int :: {Reserved__IO_REMOVE_LOCK_COMMON_BLOCKInv(x)} Reserved__IO_REMOVE_LOCK_COMMON_BLOCKInv(x) == x - 1);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 1, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 1, 1) == Reserved__IO_REMOVE_LOCK_COMMON_BLOCKInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 1)} MINUS_LEFT_PTR(x, 1, 1) == Reserved__IO_REMOVE_LOCK_COMMON_BLOCKInv(x));
+function SampleRate__MOUSE_ATTRIBUTES(int) returns (int);
+function SampleRate__MOUSE_ATTRIBUTESInv(int) returns (int);
+function _S_SampleRate__MOUSE_ATTRIBUTES([int]bool) returns ([int]bool);
+function _S_SampleRate__MOUSE_ATTRIBUTESInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {SampleRate__MOUSE_ATTRIBUTESInv(SampleRate__MOUSE_ATTRIBUTES(x))} SampleRate__MOUSE_ATTRIBUTESInv(SampleRate__MOUSE_ATTRIBUTES(x)) == x);
+axiom (forall x:int :: {SampleRate__MOUSE_ATTRIBUTESInv(x)} SampleRate__MOUSE_ATTRIBUTES(SampleRate__MOUSE_ATTRIBUTESInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_SampleRate__MOUSE_ATTRIBUTES(S)[x]} _S_SampleRate__MOUSE_ATTRIBUTES(S)[x] <==> S[SampleRate__MOUSE_ATTRIBUTESInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_SampleRate__MOUSE_ATTRIBUTESInv(S)[x]} _S_SampleRate__MOUSE_ATTRIBUTESInv(S)[x] <==> S[SampleRate__MOUSE_ATTRIBUTES(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_SampleRate__MOUSE_ATTRIBUTES(S)} S[x] ==> _S_SampleRate__MOUSE_ATTRIBUTES(S)[SampleRate__MOUSE_ATTRIBUTES(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_SampleRate__MOUSE_ATTRIBUTESInv(S)} S[x] ==> _S_SampleRate__MOUSE_ATTRIBUTESInv(S)[SampleRate__MOUSE_ATTRIBUTESInv(x)]);
+
+axiom (forall x:int :: {SampleRate__MOUSE_ATTRIBUTES(x)} SampleRate__MOUSE_ATTRIBUTES(x) == x + 4);
+axiom (forall x:int :: {SampleRate__MOUSE_ATTRIBUTESInv(x)} SampleRate__MOUSE_ATTRIBUTESInv(x) == x - 4);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1) == SampleRate__MOUSE_ATTRIBUTESInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 4)} MINUS_LEFT_PTR(x, 1, 4) == SampleRate__MOUSE_ATTRIBUTESInv(x));
+function Self__DEVICE_EXTENSION(int) returns (int);
+function Self__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_Self__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_Self__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Self__DEVICE_EXTENSIONInv(Self__DEVICE_EXTENSION(x))} Self__DEVICE_EXTENSIONInv(Self__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {Self__DEVICE_EXTENSIONInv(x)} Self__DEVICE_EXTENSION(Self__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Self__DEVICE_EXTENSION(S)[x]} _S_Self__DEVICE_EXTENSION(S)[x] <==> S[Self__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Self__DEVICE_EXTENSIONInv(S)[x]} _S_Self__DEVICE_EXTENSIONInv(S)[x] <==> S[Self__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Self__DEVICE_EXTENSION(S)} S[x] ==> _S_Self__DEVICE_EXTENSION(S)[Self__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Self__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_Self__DEVICE_EXTENSIONInv(S)[Self__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {Self__DEVICE_EXTENSION(x)} Self__DEVICE_EXTENSION(x) == x + 0);
+axiom (forall x:int :: {Self__DEVICE_EXTENSIONInv(x)} Self__DEVICE_EXTENSIONInv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == Self__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == Self__DEVICE_EXTENSIONInv(x));
+function SequenceNumber__DEVICE_EXTENSION(int) returns (int);
+function SequenceNumber__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_SequenceNumber__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_SequenceNumber__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {SequenceNumber__DEVICE_EXTENSIONInv(SequenceNumber__DEVICE_EXTENSION(x))} SequenceNumber__DEVICE_EXTENSIONInv(SequenceNumber__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {SequenceNumber__DEVICE_EXTENSIONInv(x)} SequenceNumber__DEVICE_EXTENSION(SequenceNumber__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_SequenceNumber__DEVICE_EXTENSION(S)[x]} _S_SequenceNumber__DEVICE_EXTENSION(S)[x] <==> S[SequenceNumber__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_SequenceNumber__DEVICE_EXTENSIONInv(S)[x]} _S_SequenceNumber__DEVICE_EXTENSIONInv(S)[x] <==> S[SequenceNumber__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_SequenceNumber__DEVICE_EXTENSION(S)} S[x] ==> _S_SequenceNumber__DEVICE_EXTENSION(S)[SequenceNumber__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_SequenceNumber__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_SequenceNumber__DEVICE_EXTENSIONInv(S)[SequenceNumber__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {SequenceNumber__DEVICE_EXTENSION(x)} SequenceNumber__DEVICE_EXTENSION(x) == x + 164);
+axiom (forall x:int :: {SequenceNumber__DEVICE_EXTENSIONInv(x)} SequenceNumber__DEVICE_EXTENSIONInv(x) == x - 164);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 164, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 164, 1) == SequenceNumber__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 164)} MINUS_LEFT_PTR(x, 1, 164) == SequenceNumber__DEVICE_EXTENSIONInv(x));
+function SetWmiDataBlock__WMILIB_CONTEXT(int) returns (int);
+function SetWmiDataBlock__WMILIB_CONTEXTInv(int) returns (int);
+function _S_SetWmiDataBlock__WMILIB_CONTEXT([int]bool) returns ([int]bool);
+function _S_SetWmiDataBlock__WMILIB_CONTEXTInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {SetWmiDataBlock__WMILIB_CONTEXTInv(SetWmiDataBlock__WMILIB_CONTEXT(x))} SetWmiDataBlock__WMILIB_CONTEXTInv(SetWmiDataBlock__WMILIB_CONTEXT(x)) == x);
+axiom (forall x:int :: {SetWmiDataBlock__WMILIB_CONTEXTInv(x)} SetWmiDataBlock__WMILIB_CONTEXT(SetWmiDataBlock__WMILIB_CONTEXTInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_SetWmiDataBlock__WMILIB_CONTEXT(S)[x]} _S_SetWmiDataBlock__WMILIB_CONTEXT(S)[x] <==> S[SetWmiDataBlock__WMILIB_CONTEXTInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_SetWmiDataBlock__WMILIB_CONTEXTInv(S)[x]} _S_SetWmiDataBlock__WMILIB_CONTEXTInv(S)[x] <==> S[SetWmiDataBlock__WMILIB_CONTEXT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_SetWmiDataBlock__WMILIB_CONTEXT(S)} S[x] ==> _S_SetWmiDataBlock__WMILIB_CONTEXT(S)[SetWmiDataBlock__WMILIB_CONTEXT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_SetWmiDataBlock__WMILIB_CONTEXTInv(S)} S[x] ==> _S_SetWmiDataBlock__WMILIB_CONTEXTInv(S)[SetWmiDataBlock__WMILIB_CONTEXTInv(x)]);
+
+axiom (forall x:int :: {SetWmiDataBlock__WMILIB_CONTEXT(x)} SetWmiDataBlock__WMILIB_CONTEXT(x) == x + 16);
+axiom (forall x:int :: {SetWmiDataBlock__WMILIB_CONTEXTInv(x)} SetWmiDataBlock__WMILIB_CONTEXTInv(x) == x - 16);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 16, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 16, 1) == SetWmiDataBlock__WMILIB_CONTEXTInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 16)} MINUS_LEFT_PTR(x, 1, 16) == SetWmiDataBlock__WMILIB_CONTEXTInv(x));
+function SetWmiDataItem__WMILIB_CONTEXT(int) returns (int);
+function SetWmiDataItem__WMILIB_CONTEXTInv(int) returns (int);
+function _S_SetWmiDataItem__WMILIB_CONTEXT([int]bool) returns ([int]bool);
+function _S_SetWmiDataItem__WMILIB_CONTEXTInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {SetWmiDataItem__WMILIB_CONTEXTInv(SetWmiDataItem__WMILIB_CONTEXT(x))} SetWmiDataItem__WMILIB_CONTEXTInv(SetWmiDataItem__WMILIB_CONTEXT(x)) == x);
+axiom (forall x:int :: {SetWmiDataItem__WMILIB_CONTEXTInv(x)} SetWmiDataItem__WMILIB_CONTEXT(SetWmiDataItem__WMILIB_CONTEXTInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_SetWmiDataItem__WMILIB_CONTEXT(S)[x]} _S_SetWmiDataItem__WMILIB_CONTEXT(S)[x] <==> S[SetWmiDataItem__WMILIB_CONTEXTInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_SetWmiDataItem__WMILIB_CONTEXTInv(S)[x]} _S_SetWmiDataItem__WMILIB_CONTEXTInv(S)[x] <==> S[SetWmiDataItem__WMILIB_CONTEXT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_SetWmiDataItem__WMILIB_CONTEXT(S)} S[x] ==> _S_SetWmiDataItem__WMILIB_CONTEXT(S)[SetWmiDataItem__WMILIB_CONTEXT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_SetWmiDataItem__WMILIB_CONTEXTInv(S)} S[x] ==> _S_SetWmiDataItem__WMILIB_CONTEXTInv(S)[SetWmiDataItem__WMILIB_CONTEXTInv(x)]);
+
+axiom (forall x:int :: {SetWmiDataItem__WMILIB_CONTEXT(x)} SetWmiDataItem__WMILIB_CONTEXT(x) == x + 20);
+axiom (forall x:int :: {SetWmiDataItem__WMILIB_CONTEXTInv(x)} SetWmiDataItem__WMILIB_CONTEXTInv(x) == x - 20);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 20, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 20, 1) == SetWmiDataItem__WMILIB_CONTEXTInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 20)} MINUS_LEFT_PTR(x, 1, 20) == SetWmiDataItem__WMILIB_CONTEXTInv(x));
+function SignalState__DISPATCHER_HEADER(int) returns (int);
+function SignalState__DISPATCHER_HEADERInv(int) returns (int);
+function _S_SignalState__DISPATCHER_HEADER([int]bool) returns ([int]bool);
+function _S_SignalState__DISPATCHER_HEADERInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {SignalState__DISPATCHER_HEADERInv(SignalState__DISPATCHER_HEADER(x))} SignalState__DISPATCHER_HEADERInv(SignalState__DISPATCHER_HEADER(x)) == x);
+axiom (forall x:int :: {SignalState__DISPATCHER_HEADERInv(x)} SignalState__DISPATCHER_HEADER(SignalState__DISPATCHER_HEADERInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_SignalState__DISPATCHER_HEADER(S)[x]} _S_SignalState__DISPATCHER_HEADER(S)[x] <==> S[SignalState__DISPATCHER_HEADERInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_SignalState__DISPATCHER_HEADERInv(S)[x]} _S_SignalState__DISPATCHER_HEADERInv(S)[x] <==> S[SignalState__DISPATCHER_HEADER(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_SignalState__DISPATCHER_HEADER(S)} S[x] ==> _S_SignalState__DISPATCHER_HEADER(S)[SignalState__DISPATCHER_HEADER(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_SignalState__DISPATCHER_HEADERInv(S)} S[x] ==> _S_SignalState__DISPATCHER_HEADERInv(S)[SignalState__DISPATCHER_HEADERInv(x)]);
+
+axiom (forall x:int :: {SignalState__DISPATCHER_HEADER(x)} SignalState__DISPATCHER_HEADER(x) == x + 4);
+axiom (forall x:int :: {SignalState__DISPATCHER_HEADERInv(x)} SignalState__DISPATCHER_HEADERInv(x) == x - 4);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1) == SignalState__DISPATCHER_HEADERInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 4)} MINUS_LEFT_PTR(x, 1, 4) == SignalState__DISPATCHER_HEADERInv(x));
+function Signalling___unnamed_1_2bb39c56(int) returns (int);
+function Signalling___unnamed_1_2bb39c56Inv(int) returns (int);
+function _S_Signalling___unnamed_1_2bb39c56([int]bool) returns ([int]bool);
+function _S_Signalling___unnamed_1_2bb39c56Inv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Signalling___unnamed_1_2bb39c56Inv(Signalling___unnamed_1_2bb39c56(x))} Signalling___unnamed_1_2bb39c56Inv(Signalling___unnamed_1_2bb39c56(x)) == x);
+axiom (forall x:int :: {Signalling___unnamed_1_2bb39c56Inv(x)} Signalling___unnamed_1_2bb39c56(Signalling___unnamed_1_2bb39c56Inv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Signalling___unnamed_1_2bb39c56(S)[x]} _S_Signalling___unnamed_1_2bb39c56(S)[x] <==> S[Signalling___unnamed_1_2bb39c56Inv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Signalling___unnamed_1_2bb39c56Inv(S)[x]} _S_Signalling___unnamed_1_2bb39c56Inv(S)[x] <==> S[Signalling___unnamed_1_2bb39c56(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Signalling___unnamed_1_2bb39c56(S)} S[x] ==> _S_Signalling___unnamed_1_2bb39c56(S)[Signalling___unnamed_1_2bb39c56(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Signalling___unnamed_1_2bb39c56Inv(S)} S[x] ==> _S_Signalling___unnamed_1_2bb39c56Inv(S)[Signalling___unnamed_1_2bb39c56Inv(x)]);
+
+axiom (forall x:int :: {Signalling___unnamed_1_2bb39c56(x)} Signalling___unnamed_1_2bb39c56(x) == x + 0);
+axiom (forall x:int :: {Signalling___unnamed_1_2bb39c56Inv(x)} Signalling___unnamed_1_2bb39c56Inv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == Signalling___unnamed_1_2bb39c56Inv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == Signalling___unnamed_1_2bb39c56Inv(x));
+function Signature__IO_REMOVE_LOCK_DBG_BLOCK(int) returns (int);
+function Signature__IO_REMOVE_LOCK_DBG_BLOCKInv(int) returns (int);
+function _S_Signature__IO_REMOVE_LOCK_DBG_BLOCK([int]bool) returns ([int]bool);
+function _S_Signature__IO_REMOVE_LOCK_DBG_BLOCKInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Signature__IO_REMOVE_LOCK_DBG_BLOCKInv(Signature__IO_REMOVE_LOCK_DBG_BLOCK(x))} Signature__IO_REMOVE_LOCK_DBG_BLOCKInv(Signature__IO_REMOVE_LOCK_DBG_BLOCK(x)) == x);
+axiom (forall x:int :: {Signature__IO_REMOVE_LOCK_DBG_BLOCKInv(x)} Signature__IO_REMOVE_LOCK_DBG_BLOCK(Signature__IO_REMOVE_LOCK_DBG_BLOCKInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Signature__IO_REMOVE_LOCK_DBG_BLOCK(S)[x]} _S_Signature__IO_REMOVE_LOCK_DBG_BLOCK(S)[x] <==> S[Signature__IO_REMOVE_LOCK_DBG_BLOCKInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Signature__IO_REMOVE_LOCK_DBG_BLOCKInv(S)[x]} _S_Signature__IO_REMOVE_LOCK_DBG_BLOCKInv(S)[x] <==> S[Signature__IO_REMOVE_LOCK_DBG_BLOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Signature__IO_REMOVE_LOCK_DBG_BLOCK(S)} S[x] ==> _S_Signature__IO_REMOVE_LOCK_DBG_BLOCK(S)[Signature__IO_REMOVE_LOCK_DBG_BLOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Signature__IO_REMOVE_LOCK_DBG_BLOCKInv(S)} S[x] ==> _S_Signature__IO_REMOVE_LOCK_DBG_BLOCKInv(S)[Signature__IO_REMOVE_LOCK_DBG_BLOCKInv(x)]);
+
+axiom (forall x:int :: {Signature__IO_REMOVE_LOCK_DBG_BLOCK(x)} Signature__IO_REMOVE_LOCK_DBG_BLOCK(x) == x + 0);
+axiom (forall x:int :: {Signature__IO_REMOVE_LOCK_DBG_BLOCKInv(x)} Signature__IO_REMOVE_LOCK_DBG_BLOCKInv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == Signature__IO_REMOVE_LOCK_DBG_BLOCKInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == Signature__IO_REMOVE_LOCK_DBG_BLOCKInv(x));
+function Size___unnamed_1_e30779f5(int) returns (int);
+function Size___unnamed_1_e30779f5Inv(int) returns (int);
+function _S_Size___unnamed_1_e30779f5([int]bool) returns ([int]bool);
+function _S_Size___unnamed_1_e30779f5Inv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Size___unnamed_1_e30779f5Inv(Size___unnamed_1_e30779f5(x))} Size___unnamed_1_e30779f5Inv(Size___unnamed_1_e30779f5(x)) == x);
+axiom (forall x:int :: {Size___unnamed_1_e30779f5Inv(x)} Size___unnamed_1_e30779f5(Size___unnamed_1_e30779f5Inv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Size___unnamed_1_e30779f5(S)[x]} _S_Size___unnamed_1_e30779f5(S)[x] <==> S[Size___unnamed_1_e30779f5Inv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Size___unnamed_1_e30779f5Inv(S)[x]} _S_Size___unnamed_1_e30779f5Inv(S)[x] <==> S[Size___unnamed_1_e30779f5(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Size___unnamed_1_e30779f5(S)} S[x] ==> _S_Size___unnamed_1_e30779f5(S)[Size___unnamed_1_e30779f5(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Size___unnamed_1_e30779f5Inv(S)} S[x] ==> _S_Size___unnamed_1_e30779f5Inv(S)[Size___unnamed_1_e30779f5Inv(x)]);
+
+axiom (forall x:int :: {Size___unnamed_1_e30779f5(x)} Size___unnamed_1_e30779f5(x) == x + 0);
+axiom (forall x:int :: {Size___unnamed_1_e30779f5Inv(x)} Size___unnamed_1_e30779f5Inv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == Size___unnamed_1_e30779f5Inv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == Size___unnamed_1_e30779f5Inv(x));
+function SpinLock__DEVICE_EXTENSION(int) returns (int);
+function SpinLock__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_SpinLock__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_SpinLock__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {SpinLock__DEVICE_EXTENSIONInv(SpinLock__DEVICE_EXTENSION(x))} SpinLock__DEVICE_EXTENSIONInv(SpinLock__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {SpinLock__DEVICE_EXTENSIONInv(x)} SpinLock__DEVICE_EXTENSION(SpinLock__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_SpinLock__DEVICE_EXTENSION(S)[x]} _S_SpinLock__DEVICE_EXTENSION(S)[x] <==> S[SpinLock__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_SpinLock__DEVICE_EXTENSIONInv(S)[x]} _S_SpinLock__DEVICE_EXTENSIONInv(S)[x] <==> S[SpinLock__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_SpinLock__DEVICE_EXTENSION(S)} S[x] ==> _S_SpinLock__DEVICE_EXTENSION(S)[SpinLock__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_SpinLock__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_SpinLock__DEVICE_EXTENSIONInv(S)[SpinLock__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {SpinLock__DEVICE_EXTENSION(x)} SpinLock__DEVICE_EXTENSION(x) == x + 152);
+axiom (forall x:int :: {SpinLock__DEVICE_EXTENSIONInv(x)} SpinLock__DEVICE_EXTENSIONInv(x) == x - 152);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 152, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 152, 1) == SpinLock__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 152)} MINUS_LEFT_PTR(x, 1, 152) == SpinLock__DEVICE_EXTENSIONInv(x));
+function Spin__IO_REMOVE_LOCK_DBG_BLOCK(int) returns (int);
+function Spin__IO_REMOVE_LOCK_DBG_BLOCKInv(int) returns (int);
+function _S_Spin__IO_REMOVE_LOCK_DBG_BLOCK([int]bool) returns ([int]bool);
+function _S_Spin__IO_REMOVE_LOCK_DBG_BLOCKInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Spin__IO_REMOVE_LOCK_DBG_BLOCKInv(Spin__IO_REMOVE_LOCK_DBG_BLOCK(x))} Spin__IO_REMOVE_LOCK_DBG_BLOCKInv(Spin__IO_REMOVE_LOCK_DBG_BLOCK(x)) == x);
+axiom (forall x:int :: {Spin__IO_REMOVE_LOCK_DBG_BLOCKInv(x)} Spin__IO_REMOVE_LOCK_DBG_BLOCK(Spin__IO_REMOVE_LOCK_DBG_BLOCKInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Spin__IO_REMOVE_LOCK_DBG_BLOCK(S)[x]} _S_Spin__IO_REMOVE_LOCK_DBG_BLOCK(S)[x] <==> S[Spin__IO_REMOVE_LOCK_DBG_BLOCKInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Spin__IO_REMOVE_LOCK_DBG_BLOCKInv(S)[x]} _S_Spin__IO_REMOVE_LOCK_DBG_BLOCKInv(S)[x] <==> S[Spin__IO_REMOVE_LOCK_DBG_BLOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Spin__IO_REMOVE_LOCK_DBG_BLOCK(S)} S[x] ==> _S_Spin__IO_REMOVE_LOCK_DBG_BLOCK(S)[Spin__IO_REMOVE_LOCK_DBG_BLOCK(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Spin__IO_REMOVE_LOCK_DBG_BLOCKInv(S)} S[x] ==> _S_Spin__IO_REMOVE_LOCK_DBG_BLOCKInv(S)[Spin__IO_REMOVE_LOCK_DBG_BLOCKInv(x)]);
+
+axiom (forall x:int :: {Spin__IO_REMOVE_LOCK_DBG_BLOCK(x)} Spin__IO_REMOVE_LOCK_DBG_BLOCK(x) == x + 28);
+axiom (forall x:int :: {Spin__IO_REMOVE_LOCK_DBG_BLOCKInv(x)} Spin__IO_REMOVE_LOCK_DBG_BLOCKInv(x) == x - 28);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 28, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 28, 1) == Spin__IO_REMOVE_LOCK_DBG_BLOCKInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 28)} MINUS_LEFT_PTR(x, 1, 28) == Spin__IO_REMOVE_LOCK_DBG_BLOCKInv(x));
+function Started__DEVICE_EXTENSION(int) returns (int);
+function Started__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_Started__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_Started__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Started__DEVICE_EXTENSIONInv(Started__DEVICE_EXTENSION(x))} Started__DEVICE_EXTENSIONInv(Started__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {Started__DEVICE_EXTENSIONInv(x)} Started__DEVICE_EXTENSION(Started__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Started__DEVICE_EXTENSION(S)[x]} _S_Started__DEVICE_EXTENSION(S)[x] <==> S[Started__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Started__DEVICE_EXTENSIONInv(S)[x]} _S_Started__DEVICE_EXTENSIONInv(S)[x] <==> S[Started__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Started__DEVICE_EXTENSION(S)} S[x] ==> _S_Started__DEVICE_EXTENSION(S)[Started__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Started__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_Started__DEVICE_EXTENSIONInv(S)[Started__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {Started__DEVICE_EXTENSION(x)} Started__DEVICE_EXTENSION(x) == x + 105);
+axiom (forall x:int :: {Started__DEVICE_EXTENSIONInv(x)} Started__DEVICE_EXTENSIONInv(x) == x - 105);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 105, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 105, 1) == Started__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 105)} MINUS_LEFT_PTR(x, 1, 105) == Started__DEVICE_EXTENSIONInv(x));
+function SurpriseRemoved__DEVICE_EXTENSION(int) returns (int);
+function SurpriseRemoved__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_SurpriseRemoved__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_SurpriseRemoved__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {SurpriseRemoved__DEVICE_EXTENSIONInv(SurpriseRemoved__DEVICE_EXTENSION(x))} SurpriseRemoved__DEVICE_EXTENSIONInv(SurpriseRemoved__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {SurpriseRemoved__DEVICE_EXTENSIONInv(x)} SurpriseRemoved__DEVICE_EXTENSION(SurpriseRemoved__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_SurpriseRemoved__DEVICE_EXTENSION(S)[x]} _S_SurpriseRemoved__DEVICE_EXTENSION(S)[x] <==> S[SurpriseRemoved__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_SurpriseRemoved__DEVICE_EXTENSIONInv(S)[x]} _S_SurpriseRemoved__DEVICE_EXTENSIONInv(S)[x] <==> S[SurpriseRemoved__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_SurpriseRemoved__DEVICE_EXTENSION(S)} S[x] ==> _S_SurpriseRemoved__DEVICE_EXTENSION(S)[SurpriseRemoved__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_SurpriseRemoved__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_SurpriseRemoved__DEVICE_EXTENSIONInv(S)[SurpriseRemoved__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {SurpriseRemoved__DEVICE_EXTENSION(x)} SurpriseRemoved__DEVICE_EXTENSION(x) == x + 266);
+axiom (forall x:int :: {SurpriseRemoved__DEVICE_EXTENSIONInv(x)} SurpriseRemoved__DEVICE_EXTENSIONInv(x) == x - 266);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 266, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 266, 1) == SurpriseRemoved__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 266)} MINUS_LEFT_PTR(x, 1, 266) == SurpriseRemoved__DEVICE_EXTENSIONInv(x));
+function SymbolicLinkName__DEVICE_EXTENSION(int) returns (int);
+function SymbolicLinkName__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_SymbolicLinkName__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_SymbolicLinkName__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {SymbolicLinkName__DEVICE_EXTENSIONInv(SymbolicLinkName__DEVICE_EXTENSION(x))} SymbolicLinkName__DEVICE_EXTENSIONInv(SymbolicLinkName__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {SymbolicLinkName__DEVICE_EXTENSIONInv(x)} SymbolicLinkName__DEVICE_EXTENSION(SymbolicLinkName__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_SymbolicLinkName__DEVICE_EXTENSION(S)[x]} _S_SymbolicLinkName__DEVICE_EXTENSION(S)[x] <==> S[SymbolicLinkName__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_SymbolicLinkName__DEVICE_EXTENSIONInv(S)[x]} _S_SymbolicLinkName__DEVICE_EXTENSIONInv(S)[x] <==> S[SymbolicLinkName__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_SymbolicLinkName__DEVICE_EXTENSION(S)} S[x] ==> _S_SymbolicLinkName__DEVICE_EXTENSION(S)[SymbolicLinkName__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_SymbolicLinkName__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_SymbolicLinkName__DEVICE_EXTENSIONInv(S)[SymbolicLinkName__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {SymbolicLinkName__DEVICE_EXTENSION(x)} SymbolicLinkName__DEVICE_EXTENSION(x) == x + 120);
+axiom (forall x:int :: {SymbolicLinkName__DEVICE_EXTENSIONInv(x)} SymbolicLinkName__DEVICE_EXTENSIONInv(x) == x - 120);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 120, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 120, 1) == SymbolicLinkName__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 120)} MINUS_LEFT_PTR(x, 1, 120) == SymbolicLinkName__DEVICE_EXTENSIONInv(x));
+function SystemState__DEVICE_EXTENSION(int) returns (int);
+function SystemState__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_SystemState__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_SystemState__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {SystemState__DEVICE_EXTENSIONInv(SystemState__DEVICE_EXTENSION(x))} SystemState__DEVICE_EXTENSIONInv(SystemState__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {SystemState__DEVICE_EXTENSIONInv(x)} SystemState__DEVICE_EXTENSION(SystemState__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_SystemState__DEVICE_EXTENSION(S)[x]} _S_SystemState__DEVICE_EXTENSION(S)[x] <==> S[SystemState__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_SystemState__DEVICE_EXTENSIONInv(S)[x]} _S_SystemState__DEVICE_EXTENSIONInv(S)[x] <==> S[SystemState__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_SystemState__DEVICE_EXTENSION(S)} S[x] ==> _S_SystemState__DEVICE_EXTENSION(S)[SystemState__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_SystemState__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_SystemState__DEVICE_EXTENSIONInv(S)[SystemState__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {SystemState__DEVICE_EXTENSION(x)} SystemState__DEVICE_EXTENSION(x) == x + 172);
+axiom (forall x:int :: {SystemState__DEVICE_EXTENSIONInv(x)} SystemState__DEVICE_EXTENSIONInv(x) == x - 172);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 172, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 172, 1) == SystemState__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 172)} MINUS_LEFT_PTR(x, 1, 172) == SystemState__DEVICE_EXTENSIONInv(x));
+function SystemToDeviceState__DEVICE_EXTENSION(int) returns (int);
+function SystemToDeviceState__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_SystemToDeviceState__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_SystemToDeviceState__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {SystemToDeviceState__DEVICE_EXTENSIONInv(SystemToDeviceState__DEVICE_EXTENSION(x))} SystemToDeviceState__DEVICE_EXTENSIONInv(SystemToDeviceState__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {SystemToDeviceState__DEVICE_EXTENSIONInv(x)} SystemToDeviceState__DEVICE_EXTENSION(SystemToDeviceState__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_SystemToDeviceState__DEVICE_EXTENSION(S)[x]} _S_SystemToDeviceState__DEVICE_EXTENSION(S)[x] <==> S[SystemToDeviceState__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_SystemToDeviceState__DEVICE_EXTENSIONInv(S)[x]} _S_SystemToDeviceState__DEVICE_EXTENSIONInv(S)[x] <==> S[SystemToDeviceState__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_SystemToDeviceState__DEVICE_EXTENSION(S)} S[x] ==> _S_SystemToDeviceState__DEVICE_EXTENSION(S)[SystemToDeviceState__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_SystemToDeviceState__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_SystemToDeviceState__DEVICE_EXTENSIONInv(S)[SystemToDeviceState__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {SystemToDeviceState__DEVICE_EXTENSION(x)} SystemToDeviceState__DEVICE_EXTENSION(x) == x + 212);
+axiom (forall x:int :: {SystemToDeviceState__DEVICE_EXTENSIONInv(x)} SystemToDeviceState__DEVICE_EXTENSIONInv(x) == x - 212);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 212, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 212, 1) == SystemToDeviceState__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 212)} MINUS_LEFT_PTR(x, 1, 212) == SystemToDeviceState__DEVICE_EXTENSIONInv(x));
+function TargetNotifyHandle__DEVICE_EXTENSION(int) returns (int);
+function TargetNotifyHandle__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_TargetNotifyHandle__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_TargetNotifyHandle__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {TargetNotifyHandle__DEVICE_EXTENSIONInv(TargetNotifyHandle__DEVICE_EXTENSION(x))} TargetNotifyHandle__DEVICE_EXTENSIONInv(TargetNotifyHandle__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {TargetNotifyHandle__DEVICE_EXTENSIONInv(x)} TargetNotifyHandle__DEVICE_EXTENSION(TargetNotifyHandle__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_TargetNotifyHandle__DEVICE_EXTENSION(S)[x]} _S_TargetNotifyHandle__DEVICE_EXTENSION(S)[x] <==> S[TargetNotifyHandle__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_TargetNotifyHandle__DEVICE_EXTENSIONInv(S)[x]} _S_TargetNotifyHandle__DEVICE_EXTENSIONInv(S)[x] <==> S[TargetNotifyHandle__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_TargetNotifyHandle__DEVICE_EXTENSION(S)} S[x] ==> _S_TargetNotifyHandle__DEVICE_EXTENSION(S)[TargetNotifyHandle__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_TargetNotifyHandle__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_TargetNotifyHandle__DEVICE_EXTENSIONInv(S)[TargetNotifyHandle__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {TargetNotifyHandle__DEVICE_EXTENSION(x)} TargetNotifyHandle__DEVICE_EXTENSION(x) == x + 248);
+axiom (forall x:int :: {TargetNotifyHandle__DEVICE_EXTENSIONInv(x)} TargetNotifyHandle__DEVICE_EXTENSIONInv(x) == x - 248);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 248, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 248, 1) == TargetNotifyHandle__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 248)} MINUS_LEFT_PTR(x, 1, 248) == TargetNotifyHandle__DEVICE_EXTENSIONInv(x));
+function TopPort__DEVICE_EXTENSION(int) returns (int);
+function TopPort__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_TopPort__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_TopPort__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {TopPort__DEVICE_EXTENSIONInv(TopPort__DEVICE_EXTENSION(x))} TopPort__DEVICE_EXTENSIONInv(TopPort__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {TopPort__DEVICE_EXTENSIONInv(x)} TopPort__DEVICE_EXTENSION(TopPort__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_TopPort__DEVICE_EXTENSION(S)[x]} _S_TopPort__DEVICE_EXTENSION(S)[x] <==> S[TopPort__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_TopPort__DEVICE_EXTENSIONInv(S)[x]} _S_TopPort__DEVICE_EXTENSIONInv(S)[x] <==> S[TopPort__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_TopPort__DEVICE_EXTENSION(S)} S[x] ==> _S_TopPort__DEVICE_EXTENSION(S)[TopPort__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_TopPort__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_TopPort__DEVICE_EXTENSIONInv(S)[TopPort__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {TopPort__DEVICE_EXTENSION(x)} TopPort__DEVICE_EXTENSION(x) == x + 8);
+axiom (forall x:int :: {TopPort__DEVICE_EXTENSIONInv(x)} TopPort__DEVICE_EXTENSIONInv(x) == x - 8);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 8, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 8, 1) == TopPort__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 8)} MINUS_LEFT_PTR(x, 1, 8) == TopPort__DEVICE_EXTENSIONInv(x));
+function TrueClassDevice__DEVICE_EXTENSION(int) returns (int);
+function TrueClassDevice__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_TrueClassDevice__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_TrueClassDevice__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {TrueClassDevice__DEVICE_EXTENSIONInv(TrueClassDevice__DEVICE_EXTENSION(x))} TrueClassDevice__DEVICE_EXTENSIONInv(TrueClassDevice__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {TrueClassDevice__DEVICE_EXTENSIONInv(x)} TrueClassDevice__DEVICE_EXTENSION(TrueClassDevice__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_TrueClassDevice__DEVICE_EXTENSION(S)[x]} _S_TrueClassDevice__DEVICE_EXTENSION(S)[x] <==> S[TrueClassDevice__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_TrueClassDevice__DEVICE_EXTENSIONInv(S)[x]} _S_TrueClassDevice__DEVICE_EXTENSIONInv(S)[x] <==> S[TrueClassDevice__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_TrueClassDevice__DEVICE_EXTENSION(S)} S[x] ==> _S_TrueClassDevice__DEVICE_EXTENSION(S)[TrueClassDevice__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_TrueClassDevice__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_TrueClassDevice__DEVICE_EXTENSIONInv(S)[TrueClassDevice__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {TrueClassDevice__DEVICE_EXTENSION(x)} TrueClassDevice__DEVICE_EXTENSION(x) == x + 4);
+axiom (forall x:int :: {TrueClassDevice__DEVICE_EXTENSIONInv(x)} TrueClassDevice__DEVICE_EXTENSIONInv(x) == x - 4);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1) == TrueClassDevice__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 4)} MINUS_LEFT_PTR(x, 1, 4) == TrueClassDevice__DEVICE_EXTENSIONInv(x));
+function TrustedSubsystemCount__DEVICE_EXTENSION(int) returns (int);
+function TrustedSubsystemCount__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_TrustedSubsystemCount__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_TrustedSubsystemCount__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {TrustedSubsystemCount__DEVICE_EXTENSIONInv(TrustedSubsystemCount__DEVICE_EXTENSION(x))} TrustedSubsystemCount__DEVICE_EXTENSIONInv(TrustedSubsystemCount__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {TrustedSubsystemCount__DEVICE_EXTENSIONInv(x)} TrustedSubsystemCount__DEVICE_EXTENSION(TrustedSubsystemCount__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_TrustedSubsystemCount__DEVICE_EXTENSION(S)[x]} _S_TrustedSubsystemCount__DEVICE_EXTENSION(S)[x] <==> S[TrustedSubsystemCount__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_TrustedSubsystemCount__DEVICE_EXTENSIONInv(S)[x]} _S_TrustedSubsystemCount__DEVICE_EXTENSIONInv(S)[x] <==> S[TrustedSubsystemCount__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_TrustedSubsystemCount__DEVICE_EXTENSION(S)} S[x] ==> _S_TrustedSubsystemCount__DEVICE_EXTENSION(S)[TrustedSubsystemCount__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_TrustedSubsystemCount__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_TrustedSubsystemCount__DEVICE_EXTENSIONInv(S)[TrustedSubsystemCount__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {TrustedSubsystemCount__DEVICE_EXTENSION(x)} TrustedSubsystemCount__DEVICE_EXTENSION(x) == x + 112);
+axiom (forall x:int :: {TrustedSubsystemCount__DEVICE_EXTENSIONInv(x)} TrustedSubsystemCount__DEVICE_EXTENSIONInv(x) == x - 112);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 112, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 112, 1) == TrustedSubsystemCount__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 112)} MINUS_LEFT_PTR(x, 1, 112) == TrustedSubsystemCount__DEVICE_EXTENSIONInv(x));
+function Type___unnamed_4_846adf3f(int) returns (int);
+function Type___unnamed_4_846adf3fInv(int) returns (int);
+function _S_Type___unnamed_4_846adf3f([int]bool) returns ([int]bool);
+function _S_Type___unnamed_4_846adf3fInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Type___unnamed_4_846adf3fInv(Type___unnamed_4_846adf3f(x))} Type___unnamed_4_846adf3fInv(Type___unnamed_4_846adf3f(x)) == x);
+axiom (forall x:int :: {Type___unnamed_4_846adf3fInv(x)} Type___unnamed_4_846adf3f(Type___unnamed_4_846adf3fInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Type___unnamed_4_846adf3f(S)[x]} _S_Type___unnamed_4_846adf3f(S)[x] <==> S[Type___unnamed_4_846adf3fInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Type___unnamed_4_846adf3fInv(S)[x]} _S_Type___unnamed_4_846adf3fInv(S)[x] <==> S[Type___unnamed_4_846adf3f(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Type___unnamed_4_846adf3f(S)} S[x] ==> _S_Type___unnamed_4_846adf3f(S)[Type___unnamed_4_846adf3f(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Type___unnamed_4_846adf3fInv(S)} S[x] ==> _S_Type___unnamed_4_846adf3fInv(S)[Type___unnamed_4_846adf3fInv(x)]);
+
+axiom (forall x:int :: {Type___unnamed_4_846adf3f(x)} Type___unnamed_4_846adf3f(x) == x + 0);
+axiom (forall x:int :: {Type___unnamed_4_846adf3fInv(x)} Type___unnamed_4_846adf3fInv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == Type___unnamed_4_846adf3fInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == Type___unnamed_4_846adf3fInv(x));
+function UnitId__DEVICE_EXTENSION(int) returns (int);
+function UnitId__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_UnitId__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_UnitId__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {UnitId__DEVICE_EXTENSIONInv(UnitId__DEVICE_EXTENSION(x))} UnitId__DEVICE_EXTENSIONInv(UnitId__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {UnitId__DEVICE_EXTENSIONInv(x)} UnitId__DEVICE_EXTENSION(UnitId__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_UnitId__DEVICE_EXTENSION(S)[x]} _S_UnitId__DEVICE_EXTENSION(S)[x] <==> S[UnitId__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_UnitId__DEVICE_EXTENSIONInv(S)[x]} _S_UnitId__DEVICE_EXTENSIONInv(S)[x] <==> S[UnitId__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_UnitId__DEVICE_EXTENSION(S)} S[x] ==> _S_UnitId__DEVICE_EXTENSION(S)[UnitId__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_UnitId__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_UnitId__DEVICE_EXTENSIONInv(S)[UnitId__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {UnitId__DEVICE_EXTENSION(x)} UnitId__DEVICE_EXTENSION(x) == x + 176);
+axiom (forall x:int :: {UnitId__DEVICE_EXTENSIONInv(x)} UnitId__DEVICE_EXTENSIONInv(x) == x - 176);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 176, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 176, 1) == UnitId__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 176)} MINUS_LEFT_PTR(x, 1, 176) == UnitId__DEVICE_EXTENSIONInv(x));
+function WaitListHead__DISPATCHER_HEADER(int) returns (int);
+function WaitListHead__DISPATCHER_HEADERInv(int) returns (int);
+function _S_WaitListHead__DISPATCHER_HEADER([int]bool) returns ([int]bool);
+function _S_WaitListHead__DISPATCHER_HEADERInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {WaitListHead__DISPATCHER_HEADERInv(WaitListHead__DISPATCHER_HEADER(x))} WaitListHead__DISPATCHER_HEADERInv(WaitListHead__DISPATCHER_HEADER(x)) == x);
+axiom (forall x:int :: {WaitListHead__DISPATCHER_HEADERInv(x)} WaitListHead__DISPATCHER_HEADER(WaitListHead__DISPATCHER_HEADERInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_WaitListHead__DISPATCHER_HEADER(S)[x]} _S_WaitListHead__DISPATCHER_HEADER(S)[x] <==> S[WaitListHead__DISPATCHER_HEADERInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_WaitListHead__DISPATCHER_HEADERInv(S)[x]} _S_WaitListHead__DISPATCHER_HEADERInv(S)[x] <==> S[WaitListHead__DISPATCHER_HEADER(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_WaitListHead__DISPATCHER_HEADER(S)} S[x] ==> _S_WaitListHead__DISPATCHER_HEADER(S)[WaitListHead__DISPATCHER_HEADER(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_WaitListHead__DISPATCHER_HEADERInv(S)} S[x] ==> _S_WaitListHead__DISPATCHER_HEADERInv(S)[WaitListHead__DISPATCHER_HEADERInv(x)]);
+
+axiom (forall x:int :: {WaitListHead__DISPATCHER_HEADER(x)} WaitListHead__DISPATCHER_HEADER(x) == x + 8);
+axiom (forall x:int :: {WaitListHead__DISPATCHER_HEADERInv(x)} WaitListHead__DISPATCHER_HEADERInv(x) == x - 8);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 8, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 8, 1) == WaitListHead__DISPATCHER_HEADERInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 8)} MINUS_LEFT_PTR(x, 1, 8) == WaitListHead__DISPATCHER_HEADERInv(x));
+function WaitWakeEnabled__DEVICE_EXTENSION(int) returns (int);
+function WaitWakeEnabled__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_WaitWakeEnabled__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_WaitWakeEnabled__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {WaitWakeEnabled__DEVICE_EXTENSIONInv(WaitWakeEnabled__DEVICE_EXTENSION(x))} WaitWakeEnabled__DEVICE_EXTENSIONInv(WaitWakeEnabled__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {WaitWakeEnabled__DEVICE_EXTENSIONInv(x)} WaitWakeEnabled__DEVICE_EXTENSION(WaitWakeEnabled__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_WaitWakeEnabled__DEVICE_EXTENSION(S)[x]} _S_WaitWakeEnabled__DEVICE_EXTENSION(S)[x] <==> S[WaitWakeEnabled__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_WaitWakeEnabled__DEVICE_EXTENSIONInv(S)[x]} _S_WaitWakeEnabled__DEVICE_EXTENSIONInv(S)[x] <==> S[WaitWakeEnabled__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_WaitWakeEnabled__DEVICE_EXTENSION(S)} S[x] ==> _S_WaitWakeEnabled__DEVICE_EXTENSION(S)[WaitWakeEnabled__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_WaitWakeEnabled__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_WaitWakeEnabled__DEVICE_EXTENSIONInv(S)[WaitWakeEnabled__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {WaitWakeEnabled__DEVICE_EXTENSION(x)} WaitWakeEnabled__DEVICE_EXTENSION(x) == x + 265);
+axiom (forall x:int :: {WaitWakeEnabled__DEVICE_EXTENSIONInv(x)} WaitWakeEnabled__DEVICE_EXTENSIONInv(x) == x - 265);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 265, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 265, 1) == WaitWakeEnabled__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 265)} MINUS_LEFT_PTR(x, 1, 265) == WaitWakeEnabled__DEVICE_EXTENSIONInv(x));
+function WaitWakeIrp__DEVICE_EXTENSION(int) returns (int);
+function WaitWakeIrp__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_WaitWakeIrp__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_WaitWakeIrp__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {WaitWakeIrp__DEVICE_EXTENSIONInv(WaitWakeIrp__DEVICE_EXTENSION(x))} WaitWakeIrp__DEVICE_EXTENSIONInv(WaitWakeIrp__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {WaitWakeIrp__DEVICE_EXTENSIONInv(x)} WaitWakeIrp__DEVICE_EXTENSION(WaitWakeIrp__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_WaitWakeIrp__DEVICE_EXTENSION(S)[x]} _S_WaitWakeIrp__DEVICE_EXTENSION(S)[x] <==> S[WaitWakeIrp__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_WaitWakeIrp__DEVICE_EXTENSIONInv(S)[x]} _S_WaitWakeIrp__DEVICE_EXTENSIONInv(S)[x] <==> S[WaitWakeIrp__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_WaitWakeIrp__DEVICE_EXTENSION(S)} S[x] ==> _S_WaitWakeIrp__DEVICE_EXTENSION(S)[WaitWakeIrp__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_WaitWakeIrp__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_WaitWakeIrp__DEVICE_EXTENSIONInv(S)[WaitWakeIrp__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {WaitWakeIrp__DEVICE_EXTENSION(x)} WaitWakeIrp__DEVICE_EXTENSION(x) == x + 240);
+axiom (forall x:int :: {WaitWakeIrp__DEVICE_EXTENSIONInv(x)} WaitWakeIrp__DEVICE_EXTENSIONInv(x) == x - 240);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 240, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 240, 1) == WaitWakeIrp__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 240)} MINUS_LEFT_PTR(x, 1, 240) == WaitWakeIrp__DEVICE_EXTENSIONInv(x));
+function WaitWakeSpinLock__DEVICE_EXTENSION(int) returns (int);
+function WaitWakeSpinLock__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_WaitWakeSpinLock__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_WaitWakeSpinLock__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {WaitWakeSpinLock__DEVICE_EXTENSIONInv(WaitWakeSpinLock__DEVICE_EXTENSION(x))} WaitWakeSpinLock__DEVICE_EXTENSIONInv(WaitWakeSpinLock__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {WaitWakeSpinLock__DEVICE_EXTENSIONInv(x)} WaitWakeSpinLock__DEVICE_EXTENSION(WaitWakeSpinLock__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_WaitWakeSpinLock__DEVICE_EXTENSION(S)[x]} _S_WaitWakeSpinLock__DEVICE_EXTENSION(S)[x] <==> S[WaitWakeSpinLock__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_WaitWakeSpinLock__DEVICE_EXTENSIONInv(S)[x]} _S_WaitWakeSpinLock__DEVICE_EXTENSIONInv(S)[x] <==> S[WaitWakeSpinLock__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_WaitWakeSpinLock__DEVICE_EXTENSION(S)} S[x] ==> _S_WaitWakeSpinLock__DEVICE_EXTENSION(S)[WaitWakeSpinLock__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_WaitWakeSpinLock__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_WaitWakeSpinLock__DEVICE_EXTENSIONInv(S)[WaitWakeSpinLock__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {WaitWakeSpinLock__DEVICE_EXTENSION(x)} WaitWakeSpinLock__DEVICE_EXTENSION(x) == x + 108);
+axiom (forall x:int :: {WaitWakeSpinLock__DEVICE_EXTENSIONInv(x)} WaitWakeSpinLock__DEVICE_EXTENSIONInv(x) == x - 108);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 108, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 108, 1) == WaitWakeSpinLock__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 108)} MINUS_LEFT_PTR(x, 1, 108) == WaitWakeSpinLock__DEVICE_EXTENSIONInv(x));
+function WmiFunctionControl__WMILIB_CONTEXT(int) returns (int);
+function WmiFunctionControl__WMILIB_CONTEXTInv(int) returns (int);
+function _S_WmiFunctionControl__WMILIB_CONTEXT([int]bool) returns ([int]bool);
+function _S_WmiFunctionControl__WMILIB_CONTEXTInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {WmiFunctionControl__WMILIB_CONTEXTInv(WmiFunctionControl__WMILIB_CONTEXT(x))} WmiFunctionControl__WMILIB_CONTEXTInv(WmiFunctionControl__WMILIB_CONTEXT(x)) == x);
+axiom (forall x:int :: {WmiFunctionControl__WMILIB_CONTEXTInv(x)} WmiFunctionControl__WMILIB_CONTEXT(WmiFunctionControl__WMILIB_CONTEXTInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_WmiFunctionControl__WMILIB_CONTEXT(S)[x]} _S_WmiFunctionControl__WMILIB_CONTEXT(S)[x] <==> S[WmiFunctionControl__WMILIB_CONTEXTInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_WmiFunctionControl__WMILIB_CONTEXTInv(S)[x]} _S_WmiFunctionControl__WMILIB_CONTEXTInv(S)[x] <==> S[WmiFunctionControl__WMILIB_CONTEXT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_WmiFunctionControl__WMILIB_CONTEXT(S)} S[x] ==> _S_WmiFunctionControl__WMILIB_CONTEXT(S)[WmiFunctionControl__WMILIB_CONTEXT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_WmiFunctionControl__WMILIB_CONTEXTInv(S)} S[x] ==> _S_WmiFunctionControl__WMILIB_CONTEXTInv(S)[WmiFunctionControl__WMILIB_CONTEXTInv(x)]);
+
+axiom (forall x:int :: {WmiFunctionControl__WMILIB_CONTEXT(x)} WmiFunctionControl__WMILIB_CONTEXT(x) == x + 28);
+axiom (forall x:int :: {WmiFunctionControl__WMILIB_CONTEXTInv(x)} WmiFunctionControl__WMILIB_CONTEXTInv(x) == x - 28);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 28, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 28, 1) == WmiFunctionControl__WMILIB_CONTEXTInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 28)} MINUS_LEFT_PTR(x, 1, 28) == WmiFunctionControl__WMILIB_CONTEXTInv(x));
+function WmiLibInfo__DEVICE_EXTENSION(int) returns (int);
+function WmiLibInfo__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_WmiLibInfo__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_WmiLibInfo__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {WmiLibInfo__DEVICE_EXTENSIONInv(WmiLibInfo__DEVICE_EXTENSION(x))} WmiLibInfo__DEVICE_EXTENSIONInv(WmiLibInfo__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {WmiLibInfo__DEVICE_EXTENSIONInv(x)} WmiLibInfo__DEVICE_EXTENSION(WmiLibInfo__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_WmiLibInfo__DEVICE_EXTENSION(S)[x]} _S_WmiLibInfo__DEVICE_EXTENSION(S)[x] <==> S[WmiLibInfo__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_WmiLibInfo__DEVICE_EXTENSIONInv(S)[x]} _S_WmiLibInfo__DEVICE_EXTENSIONInv(S)[x] <==> S[WmiLibInfo__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_WmiLibInfo__DEVICE_EXTENSION(S)} S[x] ==> _S_WmiLibInfo__DEVICE_EXTENSION(S)[WmiLibInfo__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_WmiLibInfo__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_WmiLibInfo__DEVICE_EXTENSIONInv(S)[WmiLibInfo__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {WmiLibInfo__DEVICE_EXTENSION(x)} WmiLibInfo__DEVICE_EXTENSION(x) == x + 180);
+axiom (forall x:int :: {WmiLibInfo__DEVICE_EXTENSIONInv(x)} WmiLibInfo__DEVICE_EXTENSIONInv(x) == x - 180);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 180, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 180, 1) == WmiLibInfo__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 180)} MINUS_LEFT_PTR(x, 1, 180) == WmiLibInfo__DEVICE_EXTENSIONInv(x));
+function __unnamed_1_2bb39c56___unnamed_4_846adf3f(int) returns (int);
+function __unnamed_1_2bb39c56___unnamed_4_846adf3fInv(int) returns (int);
+function _S___unnamed_1_2bb39c56___unnamed_4_846adf3f([int]bool) returns ([int]bool);
+function _S___unnamed_1_2bb39c56___unnamed_4_846adf3fInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {__unnamed_1_2bb39c56___unnamed_4_846adf3fInv(__unnamed_1_2bb39c56___unnamed_4_846adf3f(x))} __unnamed_1_2bb39c56___unnamed_4_846adf3fInv(__unnamed_1_2bb39c56___unnamed_4_846adf3f(x)) == x);
+axiom (forall x:int :: {__unnamed_1_2bb39c56___unnamed_4_846adf3fInv(x)} __unnamed_1_2bb39c56___unnamed_4_846adf3f(__unnamed_1_2bb39c56___unnamed_4_846adf3fInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S___unnamed_1_2bb39c56___unnamed_4_846adf3f(S)[x]} _S___unnamed_1_2bb39c56___unnamed_4_846adf3f(S)[x] <==> S[__unnamed_1_2bb39c56___unnamed_4_846adf3fInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S___unnamed_1_2bb39c56___unnamed_4_846adf3fInv(S)[x]} _S___unnamed_1_2bb39c56___unnamed_4_846adf3fInv(S)[x] <==> S[__unnamed_1_2bb39c56___unnamed_4_846adf3f(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S___unnamed_1_2bb39c56___unnamed_4_846adf3f(S)} S[x] ==> _S___unnamed_1_2bb39c56___unnamed_4_846adf3f(S)[__unnamed_1_2bb39c56___unnamed_4_846adf3f(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S___unnamed_1_2bb39c56___unnamed_4_846adf3fInv(S)} S[x] ==> _S___unnamed_1_2bb39c56___unnamed_4_846adf3fInv(S)[__unnamed_1_2bb39c56___unnamed_4_846adf3fInv(x)]);
+
+axiom (forall x:int :: {__unnamed_1_2bb39c56___unnamed_4_846adf3f(x)} __unnamed_1_2bb39c56___unnamed_4_846adf3f(x) == x + 1);
+axiom (forall x:int :: {__unnamed_1_2bb39c56___unnamed_4_846adf3fInv(x)} __unnamed_1_2bb39c56___unnamed_4_846adf3fInv(x) == x - 1);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 1, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 1, 1) == __unnamed_1_2bb39c56___unnamed_4_846adf3fInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 1)} MINUS_LEFT_PTR(x, 1, 1) == __unnamed_1_2bb39c56___unnamed_4_846adf3fInv(x));
+function __unnamed_1_9fa0583a___unnamed_4_846adf3f(int) returns (int);
+function __unnamed_1_9fa0583a___unnamed_4_846adf3fInv(int) returns (int);
+function _S___unnamed_1_9fa0583a___unnamed_4_846adf3f([int]bool) returns ([int]bool);
+function _S___unnamed_1_9fa0583a___unnamed_4_846adf3fInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {__unnamed_1_9fa0583a___unnamed_4_846adf3fInv(__unnamed_1_9fa0583a___unnamed_4_846adf3f(x))} __unnamed_1_9fa0583a___unnamed_4_846adf3fInv(__unnamed_1_9fa0583a___unnamed_4_846adf3f(x)) == x);
+axiom (forall x:int :: {__unnamed_1_9fa0583a___unnamed_4_846adf3fInv(x)} __unnamed_1_9fa0583a___unnamed_4_846adf3f(__unnamed_1_9fa0583a___unnamed_4_846adf3fInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S___unnamed_1_9fa0583a___unnamed_4_846adf3f(S)[x]} _S___unnamed_1_9fa0583a___unnamed_4_846adf3f(S)[x] <==> S[__unnamed_1_9fa0583a___unnamed_4_846adf3fInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S___unnamed_1_9fa0583a___unnamed_4_846adf3fInv(S)[x]} _S___unnamed_1_9fa0583a___unnamed_4_846adf3fInv(S)[x] <==> S[__unnamed_1_9fa0583a___unnamed_4_846adf3f(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S___unnamed_1_9fa0583a___unnamed_4_846adf3f(S)} S[x] ==> _S___unnamed_1_9fa0583a___unnamed_4_846adf3f(S)[__unnamed_1_9fa0583a___unnamed_4_846adf3f(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S___unnamed_1_9fa0583a___unnamed_4_846adf3fInv(S)} S[x] ==> _S___unnamed_1_9fa0583a___unnamed_4_846adf3fInv(S)[__unnamed_1_9fa0583a___unnamed_4_846adf3fInv(x)]);
+
+axiom (forall x:int :: {__unnamed_1_9fa0583a___unnamed_4_846adf3f(x)} __unnamed_1_9fa0583a___unnamed_4_846adf3f(x) == x + 3);
+axiom (forall x:int :: {__unnamed_1_9fa0583a___unnamed_4_846adf3fInv(x)} __unnamed_1_9fa0583a___unnamed_4_846adf3fInv(x) == x - 3);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 3, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 3, 1) == __unnamed_1_9fa0583a___unnamed_4_846adf3fInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 3)} MINUS_LEFT_PTR(x, 1, 3) == __unnamed_1_9fa0583a___unnamed_4_846adf3fInv(x));
+function __unnamed_1_e30779f5___unnamed_4_846adf3f(int) returns (int);
+function __unnamed_1_e30779f5___unnamed_4_846adf3fInv(int) returns (int);
+function _S___unnamed_1_e30779f5___unnamed_4_846adf3f([int]bool) returns ([int]bool);
+function _S___unnamed_1_e30779f5___unnamed_4_846adf3fInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {__unnamed_1_e30779f5___unnamed_4_846adf3fInv(__unnamed_1_e30779f5___unnamed_4_846adf3f(x))} __unnamed_1_e30779f5___unnamed_4_846adf3fInv(__unnamed_1_e30779f5___unnamed_4_846adf3f(x)) == x);
+axiom (forall x:int :: {__unnamed_1_e30779f5___unnamed_4_846adf3fInv(x)} __unnamed_1_e30779f5___unnamed_4_846adf3f(__unnamed_1_e30779f5___unnamed_4_846adf3fInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S___unnamed_1_e30779f5___unnamed_4_846adf3f(S)[x]} _S___unnamed_1_e30779f5___unnamed_4_846adf3f(S)[x] <==> S[__unnamed_1_e30779f5___unnamed_4_846adf3fInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S___unnamed_1_e30779f5___unnamed_4_846adf3fInv(S)[x]} _S___unnamed_1_e30779f5___unnamed_4_846adf3fInv(S)[x] <==> S[__unnamed_1_e30779f5___unnamed_4_846adf3f(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S___unnamed_1_e30779f5___unnamed_4_846adf3f(S)} S[x] ==> _S___unnamed_1_e30779f5___unnamed_4_846adf3f(S)[__unnamed_1_e30779f5___unnamed_4_846adf3f(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S___unnamed_1_e30779f5___unnamed_4_846adf3fInv(S)} S[x] ==> _S___unnamed_1_e30779f5___unnamed_4_846adf3fInv(S)[__unnamed_1_e30779f5___unnamed_4_846adf3fInv(x)]);
+
+axiom (forall x:int :: {__unnamed_1_e30779f5___unnamed_4_846adf3f(x)} __unnamed_1_e30779f5___unnamed_4_846adf3f(x) == x + 2);
+axiom (forall x:int :: {__unnamed_1_e30779f5___unnamed_4_846adf3fInv(x)} __unnamed_1_e30779f5___unnamed_4_846adf3fInv(x) == x - 2);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 2, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 2, 1) == __unnamed_1_e30779f5___unnamed_4_846adf3fInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 2)} MINUS_LEFT_PTR(x, 1, 2) == __unnamed_1_e30779f5___unnamed_4_846adf3fInv(x));
+function __unnamed_4_846adf3f___unnamed_4_c9b2e921(int) returns (int);
+function __unnamed_4_846adf3f___unnamed_4_c9b2e921Inv(int) returns (int);
+function _S___unnamed_4_846adf3f___unnamed_4_c9b2e921([int]bool) returns ([int]bool);
+function _S___unnamed_4_846adf3f___unnamed_4_c9b2e921Inv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {__unnamed_4_846adf3f___unnamed_4_c9b2e921Inv(__unnamed_4_846adf3f___unnamed_4_c9b2e921(x))} __unnamed_4_846adf3f___unnamed_4_c9b2e921Inv(__unnamed_4_846adf3f___unnamed_4_c9b2e921(x)) == x);
+axiom (forall x:int :: {__unnamed_4_846adf3f___unnamed_4_c9b2e921Inv(x)} __unnamed_4_846adf3f___unnamed_4_c9b2e921(__unnamed_4_846adf3f___unnamed_4_c9b2e921Inv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S___unnamed_4_846adf3f___unnamed_4_c9b2e921(S)[x]} _S___unnamed_4_846adf3f___unnamed_4_c9b2e921(S)[x] <==> S[__unnamed_4_846adf3f___unnamed_4_c9b2e921Inv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S___unnamed_4_846adf3f___unnamed_4_c9b2e921Inv(S)[x]} _S___unnamed_4_846adf3f___unnamed_4_c9b2e921Inv(S)[x] <==> S[__unnamed_4_846adf3f___unnamed_4_c9b2e921(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S___unnamed_4_846adf3f___unnamed_4_c9b2e921(S)} S[x] ==> _S___unnamed_4_846adf3f___unnamed_4_c9b2e921(S)[__unnamed_4_846adf3f___unnamed_4_c9b2e921(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S___unnamed_4_846adf3f___unnamed_4_c9b2e921Inv(S)} S[x] ==> _S___unnamed_4_846adf3f___unnamed_4_c9b2e921Inv(S)[__unnamed_4_846adf3f___unnamed_4_c9b2e921Inv(x)]);
+
+axiom (forall x:int :: {__unnamed_4_846adf3f___unnamed_4_c9b2e921(x)} __unnamed_4_846adf3f___unnamed_4_c9b2e921(x) == x + 0);
+axiom (forall x:int :: {__unnamed_4_846adf3f___unnamed_4_c9b2e921Inv(x)} __unnamed_4_846adf3f___unnamed_4_c9b2e921Inv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == __unnamed_4_846adf3f___unnamed_4_c9b2e921Inv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == __unnamed_4_846adf3f___unnamed_4_c9b2e921Inv(x));
+function __unnamed_4_c9b2e921__DISPATCHER_HEADER(int) returns (int);
+function __unnamed_4_c9b2e921__DISPATCHER_HEADERInv(int) returns (int);
+function _S___unnamed_4_c9b2e921__DISPATCHER_HEADER([int]bool) returns ([int]bool);
+function _S___unnamed_4_c9b2e921__DISPATCHER_HEADERInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {__unnamed_4_c9b2e921__DISPATCHER_HEADERInv(__unnamed_4_c9b2e921__DISPATCHER_HEADER(x))} __unnamed_4_c9b2e921__DISPATCHER_HEADERInv(__unnamed_4_c9b2e921__DISPATCHER_HEADER(x)) == x);
+axiom (forall x:int :: {__unnamed_4_c9b2e921__DISPATCHER_HEADERInv(x)} __unnamed_4_c9b2e921__DISPATCHER_HEADER(__unnamed_4_c9b2e921__DISPATCHER_HEADERInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S___unnamed_4_c9b2e921__DISPATCHER_HEADER(S)[x]} _S___unnamed_4_c9b2e921__DISPATCHER_HEADER(S)[x] <==> S[__unnamed_4_c9b2e921__DISPATCHER_HEADERInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S___unnamed_4_c9b2e921__DISPATCHER_HEADERInv(S)[x]} _S___unnamed_4_c9b2e921__DISPATCHER_HEADERInv(S)[x] <==> S[__unnamed_4_c9b2e921__DISPATCHER_HEADER(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S___unnamed_4_c9b2e921__DISPATCHER_HEADER(S)} S[x] ==> _S___unnamed_4_c9b2e921__DISPATCHER_HEADER(S)[__unnamed_4_c9b2e921__DISPATCHER_HEADER(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S___unnamed_4_c9b2e921__DISPATCHER_HEADERInv(S)} S[x] ==> _S___unnamed_4_c9b2e921__DISPATCHER_HEADERInv(S)[__unnamed_4_c9b2e921__DISPATCHER_HEADERInv(x)]);
+
+axiom (forall x:int :: {__unnamed_4_c9b2e921__DISPATCHER_HEADER(x)} __unnamed_4_c9b2e921__DISPATCHER_HEADER(x) == x + 0);
+axiom (forall x:int :: {__unnamed_4_c9b2e921__DISPATCHER_HEADERInv(x)} __unnamed_4_c9b2e921__DISPATCHER_HEADERInv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == __unnamed_4_c9b2e921__DISPATCHER_HEADERInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == __unnamed_4_c9b2e921__DISPATCHER_HEADERInv(x));
+function MINUS_BOTH_PTR_OR_BOTH_INT(a:int, b:int, size:int) returns (int);
+axiom (forall a:int, b:int, size:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(a,b,size)}
+size * MINUS_BOTH_PTR_OR_BOTH_INT(a,b,size) <= a - b && a - b < size * (MINUS_BOTH_PTR_OR_BOTH_INT(a,b,size) + 1));
+
+function MINUS_LEFT_PTR(a:int, a_size:int, b:int) returns (int);
+axiom(forall a:int, a_size:int, b:int :: {MINUS_LEFT_PTR(a,a_size,b)} MINUS_LEFT_PTR(a,a_size,b) == a - a_size * b);
+
+function PLUS(a:int, a_size:int, b:int) returns (int);
+axiom (forall a:int, a_size:int, b:int :: {PLUS(a,a_size,b)} PLUS(a,a_size,b) == a + a_size * b);
+
+function MULT(a:int, b:int) returns (int); // a*b
+axiom(forall a:int, b:int :: {MULT(a,b)} MULT(a,b) == a * b);
+
+function DIV(a:int, b:int) returns (int); // a/b
+
+axiom(forall a:int, b:int :: {DIV(a,b)}
+a >= 0 && b > 0 ==> b * DIV(a,b) <= a && a < b * (DIV(a,b) + 1)
+);
+
+axiom(forall a:int, b:int :: {DIV(a,b)}
+a >= 0 && b < 0 ==> b * DIV(a,b) <= a && a < b * (DIV(a,b) - 1)
+);
+
+axiom(forall a:int, b:int :: {DIV(a,b)}
+a < 0 && b > 0 ==> b * DIV(a,b) >= a && a > b * (DIV(a,b) - 1)
+);
+
+axiom(forall a:int, b:int :: {DIV(a,b)}
+a < 0 && b < 0 ==> b * DIV(a,b) >= a && a > b * (DIV(a,b) + 1)
+);
+
+function BINARY_BOTH_INT(a:int, b:int) returns (int);
+
+function POW2(a:int) returns (bool);
+axiom POW2(1);
+axiom POW2(2);
+axiom POW2(4);
+axiom POW2(8);
+axiom POW2(16);
+axiom POW2(32);
+axiom POW2(64);
+axiom POW2(128);
+axiom POW2(256);
+axiom POW2(512);
+axiom POW2(1024);
+axiom POW2(2048);
+axiom POW2(4096);
+axiom POW2(8192);
+axiom POW2(16384);
+axiom POW2(32768);
+axiom POW2(65536);
+axiom POW2(131072);
+axiom POW2(262144);
+axiom POW2(524288);
+axiom POW2(1048576);
+axiom POW2(2097152);
+axiom POW2(4194304);
+axiom POW2(8388608);
+axiom POW2(16777216);
+axiom POW2(33554432);
+
+function choose(a:bool, b:int, c:int) returns (x:int);
+axiom(forall a:bool, b:int, c:int :: {choose(a,b,c)} a ==> choose(a,b,c) == b);
+axiom(forall a:bool, b:int, c:int :: {choose(a,b,c)} !a ==> choose(a,b,c) == c);
+
+function BIT_BAND(a:int, b:int) returns (x:int);
+axiom(forall a:int, b:int :: {BIT_BAND(a,b)} a == b ==> BIT_BAND(a,b) == a);
+axiom(forall a:int, b:int :: {BIT_BAND(a,b)} POW2(a) && POW2(b) && a != b ==> BIT_BAND(a,b) == 0);
+axiom(forall a:int, b:int :: {BIT_BAND(a,b)} a == 0 || b == 0 ==> BIT_BAND(a,b) == 0);
+
+function BIT_BOR(a:int, b:int) returns (x:int);
+
+function BIT_BXOR(a:int, b:int) returns (x:int);
+
+function BIT_BNOT(a:int) returns (int);
+
+function LIFT(a:bool) returns (int);
+axiom(forall a:bool :: {LIFT(a)} a <==> LIFT(a) != 0);
+
+function NOT(a:int) returns (int);
+axiom(forall a:int :: {NOT(a)} a == 0 ==> NOT(a) != 0);
+axiom(forall a:int :: {NOT(a)} a != 0 ==> NOT(a) == 0);
+
+function NULL_CHECK(a:int) returns (int);
+axiom(forall a:int :: {NULL_CHECK(a)} a == 0 ==> NULL_CHECK(a) != 0);
+axiom(forall a:int :: {NULL_CHECK(a)} a != 0 ==> NULL_CHECK(a) == 0);
+
+
+
+
+procedure havoc_assert(i:int);
+requires (i != 0);
+
+procedure havoc_assume(i:int);
+ensures (i != 0);
+
+procedure __HAVOC_free(a:int);
+modifies alloc;
+ensures (forall x:int :: {alloc[x]} x == a || old(alloc)[x] == alloc[x]);
+ensures (alloc[a] == FREED);
+// Additional checks guarded by tranlator flags
+// requires alloc[a] == ALLOCATED;
+// requires Base(a) == a;
+
+procedure __HAVOC_malloc(obj_size:int) returns (new:int);
+requires obj_size >= 0;
+modifies alloc;
+ensures (new > 0);
+ensures (forall x:int :: {Base(x)} new <= x && x < new+obj_size ==> Base(x) == new);
+ensures (forall x:int :: {alloc[x]} x == new || old(alloc)[x] == alloc[x]);
+ensures old(alloc)[new] == UNALLOCATED && alloc[new] == ALLOCATED;
+
+procedure nondet_choice() returns (x:int);
+
+procedure _strdup(str:int) returns (new:int);
+
+procedure _xstrcasecmp(a0:int, a1:int) returns (ret:int);
+
+procedure _xstrcmp(a0:int, a1:int) returns (ret:int);
+
+var Res_DEVICE_STACK:[int]int;
+var Res_DEV_EXTN:[int]int;
+var Res_DEV_OBJ_INIT:[int]int;
+var Res_SPIN_LOCK:[int]int;
+
+
+
+////////////////////
+// Between predicate
+////////////////////
+function ReachBetween(f: [int]int, x: int, y: int, z: int) returns (bool);
+function ReachAvoiding(f: [int]int, x: int, y: int, z: int) returns (bool);
+
+
+//////////////////////////
+// Between set constructor
+//////////////////////////
+function ReachBetweenSet(f: [int]int, x: int, z: int) returns ([int]bool);
+
+////////////////////////////////////////////////////
+// axioms relating ReachBetween and ReachBetweenSet
+////////////////////////////////////////////////////
+axiom(forall f: [int]int, x: int, y: int, z: int :: {ReachBetweenSet(f, x, z)[y]} ReachBetweenSet(f, x, z)[y] <==> ReachBetween(f, x, y, z));
+axiom(forall f: [int]int, x: int, y: int, z: int :: {ReachBetween(f, x, y, z), ReachBetweenSet(f, x, z)} ReachBetween(f, x, y, z) ==> ReachBetweenSet(f, x, z)[y]);
+axiom(forall f: [int]int, x: int, z: int :: {ReachBetweenSet(f, x, z)} ReachBetween(f, x, x, x));
+
+
+//////////////////////////
+// Axioms for ReachBetween
+//////////////////////////
+
+// reflexive
+axiom(forall f: [int]int, x: int :: ReachBetween(f, x, x, x));
+
+// step
+//axiom(forall f: [int]int, x: int :: {f[x]} ReachBetween(f, x, f[x], f[x]));
+axiom(forall f: [int]int, x: int, y: int, z: int, w:int :: {ReachBetween(f, y, z, w), f[x]} ReachBetween(f, x, f[x], f[x]));
+
+// reach
+axiom(forall f: [int]int, x: int, y: int :: {f[x], ReachBetween(f, x, y, y)} ReachBetween(f, x, y, y) ==> x == y || ReachBetween(f, x, f[x], y));
+
+// cycle
+axiom(forall f: [int]int, x: int, y:int :: {f[x], ReachBetween(f, x, y, y)} f[x] == x && ReachBetween(f, x, y, y) ==> x == y);
+
+// sandwich
+axiom(forall f: [int]int, x: int, y: int :: {ReachBetween(f, x, y, x)} ReachBetween(f, x, y, x) ==> x == y);
+
+// order1
+axiom(forall f: [int]int, x: int, y: int, z: int :: {ReachBetween(f, x, y, y), ReachBetween(f, x, z, z)} ReachBetween(f, x, y, y) && ReachBetween(f, x, z, z) ==> ReachBetween(f, x, y, z) || ReachBetween(f, x, z, y));
+
+// order2
+axiom(forall f: [int]int, x: int, y: int, z: int :: {ReachBetween(f, x, y, z)} ReachBetween(f, x, y, z) ==> ReachBetween(f, x, y, y) && ReachBetween(f, y, z, z));
+
+// transitive1
+axiom(forall f: [int]int, x: int, y: int, z: int :: {ReachBetween(f, x, y, y), ReachBetween(f, y, z, z)} ReachBetween(f, x, y, y) && ReachBetween(f, y, z, z) ==> ReachBetween(f, x, z, z));
+
+// transitive2
+axiom(forall f: [int]int, x: int, y: int, z: int, w: int :: {ReachBetween(f, x, y, z), ReachBetween(f, y, w, z)} ReachBetween(f, x, y, z) && ReachBetween(f, y, w, z) ==> ReachBetween(f, x, y, w) && ReachBetween(f, x, w, z));
+
+// transitive3
+axiom(forall f: [int]int, x: int, y: int, z: int, w: int :: {ReachBetween(f, x, y, z), ReachBetween(f, x, w, y)} ReachBetween(f, x, y, z) && ReachBetween(f, x, w, y) ==> ReachBetween(f, x, w, z) && ReachBetween(f, w, y, z));
+
+// This axiom is required to deal with the incompleteness of the trigger for the reflexive axiom.
+// It cannot be proved using the rest of the axioms.
+axiom(forall f: [int]int, u:int, x: int :: {ReachBetween(f, u, x, x)} ReachBetween(f, u, x, x) ==> ReachBetween(f, u, u, x));
+
+// relation between ReachAvoiding and ReachBetween
+axiom(forall f: [int]int, x: int, y: int, z: int :: {ReachAvoiding(f, x, y, z)}{ReachBetween(f, x, y, z)} ReachAvoiding(f, x, y, z) <==> (ReachBetween(f, x, y, z) || (ReachBetween(f, x, y, y) && !ReachBetween(f, x, z, z))));
+
+// update
+axiom(forall f: [int]int, u: int, v: int, x: int, p: int, q: int :: {ReachAvoiding(f[p := q], u, v, x)} ReachAvoiding(f[p := q], u, v, x) <==> ((ReachAvoiding(f, u, v, p) && ReachAvoiding(f, u, v, x)) || (ReachAvoiding(f, u, p, x) && p != x && ReachAvoiding(f, q, v, p) && ReachAvoiding(f, q, v, x))));
+ ///////////////////////////////
+ // Shifts for linking fields
+ ///////////////////////////////
+function Shift_Flink__LIST_ENTRY(f: [int]int) returns ([int]int);
+axiom( forall f: [int]int, __x:int :: {f[Flink__LIST_ENTRY(__x)],Shift_Flink__LIST_ENTRY(f)} {Shift_Flink__LIST_ENTRY(f)[__x]} Shift_Flink__LIST_ENTRY(f)[__x] == f[Flink__LIST_ENTRY(__x)]);
+axiom(forall f: [int]int, __x:int, __v:int :: {Shift_Flink__LIST_ENTRY(f[Flink__LIST_ENTRY(__x) := __v])} Shift_Flink__LIST_ENTRY(f[Flink__LIST_ENTRY(__x) := __v]) == Shift_Flink__LIST_ENTRY(f)[__x := __v]);
+
+const unique Globals : int;
+axiom(Globals != 0);
+// the set of constants for 64 bit integers that Boogie doesn't parse
+const unique BOOGIE_LARGE_INT_4294967273:int;
+
+
+
+procedure ExAcquireFastMutex($FastMutex$1$15000.16$ExAcquireFastMutex$41:int);
+
+//TAG: ensures __preserves_mem
+ensures(Mem == old(Mem));
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+ensures((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN)));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_a7aa989c] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure ExAllocatePoolWithTag($PoolType$1$14789.57$ExAllocatePoolWithTag$121:int, $NumberOfBytes$2$14790.16$ExAllocatePoolWithTag$121:int, $Tag$3$14791.15$ExAllocatePoolWithTag$121:int) returns ($result.ExAllocatePoolWithTag$14788.0$1$:int);
+
+//TAG: ensures __preserves_mem
+ensures(Mem == old(Mem));
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+ensures((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN)));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_a7aa989c] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure ExFreePoolWithTag($P$1$14901.35$ExFreePoolWithTag$81:int, $Tag$2$14902.15$ExFreePoolWithTag$81:int);
+
+//TAG: ensures __preserves_mem
+ensures(Mem == old(Mem));
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+ensures((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN)));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_a7aa989c] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure ExReleaseFastMutex($FastMutex$1$15013.16$ExReleaseFastMutex$41:int);
+
+//TAG: ensures __preserves_mem
+ensures(Mem == old(Mem));
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+ensures((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN)));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_a7aa989c] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure InitializeListHead_IRP($ListHead$1$12.44$InitializeListHead_IRP$41:int);
+
+//TAG: ensures __preserves_mem
+ensures(Mem == old(Mem));
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+ensures((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN)));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_a7aa989c] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure IoCreateDevice($DriverObject$1$21226.25$IoCreateDevice$281:int, $DeviceExtensionSize$2$21227.16$IoCreateDevice$281:int, $DeviceName$3$21228.29$IoCreateDevice$281:int, $DeviceType$4$21229.22$IoCreateDevice$281:int, $DeviceCharacteristics$5$21230.16$IoCreateDevice$281:int, $Exclusive$6$21231.18$IoCreateDevice$281:int, $DeviceObject$7$21237.20$IoCreateDevice$281:int) returns ($result.IoCreateDevice$21225.0$1$:int);
+
+//TAG: ensures (LONG)__return >= 0 ==> *DeviceObject != (void *)0
+ensures(($result.IoCreateDevice$21225.0$1$ >= 0) ==> (Mem[T.P_DEVICE_OBJECT][$DeviceObject$7$21237.20$IoCreateDevice$281] != 0));
+//TAG: ensures (LONG)__return >= 0 ==> (*DeviceObject)->DeviceExtension != (void *)0
+ensures(($result.IoCreateDevice$21225.0$1$ >= 0) ==> (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$DeviceObject$7$21237.20$IoCreateDevice$281])] != 0));
+//TAG: ensures (LONG)__return >= 0 ==> __resource("DEV_EXTN", (*DeviceObject)->DeviceExtension) == 1
+ensures(($result.IoCreateDevice$21225.0$1$ >= 0) ==> (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$DeviceObject$7$21237.20$IoCreateDevice$281])]] == 1));
+//TAG: ensures (LONG)__return >= 0 ==> __resource("DEV_OBJ_INIT", *DeviceObject) == 1 && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(*DeviceObject))->DeviceExtension)) == 1
+ensures(($result.IoCreateDevice$21225.0$1$ >= 0) ==> ((Res_DEV_OBJ_INIT[Mem[T.P_DEVICE_OBJECT][$DeviceObject$7$21237.20$IoCreateDevice$281]] == 1) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$DeviceObject$7$21237.20$IoCreateDevice$281])]] == 1)));
+//TAG: ensures (LONG)__return >= 0 ==> __old_resource("DEV_OBJ_INIT", *DeviceObject) == 0 && __old_resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(*DeviceObject))->DeviceExtension)) == 0
+ensures(($result.IoCreateDevice$21225.0$1$ >= 0) ==> ((old(Res_DEV_OBJ_INIT)[Mem[T.P_DEVICE_OBJECT][$DeviceObject$7$21237.20$IoCreateDevice$281]] == 0) && (old(Res_DEV_EXTN)[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$DeviceObject$7$21237.20$IoCreateDevice$281])]] == 0)));
+//TAG: ensures (LONG)__return >= 0 ==> __updates_resource("DEV_OBJ_INIT", *DeviceObject, 1) && __updates_resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(*DeviceObject))->DeviceExtension), 1)
+ensures(($result.IoCreateDevice$21225.0$1$ >= 0) ==> ((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)[Mem[T.P_DEVICE_OBJECT][$DeviceObject$7$21237.20$IoCreateDevice$281] := 1]) && (Res_DEV_EXTN == old(Res_DEV_EXTN)[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$DeviceObject$7$21237.20$IoCreateDevice$281])] := 1])));
+//TAG: ensures !((LONG)__return >= 0) ==> __resource("DEV_OBJ_INIT", *DeviceObject) == __old_resource("DEV_OBJ_INIT", *DeviceObject) && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(*DeviceObject))->DeviceExtension)) == __old_resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(*DeviceObject))->DeviceExtension))
+ensures((!($result.IoCreateDevice$21225.0$1$ >= 0)) ==> ((Res_DEV_OBJ_INIT[Mem[T.P_DEVICE_OBJECT][$DeviceObject$7$21237.20$IoCreateDevice$281]] == old(Res_DEV_OBJ_INIT)[Mem[T.P_DEVICE_OBJECT][$DeviceObject$7$21237.20$IoCreateDevice$281]]) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$DeviceObject$7$21237.20$IoCreateDevice$281])]] == old(Res_DEV_EXTN)[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$DeviceObject$7$21237.20$IoCreateDevice$281])]])));
+//TAG: ensures !((LONG)__return >= 0) ==> __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+free ensures((!($result.IoCreateDevice$21225.0$1$ >= 0)) ==> ((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN))));
+//TAG: ensures (LONG)__return >= 0 ==> !(__resource("DEV_OBJ_INIT", ((struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(*DeviceObject))->DeviceExtension))->Self) == 1)
+ensures(($result.IoCreateDevice$21225.0$1$ >= 0) ==> (!(Res_DEV_OBJ_INIT[Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$DeviceObject$7$21237.20$IoCreateDevice$281])])]] == 1)));
+//TAG: ensures !((LONG)__return >= 0) ==> *DeviceObject == __old(*DeviceObject)
+ensures((!($result.IoCreateDevice$21225.0$1$ >= 0)) ==> (Mem[T.P_DEVICE_OBJECT][$DeviceObject$7$21237.20$IoCreateDevice$281] == old(Mem)[T.P_DEVICE_OBJECT][$DeviceObject$7$21237.20$IoCreateDevice$281]));
+//TAG: ensures __preserves_field_map(__offset((*((struct _LIST_ENTRY *)0)).Flink))
+ensures(Mem[T.Flink__LIST_ENTRY] == old(Mem)[T.Flink__LIST_ENTRY]);
+//TAG: ensures (LONG)__return >= 0 ==> __return == 0
+ensures(($result.IoCreateDevice$21225.0$1$ >= 0) ==> ($result.IoCreateDevice$21225.0$1$ == 0));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(*DeviceObject))->DeviceExtension)
+ensures (Subset(Empty(), Union(Union(Empty(), Empty()), Singleton(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$DeviceObject$7$21237.20$IoCreateDevice$281])]))) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$DeviceObject$7$21237.20$IoCreateDevice$281])] == r) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty, *DeviceObject
+ensures (Subset(Empty(), Union(Union(Empty(), Empty()), Singleton(Mem[T.P_DEVICE_OBJECT][$DeviceObject$7$21237.20$IoCreateDevice$281]))) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || (Mem[T.P_DEVICE_OBJECT][$DeviceObject$7$21237.20$IoCreateDevice$281] == r) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_a7aa989c] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty, DeviceObject
+ensures (Subset(Empty(), Union(Union(Empty(), Empty()), Singleton($DeviceObject$7$21237.20$IoCreateDevice$281))) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || (_m == $DeviceObject$7$21237.20$IoCreateDevice$281) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure IoDeleteDevice($DeviceObject$1$21328.67$IoDeleteDevice$41:int);
+
+//TAG: ensures __preserves_mem
+ensures(Mem == old(Mem));
+//TAG: requires 1 ==> __resource("DEV_OBJ_INIT", DeviceObject) == 1 && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)DeviceObject)->DeviceExtension)) == 1
+requires((true) ==> ((Res_DEV_OBJ_INIT[$DeviceObject$1$21328.67$IoDeleteDevice$41] == 1) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT($DeviceObject$1$21328.67$IoDeleteDevice$41)]] == 1)));
+//TAG: ensures 1 ==> __resource("DEV_OBJ_INIT", DeviceObject) == 0 && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)DeviceObject)->DeviceExtension)) == 0
+ensures((true) ==> ((Res_DEV_OBJ_INIT[$DeviceObject$1$21328.67$IoDeleteDevice$41] == 0) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT($DeviceObject$1$21328.67$IoDeleteDevice$41)]] == 0)));
+//TAG: ensures 1 ==> __updates_resource("DEV_OBJ_INIT", DeviceObject, 0) && __updates_resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)DeviceObject)->DeviceExtension), 0)
+ensures((true) ==> ((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)[$DeviceObject$1$21328.67$IoDeleteDevice$41 := 0]) && (Res_DEV_EXTN == old(Res_DEV_EXTN)[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT($DeviceObject$1$21328.67$IoDeleteDevice$41)] := 0])));
+//TAG: ensures !1 ==> __resource("DEV_OBJ_INIT", DeviceObject) == __old_resource("DEV_OBJ_INIT", DeviceObject) && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)DeviceObject)->DeviceExtension)) == __old_resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)DeviceObject)->DeviceExtension))
+ensures((!(true)) ==> ((Res_DEV_OBJ_INIT[$DeviceObject$1$21328.67$IoDeleteDevice$41] == old(Res_DEV_OBJ_INIT)[$DeviceObject$1$21328.67$IoDeleteDevice$41]) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT($DeviceObject$1$21328.67$IoDeleteDevice$41)]] == old(Res_DEV_EXTN)[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT($DeviceObject$1$21328.67$IoDeleteDevice$41)]])));
+//TAG: ensures !1 ==> __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+free ensures((!(true)) ==> ((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN))));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)DeviceObject)->DeviceExtension)
+ensures (Subset(Empty(), Union(Union(Empty(), Empty()), Singleton(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT($DeviceObject$1$21328.67$IoDeleteDevice$41)]))) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT($DeviceObject$1$21328.67$IoDeleteDevice$41)] == r) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty, DeviceObject
+ensures (Subset(Empty(), Union(Union(Empty(), Empty()), Singleton($DeviceObject$1$21328.67$IoDeleteDevice$41))) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || ($DeviceObject$1$21328.67$IoDeleteDevice$41 == r) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_a7aa989c] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure IoInitializeRemoveLockEx($Lock$1$22135.25$IoInitializeRemoveLockEx$201:int, $AllocateTag$2$22136.16$IoInitializeRemoveLockEx$201:int, $MaxLockedMinutes$3$22137.16$IoInitializeRemoveLockEx$201:int, $HighWatermark$4$22138.16$IoInitializeRemoveLockEx$201:int, $RemlockSize$5$22139.16$IoInitializeRemoveLockEx$201:int);
+
+//TAG: ensures __preserves_mem
+ensures(Mem == old(Mem));
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+ensures((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN)));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_a7aa989c] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure KeInitializeSpinLock($SpinLock$1$13860.22$KeInitializeSpinLock$41:int);
+
+//TAG: ensures __preserves_mem
+ensures(Mem == old(Mem));
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+ensures((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN)));
+//TAG: ensures 1 ==> __resource("SPIN_LOCK", SpinLock) == 0
+ensures((true) ==> (Res_SPIN_LOCK[$SpinLock$1$13860.22$KeInitializeSpinLock$41] == 0));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty, SpinLock
+ensures (Subset(Empty(), Union(Union(Empty(), Empty()), Singleton($SpinLock$1$13860.22$KeInitializeSpinLock$41))) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || ($SpinLock$1$13860.22$KeInitializeSpinLock$41 == r) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_a7aa989c] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure MouInitializeDataQueue($Context$1$518.13$MouInitializeDataQueue$41:int);
+
+//TAG: requires __resource("DEV_EXTN", Context) == 1
+requires(Res_DEV_EXTN[$Context$1$518.13$MouInitializeDataQueue$41] == 1);
+//TAG: requires __resource("SPIN_LOCK", &((struct _DEVICE_EXTENSION *)Context)->SpinLock) == 0
+requires(Res_SPIN_LOCK[SpinLock__DEVICE_EXTENSION($Context$1$518.13$MouInitializeDataQueue$41)] == 0);
+//TAG: requires __pforall(_H_x, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension), __inv_resource("DEV_OBJ_INIT", 1), ((struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension))->Self == _H_x && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension)) == 1)
+requires((forall _H_x:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]} Inverse(Res_DEV_OBJ_INIT,1)[_H_x] ==> ((Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)])] == _H_x) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]] == 1))));
+//TAG: requires __pforall(_H_z, _H_z->Self, __inv_resource("DEV_EXTN", 1), __resource("DEV_OBJ_INIT", _H_z->Self) == 1 && (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(_H_z->Self))->DeviceExtension) == _H_z)
+requires((forall _H_z:int :: {Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]} Inverse(Res_DEV_EXTN,1)[_H_z] ==> ((Res_DEV_OBJ_INIT[Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]] == 1) && (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)])] == _H_z))));
+//TAG: requires 1 ==> (Globals.GrandMaster != (void *)0 ==> __resource("DEV_EXTN", Globals.GrandMaster) == 1)
+requires((true) ==> ((Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] != 0) ==> (Res_DEV_EXTN[Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)]] == 1)));
+//TAG: requires 1 ==> __setin(&Globals.LegacyDeviceList, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList))
+requires((true) ==> (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[LegacyDeviceList__GLOBALS(Globals)]));
+//TAG: requires 1 ==> __forall(_H_y, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), _H_y == &Globals.LegacyDeviceList || __resource("DEV_EXTN", CONTAINING_RECORD(_H_y, struct _DEVICE_EXTENSION , Link)) == 1)
+requires((true) ==> ((Subset(Empty(), ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))) && (forall _H_y : int :: {ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]} (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]) ==> ((_H_y == LegacyDeviceList__GLOBALS(Globals)) || (Res_DEV_EXTN[MINUS_LEFT_PTR(_H_y, 1, Link__DEVICE_EXTENSION(0))] == 1))))));
+//TAG: requires 1 ==> !__setin(&Globals.GrandMaster->Link, __setminus(__btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), __set(&Globals.LegacyDeviceList)))
+requires((true) ==> (!(Difference(ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals)), Singleton(LegacyDeviceList__GLOBALS(Globals)))[Link__DEVICE_EXTENSION(Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)])])));
+//TAG: ensures __resource("DEV_EXTN", Context) == 1
+ensures(Res_DEV_EXTN[$Context$1$518.13$MouInitializeDataQueue$41] == 1);
+//TAG: ensures __resource("SPIN_LOCK", &((struct _DEVICE_EXTENSION *)Context)->SpinLock) == 0
+ensures(Res_SPIN_LOCK[SpinLock__DEVICE_EXTENSION($Context$1$518.13$MouInitializeDataQueue$41)] == 0);
+//TAG: ensures __pforall(_H_x, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension), __inv_resource("DEV_OBJ_INIT", 1), ((struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension))->Self == _H_x && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension)) == 1)
+ensures((forall _H_x:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]} Inverse(Res_DEV_OBJ_INIT,1)[_H_x] ==> ((Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)])] == _H_x) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]] == 1))));
+//TAG: ensures __pforall(_H_z, _H_z->Self, __inv_resource("DEV_EXTN", 1), __resource("DEV_OBJ_INIT", _H_z->Self) == 1 && (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(_H_z->Self))->DeviceExtension) == _H_z)
+ensures((forall _H_z:int :: {Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]} Inverse(Res_DEV_EXTN,1)[_H_z] ==> ((Res_DEV_OBJ_INIT[Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]] == 1) && (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)])] == _H_z))));
+//TAG: ensures 1 ==> (Globals.GrandMaster != (void *)0 ==> __resource("DEV_EXTN", Globals.GrandMaster) == 1)
+ensures((true) ==> ((Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] != 0) ==> (Res_DEV_EXTN[Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)]] == 1)));
+//TAG: ensures 1 ==> __setin(&Globals.LegacyDeviceList, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList))
+ensures((true) ==> (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[LegacyDeviceList__GLOBALS(Globals)]));
+//TAG: ensures 1 ==> __forall(_H_y, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), _H_y == &Globals.LegacyDeviceList || __resource("DEV_EXTN", CONTAINING_RECORD(_H_y, struct _DEVICE_EXTENSION , Link)) == 1)
+ensures((true) ==> ((Subset(Empty(), ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))) && (forall _H_y : int :: {ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]} (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]) ==> ((_H_y == LegacyDeviceList__GLOBALS(Globals)) || (Res_DEV_EXTN[MINUS_LEFT_PTR(_H_y, 1, Link__DEVICE_EXTENSION(0))] == 1))))));
+//TAG: ensures 1 ==> !__setin(&Globals.GrandMaster->Link, __setminus(__btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), __set(&Globals.LegacyDeviceList)))
+ensures((true) ==> (!(Difference(ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals)), Singleton(LegacyDeviceList__GLOBALS(Globals)))[Link__DEVICE_EXTENSION(Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)])])));
+//TAG: ensures __preserves_field_map(__offset((*((struct _LIST_ENTRY *)0)).Flink))
+ensures(Mem[T.Flink__LIST_ENTRY] == old(Mem)[T.Flink__LIST_ENTRY]);
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT")
+ensures(Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT));
+//TAG: ensures __preserves_resource("DEV_EXTN")
+ensures(Res_DEV_EXTN == old(Res_DEV_EXTN));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_a7aa989c] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure MouseClassLogError($Object$1$542.10$MouseClassLogError$281:int, $ErrorCode$2$543.10$MouseClassLogError$281:int, $UniqueErrorValue$3$544.10$MouseClassLogError$281:int, $FinalStatus$4$545.13$MouseClassLogError$281:int, $DumpCount$5$546.10$MouseClassLogError$281:int, $DumpData$6$547.11$MouseClassLogError$281:int, $MajorFunction$7$548.10$MouseClassLogError$281:int);
+
+//TAG: requires __pforall(_H_x, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension), __inv_resource("DEV_OBJ_INIT", 1), ((struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension))->Self == _H_x && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension)) == 1)
+requires((forall _H_x:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]} Inverse(Res_DEV_OBJ_INIT,1)[_H_x] ==> ((Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)])] == _H_x) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]] == 1))));
+//TAG: requires __pforall(_H_z, _H_z->Self, __inv_resource("DEV_EXTN", 1), __resource("DEV_OBJ_INIT", _H_z->Self) == 1 && (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(_H_z->Self))->DeviceExtension) == _H_z)
+requires((forall _H_z:int :: {Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]} Inverse(Res_DEV_EXTN,1)[_H_z] ==> ((Res_DEV_OBJ_INIT[Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]] == 1) && (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)])] == _H_z))));
+//TAG: requires 1 ==> (Globals.GrandMaster != (void *)0 ==> __resource("DEV_EXTN", Globals.GrandMaster) == 1)
+requires((true) ==> ((Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] != 0) ==> (Res_DEV_EXTN[Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)]] == 1)));
+//TAG: requires 1 ==> __setin(&Globals.LegacyDeviceList, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList))
+requires((true) ==> (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[LegacyDeviceList__GLOBALS(Globals)]));
+//TAG: requires 1 ==> __forall(_H_y, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), _H_y == &Globals.LegacyDeviceList || __resource("DEV_EXTN", CONTAINING_RECORD(_H_y, struct _DEVICE_EXTENSION , Link)) == 1)
+requires((true) ==> ((Subset(Empty(), ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))) && (forall _H_y : int :: {ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]} (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]) ==> ((_H_y == LegacyDeviceList__GLOBALS(Globals)) || (Res_DEV_EXTN[MINUS_LEFT_PTR(_H_y, 1, Link__DEVICE_EXTENSION(0))] == 1))))));
+//TAG: requires 1 ==> !__setin(&Globals.GrandMaster->Link, __setminus(__btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), __set(&Globals.LegacyDeviceList)))
+requires((true) ==> (!(Difference(ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals)), Singleton(LegacyDeviceList__GLOBALS(Globals)))[Link__DEVICE_EXTENSION(Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)])])));
+//TAG: ensures __pforall(_H_x, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension), __inv_resource("DEV_OBJ_INIT", 1), ((struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension))->Self == _H_x && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension)) == 1)
+ensures((forall _H_x:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]} Inverse(Res_DEV_OBJ_INIT,1)[_H_x] ==> ((Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)])] == _H_x) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]] == 1))));
+//TAG: ensures __pforall(_H_z, _H_z->Self, __inv_resource("DEV_EXTN", 1), __resource("DEV_OBJ_INIT", _H_z->Self) == 1 && (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(_H_z->Self))->DeviceExtension) == _H_z)
+ensures((forall _H_z:int :: {Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]} Inverse(Res_DEV_EXTN,1)[_H_z] ==> ((Res_DEV_OBJ_INIT[Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]] == 1) && (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)])] == _H_z))));
+//TAG: ensures 1 ==> (Globals.GrandMaster != (void *)0 ==> __resource("DEV_EXTN", Globals.GrandMaster) == 1)
+ensures((true) ==> ((Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] != 0) ==> (Res_DEV_EXTN[Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)]] == 1)));
+//TAG: ensures 1 ==> __setin(&Globals.LegacyDeviceList, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList))
+ensures((true) ==> (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[LegacyDeviceList__GLOBALS(Globals)]));
+//TAG: ensures 1 ==> __forall(_H_y, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), _H_y == &Globals.LegacyDeviceList || __resource("DEV_EXTN", CONTAINING_RECORD(_H_y, struct _DEVICE_EXTENSION , Link)) == 1)
+ensures((true) ==> ((Subset(Empty(), ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))) && (forall _H_y : int :: {ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]} (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]) ==> ((_H_y == LegacyDeviceList__GLOBALS(Globals)) || (Res_DEV_EXTN[MINUS_LEFT_PTR(_H_y, 1, Link__DEVICE_EXTENSION(0))] == 1))))));
+//TAG: ensures 1 ==> !__setin(&Globals.GrandMaster->Link, __setminus(__btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), __set(&Globals.LegacyDeviceList)))
+ensures((true) ==> (!(Difference(ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals)), Singleton(LegacyDeviceList__GLOBALS(Globals)))[Link__DEVICE_EXTENSION(Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)])])));
+//TAG: ensures __preserves_field_map(__offset((*((struct _LIST_ENTRY *)0)).Flink))
+ensures(Mem[T.Flink__LIST_ENTRY] == old(Mem)[T.Flink__LIST_ENTRY]);
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT")
+ensures(Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT));
+//TAG: ensures __preserves_resource("DEV_EXTN")
+ensures(Res_DEV_EXTN == old(Res_DEV_EXTN));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_a7aa989c] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure RtlAppendUnicodeToString($Destination$1$7421.28$RtlAppendUnicodeToString$81:int, $Source$2$7422.20$RtlAppendUnicodeToString$81:int) returns ($result.RtlAppendUnicodeToString$7420.0$1$:int);
+
+//TAG: ensures __preserves_mem
+ensures(Mem == old(Mem));
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+ensures((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN)));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_a7aa989c] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure RtlFreeUnicodeString($UnicodeString$1$7452.28$RtlFreeUnicodeString$41:int);
+
+//TAG: ensures __preserves_mem
+ensures(Mem == old(Mem));
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+ensures((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN)));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_a7aa989c] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure __PREfastPagedCode();
+
+//TAG: ensures __preserves_mem
+ensures(Mem == old(Mem));
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+ensures((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN)));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_a7aa989c] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure MouCreateClassObject($DriverObject$1$3165.28$MouCreateClassObject$201:int, $TmpDeviceExtension$2$3166.28$MouCreateClassObject$201:int, $ClassDeviceObject$3$3167.28$MouCreateClassObject$201:int, $FullDeviceName$4$3168.35$MouCreateClassObject$201:int, $Legacy$5$3169.28$MouCreateClassObject$201:int) returns ($result.MouCreateClassObject$3164.0$1$:int)
+
+//TAG: requires __pforall(_H_x, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension), __inv_resource("DEV_OBJ_INIT", 1), ((struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension))->Self == _H_x && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension)) == 1)
+requires((forall _H_x:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]} Inverse(Res_DEV_OBJ_INIT,1)[_H_x] ==> ((Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)])] == _H_x) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]] == 1))));
+//TAG: requires __pforall(_H_z, _H_z->Self, __inv_resource("DEV_EXTN", 1), __resource("DEV_OBJ_INIT", _H_z->Self) == 1 && (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(_H_z->Self))->DeviceExtension) == _H_z)
+requires((forall _H_z:int :: {Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]} Inverse(Res_DEV_EXTN,1)[_H_z] ==> ((Res_DEV_OBJ_INIT[Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]] == 1) && (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)])] == _H_z))));
+//TAG: requires __forall(_H_z, __inv_resource("DEV_EXTN", 1), __resource("SPIN_LOCK", &_H_z->SpinLock) == 0 && __resource("SPIN_LOCK", &_H_z->WaitWakeSpinLock) == 0)
+requires((Subset(Empty(), Inverse(Res_DEV_EXTN,1)) && (forall _H_z : int :: {Inverse(Res_DEV_EXTN,1)[_H_z]} (Inverse(Res_DEV_EXTN,1)[_H_z]) ==> ((Res_SPIN_LOCK[SpinLock__DEVICE_EXTENSION(_H_z)] == 0) && (Res_SPIN_LOCK[WaitWakeSpinLock__DEVICE_EXTENSION(_H_z)] == 0)))));
+//TAG: requires 1 ==> (Globals.GrandMaster != (void *)0 ==> __resource("DEV_EXTN", Globals.GrandMaster) == 1)
+requires((true) ==> ((Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] != 0) ==> (Res_DEV_EXTN[Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)]] == 1)));
+//TAG: requires 1 ==> __setin(&Globals.LegacyDeviceList, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList))
+requires((true) ==> (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[LegacyDeviceList__GLOBALS(Globals)]));
+//TAG: requires 1 ==> __forall(_H_y, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), _H_y == &Globals.LegacyDeviceList || __resource("DEV_EXTN", CONTAINING_RECORD(_H_y, struct _DEVICE_EXTENSION , Link)) == 1)
+requires((true) ==> ((Subset(Empty(), ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))) && (forall _H_y : int :: {ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]} (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]) ==> ((_H_y == LegacyDeviceList__GLOBALS(Globals)) || (Res_DEV_EXTN[MINUS_LEFT_PTR(_H_y, 1, Link__DEVICE_EXTENSION(0))] == 1))))));
+//TAG: requires 1 ==> !__setin(&Globals.GrandMaster->Link, __setminus(__btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), __set(&Globals.LegacyDeviceList)))
+requires((true) ==> (!(Difference(ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals)), Singleton(LegacyDeviceList__GLOBALS(Globals)))[Link__DEVICE_EXTENSION(Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)])])));
+//TAG: ensures __pforall(_H_x, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension), __inv_resource("DEV_OBJ_INIT", 1), ((struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension))->Self == _H_x && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension)) == 1)
+ensures((forall _H_x:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]} Inverse(Res_DEV_OBJ_INIT,1)[_H_x] ==> ((Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)])] == _H_x) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]] == 1))));
+//TAG: ensures __pforall(_H_z, _H_z->Self, __inv_resource("DEV_EXTN", 1), __resource("DEV_OBJ_INIT", _H_z->Self) == 1 && (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(_H_z->Self))->DeviceExtension) == _H_z)
+ensures((forall _H_z:int :: {Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]} Inverse(Res_DEV_EXTN,1)[_H_z] ==> ((Res_DEV_OBJ_INIT[Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]] == 1) && (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)])] == _H_z))));
+//TAG: ensures 1 ==> (Globals.GrandMaster != (void *)0 ==> __resource("DEV_EXTN", Globals.GrandMaster) == 1)
+ensures((true) ==> ((Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] != 0) ==> (Res_DEV_EXTN[Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)]] == 1)));
+//TAG: ensures 1 ==> __setin(&Globals.LegacyDeviceList, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList))
+ensures((true) ==> (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[LegacyDeviceList__GLOBALS(Globals)]));
+//TAG: ensures 1 ==> __forall(_H_y, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), _H_y == &Globals.LegacyDeviceList || __resource("DEV_EXTN", CONTAINING_RECORD(_H_y, struct _DEVICE_EXTENSION , Link)) == 1)
+ensures((true) ==> ((Subset(Empty(), ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))) && (forall _H_y : int :: {ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]} (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]) ==> ((_H_y == LegacyDeviceList__GLOBALS(Globals)) || (Res_DEV_EXTN[MINUS_LEFT_PTR(_H_y, 1, Link__DEVICE_EXTENSION(0))] == 1))))));
+//TAG: ensures 1 ==> !__setin(&Globals.GrandMaster->Link, __setminus(__btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), __set(&Globals.LegacyDeviceList)))
+ensures((true) ==> (!(Difference(ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals)), Singleton(LegacyDeviceList__GLOBALS(Globals)))[Link__DEVICE_EXTENSION(Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)])])));
+//TAG: ensures __preserves_field_map(__offset((*((struct _LIST_ENTRY *)0)).Flink))
+ensures(Mem[T.Flink__LIST_ENTRY] == old(Mem)[T.Flink__LIST_ENTRY]);
+//TAG: ensures (LONG)__return >= 0 ==> *ClassDeviceObject != (void *)0
+ensures(($result.MouCreateClassObject$3164.0$1$ >= 0) ==> (Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3167.28$MouCreateClassObject$201] != 0));
+//TAG: ensures (LONG)__return >= 0 ==> (*ClassDeviceObject)->DeviceExtension != (void *)0
+ensures(($result.MouCreateClassObject$3164.0$1$ >= 0) ==> (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3167.28$MouCreateClassObject$201])] != 0));
+//TAG: ensures (LONG)__return >= 0 ==> __resource("DEV_EXTN", (*ClassDeviceObject)->DeviceExtension) == 1
+ensures(($result.MouCreateClassObject$3164.0$1$ >= 0) ==> (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3167.28$MouCreateClassObject$201])]] == 1));
+//TAG: ensures (LONG)__return >= 0 ==> __resource("DEV_OBJ_INIT", *ClassDeviceObject) == 1 && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(*ClassDeviceObject))->DeviceExtension)) == 1
+ensures(($result.MouCreateClassObject$3164.0$1$ >= 0) ==> ((Res_DEV_OBJ_INIT[Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3167.28$MouCreateClassObject$201]] == 1) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3167.28$MouCreateClassObject$201])]] == 1)));
+//TAG: ensures (LONG)__return >= 0 ==> __old_resource("DEV_OBJ_INIT", *ClassDeviceObject) == 0 && __old_resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(*ClassDeviceObject))->DeviceExtension)) == 0
+ensures(($result.MouCreateClassObject$3164.0$1$ >= 0) ==> ((old(Res_DEV_OBJ_INIT)[Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3167.28$MouCreateClassObject$201]] == 0) && (old(Res_DEV_EXTN)[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3167.28$MouCreateClassObject$201])]] == 0)));
+//TAG: ensures (LONG)__return >= 0 ==> __updates_resource("DEV_OBJ_INIT", *ClassDeviceObject, 1) && __updates_resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(*ClassDeviceObject))->DeviceExtension), 1)
+ensures(($result.MouCreateClassObject$3164.0$1$ >= 0) ==> ((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)[Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3167.28$MouCreateClassObject$201] := 1]) && (Res_DEV_EXTN == old(Res_DEV_EXTN)[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3167.28$MouCreateClassObject$201])] := 1])));
+//TAG: ensures !((LONG)__return >= 0) ==> __resource("DEV_OBJ_INIT", *ClassDeviceObject) == __old_resource("DEV_OBJ_INIT", *ClassDeviceObject) && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(*ClassDeviceObject))->DeviceExtension)) == __old_resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(*ClassDeviceObject))->DeviceExtension))
+ensures((!($result.MouCreateClassObject$3164.0$1$ >= 0)) ==> ((Res_DEV_OBJ_INIT[Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3167.28$MouCreateClassObject$201]] == old(Res_DEV_OBJ_INIT)[Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3167.28$MouCreateClassObject$201]]) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3167.28$MouCreateClassObject$201])]] == old(Res_DEV_EXTN)[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3167.28$MouCreateClassObject$201])]])));
+//TAG: ensures !((LONG)__return >= 0) ==> __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+free ensures((!($result.MouCreateClassObject$3164.0$1$ >= 0)) ==> ((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN))));
+//TAG: ensures __forall(_H_z, __inv_resource("DEV_EXTN", 1), __setin(_H_z, __set((struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(*ClassDeviceObject))->DeviceExtension))) || __resource("SPIN_LOCK", &_H_z->SpinLock) == 0 && __resource("SPIN_LOCK", &_H_z->WaitWakeSpinLock) == 0)
+ensures((Subset(Empty(), Inverse(Res_DEV_EXTN,1)) && (forall _H_z : int :: {Inverse(Res_DEV_EXTN,1)[_H_z]} (Inverse(Res_DEV_EXTN,1)[_H_z]) ==> ((Singleton(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3167.28$MouCreateClassObject$201])])[_H_z]) || ((Res_SPIN_LOCK[SpinLock__DEVICE_EXTENSION(_H_z)] == 0) && (Res_SPIN_LOCK[WaitWakeSpinLock__DEVICE_EXTENSION(_H_z)] == 0))))));
+//TAG: ensures !((LONG)__return >= 0) ==> __forall(_H_z, __inv_resource("DEV_EXTN", 1), __resource("SPIN_LOCK", &_H_z->SpinLock) == 0 && __resource("SPIN_LOCK", &_H_z->WaitWakeSpinLock) == 0)
+ensures((!($result.MouCreateClassObject$3164.0$1$ >= 0)) ==> ((Subset(Empty(), Inverse(Res_DEV_EXTN,1)) && (forall _H_z : int :: {Inverse(Res_DEV_EXTN,1)[_H_z]} (Inverse(Res_DEV_EXTN,1)[_H_z]) ==> ((Res_SPIN_LOCK[SpinLock__DEVICE_EXTENSION(_H_z)] == 0) && (Res_SPIN_LOCK[WaitWakeSpinLock__DEVICE_EXTENSION(_H_z)] == 0))))));
+//TAG: ensures (LONG)__return >= 0 ==> __resource("SPIN_LOCK", &((struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(*ClassDeviceObject))->DeviceExtension))->SpinLock) == 0
+ensures(($result.MouCreateClassObject$3164.0$1$ >= 0) ==> (Res_SPIN_LOCK[SpinLock__DEVICE_EXTENSION(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3167.28$MouCreateClassObject$201])])] == 0));
+modifies alloc;
+free ensures(forall f:int :: {alloc[Base(f)]} old(alloc)[Base(f)] == UNALLOCATED || old(alloc)[Base(f)] == alloc[Base(f)]);
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(*ClassDeviceObject))->DeviceExtension)
+ensures (Subset(Empty(), Union(Union(Empty(), Empty()), Singleton(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3167.28$MouCreateClassObject$201])]))) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3167.28$MouCreateClassObject$201])] == r) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty, *ClassDeviceObject
+ensures (Subset(Empty(), Union(Union(Empty(), Empty()), Singleton(Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3167.28$MouCreateClassObject$201]))) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || (Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3167.28$MouCreateClassObject$201] == r) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: &TmpDeviceExtension->WaitWakeSpinLock, &((struct _DEVICE_EXTENSION *)TmpDeviceExtension)->SpinLock, __set_true
+ensures (Subset(Empty(), Union(Union(Union(Empty(), Singleton(WaitWakeSpinLock__DEVICE_EXTENSION($TmpDeviceExtension$2$3166.28$MouCreateClassObject$201))), Singleton(SpinLock__DEVICE_EXTENSION($TmpDeviceExtension$2$3166.28$MouCreateClassObject$201))), SetTrue())) && (forall r:int :: {Res_SPIN_LOCK[r]} (WaitWakeSpinLock__DEVICE_EXTENSION($TmpDeviceExtension$2$3166.28$MouCreateClassObject$201) == r) || (SpinLock__DEVICE_EXTENSION($TmpDeviceExtension$2$3166.28$MouCreateClassObject$201) == r) || (SetTrue()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_a7aa989c] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_true
+ensures (Subset(Empty(), Union(Empty(), SetTrue())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (SetTrue()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty, ClassDeviceObject
+ensures (Subset(Empty(), Union(Union(Empty(), Empty()), Singleton($ClassDeviceObject$3$3167.28$MouCreateClassObject$201))) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || (_m == $ClassDeviceObject$3$3167.28$MouCreateClassObject$201) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+{
+var havoc_stringTemp:int;
+var condVal:int;
+var $ClassDeviceObject$3$3167.28$MouCreateClassObject$20 : int;
+var $DriverObject$1$3165.28$MouCreateClassObject$20 : int;
+var $ExAllocatePoolWithTag.arg.2$4$ : int;
+var $FullDeviceName$4$3168.35$MouCreateClassObject$20 : int;
+var $Legacy$5$3169.28$MouCreateClassObject$20 : int;
+var $MouDebugPrint.arg.2$15$ : int;
+var $MouDebugPrint.arg.2$18$ : int;
+var $MouDebugPrint.arg.2$2$ : int;
+var $MouDebugPrint.arg.2$20$ : int;
+var $MouDebugPrint.arg.2$22$ : int;
+var $MouDebugPrint.arg.2$5$ : int;
+var $RtlAppendUnicodeToString.arg.2$12$ : int;
+var $RtlAppendUnicodeToString.arg.2$14$ : int;
+var $RtlAppendUnicodeToString.arg.2$9$ : int;
+var $TmpDeviceExtension$2$3166.28$MouCreateClassObject$20 : int;
+var $deviceExtension$8$3199.24$MouCreateClassObject$20 : int;
+var $dumpCount$11$3202.24$MouCreateClassObject$20 : int;
+var $dumpData$12$3203.24$MouCreateClassObject$20 : int;
+var $errorCode$9$3200.24$MouCreateClassObject$20 : int;
+var $fullClassName$10$3201.24$MouCreateClassObject$20 : int;
+var $i$13$3204.24$MouCreateClassObject$20 : int;
+var $memset.arg.3$7$ : int;
+var $nameIndex$14$3205.24$MouCreateClassObject$20 : int;
+var $result.ExAllocatePoolWithTag$3252.0$3$ : int;
+var $result.ExAllocatePoolWithTag$3370.0$19$ : int;
+var $result.IoCreateDevice$3296.35$16$ : int;
+var $result.IoCreateDevice$3310.31$17$ : int;
+var $result.RtlAppendUnicodeToString$3271.32$8$ : int;
+var $result.RtlAppendUnicodeToString$3272.32$10$ : int;
+var $result.RtlAppendUnicodeToString$3275.36$11$ : int;
+var $result.RtlAppendUnicodeToString$3278.32$13$ : int;
+var $result.memset$3270.8$6$ : int;
+var $result.question.21$ : int;
+var $status$6$3197.24$MouCreateClassObject$20 : int;
+var $uniqueErrorValue$7$3198.24$MouCreateClassObject$20 : int;
+var tempBoogie0:int;
+var tempBoogie1:int;
+var tempBoogie2:int;
+var tempBoogie3:int;
+var tempBoogie4:int;
+var tempBoogie5:int;
+var tempBoogie6:int;
+var tempBoogie7:int;
+var tempBoogie8:int;
+var tempBoogie9:int;
+var tempBoogie10:int;
+var tempBoogie11:int;
+var tempBoogie12:int;
+var tempBoogie13:int;
+var tempBoogie14:int;
+var tempBoogie15:int;
+var tempBoogie16:int;
+var tempBoogie17:int;
+var tempBoogie18:int;
+var tempBoogie19:int;
+var LOOP_78_alloc:[int]name;
+var LOOP_78_Mem:[name][int]int;
+var LOOP_78_Res_DEVICE_STACK:[int]int;
+var LOOP_78_Res_DEV_EXTN:[int]int;
+var LOOP_78_Res_DEV_OBJ_INIT:[int]int;
+var LOOP_78_Res_SPIN_LOCK:[int]int;
+
+
+start:
+
+assume (alloc[$DriverObject$1$3165.28$MouCreateClassObject$201] != UNALLOCATED);
+assume (alloc[$TmpDeviceExtension$2$3166.28$MouCreateClassObject$201] != UNALLOCATED);
+assume (alloc[$ClassDeviceObject$3$3167.28$MouCreateClassObject$201] != UNALLOCATED);
+assume (alloc[$FullDeviceName$4$3168.35$MouCreateClassObject$201] != UNALLOCATED);
+call $dumpData$12$3203.24$MouCreateClassObject$20 := __HAVOC_malloc(16);
+call $fullClassName$10$3201.24$MouCreateClassObject$20 := __HAVOC_malloc(8);
+$DriverObject$1$3165.28$MouCreateClassObject$20 := $DriverObject$1$3165.28$MouCreateClassObject$201;
+$TmpDeviceExtension$2$3166.28$MouCreateClassObject$20 := $TmpDeviceExtension$2$3166.28$MouCreateClassObject$201;
+$ClassDeviceObject$3$3167.28$MouCreateClassObject$20 := $ClassDeviceObject$3$3167.28$MouCreateClassObject$201;
+$FullDeviceName$4$3168.35$MouCreateClassObject$20 := $FullDeviceName$4$3168.35$MouCreateClassObject$201;
+$Legacy$5$3169.28$MouCreateClassObject$20 := $Legacy$5$3169.28$MouCreateClassObject$201;
+goto label_3;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3440)
+label_1:
+call __HAVOC_free($dumpData$12$3203.24$MouCreateClassObject$20);
+call __HAVOC_free($fullClassName$10$3201.24$MouCreateClassObject$20);
+assume (forall m:int:: {Res_DEVICE_STACK[m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Res_DEVICE_STACK[m] == old(Res_DEVICE_STACK)[m]);
+assume (forall m:int:: {Res_DEV_EXTN[m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Res_DEV_EXTN[m] == old(Res_DEV_EXTN)[m]);
+assume (forall m:int:: {Res_DEV_OBJ_INIT[m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Res_DEV_OBJ_INIT[m] == old(Res_DEV_OBJ_INIT)[m]);
+assume (forall m:int:: {Res_SPIN_LOCK[m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Res_SPIN_LOCK[m] == old(Res_SPIN_LOCK)[m]);
+assume (forall m:int :: {Mem[T.A2UINT2][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.A2UINT2][m] == old(Mem[T.A2UINT2])[m]);
+assume (forall m:int :: {Mem[T.A37CHAR][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.A37CHAR][m] == old(Mem[T.A37CHAR])[m]);
+assume (forall m:int :: {Mem[T.A40CHAR][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.A40CHAR][m] == old(Mem[T.A40CHAR])[m]);
+assume (forall m:int :: {Mem[T.A4UINT4][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.A4UINT4][m] == old(Mem[T.A4UINT4])[m]);
+assume (forall m:int :: {Mem[T.A65CHAR][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.A65CHAR][m] == old(Mem[T.A65CHAR])[m]);
+assume (forall m:int :: {Mem[T.A75CHAR][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.A75CHAR][m] == old(Mem[T.A75CHAR])[m]);
+assume (forall m:int :: {Mem[T.A76CHAR][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.A76CHAR][m] == old(Mem[T.A76CHAR])[m]);
+assume (forall m:int :: {Mem[T.A7UINT2][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.A7UINT2][m] == old(Mem[T.A7UINT2])[m]);
+assume (forall m:int :: {Mem[T.A80CHAR][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.A80CHAR][m] == old(Mem[T.A80CHAR])[m]);
+assume (forall m:int :: {Mem[T.A9UINT2][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.A9UINT2][m] == old(Mem[T.A9UINT2])[m]);
+assume (forall m:int :: {Mem[T.Abandoned___unnamed_1_2bb39c56][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Abandoned___unnamed_1_2bb39c56][m] == old(Mem[T.Abandoned___unnamed_1_2bb39c56])[m]);
+assume (forall m:int :: {Mem[T.Absolute___unnamed_1_2bb39c56][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Absolute___unnamed_1_2bb39c56][m] == old(Mem[T.Absolute___unnamed_1_2bb39c56])[m]);
+assume (forall m:int :: {Mem[T.AllocateTag__IO_REMOVE_LOCK_DBG_BLOCK][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.AllocateTag__IO_REMOVE_LOCK_DBG_BLOCK][m] == old(Mem[T.AllocateTag__IO_REMOVE_LOCK_DBG_BLOCK])[m]);
+assume (forall m:int :: {Mem[T.BaseClassName__GLOBALS][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.BaseClassName__GLOBALS][m] == old(Mem[T.BaseClassName__GLOBALS])[m]);
+assume (forall m:int :: {Mem[T.Blink__LIST_ENTRY][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Blink__LIST_ENTRY][m] == old(Mem[T.Blink__LIST_ENTRY])[m]);
+assume (forall m:int :: {Mem[T.Blocks__IO_REMOVE_LOCK_DBG_BLOCK][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Blocks__IO_REMOVE_LOCK_DBG_BLOCK][m] == old(Mem[T.Blocks__IO_REMOVE_LOCK_DBG_BLOCK])[m]);
+assume (forall m:int :: {Mem[T.Buffer__UNICODE_STRING][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Buffer__UNICODE_STRING][m] == old(Mem[T.Buffer__UNICODE_STRING])[m]);
+assume (forall m:int :: {Mem[T.ConnectOneClassToOnePort__GLOBALS][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.ConnectOneClassToOnePort__GLOBALS][m] == old(Mem[T.ConnectOneClassToOnePort__GLOBALS])[m]);
+assume (forall m:int :: {Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][m] == old(Mem[T.CurrentStackLocation___unnamed_4_a7aa989c])[m]);
+assume (forall m:int :: {Mem[T.DataIn__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.DataIn__DEVICE_EXTENSION][m] == old(Mem[T.DataIn__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.DataOut__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.DataOut__DEVICE_EXTENSION][m] == old(Mem[T.DataOut__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.DebugActive___unnamed_1_9fa0583a][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.DebugActive___unnamed_1_9fa0583a][m] == old(Mem[T.DebugActive___unnamed_1_9fa0583a])[m]);
+assume (forall m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.DeviceExtension__DEVICE_OBJECT][m] == old(Mem[T.DeviceExtension__DEVICE_OBJECT])[m]);
+assume (forall m:int :: {Mem[T.DeviceState__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.DeviceState__DEVICE_EXTENSION][m] == old(Mem[T.DeviceState__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.DpcActive___unnamed_1_9fa0583a][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.DpcActive___unnamed_1_9fa0583a][m] == old(Mem[T.DpcActive___unnamed_1_9fa0583a])[m]);
+assume (forall m:int :: {Mem[T.Enabled__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Enabled__DEVICE_EXTENSION][m] == old(Mem[T.Enabled__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.ExecuteWmiMethod__WMILIB_CONTEXT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.ExecuteWmiMethod__WMILIB_CONTEXT][m] == old(Mem[T.ExecuteWmiMethod__WMILIB_CONTEXT])[m]);
+assume (forall m:int :: {Mem[T.ExtraWaitWakeIrp__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.ExtraWaitWakeIrp__DEVICE_EXTENSION][m] == old(Mem[T.ExtraWaitWakeIrp__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.File__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.File__DEVICE_EXTENSION][m] == old(Mem[T.File__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.Flags__DEVICE_OBJECT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Flags__DEVICE_OBJECT][m] == old(Mem[T.Flags__DEVICE_OBJECT])[m]);
+assume (forall m:int :: {Mem[T.Flink__LIST_ENTRY][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Flink__LIST_ENTRY][m] == old(Mem[T.Flink__LIST_ENTRY])[m]);
+assume (forall m:int :: {Mem[T.GrandMaster__GLOBALS][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.GrandMaster__GLOBALS][m] == old(Mem[T.GrandMaster__GLOBALS])[m]);
+assume (forall m:int :: {Mem[T.GuidCount__WMILIB_CONTEXT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.GuidCount__WMILIB_CONTEXT][m] == old(Mem[T.GuidCount__WMILIB_CONTEXT])[m]);
+assume (forall m:int :: {Mem[T.GuidList__WMILIB_CONTEXT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.GuidList__WMILIB_CONTEXT][m] == old(Mem[T.GuidList__WMILIB_CONTEXT])[m]);
+assume (forall m:int :: {Mem[T.Hand___unnamed_1_e30779f5][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Hand___unnamed_1_e30779f5][m] == old(Mem[T.Hand___unnamed_1_e30779f5])[m]);
+assume (forall m:int :: {Mem[T.HighWatermark__IO_REMOVE_LOCK_DBG_BLOCK][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.HighWatermark__IO_REMOVE_LOCK_DBG_BLOCK][m] == old(Mem[T.HighWatermark__IO_REMOVE_LOCK_DBG_BLOCK])[m]);
+assume (forall m:int :: {Mem[T.INT4][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.INT4][m] == old(Mem[T.INT4])[m]);
+assume (forall m:int :: {Mem[T.InputCount__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.InputCount__DEVICE_EXTENSION][m] == old(Mem[T.InputCount__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.InputDataQueueLength__MOUSE_ATTRIBUTES][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.InputDataQueueLength__MOUSE_ATTRIBUTES][m] == old(Mem[T.InputDataQueueLength__MOUSE_ATTRIBUTES])[m]);
+assume (forall m:int :: {Mem[T.InputData__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.InputData__DEVICE_EXTENSION][m] == old(Mem[T.InputData__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.Inserted___unnamed_1_9fa0583a][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Inserted___unnamed_1_9fa0583a][m] == old(Mem[T.Inserted___unnamed_1_9fa0583a])[m]);
+assume (forall m:int :: {Mem[T.IoCount__IO_REMOVE_LOCK_COMMON_BLOCK][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.IoCount__IO_REMOVE_LOCK_COMMON_BLOCK][m] == old(Mem[T.IoCount__IO_REMOVE_LOCK_COMMON_BLOCK])[m]);
+assume (forall m:int :: {Mem[T.LegacyDeviceList__GLOBALS][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.LegacyDeviceList__GLOBALS][m] == old(Mem[T.LegacyDeviceList__GLOBALS])[m]);
+assume (forall m:int :: {Mem[T.Length__UNICODE_STRING][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Length__UNICODE_STRING][m] == old(Mem[T.Length__UNICODE_STRING])[m]);
+assume (forall m:int :: {Mem[T.Link__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Link__DEVICE_EXTENSION][m] == old(Mem[T.Link__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.Lock___unnamed_4_c9b2e921][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Lock___unnamed_4_c9b2e921][m] == old(Mem[T.Lock___unnamed_4_c9b2e921])[m]);
+assume (forall m:int :: {Mem[T.LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCK][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCK][m] == old(Mem[T.LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCK])[m]);
+assume (forall m:int :: {Mem[T.MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCK][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCK][m] == old(Mem[T.MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCK])[m]);
+assume (forall m:int :: {Mem[T.MaximumLength__UNICODE_STRING][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.MaximumLength__UNICODE_STRING][m] == old(Mem[T.MaximumLength__UNICODE_STRING])[m]);
+assume (forall m:int :: {Mem[T.MinDeviceWakeState__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.MinDeviceWakeState__DEVICE_EXTENSION][m] == old(Mem[T.MinDeviceWakeState__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.MinSystemWakeState__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.MinSystemWakeState__DEVICE_EXTENSION][m] == old(Mem[T.MinSystemWakeState__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.MinorFunction__IO_STACK_LOCATION][m] == old(Mem[T.MinorFunction__IO_STACK_LOCATION])[m]);
+assume (forall m:int :: {Mem[T.MouseAttributes__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.MouseAttributes__DEVICE_EXTENSION][m] == old(Mem[T.MouseAttributes__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.MouseIdentifier__MOUSE_ATTRIBUTES][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.MouseIdentifier__MOUSE_ATTRIBUTES][m] == old(Mem[T.MouseIdentifier__MOUSE_ATTRIBUTES])[m]);
+assume (forall m:int :: {Mem[T.Mutex__GLOBALS][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Mutex__GLOBALS][m] == old(Mem[T.Mutex__GLOBALS])[m]);
+assume (forall m:int :: {Mem[T.NpxIrql___unnamed_1_2bb39c56][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.NpxIrql___unnamed_1_2bb39c56][m] == old(Mem[T.NpxIrql___unnamed_1_2bb39c56])[m]);
+assume (forall m:int :: {Mem[T.NumberOfButtons__MOUSE_ATTRIBUTES][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.NumberOfButtons__MOUSE_ATTRIBUTES][m] == old(Mem[T.NumberOfButtons__MOUSE_ATTRIBUTES])[m]);
+assume (forall m:int :: {Mem[T.OkayToLogOverflow__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.OkayToLogOverflow__DEVICE_EXTENSION][m] == old(Mem[T.OkayToLogOverflow__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.PCHAR][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.PCHAR][m] == old(Mem[T.PCHAR])[m]);
+assume (forall m:int :: {Mem[T.PDO__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.PDO__DEVICE_EXTENSION][m] == old(Mem[T.PDO__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.PUINT2][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.PUINT2][m] == old(Mem[T.PUINT2])[m]);
+assume (forall m:int :: {Mem[T.PUINT4][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.PUINT4][m] == old(Mem[T.PUINT4])[m]);
+assume (forall m:int :: {Mem[T.PVOID][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.PVOID][m] == old(Mem[T.PVOID])[m]);
+assume (forall m:int :: {Mem[T.P_DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.P_DEVICE_EXTENSION][m] == old(Mem[T.P_DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.P_DEVICE_OBJECT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.P_DEVICE_OBJECT][m] == old(Mem[T.P_DEVICE_OBJECT])[m]);
+assume (forall m:int :: {Mem[T.P_DRIVER_OBJECT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.P_DRIVER_OBJECT][m] == old(Mem[T.P_DRIVER_OBJECT])[m]);
+assume (forall m:int :: {Mem[T.P_FAST_MUTEX][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.P_FAST_MUTEX][m] == old(Mem[T.P_FAST_MUTEX])[m]);
+assume (forall m:int :: {Mem[T.P_IO_REMOVE_LOCK][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.P_IO_REMOVE_LOCK][m] == old(Mem[T.P_IO_REMOVE_LOCK])[m]);
+assume (forall m:int :: {Mem[T.P_LIST_ENTRY][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.P_LIST_ENTRY][m] == old(Mem[T.P_LIST_ENTRY])[m]);
+assume (forall m:int :: {Mem[T.P_MOUSE_INPUT_DATA][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.P_MOUSE_INPUT_DATA][m] == old(Mem[T.P_MOUSE_INPUT_DATA])[m]);
+assume (forall m:int :: {Mem[T.P_UNICODE_STRING][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.P_UNICODE_STRING][m] == old(Mem[T.P_UNICODE_STRING])[m]);
+assume (forall m:int :: {Mem[T.PnP__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.PnP__DEVICE_EXTENSION][m] == old(Mem[T.PnP__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.QueryWmiDataBlock__WMILIB_CONTEXT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.QueryWmiDataBlock__WMILIB_CONTEXT][m] == old(Mem[T.QueryWmiDataBlock__WMILIB_CONTEXT])[m]);
+assume (forall m:int :: {Mem[T.QueryWmiRegInfo__WMILIB_CONTEXT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.QueryWmiRegInfo__WMILIB_CONTEXT][m] == old(Mem[T.QueryWmiRegInfo__WMILIB_CONTEXT])[m]);
+assume (forall m:int :: {Mem[T.ReadQueue__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.ReadQueue__DEVICE_EXTENSION][m] == old(Mem[T.ReadQueue__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.RemoveLock__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.RemoveLock__DEVICE_EXTENSION][m] == old(Mem[T.RemoveLock__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.Removed__IO_REMOVE_LOCK_COMMON_BLOCK][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Removed__IO_REMOVE_LOCK_COMMON_BLOCK][m] == old(Mem[T.Removed__IO_REMOVE_LOCK_COMMON_BLOCK])[m]);
+assume (forall m:int :: {Mem[T.Reserved1__IO_REMOVE_LOCK_DBG_BLOCK][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Reserved1__IO_REMOVE_LOCK_DBG_BLOCK][m] == old(Mem[T.Reserved1__IO_REMOVE_LOCK_DBG_BLOCK])[m]);
+assume (forall m:int :: {Mem[T.Reserved2__IO_REMOVE_LOCK_DBG_BLOCK][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Reserved2__IO_REMOVE_LOCK_DBG_BLOCK][m] == old(Mem[T.Reserved2__IO_REMOVE_LOCK_DBG_BLOCK])[m]);
+assume (forall m:int :: {Mem[T.Reserved__IO_REMOVE_LOCK_COMMON_BLOCK][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Reserved__IO_REMOVE_LOCK_COMMON_BLOCK][m] == old(Mem[T.Reserved__IO_REMOVE_LOCK_COMMON_BLOCK])[m]);
+assume (forall m:int :: {Mem[T.SampleRate__MOUSE_ATTRIBUTES][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.SampleRate__MOUSE_ATTRIBUTES][m] == old(Mem[T.SampleRate__MOUSE_ATTRIBUTES])[m]);
+assume (forall m:int :: {Mem[T.Self__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Self__DEVICE_EXTENSION][m] == old(Mem[T.Self__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.SequenceNumber__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.SequenceNumber__DEVICE_EXTENSION][m] == old(Mem[T.SequenceNumber__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.SetWmiDataBlock__WMILIB_CONTEXT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.SetWmiDataBlock__WMILIB_CONTEXT][m] == old(Mem[T.SetWmiDataBlock__WMILIB_CONTEXT])[m]);
+assume (forall m:int :: {Mem[T.SetWmiDataItem__WMILIB_CONTEXT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.SetWmiDataItem__WMILIB_CONTEXT][m] == old(Mem[T.SetWmiDataItem__WMILIB_CONTEXT])[m]);
+assume (forall m:int :: {Mem[T.SignalState__DISPATCHER_HEADER][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.SignalState__DISPATCHER_HEADER][m] == old(Mem[T.SignalState__DISPATCHER_HEADER])[m]);
+assume (forall m:int :: {Mem[T.Signalling___unnamed_1_2bb39c56][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Signalling___unnamed_1_2bb39c56][m] == old(Mem[T.Signalling___unnamed_1_2bb39c56])[m]);
+assume (forall m:int :: {Mem[T.Signature__IO_REMOVE_LOCK_DBG_BLOCK][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Signature__IO_REMOVE_LOCK_DBG_BLOCK][m] == old(Mem[T.Signature__IO_REMOVE_LOCK_DBG_BLOCK])[m]);
+assume (forall m:int :: {Mem[T.Size___unnamed_1_e30779f5][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Size___unnamed_1_e30779f5][m] == old(Mem[T.Size___unnamed_1_e30779f5])[m]);
+assume (forall m:int :: {Mem[T.SpinLock__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.SpinLock__DEVICE_EXTENSION][m] == old(Mem[T.SpinLock__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.Spin__IO_REMOVE_LOCK_DBG_BLOCK][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Spin__IO_REMOVE_LOCK_DBG_BLOCK][m] == old(Mem[T.Spin__IO_REMOVE_LOCK_DBG_BLOCK])[m]);
+assume (forall m:int :: {Mem[T.Started__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Started__DEVICE_EXTENSION][m] == old(Mem[T.Started__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.SurpriseRemoved__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.SurpriseRemoved__DEVICE_EXTENSION][m] == old(Mem[T.SurpriseRemoved__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.SystemState__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.SystemState__DEVICE_EXTENSION][m] == old(Mem[T.SystemState__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.SystemToDeviceState__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.SystemToDeviceState__DEVICE_EXTENSION][m] == old(Mem[T.SystemToDeviceState__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.TargetNotifyHandle__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.TargetNotifyHandle__DEVICE_EXTENSION][m] == old(Mem[T.TargetNotifyHandle__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.TopPort__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.TopPort__DEVICE_EXTENSION][m] == old(Mem[T.TopPort__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.TrueClassDevice__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.TrueClassDevice__DEVICE_EXTENSION][m] == old(Mem[T.TrueClassDevice__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.TrustedSubsystemCount__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.TrustedSubsystemCount__DEVICE_EXTENSION][m] == old(Mem[T.TrustedSubsystemCount__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.Type___unnamed_4_846adf3f][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Type___unnamed_4_846adf3f][m] == old(Mem[T.Type___unnamed_4_846adf3f])[m]);
+assume (forall m:int :: {Mem[T.UCHAR][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.UCHAR][m] == old(Mem[T.UCHAR])[m]);
+assume (forall m:int :: {Mem[T.UINT2][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.UINT2][m] == old(Mem[T.UINT2])[m]);
+assume (forall m:int :: {Mem[T.UINT4][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.UINT4][m] == old(Mem[T.UINT4])[m]);
+assume (forall m:int :: {Mem[T.UnitId__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.UnitId__DEVICE_EXTENSION][m] == old(Mem[T.UnitId__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.WaitWakeEnabled__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.WaitWakeEnabled__DEVICE_EXTENSION][m] == old(Mem[T.WaitWakeEnabled__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.WaitWakeIrp__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.WaitWakeIrp__DEVICE_EXTENSION][m] == old(Mem[T.WaitWakeIrp__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.WaitWakeSpinLock__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.WaitWakeSpinLock__DEVICE_EXTENSION][m] == old(Mem[T.WaitWakeSpinLock__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.WmiFunctionControl__WMILIB_CONTEXT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.WmiFunctionControl__WMILIB_CONTEXT][m] == old(Mem[T.WmiFunctionControl__WMILIB_CONTEXT])[m]);
+assume (forall m:int :: {Mem[T._POOL_TYPE][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T._POOL_TYPE][m] == old(Mem[T._POOL_TYPE])[m]);
+return;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3440)
+label_2:
+assume false;
+return;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3197)
+label_3:
+goto label_4;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3198)
+label_4:
+goto label_5;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3199)
+label_5:
+goto label_6;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3199)
+label_6:
+$deviceExtension$8$3199.24$MouCreateClassObject$20 := 0 ;
+goto label_7;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3200)
+label_7:
+goto label_8;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3200)
+label_8:
+$errorCode$9$3200.24$MouCreateClassObject$20 := 0 ;
+goto label_9;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3201)
+label_9:
+goto label_10;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3201)
+label_10:
+// Skipping Structure assignment due to the flag SkipStructAssignments
+goto label_11;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3202)
+label_11:
+goto label_12;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3202)
+label_12:
+$dumpCount$11$3202.24$MouCreateClassObject$20 := 0 ;
+goto label_13;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3203)
+label_13:
+goto label_14;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3204)
+label_14:
+goto label_15;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3205)
+label_15:
+goto label_16;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3207)
+label_16:
+call __PREfastPagedCode ();
+goto label_22;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3209)
+label_19:
+// skip MouDebugPrint
+goto label_23;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3209)
+label_22:
+call havoc_stringTemp := __HAVOC_malloc(1);
+$MouDebugPrint.arg.2$2$ := havoc_stringTemp ;
+goto label_19;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3215)
+label_23:
+call ExAcquireFastMutex (Mutex__GLOBALS(Globals));
+goto label_26;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3220)
+label_26:
+Mem[T.P_DEVICE_OBJECT] := Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3167.28$MouCreateClassObject$20 := 0];
+goto label_27;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3222)
+label_27:
+goto label_27_true , label_27_false ;
+
+
+label_27_true :
+assume (Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] != 0);
+goto label_89;
+
+
+label_27_false :
+assume (Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] == 0);
+goto label_28;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3226)
+label_28:
+call ExReleaseFastMutex (Mutex__GLOBALS(Globals));
+goto label_31;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3232)
+label_31:
+goto label_31_true , label_31_false ;
+
+
+label_31_true :
+assume (BOOGIE_LARGE_INT_4294967273 < Mem[T.Length__UNICODE_STRING][Length__UNICODE_STRING(BaseClassName__GLOBALS(Globals))]);
+goto label_32;
+
+
+label_31_false :
+assume !(BOOGIE_LARGE_INT_4294967273 < Mem[T.Length__UNICODE_STRING][Length__UNICODE_STRING(BaseClassName__GLOBALS(Globals))]);
+goto label_37;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3233)
+label_32:
+$status$6$3197.24$MouCreateClassObject$20 := -1073741823 ;
+goto label_33;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3234)
+label_33:
+$errorCode$9$3200.24$MouCreateClassObject$20 := -1073414143 ;
+goto label_34;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3235)
+label_34:
+$uniqueErrorValue$7$3198.24$MouCreateClassObject$20 := 20006 ;
+goto label_35;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3236)
+label_35:
+Mem[T.UINT4] := Mem[T.UINT4][PLUS($dumpData$12$3203.24$MouCreateClassObject$20, 4, 0) := Mem[T.MaximumLength__UNICODE_STRING][MaximumLength__UNICODE_STRING($fullClassName$10$3201.24$MouCreateClassObject$20)]];
+goto label_36;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3237)
+label_36:
+$dumpCount$11$3202.24$MouCreateClassObject$20 := 1 ;
+goto label_136;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3244)
+label_37:
+Mem[T.MaximumLength__UNICODE_STRING] := Mem[T.MaximumLength__UNICODE_STRING][MaximumLength__UNICODE_STRING($fullClassName$10$3201.24$MouCreateClassObject$20) := PLUS(PLUS(18, 1, Mem[T.Length__UNICODE_STRING][Length__UNICODE_STRING(BaseClassName__GLOBALS(Globals))]), 1, 4)];
+goto label_38;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3248)
+label_38:
+goto label_38_true , label_38_false ;
+
+
+label_38_true :
+assume (Mem[T.ConnectOneClassToOnePort__GLOBALS][ConnectOneClassToOnePort__GLOBALS(Globals)] != 0);
+goto label_39;
+
+
+label_38_false :
+assume (Mem[T.ConnectOneClassToOnePort__GLOBALS][ConnectOneClassToOnePort__GLOBALS(Globals)] == 0);
+goto label_44;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3248)
+label_39:
+goto label_39_true , label_39_false ;
+
+
+label_39_true :
+assume ($Legacy$5$3169.28$MouCreateClassObject$20 != 0);
+goto label_40;
+
+
+label_39_false :
+assume ($Legacy$5$3169.28$MouCreateClassObject$20 == 0);
+goto label_44;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3249)
+label_40:
+tempBoogie0 := PLUS(Mem[T.MaximumLength__UNICODE_STRING][MaximumLength__UNICODE_STRING($fullClassName$10$3201.24$MouCreateClassObject$20)], 1, 14) ;
+Mem[T.MaximumLength__UNICODE_STRING] := Mem[T.MaximumLength__UNICODE_STRING][MaximumLength__UNICODE_STRING($fullClassName$10$3201.24$MouCreateClassObject$20) := tempBoogie0];
+goto label_44;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3252)
+label_41:
+call $result.ExAllocatePoolWithTag$3252.0$3$ := ExAllocatePoolWithTag (1, $ExAllocatePoolWithTag.arg.2$4$, 1131377997);
+goto label_45;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3252)
+label_44:
+$ExAllocatePoolWithTag.arg.2$4$ := Mem[T.MaximumLength__UNICODE_STRING][MaximumLength__UNICODE_STRING($fullClassName$10$3201.24$MouCreateClassObject$20)] ;
+goto label_41;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3252)
+label_45:
+Mem[T.Buffer__UNICODE_STRING] := Mem[T.Buffer__UNICODE_STRING][Buffer__UNICODE_STRING($fullClassName$10$3201.24$MouCreateClassObject$20) := $result.ExAllocatePoolWithTag$3252.0$3$];
+goto label_46;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3255)
+label_46:
+goto label_46_true , label_46_false ;
+
+
+label_46_true :
+assume (Mem[T.Buffer__UNICODE_STRING][Buffer__UNICODE_STRING($fullClassName$10$3201.24$MouCreateClassObject$20)] != 0);
+goto label_59;
+
+
+label_46_false :
+assume (Mem[T.Buffer__UNICODE_STRING][Buffer__UNICODE_STRING($fullClassName$10$3201.24$MouCreateClassObject$20)] == 0);
+goto label_50;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3257)
+label_47:
+// skip MouDebugPrint
+goto label_51;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3257)
+label_50:
+call havoc_stringTemp := __HAVOC_malloc(1);
+$MouDebugPrint.arg.2$5$ := havoc_stringTemp ;
+goto label_47;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3262)
+label_51:
+$status$6$3197.24$MouCreateClassObject$20 := -1073741823 ;
+goto label_52;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3263)
+label_52:
+$errorCode$9$3200.24$MouCreateClassObject$20 := -1073414143 ;
+goto label_53;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3264)
+label_53:
+$uniqueErrorValue$7$3198.24$MouCreateClassObject$20 := 20006 ;
+goto label_54;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3265)
+label_54:
+Mem[T.UINT4] := Mem[T.UINT4][PLUS($dumpData$12$3203.24$MouCreateClassObject$20, 4, 0) := Mem[T.MaximumLength__UNICODE_STRING][MaximumLength__UNICODE_STRING($fullClassName$10$3201.24$MouCreateClassObject$20)]];
+goto label_55;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3266)
+label_55:
+$dumpCount$11$3202.24$MouCreateClassObject$20 := 1 ;
+goto label_136;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3270)
+label_56:
+// ignoring intrinsic intrinsic.memset
+havoc $result.memset$3270.8$6$;
+goto label_63;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3270)
+label_59:
+$memset.arg.3$7$ := Mem[T.MaximumLength__UNICODE_STRING][MaximumLength__UNICODE_STRING($fullClassName$10$3201.24$MouCreateClassObject$20)] ;
+goto label_56;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3271)
+label_60:
+call $result.RtlAppendUnicodeToString$3271.32$8$ := RtlAppendUnicodeToString ($fullClassName$10$3201.24$MouCreateClassObject$20, $RtlAppendUnicodeToString.arg.2$9$);
+goto label_64;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3271)
+label_63:
+call havoc_stringTemp := __HAVOC_malloc(1);
+$RtlAppendUnicodeToString.arg.2$9$ := havoc_stringTemp ;
+goto label_60;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3272)
+label_64:
+call $result.RtlAppendUnicodeToString$3272.32$10$ := RtlAppendUnicodeToString ($fullClassName$10$3201.24$MouCreateClassObject$20, Mem[T.Buffer__UNICODE_STRING][Buffer__UNICODE_STRING(BaseClassName__GLOBALS(Globals))]);
+goto label_67;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3274)
+label_67:
+goto label_67_true , label_67_false ;
+
+
+label_67_true :
+assume (Mem[T.ConnectOneClassToOnePort__GLOBALS][ConnectOneClassToOnePort__GLOBALS(Globals)] != 0);
+goto label_68;
+
+
+label_67_false :
+assume (Mem[T.ConnectOneClassToOnePort__GLOBALS][ConnectOneClassToOnePort__GLOBALS(Globals)] == 0);
+goto label_76;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3274)
+label_68:
+goto label_68_true , label_68_false ;
+
+
+label_68_true :
+assume ($Legacy$5$3169.28$MouCreateClassObject$20 != 0);
+goto label_72;
+
+
+label_68_false :
+assume ($Legacy$5$3169.28$MouCreateClassObject$20 == 0);
+goto label_76;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3275)
+label_69:
+call $result.RtlAppendUnicodeToString$3275.36$11$ := RtlAppendUnicodeToString ($fullClassName$10$3201.24$MouCreateClassObject$20, $RtlAppendUnicodeToString.arg.2$12$);
+goto label_76;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3275)
+label_72:
+call havoc_stringTemp := __HAVOC_malloc(1);
+$RtlAppendUnicodeToString.arg.2$12$ := havoc_stringTemp ;
+goto label_69;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3278)
+label_73:
+call $result.RtlAppendUnicodeToString$3278.32$13$ := RtlAppendUnicodeToString ($fullClassName$10$3201.24$MouCreateClassObject$20, $RtlAppendUnicodeToString.arg.2$14$);
+goto label_77;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3278)
+label_76:
+call havoc_stringTemp := __HAVOC_malloc(1);
+$RtlAppendUnicodeToString.arg.2$14$ := havoc_stringTemp ;
+goto label_73;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3284)
+label_77:
+$nameIndex$14$3205.24$MouCreateClassObject$20 := 0 ;
+goto label_78;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3288)
+label_78:
+// loop entry initialization...
+LOOP_78_alloc := alloc;
+LOOP_78_Mem := Mem;
+LOOP_78_Res_DEVICE_STACK := Res_DEVICE_STACK;
+LOOP_78_Res_DEV_EXTN := Res_DEV_EXTN;
+LOOP_78_Res_DEV_OBJ_INIT := Res_DEV_OBJ_INIT;
+LOOP_78_Res_SPIN_LOCK := Res_SPIN_LOCK;
+goto label_78_head;
+
+
+label_78_head:
+// loop head assertions...
+//TAG: requires __pforall(_H_x, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension), __inv_resource("DEV_OBJ_INIT", 1), ((struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension))->Self == _H_x && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension)) == 1)
+assert((forall _H_x:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]} Inverse(Res_DEV_OBJ_INIT,1)[_H_x] ==> ((Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)])] == _H_x) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]] == 1))));
+//TAG: requires __pforall(_H_z, _H_z->Self, __inv_resource("DEV_EXTN", 1), __resource("DEV_OBJ_INIT", _H_z->Self) == 1 && (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(_H_z->Self))->DeviceExtension) == _H_z)
+assert((forall _H_z:int :: {Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]} Inverse(Res_DEV_EXTN,1)[_H_z] ==> ((Res_DEV_OBJ_INIT[Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]] == 1) && (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)])] == _H_z))));
+//TAG: requires __forall(_H_z, __inv_resource("DEV_EXTN", 1), __resource("SPIN_LOCK", &_H_z->SpinLock) == 0 && __resource("SPIN_LOCK", &_H_z->WaitWakeSpinLock) == 0)
+assert((Subset(Empty(), Inverse(Res_DEV_EXTN,1)) && (forall _H_z : int :: {Inverse(Res_DEV_EXTN,1)[_H_z]} (Inverse(Res_DEV_EXTN,1)[_H_z]) ==> ((Res_SPIN_LOCK[SpinLock__DEVICE_EXTENSION(_H_z)] == 0) && (Res_SPIN_LOCK[WaitWakeSpinLock__DEVICE_EXTENSION(_H_z)] == 0)))));
+//TAG: requires 1 ==> (Globals.GrandMaster != (void *)0 ==> __resource("DEV_EXTN", Globals.GrandMaster) == 1)
+assert((true) ==> ((Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] != 0) ==> (Res_DEV_EXTN[Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)]] == 1)));
+//TAG: requires 1 ==> __setin(&Globals.LegacyDeviceList, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList))
+assert((true) ==> (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[LegacyDeviceList__GLOBALS(Globals)]));
+//TAG: requires 1 ==> __forall(_H_y, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), _H_y == &Globals.LegacyDeviceList || __resource("DEV_EXTN", CONTAINING_RECORD(_H_y, struct _DEVICE_EXTENSION , Link)) == 1)
+assert((true) ==> ((Subset(Empty(), ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))) && (forall _H_y : int :: {ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]} (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]) ==> ((_H_y == LegacyDeviceList__GLOBALS(Globals)) || (Res_DEV_EXTN[MINUS_LEFT_PTR(_H_y, 1, Link__DEVICE_EXTENSION(0))] == 1))))));
+//TAG: requires 1 ==> !__setin(&Globals.GrandMaster->Link, __setminus(__btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), __set(&Globals.LegacyDeviceList)))
+assert((true) ==> (!(Difference(ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals)), Singleton(LegacyDeviceList__GLOBALS(Globals)))[Link__DEVICE_EXTENSION(Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)])])));
+//TAG: requires __preserves_resource("DEV_OBJ_INIT")
+assert(Res_DEV_OBJ_INIT == LOOP_78_Res_DEV_OBJ_INIT);
+//TAG: requires __preserves_resource("DEV_EXTN")
+assert(Res_DEV_EXTN == LOOP_78_Res_DEV_EXTN);
+//TAG: requires __preserves_field_map(__offset((*((struct _LIST_ENTRY *)0)).Flink))
+assert(Mem[T.Flink__LIST_ENTRY] == LOOP_78_Mem[T.Flink__LIST_ENTRY]);
+assume(forall f:int :: {alloc[Base(f)]} LOOP_78_alloc[Base(f)] == UNALLOCATED || LOOP_78_alloc[Base(f)] == alloc[Base(f)]);
+
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || LOOP_78_Res_DEVICE_STACK[r] == Res_DEVICE_STACK[r]));
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || LOOP_78_Res_DEV_EXTN[r] == Res_DEV_EXTN[r]));
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || LOOP_78_Res_DEV_OBJ_INIT[r] == Res_DEV_OBJ_INIT[r]));
+
+//TAG: net change in resource SPIN_LOCK only for: __set_true, __set_empty
+assert (Subset(Empty(), Union(Union(Empty(), SetTrue()), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (SetTrue()[r]) || (Empty()[r]) || LOOP_78_Res_SPIN_LOCK[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == LOOP_78_Mem[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_a7aa989c] only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m] == LOOP_78_Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == LOOP_78_Mem[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_true, __set_empty
+assert (Subset(Empty(), Union(Union(Empty(), SetTrue()), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (SetTrue()[_m]) || (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == LOOP_78_Mem[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == LOOP_78_Mem[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == LOOP_78_Mem[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == LOOP_78_Mem[T.P_DEVICE_OBJECT][_m]));
+
+// end loop head assertions
+
+Mem[T.UINT2] := Mem[T.UINT2][PLUS(Mem[T.Buffer__UNICODE_STRING][Buffer__UNICODE_STRING($fullClassName$10$3201.24$MouCreateClassObject$20)], 2, MINUS_BOTH_PTR_OR_BOTH_INT( BINARY_BOTH_INT(Mem[T.Length__UNICODE_STRING][Length__UNICODE_STRING($fullClassName$10$3201.24$MouCreateClassObject$20)], 2), 1, 1)) := PLUS(48, 1, $nameIndex$14$3205.24$MouCreateClassObject$20)];
+$nameIndex$14$3205.24$MouCreateClassObject$20 := PLUS($nameIndex$14$3205.24$MouCreateClassObject$20, 1, 1) ;
+goto label_82;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3290)
+label_79:
+// skip MouDebugPrint
+goto label_83;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3290)
+label_82:
+call havoc_stringTemp := __HAVOC_malloc(1);
+$MouDebugPrint.arg.2$15$ := havoc_stringTemp ;
+goto label_79;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3296)
+label_83:
+call $result.IoCreateDevice$3296.35$16$ := IoCreateDevice ($DriverObject$1$3165.28$MouCreateClassObject$20, 272, $fullClassName$10$3201.24$MouCreateClassObject$20, 15, 0, 0, $ClassDeviceObject$3$3167.28$MouCreateClassObject$20);
+goto label_86;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3296)
+label_86:
+$status$6$3197.24$MouCreateClassObject$20 := $result.IoCreateDevice$3296.35$16$ ;
+goto label_87;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3304)
+label_87:
+goto label_87_true , label_87_false ;
+
+
+label_87_true :
+assume (-1073741771 == $status$6$3197.24$MouCreateClassObject$20);
+goto label_78_head;
+
+
+label_87_false :
+assume !(-1073741771 == $status$6$3197.24$MouCreateClassObject$20);
+goto label_88;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3306)
+label_88:
+Mem[T.PUINT2] := Mem[T.PUINT2][$FullDeviceName$4$3168.35$MouCreateClassObject$20 := Mem[T.Buffer__UNICODE_STRING][Buffer__UNICODE_STRING($fullClassName$10$3201.24$MouCreateClassObject$20)]];
+goto label_97;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3309)
+label_89:
+call ExReleaseFastMutex (Mutex__GLOBALS(Globals));
+goto label_92;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3310)
+label_92:
+call $result.IoCreateDevice$3310.31$17$ := IoCreateDevice ($DriverObject$1$3165.28$MouCreateClassObject$20, 272, 0, 15, 0, 0, $ClassDeviceObject$3$3167.28$MouCreateClassObject$20);
+goto label_95;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3310)
+label_95:
+$status$6$3197.24$MouCreateClassObject$20 := $result.IoCreateDevice$3310.31$17$ ;
+goto label_96;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3317)
+label_96:
+Mem[T.PUINT2] := Mem[T.PUINT2][$FullDeviceName$4$3168.35$MouCreateClassObject$20 := 0];
+goto label_97;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3320)
+label_97:
+goto label_97_true , label_97_false ;
+
+
+label_97_true :
+assume (0 <= $status$6$3197.24$MouCreateClassObject$20);
+goto label_98;
+
+
+label_97_false :
+assume !(0 <= $status$6$3197.24$MouCreateClassObject$20);
+goto label_102;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3320)
+label_98:
+goto label_98_true , label_98_false ;
+
+
+label_98_true :
+assume (Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3167.28$MouCreateClassObject$20] != 0);
+goto label_107;
+
+
+label_98_false :
+assume (Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3167.28$MouCreateClassObject$20] == 0);
+goto label_102;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3321)
+label_99:
+// skip MouDebugPrint
+goto label_103;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3321)
+label_102:
+call havoc_stringTemp := __HAVOC_malloc(1);
+$MouDebugPrint.arg.2$18$ := havoc_stringTemp ;
+goto label_99;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3327)
+label_103:
+$errorCode$9$3200.24$MouCreateClassObject$20 := -1073414131 ;
+goto label_104;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3328)
+label_104:
+$uniqueErrorValue$7$3198.24$MouCreateClassObject$20 := 20006 ;
+goto label_105;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3329)
+label_105:
+Mem[T.UINT4] := Mem[T.UINT4][PLUS($dumpData$12$3203.24$MouCreateClassObject$20, 4, 0) := Mem[T.MaximumLength__UNICODE_STRING][MaximumLength__UNICODE_STRING($fullClassName$10$3201.24$MouCreateClassObject$20)]];
+goto label_106;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3330)
+label_106:
+$dumpCount$11$3202.24$MouCreateClassObject$20 := 1 ;
+goto label_136;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3339)
+label_107:
+assume (forall r:int :: {BIT_BAND(BIT_BOR(Mem[T.Flags__DEVICE_OBJECT][Flags__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3167.28$MouCreateClassObject$20])], 4),r)} BIT_BAND(Mem[T.Flags__DEVICE_OBJECT][Flags__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3167.28$MouCreateClassObject$20])],r)!= 0 || BIT_BAND(4,r)!= 0 <==> BIT_BAND(BIT_BOR(Mem[T.Flags__DEVICE_OBJECT][Flags__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3167.28$MouCreateClassObject$20])], 4),r)!= 0);
+tempBoogie0 := BIT_BOR(Mem[T.Flags__DEVICE_OBJECT][Flags__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3167.28$MouCreateClassObject$20])], 4) ;
+Mem[T.Flags__DEVICE_OBJECT] := Mem[T.Flags__DEVICE_OBJECT][Flags__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3167.28$MouCreateClassObject$20]) := tempBoogie0];
+goto label_108;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3340)
+label_108:
+$deviceExtension$8$3199.24$MouCreateClassObject$20 := Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3167.28$MouCreateClassObject$20])] ;
+goto label_109;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3342)
+label_109:
+// Skipping Structure assignment due to the flag SkipStructAssignments
+goto label_110;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3344)
+label_110:
+Mem[T.Self__DEVICE_EXTENSION] := Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION($deviceExtension$8$3199.24$MouCreateClassObject$20) := Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3167.28$MouCreateClassObject$20]];
+goto label_111;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3345)
+label_111:
+call IoInitializeRemoveLockEx (RemoveLock__DEVICE_EXTENSION($deviceExtension$8$3199.24$MouCreateClassObject$20), 1131377997, 0, 0, 88);
+goto label_114;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3351)
+label_114:
+assume (Mem[T.SpinLock__DEVICE_EXTENSION][SpinLock__DEVICE_EXTENSION($deviceExtension$8$3199.24$MouCreateClassObject$20)] == Mem[T.UINT4][SpinLock__DEVICE_EXTENSION($deviceExtension$8$3199.24$MouCreateClassObject$20)]);
+call KeInitializeSpinLock (SpinLock__DEVICE_EXTENSION($deviceExtension$8$3199.24$MouCreateClassObject$20));
+Mem[T.SpinLock__DEVICE_EXTENSION] := Mem[T.SpinLock__DEVICE_EXTENSION][SpinLock__DEVICE_EXTENSION($deviceExtension$8$3199.24$MouCreateClassObject$20) := Mem[T.UINT4][SpinLock__DEVICE_EXTENSION($deviceExtension$8$3199.24$MouCreateClassObject$20)]];
+goto label_117;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3357)
+label_117:
+call InitializeListHead_IRP (ReadQueue__DEVICE_EXTENSION($deviceExtension$8$3199.24$MouCreateClassObject$20));
+goto label_120;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3363)
+label_120:
+Mem[T.TrustedSubsystemCount__DEVICE_EXTENSION] := Mem[T.TrustedSubsystemCount__DEVICE_EXTENSION][TrustedSubsystemCount__DEVICE_EXTENSION($deviceExtension$8$3199.24$MouCreateClassObject$20) := 0];
+goto label_121;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3370)
+label_121:
+call $result.ExAllocatePoolWithTag$3370.0$19$ := ExAllocatePoolWithTag (0, Mem[T.InputDataQueueLength__MOUSE_ATTRIBUTES][InputDataQueueLength__MOUSE_ATTRIBUTES(MouseAttributes__DEVICE_EXTENSION($deviceExtension$8$3199.24$MouCreateClassObject$20))], 1131377997);
+goto label_124;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3369)
+label_124:
+Mem[T.InputData__DEVICE_EXTENSION] := Mem[T.InputData__DEVICE_EXTENSION][InputData__DEVICE_EXTENSION($deviceExtension$8$3199.24$MouCreateClassObject$20) := $result.ExAllocatePoolWithTag$3370.0$19$];
+goto label_125;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3375)
+label_125:
+goto label_125_true , label_125_false ;
+
+
+label_125_true :
+assume (Mem[T.InputData__DEVICE_EXTENSION][InputData__DEVICE_EXTENSION($deviceExtension$8$3199.24$MouCreateClassObject$20)] != 0);
+goto label_133;
+
+
+label_125_false :
+assume (Mem[T.InputData__DEVICE_EXTENSION][InputData__DEVICE_EXTENSION($deviceExtension$8$3199.24$MouCreateClassObject$20)] == 0);
+goto label_129;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3381)
+label_126:
+// skip MouDebugPrint
+goto label_130;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3381)
+label_129:
+call havoc_stringTemp := __HAVOC_malloc(1);
+$MouDebugPrint.arg.2$20$ := havoc_stringTemp ;
+goto label_126;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3387)
+label_130:
+$status$6$3197.24$MouCreateClassObject$20 := -1073741670 ;
+goto label_131;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3393)
+label_131:
+$errorCode$9$3200.24$MouCreateClassObject$20 := -1073414142 ;
+goto label_132;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3394)
+label_132:
+$uniqueErrorValue$7$3198.24$MouCreateClassObject$20 := 20020 ;
+goto label_136;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3402)
+label_133:
+call MouInitializeDataQueue ($deviceExtension$8$3199.24$MouCreateClassObject$20);
+goto label_136;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3406)
+label_136:
+goto label_136_true , label_136_false ;
+
+
+label_136_true :
+assume ($status$6$3197.24$MouCreateClassObject$20 != 0);
+goto label_137;
+
+
+label_136_false :
+assume ($status$6$3197.24$MouCreateClassObject$20 == 0);
+goto label_162;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3412)
+label_137:
+call RtlFreeUnicodeString ($fullClassName$10$3201.24$MouCreateClassObject$20);
+goto label_140;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3413)
+label_140:
+Mem[T.PUINT2] := Mem[T.PUINT2][$FullDeviceName$4$3168.35$MouCreateClassObject$20 := 0];
+goto label_141;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3415)
+label_141:
+goto label_141_true , label_141_false ;
+
+
+label_141_true :
+assume ($errorCode$9$3200.24$MouCreateClassObject$20 != 0);
+goto label_145;
+
+
+label_141_false :
+assume ($errorCode$9$3200.24$MouCreateClassObject$20 == 0);
+goto label_148;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3416)
+label_142:
+call MouseClassLogError ($result.question.21$, $errorCode$9$3200.24$MouCreateClassObject$20, $uniqueErrorValue$7$3198.24$MouCreateClassObject$20, $status$6$3197.24$MouCreateClassObject$20, $dumpCount$11$3202.24$MouCreateClassObject$20, $dumpData$12$3203.24$MouCreateClassObject$20, 0);
+goto label_148;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3417)
+label_145:
+goto label_145_true , label_145_false ;
+
+
+label_145_true :
+assume (Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3167.28$MouCreateClassObject$20] != 0);
+goto label_147;
+
+
+label_145_false :
+assume (Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3167.28$MouCreateClassObject$20] == 0);
+goto label_146;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3417)
+label_146:
+$result.question.21$ := $DriverObject$1$3165.28$MouCreateClassObject$20 ;
+goto label_142;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3417)
+label_147:
+$result.question.21$ := Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3167.28$MouCreateClassObject$20] ;
+goto label_142;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3427)
+label_148:
+goto label_148_true , label_148_false ;
+
+
+label_148_true :
+assume ($deviceExtension$8$3199.24$MouCreateClassObject$20 != 0);
+goto label_149;
+
+
+label_148_false :
+assume ($deviceExtension$8$3199.24$MouCreateClassObject$20 == 0);
+goto label_154;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3427)
+label_149:
+goto label_149_true , label_149_false ;
+
+
+label_149_true :
+assume (Mem[T.InputData__DEVICE_EXTENSION][InputData__DEVICE_EXTENSION($deviceExtension$8$3199.24$MouCreateClassObject$20)] != 0);
+goto label_150;
+
+
+label_149_false :
+assume (Mem[T.InputData__DEVICE_EXTENSION][InputData__DEVICE_EXTENSION($deviceExtension$8$3199.24$MouCreateClassObject$20)] == 0);
+goto label_154;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3428)
+label_150:
+call ExFreePoolWithTag (Mem[T.InputData__DEVICE_EXTENSION][InputData__DEVICE_EXTENSION($deviceExtension$8$3199.24$MouCreateClassObject$20)], 0);
+goto label_153;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3429)
+label_153:
+Mem[T.InputData__DEVICE_EXTENSION] := Mem[T.InputData__DEVICE_EXTENSION][InputData__DEVICE_EXTENSION($deviceExtension$8$3199.24$MouCreateClassObject$20) := 0];
+goto label_154;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3431)
+label_154:
+goto label_154_true , label_154_false ;
+
+
+label_154_true :
+assume (Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3167.28$MouCreateClassObject$20] != 0);
+goto label_155;
+
+
+label_154_false :
+assume (Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3167.28$MouCreateClassObject$20] == 0);
+goto label_162;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3432)
+label_155:
+call IoDeleteDevice (Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3167.28$MouCreateClassObject$20]);
+goto label_158;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3433)
+label_158:
+Mem[T.P_DEVICE_OBJECT] := Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3167.28$MouCreateClassObject$20 := 0];
+goto label_162;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3437)
+label_159:
+// skip MouDebugPrint
+goto label_163;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3437)
+label_162:
+call havoc_stringTemp := __HAVOC_malloc(1);
+$MouDebugPrint.arg.2$22$ := havoc_stringTemp ;
+goto label_159;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(3439)
+label_163:
+$result.MouCreateClassObject$3164.0$1$ := $status$6$3197.24$MouCreateClassObject$20 ;
+goto label_1;
+
+}
+
diff --git a/Test/havoc0/MouseClassFindMorePorts.bpl b/Test/havoc0/MouseClassFindMorePorts.bpl
new file mode 100644
index 00000000..627d8502
--- /dev/null
+++ b/Test/havoc0/MouseClassFindMorePorts.bpl
@@ -0,0 +1,3837 @@
+type byte, name;
+function OneByteToInt(byte) returns (int);
+function TwoBytesToInt(byte, byte) returns (int);
+function FourBytesToInt(byte, byte, byte, byte) returns (int);
+axiom(forall b0:byte, c0:byte :: {OneByteToInt(b0), OneByteToInt(c0)} OneByteToInt(b0) == OneByteToInt(c0) ==> b0 == c0);
+axiom(forall b0:byte, b1: byte, c0:byte, c1:byte :: {TwoBytesToInt(b0, b1), TwoBytesToInt(c0, c1)} TwoBytesToInt(b0, b1) == TwoBytesToInt(c0, c1) ==> b0 == c0 && b1 == c1);
+axiom(forall b0:byte, b1: byte, b2:byte, b3:byte, c0:byte, c1:byte, c2:byte, c3:byte :: {FourBytesToInt(b0, b1, b2, b3), FourBytesToInt(c0, c1, c2, c3)} FourBytesToInt(b0, b1, b2, b3) == FourBytesToInt(c0, c1, c2, c3) ==> b0 == c0 && b1 == c1 && b2 == c2 && b3 == c3);
+
+// Mutable
+var Mem_BYTE:[int]byte;
+var alloc:[int]name;
+
+
+function Field(int) returns (name);
+function Base(int) returns (int);
+
+// Constants
+const unique UNALLOCATED:name;
+const unique ALLOCATED: name;
+const unique FREED:name;
+
+const unique BYTE:name;
+
+function Equal([int]bool, [int]bool) returns (bool);
+function Subset([int]bool, [int]bool) returns (bool);
+function Disjoint([int]bool, [int]bool) returns (bool);
+
+function Empty() returns ([int]bool);
+function SetTrue() returns ([int]bool);
+function Singleton(int) returns ([int]bool);
+function Reachable([int,int]bool, int) returns ([int]bool);
+function Union([int]bool, [int]bool) returns ([int]bool);
+function Intersection([int]bool, [int]bool) returns ([int]bool);
+function Difference([int]bool, [int]bool) returns ([int]bool);
+function Dereference([int]bool, [int]int) returns ([int]bool);
+function Inverse(f:[int]int, x:int) returns ([int]bool);
+
+function AtLeast(int, int) returns ([int]bool);
+function Rep(int, int) returns (int);
+axiom(forall n:int, x:int, y:int :: {AtLeast(n,x)[y]} AtLeast(n,x)[y] ==> x <= y && Rep(n,x) == Rep(n,y));
+axiom(forall n:int, x:int, y:int :: {AtLeast(n,x),Rep(n,x),Rep(n,y)} x <= y && Rep(n,x) == Rep(n,y) ==> AtLeast(n,x)[y]);
+axiom(forall n:int, x:int :: {AtLeast(n,x)} AtLeast(n,x)[x]);
+axiom(forall n:int, x:int, z:int :: {PLUS(x,n,z)} Rep(n,x) == Rep(n,PLUS(x,n,z)));
+axiom(forall n:int, x:int :: {Rep(n,x)} (exists k:int :: Rep(n,x) - x == n*k));
+
+/*
+function AtLeast(int, int) returns ([int]bool);
+function ModEqual(int, int, int) returns (bool);
+axiom(forall n:int, x:int :: ModEqual(n,x,x));
+axiom(forall n:int, x:int, y:int :: {ModEqual(n,x,y)} ModEqual(n,x,y) ==> ModEqual(n,y,x));
+axiom(forall n:int, x:int, y:int, z:int :: {ModEqual(n,x,y), ModEqual(n,y,z)} ModEqual(n,x,y) && ModEqual(n,y,z) ==> ModEqual(n,x,z));
+axiom(forall n:int, x:int, z:int :: {PLUS(x,n,z)} ModEqual(n,x,PLUS(x,n,z)));
+axiom(forall n:int, x:int, y:int :: {ModEqual(n,x,y)} ModEqual(n,x,y) ==> (exists k:int :: x - y == n*k));
+axiom(forall x:int, n:int, y:int :: {AtLeast(n,x)[y]}{ModEqual(n,x,y)} AtLeast(n,x)[y] <==> x <= y && ModEqual(n,x,y));
+axiom(forall x:int, n:int :: {AtLeast(n,x)} AtLeast(n,x)[x]);
+*/
+
+function Array(int, int, int) returns ([int]bool);
+axiom(forall x:int, n:int, z:int :: {Array(x,n,z)} z <= 0 ==> Equal(Array(x,n,z), Empty()));
+axiom(forall x:int, n:int, z:int :: {Array(x,n,z)} z > 0 ==> Equal(Array(x,n,z), Difference(AtLeast(n,x),AtLeast(n,PLUS(x,n,z)))));
+
+
+axiom(forall x:int :: !Empty()[x]);
+
+axiom(forall x:int :: SetTrue()[x]);
+
+axiom(forall x:int, y:int :: {Singleton(y)[x]} Singleton(y)[x] <==> x == y);
+axiom(forall y:int :: {Singleton(y)} Singleton(y)[y]);
+
+/* this formulation of Union IS more complete than the earlier one */
+/* (A U B)[e], A[d], A U B = Singleton(c), d != e */
+axiom(forall x:int, S:[int]bool, T:[int]bool :: {Union(S,T)[x]}{Union(S,T),S[x]}{Union(S,T),T[x]} Union(S,T)[x] <==> S[x] || T[x]);
+axiom(forall x:int, S:[int]bool, T:[int]bool :: {Intersection(S,T)[x]}{Intersection(S,T),S[x]}{Intersection(S,T),T[x]} Intersection(S,T)[x] <==> S[x] && T[x]);
+axiom(forall x:int, S:[int]bool, T:[int]bool :: {Difference(S,T)[x]}{Difference(S,T),S[x]}{Difference(S,T),T[x]} Difference(S,T)[x] <==> S[x] && !T[x]);
+
+axiom(forall S:[int]bool, T:[int]bool :: {Equal(S,T)} Equal(S,T) <==> Subset(S,T) && Subset(T,S));
+axiom(forall x:int, S:[int]bool, T:[int]bool :: {S[x],Subset(S,T)}{T[x],Subset(S,T)} S[x] && Subset(S,T) ==> T[x]);
+axiom(forall S:[int]bool, T:[int]bool :: {Subset(S,T)} Subset(S,T) || (exists x:int :: S[x] && !T[x]));
+axiom(forall x:int, S:[int]bool, T:[int]bool :: {S[x],Disjoint(S,T)}{T[x],Disjoint(S,T)} !(S[x] && Disjoint(S,T) && T[x]));
+axiom(forall S:[int]bool, T:[int]bool :: {Disjoint(S,T)} Disjoint(S,T) || (exists x:int :: S[x] && T[x]));
+
+axiom(forall f:[int]int, x:int :: {Inverse(f,f[x])} Inverse(f,f[x])[x]);
+axiom(forall f:[int]int, x:int, y:int :: {Inverse(f,y), f[x]} Inverse(f,y)[x] ==> f[x] == y);
+axiom(forall f:[int]int, x:int, y:int :: {Inverse(f[x := y],y)} Equal(Inverse(f[x := y],y), Union(Inverse(f,y), Singleton(x))));
+axiom(forall f:[int]int, x:int, y:int, z:int :: {Inverse(f[x := y],z)} y == z || Equal(Inverse(f[x := y],z), Difference(Inverse(f,z), Singleton(x))));
+
+
+axiom(forall x:int, S:[int]bool, M:[int]int :: {Dereference(S,M)[x]} Dereference(S,M)[x] ==> (exists y:int :: x == M[y] && S[y]));
+axiom(forall x:int, S:[int]bool, M:[int]int :: {M[x], S[x], Dereference(S,M)} S[x] ==> Dereference(S,M)[M[x]]);
+axiom(forall x:int, y:int, S:[int]bool, M:[int]int :: {Dereference(S,M[x := y])} !S[x] ==> Equal(Dereference(S,M[x := y]), Dereference(S,M)));
+axiom(forall x:int, y:int, S:[int]bool, M:[int]int :: {Dereference(S,M[x := y])}
+ S[x] && Equal(Intersection(Inverse(M,M[x]), S), Singleton(x)) ==> Equal(Dereference(S,M[x := y]), Union(Difference(Dereference(S,M), Singleton(M[x])), Singleton(y))));
+axiom(forall x:int, y:int, S:[int]bool, M:[int]int :: {Dereference(S,M[x := y])}
+ S[x] && !Equal(Intersection(Inverse(M,M[x]), S), Singleton(x)) ==> Equal(Dereference(S,M[x := y]), Union(Dereference(S,M), Singleton(y))));
+
+function Unified([name][int]int) returns ([int]int);
+axiom(forall M:[name][int]int, x:int :: {Unified(M)[x]} Unified(M)[x] == M[Field(x)][x]);
+axiom(forall M:[name][int]int, x:int, y:int :: {Unified(M[Field(x) := M[Field(x)][x := y]])} Unified(M[Field(x) := M[Field(x)][x := y]]) == Unified(M)[x := y]);
+// Memory model
+
+var Mem: [name][int]int;
+
+function Match(a:int, t:name) returns (bool);
+function HasType(v:int, t:name, m:[name][int]int) returns (bool);
+function Values(t:name, m:[name][int]int) returns ([int]bool);
+function T.Ptr(t:name) returns (name);
+
+axiom(forall v:int, t:name, m:[name][int]int :: {Values(t, m)[v]} Values(t, m)[v] ==> HasType(v, t, m));
+axiom(forall v:int, t:name, m:[name][int]int :: {HasType(v, t, m), Values(t, m)} HasType(v, t, m) ==> Values(t, m)[v]);
+
+axiom(forall a:int, t:name :: {Match(a, T.Ptr(t))} Match(a, T.Ptr(t)) <==> Field(a) == T.Ptr(t));
+axiom(forall v:int, t:name, m:[name][int]int :: {HasType(v, T.Ptr(t), m)} HasType(v, T.Ptr(t), m) <==> (v == 0 || (v > 0 && Match(v, t))));
+
+axiom(forall v:int, t:name, m1:[name][int]int, m2:[name][int]int :: {HasType(v, t, m1), HasType(v, t, m2)}
+ (HasType(v, t, m1) <==> HasType(v, t, m2)));
+
+// Field declarations
+
+const unique T.Guid_WMIGUIDREGINFO:name;
+const unique T.InstanceCount_WMIGUIDREGINFO:name;
+const unique T.Flags_WMIGUIDREGINFO:name;
+const unique T.OperationID__ACCESS_STATE:name;
+const unique T.SecurityEvaluated__ACCESS_STATE:name;
+const unique T.GenerateAudit__ACCESS_STATE:name;
+const unique T.GenerateOnClose__ACCESS_STATE:name;
+const unique T.PrivilegesAllocated__ACCESS_STATE:name;
+const unique T.Flags__ACCESS_STATE:name;
+const unique T.RemainingDesiredAccess__ACCESS_STATE:name;
+const unique T.PreviouslyGrantedAccess__ACCESS_STATE:name;
+const unique T.OriginalDesiredAccess__ACCESS_STATE:name;
+const unique T.SubjectSecurityContext__ACCESS_STATE:name;
+const unique T.SecurityDescriptor__ACCESS_STATE:name;
+const unique T.AuxData__ACCESS_STATE:name;
+const unique T.Privileges__ACCESS_STATE:name;
+const unique T.AuditPrivileges__ACCESS_STATE:name;
+const unique T.ObjectName__ACCESS_STATE:name;
+const unique T.ObjectTypeName__ACCESS_STATE:name;
+const unique T.InterfaceType__CM_FULL_RESOURCE_DESCRIPTOR:name;
+const unique T.BusNumber__CM_FULL_RESOURCE_DESCRIPTOR:name;
+const unique T.PartialResourceList__CM_FULL_RESOURCE_DESCRIPTOR:name;
+const unique T.Type__CM_PARTIAL_RESOURCE_DESCRIPTOR:name;
+const unique T.ShareDisposition__CM_PARTIAL_RESOURCE_DESCRIPTOR:name;
+const unique T.Flags__CM_PARTIAL_RESOURCE_DESCRIPTOR:name;
+const unique T.u__CM_PARTIAL_RESOURCE_DESCRIPTOR:name;
+const unique T.Version__CM_PARTIAL_RESOURCE_LIST:name;
+const unique T.Revision__CM_PARTIAL_RESOURCE_LIST:name;
+const unique T.Count__CM_PARTIAL_RESOURCE_LIST:name;
+const unique T.PartialDescriptors__CM_PARTIAL_RESOURCE_LIST:name;
+const unique T.Count__CM_RESOURCE_LIST:name;
+const unique T.List__CM_RESOURCE_LIST:name;
+const unique T.Size__DEVICE_CAPABILITIES:name;
+const unique T.Version__DEVICE_CAPABILITIES:name;
+const unique T.DeviceD1__DEVICE_CAPABILITIES:name;
+const unique T.DeviceD2__DEVICE_CAPABILITIES:name;
+const unique T.LockSupported__DEVICE_CAPABILITIES:name;
+const unique T.EjectSupported__DEVICE_CAPABILITIES:name;
+const unique T.Removable__DEVICE_CAPABILITIES:name;
+const unique T.DockDevice__DEVICE_CAPABILITIES:name;
+const unique T.UniqueID__DEVICE_CAPABILITIES:name;
+const unique T.SilentInstall__DEVICE_CAPABILITIES:name;
+const unique T.RawDeviceOK__DEVICE_CAPABILITIES:name;
+const unique T.SurpriseRemovalOK__DEVICE_CAPABILITIES:name;
+const unique T.WakeFromD0__DEVICE_CAPABILITIES:name;
+const unique T.WakeFromD1__DEVICE_CAPABILITIES:name;
+const unique T.WakeFromD2__DEVICE_CAPABILITIES:name;
+const unique T.WakeFromD3__DEVICE_CAPABILITIES:name;
+const unique T.HardwareDisabled__DEVICE_CAPABILITIES:name;
+const unique T.NonDynamic__DEVICE_CAPABILITIES:name;
+const unique T.WarmEjectSupported__DEVICE_CAPABILITIES:name;
+const unique T.NoDisplayInUI__DEVICE_CAPABILITIES:name;
+const unique T.Reserved__DEVICE_CAPABILITIES:name;
+const unique T.Address__DEVICE_CAPABILITIES:name;
+const unique T.UINumber__DEVICE_CAPABILITIES:name;
+const unique T.DeviceState__DEVICE_CAPABILITIES:name;
+const unique T.SystemWake__DEVICE_CAPABILITIES:name;
+const unique T.DeviceWake__DEVICE_CAPABILITIES:name;
+const unique T.D1Latency__DEVICE_CAPABILITIES:name;
+const unique T.D2Latency__DEVICE_CAPABILITIES:name;
+const unique T.D3Latency__DEVICE_CAPABILITIES:name;
+const unique T.Self__DEVICE_EXTENSION:name;
+const unique T.TrueClassDevice__DEVICE_EXTENSION:name;
+const unique T.TopPort__DEVICE_EXTENSION:name;
+const unique T.PDO__DEVICE_EXTENSION:name;
+const unique T.RemoveLock__DEVICE_EXTENSION:name;
+const unique T.PnP__DEVICE_EXTENSION:name;
+const unique T.Started__DEVICE_EXTENSION:name;
+const unique T.OkayToLogOverflow__DEVICE_EXTENSION:name;
+const unique T.WaitWakeSpinLock__DEVICE_EXTENSION:name;
+const unique T.TrustedSubsystemCount__DEVICE_EXTENSION:name;
+const unique T.InputCount__DEVICE_EXTENSION:name;
+const unique T.SymbolicLinkName__DEVICE_EXTENSION:name;
+const unique T.InputData__DEVICE_EXTENSION:name;
+const unique T.DataIn__DEVICE_EXTENSION:name;
+const unique T.DataOut__DEVICE_EXTENSION:name;
+const unique T.MouseAttributes__DEVICE_EXTENSION:name;
+const unique T.SpinLock__DEVICE_EXTENSION:name;
+const unique T.ReadQueue__DEVICE_EXTENSION:name;
+const unique T.SequenceNumber__DEVICE_EXTENSION:name;
+const unique T.DeviceState__DEVICE_EXTENSION:name;
+const unique T.SystemState__DEVICE_EXTENSION:name;
+const unique T.UnitId__DEVICE_EXTENSION:name;
+const unique T.WmiLibInfo__DEVICE_EXTENSION:name;
+const unique T.SystemToDeviceState__DEVICE_EXTENSION:name;
+const unique T.MinDeviceWakeState__DEVICE_EXTENSION:name;
+const unique T.MinSystemWakeState__DEVICE_EXTENSION:name;
+const unique T.WaitWakeIrp__DEVICE_EXTENSION:name;
+const unique T.ExtraWaitWakeIrp__DEVICE_EXTENSION:name;
+const unique T.TargetNotifyHandle__DEVICE_EXTENSION:name;
+const unique T.Link__DEVICE_EXTENSION:name;
+const unique T.File__DEVICE_EXTENSION:name;
+const unique T.Enabled__DEVICE_EXTENSION:name;
+const unique T.WaitWakeEnabled__DEVICE_EXTENSION:name;
+const unique T.SurpriseRemoved__DEVICE_EXTENSION:name;
+const unique T.Type__DEVICE_OBJECT:name;
+const unique T.Size__DEVICE_OBJECT:name;
+const unique T.ReferenceCount__DEVICE_OBJECT:name;
+const unique T.DriverObject__DEVICE_OBJECT:name;
+const unique T.NextDevice__DEVICE_OBJECT:name;
+const unique T.AttachedDevice__DEVICE_OBJECT:name;
+const unique T.CurrentIrp__DEVICE_OBJECT:name;
+const unique T.Timer__DEVICE_OBJECT:name;
+const unique T.Flags__DEVICE_OBJECT:name;
+const unique T.Characteristics__DEVICE_OBJECT:name;
+const unique T.Vpb__DEVICE_OBJECT:name;
+const unique T.DeviceExtension__DEVICE_OBJECT:name;
+const unique T.DeviceType__DEVICE_OBJECT:name;
+const unique T.StackSize__DEVICE_OBJECT:name;
+const unique T.Queue__DEVICE_OBJECT:name;
+const unique T.AlignmentRequirement__DEVICE_OBJECT:name;
+const unique T.DeviceQueue__DEVICE_OBJECT:name;
+const unique T.Dpc__DEVICE_OBJECT:name;
+const unique T.ActiveThreadCount__DEVICE_OBJECT:name;
+const unique T.SecurityDescriptor__DEVICE_OBJECT:name;
+const unique T.DeviceLock__DEVICE_OBJECT:name;
+const unique T.SectorSize__DEVICE_OBJECT:name;
+const unique T.Spare1__DEVICE_OBJECT:name;
+const unique T.DeviceObjectExtension__DEVICE_OBJECT:name;
+const unique T.Reserved__DEVICE_OBJECT:name;
+const unique T.Type__DEVOBJ_EXTENSION:name;
+const unique T.Size__DEVOBJ_EXTENSION:name;
+const unique T.DeviceObject__DEVOBJ_EXTENSION:name;
+const unique T.__unnamed_4_c9b2e921__DISPATCHER_HEADER:name;
+const unique T.SignalState__DISPATCHER_HEADER:name;
+const unique T.WaitListHead__DISPATCHER_HEADER:name;
+const unique T.DriverObject__DRIVER_EXTENSION:name;
+const unique T.AddDevice__DRIVER_EXTENSION:name;
+const unique T.Count__DRIVER_EXTENSION:name;
+const unique T.ServiceKeyName__DRIVER_EXTENSION:name;
+const unique T.Type__DRIVER_OBJECT:name;
+const unique T.Size__DRIVER_OBJECT:name;
+const unique T.DeviceObject__DRIVER_OBJECT:name;
+const unique T.Flags__DRIVER_OBJECT:name;
+const unique T.DriverStart__DRIVER_OBJECT:name;
+const unique T.DriverSize__DRIVER_OBJECT:name;
+const unique T.DriverSection__DRIVER_OBJECT:name;
+const unique T.DriverExtension__DRIVER_OBJECT:name;
+const unique T.DriverName__DRIVER_OBJECT:name;
+const unique T.HardwareDatabase__DRIVER_OBJECT:name;
+const unique T.FastIoDispatch__DRIVER_OBJECT:name;
+const unique T.DriverInit__DRIVER_OBJECT:name;
+const unique T.DriverStartIo__DRIVER_OBJECT:name;
+const unique T.DriverUnload__DRIVER_OBJECT:name;
+const unique T.MajorFunction__DRIVER_OBJECT:name;
+const unique T.SystemResourcesList__ERESOURCE:name;
+const unique T.OwnerTable__ERESOURCE:name;
+const unique T.ActiveCount__ERESOURCE:name;
+const unique T.Flag__ERESOURCE:name;
+const unique T.SharedWaiters__ERESOURCE:name;
+const unique T.ExclusiveWaiters__ERESOURCE:name;
+const unique T.OwnerEntry__ERESOURCE:name;
+const unique T.ActiveEntries__ERESOURCE:name;
+const unique T.ContentionCount__ERESOURCE:name;
+const unique T.NumberOfSharedWaiters__ERESOURCE:name;
+const unique T.NumberOfExclusiveWaiters__ERESOURCE:name;
+const unique T.__unnamed_4_46b62f69__ERESOURCE:name;
+const unique T.SpinLock__ERESOURCE:name;
+const unique T.SizeOfFastIoDispatch__FAST_IO_DISPATCH:name;
+const unique T.FastIoCheckIfPossible__FAST_IO_DISPATCH:name;
+const unique T.FastIoRead__FAST_IO_DISPATCH:name;
+const unique T.FastIoWrite__FAST_IO_DISPATCH:name;
+const unique T.FastIoQueryBasicInfo__FAST_IO_DISPATCH:name;
+const unique T.FastIoQueryStandardInfo__FAST_IO_DISPATCH:name;
+const unique T.FastIoLock__FAST_IO_DISPATCH:name;
+const unique T.FastIoUnlockSingle__FAST_IO_DISPATCH:name;
+const unique T.FastIoUnlockAll__FAST_IO_DISPATCH:name;
+const unique T.FastIoUnlockAllByKey__FAST_IO_DISPATCH:name;
+const unique T.FastIoDeviceControl__FAST_IO_DISPATCH:name;
+const unique T.AcquireFileForNtCreateSection__FAST_IO_DISPATCH:name;
+const unique T.ReleaseFileForNtCreateSection__FAST_IO_DISPATCH:name;
+const unique T.FastIoDetachDevice__FAST_IO_DISPATCH:name;
+const unique T.FastIoQueryNetworkOpenInfo__FAST_IO_DISPATCH:name;
+const unique T.AcquireForModWrite__FAST_IO_DISPATCH:name;
+const unique T.MdlRead__FAST_IO_DISPATCH:name;
+const unique T.MdlReadComplete__FAST_IO_DISPATCH:name;
+const unique T.PrepareMdlWrite__FAST_IO_DISPATCH:name;
+const unique T.MdlWriteComplete__FAST_IO_DISPATCH:name;
+const unique T.FastIoReadCompressed__FAST_IO_DISPATCH:name;
+const unique T.FastIoWriteCompressed__FAST_IO_DISPATCH:name;
+const unique T.MdlReadCompleteCompressed__FAST_IO_DISPATCH:name;
+const unique T.MdlWriteCompleteCompressed__FAST_IO_DISPATCH:name;
+const unique T.FastIoQueryOpen__FAST_IO_DISPATCH:name;
+const unique T.ReleaseForModWrite__FAST_IO_DISPATCH:name;
+const unique T.AcquireForCcFlush__FAST_IO_DISPATCH:name;
+const unique T.ReleaseForCcFlush__FAST_IO_DISPATCH:name;
+const unique T.Count__FAST_MUTEX:name;
+const unique T.Owner__FAST_MUTEX:name;
+const unique T.Contention__FAST_MUTEX:name;
+const unique T.Gate__FAST_MUTEX:name;
+const unique T.OldIrql__FAST_MUTEX:name;
+const unique T.CreationTime__FILE_BASIC_INFORMATION:name;
+const unique T.LastAccessTime__FILE_BASIC_INFORMATION:name;
+const unique T.LastWriteTime__FILE_BASIC_INFORMATION:name;
+const unique T.ChangeTime__FILE_BASIC_INFORMATION:name;
+const unique T.FileAttributes__FILE_BASIC_INFORMATION:name;
+const unique T.CreationTime__FILE_NETWORK_OPEN_INFORMATION:name;
+const unique T.LastAccessTime__FILE_NETWORK_OPEN_INFORMATION:name;
+const unique T.LastWriteTime__FILE_NETWORK_OPEN_INFORMATION:name;
+const unique T.ChangeTime__FILE_NETWORK_OPEN_INFORMATION:name;
+const unique T.AllocationSize__FILE_NETWORK_OPEN_INFORMATION:name;
+const unique T.EndOfFile__FILE_NETWORK_OPEN_INFORMATION:name;
+const unique T.FileAttributes__FILE_NETWORK_OPEN_INFORMATION:name;
+const unique T.Type__FILE_OBJECT:name;
+const unique T.Size__FILE_OBJECT:name;
+const unique T.DeviceObject__FILE_OBJECT:name;
+const unique T.Vpb__FILE_OBJECT:name;
+const unique T.FsContext__FILE_OBJECT:name;
+const unique T.FsContext2__FILE_OBJECT:name;
+const unique T.SectionObjectPointer__FILE_OBJECT:name;
+const unique T.PrivateCacheMap__FILE_OBJECT:name;
+const unique T.FinalStatus__FILE_OBJECT:name;
+const unique T.RelatedFileObject__FILE_OBJECT:name;
+const unique T.LockOperation__FILE_OBJECT:name;
+const unique T.DeletePending__FILE_OBJECT:name;
+const unique T.ReadAccess__FILE_OBJECT:name;
+const unique T.WriteAccess__FILE_OBJECT:name;
+const unique T.DeleteAccess__FILE_OBJECT:name;
+const unique T.SharedRead__FILE_OBJECT:name;
+const unique T.SharedWrite__FILE_OBJECT:name;
+const unique T.SharedDelete__FILE_OBJECT:name;
+const unique T.Flags__FILE_OBJECT:name;
+const unique T.FileName__FILE_OBJECT:name;
+const unique T.CurrentByteOffset__FILE_OBJECT:name;
+const unique T.Waiters__FILE_OBJECT:name;
+const unique T.Busy__FILE_OBJECT:name;
+const unique T.LastLock__FILE_OBJECT:name;
+const unique T.Lock__FILE_OBJECT:name;
+const unique T.Event__FILE_OBJECT:name;
+const unique T.CompletionContext__FILE_OBJECT:name;
+const unique T.IrpListLock__FILE_OBJECT:name;
+const unique T.IrpList__FILE_OBJECT:name;
+const unique T.FileObjectExtension__FILE_OBJECT:name;
+const unique T.AllocationSize__FILE_STANDARD_INFORMATION:name;
+const unique T.EndOfFile__FILE_STANDARD_INFORMATION:name;
+const unique T.NumberOfLinks__FILE_STANDARD_INFORMATION:name;
+const unique T.DeletePending__FILE_STANDARD_INFORMATION:name;
+const unique T.Directory__FILE_STANDARD_INFORMATION:name;
+const unique T.Debug__GLOBALS:name;
+const unique T.GrandMaster__GLOBALS:name;
+const unique T.AssocClassList__GLOBALS:name;
+const unique T.NumAssocClass__GLOBALS:name;
+const unique T.Opens__GLOBALS:name;
+const unique T.NumberLegacyPorts__GLOBALS:name;
+const unique T.Mutex__GLOBALS:name;
+const unique T.ConnectOneClassToOnePort__GLOBALS:name;
+const unique T.PortsServiced__GLOBALS:name;
+const unique T.InitExtension__GLOBALS:name;
+const unique T.RegistryPath__GLOBALS:name;
+const unique T.BaseClassName__GLOBALS:name;
+const unique T.BaseClassBuffer__GLOBALS:name;
+const unique T.LegacyDeviceList__GLOBALS:name;
+const unique T.Data1__GUID:name;
+const unique T.Data2__GUID:name;
+const unique T.Data3__GUID:name;
+const unique T.Data4__GUID:name;
+const unique T.PrivilegeCount__INITIAL_PRIVILEGE_SET:name;
+const unique T.Control__INITIAL_PRIVILEGE_SET:name;
+const unique T.Privilege__INITIAL_PRIVILEGE_SET:name;
+const unique T.Size__INTERFACE:name;
+const unique T.Version__INTERFACE:name;
+const unique T.Context__INTERFACE:name;
+const unique T.InterfaceReference__INTERFACE:name;
+const unique T.InterfaceDereference__INTERFACE:name;
+const unique T.Port__IO_COMPLETION_CONTEXT:name;
+const unique T.Key__IO_COMPLETION_CONTEXT:name;
+const unique T.Common__IO_REMOVE_LOCK:name;
+const unique T.Dbg__IO_REMOVE_LOCK:name;
+const unique T.Removed__IO_REMOVE_LOCK_COMMON_BLOCK:name;
+const unique T.Reserved__IO_REMOVE_LOCK_COMMON_BLOCK:name;
+const unique T.IoCount__IO_REMOVE_LOCK_COMMON_BLOCK:name;
+const unique T.RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCK:name;
+const unique T.Signature__IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T.HighWatermark__IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T.MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T.AllocateTag__IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T.LockList__IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T.Spin__IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T.LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T.Reserved1__IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T.Reserved2__IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T.Blocks__IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T.Option__IO_RESOURCE_DESCRIPTOR:name;
+const unique T.Type__IO_RESOURCE_DESCRIPTOR:name;
+const unique T.ShareDisposition__IO_RESOURCE_DESCRIPTOR:name;
+const unique T.Spare1__IO_RESOURCE_DESCRIPTOR:name;
+const unique T.Flags__IO_RESOURCE_DESCRIPTOR:name;
+const unique T.Spare2__IO_RESOURCE_DESCRIPTOR:name;
+const unique T.u__IO_RESOURCE_DESCRIPTOR:name;
+const unique T.Version__IO_RESOURCE_LIST:name;
+const unique T.Revision__IO_RESOURCE_LIST:name;
+const unique T.Count__IO_RESOURCE_LIST:name;
+const unique T.Descriptors__IO_RESOURCE_LIST:name;
+const unique T.ListSize__IO_RESOURCE_REQUIREMENTS_LIST:name;
+const unique T.InterfaceType__IO_RESOURCE_REQUIREMENTS_LIST:name;
+const unique T.BusNumber__IO_RESOURCE_REQUIREMENTS_LIST:name;
+const unique T.SlotNumber__IO_RESOURCE_REQUIREMENTS_LIST:name;
+const unique T.Reserved__IO_RESOURCE_REQUIREMENTS_LIST:name;
+const unique T.AlternativeLists__IO_RESOURCE_REQUIREMENTS_LIST:name;
+const unique T.List__IO_RESOURCE_REQUIREMENTS_LIST:name;
+const unique T.SecurityQos__IO_SECURITY_CONTEXT:name;
+const unique T.AccessState__IO_SECURITY_CONTEXT:name;
+const unique T.DesiredAccess__IO_SECURITY_CONTEXT:name;
+const unique T.FullCreateOptions__IO_SECURITY_CONTEXT:name;
+const unique T.MajorFunction__IO_STACK_LOCATION:name;
+const unique T.MinorFunction__IO_STACK_LOCATION:name;
+const unique T.Flags__IO_STACK_LOCATION:name;
+const unique T.Control__IO_STACK_LOCATION:name;
+const unique T.Parameters__IO_STACK_LOCATION:name;
+const unique T.DeviceObject__IO_STACK_LOCATION:name;
+const unique T.FileObject__IO_STACK_LOCATION:name;
+const unique T.CompletionRoutine__IO_STACK_LOCATION:name;
+const unique T.Context__IO_STACK_LOCATION:name;
+const unique T.__unnamed_4_16aff58e__IO_STATUS_BLOCK:name;
+const unique T.Information__IO_STATUS_BLOCK:name;
+const unique T.Type__IRP:name;
+const unique T.Size__IRP:name;
+const unique T.MdlAddress__IRP:name;
+const unique T.Flags__IRP:name;
+const unique T.AssociatedIrp__IRP:name;
+const unique T.ThreadListEntry__IRP:name;
+const unique T.IoStatus__IRP:name;
+const unique T.RequestorMode__IRP:name;
+const unique T.PendingReturned__IRP:name;
+const unique T.StackCount__IRP:name;
+const unique T.CurrentLocation__IRP:name;
+const unique T.Cancel__IRP:name;
+const unique T.CancelIrql__IRP:name;
+const unique T.ApcEnvironment__IRP:name;
+const unique T.AllocationFlags__IRP:name;
+const unique T.UserIosb__IRP:name;
+const unique T.UserEvent__IRP:name;
+const unique T.Overlay__IRP:name;
+const unique T.CancelRoutine__IRP:name;
+const unique T.UserBuffer__IRP:name;
+const unique T.Tail__IRP:name;
+const unique T.Type__KAPC:name;
+const unique T.SpareByte0__KAPC:name;
+const unique T.Size__KAPC:name;
+const unique T.SpareByte1__KAPC:name;
+const unique T.SpareLong0__KAPC:name;
+const unique T.Thread__KAPC:name;
+const unique T.ApcListEntry__KAPC:name;
+const unique T.KernelRoutine__KAPC:name;
+const unique T.RundownRoutine__KAPC:name;
+const unique T.NormalRoutine__KAPC:name;
+const unique T.NormalContext__KAPC:name;
+const unique T.SystemArgument1__KAPC:name;
+const unique T.SystemArgument2__KAPC:name;
+const unique T.ApcStateIndex__KAPC:name;
+const unique T.ApcMode__KAPC:name;
+const unique T.Inserted__KAPC:name;
+const unique T.Type__KDEVICE_QUEUE:name;
+const unique T.Size__KDEVICE_QUEUE:name;
+const unique T.DeviceListHead__KDEVICE_QUEUE:name;
+const unique T.Lock__KDEVICE_QUEUE:name;
+const unique T.Busy__KDEVICE_QUEUE:name;
+const unique T.DeviceListEntry__KDEVICE_QUEUE_ENTRY:name;
+const unique T.SortKey__KDEVICE_QUEUE_ENTRY:name;
+const unique T.Inserted__KDEVICE_QUEUE_ENTRY:name;
+const unique T.Type__KDPC:name;
+const unique T.Importance__KDPC:name;
+const unique T.Number__KDPC:name;
+const unique T.DpcListEntry__KDPC:name;
+const unique T.DeferredRoutine__KDPC:name;
+const unique T.DeferredContext__KDPC:name;
+const unique T.SystemArgument1__KDPC:name;
+const unique T.SystemArgument2__KDPC:name;
+const unique T.DpcData__KDPC:name;
+const unique T.Header__KEVENT:name;
+const unique T.Header__KSEMAPHORE:name;
+const unique T.Limit__KSEMAPHORE:name;
+const unique T.__unnamed_8_8684a3e7__LARGE_INTEGER:name;
+const unique T.u__LARGE_INTEGER:name;
+const unique T.QuadPart__LARGE_INTEGER:name;
+const unique T.Flink__LIST_ENTRY:name;
+const unique T.Blink__LIST_ENTRY:name;
+const unique T.LowPart__LUID:name;
+const unique T.HighPart__LUID:name;
+const unique T.Luid__LUID_AND_ATTRIBUTES:name;
+const unique T.Attributes__LUID_AND_ATTRIBUTES:name;
+const unique T.Next__MDL:name;
+const unique T.Size__MDL:name;
+const unique T.MdlFlags__MDL:name;
+const unique T.Process__MDL:name;
+const unique T.MappedSystemVa__MDL:name;
+const unique T.StartVa__MDL:name;
+const unique T.ByteCount__MDL:name;
+const unique T.ByteOffset__MDL:name;
+const unique T.MouseIdentifier__MOUSE_ATTRIBUTES:name;
+const unique T.NumberOfButtons__MOUSE_ATTRIBUTES:name;
+const unique T.SampleRate__MOUSE_ATTRIBUTES:name;
+const unique T.InputDataQueueLength__MOUSE_ATTRIBUTES:name;
+const unique T.UnitId__MOUSE_INPUT_DATA:name;
+const unique T.Flags__MOUSE_INPUT_DATA:name;
+const unique T.__unnamed_4_9c11ed91__MOUSE_INPUT_DATA:name;
+const unique T.RawButtons__MOUSE_INPUT_DATA:name;
+const unique T.LastX__MOUSE_INPUT_DATA:name;
+const unique T.LastY__MOUSE_INPUT_DATA:name;
+const unique T.ExtraInformation__MOUSE_INPUT_DATA:name;
+const unique T.OwnerThread__OWNER_ENTRY:name;
+const unique T.__unnamed_4_c1e23b02__OWNER_ENTRY:name;
+const unique T.File__PORT:name;
+const unique T.Port__PORT:name;
+const unique T.Enabled__PORT:name;
+const unique T.Reserved__PORT:name;
+const unique T.Free__PORT:name;
+const unique T.SequenceD1__POWER_SEQUENCE:name;
+const unique T.SequenceD2__POWER_SEQUENCE:name;
+const unique T.SequenceD3__POWER_SEQUENCE:name;
+const unique T.SystemState__POWER_STATE:name;
+const unique T.DeviceState__POWER_STATE:name;
+const unique T.PrivilegeCount__PRIVILEGE_SET:name;
+const unique T.Control__PRIVILEGE_SET:name;
+const unique T.Privilege__PRIVILEGE_SET:name;
+const unique T.DataSectionObject__SECTION_OBJECT_POINTERS:name;
+const unique T.SharedCacheMap__SECTION_OBJECT_POINTERS:name;
+const unique T.ImageSectionObject__SECTION_OBJECT_POINTERS:name;
+const unique T.Length__SECURITY_QUALITY_OF_SERVICE:name;
+const unique T.ImpersonationLevel__SECURITY_QUALITY_OF_SERVICE:name;
+const unique T.ContextTrackingMode__SECURITY_QUALITY_OF_SERVICE:name;
+const unique T.EffectiveOnly__SECURITY_QUALITY_OF_SERVICE:name;
+const unique T.ClientToken__SECURITY_SUBJECT_CONTEXT:name;
+const unique T.ImpersonationLevel__SECURITY_SUBJECT_CONTEXT:name;
+const unique T.PrimaryToken__SECURITY_SUBJECT_CONTEXT:name;
+const unique T.ProcessAuditId__SECURITY_SUBJECT_CONTEXT:name;
+const unique T.__unnamed_4_b4f5a780__SYSTEM_POWER_STATE_CONTEXT:name;
+const unique T.Length__UNICODE_STRING:name;
+const unique T.MaximumLength__UNICODE_STRING:name;
+const unique T.Buffer__UNICODE_STRING:name;
+const unique T.Type__VPB:name;
+const unique T.Size__VPB:name;
+const unique T.Flags__VPB:name;
+const unique T.VolumeLabelLength__VPB:name;
+const unique T.DeviceObject__VPB:name;
+const unique T.RealDevice__VPB:name;
+const unique T.SerialNumber__VPB:name;
+const unique T.ReferenceCount__VPB:name;
+const unique T.VolumeLabel__VPB:name;
+const unique T.WaitQueueEntry__WAIT_CONTEXT_BLOCK:name;
+const unique T.DeviceRoutine__WAIT_CONTEXT_BLOCK:name;
+const unique T.DeviceContext__WAIT_CONTEXT_BLOCK:name;
+const unique T.NumberOfMapRegisters__WAIT_CONTEXT_BLOCK:name;
+const unique T.DeviceObject__WAIT_CONTEXT_BLOCK:name;
+const unique T.CurrentIrp__WAIT_CONTEXT_BLOCK:name;
+const unique T.BufferChainingDpc__WAIT_CONTEXT_BLOCK:name;
+const unique T.GuidCount__WMILIB_CONTEXT:name;
+const unique T.GuidList__WMILIB_CONTEXT:name;
+const unique T.QueryWmiRegInfo__WMILIB_CONTEXT:name;
+const unique T.QueryWmiDataBlock__WMILIB_CONTEXT:name;
+const unique T.SetWmiDataBlock__WMILIB_CONTEXT:name;
+const unique T.SetWmiDataItem__WMILIB_CONTEXT:name;
+const unique T.ExecuteWmiMethod__WMILIB_CONTEXT:name;
+const unique T.WmiFunctionControl__WMILIB_CONTEXT:name;
+const unique T.Start___unnamed_12_06b9ee6e:name;
+const unique T.Length48___unnamed_12_06b9ee6e:name;
+const unique T.Start___unnamed_12_0882bd02:name;
+const unique T.Length64___unnamed_12_0882bd02:name;
+const unique T.__unnamed_12_2e80217b___unnamed_12_264d0dab:name;
+const unique T.Raw___unnamed_12_2e80217b:name;
+const unique T.Translated___unnamed_12_2e80217b:name;
+const unique T.Data___unnamed_12_5cc7ace2:name;
+const unique T.Channel___unnamed_12_6374506e:name;
+const unique T.Port___unnamed_12_6374506e:name;
+const unique T.Reserved1___unnamed_12_6374506e:name;
+const unique T.Priority___unnamed_12_68a4278e:name;
+const unique T.Reserved1___unnamed_12_68a4278e:name;
+const unique T.Reserved2___unnamed_12_68a4278e:name;
+const unique T.Generic___unnamed_12_79ed2653:name;
+const unique T.Port___unnamed_12_79ed2653:name;
+const unique T.Interrupt___unnamed_12_79ed2653:name;
+const unique T.MessageInterrupt___unnamed_12_79ed2653:name;
+const unique T.Memory___unnamed_12_79ed2653:name;
+const unique T.Dma___unnamed_12_79ed2653:name;
+const unique T.DevicePrivate___unnamed_12_79ed2653:name;
+const unique T.BusNumber___unnamed_12_79ed2653:name;
+const unique T.DeviceSpecificData___unnamed_12_79ed2653:name;
+const unique T.Memory40___unnamed_12_79ed2653:name;
+const unique T.Memory48___unnamed_12_79ed2653:name;
+const unique T.Memory64___unnamed_12_79ed2653:name;
+const unique T.Start___unnamed_12_7da594c0:name;
+const unique T.Length40___unnamed_12_7da594c0:name;
+const unique T.Start___unnamed_12_9873e05d:name;
+const unique T.Length___unnamed_12_9873e05d:name;
+const unique T.DataSize___unnamed_12_9cc8cebc:name;
+const unique T.Reserved1___unnamed_12_9cc8cebc:name;
+const unique T.Reserved2___unnamed_12_9cc8cebc:name;
+const unique T.Start___unnamed_12_b98da82e:name;
+const unique T.Length___unnamed_12_b98da82e:name;
+const unique T.Level___unnamed_12_c2880e88:name;
+const unique T.Vector___unnamed_12_c2880e88:name;
+const unique T.Affinity___unnamed_12_c2880e88:name;
+const unique T.Start___unnamed_12_c49ab31a:name;
+const unique T.Length___unnamed_12_c49ab31a:name;
+const unique T.ListEntry___unnamed_12_c6ed93f3:name;
+const unique T.__unnamed_4_a7aa989c___unnamed_12_c6ed93f3:name;
+const unique T.Data___unnamed_12_ced61554:name;
+const unique T.Reserved___unnamed_12_d9c44df5:name;
+const unique T.MessageCount___unnamed_12_d9c44df5:name;
+const unique T.Vector___unnamed_12_d9c44df5:name;
+const unique T.Affinity___unnamed_12_d9c44df5:name;
+const unique T.Start___unnamed_12_db3dcbfc:name;
+const unique T.Length___unnamed_12_db3dcbfc:name;
+const unique T.Reserved___unnamed_12_db3dcbfc:name;
+const unique T.Level___unnamed_12_fb26b3fc:name;
+const unique T.Vector___unnamed_12_fb26b3fc:name;
+const unique T.Affinity___unnamed_12_fb26b3fc:name;
+const unique T.OutputBufferLength___unnamed_16_22e4d054:name;
+const unique T.InputBufferLength___unnamed_16_22e4d054:name;
+const unique T.IoControlCode___unnamed_16_22e4d054:name;
+const unique T.Type3InputBuffer___unnamed_16_22e4d054:name;
+const unique T.Create___unnamed_16_39b626ad:name;
+const unique T.Read___unnamed_16_39b626ad:name;
+const unique T.Write___unnamed_16_39b626ad:name;
+const unique T.QueryDirectory___unnamed_16_39b626ad:name;
+const unique T.NotifyDirectory___unnamed_16_39b626ad:name;
+const unique T.QueryFile___unnamed_16_39b626ad:name;
+const unique T.SetFile___unnamed_16_39b626ad:name;
+const unique T.QueryEa___unnamed_16_39b626ad:name;
+const unique T.SetEa___unnamed_16_39b626ad:name;
+const unique T.QueryVolume___unnamed_16_39b626ad:name;
+const unique T.SetVolume___unnamed_16_39b626ad:name;
+const unique T.FileSystemControl___unnamed_16_39b626ad:name;
+const unique T.LockControl___unnamed_16_39b626ad:name;
+const unique T.DeviceIoControl___unnamed_16_39b626ad:name;
+const unique T.QuerySecurity___unnamed_16_39b626ad:name;
+const unique T.SetSecurity___unnamed_16_39b626ad:name;
+const unique T.MountVolume___unnamed_16_39b626ad:name;
+const unique T.VerifyVolume___unnamed_16_39b626ad:name;
+const unique T.Scsi___unnamed_16_39b626ad:name;
+const unique T.QueryQuota___unnamed_16_39b626ad:name;
+const unique T.SetQuota___unnamed_16_39b626ad:name;
+const unique T.QueryDeviceRelations___unnamed_16_39b626ad:name;
+const unique T.QueryInterface___unnamed_16_39b626ad:name;
+const unique T.DeviceCapabilities___unnamed_16_39b626ad:name;
+const unique T.FilterResourceRequirements___unnamed_16_39b626ad:name;
+const unique T.ReadWriteConfig___unnamed_16_39b626ad:name;
+const unique T.SetLock___unnamed_16_39b626ad:name;
+const unique T.QueryId___unnamed_16_39b626ad:name;
+const unique T.QueryDeviceText___unnamed_16_39b626ad:name;
+const unique T.UsageNotification___unnamed_16_39b626ad:name;
+const unique T.WaitWake___unnamed_16_39b626ad:name;
+const unique T.PowerSequence___unnamed_16_39b626ad:name;
+const unique T.Power___unnamed_16_39b626ad:name;
+const unique T.StartDevice___unnamed_16_39b626ad:name;
+const unique T.WMI___unnamed_16_39b626ad:name;
+const unique T.Others___unnamed_16_39b626ad:name;
+const unique T.WhichSpace___unnamed_16_56c011d7:name;
+const unique T.Buffer___unnamed_16_56c011d7:name;
+const unique T.Offset___unnamed_16_56c011d7:name;
+const unique T.Length___unnamed_16_56c011d7:name;
+const unique T.DeviceQueueEntry___unnamed_16_5fed8f23:name;
+const unique T.__unnamed_16_ae643f17___unnamed_16_5fed8f23:name;
+const unique T.Length___unnamed_16_6be9abe0:name;
+const unique T.FileName___unnamed_16_6be9abe0:name;
+const unique T.FileInformationClass___unnamed_16_6be9abe0:name;
+const unique T.FileIndex___unnamed_16_6be9abe0:name;
+const unique T.InterfaceType___unnamed_16_78879a38:name;
+const unique T.Size___unnamed_16_78879a38:name;
+const unique T.Version___unnamed_16_78879a38:name;
+const unique T.Interface___unnamed_16_78879a38:name;
+const unique T.InterfaceSpecificData___unnamed_16_78879a38:name;
+const unique T.Length___unnamed_16_804a2f24:name;
+const unique T.StartSid___unnamed_16_804a2f24:name;
+const unique T.SidList___unnamed_16_804a2f24:name;
+const unique T.SidListLength___unnamed_16_804a2f24:name;
+const unique T.Argument1___unnamed_16_8586693f:name;
+const unique T.Argument2___unnamed_16_8586693f:name;
+const unique T.Argument3___unnamed_16_8586693f:name;
+const unique T.Argument4___unnamed_16_8586693f:name;
+const unique T.Length___unnamed_16_8831e65f:name;
+const unique T.Key___unnamed_16_8831e65f:name;
+const unique T.ByteOffset___unnamed_16_8831e65f:name;
+const unique T.SecurityContext___unnamed_16_8c2d663a:name;
+const unique T.Options___unnamed_16_8c2d663a:name;
+const unique T.FileAttributes___unnamed_16_8c2d663a:name;
+const unique T.ShareAccess___unnamed_16_8c2d663a:name;
+const unique T.EaLength___unnamed_16_8c2d663a:name;
+const unique T.Length___unnamed_16_913b9a7a:name;
+const unique T.Key___unnamed_16_913b9a7a:name;
+const unique T.ByteOffset___unnamed_16_913b9a7a:name;
+const unique T.OutputBufferLength___unnamed_16_94d1d1c7:name;
+const unique T.InputBufferLength___unnamed_16_94d1d1c7:name;
+const unique T.FsControlCode___unnamed_16_94d1d1c7:name;
+const unique T.Type3InputBuffer___unnamed_16_94d1d1c7:name;
+const unique T.Length___unnamed_16_a2fab4da:name;
+const unique T.FileInformationClass___unnamed_16_a2fab4da:name;
+const unique T.FileObject___unnamed_16_a2fab4da:name;
+const unique T.__unnamed_4_a7d0864c___unnamed_16_a2fab4da:name;
+const unique T.DriverContext___unnamed_16_ae643f17:name;
+const unique T.Length___unnamed_16_c1b29316:name;
+const unique T.Key___unnamed_16_c1b29316:name;
+const unique T.ByteOffset___unnamed_16_c1b29316:name;
+const unique T.ProviderId___unnamed_16_cbd53ed4:name;
+const unique T.DataPath___unnamed_16_cbd53ed4:name;
+const unique T.BufferSize___unnamed_16_cbd53ed4:name;
+const unique T.Buffer___unnamed_16_cbd53ed4:name;
+const unique T.Length___unnamed_16_db70db6e:name;
+const unique T.MinBusNumber___unnamed_16_db70db6e:name;
+const unique T.MaxBusNumber___unnamed_16_db70db6e:name;
+const unique T.Reserved___unnamed_16_db70db6e:name;
+const unique T.Length___unnamed_16_ef4b6307:name;
+const unique T.EaList___unnamed_16_ef4b6307:name;
+const unique T.EaListLength___unnamed_16_ef4b6307:name;
+const unique T.EaIndex___unnamed_16_ef4b6307:name;
+const unique T.__unnamed_4_b060dea6___unnamed_16_fdda1f62:name;
+const unique T.Type___unnamed_16_fdda1f62:name;
+const unique T.State___unnamed_16_fdda1f62:name;
+const unique T.ShutdownType___unnamed_16_fdda1f62:name;
+const unique T.Lock___unnamed_1_1394de4b:name;
+const unique T.Abandoned___unnamed_1_2bb39c56:name;
+const unique T.Absolute___unnamed_1_2bb39c56:name;
+const unique T.NpxIrql___unnamed_1_2bb39c56:name;
+const unique T.Signalling___unnamed_1_2bb39c56:name;
+const unique T.Inserted___unnamed_1_9fa0583a:name;
+const unique T.DebugActive___unnamed_1_9fa0583a:name;
+const unique T.DpcActive___unnamed_1_9fa0583a:name;
+const unique T.Size___unnamed_1_e30779f5:name;
+const unique T.Hand___unnamed_1_e30779f5:name;
+const unique T.MinimumVector___unnamed_20_83d468e4:name;
+const unique T.MaximumVector___unnamed_20_83d468e4:name;
+const unique T.AffinityPolicy___unnamed_20_83d468e4:name;
+const unique T.PriorityPolicy___unnamed_20_83d468e4:name;
+const unique T.TargetedProcessors___unnamed_20_83d468e4:name;
+const unique T.Length40___unnamed_24_035931da:name;
+const unique T.Alignment40___unnamed_24_035931da:name;
+const unique T.MinimumAddress___unnamed_24_035931da:name;
+const unique T.MaximumAddress___unnamed_24_035931da:name;
+const unique T.Length___unnamed_24_38e128db:name;
+const unique T.Alignment___unnamed_24_38e128db:name;
+const unique T.MinimumAddress___unnamed_24_38e128db:name;
+const unique T.MaximumAddress___unnamed_24_38e128db:name;
+const unique T.Length___unnamed_24_9500ea34:name;
+const unique T.Alignment___unnamed_24_9500ea34:name;
+const unique T.MinimumAddress___unnamed_24_9500ea34:name;
+const unique T.MaximumAddress___unnamed_24_9500ea34:name;
+const unique T.Length___unnamed_24_9734802c:name;
+const unique T.Alignment___unnamed_24_9734802c:name;
+const unique T.MinimumAddress___unnamed_24_9734802c:name;
+const unique T.MaximumAddress___unnamed_24_9734802c:name;
+const unique T.Length64___unnamed_24_af62813f:name;
+const unique T.Alignment64___unnamed_24_af62813f:name;
+const unique T.MinimumAddress___unnamed_24_af62813f:name;
+const unique T.MaximumAddress___unnamed_24_af62813f:name;
+const unique T.Length48___unnamed_24_c0555099:name;
+const unique T.Alignment48___unnamed_24_c0555099:name;
+const unique T.MinimumAddress___unnamed_24_c0555099:name;
+const unique T.MaximumAddress___unnamed_24_c0555099:name;
+const unique T.Port___unnamed_24_d7c4ec3a:name;
+const unique T.Memory___unnamed_24_d7c4ec3a:name;
+const unique T.Interrupt___unnamed_24_d7c4ec3a:name;
+const unique T.Dma___unnamed_24_d7c4ec3a:name;
+const unique T.Generic___unnamed_24_d7c4ec3a:name;
+const unique T.DevicePrivate___unnamed_24_d7c4ec3a:name;
+const unique T.BusNumber___unnamed_24_d7c4ec3a:name;
+const unique T.ConfigData___unnamed_24_d7c4ec3a:name;
+const unique T.Memory40___unnamed_24_d7c4ec3a:name;
+const unique T.Memory48___unnamed_24_d7c4ec3a:name;
+const unique T.Memory64___unnamed_24_d7c4ec3a:name;
+const unique T.ReplaceIfExists___unnamed_2_196a7f56:name;
+const unique T.AdvanceOnly___unnamed_2_196a7f56:name;
+const unique T.__unnamed_16_5fed8f23___unnamed_40_a0414182:name;
+const unique T.Thread___unnamed_40_a0414182:name;
+const unique T.AuxiliaryBuffer___unnamed_40_a0414182:name;
+const unique T.__unnamed_12_c6ed93f3___unnamed_40_a0414182:name;
+const unique T.OriginalFileObject___unnamed_40_a0414182:name;
+const unique T.ListEntry___unnamed_40_d90496f4:name;
+const unique T.Wcb___unnamed_40_d90496f4:name;
+const unique T.InitialPrivilegeSet___unnamed_44_a7026dca:name;
+const unique T.PrivilegeSet___unnamed_44_a7026dca:name;
+const unique T.Overlay___unnamed_48_c1da9fa5:name;
+const unique T.Apc___unnamed_48_c1da9fa5:name;
+const unique T.CompletionKey___unnamed_48_c1da9fa5:name;
+const unique T.PowerSequence___unnamed_4_0510b147:name;
+const unique T.Length___unnamed_4_0a569078:name;
+const unique T.Status___unnamed_4_16aff58e:name;
+const unique T.Pointer___unnamed_4_16aff58e:name;
+const unique T.IdType___unnamed_4_40bf8e34:name;
+const unique T.Address___unnamed_4_46b62f69:name;
+const unique T.CreatorBackTraceIndex___unnamed_4_46b62f69:name;
+const unique T.Capabilities___unnamed_4_73d46255:name;
+const unique T.Srb___unnamed_4_765e3037:name;
+const unique T.Type___unnamed_4_846adf3f:name;
+const unique T.__unnamed_1_2bb39c56___unnamed_4_846adf3f:name;
+const unique T.__unnamed_1_e30779f5___unnamed_4_846adf3f:name;
+const unique T.__unnamed_1_9fa0583a___unnamed_4_846adf3f:name;
+const unique T.PowerState___unnamed_4_8dd73d30:name;
+const unique T.Type___unnamed_4_957e0d74:name;
+const unique T.Buttons___unnamed_4_9c11ed91:name;
+const unique T.__unnamed_4_b5247f10___unnamed_4_9c11ed91:name;
+const unique T.IoResourceRequirementList___unnamed_4_a58d40c8:name;
+const unique T.CurrentStackLocation___unnamed_4_a7aa989c:name;
+const unique T.PacketType___unnamed_4_a7aa989c:name;
+const unique T.__unnamed_2_196a7f56___unnamed_4_a7d0864c:name;
+const unique T.ClusterCount___unnamed_4_a7d0864c:name;
+const unique T.DeleteHandle___unnamed_4_a7d0864c:name;
+const unique T.Length___unnamed_4_aa20b426:name;
+const unique T.UserApcRoutine___unnamed_4_ab87ddfd:name;
+const unique T.IssuingProcess___unnamed_4_ab87ddfd:name;
+const unique T.Reserved1___unnamed_4_b016b1e1:name;
+const unique T.TargetSystemState___unnamed_4_b016b1e1:name;
+const unique T.EffectiveSystemState___unnamed_4_b016b1e1:name;
+const unique T.CurrentSystemState___unnamed_4_b016b1e1:name;
+const unique T.IgnoreHibernationPath___unnamed_4_b016b1e1:name;
+const unique T.PseudoTransition___unnamed_4_b016b1e1:name;
+const unique T.Reserved2___unnamed_4_b016b1e1:name;
+const unique T.SystemContext___unnamed_4_b060dea6:name;
+const unique T.SystemPowerStateContext___unnamed_4_b060dea6:name;
+const unique T.__unnamed_4_b016b1e1___unnamed_4_b4f5a780:name;
+const unique T.ContextAsUlong___unnamed_4_b4f5a780:name;
+const unique T.ButtonFlags___unnamed_4_b5247f10:name;
+const unique T.ButtonData___unnamed_4_b5247f10:name;
+const unique T.OwnerCount___unnamed_4_c1e23b02:name;
+const unique T.TableSize___unnamed_4_c1e23b02:name;
+const unique T.__unnamed_4_846adf3f___unnamed_4_c9b2e921:name;
+const unique T.Lock___unnamed_4_c9b2e921:name;
+const unique T.MasterIrp___unnamed_4_fa7b96a7:name;
+const unique T.IrpCount___unnamed_4_fa7b96a7:name;
+const unique T.SystemBuffer___unnamed_4_fa7b96a7:name;
+const unique T.Vpb___unnamed_8_09ad2712:name;
+const unique T.DeviceObject___unnamed_8_09ad2712:name;
+const unique T.Length___unnamed_8_21ac1dba:name;
+const unique T.CompletionFilter___unnamed_8_21ac1dba:name;
+const unique T.Length___unnamed_8_27d3ab76:name;
+const unique T.FsInformationClass___unnamed_8_27d3ab76:name;
+const unique T.Vpb___unnamed_8_4289df81:name;
+const unique T.DeviceObject___unnamed_8_4289df81:name;
+const unique T.Length___unnamed_8_47b72724:name;
+const unique T.FileInformationClass___unnamed_8_47b72724:name;
+const unique T.DeviceTextType___unnamed_8_4b3e3ba3:name;
+const unique T.LocaleId___unnamed_8_4b3e3ba3:name;
+const unique T.__unnamed_4_ab87ddfd___unnamed_8_4f695993:name;
+const unique T.UserApcContext___unnamed_8_4f695993:name;
+const unique T.AllocatedResources___unnamed_8_5cfb6ca4:name;
+const unique T.AllocatedResourcesTranslated___unnamed_8_5cfb6ca4:name;
+const unique T.SecurityInformation___unnamed_8_606438c5:name;
+const unique T.Length___unnamed_8_606438c5:name;
+const unique T.MinimumChannel___unnamed_8_6ad774c0:name;
+const unique T.MaximumChannel___unnamed_8_6ad774c0:name;
+const unique T.Length___unnamed_8_805045cb:name;
+const unique T.FsInformationClass___unnamed_8_805045cb:name;
+const unique T.LowPart___unnamed_8_8684a3e7:name;
+const unique T.HighPart___unnamed_8_8684a3e7:name;
+const unique T.SecurityInformation___unnamed_8_8cc410da:name;
+const unique T.SecurityDescriptor___unnamed_8_8cc410da:name;
+const unique T.InPath___unnamed_8_a47253e0:name;
+const unique T.Reserved___unnamed_8_a47253e0:name;
+const unique T.Type___unnamed_8_a47253e0:name;
+const unique T.AsynchronousParameters___unnamed_8_bbd07f6c:name;
+const unique T.AllocationSize___unnamed_8_bbd07f6c:name;
+const unique T.LowPart___unnamed_8_c9ca8234:name;
+const unique T.HighPart___unnamed_8_c9ca8234:name;
+
+// Type declarations
+
+const unique T.A1_CM_FULL_RESOURCE_DESCRIPTOR:name;
+const unique T.A1_CM_PARTIAL_RESOURCE_DESCRIPTOR:name;
+const unique T.A1_IO_RESOURCE_DESCRIPTOR:name;
+const unique T.A1_IO_RESOURCE_LIST:name;
+const unique T.A1_LUID_AND_ATTRIBUTES:name;
+const unique T.A256UINT2:name;
+const unique T.A28PFDRIVER_DISPATCH:name;
+const unique T.A2UCHAR:name;
+const unique T.A2UINT2:name;
+const unique T.A32UINT2:name;
+const unique T.A3UCHAR:name;
+const unique T.A3UINT4:name;
+const unique T.A3_LUID_AND_ATTRIBUTES:name;
+const unique T.A4PVOID:name;
+const unique T.A4UINT4:name;
+const unique T.A5UINT2:name;
+const unique T.A5_DEVICE_POWER_STATE:name;
+const unique T.A7_DEVICE_POWER_STATE:name;
+const unique T.A85CHAR:name;
+const unique T.A8UCHAR:name;
+const unique T.A9UINT2:name;
+const unique T.BUS_QUERY_ID_TYPE:name;
+const unique T.CHAR:name;
+const unique T.DEVICE_TEXT_TYPE:name;
+const unique T.F0:name;
+const unique T.F1:name;
+const unique T.F10:name;
+const unique T.F11:name;
+const unique T.F12:name;
+const unique T.F13:name;
+const unique T.F14:name;
+const unique T.F15:name;
+const unique T.F16:name;
+const unique T.F17:name;
+const unique T.F18:name;
+const unique T.F19:name;
+const unique T.F2:name;
+const unique T.F20:name;
+const unique T.F21:name;
+const unique T.F22:name;
+const unique T.F23:name;
+const unique T.F24:name;
+const unique T.F25:name;
+const unique T.F26:name;
+const unique T.F27:name;
+const unique T.F28:name;
+const unique T.F29:name;
+const unique T.F3:name;
+const unique T.F30:name;
+const unique T.F31:name;
+const unique T.F32:name;
+const unique T.F33:name;
+const unique T.F34:name;
+const unique T.F35:name;
+const unique T.F36:name;
+const unique T.F37:name;
+const unique T.F38:name;
+const unique T.F4:name;
+const unique T.F5:name;
+const unique T.F6:name;
+const unique T.F7:name;
+const unique T.F8:name;
+const unique T.F9:name;
+const unique T.FDRIVER_ADD_DEVICE:name;
+const unique T.FDRIVER_CANCEL:name;
+const unique T.FDRIVER_CONTROL:name;
+const unique T.FDRIVER_DISPATCH:name;
+const unique T.FDRIVER_INITIALIZE:name;
+const unique T.FDRIVER_STARTIO:name;
+const unique T.FDRIVER_UNLOAD:name;
+const unique T.FFAST_IO_ACQUIRE_FILE:name;
+const unique T.FFAST_IO_ACQUIRE_FOR_CCFLUSH:name;
+const unique T.FFAST_IO_ACQUIRE_FOR_MOD_WRITE:name;
+const unique T.FFAST_IO_CHECK_IF_POSSIBLE:name;
+const unique T.FFAST_IO_DETACH_DEVICE:name;
+const unique T.FFAST_IO_DEVICE_CONTROL:name;
+const unique T.FFAST_IO_LOCK:name;
+const unique T.FFAST_IO_MDL_READ:name;
+const unique T.FFAST_IO_MDL_READ_COMPLETE:name;
+const unique T.FFAST_IO_MDL_READ_COMPLETE_COMPRESSED:name;
+const unique T.FFAST_IO_MDL_WRITE_COMPLETE:name;
+const unique T.FFAST_IO_MDL_WRITE_COMPLETE_COMPRESSED:name;
+const unique T.FFAST_IO_PREPARE_MDL_WRITE:name;
+const unique T.FFAST_IO_QUERY_BASIC_INFO:name;
+const unique T.FFAST_IO_QUERY_NETWORK_OPEN_INFO:name;
+const unique T.FFAST_IO_QUERY_OPEN:name;
+const unique T.FFAST_IO_QUERY_STANDARD_INFO:name;
+const unique T.FFAST_IO_READ:name;
+const unique T.FFAST_IO_READ_COMPRESSED:name;
+const unique T.FFAST_IO_RELEASE_FILE:name;
+const unique T.FFAST_IO_RELEASE_FOR_CCFLUSH:name;
+const unique T.FFAST_IO_RELEASE_FOR_MOD_WRITE:name;
+const unique T.FFAST_IO_UNLOCK_ALL:name;
+const unique T.FFAST_IO_UNLOCK_ALL_BY_KEY:name;
+const unique T.FFAST_IO_UNLOCK_SINGLE:name;
+const unique T.FFAST_IO_WRITE:name;
+const unique T.FFAST_IO_WRITE_COMPRESSED:name;
+const unique T.FIO_COMPLETION_ROUTINE:name;
+const unique T.FKDEFERRED_ROUTINE:name;
+const unique T.INT2:name;
+const unique T.INT4:name;
+const unique T.INT8:name;
+const unique T.PA256UINT2:name;
+const unique T.PA2UINT2:name;
+const unique T.PA4UINT4:name;
+const unique T.PA5UINT2:name;
+const unique T.PA85CHAR:name;
+const unique T.PA9UINT2:name;
+const unique T.PCHAR:name;
+const unique T.PF19:name;
+const unique T.PF21:name;
+const unique T.PF23:name;
+const unique T.PF24:name;
+const unique T.PF25:name;
+const unique T.PF33:name;
+const unique T.PF34:name;
+const unique T.PF35:name;
+const unique T.PF36:name;
+const unique T.PF37:name;
+const unique T.PF38:name;
+const unique T.PFDRIVER_ADD_DEVICE:name;
+const unique T.PFDRIVER_CANCEL:name;
+const unique T.PFDRIVER_CONTROL:name;
+const unique T.PFDRIVER_DISPATCH:name;
+const unique T.PFDRIVER_INITIALIZE:name;
+const unique T.PFDRIVER_STARTIO:name;
+const unique T.PFDRIVER_UNLOAD:name;
+const unique T.PFFAST_IO_ACQUIRE_FILE:name;
+const unique T.PFFAST_IO_ACQUIRE_FOR_CCFLUSH:name;
+const unique T.PFFAST_IO_ACQUIRE_FOR_MOD_WRITE:name;
+const unique T.PFFAST_IO_CHECK_IF_POSSIBLE:name;
+const unique T.PFFAST_IO_DETACH_DEVICE:name;
+const unique T.PFFAST_IO_DEVICE_CONTROL:name;
+const unique T.PFFAST_IO_LOCK:name;
+const unique T.PFFAST_IO_MDL_READ:name;
+const unique T.PFFAST_IO_MDL_READ_COMPLETE:name;
+const unique T.PFFAST_IO_MDL_READ_COMPLETE_COMPRESSED:name;
+const unique T.PFFAST_IO_MDL_WRITE_COMPLETE:name;
+const unique T.PFFAST_IO_MDL_WRITE_COMPLETE_COMPRESSED:name;
+const unique T.PFFAST_IO_PREPARE_MDL_WRITE:name;
+const unique T.PFFAST_IO_QUERY_BASIC_INFO:name;
+const unique T.PFFAST_IO_QUERY_NETWORK_OPEN_INFO:name;
+const unique T.PFFAST_IO_QUERY_OPEN:name;
+const unique T.PFFAST_IO_QUERY_STANDARD_INFO:name;
+const unique T.PFFAST_IO_READ:name;
+const unique T.PFFAST_IO_READ_COMPRESSED:name;
+const unique T.PFFAST_IO_RELEASE_FILE:name;
+const unique T.PFFAST_IO_RELEASE_FOR_CCFLUSH:name;
+const unique T.PFFAST_IO_RELEASE_FOR_MOD_WRITE:name;
+const unique T.PFFAST_IO_UNLOCK_ALL:name;
+const unique T.PFFAST_IO_UNLOCK_ALL_BY_KEY:name;
+const unique T.PFFAST_IO_UNLOCK_SINGLE:name;
+const unique T.PFFAST_IO_WRITE:name;
+const unique T.PFFAST_IO_WRITE_COMPRESSED:name;
+const unique T.PFIO_COMPLETION_ROUTINE:name;
+const unique T.PFKDEFERRED_ROUTINE:name;
+const unique T.PINT4:name;
+const unique T.POWER_ACTION:name;
+const unique T.PPCHAR:name;
+const unique T.PPF24:name;
+const unique T.PPPUINT2:name;
+const unique T.PPP_DEVICE_OBJECT:name;
+const unique T.PPP_FILE_OBJECT:name;
+const unique T.PPUINT2:name;
+const unique T.PPUINT4:name;
+const unique T.PPVOID:name;
+const unique T.PP_DEVICE_EXTENSION:name;
+const unique T.PP_DEVICE_OBJECT:name;
+const unique T.PP_DRIVER_OBJECT:name;
+const unique T.PP_ERESOURCE:name;
+const unique T.PP_FAST_MUTEX:name;
+const unique T.PP_FILE_OBJECT:name;
+const unique T.PP_LIST_ENTRY:name;
+const unique T.PP_MDL:name;
+const unique T.PP_PORT:name;
+const unique T.PP_UNICODE_STRING:name;
+const unique T.PUCHAR:name;
+const unique T.PUINT2:name;
+const unique T.PUINT4:name;
+const unique T.PVOID:name;
+const unique T.PWMIGUIDREGINFO:name;
+const unique T.P_ACCESS_STATE:name;
+const unique T.P_CM_RESOURCE_LIST:name;
+const unique T.P_COMPRESSED_DATA_INFO:name;
+const unique T.P_DEVICE_CAPABILITIES:name;
+const unique T.P_DEVICE_EXTENSION:name;
+const unique T.P_DEVICE_OBJECT:name;
+const unique T.P_DEVOBJ_EXTENSION:name;
+const unique T.P_DRIVER_EXTENSION:name;
+const unique T.P_DRIVER_OBJECT:name;
+const unique T.P_EPROCESS:name;
+const unique T.P_ERESOURCE:name;
+const unique T.P_ETHREAD:name;
+const unique T.P_FAST_IO_DISPATCH:name;
+const unique T.P_FAST_MUTEX:name;
+const unique T.P_FILE_BASIC_INFORMATION:name;
+const unique T.P_FILE_GET_QUOTA_INFORMATION:name;
+const unique T.P_FILE_NETWORK_OPEN_INFORMATION:name;
+const unique T.P_FILE_OBJECT:name;
+const unique T.P_FILE_STANDARD_INFORMATION:name;
+const unique T.P_GLOBALS:name;
+const unique T.P_GUID:name;
+const unique T.P_INTERFACE:name;
+const unique T.P_IO_COMPLETION_CONTEXT:name;
+const unique T.P_IO_REMOVE_LOCK_TRACKING_BLOCK:name;
+const unique T.P_IO_RESOURCE_REQUIREMENTS_LIST:name;
+const unique T.P_IO_SECURITY_CONTEXT:name;
+const unique T.P_IO_STACK_LOCATION:name;
+const unique T.P_IO_STATUS_BLOCK:name;
+const unique T.P_IO_TIMER:name;
+const unique T.P_IRP:name;
+const unique T.P_KAPC:name;
+const unique T.P_KDPC:name;
+const unique T.P_KEVENT:name;
+const unique T.P_KSEMAPHORE:name;
+const unique T.P_KTHREAD:name;
+const unique T.P_LARGE_INTEGER:name;
+const unique T.P_LIST_ENTRY:name;
+const unique T.P_MDL:name;
+const unique T.P_MOUSE_INPUT_DATA:name;
+const unique T.P_OWNER_ENTRY:name;
+const unique T.P_POOL_TYPE:name;
+const unique T.P_PORT:name;
+const unique T.P_POWER_SEQUENCE:name;
+const unique T.P_SCSI_REQUEST_BLOCK:name;
+const unique T.P_SECTION_OBJECT_POINTERS:name;
+const unique T.P_SECURITY_QUALITY_OF_SERVICE:name;
+const unique T.P_UNICODE_STRING:name;
+const unique T.P_VPB:name;
+const unique T.UCHAR:name;
+const unique T.UINT2:name;
+const unique T.UINT4:name;
+const unique T.VOID:name;
+const unique T.WMIENABLEDISABLECONTROL:name;
+const unique T.WMIGUIDREGINFO:name;
+const unique T._ACCESS_STATE:name;
+const unique T._CM_FULL_RESOURCE_DESCRIPTOR:name;
+const unique T._CM_PARTIAL_RESOURCE_DESCRIPTOR:name;
+const unique T._CM_PARTIAL_RESOURCE_LIST:name;
+const unique T._CM_RESOURCE_LIST:name;
+const unique T._COMPRESSED_DATA_INFO:name;
+const unique T._DEVICE_CAPABILITIES:name;
+const unique T._DEVICE_EXTENSION:name;
+const unique T._DEVICE_OBJECT:name;
+const unique T._DEVICE_POWER_STATE:name;
+const unique T._DEVICE_RELATION_TYPE:name;
+const unique T._DEVICE_USAGE_NOTIFICATION_TYPE:name;
+const unique T._DEVOBJ_EXTENSION:name;
+const unique T._DISPATCHER_HEADER:name;
+const unique T._DRIVER_EXTENSION:name;
+const unique T._DRIVER_OBJECT:name;
+const unique T._EPROCESS:name;
+const unique T._ERESOURCE:name;
+const unique T._ETHREAD:name;
+const unique T._FAST_IO_DISPATCH:name;
+const unique T._FAST_MUTEX:name;
+const unique T._FILE_BASIC_INFORMATION:name;
+const unique T._FILE_GET_QUOTA_INFORMATION:name;
+const unique T._FILE_INFORMATION_CLASS:name;
+const unique T._FILE_NETWORK_OPEN_INFORMATION:name;
+const unique T._FILE_OBJECT:name;
+const unique T._FILE_STANDARD_INFORMATION:name;
+const unique T._FSINFOCLASS:name;
+const unique T._GLOBALS:name;
+const unique T._GUID:name;
+const unique T._INITIAL_PRIVILEGE_SET:name;
+const unique T._INTERFACE:name;
+const unique T._INTERFACE_TYPE:name;
+const unique T._IO_ALLOCATION_ACTION:name;
+const unique T._IO_COMPLETION_CONTEXT:name;
+const unique T._IO_REMOVE_LOCK:name;
+const unique T._IO_REMOVE_LOCK_COMMON_BLOCK:name;
+const unique T._IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T._IO_REMOVE_LOCK_TRACKING_BLOCK:name;
+const unique T._IO_RESOURCE_DESCRIPTOR:name;
+const unique T._IO_RESOURCE_LIST:name;
+const unique T._IO_RESOURCE_REQUIREMENTS_LIST:name;
+const unique T._IO_SECURITY_CONTEXT:name;
+const unique T._IO_STACK_LOCATION:name;
+const unique T._IO_STATUS_BLOCK:name;
+const unique T._IO_TIMER:name;
+const unique T._IRP:name;
+const unique T._IRQ_DEVICE_POLICY:name;
+const unique T._IRQ_PRIORITY:name;
+const unique T._KAPC:name;
+const unique T._KDEVICE_QUEUE:name;
+const unique T._KDEVICE_QUEUE_ENTRY:name;
+const unique T._KDPC:name;
+const unique T._KEVENT:name;
+const unique T._KSEMAPHORE:name;
+const unique T._KTHREAD:name;
+const unique T._LARGE_INTEGER:name;
+const unique T._LIST_ENTRY:name;
+const unique T._LUID:name;
+const unique T._LUID_AND_ATTRIBUTES:name;
+const unique T._MDL:name;
+const unique T._MOUSE_ATTRIBUTES:name;
+const unique T._MOUSE_INPUT_DATA:name;
+const unique T._OWNER_ENTRY:name;
+const unique T._POOL_TYPE:name;
+const unique T._PORT:name;
+const unique T._POWER_SEQUENCE:name;
+const unique T._POWER_STATE:name;
+const unique T._POWER_STATE_TYPE:name;
+const unique T._PRIVILEGE_SET:name;
+const unique T._SCSI_REQUEST_BLOCK:name;
+const unique T._SECTION_OBJECT_POINTERS:name;
+const unique T._SECURITY_IMPERSONATION_LEVEL:name;
+const unique T._SECURITY_QUALITY_OF_SERVICE:name;
+const unique T._SECURITY_SUBJECT_CONTEXT:name;
+const unique T._SYSTEM_POWER_STATE:name;
+const unique T._SYSTEM_POWER_STATE_CONTEXT:name;
+const unique T._UNICODE_STRING:name;
+const unique T._VPB:name;
+const unique T._WAIT_CONTEXT_BLOCK:name;
+const unique T._WMILIB_CONTEXT:name;
+const unique T.__unnamed_12_06b9ee6e:name;
+const unique T.__unnamed_12_0882bd02:name;
+const unique T.__unnamed_12_264d0dab:name;
+const unique T.__unnamed_12_2e80217b:name;
+const unique T.__unnamed_12_5cc7ace2:name;
+const unique T.__unnamed_12_6374506e:name;
+const unique T.__unnamed_12_68a4278e:name;
+const unique T.__unnamed_12_79ed2653:name;
+const unique T.__unnamed_12_7da594c0:name;
+const unique T.__unnamed_12_9873e05d:name;
+const unique T.__unnamed_12_9cc8cebc:name;
+const unique T.__unnamed_12_b98da82e:name;
+const unique T.__unnamed_12_c2880e88:name;
+const unique T.__unnamed_12_c49ab31a:name;
+const unique T.__unnamed_12_c6ed93f3:name;
+const unique T.__unnamed_12_ced61554:name;
+const unique T.__unnamed_12_d9c44df5:name;
+const unique T.__unnamed_12_db3dcbfc:name;
+const unique T.__unnamed_12_fb26b3fc:name;
+const unique T.__unnamed_16_22e4d054:name;
+const unique T.__unnamed_16_39b626ad:name;
+const unique T.__unnamed_16_56c011d7:name;
+const unique T.__unnamed_16_5fed8f23:name;
+const unique T.__unnamed_16_6be9abe0:name;
+const unique T.__unnamed_16_78879a38:name;
+const unique T.__unnamed_16_804a2f24:name;
+const unique T.__unnamed_16_8586693f:name;
+const unique T.__unnamed_16_8831e65f:name;
+const unique T.__unnamed_16_8c2d663a:name;
+const unique T.__unnamed_16_913b9a7a:name;
+const unique T.__unnamed_16_94d1d1c7:name;
+const unique T.__unnamed_16_a2fab4da:name;
+const unique T.__unnamed_16_ae643f17:name;
+const unique T.__unnamed_16_c1b29316:name;
+const unique T.__unnamed_16_cbd53ed4:name;
+const unique T.__unnamed_16_db70db6e:name;
+const unique T.__unnamed_16_ef4b6307:name;
+const unique T.__unnamed_16_fdda1f62:name;
+const unique T.__unnamed_1_1394de4b:name;
+const unique T.__unnamed_1_2bb39c56:name;
+const unique T.__unnamed_1_9fa0583a:name;
+const unique T.__unnamed_1_e30779f5:name;
+const unique T.__unnamed_20_83d468e4:name;
+const unique T.__unnamed_24_035931da:name;
+const unique T.__unnamed_24_38e128db:name;
+const unique T.__unnamed_24_9500ea34:name;
+const unique T.__unnamed_24_9734802c:name;
+const unique T.__unnamed_24_af62813f:name;
+const unique T.__unnamed_24_c0555099:name;
+const unique T.__unnamed_24_d7c4ec3a:name;
+const unique T.__unnamed_2_196a7f56:name;
+const unique T.__unnamed_40_a0414182:name;
+const unique T.__unnamed_40_d90496f4:name;
+const unique T.__unnamed_44_a7026dca:name;
+const unique T.__unnamed_48_c1da9fa5:name;
+const unique T.__unnamed_4_0510b147:name;
+const unique T.__unnamed_4_0a569078:name;
+const unique T.__unnamed_4_16aff58e:name;
+const unique T.__unnamed_4_40bf8e34:name;
+const unique T.__unnamed_4_46b62f69:name;
+const unique T.__unnamed_4_73d46255:name;
+const unique T.__unnamed_4_765e3037:name;
+const unique T.__unnamed_4_846adf3f:name;
+const unique T.__unnamed_4_8dd73d30:name;
+const unique T.__unnamed_4_957e0d74:name;
+const unique T.__unnamed_4_9c11ed91:name;
+const unique T.__unnamed_4_a58d40c8:name;
+const unique T.__unnamed_4_a7aa989c:name;
+const unique T.__unnamed_4_a7d0864c:name;
+const unique T.__unnamed_4_aa20b426:name;
+const unique T.__unnamed_4_ab87ddfd:name;
+const unique T.__unnamed_4_b016b1e1:name;
+const unique T.__unnamed_4_b060dea6:name;
+const unique T.__unnamed_4_b4f5a780:name;
+const unique T.__unnamed_4_b5247f10:name;
+const unique T.__unnamed_4_c1e23b02:name;
+const unique T.__unnamed_4_c9b2e921:name;
+const unique T.__unnamed_4_fa7b96a7:name;
+const unique T.__unnamed_8_09ad2712:name;
+const unique T.__unnamed_8_21ac1dba:name;
+const unique T.__unnamed_8_27d3ab76:name;
+const unique T.__unnamed_8_4289df81:name;
+const unique T.__unnamed_8_47b72724:name;
+const unique T.__unnamed_8_4b3e3ba3:name;
+const unique T.__unnamed_8_4f695993:name;
+const unique T.__unnamed_8_5cfb6ca4:name;
+const unique T.__unnamed_8_606438c5:name;
+const unique T.__unnamed_8_6ad774c0:name;
+const unique T.__unnamed_8_805045cb:name;
+const unique T.__unnamed_8_8684a3e7:name;
+const unique T.__unnamed_8_8cc410da:name;
+const unique T.__unnamed_8_a47253e0:name;
+const unique T.__unnamed_8_bbd07f6c:name;
+const unique T.__unnamed_8_c9ca8234:name;
+
+function AssocClassList__GLOBALS(int) returns (int);
+function AssocClassList__GLOBALSInv(int) returns (int);
+function _S_AssocClassList__GLOBALS([int]bool) returns ([int]bool);
+function _S_AssocClassList__GLOBALSInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {AssocClassList__GLOBALSInv(AssocClassList__GLOBALS(x))} AssocClassList__GLOBALSInv(AssocClassList__GLOBALS(x)) == x);
+axiom (forall x:int :: {AssocClassList__GLOBALSInv(x)} AssocClassList__GLOBALS(AssocClassList__GLOBALSInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_AssocClassList__GLOBALS(S)[x]} _S_AssocClassList__GLOBALS(S)[x] <==> S[AssocClassList__GLOBALSInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_AssocClassList__GLOBALSInv(S)[x]} _S_AssocClassList__GLOBALSInv(S)[x] <==> S[AssocClassList__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_AssocClassList__GLOBALS(S)} S[x] ==> _S_AssocClassList__GLOBALS(S)[AssocClassList__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_AssocClassList__GLOBALSInv(S)} S[x] ==> _S_AssocClassList__GLOBALSInv(S)[AssocClassList__GLOBALSInv(x)]);
+
+axiom (forall x:int :: {AssocClassList__GLOBALS(x)} AssocClassList__GLOBALS(x) == x + 8);
+axiom (forall x:int :: {AssocClassList__GLOBALSInv(x)} AssocClassList__GLOBALSInv(x) == x - 8);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 8, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 8, 1) == AssocClassList__GLOBALSInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 8)} MINUS_LEFT_PTR(x, 1, 8) == AssocClassList__GLOBALSInv(x));
+function BaseClassName__GLOBALS(int) returns (int);
+function BaseClassName__GLOBALSInv(int) returns (int);
+function _S_BaseClassName__GLOBALS([int]bool) returns ([int]bool);
+function _S_BaseClassName__GLOBALSInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {BaseClassName__GLOBALSInv(BaseClassName__GLOBALS(x))} BaseClassName__GLOBALSInv(BaseClassName__GLOBALS(x)) == x);
+axiom (forall x:int :: {BaseClassName__GLOBALSInv(x)} BaseClassName__GLOBALS(BaseClassName__GLOBALSInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_BaseClassName__GLOBALS(S)[x]} _S_BaseClassName__GLOBALS(S)[x] <==> S[BaseClassName__GLOBALSInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_BaseClassName__GLOBALSInv(S)[x]} _S_BaseClassName__GLOBALSInv(S)[x] <==> S[BaseClassName__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_BaseClassName__GLOBALS(S)} S[x] ==> _S_BaseClassName__GLOBALS(S)[BaseClassName__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_BaseClassName__GLOBALSInv(S)} S[x] ==> _S_BaseClassName__GLOBALSInv(S)[BaseClassName__GLOBALSInv(x)]);
+
+axiom (forall x:int :: {BaseClassName__GLOBALS(x)} BaseClassName__GLOBALS(x) == x + 344);
+axiom (forall x:int :: {BaseClassName__GLOBALSInv(x)} BaseClassName__GLOBALSInv(x) == x - 344);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 344, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 344, 1) == BaseClassName__GLOBALSInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 344)} MINUS_LEFT_PTR(x, 1, 344) == BaseClassName__GLOBALSInv(x));
+function Buffer__UNICODE_STRING(int) returns (int);
+function Buffer__UNICODE_STRINGInv(int) returns (int);
+function _S_Buffer__UNICODE_STRING([int]bool) returns ([int]bool);
+function _S_Buffer__UNICODE_STRINGInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Buffer__UNICODE_STRINGInv(Buffer__UNICODE_STRING(x))} Buffer__UNICODE_STRINGInv(Buffer__UNICODE_STRING(x)) == x);
+axiom (forall x:int :: {Buffer__UNICODE_STRINGInv(x)} Buffer__UNICODE_STRING(Buffer__UNICODE_STRINGInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Buffer__UNICODE_STRING(S)[x]} _S_Buffer__UNICODE_STRING(S)[x] <==> S[Buffer__UNICODE_STRINGInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Buffer__UNICODE_STRINGInv(S)[x]} _S_Buffer__UNICODE_STRINGInv(S)[x] <==> S[Buffer__UNICODE_STRING(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Buffer__UNICODE_STRING(S)} S[x] ==> _S_Buffer__UNICODE_STRING(S)[Buffer__UNICODE_STRING(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Buffer__UNICODE_STRINGInv(S)} S[x] ==> _S_Buffer__UNICODE_STRINGInv(S)[Buffer__UNICODE_STRINGInv(x)]);
+
+axiom (forall x:int :: {Buffer__UNICODE_STRING(x)} Buffer__UNICODE_STRING(x) == x + 4);
+axiom (forall x:int :: {Buffer__UNICODE_STRINGInv(x)} Buffer__UNICODE_STRINGInv(x) == x - 4);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1) == Buffer__UNICODE_STRINGInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 4)} MINUS_LEFT_PTR(x, 1, 4) == Buffer__UNICODE_STRINGInv(x));
+function DataIn__DEVICE_EXTENSION(int) returns (int);
+function DataIn__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_DataIn__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_DataIn__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {DataIn__DEVICE_EXTENSIONInv(DataIn__DEVICE_EXTENSION(x))} DataIn__DEVICE_EXTENSIONInv(DataIn__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {DataIn__DEVICE_EXTENSIONInv(x)} DataIn__DEVICE_EXTENSION(DataIn__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_DataIn__DEVICE_EXTENSION(S)[x]} _S_DataIn__DEVICE_EXTENSION(S)[x] <==> S[DataIn__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_DataIn__DEVICE_EXTENSIONInv(S)[x]} _S_DataIn__DEVICE_EXTENSIONInv(S)[x] <==> S[DataIn__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_DataIn__DEVICE_EXTENSION(S)} S[x] ==> _S_DataIn__DEVICE_EXTENSION(S)[DataIn__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_DataIn__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_DataIn__DEVICE_EXTENSIONInv(S)[DataIn__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {DataIn__DEVICE_EXTENSION(x)} DataIn__DEVICE_EXTENSION(x) == x + 132);
+axiom (forall x:int :: {DataIn__DEVICE_EXTENSIONInv(x)} DataIn__DEVICE_EXTENSIONInv(x) == x - 132);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 132, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 132, 1) == DataIn__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 132)} MINUS_LEFT_PTR(x, 1, 132) == DataIn__DEVICE_EXTENSIONInv(x));
+function DataOut__DEVICE_EXTENSION(int) returns (int);
+function DataOut__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_DataOut__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_DataOut__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {DataOut__DEVICE_EXTENSIONInv(DataOut__DEVICE_EXTENSION(x))} DataOut__DEVICE_EXTENSIONInv(DataOut__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {DataOut__DEVICE_EXTENSIONInv(x)} DataOut__DEVICE_EXTENSION(DataOut__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_DataOut__DEVICE_EXTENSION(S)[x]} _S_DataOut__DEVICE_EXTENSION(S)[x] <==> S[DataOut__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_DataOut__DEVICE_EXTENSIONInv(S)[x]} _S_DataOut__DEVICE_EXTENSIONInv(S)[x] <==> S[DataOut__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_DataOut__DEVICE_EXTENSION(S)} S[x] ==> _S_DataOut__DEVICE_EXTENSION(S)[DataOut__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_DataOut__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_DataOut__DEVICE_EXTENSIONInv(S)[DataOut__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {DataOut__DEVICE_EXTENSION(x)} DataOut__DEVICE_EXTENSION(x) == x + 136);
+axiom (forall x:int :: {DataOut__DEVICE_EXTENSIONInv(x)} DataOut__DEVICE_EXTENSIONInv(x) == x - 136);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 136, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 136, 1) == DataOut__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 136)} MINUS_LEFT_PTR(x, 1, 136) == DataOut__DEVICE_EXTENSIONInv(x));
+function DeviceExtension__DEVICE_OBJECT(int) returns (int);
+function DeviceExtension__DEVICE_OBJECTInv(int) returns (int);
+function _S_DeviceExtension__DEVICE_OBJECT([int]bool) returns ([int]bool);
+function _S_DeviceExtension__DEVICE_OBJECTInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {DeviceExtension__DEVICE_OBJECTInv(DeviceExtension__DEVICE_OBJECT(x))} DeviceExtension__DEVICE_OBJECTInv(DeviceExtension__DEVICE_OBJECT(x)) == x);
+axiom (forall x:int :: {DeviceExtension__DEVICE_OBJECTInv(x)} DeviceExtension__DEVICE_OBJECT(DeviceExtension__DEVICE_OBJECTInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_DeviceExtension__DEVICE_OBJECT(S)[x]} _S_DeviceExtension__DEVICE_OBJECT(S)[x] <==> S[DeviceExtension__DEVICE_OBJECTInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_DeviceExtension__DEVICE_OBJECTInv(S)[x]} _S_DeviceExtension__DEVICE_OBJECTInv(S)[x] <==> S[DeviceExtension__DEVICE_OBJECT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_DeviceExtension__DEVICE_OBJECT(S)} S[x] ==> _S_DeviceExtension__DEVICE_OBJECT(S)[DeviceExtension__DEVICE_OBJECT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_DeviceExtension__DEVICE_OBJECTInv(S)} S[x] ==> _S_DeviceExtension__DEVICE_OBJECTInv(S)[DeviceExtension__DEVICE_OBJECTInv(x)]);
+
+axiom (forall x:int :: {DeviceExtension__DEVICE_OBJECT(x)} DeviceExtension__DEVICE_OBJECT(x) == x + 40);
+axiom (forall x:int :: {DeviceExtension__DEVICE_OBJECTInv(x)} DeviceExtension__DEVICE_OBJECTInv(x) == x - 40);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 40, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 40, 1) == DeviceExtension__DEVICE_OBJECTInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 40)} MINUS_LEFT_PTR(x, 1, 40) == DeviceExtension__DEVICE_OBJECTInv(x));
+function File__DEVICE_EXTENSION(int) returns (int);
+function File__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_File__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_File__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {File__DEVICE_EXTENSIONInv(File__DEVICE_EXTENSION(x))} File__DEVICE_EXTENSIONInv(File__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {File__DEVICE_EXTENSIONInv(x)} File__DEVICE_EXTENSION(File__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_File__DEVICE_EXTENSION(S)[x]} _S_File__DEVICE_EXTENSION(S)[x] <==> S[File__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_File__DEVICE_EXTENSIONInv(S)[x]} _S_File__DEVICE_EXTENSIONInv(S)[x] <==> S[File__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_File__DEVICE_EXTENSION(S)} S[x] ==> _S_File__DEVICE_EXTENSION(S)[File__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_File__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_File__DEVICE_EXTENSIONInv(S)[File__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {File__DEVICE_EXTENSION(x)} File__DEVICE_EXTENSION(x) == x + 260);
+axiom (forall x:int :: {File__DEVICE_EXTENSIONInv(x)} File__DEVICE_EXTENSIONInv(x) == x - 260);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 260, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 260, 1) == File__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 260)} MINUS_LEFT_PTR(x, 1, 260) == File__DEVICE_EXTENSIONInv(x));
+function File__PORT(int) returns (int);
+function File__PORTInv(int) returns (int);
+function _S_File__PORT([int]bool) returns ([int]bool);
+function _S_File__PORTInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {File__PORTInv(File__PORT(x))} File__PORTInv(File__PORT(x)) == x);
+axiom (forall x:int :: {File__PORTInv(x)} File__PORT(File__PORTInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_File__PORT(S)[x]} _S_File__PORT(S)[x] <==> S[File__PORTInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_File__PORTInv(S)[x]} _S_File__PORTInv(S)[x] <==> S[File__PORT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_File__PORT(S)} S[x] ==> _S_File__PORT(S)[File__PORT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_File__PORTInv(S)} S[x] ==> _S_File__PORTInv(S)[File__PORTInv(x)]);
+
+axiom (forall x:int :: {File__PORT(x)} File__PORT(x) == x + 0);
+axiom (forall x:int :: {File__PORTInv(x)} File__PORTInv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == File__PORTInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == File__PORTInv(x));
+function Flags__DEVICE_OBJECT(int) returns (int);
+function Flags__DEVICE_OBJECTInv(int) returns (int);
+function _S_Flags__DEVICE_OBJECT([int]bool) returns ([int]bool);
+function _S_Flags__DEVICE_OBJECTInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Flags__DEVICE_OBJECTInv(Flags__DEVICE_OBJECT(x))} Flags__DEVICE_OBJECTInv(Flags__DEVICE_OBJECT(x)) == x);
+axiom (forall x:int :: {Flags__DEVICE_OBJECTInv(x)} Flags__DEVICE_OBJECT(Flags__DEVICE_OBJECTInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Flags__DEVICE_OBJECT(S)[x]} _S_Flags__DEVICE_OBJECT(S)[x] <==> S[Flags__DEVICE_OBJECTInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Flags__DEVICE_OBJECTInv(S)[x]} _S_Flags__DEVICE_OBJECTInv(S)[x] <==> S[Flags__DEVICE_OBJECT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Flags__DEVICE_OBJECT(S)} S[x] ==> _S_Flags__DEVICE_OBJECT(S)[Flags__DEVICE_OBJECT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Flags__DEVICE_OBJECTInv(S)} S[x] ==> _S_Flags__DEVICE_OBJECTInv(S)[Flags__DEVICE_OBJECTInv(x)]);
+
+axiom (forall x:int :: {Flags__DEVICE_OBJECT(x)} Flags__DEVICE_OBJECT(x) == x + 28);
+axiom (forall x:int :: {Flags__DEVICE_OBJECTInv(x)} Flags__DEVICE_OBJECTInv(x) == x - 28);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 28, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 28, 1) == Flags__DEVICE_OBJECTInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 28)} MINUS_LEFT_PTR(x, 1, 28) == Flags__DEVICE_OBJECTInv(x));
+function Flink__LIST_ENTRY(int) returns (int);
+function Flink__LIST_ENTRYInv(int) returns (int);
+function _S_Flink__LIST_ENTRY([int]bool) returns ([int]bool);
+function _S_Flink__LIST_ENTRYInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Flink__LIST_ENTRYInv(Flink__LIST_ENTRY(x))} Flink__LIST_ENTRYInv(Flink__LIST_ENTRY(x)) == x);
+axiom (forall x:int :: {Flink__LIST_ENTRYInv(x)} Flink__LIST_ENTRY(Flink__LIST_ENTRYInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Flink__LIST_ENTRY(S)[x]} _S_Flink__LIST_ENTRY(S)[x] <==> S[Flink__LIST_ENTRYInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Flink__LIST_ENTRYInv(S)[x]} _S_Flink__LIST_ENTRYInv(S)[x] <==> S[Flink__LIST_ENTRY(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Flink__LIST_ENTRY(S)} S[x] ==> _S_Flink__LIST_ENTRY(S)[Flink__LIST_ENTRY(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Flink__LIST_ENTRYInv(S)} S[x] ==> _S_Flink__LIST_ENTRYInv(S)[Flink__LIST_ENTRYInv(x)]);
+
+axiom (forall x:int :: {Flink__LIST_ENTRY(x)} Flink__LIST_ENTRY(x) == x + 0);
+axiom (forall x:int :: {Flink__LIST_ENTRYInv(x)} Flink__LIST_ENTRYInv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == Flink__LIST_ENTRYInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == Flink__LIST_ENTRYInv(x));
+function Free__PORT(int) returns (int);
+function Free__PORTInv(int) returns (int);
+function _S_Free__PORT([int]bool) returns ([int]bool);
+function _S_Free__PORTInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Free__PORTInv(Free__PORT(x))} Free__PORTInv(Free__PORT(x)) == x);
+axiom (forall x:int :: {Free__PORTInv(x)} Free__PORT(Free__PORTInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Free__PORT(S)[x]} _S_Free__PORT(S)[x] <==> S[Free__PORTInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Free__PORTInv(S)[x]} _S_Free__PORTInv(S)[x] <==> S[Free__PORT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Free__PORT(S)} S[x] ==> _S_Free__PORT(S)[Free__PORT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Free__PORTInv(S)} S[x] ==> _S_Free__PORTInv(S)[Free__PORTInv(x)]);
+
+axiom (forall x:int :: {Free__PORT(x)} Free__PORT(x) == x + 11);
+axiom (forall x:int :: {Free__PORTInv(x)} Free__PORTInv(x) == x - 11);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 11, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 11, 1) == Free__PORTInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 11)} MINUS_LEFT_PTR(x, 1, 11) == Free__PORTInv(x));
+function GrandMaster__GLOBALS(int) returns (int);
+function GrandMaster__GLOBALSInv(int) returns (int);
+function _S_GrandMaster__GLOBALS([int]bool) returns ([int]bool);
+function _S_GrandMaster__GLOBALSInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {GrandMaster__GLOBALSInv(GrandMaster__GLOBALS(x))} GrandMaster__GLOBALSInv(GrandMaster__GLOBALS(x)) == x);
+axiom (forall x:int :: {GrandMaster__GLOBALSInv(x)} GrandMaster__GLOBALS(GrandMaster__GLOBALSInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_GrandMaster__GLOBALS(S)[x]} _S_GrandMaster__GLOBALS(S)[x] <==> S[GrandMaster__GLOBALSInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_GrandMaster__GLOBALSInv(S)[x]} _S_GrandMaster__GLOBALSInv(S)[x] <==> S[GrandMaster__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_GrandMaster__GLOBALS(S)} S[x] ==> _S_GrandMaster__GLOBALS(S)[GrandMaster__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_GrandMaster__GLOBALSInv(S)} S[x] ==> _S_GrandMaster__GLOBALSInv(S)[GrandMaster__GLOBALSInv(x)]);
+
+axiom (forall x:int :: {GrandMaster__GLOBALS(x)} GrandMaster__GLOBALS(x) == x + 4);
+axiom (forall x:int :: {GrandMaster__GLOBALSInv(x)} GrandMaster__GLOBALSInv(x) == x - 4);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1) == GrandMaster__GLOBALSInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 4)} MINUS_LEFT_PTR(x, 1, 4) == GrandMaster__GLOBALSInv(x));
+function InitExtension__GLOBALS(int) returns (int);
+function InitExtension__GLOBALSInv(int) returns (int);
+function _S_InitExtension__GLOBALS([int]bool) returns ([int]bool);
+function _S_InitExtension__GLOBALSInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {InitExtension__GLOBALSInv(InitExtension__GLOBALS(x))} InitExtension__GLOBALSInv(InitExtension__GLOBALS(x)) == x);
+axiom (forall x:int :: {InitExtension__GLOBALSInv(x)} InitExtension__GLOBALS(InitExtension__GLOBALSInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_InitExtension__GLOBALS(S)[x]} _S_InitExtension__GLOBALS(S)[x] <==> S[InitExtension__GLOBALSInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_InitExtension__GLOBALSInv(S)[x]} _S_InitExtension__GLOBALSInv(S)[x] <==> S[InitExtension__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_InitExtension__GLOBALS(S)} S[x] ==> _S_InitExtension__GLOBALS(S)[InitExtension__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_InitExtension__GLOBALSInv(S)} S[x] ==> _S_InitExtension__GLOBALSInv(S)[InitExtension__GLOBALSInv(x)]);
+
+axiom (forall x:int :: {InitExtension__GLOBALS(x)} InitExtension__GLOBALS(x) == x + 64);
+axiom (forall x:int :: {InitExtension__GLOBALSInv(x)} InitExtension__GLOBALSInv(x) == x - 64);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 64, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 64, 1) == InitExtension__GLOBALSInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 64)} MINUS_LEFT_PTR(x, 1, 64) == InitExtension__GLOBALSInv(x));
+function InputData__DEVICE_EXTENSION(int) returns (int);
+function InputData__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_InputData__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_InputData__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {InputData__DEVICE_EXTENSIONInv(InputData__DEVICE_EXTENSION(x))} InputData__DEVICE_EXTENSIONInv(InputData__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {InputData__DEVICE_EXTENSIONInv(x)} InputData__DEVICE_EXTENSION(InputData__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_InputData__DEVICE_EXTENSION(S)[x]} _S_InputData__DEVICE_EXTENSION(S)[x] <==> S[InputData__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_InputData__DEVICE_EXTENSIONInv(S)[x]} _S_InputData__DEVICE_EXTENSIONInv(S)[x] <==> S[InputData__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_InputData__DEVICE_EXTENSION(S)} S[x] ==> _S_InputData__DEVICE_EXTENSION(S)[InputData__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_InputData__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_InputData__DEVICE_EXTENSIONInv(S)[InputData__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {InputData__DEVICE_EXTENSION(x)} InputData__DEVICE_EXTENSION(x) == x + 128);
+axiom (forall x:int :: {InputData__DEVICE_EXTENSIONInv(x)} InputData__DEVICE_EXTENSIONInv(x) == x - 128);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 128, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 128, 1) == InputData__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 128)} MINUS_LEFT_PTR(x, 1, 128) == InputData__DEVICE_EXTENSIONInv(x));
+function LegacyDeviceList__GLOBALS(int) returns (int);
+function LegacyDeviceList__GLOBALSInv(int) returns (int);
+function _S_LegacyDeviceList__GLOBALS([int]bool) returns ([int]bool);
+function _S_LegacyDeviceList__GLOBALSInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {LegacyDeviceList__GLOBALSInv(LegacyDeviceList__GLOBALS(x))} LegacyDeviceList__GLOBALSInv(LegacyDeviceList__GLOBALS(x)) == x);
+axiom (forall x:int :: {LegacyDeviceList__GLOBALSInv(x)} LegacyDeviceList__GLOBALS(LegacyDeviceList__GLOBALSInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_LegacyDeviceList__GLOBALS(S)[x]} _S_LegacyDeviceList__GLOBALS(S)[x] <==> S[LegacyDeviceList__GLOBALSInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_LegacyDeviceList__GLOBALSInv(S)[x]} _S_LegacyDeviceList__GLOBALSInv(S)[x] <==> S[LegacyDeviceList__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_LegacyDeviceList__GLOBALS(S)} S[x] ==> _S_LegacyDeviceList__GLOBALS(S)[LegacyDeviceList__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_LegacyDeviceList__GLOBALSInv(S)} S[x] ==> _S_LegacyDeviceList__GLOBALSInv(S)[LegacyDeviceList__GLOBALSInv(x)]);
+
+axiom (forall x:int :: {LegacyDeviceList__GLOBALS(x)} LegacyDeviceList__GLOBALS(x) == x + 864);
+axiom (forall x:int :: {LegacyDeviceList__GLOBALSInv(x)} LegacyDeviceList__GLOBALSInv(x) == x - 864);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 864, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 864, 1) == LegacyDeviceList__GLOBALSInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 864)} MINUS_LEFT_PTR(x, 1, 864) == LegacyDeviceList__GLOBALSInv(x));
+function Length__UNICODE_STRING(int) returns (int);
+function Length__UNICODE_STRINGInv(int) returns (int);
+function _S_Length__UNICODE_STRING([int]bool) returns ([int]bool);
+function _S_Length__UNICODE_STRINGInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Length__UNICODE_STRINGInv(Length__UNICODE_STRING(x))} Length__UNICODE_STRINGInv(Length__UNICODE_STRING(x)) == x);
+axiom (forall x:int :: {Length__UNICODE_STRINGInv(x)} Length__UNICODE_STRING(Length__UNICODE_STRINGInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Length__UNICODE_STRING(S)[x]} _S_Length__UNICODE_STRING(S)[x] <==> S[Length__UNICODE_STRINGInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Length__UNICODE_STRINGInv(S)[x]} _S_Length__UNICODE_STRINGInv(S)[x] <==> S[Length__UNICODE_STRING(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Length__UNICODE_STRING(S)} S[x] ==> _S_Length__UNICODE_STRING(S)[Length__UNICODE_STRING(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Length__UNICODE_STRINGInv(S)} S[x] ==> _S_Length__UNICODE_STRINGInv(S)[Length__UNICODE_STRINGInv(x)]);
+
+axiom (forall x:int :: {Length__UNICODE_STRING(x)} Length__UNICODE_STRING(x) == x + 0);
+axiom (forall x:int :: {Length__UNICODE_STRINGInv(x)} Length__UNICODE_STRINGInv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == Length__UNICODE_STRINGInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == Length__UNICODE_STRINGInv(x));
+function Link__DEVICE_EXTENSION(int) returns (int);
+function Link__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_Link__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_Link__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Link__DEVICE_EXTENSIONInv(Link__DEVICE_EXTENSION(x))} Link__DEVICE_EXTENSIONInv(Link__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {Link__DEVICE_EXTENSIONInv(x)} Link__DEVICE_EXTENSION(Link__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Link__DEVICE_EXTENSION(S)[x]} _S_Link__DEVICE_EXTENSION(S)[x] <==> S[Link__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Link__DEVICE_EXTENSIONInv(S)[x]} _S_Link__DEVICE_EXTENSIONInv(S)[x] <==> S[Link__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Link__DEVICE_EXTENSION(S)} S[x] ==> _S_Link__DEVICE_EXTENSION(S)[Link__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Link__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_Link__DEVICE_EXTENSIONInv(S)[Link__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {Link__DEVICE_EXTENSION(x)} Link__DEVICE_EXTENSION(x) == x + 252);
+axiom (forall x:int :: {Link__DEVICE_EXTENSIONInv(x)} Link__DEVICE_EXTENSIONInv(x) == x - 252);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 252, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 252, 1) == Link__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 252)} MINUS_LEFT_PTR(x, 1, 252) == Link__DEVICE_EXTENSIONInv(x));
+function MaximumLength__UNICODE_STRING(int) returns (int);
+function MaximumLength__UNICODE_STRINGInv(int) returns (int);
+function _S_MaximumLength__UNICODE_STRING([int]bool) returns ([int]bool);
+function _S_MaximumLength__UNICODE_STRINGInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {MaximumLength__UNICODE_STRINGInv(MaximumLength__UNICODE_STRING(x))} MaximumLength__UNICODE_STRINGInv(MaximumLength__UNICODE_STRING(x)) == x);
+axiom (forall x:int :: {MaximumLength__UNICODE_STRINGInv(x)} MaximumLength__UNICODE_STRING(MaximumLength__UNICODE_STRINGInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_MaximumLength__UNICODE_STRING(S)[x]} _S_MaximumLength__UNICODE_STRING(S)[x] <==> S[MaximumLength__UNICODE_STRINGInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_MaximumLength__UNICODE_STRINGInv(S)[x]} _S_MaximumLength__UNICODE_STRINGInv(S)[x] <==> S[MaximumLength__UNICODE_STRING(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_MaximumLength__UNICODE_STRING(S)} S[x] ==> _S_MaximumLength__UNICODE_STRING(S)[MaximumLength__UNICODE_STRING(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_MaximumLength__UNICODE_STRINGInv(S)} S[x] ==> _S_MaximumLength__UNICODE_STRINGInv(S)[MaximumLength__UNICODE_STRINGInv(x)]);
+
+axiom (forall x:int :: {MaximumLength__UNICODE_STRING(x)} MaximumLength__UNICODE_STRING(x) == x + 2);
+axiom (forall x:int :: {MaximumLength__UNICODE_STRINGInv(x)} MaximumLength__UNICODE_STRINGInv(x) == x - 2);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 2, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 2, 1) == MaximumLength__UNICODE_STRINGInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 2)} MINUS_LEFT_PTR(x, 1, 2) == MaximumLength__UNICODE_STRINGInv(x));
+function Mutex__GLOBALS(int) returns (int);
+function Mutex__GLOBALSInv(int) returns (int);
+function _S_Mutex__GLOBALS([int]bool) returns ([int]bool);
+function _S_Mutex__GLOBALSInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Mutex__GLOBALSInv(Mutex__GLOBALS(x))} Mutex__GLOBALSInv(Mutex__GLOBALS(x)) == x);
+axiom (forall x:int :: {Mutex__GLOBALSInv(x)} Mutex__GLOBALS(Mutex__GLOBALSInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Mutex__GLOBALS(S)[x]} _S_Mutex__GLOBALS(S)[x] <==> S[Mutex__GLOBALSInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Mutex__GLOBALSInv(S)[x]} _S_Mutex__GLOBALSInv(S)[x] <==> S[Mutex__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Mutex__GLOBALS(S)} S[x] ==> _S_Mutex__GLOBALS(S)[Mutex__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Mutex__GLOBALSInv(S)} S[x] ==> _S_Mutex__GLOBALSInv(S)[Mutex__GLOBALSInv(x)]);
+
+axiom (forall x:int :: {Mutex__GLOBALS(x)} Mutex__GLOBALS(x) == x + 24);
+axiom (forall x:int :: {Mutex__GLOBALSInv(x)} Mutex__GLOBALSInv(x) == x - 24);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 24, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 24, 1) == Mutex__GLOBALSInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 24)} MINUS_LEFT_PTR(x, 1, 24) == Mutex__GLOBALSInv(x));
+function NumberLegacyPorts__GLOBALS(int) returns (int);
+function NumberLegacyPorts__GLOBALSInv(int) returns (int);
+function _S_NumberLegacyPorts__GLOBALS([int]bool) returns ([int]bool);
+function _S_NumberLegacyPorts__GLOBALSInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {NumberLegacyPorts__GLOBALSInv(NumberLegacyPorts__GLOBALS(x))} NumberLegacyPorts__GLOBALSInv(NumberLegacyPorts__GLOBALS(x)) == x);
+axiom (forall x:int :: {NumberLegacyPorts__GLOBALSInv(x)} NumberLegacyPorts__GLOBALS(NumberLegacyPorts__GLOBALSInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_NumberLegacyPorts__GLOBALS(S)[x]} _S_NumberLegacyPorts__GLOBALS(S)[x] <==> S[NumberLegacyPorts__GLOBALSInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_NumberLegacyPorts__GLOBALSInv(S)[x]} _S_NumberLegacyPorts__GLOBALSInv(S)[x] <==> S[NumberLegacyPorts__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_NumberLegacyPorts__GLOBALS(S)} S[x] ==> _S_NumberLegacyPorts__GLOBALS(S)[NumberLegacyPorts__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_NumberLegacyPorts__GLOBALSInv(S)} S[x] ==> _S_NumberLegacyPorts__GLOBALSInv(S)[NumberLegacyPorts__GLOBALSInv(x)]);
+
+axiom (forall x:int :: {NumberLegacyPorts__GLOBALS(x)} NumberLegacyPorts__GLOBALS(x) == x + 20);
+axiom (forall x:int :: {NumberLegacyPorts__GLOBALSInv(x)} NumberLegacyPorts__GLOBALSInv(x) == x - 20);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 20, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 20, 1) == NumberLegacyPorts__GLOBALSInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 20)} MINUS_LEFT_PTR(x, 1, 20) == NumberLegacyPorts__GLOBALSInv(x));
+function PnP__DEVICE_EXTENSION(int) returns (int);
+function PnP__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_PnP__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_PnP__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {PnP__DEVICE_EXTENSIONInv(PnP__DEVICE_EXTENSION(x))} PnP__DEVICE_EXTENSIONInv(PnP__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {PnP__DEVICE_EXTENSIONInv(x)} PnP__DEVICE_EXTENSION(PnP__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_PnP__DEVICE_EXTENSION(S)[x]} _S_PnP__DEVICE_EXTENSION(S)[x] <==> S[PnP__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_PnP__DEVICE_EXTENSIONInv(S)[x]} _S_PnP__DEVICE_EXTENSIONInv(S)[x] <==> S[PnP__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_PnP__DEVICE_EXTENSION(S)} S[x] ==> _S_PnP__DEVICE_EXTENSION(S)[PnP__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_PnP__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_PnP__DEVICE_EXTENSIONInv(S)[PnP__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {PnP__DEVICE_EXTENSION(x)} PnP__DEVICE_EXTENSION(x) == x + 104);
+axiom (forall x:int :: {PnP__DEVICE_EXTENSIONInv(x)} PnP__DEVICE_EXTENSIONInv(x) == x - 104);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 104, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 104, 1) == PnP__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 104)} MINUS_LEFT_PTR(x, 1, 104) == PnP__DEVICE_EXTENSIONInv(x));
+function Port__PORT(int) returns (int);
+function Port__PORTInv(int) returns (int);
+function _S_Port__PORT([int]bool) returns ([int]bool);
+function _S_Port__PORTInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Port__PORTInv(Port__PORT(x))} Port__PORTInv(Port__PORT(x)) == x);
+axiom (forall x:int :: {Port__PORTInv(x)} Port__PORT(Port__PORTInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Port__PORT(S)[x]} _S_Port__PORT(S)[x] <==> S[Port__PORTInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Port__PORTInv(S)[x]} _S_Port__PORTInv(S)[x] <==> S[Port__PORT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Port__PORT(S)} S[x] ==> _S_Port__PORT(S)[Port__PORT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Port__PORTInv(S)} S[x] ==> _S_Port__PORTInv(S)[Port__PORTInv(x)]);
+
+axiom (forall x:int :: {Port__PORT(x)} Port__PORT(x) == x + 4);
+axiom (forall x:int :: {Port__PORTInv(x)} Port__PORTInv(x) == x - 4);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1) == Port__PORTInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 4)} MINUS_LEFT_PTR(x, 1, 4) == Port__PORTInv(x));
+function PortsServiced__GLOBALS(int) returns (int);
+function PortsServiced__GLOBALSInv(int) returns (int);
+function _S_PortsServiced__GLOBALS([int]bool) returns ([int]bool);
+function _S_PortsServiced__GLOBALSInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {PortsServiced__GLOBALSInv(PortsServiced__GLOBALS(x))} PortsServiced__GLOBALSInv(PortsServiced__GLOBALS(x)) == x);
+axiom (forall x:int :: {PortsServiced__GLOBALSInv(x)} PortsServiced__GLOBALS(PortsServiced__GLOBALSInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_PortsServiced__GLOBALS(S)[x]} _S_PortsServiced__GLOBALS(S)[x] <==> S[PortsServiced__GLOBALSInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_PortsServiced__GLOBALSInv(S)[x]} _S_PortsServiced__GLOBALSInv(S)[x] <==> S[PortsServiced__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_PortsServiced__GLOBALS(S)} S[x] ==> _S_PortsServiced__GLOBALS(S)[PortsServiced__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_PortsServiced__GLOBALSInv(S)} S[x] ==> _S_PortsServiced__GLOBALSInv(S)[PortsServiced__GLOBALSInv(x)]);
+
+axiom (forall x:int :: {PortsServiced__GLOBALS(x)} PortsServiced__GLOBALS(x) == x + 60);
+axiom (forall x:int :: {PortsServiced__GLOBALSInv(x)} PortsServiced__GLOBALSInv(x) == x - 60);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 60, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 60, 1) == PortsServiced__GLOBALSInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 60)} MINUS_LEFT_PTR(x, 1, 60) == PortsServiced__GLOBALSInv(x));
+function Self__DEVICE_EXTENSION(int) returns (int);
+function Self__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_Self__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_Self__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Self__DEVICE_EXTENSIONInv(Self__DEVICE_EXTENSION(x))} Self__DEVICE_EXTENSIONInv(Self__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {Self__DEVICE_EXTENSIONInv(x)} Self__DEVICE_EXTENSION(Self__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Self__DEVICE_EXTENSION(S)[x]} _S_Self__DEVICE_EXTENSION(S)[x] <==> S[Self__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Self__DEVICE_EXTENSIONInv(S)[x]} _S_Self__DEVICE_EXTENSIONInv(S)[x] <==> S[Self__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Self__DEVICE_EXTENSION(S)} S[x] ==> _S_Self__DEVICE_EXTENSION(S)[Self__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Self__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_Self__DEVICE_EXTENSIONInv(S)[Self__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {Self__DEVICE_EXTENSION(x)} Self__DEVICE_EXTENSION(x) == x + 0);
+axiom (forall x:int :: {Self__DEVICE_EXTENSIONInv(x)} Self__DEVICE_EXTENSIONInv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == Self__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == Self__DEVICE_EXTENSIONInv(x));
+function SpinLock__DEVICE_EXTENSION(int) returns (int);
+function SpinLock__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_SpinLock__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_SpinLock__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {SpinLock__DEVICE_EXTENSIONInv(SpinLock__DEVICE_EXTENSION(x))} SpinLock__DEVICE_EXTENSIONInv(SpinLock__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {SpinLock__DEVICE_EXTENSIONInv(x)} SpinLock__DEVICE_EXTENSION(SpinLock__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_SpinLock__DEVICE_EXTENSION(S)[x]} _S_SpinLock__DEVICE_EXTENSION(S)[x] <==> S[SpinLock__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_SpinLock__DEVICE_EXTENSIONInv(S)[x]} _S_SpinLock__DEVICE_EXTENSIONInv(S)[x] <==> S[SpinLock__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_SpinLock__DEVICE_EXTENSION(S)} S[x] ==> _S_SpinLock__DEVICE_EXTENSION(S)[SpinLock__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_SpinLock__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_SpinLock__DEVICE_EXTENSIONInv(S)[SpinLock__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {SpinLock__DEVICE_EXTENSION(x)} SpinLock__DEVICE_EXTENSION(x) == x + 152);
+axiom (forall x:int :: {SpinLock__DEVICE_EXTENSIONInv(x)} SpinLock__DEVICE_EXTENSIONInv(x) == x - 152);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 152, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 152, 1) == SpinLock__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 152)} MINUS_LEFT_PTR(x, 1, 152) == SpinLock__DEVICE_EXTENSIONInv(x));
+function StackSize__DEVICE_OBJECT(int) returns (int);
+function StackSize__DEVICE_OBJECTInv(int) returns (int);
+function _S_StackSize__DEVICE_OBJECT([int]bool) returns ([int]bool);
+function _S_StackSize__DEVICE_OBJECTInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {StackSize__DEVICE_OBJECTInv(StackSize__DEVICE_OBJECT(x))} StackSize__DEVICE_OBJECTInv(StackSize__DEVICE_OBJECT(x)) == x);
+axiom (forall x:int :: {StackSize__DEVICE_OBJECTInv(x)} StackSize__DEVICE_OBJECT(StackSize__DEVICE_OBJECTInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_StackSize__DEVICE_OBJECT(S)[x]} _S_StackSize__DEVICE_OBJECT(S)[x] <==> S[StackSize__DEVICE_OBJECTInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_StackSize__DEVICE_OBJECTInv(S)[x]} _S_StackSize__DEVICE_OBJECTInv(S)[x] <==> S[StackSize__DEVICE_OBJECT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_StackSize__DEVICE_OBJECT(S)} S[x] ==> _S_StackSize__DEVICE_OBJECT(S)[StackSize__DEVICE_OBJECT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_StackSize__DEVICE_OBJECTInv(S)} S[x] ==> _S_StackSize__DEVICE_OBJECTInv(S)[StackSize__DEVICE_OBJECTInv(x)]);
+
+axiom (forall x:int :: {StackSize__DEVICE_OBJECT(x)} StackSize__DEVICE_OBJECT(x) == x + 48);
+axiom (forall x:int :: {StackSize__DEVICE_OBJECTInv(x)} StackSize__DEVICE_OBJECTInv(x) == x - 48);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 48, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 48, 1) == StackSize__DEVICE_OBJECTInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 48)} MINUS_LEFT_PTR(x, 1, 48) == StackSize__DEVICE_OBJECTInv(x));
+function Started__DEVICE_EXTENSION(int) returns (int);
+function Started__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_Started__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_Started__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Started__DEVICE_EXTENSIONInv(Started__DEVICE_EXTENSION(x))} Started__DEVICE_EXTENSIONInv(Started__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {Started__DEVICE_EXTENSIONInv(x)} Started__DEVICE_EXTENSION(Started__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Started__DEVICE_EXTENSION(S)[x]} _S_Started__DEVICE_EXTENSION(S)[x] <==> S[Started__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Started__DEVICE_EXTENSIONInv(S)[x]} _S_Started__DEVICE_EXTENSIONInv(S)[x] <==> S[Started__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Started__DEVICE_EXTENSION(S)} S[x] ==> _S_Started__DEVICE_EXTENSION(S)[Started__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Started__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_Started__DEVICE_EXTENSIONInv(S)[Started__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {Started__DEVICE_EXTENSION(x)} Started__DEVICE_EXTENSION(x) == x + 105);
+axiom (forall x:int :: {Started__DEVICE_EXTENSIONInv(x)} Started__DEVICE_EXTENSIONInv(x) == x - 105);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 105, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 105, 1) == Started__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 105)} MINUS_LEFT_PTR(x, 1, 105) == Started__DEVICE_EXTENSIONInv(x));
+function TopPort__DEVICE_EXTENSION(int) returns (int);
+function TopPort__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_TopPort__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_TopPort__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {TopPort__DEVICE_EXTENSIONInv(TopPort__DEVICE_EXTENSION(x))} TopPort__DEVICE_EXTENSIONInv(TopPort__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {TopPort__DEVICE_EXTENSIONInv(x)} TopPort__DEVICE_EXTENSION(TopPort__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_TopPort__DEVICE_EXTENSION(S)[x]} _S_TopPort__DEVICE_EXTENSION(S)[x] <==> S[TopPort__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_TopPort__DEVICE_EXTENSIONInv(S)[x]} _S_TopPort__DEVICE_EXTENSIONInv(S)[x] <==> S[TopPort__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_TopPort__DEVICE_EXTENSION(S)} S[x] ==> _S_TopPort__DEVICE_EXTENSION(S)[TopPort__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_TopPort__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_TopPort__DEVICE_EXTENSIONInv(S)[TopPort__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {TopPort__DEVICE_EXTENSION(x)} TopPort__DEVICE_EXTENSION(x) == x + 8);
+axiom (forall x:int :: {TopPort__DEVICE_EXTENSIONInv(x)} TopPort__DEVICE_EXTENSIONInv(x) == x - 8);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 8, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 8, 1) == TopPort__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 8)} MINUS_LEFT_PTR(x, 1, 8) == TopPort__DEVICE_EXTENSIONInv(x));
+function UnitId__DEVICE_EXTENSION(int) returns (int);
+function UnitId__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_UnitId__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_UnitId__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {UnitId__DEVICE_EXTENSIONInv(UnitId__DEVICE_EXTENSION(x))} UnitId__DEVICE_EXTENSIONInv(UnitId__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {UnitId__DEVICE_EXTENSIONInv(x)} UnitId__DEVICE_EXTENSION(UnitId__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_UnitId__DEVICE_EXTENSION(S)[x]} _S_UnitId__DEVICE_EXTENSION(S)[x] <==> S[UnitId__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_UnitId__DEVICE_EXTENSIONInv(S)[x]} _S_UnitId__DEVICE_EXTENSIONInv(S)[x] <==> S[UnitId__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_UnitId__DEVICE_EXTENSION(S)} S[x] ==> _S_UnitId__DEVICE_EXTENSION(S)[UnitId__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_UnitId__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_UnitId__DEVICE_EXTENSIONInv(S)[UnitId__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {UnitId__DEVICE_EXTENSION(x)} UnitId__DEVICE_EXTENSION(x) == x + 176);
+axiom (forall x:int :: {UnitId__DEVICE_EXTENSIONInv(x)} UnitId__DEVICE_EXTENSIONInv(x) == x - 176);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 176, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 176, 1) == UnitId__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 176)} MINUS_LEFT_PTR(x, 1, 176) == UnitId__DEVICE_EXTENSIONInv(x));
+function WaitWakeSpinLock__DEVICE_EXTENSION(int) returns (int);
+function WaitWakeSpinLock__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_WaitWakeSpinLock__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_WaitWakeSpinLock__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {WaitWakeSpinLock__DEVICE_EXTENSIONInv(WaitWakeSpinLock__DEVICE_EXTENSION(x))} WaitWakeSpinLock__DEVICE_EXTENSIONInv(WaitWakeSpinLock__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {WaitWakeSpinLock__DEVICE_EXTENSIONInv(x)} WaitWakeSpinLock__DEVICE_EXTENSION(WaitWakeSpinLock__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_WaitWakeSpinLock__DEVICE_EXTENSION(S)[x]} _S_WaitWakeSpinLock__DEVICE_EXTENSION(S)[x] <==> S[WaitWakeSpinLock__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_WaitWakeSpinLock__DEVICE_EXTENSIONInv(S)[x]} _S_WaitWakeSpinLock__DEVICE_EXTENSIONInv(S)[x] <==> S[WaitWakeSpinLock__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_WaitWakeSpinLock__DEVICE_EXTENSION(S)} S[x] ==> _S_WaitWakeSpinLock__DEVICE_EXTENSION(S)[WaitWakeSpinLock__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_WaitWakeSpinLock__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_WaitWakeSpinLock__DEVICE_EXTENSIONInv(S)[WaitWakeSpinLock__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {WaitWakeSpinLock__DEVICE_EXTENSION(x)} WaitWakeSpinLock__DEVICE_EXTENSION(x) == x + 108);
+axiom (forall x:int :: {WaitWakeSpinLock__DEVICE_EXTENSIONInv(x)} WaitWakeSpinLock__DEVICE_EXTENSIONInv(x) == x - 108);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 108, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 108, 1) == WaitWakeSpinLock__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 108)} MINUS_LEFT_PTR(x, 1, 108) == WaitWakeSpinLock__DEVICE_EXTENSIONInv(x));
+function MINUS_BOTH_PTR_OR_BOTH_INT(a:int, b:int, size:int) returns (int);
+axiom (forall a:int, b:int, size:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(a,b,size)}
+size * MINUS_BOTH_PTR_OR_BOTH_INT(a,b,size) <= a - b && a - b < size * (MINUS_BOTH_PTR_OR_BOTH_INT(a,b,size) + 1));
+
+function MINUS_LEFT_PTR(a:int, a_size:int, b:int) returns (int);
+axiom(forall a:int, a_size:int, b:int :: {MINUS_LEFT_PTR(a,a_size,b)} MINUS_LEFT_PTR(a,a_size,b) == a - a_size * b);
+
+function PLUS(a:int, a_size:int, b:int) returns (int);
+axiom (forall a:int, a_size:int, b:int :: {PLUS(a,a_size,b)} PLUS(a,a_size,b) == a + a_size * b);
+
+function MULT(a:int, b:int) returns (int); // a*b
+axiom(forall a:int, b:int :: {MULT(a,b)} MULT(a,b) == a * b);
+
+function DIV(a:int, b:int) returns (int); // a/b
+
+axiom(forall a:int, b:int :: {DIV(a,b)}
+a >= 0 && b > 0 ==> b * DIV(a,b) <= a && a < b * (DIV(a,b) + 1)
+);
+
+axiom(forall a:int, b:int :: {DIV(a,b)}
+a >= 0 && b < 0 ==> b * DIV(a,b) <= a && a < b * (DIV(a,b) - 1)
+);
+
+axiom(forall a:int, b:int :: {DIV(a,b)}
+a < 0 && b > 0 ==> b * DIV(a,b) >= a && a > b * (DIV(a,b) - 1)
+);
+
+axiom(forall a:int, b:int :: {DIV(a,b)}
+a < 0 && b < 0 ==> b * DIV(a,b) >= a && a > b * (DIV(a,b) + 1)
+);
+
+function BINARY_BOTH_INT(a:int, b:int) returns (int);
+
+function POW2(a:int) returns (bool);
+axiom POW2(1);
+axiom POW2(2);
+axiom POW2(4);
+axiom POW2(8);
+axiom POW2(16);
+axiom POW2(32);
+axiom POW2(64);
+axiom POW2(128);
+axiom POW2(256);
+axiom POW2(512);
+axiom POW2(1024);
+axiom POW2(2048);
+axiom POW2(4096);
+axiom POW2(8192);
+axiom POW2(16384);
+axiom POW2(32768);
+axiom POW2(65536);
+axiom POW2(131072);
+axiom POW2(262144);
+axiom POW2(524288);
+axiom POW2(1048576);
+axiom POW2(2097152);
+axiom POW2(4194304);
+axiom POW2(8388608);
+axiom POW2(16777216);
+axiom POW2(33554432);
+
+function choose(a:bool, b:int, c:int) returns (x:int);
+axiom(forall a:bool, b:int, c:int :: {choose(a,b,c)} a ==> choose(a,b,c) == b);
+axiom(forall a:bool, b:int, c:int :: {choose(a,b,c)} !a ==> choose(a,b,c) == c);
+
+function BIT_BAND(a:int, b:int) returns (x:int);
+axiom(forall a:int, b:int :: {BIT_BAND(a,b)} a == b ==> BIT_BAND(a,b) == a);
+axiom(forall a:int, b:int :: {BIT_BAND(a,b)} POW2(a) && POW2(b) && a != b ==> BIT_BAND(a,b) == 0);
+axiom(forall a:int, b:int :: {BIT_BAND(a,b)} a == 0 || b == 0 ==> BIT_BAND(a,b) == 0);
+
+function BIT_BOR(a:int, b:int) returns (x:int);
+
+function BIT_BXOR(a:int, b:int) returns (x:int);
+
+function BIT_BNOT(a:int) returns (int);
+
+function LIFT(a:bool) returns (int);
+axiom(forall a:bool :: {LIFT(a)} a <==> LIFT(a) != 0);
+
+function NOT(a:int) returns (int);
+axiom(forall a:int :: {NOT(a)} a == 0 ==> NOT(a) != 0);
+axiom(forall a:int :: {NOT(a)} a != 0 ==> NOT(a) == 0);
+
+function NULL_CHECK(a:int) returns (int);
+axiom(forall a:int :: {NULL_CHECK(a)} a == 0 ==> NULL_CHECK(a) != 0);
+axiom(forall a:int :: {NULL_CHECK(a)} a != 0 ==> NULL_CHECK(a) == 0);
+
+
+
+
+procedure havoc_assert(i:int);
+requires (i != 0);
+
+procedure havoc_assume(i:int);
+ensures (i != 0);
+
+procedure __HAVOC_free(a:int);
+modifies alloc;
+ensures (forall x:int :: {alloc[x]} x == a || old(alloc)[x] == alloc[x]);
+ensures (alloc[a] == FREED);
+// Additional checks guarded by tranlator flags
+// requires alloc[a] == ALLOCATED;
+// requires Base(a) == a;
+
+procedure __HAVOC_malloc(obj_size:int) returns (new:int);
+requires obj_size >= 0;
+modifies alloc;
+ensures (new > 0);
+ensures (forall x:int :: {Base(x)} new <= x && x < new+obj_size ==> Base(x) == new);
+ensures (forall x:int :: {alloc[x]} x == new || old(alloc)[x] == alloc[x]);
+ensures old(alloc)[new] == UNALLOCATED && alloc[new] == ALLOCATED;
+
+procedure nondet_choice() returns (x:int);
+
+procedure _strdup(str:int) returns (new:int);
+
+procedure _xstrcasecmp(a0:int, a1:int) returns (ret:int);
+
+procedure _xstrcmp(a0:int, a1:int) returns (ret:int);
+
+var Res_DEVICE_STACK:[int]int;
+var Res_DEV_EXTN:[int]int;
+var Res_DEV_OBJ_INIT:[int]int;
+var Res_SPIN_LOCK:[int]int;
+
+
+
+////////////////////
+// Between predicate
+////////////////////
+function ReachBetween(f: [int]int, x: int, y: int, z: int) returns (bool);
+function ReachAvoiding(f: [int]int, x: int, y: int, z: int) returns (bool);
+
+
+//////////////////////////
+// Between set constructor
+//////////////////////////
+function ReachBetweenSet(f: [int]int, x: int, z: int) returns ([int]bool);
+
+////////////////////////////////////////////////////
+// axioms relating ReachBetween and ReachBetweenSet
+////////////////////////////////////////////////////
+axiom(forall f: [int]int, x: int, y: int, z: int :: {ReachBetweenSet(f, x, z)[y]} ReachBetweenSet(f, x, z)[y] <==> ReachBetween(f, x, y, z));
+axiom(forall f: [int]int, x: int, y: int, z: int :: {ReachBetween(f, x, y, z), ReachBetweenSet(f, x, z)} ReachBetween(f, x, y, z) ==> ReachBetweenSet(f, x, z)[y]);
+axiom(forall f: [int]int, x: int, z: int :: {ReachBetweenSet(f, x, z)} ReachBetween(f, x, x, x));
+
+
+//////////////////////////
+// Axioms for ReachBetween
+//////////////////////////
+
+// reflexive
+axiom(forall f: [int]int, x: int :: ReachBetween(f, x, x, x));
+
+// step
+//axiom(forall f: [int]int, x: int :: {f[x]} ReachBetween(f, x, f[x], f[x]));
+axiom(forall f: [int]int, x: int, y: int, z: int, w:int :: {ReachBetween(f, y, z, w), f[x]} ReachBetween(f, x, f[x], f[x]));
+
+// reach
+axiom(forall f: [int]int, x: int, y: int :: {f[x], ReachBetween(f, x, y, y)} ReachBetween(f, x, y, y) ==> x == y || ReachBetween(f, x, f[x], y));
+
+// cycle
+axiom(forall f: [int]int, x: int, y:int :: {f[x], ReachBetween(f, x, y, y)} f[x] == x && ReachBetween(f, x, y, y) ==> x == y);
+
+// sandwich
+axiom(forall f: [int]int, x: int, y: int :: {ReachBetween(f, x, y, x)} ReachBetween(f, x, y, x) ==> x == y);
+
+// order1
+axiom(forall f: [int]int, x: int, y: int, z: int :: {ReachBetween(f, x, y, y), ReachBetween(f, x, z, z)} ReachBetween(f, x, y, y) && ReachBetween(f, x, z, z) ==> ReachBetween(f, x, y, z) || ReachBetween(f, x, z, y));
+
+// order2
+axiom(forall f: [int]int, x: int, y: int, z: int :: {ReachBetween(f, x, y, z)} ReachBetween(f, x, y, z) ==> ReachBetween(f, x, y, y) && ReachBetween(f, y, z, z));
+
+// transitive1
+axiom(forall f: [int]int, x: int, y: int, z: int :: {ReachBetween(f, x, y, y), ReachBetween(f, y, z, z)} ReachBetween(f, x, y, y) && ReachBetween(f, y, z, z) ==> ReachBetween(f, x, z, z));
+
+// transitive2
+axiom(forall f: [int]int, x: int, y: int, z: int, w: int :: {ReachBetween(f, x, y, z), ReachBetween(f, y, w, z)} ReachBetween(f, x, y, z) && ReachBetween(f, y, w, z) ==> ReachBetween(f, x, y, w) && ReachBetween(f, x, w, z));
+
+// transitive3
+axiom(forall f: [int]int, x: int, y: int, z: int, w: int :: {ReachBetween(f, x, y, z), ReachBetween(f, x, w, y)} ReachBetween(f, x, y, z) && ReachBetween(f, x, w, y) ==> ReachBetween(f, x, w, z) && ReachBetween(f, w, y, z));
+
+// This axiom is required to deal with the incompleteness of the trigger for the reflexive axiom.
+// It cannot be proved using the rest of the axioms.
+axiom(forall f: [int]int, u:int, x: int :: {ReachBetween(f, u, x, x)} ReachBetween(f, u, x, x) ==> ReachBetween(f, u, u, x));
+
+// relation between ReachAvoiding and ReachBetween
+axiom(forall f: [int]int, x: int, y: int, z: int :: {ReachAvoiding(f, x, y, z)}{ReachBetween(f, x, y, z)} ReachAvoiding(f, x, y, z) <==> (ReachBetween(f, x, y, z) || (ReachBetween(f, x, y, y) && !ReachBetween(f, x, z, z))));
+
+// update
+axiom(forall f: [int]int, u: int, v: int, x: int, p: int, q: int :: {ReachAvoiding(f[p := q], u, v, x)} ReachAvoiding(f[p := q], u, v, x) <==> ((ReachAvoiding(f, u, v, p) && ReachAvoiding(f, u, v, x)) || (ReachAvoiding(f, u, p, x) && p != x && ReachAvoiding(f, q, v, p) && ReachAvoiding(f, q, v, x))));
+ ///////////////////////////////
+ // Shifts for linking fields
+ ///////////////////////////////
+function Shift_Flink__LIST_ENTRY(f: [int]int) returns ([int]int);
+axiom( forall f: [int]int, __x:int :: {f[Flink__LIST_ENTRY(__x)],Shift_Flink__LIST_ENTRY(f)} {Shift_Flink__LIST_ENTRY(f)[__x]} Shift_Flink__LIST_ENTRY(f)[__x] == f[Flink__LIST_ENTRY(__x)]);
+axiom(forall f: [int]int, __x:int, __v:int :: {Shift_Flink__LIST_ENTRY(f[Flink__LIST_ENTRY(__x) := __v])} Shift_Flink__LIST_ENTRY(f[Flink__LIST_ENTRY(__x) := __v]) == Shift_Flink__LIST_ENTRY(f)[__x := __v]);
+
+const unique Globals : int;
+axiom(Globals != 0);
+// the set of constants for 64 bit integers that Boogie doesn't parse
+const unique BOOGIE_LARGE_INT_3221553153:int;
+
+
+
+procedure ExAcquireFastMutex($FastMutex$1$15000.16$ExAcquireFastMutex$41:int);
+
+//TAG: ensures __preserves_mem
+ensures(Mem == old(Mem));
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+ensures((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN)));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_a7aa989c] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure ExAllocatePoolWithTag($PoolType$1$14789.57$ExAllocatePoolWithTag$121:int, $NumberOfBytes$2$14790.16$ExAllocatePoolWithTag$121:int, $Tag$3$14791.15$ExAllocatePoolWithTag$121:int) returns ($result.ExAllocatePoolWithTag$14788.0$1$:int);
+
+//TAG: ensures __preserves_mem
+ensures(Mem == old(Mem));
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+ensures((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN)));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_a7aa989c] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure ExFreePoolWithTag($P$1$14901.35$ExFreePoolWithTag$81:int, $Tag$2$14902.15$ExFreePoolWithTag$81:int);
+
+//TAG: ensures __preserves_mem
+ensures(Mem == old(Mem));
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+ensures((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN)));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_a7aa989c] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure ExReleaseFastMutex($FastMutex$1$15013.16$ExReleaseFastMutex$41:int);
+
+//TAG: ensures __preserves_mem
+ensures(Mem == old(Mem));
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+ensures((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN)));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_a7aa989c] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure InsertTailList($ListHead$1$6980.24$InsertTailList$81:int, $Entry$2$6981.41$InsertTailList$81:int);
+
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+ensures((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN)));
+//TAG: ensures __seteq(__btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), ListHead->Flink, ListHead), __setunion(__old(__btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), ListHead->Flink, ListHead)), __set(Entry)))
+ensures((Subset(ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY($ListHead$1$6980.24$InsertTailList$81)], $ListHead$1$6980.24$InsertTailList$81), Union(ReachBetweenSet(Shift_Flink__LIST_ENTRY(old(Mem)[T.Flink__LIST_ENTRY]), old(Mem)[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY($ListHead$1$6980.24$InsertTailList$81)], $ListHead$1$6980.24$InsertTailList$81), Singleton($Entry$2$6981.41$InsertTailList$81))) && Subset(Union(ReachBetweenSet(Shift_Flink__LIST_ENTRY(old(Mem)[T.Flink__LIST_ENTRY]), old(Mem)[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY($ListHead$1$6980.24$InsertTailList$81)], $ListHead$1$6980.24$InsertTailList$81), Singleton($Entry$2$6981.41$InsertTailList$81)), ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY($ListHead$1$6980.24$InsertTailList$81)], $ListHead$1$6980.24$InsertTailList$81))));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_a7aa989c] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure IoDeleteDevice($DeviceObject$1$21328.67$IoDeleteDevice$41:int);
+
+//TAG: ensures __preserves_mem
+ensures(Mem == old(Mem));
+//TAG: requires 1 ==> __resource("DEV_OBJ_INIT", DeviceObject) == 1 && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)DeviceObject)->DeviceExtension)) == 1
+requires((true) ==> ((Res_DEV_OBJ_INIT[$DeviceObject$1$21328.67$IoDeleteDevice$41] == 1) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT($DeviceObject$1$21328.67$IoDeleteDevice$41)]] == 1)));
+//TAG: ensures 1 ==> __resource("DEV_OBJ_INIT", DeviceObject) == 0 && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)DeviceObject)->DeviceExtension)) == 0
+ensures((true) ==> ((Res_DEV_OBJ_INIT[$DeviceObject$1$21328.67$IoDeleteDevice$41] == 0) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT($DeviceObject$1$21328.67$IoDeleteDevice$41)]] == 0)));
+//TAG: ensures 1 ==> __updates_resource("DEV_OBJ_INIT", DeviceObject, 0) && __updates_resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)DeviceObject)->DeviceExtension), 0)
+ensures((true) ==> ((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)[$DeviceObject$1$21328.67$IoDeleteDevice$41 := 0]) && (Res_DEV_EXTN == old(Res_DEV_EXTN)[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT($DeviceObject$1$21328.67$IoDeleteDevice$41)] := 0])));
+//TAG: ensures !1 ==> __resource("DEV_OBJ_INIT", DeviceObject) == __old_resource("DEV_OBJ_INIT", DeviceObject) && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)DeviceObject)->DeviceExtension)) == __old_resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)DeviceObject)->DeviceExtension))
+ensures((!(true)) ==> ((Res_DEV_OBJ_INIT[$DeviceObject$1$21328.67$IoDeleteDevice$41] == old(Res_DEV_OBJ_INIT)[$DeviceObject$1$21328.67$IoDeleteDevice$41]) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT($DeviceObject$1$21328.67$IoDeleteDevice$41)]] == old(Res_DEV_EXTN)[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT($DeviceObject$1$21328.67$IoDeleteDevice$41)]])));
+//TAG: ensures !1 ==> __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+free ensures((!(true)) ==> ((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN))));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)DeviceObject)->DeviceExtension)
+ensures (Subset(Empty(), Union(Union(Empty(), Empty()), Singleton(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT($DeviceObject$1$21328.67$IoDeleteDevice$41)]))) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT($DeviceObject$1$21328.67$IoDeleteDevice$41)] == r) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty, DeviceObject
+ensures (Subset(Empty(), Union(Union(Empty(), Empty()), Singleton($DeviceObject$1$21328.67$IoDeleteDevice$41))) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || ($DeviceObject$1$21328.67$IoDeleteDevice$41 == r) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_a7aa989c] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure IoGetDeviceObjectPointer($ObjectName$1$21492.26$IoGetDeviceObjectPointer$161:int, $DesiredAccess$2$21493.22$IoGetDeviceObjectPointer$161:int, $FileObject$3$21494.24$IoGetDeviceObjectPointer$161:int, $DeviceObject$4$21495.26$IoGetDeviceObjectPointer$161:int) returns ($result.IoGetDeviceObjectPointer$21491.0$1$:int);
+
+//TAG: ensures __preserves_mem
+ensures(Mem == old(Mem));
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+ensures((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN)));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_a7aa989c] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure MouCreateClassObject($DriverObject$1$3165.28$MouCreateClassObject$201:int, $TmpDeviceExtension$2$3166.28$MouCreateClassObject$201:int, $ClassDeviceObject$3$3167.28$MouCreateClassObject$201:int, $FullDeviceName$4$3168.35$MouCreateClassObject$201:int, $Legacy$5$3169.28$MouCreateClassObject$201:int) returns ($result.MouCreateClassObject$3164.0$1$:int);
+
+//TAG: requires __pforall(_H_x, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension), __inv_resource("DEV_OBJ_INIT", 1), ((struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension))->Self == _H_x && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension)) == 1)
+requires((forall _H_x:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]} Inverse(Res_DEV_OBJ_INIT,1)[_H_x] ==> ((Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)])] == _H_x) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]] == 1))));
+//TAG: requires __pforall(_H_z, _H_z->Self, __inv_resource("DEV_EXTN", 1), __resource("DEV_OBJ_INIT", _H_z->Self) == 1 && (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(_H_z->Self))->DeviceExtension) == _H_z)
+requires((forall _H_z:int :: {Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]} Inverse(Res_DEV_EXTN,1)[_H_z] ==> ((Res_DEV_OBJ_INIT[Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]] == 1) && (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)])] == _H_z))));
+//TAG: requires __forall(_H_z, __inv_resource("DEV_EXTN", 1), __resource("SPIN_LOCK", &_H_z->SpinLock) == 0 && __resource("SPIN_LOCK", &_H_z->WaitWakeSpinLock) == 0)
+requires((Subset(Empty(), Inverse(Res_DEV_EXTN,1)) && (forall _H_z : int :: {Inverse(Res_DEV_EXTN,1)[_H_z]} (Inverse(Res_DEV_EXTN,1)[_H_z]) ==> ((Res_SPIN_LOCK[SpinLock__DEVICE_EXTENSION(_H_z)] == 0) && (Res_SPIN_LOCK[WaitWakeSpinLock__DEVICE_EXTENSION(_H_z)] == 0)))));
+//TAG: requires 1 ==> (Globals.GrandMaster != (void *)0 ==> __resource("DEV_EXTN", Globals.GrandMaster) == 1)
+requires((true) ==> ((Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] != 0) ==> (Res_DEV_EXTN[Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)]] == 1)));
+//TAG: requires 1 ==> __setin(&Globals.LegacyDeviceList, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList))
+requires((true) ==> (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[LegacyDeviceList__GLOBALS(Globals)]));
+//TAG: requires 1 ==> __forall(_H_y, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), _H_y == &Globals.LegacyDeviceList || __resource("DEV_EXTN", CONTAINING_RECORD(_H_y, struct _DEVICE_EXTENSION , Link)) == 1)
+requires((true) ==> ((Subset(Empty(), ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))) && (forall _H_y : int :: {ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]} (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]) ==> ((_H_y == LegacyDeviceList__GLOBALS(Globals)) || (Res_DEV_EXTN[MINUS_LEFT_PTR(_H_y, 1, Link__DEVICE_EXTENSION(0))] == 1))))));
+//TAG: requires 1 ==> !__setin(&Globals.GrandMaster->Link, __setminus(__btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), __set(&Globals.LegacyDeviceList)))
+requires((true) ==> (!(Difference(ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals)), Singleton(LegacyDeviceList__GLOBALS(Globals)))[Link__DEVICE_EXTENSION(Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)])])));
+//TAG: ensures __pforall(_H_x, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension), __inv_resource("DEV_OBJ_INIT", 1), ((struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension))->Self == _H_x && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension)) == 1)
+ensures((forall _H_x:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]} Inverse(Res_DEV_OBJ_INIT,1)[_H_x] ==> ((Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)])] == _H_x) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]] == 1))));
+//TAG: ensures __pforall(_H_z, _H_z->Self, __inv_resource("DEV_EXTN", 1), __resource("DEV_OBJ_INIT", _H_z->Self) == 1 && (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(_H_z->Self))->DeviceExtension) == _H_z)
+ensures((forall _H_z:int :: {Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]} Inverse(Res_DEV_EXTN,1)[_H_z] ==> ((Res_DEV_OBJ_INIT[Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]] == 1) && (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)])] == _H_z))));
+//TAG: ensures 1 ==> (Globals.GrandMaster != (void *)0 ==> __resource("DEV_EXTN", Globals.GrandMaster) == 1)
+ensures((true) ==> ((Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] != 0) ==> (Res_DEV_EXTN[Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)]] == 1)));
+//TAG: ensures 1 ==> __setin(&Globals.LegacyDeviceList, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList))
+ensures((true) ==> (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[LegacyDeviceList__GLOBALS(Globals)]));
+//TAG: ensures 1 ==> __forall(_H_y, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), _H_y == &Globals.LegacyDeviceList || __resource("DEV_EXTN", CONTAINING_RECORD(_H_y, struct _DEVICE_EXTENSION , Link)) == 1)
+ensures((true) ==> ((Subset(Empty(), ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))) && (forall _H_y : int :: {ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]} (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]) ==> ((_H_y == LegacyDeviceList__GLOBALS(Globals)) || (Res_DEV_EXTN[MINUS_LEFT_PTR(_H_y, 1, Link__DEVICE_EXTENSION(0))] == 1))))));
+//TAG: ensures 1 ==> !__setin(&Globals.GrandMaster->Link, __setminus(__btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), __set(&Globals.LegacyDeviceList)))
+ensures((true) ==> (!(Difference(ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals)), Singleton(LegacyDeviceList__GLOBALS(Globals)))[Link__DEVICE_EXTENSION(Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)])])));
+//TAG: ensures __preserves_field_map(__offset((*((struct _LIST_ENTRY *)0)).Flink))
+ensures(Mem[T.Flink__LIST_ENTRY] == old(Mem)[T.Flink__LIST_ENTRY]);
+//TAG: ensures (LONG)__return >= 0 ==> *ClassDeviceObject != (void *)0
+ensures(($result.MouCreateClassObject$3164.0$1$ >= 0) ==> (Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3167.28$MouCreateClassObject$201] != 0));
+//TAG: ensures (LONG)__return >= 0 ==> (*ClassDeviceObject)->DeviceExtension != (void *)0
+ensures(($result.MouCreateClassObject$3164.0$1$ >= 0) ==> (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3167.28$MouCreateClassObject$201])] != 0));
+//TAG: ensures (LONG)__return >= 0 ==> __resource("DEV_EXTN", (*ClassDeviceObject)->DeviceExtension) == 1
+ensures(($result.MouCreateClassObject$3164.0$1$ >= 0) ==> (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3167.28$MouCreateClassObject$201])]] == 1));
+//TAG: ensures (LONG)__return >= 0 ==> __resource("DEV_OBJ_INIT", *ClassDeviceObject) == 1 && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(*ClassDeviceObject))->DeviceExtension)) == 1
+ensures(($result.MouCreateClassObject$3164.0$1$ >= 0) ==> ((Res_DEV_OBJ_INIT[Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3167.28$MouCreateClassObject$201]] == 1) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3167.28$MouCreateClassObject$201])]] == 1)));
+//TAG: ensures (LONG)__return >= 0 ==> __old_resource("DEV_OBJ_INIT", *ClassDeviceObject) == 0 && __old_resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(*ClassDeviceObject))->DeviceExtension)) == 0
+ensures(($result.MouCreateClassObject$3164.0$1$ >= 0) ==> ((old(Res_DEV_OBJ_INIT)[Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3167.28$MouCreateClassObject$201]] == 0) && (old(Res_DEV_EXTN)[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3167.28$MouCreateClassObject$201])]] == 0)));
+//TAG: ensures (LONG)__return >= 0 ==> __updates_resource("DEV_OBJ_INIT", *ClassDeviceObject, 1) && __updates_resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(*ClassDeviceObject))->DeviceExtension), 1)
+ensures(($result.MouCreateClassObject$3164.0$1$ >= 0) ==> ((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)[Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3167.28$MouCreateClassObject$201] := 1]) && (Res_DEV_EXTN == old(Res_DEV_EXTN)[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3167.28$MouCreateClassObject$201])] := 1])));
+//TAG: ensures !((LONG)__return >= 0) ==> __resource("DEV_OBJ_INIT", *ClassDeviceObject) == __old_resource("DEV_OBJ_INIT", *ClassDeviceObject) && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(*ClassDeviceObject))->DeviceExtension)) == __old_resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(*ClassDeviceObject))->DeviceExtension))
+ensures((!($result.MouCreateClassObject$3164.0$1$ >= 0)) ==> ((Res_DEV_OBJ_INIT[Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3167.28$MouCreateClassObject$201]] == old(Res_DEV_OBJ_INIT)[Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3167.28$MouCreateClassObject$201]]) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3167.28$MouCreateClassObject$201])]] == old(Res_DEV_EXTN)[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3167.28$MouCreateClassObject$201])]])));
+//TAG: ensures !((LONG)__return >= 0) ==> __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+free ensures((!($result.MouCreateClassObject$3164.0$1$ >= 0)) ==> ((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN))));
+//TAG: ensures __forall(_H_z, __inv_resource("DEV_EXTN", 1), __setin(_H_z, __set((struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(*ClassDeviceObject))->DeviceExtension))) || __resource("SPIN_LOCK", &_H_z->SpinLock) == 0 && __resource("SPIN_LOCK", &_H_z->WaitWakeSpinLock) == 0)
+ensures((Subset(Empty(), Inverse(Res_DEV_EXTN,1)) && (forall _H_z : int :: {Inverse(Res_DEV_EXTN,1)[_H_z]} (Inverse(Res_DEV_EXTN,1)[_H_z]) ==> ((Singleton(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3167.28$MouCreateClassObject$201])])[_H_z]) || ((Res_SPIN_LOCK[SpinLock__DEVICE_EXTENSION(_H_z)] == 0) && (Res_SPIN_LOCK[WaitWakeSpinLock__DEVICE_EXTENSION(_H_z)] == 0))))));
+//TAG: ensures !((LONG)__return >= 0) ==> __forall(_H_z, __inv_resource("DEV_EXTN", 1), __resource("SPIN_LOCK", &_H_z->SpinLock) == 0 && __resource("SPIN_LOCK", &_H_z->WaitWakeSpinLock) == 0)
+ensures((!($result.MouCreateClassObject$3164.0$1$ >= 0)) ==> ((Subset(Empty(), Inverse(Res_DEV_EXTN,1)) && (forall _H_z : int :: {Inverse(Res_DEV_EXTN,1)[_H_z]} (Inverse(Res_DEV_EXTN,1)[_H_z]) ==> ((Res_SPIN_LOCK[SpinLock__DEVICE_EXTENSION(_H_z)] == 0) && (Res_SPIN_LOCK[WaitWakeSpinLock__DEVICE_EXTENSION(_H_z)] == 0))))));
+//TAG: ensures (LONG)__return >= 0 ==> __resource("SPIN_LOCK", &((struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(*ClassDeviceObject))->DeviceExtension))->SpinLock) == 0
+ensures(($result.MouCreateClassObject$3164.0$1$ >= 0) ==> (Res_SPIN_LOCK[SpinLock__DEVICE_EXTENSION(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3167.28$MouCreateClassObject$201])])] == 0));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(*ClassDeviceObject))->DeviceExtension)
+ensures (Subset(Empty(), Union(Union(Empty(), Empty()), Singleton(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3167.28$MouCreateClassObject$201])]))) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3167.28$MouCreateClassObject$201])] == r) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty, *ClassDeviceObject
+ensures (Subset(Empty(), Union(Union(Empty(), Empty()), Singleton(Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3167.28$MouCreateClassObject$201]))) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || (Mem[T.P_DEVICE_OBJECT][$ClassDeviceObject$3$3167.28$MouCreateClassObject$201] == r) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: &TmpDeviceExtension->WaitWakeSpinLock, &((struct _DEVICE_EXTENSION *)TmpDeviceExtension)->SpinLock, __set_true
+ensures (Subset(Empty(), Union(Union(Union(Empty(), Singleton(WaitWakeSpinLock__DEVICE_EXTENSION($TmpDeviceExtension$2$3166.28$MouCreateClassObject$201))), Singleton(SpinLock__DEVICE_EXTENSION($TmpDeviceExtension$2$3166.28$MouCreateClassObject$201))), SetTrue())) && (forall r:int :: {Res_SPIN_LOCK[r]} (WaitWakeSpinLock__DEVICE_EXTENSION($TmpDeviceExtension$2$3166.28$MouCreateClassObject$201) == r) || (SpinLock__DEVICE_EXTENSION($TmpDeviceExtension$2$3166.28$MouCreateClassObject$201) == r) || (SetTrue()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_a7aa989c] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_true
+ensures (Subset(Empty(), Union(Empty(), SetTrue())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (SetTrue()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty, ClassDeviceObject
+ensures (Subset(Empty(), Union(Union(Empty(), Empty()), Singleton($ClassDeviceObject$3$3167.28$MouCreateClassObject$201))) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || (_m == $ClassDeviceObject$3$3167.28$MouCreateClassObject$201) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure MouDeterminePortsServiced($BasePortName$1$3491.23$MouDeterminePortsServiced$81:int, $NumberPortsServiced$2$3492.18$MouDeterminePortsServiced$81:int) returns ($result.MouDeterminePortsServiced$3490.0$1$:int);
+
+//TAG: requires __pforall(_H_x, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension), __inv_resource("DEV_OBJ_INIT", 1), ((struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension))->Self == _H_x && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension)) == 1)
+requires((forall _H_x:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]} Inverse(Res_DEV_OBJ_INIT,1)[_H_x] ==> ((Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)])] == _H_x) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]] == 1))));
+//TAG: requires __pforall(_H_z, _H_z->Self, __inv_resource("DEV_EXTN", 1), __resource("DEV_OBJ_INIT", _H_z->Self) == 1 && (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(_H_z->Self))->DeviceExtension) == _H_z)
+requires((forall _H_z:int :: {Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]} Inverse(Res_DEV_EXTN,1)[_H_z] ==> ((Res_DEV_OBJ_INIT[Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]] == 1) && (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)])] == _H_z))));
+//TAG: requires __forall(_H_z, __inv_resource("DEV_EXTN", 1), __resource("SPIN_LOCK", &_H_z->SpinLock) == 0 && __resource("SPIN_LOCK", &_H_z->WaitWakeSpinLock) == 0)
+requires((Subset(Empty(), Inverse(Res_DEV_EXTN,1)) && (forall _H_z : int :: {Inverse(Res_DEV_EXTN,1)[_H_z]} (Inverse(Res_DEV_EXTN,1)[_H_z]) ==> ((Res_SPIN_LOCK[SpinLock__DEVICE_EXTENSION(_H_z)] == 0) && (Res_SPIN_LOCK[WaitWakeSpinLock__DEVICE_EXTENSION(_H_z)] == 0)))));
+//TAG: requires 1 ==> (Globals.GrandMaster != (void *)0 ==> __resource("DEV_EXTN", Globals.GrandMaster) == 1)
+requires((true) ==> ((Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] != 0) ==> (Res_DEV_EXTN[Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)]] == 1)));
+//TAG: requires 1 ==> __setin(&Globals.LegacyDeviceList, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList))
+requires((true) ==> (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[LegacyDeviceList__GLOBALS(Globals)]));
+//TAG: requires 1 ==> __forall(_H_y, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), _H_y == &Globals.LegacyDeviceList || __resource("DEV_EXTN", CONTAINING_RECORD(_H_y, struct _DEVICE_EXTENSION , Link)) == 1)
+requires((true) ==> ((Subset(Empty(), ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))) && (forall _H_y : int :: {ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]} (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]) ==> ((_H_y == LegacyDeviceList__GLOBALS(Globals)) || (Res_DEV_EXTN[MINUS_LEFT_PTR(_H_y, 1, Link__DEVICE_EXTENSION(0))] == 1))))));
+//TAG: requires 1 ==> !__setin(&Globals.GrandMaster->Link, __setminus(__btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), __set(&Globals.LegacyDeviceList)))
+requires((true) ==> (!(Difference(ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals)), Singleton(LegacyDeviceList__GLOBALS(Globals)))[Link__DEVICE_EXTENSION(Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)])])));
+//TAG: ensures __pforall(_H_x, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension), __inv_resource("DEV_OBJ_INIT", 1), ((struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension))->Self == _H_x && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension)) == 1)
+ensures((forall _H_x:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]} Inverse(Res_DEV_OBJ_INIT,1)[_H_x] ==> ((Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)])] == _H_x) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]] == 1))));
+//TAG: ensures __pforall(_H_z, _H_z->Self, __inv_resource("DEV_EXTN", 1), __resource("DEV_OBJ_INIT", _H_z->Self) == 1 && (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(_H_z->Self))->DeviceExtension) == _H_z)
+ensures((forall _H_z:int :: {Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]} Inverse(Res_DEV_EXTN,1)[_H_z] ==> ((Res_DEV_OBJ_INIT[Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]] == 1) && (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)])] == _H_z))));
+//TAG: ensures __forall(_H_z, __inv_resource("DEV_EXTN", 1), __resource("SPIN_LOCK", &_H_z->SpinLock) == 0 && __resource("SPIN_LOCK", &_H_z->WaitWakeSpinLock) == 0)
+ensures((Subset(Empty(), Inverse(Res_DEV_EXTN,1)) && (forall _H_z : int :: {Inverse(Res_DEV_EXTN,1)[_H_z]} (Inverse(Res_DEV_EXTN,1)[_H_z]) ==> ((Res_SPIN_LOCK[SpinLock__DEVICE_EXTENSION(_H_z)] == 0) && (Res_SPIN_LOCK[WaitWakeSpinLock__DEVICE_EXTENSION(_H_z)] == 0)))));
+//TAG: ensures 1 ==> (Globals.GrandMaster != (void *)0 ==> __resource("DEV_EXTN", Globals.GrandMaster) == 1)
+ensures((true) ==> ((Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] != 0) ==> (Res_DEV_EXTN[Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)]] == 1)));
+//TAG: ensures 1 ==> __setin(&Globals.LegacyDeviceList, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList))
+ensures((true) ==> (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[LegacyDeviceList__GLOBALS(Globals)]));
+//TAG: ensures 1 ==> __forall(_H_y, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), _H_y == &Globals.LegacyDeviceList || __resource("DEV_EXTN", CONTAINING_RECORD(_H_y, struct _DEVICE_EXTENSION , Link)) == 1)
+ensures((true) ==> ((Subset(Empty(), ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))) && (forall _H_y : int :: {ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]} (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]) ==> ((_H_y == LegacyDeviceList__GLOBALS(Globals)) || (Res_DEV_EXTN[MINUS_LEFT_PTR(_H_y, 1, Link__DEVICE_EXTENSION(0))] == 1))))));
+//TAG: ensures 1 ==> !__setin(&Globals.GrandMaster->Link, __setminus(__btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), __set(&Globals.LegacyDeviceList)))
+ensures((true) ==> (!(Difference(ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals)), Singleton(LegacyDeviceList__GLOBALS(Globals)))[Link__DEVICE_EXTENSION(Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)])])));
+//TAG: ensures __preserves_field_map(__offset((*((struct _LIST_ENTRY *)0)).Flink))
+ensures(Mem[T.Flink__LIST_ENTRY] == old(Mem)[T.Flink__LIST_ENTRY]);
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT")
+ensures(Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT));
+//TAG: ensures __preserves_resource("DEV_EXTN")
+ensures(Res_DEV_EXTN == old(Res_DEV_EXTN));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_a7aa989c] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure MouseAddDeviceEx($ClassData$1$792.28$MouseAddDeviceEx$121:int, $FullClassName$2$793.29$MouseAddDeviceEx$121:int, $File$3$794.28$MouseAddDeviceEx$121:int) returns ($result.MouseAddDeviceEx$791.0$1$:int);
+
+//TAG: requires __resource("DEV_EXTN", ClassData) == 1
+requires(Res_DEV_EXTN[$ClassData$1$792.28$MouseAddDeviceEx$121] == 1);
+//TAG: requires __resource("SPIN_LOCK", &((struct _DEVICE_EXTENSION *)ClassData)->SpinLock) == 0
+requires(Res_SPIN_LOCK[SpinLock__DEVICE_EXTENSION($ClassData$1$792.28$MouseAddDeviceEx$121)] == 0);
+//TAG: requires __pforall(_H_x, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension), __inv_resource("DEV_OBJ_INIT", 1), ((struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension))->Self == _H_x && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension)) == 1)
+requires((forall _H_x:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]} Inverse(Res_DEV_OBJ_INIT,1)[_H_x] ==> ((Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)])] == _H_x) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]] == 1))));
+//TAG: requires __pforall(_H_z, _H_z->Self, __inv_resource("DEV_EXTN", 1), __resource("DEV_OBJ_INIT", _H_z->Self) == 1 && (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(_H_z->Self))->DeviceExtension) == _H_z)
+requires((forall _H_z:int :: {Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]} Inverse(Res_DEV_EXTN,1)[_H_z] ==> ((Res_DEV_OBJ_INIT[Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]] == 1) && (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)])] == _H_z))));
+//TAG: requires 1 ==> (Globals.GrandMaster != (void *)0 ==> __resource("DEV_EXTN", Globals.GrandMaster) == 1)
+requires((true) ==> ((Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] != 0) ==> (Res_DEV_EXTN[Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)]] == 1)));
+//TAG: requires 1 ==> __setin(&Globals.LegacyDeviceList, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList))
+requires((true) ==> (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[LegacyDeviceList__GLOBALS(Globals)]));
+//TAG: requires 1 ==> __forall(_H_y, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), _H_y == &Globals.LegacyDeviceList || __resource("DEV_EXTN", CONTAINING_RECORD(_H_y, struct _DEVICE_EXTENSION , Link)) == 1)
+requires((true) ==> ((Subset(Empty(), ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))) && (forall _H_y : int :: {ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]} (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]) ==> ((_H_y == LegacyDeviceList__GLOBALS(Globals)) || (Res_DEV_EXTN[MINUS_LEFT_PTR(_H_y, 1, Link__DEVICE_EXTENSION(0))] == 1))))));
+//TAG: requires 1 ==> !__setin(&Globals.GrandMaster->Link, __setminus(__btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), __set(&Globals.LegacyDeviceList)))
+requires((true) ==> (!(Difference(ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals)), Singleton(LegacyDeviceList__GLOBALS(Globals)))[Link__DEVICE_EXTENSION(Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)])])));
+//TAG: ensures __resource("DEV_EXTN", ClassData) == 1
+ensures(Res_DEV_EXTN[$ClassData$1$792.28$MouseAddDeviceEx$121] == 1);
+//TAG: ensures __resource("SPIN_LOCK", &((struct _DEVICE_EXTENSION *)ClassData)->WaitWakeSpinLock) == 0
+ensures(Res_SPIN_LOCK[WaitWakeSpinLock__DEVICE_EXTENSION($ClassData$1$792.28$MouseAddDeviceEx$121)] == 0);
+//TAG: ensures __resource("SPIN_LOCK", &((struct _DEVICE_EXTENSION *)ClassData)->SpinLock) == 0
+ensures(Res_SPIN_LOCK[SpinLock__DEVICE_EXTENSION($ClassData$1$792.28$MouseAddDeviceEx$121)] == 0);
+//TAG: ensures __pforall(_H_x, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension), __inv_resource("DEV_OBJ_INIT", 1), ((struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension))->Self == _H_x && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension)) == 1)
+ensures((forall _H_x:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]} Inverse(Res_DEV_OBJ_INIT,1)[_H_x] ==> ((Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)])] == _H_x) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]] == 1))));
+//TAG: ensures __pforall(_H_z, _H_z->Self, __inv_resource("DEV_EXTN", 1), __resource("DEV_OBJ_INIT", _H_z->Self) == 1 && (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(_H_z->Self))->DeviceExtension) == _H_z)
+ensures((forall _H_z:int :: {Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]} Inverse(Res_DEV_EXTN,1)[_H_z] ==> ((Res_DEV_OBJ_INIT[Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]] == 1) && (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)])] == _H_z))));
+//TAG: ensures 1 ==> (Globals.GrandMaster != (void *)0 ==> __resource("DEV_EXTN", Globals.GrandMaster) == 1)
+ensures((true) ==> ((Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] != 0) ==> (Res_DEV_EXTN[Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)]] == 1)));
+//TAG: ensures 1 ==> __setin(&Globals.LegacyDeviceList, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList))
+ensures((true) ==> (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[LegacyDeviceList__GLOBALS(Globals)]));
+//TAG: ensures 1 ==> __forall(_H_y, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), _H_y == &Globals.LegacyDeviceList || __resource("DEV_EXTN", CONTAINING_RECORD(_H_y, struct _DEVICE_EXTENSION , Link)) == 1)
+ensures((true) ==> ((Subset(Empty(), ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))) && (forall _H_y : int :: {ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]} (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]) ==> ((_H_y == LegacyDeviceList__GLOBALS(Globals)) || (Res_DEV_EXTN[MINUS_LEFT_PTR(_H_y, 1, Link__DEVICE_EXTENSION(0))] == 1))))));
+//TAG: ensures 1 ==> !__setin(&Globals.GrandMaster->Link, __setminus(__btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), __set(&Globals.LegacyDeviceList)))
+ensures((true) ==> (!(Difference(ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals)), Singleton(LegacyDeviceList__GLOBALS(Globals)))[Link__DEVICE_EXTENSION(Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)])])));
+//TAG: ensures __preserves_field_map(__offset((*((struct _LIST_ENTRY *)0)).Flink))
+ensures(Mem[T.Flink__LIST_ENTRY] == old(Mem)[T.Flink__LIST_ENTRY]);
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT")
+ensures(Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT));
+//TAG: ensures __preserves_resource("DEV_EXTN")
+ensures(Res_DEV_EXTN == old(Res_DEV_EXTN));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: &ClassData->WaitWakeSpinLock, __set_empty
+ensures (Subset(Empty(), Union(Union(Empty(), Singleton(WaitWakeSpinLock__DEVICE_EXTENSION($ClassData$1$792.28$MouseAddDeviceEx$121))), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (WaitWakeSpinLock__DEVICE_EXTENSION($ClassData$1$792.28$MouseAddDeviceEx$121) == r) || (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_a7aa989c] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure MouseClassLogError($Object$1$4550.10$MouseClassLogError$281:int, $ErrorCode$2$4551.10$MouseClassLogError$281:int, $UniqueErrorValue$3$4552.10$MouseClassLogError$281:int, $FinalStatus$4$4553.13$MouseClassLogError$281:int, $DumpCount$5$4554.10$MouseClassLogError$281:int, $DumpData$6$4555.11$MouseClassLogError$281:int, $MajorFunction$7$4556.10$MouseClassLogError$281:int);
+
+//TAG: requires __pforall(_H_x, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension), __inv_resource("DEV_OBJ_INIT", 1), ((struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension))->Self == _H_x && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension)) == 1)
+requires((forall _H_x:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]} Inverse(Res_DEV_OBJ_INIT,1)[_H_x] ==> ((Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)])] == _H_x) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]] == 1))));
+//TAG: requires __pforall(_H_z, _H_z->Self, __inv_resource("DEV_EXTN", 1), __resource("DEV_OBJ_INIT", _H_z->Self) == 1 && (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(_H_z->Self))->DeviceExtension) == _H_z)
+requires((forall _H_z:int :: {Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]} Inverse(Res_DEV_EXTN,1)[_H_z] ==> ((Res_DEV_OBJ_INIT[Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]] == 1) && (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)])] == _H_z))));
+//TAG: requires 1 ==> (Globals.GrandMaster != (void *)0 ==> __resource("DEV_EXTN", Globals.GrandMaster) == 1)
+requires((true) ==> ((Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] != 0) ==> (Res_DEV_EXTN[Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)]] == 1)));
+//TAG: requires 1 ==> __setin(&Globals.LegacyDeviceList, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList))
+requires((true) ==> (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[LegacyDeviceList__GLOBALS(Globals)]));
+//TAG: requires 1 ==> __forall(_H_y, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), _H_y == &Globals.LegacyDeviceList || __resource("DEV_EXTN", CONTAINING_RECORD(_H_y, struct _DEVICE_EXTENSION , Link)) == 1)
+requires((true) ==> ((Subset(Empty(), ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))) && (forall _H_y : int :: {ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]} (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]) ==> ((_H_y == LegacyDeviceList__GLOBALS(Globals)) || (Res_DEV_EXTN[MINUS_LEFT_PTR(_H_y, 1, Link__DEVICE_EXTENSION(0))] == 1))))));
+//TAG: requires 1 ==> !__setin(&Globals.GrandMaster->Link, __setminus(__btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), __set(&Globals.LegacyDeviceList)))
+requires((true) ==> (!(Difference(ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals)), Singleton(LegacyDeviceList__GLOBALS(Globals)))[Link__DEVICE_EXTENSION(Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)])])));
+//TAG: ensures __pforall(_H_x, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension), __inv_resource("DEV_OBJ_INIT", 1), ((struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension))->Self == _H_x && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension)) == 1)
+ensures((forall _H_x:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]} Inverse(Res_DEV_OBJ_INIT,1)[_H_x] ==> ((Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)])] == _H_x) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]] == 1))));
+//TAG: ensures __pforall(_H_z, _H_z->Self, __inv_resource("DEV_EXTN", 1), __resource("DEV_OBJ_INIT", _H_z->Self) == 1 && (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(_H_z->Self))->DeviceExtension) == _H_z)
+ensures((forall _H_z:int :: {Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]} Inverse(Res_DEV_EXTN,1)[_H_z] ==> ((Res_DEV_OBJ_INIT[Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]] == 1) && (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)])] == _H_z))));
+//TAG: ensures 1 ==> (Globals.GrandMaster != (void *)0 ==> __resource("DEV_EXTN", Globals.GrandMaster) == 1)
+ensures((true) ==> ((Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] != 0) ==> (Res_DEV_EXTN[Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)]] == 1)));
+//TAG: ensures 1 ==> __setin(&Globals.LegacyDeviceList, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList))
+ensures((true) ==> (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[LegacyDeviceList__GLOBALS(Globals)]));
+//TAG: ensures 1 ==> __forall(_H_y, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), _H_y == &Globals.LegacyDeviceList || __resource("DEV_EXTN", CONTAINING_RECORD(_H_y, struct _DEVICE_EXTENSION , Link)) == 1)
+ensures((true) ==> ((Subset(Empty(), ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))) && (forall _H_y : int :: {ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]} (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]) ==> ((_H_y == LegacyDeviceList__GLOBALS(Globals)) || (Res_DEV_EXTN[MINUS_LEFT_PTR(_H_y, 1, Link__DEVICE_EXTENSION(0))] == 1))))));
+//TAG: ensures 1 ==> !__setin(&Globals.GrandMaster->Link, __setminus(__btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), __set(&Globals.LegacyDeviceList)))
+ensures((true) ==> (!(Difference(ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals)), Singleton(LegacyDeviceList__GLOBALS(Globals)))[Link__DEVICE_EXTENSION(Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)])])));
+//TAG: ensures __preserves_field_map(__offset((*((struct _LIST_ENTRY *)0)).Flink))
+ensures(Mem[T.Flink__LIST_ENTRY] == old(Mem)[T.Flink__LIST_ENTRY]);
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT")
+ensures(Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT));
+//TAG: ensures __preserves_resource("DEV_EXTN")
+ensures(Res_DEV_EXTN == old(Res_DEV_EXTN));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_a7aa989c] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure ObfDereferenceObject($Object$1$24931.15$ObfDereferenceObject$41:int) returns ($result.ObfDereferenceObject$24930.0$1$:int);
+
+//TAG: ensures __preserves_mem
+ensures(Mem == old(Mem));
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+ensures((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN)));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_a7aa989c] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure RtlAppendUnicodeToString($Destination$1$7421.28$RtlAppendUnicodeToString$81:int, $Source$2$7422.20$RtlAppendUnicodeToString$81:int) returns ($result.RtlAppendUnicodeToString$7420.0$1$:int);
+
+//TAG: ensures __preserves_mem
+ensures(Mem == old(Mem));
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+ensures((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN)));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_a7aa989c] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure RtlCopyUnicodeString($DestinationString$1$7401.28$RtlCopyUnicodeString$81:int, $SourceString$2$7402.30$RtlCopyUnicodeString$81:int);
+
+//TAG: ensures __preserves_mem
+ensures(Mem == old(Mem));
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+ensures((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN)));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_a7aa989c] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure RtlInitUnicodeString($DestinationString$1$7281.26$RtlInitUnicodeString$81:int, $SourceString$2$7282.37$RtlInitUnicodeString$81:int);
+
+//TAG: ensures __preserves_mem
+ensures(Mem == old(Mem));
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+ensures((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN)));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_a7aa989c] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure __PREfastPagedCode();
+
+//TAG: ensures __preserves_mem
+ensures(Mem == old(Mem));
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+ensures((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN)));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_a7aa989c] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure MouseClassFindMorePorts($DriverObject$1$4588.20$MouseClassFindMorePorts$121:int, $Context$2$4589.20$MouseClassFindMorePorts$121:int, $Count$3$4590.20$MouseClassFindMorePorts$121:int)
+
+//TAG: requires 1 ==> (Globals.GrandMaster != (void *)0 ==> __resource("DEV_EXTN", Globals.GrandMaster) == 1)
+requires((true) ==> ((Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] != 0) ==> (Res_DEV_EXTN[Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)]] == 1)));
+//TAG: requires 1 ==> __setin(&Globals.LegacyDeviceList, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList))
+requires((true) ==> (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[LegacyDeviceList__GLOBALS(Globals)]));
+//TAG: requires 1 ==> __forall(_H_y, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), _H_y == &Globals.LegacyDeviceList || __resource("DEV_EXTN", CONTAINING_RECORD(_H_y, struct _DEVICE_EXTENSION , Link)) == 1)
+requires((true) ==> ((Subset(Empty(), ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))) && (forall _H_y : int :: {ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]} (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]) ==> ((_H_y == LegacyDeviceList__GLOBALS(Globals)) || (Res_DEV_EXTN[MINUS_LEFT_PTR(_H_y, 1, Link__DEVICE_EXTENSION(0))] == 1))))));
+//TAG: requires 1 ==> !__setin(&Globals.GrandMaster->Link, __setminus(__btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), __set(&Globals.LegacyDeviceList)))
+requires((true) ==> (!(Difference(ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals)), Singleton(LegacyDeviceList__GLOBALS(Globals)))[Link__DEVICE_EXTENSION(Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)])])));
+//TAG: requires __pforall(_H_x, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension), __inv_resource("DEV_OBJ_INIT", 1), ((struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension))->Self == _H_x && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension)) == 1)
+requires((forall _H_x:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]} Inverse(Res_DEV_OBJ_INIT,1)[_H_x] ==> ((Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)])] == _H_x) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]] == 1))));
+//TAG: requires __pforall(_H_z, _H_z->Self, __inv_resource("DEV_EXTN", 1), __resource("DEV_OBJ_INIT", _H_z->Self) == 1 && (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(_H_z->Self))->DeviceExtension) == _H_z) && __forall(_H_z, __inv_resource("DEV_EXTN", 1), __resource("SPIN_LOCK", &_H_z->SpinLock) == 0 && __resource("SPIN_LOCK", &_H_z->WaitWakeSpinLock) == 0)
+requires(((forall _H_z:int :: {Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]} Inverse(Res_DEV_EXTN,1)[_H_z] ==> ((Res_DEV_OBJ_INIT[Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]] == 1) && (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)])] == _H_z)))) && ((Subset(Empty(), Inverse(Res_DEV_EXTN,1)) && (forall _H_z : int :: {Inverse(Res_DEV_EXTN,1)[_H_z]} (Inverse(Res_DEV_EXTN,1)[_H_z]) ==> ((Res_SPIN_LOCK[SpinLock__DEVICE_EXTENSION(_H_z)] == 0) && (Res_SPIN_LOCK[WaitWakeSpinLock__DEVICE_EXTENSION(_H_z)] == 0))))));
+//TAG: ensures 1 ==> (Globals.GrandMaster != (void *)0 ==> __resource("DEV_EXTN", Globals.GrandMaster) == 1)
+ensures((true) ==> ((Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] != 0) ==> (Res_DEV_EXTN[Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)]] == 1)));
+//TAG: ensures 1 ==> __setin(&Globals.LegacyDeviceList, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList))
+ensures((true) ==> (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[LegacyDeviceList__GLOBALS(Globals)]));
+//TAG: ensures 1 ==> __forall(_H_y, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), _H_y == &Globals.LegacyDeviceList || __resource("DEV_EXTN", CONTAINING_RECORD(_H_y, struct _DEVICE_EXTENSION , Link)) == 1)
+ensures((true) ==> ((Subset(Empty(), ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))) && (forall _H_y : int :: {ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]} (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]) ==> ((_H_y == LegacyDeviceList__GLOBALS(Globals)) || (Res_DEV_EXTN[MINUS_LEFT_PTR(_H_y, 1, Link__DEVICE_EXTENSION(0))] == 1))))));
+//TAG: ensures 1 ==> !__setin(&Globals.GrandMaster->Link, __setminus(__btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), __set(&Globals.LegacyDeviceList)))
+ensures((true) ==> (!(Difference(ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals)), Singleton(LegacyDeviceList__GLOBALS(Globals)))[Link__DEVICE_EXTENSION(Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)])])));
+//TAG: ensures __pforall(_H_x, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension), __inv_resource("DEV_OBJ_INIT", 1), ((struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension))->Self == _H_x && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension)) == 1)
+ensures((forall _H_x:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]} Inverse(Res_DEV_OBJ_INIT,1)[_H_x] ==> ((Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)])] == _H_x) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]] == 1))));
+//TAG: ensures __pforall(_H_z, _H_z->Self, __inv_resource("DEV_EXTN", 1), __resource("DEV_OBJ_INIT", _H_z->Self) == 1 && (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(_H_z->Self))->DeviceExtension) == _H_z) && __forall(_H_z, __inv_resource("DEV_EXTN", 1), __resource("SPIN_LOCK", &_H_z->SpinLock) == 0 && __resource("SPIN_LOCK", &_H_z->WaitWakeSpinLock) == 0)
+ensures(((forall _H_z:int :: {Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]} Inverse(Res_DEV_EXTN,1)[_H_z] ==> ((Res_DEV_OBJ_INIT[Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]] == 1) && (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)])] == _H_z)))) && ((Subset(Empty(), Inverse(Res_DEV_EXTN,1)) && (forall _H_z : int :: {Inverse(Res_DEV_EXTN,1)[_H_z]} (Inverse(Res_DEV_EXTN,1)[_H_z]) ==> ((Res_SPIN_LOCK[SpinLock__DEVICE_EXTENSION(_H_z)] == 0) && (Res_SPIN_LOCK[WaitWakeSpinLock__DEVICE_EXTENSION(_H_z)] == 0))))));
+modifies alloc;
+free ensures(forall f:int :: {alloc[Base(f)]} old(alloc)[Base(f)] == UNALLOCATED || old(alloc)[Base(f)] == alloc[Base(f)]);
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for:
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for:
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for:
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for:
+
+//TAG: havoc memory locations by default
+modifies Mem;
+{
+var havoc_stringTemp:int;
+var condVal:int;
+var $Context$2$4589.20$MouseClassFindMorePorts$12 : int;
+var $Count$3$4590.20$MouseClassFindMorePorts$12 : int;
+var $DriverObject$1$4588.20$MouseClassFindMorePorts$12 : int;
+var $ExAllocatePoolWithTag.arg.2$5$ : int;
+var $MouDebugPrint.arg.2$6$ : int;
+var $RtlAppendUnicodeToString.arg.2$10$ : int;
+var $RtlAppendUnicodeToString.arg.2$13$ : int;
+var $RtlAppendUnicodeToString.arg.2$3$ : int;
+var $basePortBuffer$13$4622.28$MouseClassFindMorePorts$12 : int;
+var $basePortName$11$4620.28$MouseClassFindMorePorts$12 : int;
+var $classDeviceObject$6$4615.28$MouseClassFindMorePorts$12 : int;
+var $deviceExtension$5$4614.28$MouseClassFindMorePorts$12 : int;
+var $dumpData$7$4616.28$MouseClassFindMorePorts$12 : int;
+var $file$15$4624.28$MouseClassFindMorePorts$12 : int;
+var $fullClassName$14$4623.28$MouseClassFindMorePorts$12 : int;
+var $fullPortName$12$4621.28$MouseClassFindMorePorts$12 : int;
+var $i$8$4617.28$MouseClassFindMorePorts$12 : int;
+var $memset.arg.3$8$ : int;
+var $numPorts$9$4618.28$MouseClassFindMorePorts$12 : int;
+var $port$16$4759.22$MouseClassFindMorePorts$12 : int;
+var $result.ExAllocatePoolWithTag$4653.0$4$ : int;
+var $result.IoGetDeviceObjectPointer$4731.42$16$ : int;
+var $result.MouCreateClassObject$4708.37$15$ : int;
+var $result.MouDeterminePortsServiced$4680.29$14$ : int;
+var $result.MouseAddDeviceEx$4743.34$17$ : int;
+var $result.ObfDereferenceObject$4772.16$18$ : int;
+var $result.RtlAppendUnicodeToString$4642.28$2$ : int;
+var $result.RtlAppendUnicodeToString$4676.28$9$ : int;
+var $result.RtlAppendUnicodeToString$4677.28$11$ : int;
+var $result.RtlAppendUnicodeToString$4678.28$12$ : int;
+var $result.memset$4630.4$1$ : int;
+var $result.memset$4675.4$7$ : int;
+var $status$4$4613.28$MouseClassFindMorePorts$12 : int;
+var $successfulCreates$10$4619.28$MouseClassFindMorePorts$12 : int;
+var tempBoogie0:int;
+var tempBoogie1:int;
+var tempBoogie2:int;
+var tempBoogie3:int;
+var tempBoogie4:int;
+var tempBoogie5:int;
+var tempBoogie6:int;
+var tempBoogie7:int;
+var tempBoogie8:int;
+var tempBoogie9:int;
+var tempBoogie10:int;
+var tempBoogie11:int;
+var tempBoogie12:int;
+var tempBoogie13:int;
+var tempBoogie14:int;
+var tempBoogie15:int;
+var tempBoogie16:int;
+var tempBoogie17:int;
+var tempBoogie18:int;
+var tempBoogie19:int;
+var LOOP_74_alloc:[int]name;
+var LOOP_74_Mem:[name][int]int;
+var LOOP_74_Res_DEVICE_STACK:[int]int;
+var LOOP_74_Res_DEV_EXTN:[int]int;
+var LOOP_74_Res_DEV_OBJ_INIT:[int]int;
+var LOOP_74_Res_SPIN_LOCK:[int]int;
+
+
+start:
+
+assume (alloc[$DriverObject$1$4588.20$MouseClassFindMorePorts$121] != UNALLOCATED);
+assume (alloc[$Context$2$4589.20$MouseClassFindMorePorts$121] != UNALLOCATED);
+call $basePortBuffer$13$4622.28$MouseClassFindMorePorts$12 := __HAVOC_malloc(512);
+call $basePortName$11$4620.28$MouseClassFindMorePorts$12 := __HAVOC_malloc(8);
+call $classDeviceObject$6$4615.28$MouseClassFindMorePorts$12 := __HAVOC_malloc(4);
+call $dumpData$7$4616.28$MouseClassFindMorePorts$12 := __HAVOC_malloc(16);
+call $file$15$4624.28$MouseClassFindMorePorts$12 := __HAVOC_malloc(4);
+call $fullClassName$14$4623.28$MouseClassFindMorePorts$12 := __HAVOC_malloc(4);
+call $fullPortName$12$4621.28$MouseClassFindMorePorts$12 := __HAVOC_malloc(8);
+call $numPorts$9$4618.28$MouseClassFindMorePorts$12 := __HAVOC_malloc(4);
+$DriverObject$1$4588.20$MouseClassFindMorePorts$12 := $DriverObject$1$4588.20$MouseClassFindMorePorts$121;
+$Context$2$4589.20$MouseClassFindMorePorts$12 := $Context$2$4589.20$MouseClassFindMorePorts$121;
+$Count$3$4590.20$MouseClassFindMorePorts$12 := $Count$3$4590.20$MouseClassFindMorePorts$121;
+goto label_3;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4799)
+label_1:
+call __HAVOC_free($basePortBuffer$13$4622.28$MouseClassFindMorePorts$12);
+call __HAVOC_free($basePortName$11$4620.28$MouseClassFindMorePorts$12);
+call __HAVOC_free($classDeviceObject$6$4615.28$MouseClassFindMorePorts$12);
+call __HAVOC_free($dumpData$7$4616.28$MouseClassFindMorePorts$12);
+call __HAVOC_free($file$15$4624.28$MouseClassFindMorePorts$12);
+call __HAVOC_free($fullClassName$14$4623.28$MouseClassFindMorePorts$12);
+call __HAVOC_free($fullPortName$12$4621.28$MouseClassFindMorePorts$12);
+call __HAVOC_free($numPorts$9$4618.28$MouseClassFindMorePorts$12);
+assume (forall m:int:: {Res_DEVICE_STACK[m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Res_DEVICE_STACK[m] == old(Res_DEVICE_STACK)[m]);
+assume (forall m:int:: {Res_DEV_EXTN[m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Res_DEV_EXTN[m] == old(Res_DEV_EXTN)[m]);
+assume (forall m:int:: {Res_DEV_OBJ_INIT[m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Res_DEV_OBJ_INIT[m] == old(Res_DEV_OBJ_INIT)[m]);
+assume (forall m:int:: {Res_SPIN_LOCK[m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Res_SPIN_LOCK[m] == old(Res_SPIN_LOCK)[m]);
+assume (forall m:int :: {Mem[T.A256UINT2][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.A256UINT2][m] == old(Mem[T.A256UINT2])[m]);
+assume (forall m:int :: {Mem[T.A2UINT2][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.A2UINT2][m] == old(Mem[T.A2UINT2])[m]);
+assume (forall m:int :: {Mem[T.A4UINT4][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.A4UINT4][m] == old(Mem[T.A4UINT4])[m]);
+assume (forall m:int :: {Mem[T.A5UINT2][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.A5UINT2][m] == old(Mem[T.A5UINT2])[m]);
+assume (forall m:int :: {Mem[T.A85CHAR][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.A85CHAR][m] == old(Mem[T.A85CHAR])[m]);
+assume (forall m:int :: {Mem[T.A9UINT2][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.A9UINT2][m] == old(Mem[T.A9UINT2])[m]);
+assume (forall m:int :: {Mem[T.AssocClassList__GLOBALS][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.AssocClassList__GLOBALS][m] == old(Mem[T.AssocClassList__GLOBALS])[m]);
+assume (forall m:int :: {Mem[T.BaseClassName__GLOBALS][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.BaseClassName__GLOBALS][m] == old(Mem[T.BaseClassName__GLOBALS])[m]);
+assume (forall m:int :: {Mem[T.Buffer__UNICODE_STRING][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Buffer__UNICODE_STRING][m] == old(Mem[T.Buffer__UNICODE_STRING])[m]);
+assume (forall m:int :: {Mem[T.CHAR][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.CHAR][m] == old(Mem[T.CHAR])[m]);
+assume (forall m:int :: {Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][m] == old(Mem[T.CurrentStackLocation___unnamed_4_a7aa989c])[m]);
+assume (forall m:int :: {Mem[T.DataIn__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.DataIn__DEVICE_EXTENSION][m] == old(Mem[T.DataIn__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.DataOut__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.DataOut__DEVICE_EXTENSION][m] == old(Mem[T.DataOut__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.DeviceExtension__DEVICE_OBJECT][m] == old(Mem[T.DeviceExtension__DEVICE_OBJECT])[m]);
+assume (forall m:int :: {Mem[T.File__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.File__DEVICE_EXTENSION][m] == old(Mem[T.File__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.File__PORT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.File__PORT][m] == old(Mem[T.File__PORT])[m]);
+assume (forall m:int :: {Mem[T.Flags__DEVICE_OBJECT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Flags__DEVICE_OBJECT][m] == old(Mem[T.Flags__DEVICE_OBJECT])[m]);
+assume (forall m:int :: {Mem[T.Flink__LIST_ENTRY][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Flink__LIST_ENTRY][m] == old(Mem[T.Flink__LIST_ENTRY])[m]);
+assume (forall m:int :: {Mem[T.Free__PORT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Free__PORT][m] == old(Mem[T.Free__PORT])[m]);
+assume (forall m:int :: {Mem[T.GrandMaster__GLOBALS][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.GrandMaster__GLOBALS][m] == old(Mem[T.GrandMaster__GLOBALS])[m]);
+assume (forall m:int :: {Mem[T.INT4][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.INT4][m] == old(Mem[T.INT4])[m]);
+assume (forall m:int :: {Mem[T.InitExtension__GLOBALS][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.InitExtension__GLOBALS][m] == old(Mem[T.InitExtension__GLOBALS])[m]);
+assume (forall m:int :: {Mem[T.InputData__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.InputData__DEVICE_EXTENSION][m] == old(Mem[T.InputData__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.LegacyDeviceList__GLOBALS][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.LegacyDeviceList__GLOBALS][m] == old(Mem[T.LegacyDeviceList__GLOBALS])[m]);
+assume (forall m:int :: {Mem[T.Length__UNICODE_STRING][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Length__UNICODE_STRING][m] == old(Mem[T.Length__UNICODE_STRING])[m]);
+assume (forall m:int :: {Mem[T.Link__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Link__DEVICE_EXTENSION][m] == old(Mem[T.Link__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.MaximumLength__UNICODE_STRING][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.MaximumLength__UNICODE_STRING][m] == old(Mem[T.MaximumLength__UNICODE_STRING])[m]);
+assume (forall m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.MinorFunction__IO_STACK_LOCATION][m] == old(Mem[T.MinorFunction__IO_STACK_LOCATION])[m]);
+assume (forall m:int :: {Mem[T.Mutex__GLOBALS][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Mutex__GLOBALS][m] == old(Mem[T.Mutex__GLOBALS])[m]);
+assume (forall m:int :: {Mem[T.NumberLegacyPorts__GLOBALS][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.NumberLegacyPorts__GLOBALS][m] == old(Mem[T.NumberLegacyPorts__GLOBALS])[m]);
+assume (forall m:int :: {Mem[T.PCHAR][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.PCHAR][m] == old(Mem[T.PCHAR])[m]);
+assume (forall m:int :: {Mem[T.PPUINT2][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.PPUINT2][m] == old(Mem[T.PPUINT2])[m]);
+assume (forall m:int :: {Mem[T.PP_DEVICE_OBJECT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.PP_DEVICE_OBJECT][m] == old(Mem[T.PP_DEVICE_OBJECT])[m]);
+assume (forall m:int :: {Mem[T.PP_FILE_OBJECT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.PP_FILE_OBJECT][m] == old(Mem[T.PP_FILE_OBJECT])[m]);
+assume (forall m:int :: {Mem[T.PUINT2][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.PUINT2][m] == old(Mem[T.PUINT2])[m]);
+assume (forall m:int :: {Mem[T.PUINT4][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.PUINT4][m] == old(Mem[T.PUINT4])[m]);
+assume (forall m:int :: {Mem[T.PVOID][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.PVOID][m] == old(Mem[T.PVOID])[m]);
+assume (forall m:int :: {Mem[T.P_DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.P_DEVICE_EXTENSION][m] == old(Mem[T.P_DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.P_DEVICE_OBJECT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.P_DEVICE_OBJECT][m] == old(Mem[T.P_DEVICE_OBJECT])[m]);
+assume (forall m:int :: {Mem[T.P_DRIVER_OBJECT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.P_DRIVER_OBJECT][m] == old(Mem[T.P_DRIVER_OBJECT])[m]);
+assume (forall m:int :: {Mem[T.P_FAST_MUTEX][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.P_FAST_MUTEX][m] == old(Mem[T.P_FAST_MUTEX])[m]);
+assume (forall m:int :: {Mem[T.P_FILE_OBJECT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.P_FILE_OBJECT][m] == old(Mem[T.P_FILE_OBJECT])[m]);
+assume (forall m:int :: {Mem[T.P_LIST_ENTRY][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.P_LIST_ENTRY][m] == old(Mem[T.P_LIST_ENTRY])[m]);
+assume (forall m:int :: {Mem[T.P_MOUSE_INPUT_DATA][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.P_MOUSE_INPUT_DATA][m] == old(Mem[T.P_MOUSE_INPUT_DATA])[m]);
+assume (forall m:int :: {Mem[T.P_UNICODE_STRING][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.P_UNICODE_STRING][m] == old(Mem[T.P_UNICODE_STRING])[m]);
+assume (forall m:int :: {Mem[T.PnP__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.PnP__DEVICE_EXTENSION][m] == old(Mem[T.PnP__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.Port__PORT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Port__PORT][m] == old(Mem[T.Port__PORT])[m]);
+assume (forall m:int :: {Mem[T.PortsServiced__GLOBALS][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.PortsServiced__GLOBALS][m] == old(Mem[T.PortsServiced__GLOBALS])[m]);
+assume (forall m:int :: {Mem[T.Self__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Self__DEVICE_EXTENSION][m] == old(Mem[T.Self__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.SpinLock__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.SpinLock__DEVICE_EXTENSION][m] == old(Mem[T.SpinLock__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.StackSize__DEVICE_OBJECT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.StackSize__DEVICE_OBJECT][m] == old(Mem[T.StackSize__DEVICE_OBJECT])[m]);
+assume (forall m:int :: {Mem[T.Started__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Started__DEVICE_EXTENSION][m] == old(Mem[T.Started__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.TopPort__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.TopPort__DEVICE_EXTENSION][m] == old(Mem[T.TopPort__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.UCHAR][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.UCHAR][m] == old(Mem[T.UCHAR])[m]);
+assume (forall m:int :: {Mem[T.UINT2][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.UINT2][m] == old(Mem[T.UINT2])[m]);
+assume (forall m:int :: {Mem[T.UINT4][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.UINT4][m] == old(Mem[T.UINT4])[m]);
+assume (forall m:int :: {Mem[T.UnitId__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.UnitId__DEVICE_EXTENSION][m] == old(Mem[T.UnitId__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.WaitWakeSpinLock__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.WaitWakeSpinLock__DEVICE_EXTENSION][m] == old(Mem[T.WaitWakeSpinLock__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T._POOL_TYPE][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T._POOL_TYPE][m] == old(Mem[T._POOL_TYPE])[m]);
+return;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4799)
+label_2:
+assume false;
+return;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4613)
+label_3:
+goto label_4;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4614)
+label_4:
+goto label_5;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4614)
+label_5:
+$deviceExtension$5$4614.28$MouseClassFindMorePorts$12 := 0 ;
+goto label_6;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4615)
+label_6:
+goto label_7;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4615)
+label_7:
+Mem[T.P_DEVICE_OBJECT] := Mem[T.P_DEVICE_OBJECT][$classDeviceObject$6$4615.28$MouseClassFindMorePorts$12 := 0];
+goto label_8;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4616)
+label_8:
+goto label_9;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4617)
+label_9:
+goto label_10;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4618)
+label_10:
+goto label_11;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4619)
+label_11:
+goto label_12;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4620)
+label_12:
+goto label_13;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4621)
+label_13:
+goto label_14;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4622)
+label_14:
+goto label_15;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4623)
+label_15:
+goto label_16;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4623)
+label_16:
+Mem[T.PUINT2] := Mem[T.PUINT2][$fullClassName$14$4623.28$MouseClassFindMorePorts$12 := 0];
+goto label_17;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4624)
+label_17:
+goto label_18;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4626)
+label_18:
+call __PREfastPagedCode ();
+goto label_21;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4628)
+label_21:
+Mem[T.MaximumLength__UNICODE_STRING] := Mem[T.MaximumLength__UNICODE_STRING][MaximumLength__UNICODE_STRING($fullPortName$12$4621.28$MouseClassFindMorePorts$12) := 0];
+goto label_22;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4630)
+label_22:
+// ignoring intrinsic intrinsic.memset
+havoc $result.memset$4630.4$1$;
+goto label_25;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4631)
+label_25:
+Mem[T.Buffer__UNICODE_STRING] := Mem[T.Buffer__UNICODE_STRING][Buffer__UNICODE_STRING($basePortName$11$4620.28$MouseClassFindMorePorts$12) := $basePortBuffer$13$4622.28$MouseClassFindMorePorts$12];
+goto label_26;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4632)
+label_26:
+Mem[T.Length__UNICODE_STRING] := Mem[T.Length__UNICODE_STRING][Length__UNICODE_STRING($basePortName$11$4620.28$MouseClassFindMorePorts$12) := 0];
+goto label_27;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4633)
+label_27:
+Mem[T.MaximumLength__UNICODE_STRING] := Mem[T.MaximumLength__UNICODE_STRING][MaximumLength__UNICODE_STRING($basePortName$11$4620.28$MouseClassFindMorePorts$12) := 512];
+goto label_28;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4640)
+label_28:
+call RtlCopyUnicodeString ($basePortName$11$4620.28$MouseClassFindMorePorts$12, BaseClassName__GLOBALS(Globals));
+goto label_31;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4641)
+label_31:
+tempBoogie0 := MINUS_BOTH_PTR_OR_BOTH_INT( Mem[T.Length__UNICODE_STRING][Length__UNICODE_STRING($basePortName$11$4620.28$MouseClassFindMorePorts$12)], 10, 1) ;
+Mem[T.Length__UNICODE_STRING] := Mem[T.Length__UNICODE_STRING][Length__UNICODE_STRING($basePortName$11$4620.28$MouseClassFindMorePorts$12) := tempBoogie0];
+goto label_35;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4642)
+label_32:
+call $result.RtlAppendUnicodeToString$4642.28$2$ := RtlAppendUnicodeToString ($basePortName$11$4620.28$MouseClassFindMorePorts$12, $RtlAppendUnicodeToString.arg.2$3$);
+goto label_36;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4642)
+label_35:
+call havoc_stringTemp := __HAVOC_malloc(1);
+$RtlAppendUnicodeToString.arg.2$3$ := havoc_stringTemp ;
+goto label_32;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4647)
+label_36:
+call RtlInitUnicodeString ($fullPortName$12$4621.28$MouseClassFindMorePorts$12, 0);
+goto label_39;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4649)
+label_39:
+Mem[T.MaximumLength__UNICODE_STRING] := Mem[T.MaximumLength__UNICODE_STRING][MaximumLength__UNICODE_STRING($fullPortName$12$4621.28$MouseClassFindMorePorts$12) := PLUS(PLUS(18, 1, Mem[T.Length__UNICODE_STRING][Length__UNICODE_STRING($basePortName$11$4620.28$MouseClassFindMorePorts$12)]), 1, 2)];
+goto label_43;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4653)
+label_40:
+call $result.ExAllocatePoolWithTag$4653.0$4$ := ExAllocatePoolWithTag (1, $ExAllocatePoolWithTag.arg.2$5$, 1131377997);
+goto label_44;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4653)
+label_43:
+$ExAllocatePoolWithTag.arg.2$5$ := Mem[T.MaximumLength__UNICODE_STRING][MaximumLength__UNICODE_STRING($fullPortName$12$4621.28$MouseClassFindMorePorts$12)] ;
+goto label_40;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4653)
+label_44:
+Mem[T.Buffer__UNICODE_STRING] := Mem[T.Buffer__UNICODE_STRING][Buffer__UNICODE_STRING($fullPortName$12$4621.28$MouseClassFindMorePorts$12) := $result.ExAllocatePoolWithTag$4653.0$4$];
+goto label_45;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4656)
+label_45:
+goto label_45_true , label_45_false ;
+
+
+label_45_true :
+assume (Mem[T.Buffer__UNICODE_STRING][Buffer__UNICODE_STRING($fullPortName$12$4621.28$MouseClassFindMorePorts$12)] != 0);
+goto label_57;
+
+
+label_45_false :
+assume (Mem[T.Buffer__UNICODE_STRING][Buffer__UNICODE_STRING($fullPortName$12$4621.28$MouseClassFindMorePorts$12)] == 0);
+goto label_49;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4658)
+label_46:
+// skip MouDebugPrint
+goto label_50;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4658)
+label_49:
+call havoc_stringTemp := __HAVOC_malloc(1);
+$MouDebugPrint.arg.2$6$ := havoc_stringTemp ;
+goto label_46;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4663)
+label_50:
+Mem[T.UINT4] := Mem[T.UINT4][PLUS($dumpData$7$4616.28$MouseClassFindMorePorts$12, 4, 0) := Mem[T.MaximumLength__UNICODE_STRING][MaximumLength__UNICODE_STRING($fullPortName$12$4621.28$MouseClassFindMorePorts$12)]];
+goto label_51;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4664)
+label_51:
+call MouseClassLogError ($DriverObject$1$4588.20$MouseClassFindMorePorts$12, BOOGIE_LARGE_INT_3221553153, 20008, -1073741823, 1, $dumpData$7$4616.28$MouseClassFindMorePorts$12, 0);
+goto label_156;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4675)
+label_54:
+// ignoring intrinsic intrinsic.memset
+havoc $result.memset$4675.4$7$;
+goto label_61;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4675)
+label_57:
+$memset.arg.3$8$ := Mem[T.MaximumLength__UNICODE_STRING][MaximumLength__UNICODE_STRING($fullPortName$12$4621.28$MouseClassFindMorePorts$12)] ;
+goto label_54;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4676)
+label_58:
+call $result.RtlAppendUnicodeToString$4676.28$9$ := RtlAppendUnicodeToString ($fullPortName$12$4621.28$MouseClassFindMorePorts$12, $RtlAppendUnicodeToString.arg.2$10$);
+goto label_62;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4676)
+label_61:
+call havoc_stringTemp := __HAVOC_malloc(1);
+$RtlAppendUnicodeToString.arg.2$10$ := havoc_stringTemp ;
+goto label_58;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4677)
+label_62:
+call $result.RtlAppendUnicodeToString$4677.28$11$ := RtlAppendUnicodeToString ($fullPortName$12$4621.28$MouseClassFindMorePorts$12, Mem[T.Buffer__UNICODE_STRING][Buffer__UNICODE_STRING($basePortName$11$4620.28$MouseClassFindMorePorts$12)]);
+goto label_68;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4678)
+label_65:
+call $result.RtlAppendUnicodeToString$4678.28$12$ := RtlAppendUnicodeToString ($fullPortName$12$4621.28$MouseClassFindMorePorts$12, $RtlAppendUnicodeToString.arg.2$13$);
+goto label_69;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4678)
+label_68:
+call havoc_stringTemp := __HAVOC_malloc(1);
+$RtlAppendUnicodeToString.arg.2$13$ := havoc_stringTemp ;
+goto label_65;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4680)
+label_69:
+call $result.MouDeterminePortsServiced$4680.29$14$ := MouDeterminePortsServiced ($basePortName$11$4620.28$MouseClassFindMorePorts$12, $numPorts$9$4618.28$MouseClassFindMorePorts$12);
+goto label_72;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4687)
+label_72:
+$i$8$4617.28$MouseClassFindMorePorts$12 := Mem[T.NumberLegacyPorts__GLOBALS][NumberLegacyPorts__GLOBALS(Globals)] ;
+goto label_73;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4687)
+label_73:
+$successfulCreates$10$4619.28$MouseClassFindMorePorts$12 := 0 ;
+goto label_74;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4688)
+label_74:
+// loop entry initialization...
+LOOP_74_alloc := alloc;
+LOOP_74_Mem := Mem;
+LOOP_74_Res_DEVICE_STACK := Res_DEVICE_STACK;
+LOOP_74_Res_DEV_EXTN := Res_DEV_EXTN;
+LOOP_74_Res_DEV_OBJ_INIT := Res_DEV_OBJ_INIT;
+LOOP_74_Res_SPIN_LOCK := Res_SPIN_LOCK;
+goto label_74_head;
+
+
+label_74_head:
+// loop head assertions...
+//TAG: requires __pforall(_H_x, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension), __inv_resource("DEV_OBJ_INIT", 1), ((struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension))->Self == _H_x && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension)) == 1)
+assert((forall _H_x:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]} Inverse(Res_DEV_OBJ_INIT,1)[_H_x] ==> ((Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)])] == _H_x) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]] == 1))));
+//TAG: requires __pforall(_H_z, _H_z->Self, __inv_resource("DEV_EXTN", 1), __resource("DEV_OBJ_INIT", _H_z->Self) == 1 && (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(_H_z->Self))->DeviceExtension) == _H_z)
+assert((forall _H_z:int :: {Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]} Inverse(Res_DEV_EXTN,1)[_H_z] ==> ((Res_DEV_OBJ_INIT[Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]] == 1) && (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)])] == _H_z))));
+//TAG: requires __forall(_H_z, __inv_resource("DEV_EXTN", 1), __resource("SPIN_LOCK", &_H_z->SpinLock) == 0 && __resource("SPIN_LOCK", &_H_z->WaitWakeSpinLock) == 0)
+assert((Subset(Empty(), Inverse(Res_DEV_EXTN,1)) && (forall _H_z : int :: {Inverse(Res_DEV_EXTN,1)[_H_z]} (Inverse(Res_DEV_EXTN,1)[_H_z]) ==> ((Res_SPIN_LOCK[SpinLock__DEVICE_EXTENSION(_H_z)] == 0) && (Res_SPIN_LOCK[WaitWakeSpinLock__DEVICE_EXTENSION(_H_z)] == 0)))));
+//TAG: requires 1 ==> (Globals.GrandMaster != (void *)0 ==> __resource("DEV_EXTN", Globals.GrandMaster) == 1)
+assert((true) ==> ((Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] != 0) ==> (Res_DEV_EXTN[Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)]] == 1)));
+//TAG: requires 1 ==> __setin(&Globals.LegacyDeviceList, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList))
+assert((true) ==> (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[LegacyDeviceList__GLOBALS(Globals)]));
+//TAG: requires 1 ==> __forall(_H_y, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), _H_y == &Globals.LegacyDeviceList || __resource("DEV_EXTN", CONTAINING_RECORD(_H_y, struct _DEVICE_EXTENSION , Link)) == 1)
+assert((true) ==> ((Subset(Empty(), ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))) && (forall _H_y : int :: {ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]} (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]) ==> ((_H_y == LegacyDeviceList__GLOBALS(Globals)) || (Res_DEV_EXTN[MINUS_LEFT_PTR(_H_y, 1, Link__DEVICE_EXTENSION(0))] == 1))))));
+//TAG: requires 1 ==> !__setin(&Globals.GrandMaster->Link, __setminus(__btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), __set(&Globals.LegacyDeviceList)))
+assert((true) ==> (!(Difference(ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals)), Singleton(LegacyDeviceList__GLOBALS(Globals)))[Link__DEVICE_EXTENSION(Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)])])));
+assume(forall f:int :: {alloc[Base(f)]} LOOP_74_alloc[Base(f)] == UNALLOCATED || LOOP_74_alloc[Base(f)] == alloc[Base(f)]);
+
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || LOOP_74_Res_DEVICE_STACK[r] == Res_DEVICE_STACK[r]));
+
+//TAG: net change in resource DEV_EXTN only for: __set_true
+assert (Subset(Empty(), Union(Empty(), SetTrue())) && (forall r:int :: {Res_DEV_EXTN[r]} (SetTrue()[r]) || LOOP_74_Res_DEV_EXTN[r] == Res_DEV_EXTN[r]));
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_true
+assert (Subset(Empty(), Union(Empty(), SetTrue())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (SetTrue()[r]) || LOOP_74_Res_DEV_OBJ_INIT[r] == Res_DEV_OBJ_INIT[r]));
+
+//TAG: net change in resource SPIN_LOCK only for: __set_true
+assert (Subset(Empty(), Union(Empty(), SetTrue())) && (forall r:int :: {Res_SPIN_LOCK[r]} (SetTrue()[r]) || LOOP_74_Res_SPIN_LOCK[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == LOOP_74_Mem[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_a7aa989c] only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m] == LOOP_74_Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == LOOP_74_Mem[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_true
+assert (Subset(Empty(), Union(Empty(), SetTrue())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (SetTrue()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == LOOP_74_Mem[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == LOOP_74_Mem[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == LOOP_74_Mem[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_true
+assert (Subset(Empty(), Union(Empty(), SetTrue())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (SetTrue()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == LOOP_74_Mem[T.P_DEVICE_OBJECT][_m]));
+
+// end loop head assertions
+
+goto label_74_true , label_74_false ;
+
+
+label_74_true :
+assume ($i$8$4617.28$MouseClassFindMorePorts$12 < Mem[T.PortsServiced__GLOBALS][PortsServiced__GLOBALS(Globals)]);
+goto label_75;
+
+
+label_74_false :
+assume !($i$8$4617.28$MouseClassFindMorePorts$12 < Mem[T.PortsServiced__GLOBALS][PortsServiced__GLOBALS(Globals)]);
+goto label_155;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4688)
+label_75:
+goto label_75_true , label_75_false ;
+
+
+label_75_true :
+assume ($i$8$4617.28$MouseClassFindMorePorts$12 < Mem[T.UINT4][$numPorts$9$4618.28$MouseClassFindMorePorts$12]);
+goto label_76;
+
+
+label_75_false :
+assume !($i$8$4617.28$MouseClassFindMorePorts$12 < Mem[T.UINT4][$numPorts$9$4618.28$MouseClassFindMorePorts$12]);
+goto label_155;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4698)
+label_76:
+Mem[T.UINT2] := Mem[T.UINT2][PLUS(Mem[T.Buffer__UNICODE_STRING][Buffer__UNICODE_STRING($fullPortName$12$4621.28$MouseClassFindMorePorts$12)], 2, MINUS_BOTH_PTR_OR_BOTH_INT( BINARY_BOTH_INT(Mem[T.Length__UNICODE_STRING][Length__UNICODE_STRING($fullPortName$12$4621.28$MouseClassFindMorePorts$12)], 2), 1, 1)) := PLUS(48, 1, $i$8$4617.28$MouseClassFindMorePorts$12)];
+goto label_77;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4700)
+label_77:
+goto label_77_true , label_77_false ;
+
+
+label_77_true :
+assume (Mem[T.PUINT2][$fullClassName$14$4623.28$MouseClassFindMorePorts$12] != 0);
+goto label_78;
+
+
+label_77_false :
+assume (Mem[T.PUINT2][$fullClassName$14$4623.28$MouseClassFindMorePorts$12] == 0);
+goto label_82;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4701)
+label_78:
+call ExFreePoolWithTag (Mem[T.PUINT2][$fullClassName$14$4623.28$MouseClassFindMorePorts$12], 0);
+goto label_81;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4702)
+label_81:
+Mem[T.PUINT2] := Mem[T.PUINT2][$fullClassName$14$4623.28$MouseClassFindMorePorts$12 := 0];
+goto label_82;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4708)
+label_82:
+call $result.MouCreateClassObject$4708.37$15$ := MouCreateClassObject ($DriverObject$1$4588.20$MouseClassFindMorePorts$12, InitExtension__GLOBALS(Globals), $classDeviceObject$6$4615.28$MouseClassFindMorePorts$12, $fullClassName$14$4623.28$MouseClassFindMorePorts$12, 1);
+goto label_85;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4708)
+label_85:
+$status$4$4613.28$MouseClassFindMorePorts$12 := $result.MouCreateClassObject$4708.37$15$ ;
+goto label_86;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4714)
+label_86:
+goto label_86_true , label_86_false ;
+
+
+label_86_true :
+assume (0 <= $status$4$4613.28$MouseClassFindMorePorts$12);
+goto label_90;
+
+
+label_86_false :
+assume !(0 <= $status$4$4613.28$MouseClassFindMorePorts$12);
+goto label_87;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4715)
+label_87:
+call MouseClassLogError ($DriverObject$1$4588.20$MouseClassFindMorePorts$12, BOOGIE_LARGE_INT_3221553153, 20008, $status$4$4613.28$MouseClassFindMorePorts$12, 0, 0, 0);
+goto label_154;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4725)
+label_90:
+$deviceExtension$5$4614.28$MouseClassFindMorePorts$12 := Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$classDeviceObject$6$4615.28$MouseClassFindMorePorts$12])] ;
+goto label_91;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4726)
+label_91:
+Mem[T.PnP__DEVICE_EXTENSION] := Mem[T.PnP__DEVICE_EXTENSION][PnP__DEVICE_EXTENSION($deviceExtension$5$4614.28$MouseClassFindMorePorts$12) := 0];
+goto label_92;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4731)
+label_92:
+assume (Mem[T.TopPort__DEVICE_EXTENSION][TopPort__DEVICE_EXTENSION($deviceExtension$5$4614.28$MouseClassFindMorePorts$12)] == Mem[T.P_DEVICE_OBJECT][TopPort__DEVICE_EXTENSION($deviceExtension$5$4614.28$MouseClassFindMorePorts$12)]);
+call $result.IoGetDeviceObjectPointer$4731.42$16$ := IoGetDeviceObjectPointer ($fullPortName$12$4621.28$MouseClassFindMorePorts$12, 128, $file$15$4624.28$MouseClassFindMorePorts$12, TopPort__DEVICE_EXTENSION($deviceExtension$5$4614.28$MouseClassFindMorePorts$12));
+Mem[T.TopPort__DEVICE_EXTENSION] := Mem[T.TopPort__DEVICE_EXTENSION][TopPort__DEVICE_EXTENSION($deviceExtension$5$4614.28$MouseClassFindMorePorts$12) := Mem[T.P_DEVICE_OBJECT][TopPort__DEVICE_EXTENSION($deviceExtension$5$4614.28$MouseClassFindMorePorts$12)]];
+goto label_95;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4731)
+label_95:
+$status$4$4613.28$MouseClassFindMorePorts$12 := $result.IoGetDeviceObjectPointer$4731.42$16$ ;
+goto label_96;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4736)
+label_96:
+goto label_96_true , label_96_false ;
+
+
+label_96_true :
+assume ($status$4$4613.28$MouseClassFindMorePorts$12 != 0);
+goto label_97;
+
+
+label_96_false :
+assume ($status$4$4613.28$MouseClassFindMorePorts$12 == 0);
+goto label_108;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4738)
+label_97:
+goto label_97_true , label_97_false ;
+
+
+label_97_true :
+assume (Mem[T.InputData__DEVICE_EXTENSION][InputData__DEVICE_EXTENSION($deviceExtension$5$4614.28$MouseClassFindMorePorts$12)] != 0);
+goto label_98;
+
+
+label_97_false :
+assume (Mem[T.InputData__DEVICE_EXTENSION][InputData__DEVICE_EXTENSION($deviceExtension$5$4614.28$MouseClassFindMorePorts$12)] == 0);
+goto label_104;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4738)
+label_98:
+call ExFreePoolWithTag (Mem[T.InputData__DEVICE_EXTENSION][InputData__DEVICE_EXTENSION($deviceExtension$5$4614.28$MouseClassFindMorePorts$12)], 0);
+goto label_101;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4738)
+label_101:
+Mem[T.DataOut__DEVICE_EXTENSION] := Mem[T.DataOut__DEVICE_EXTENSION][DataOut__DEVICE_EXTENSION($deviceExtension$5$4614.28$MouseClassFindMorePorts$12) := 0];
+goto label_102;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4738)
+label_102:
+Mem[T.DataIn__DEVICE_EXTENSION] := Mem[T.DataIn__DEVICE_EXTENSION][DataIn__DEVICE_EXTENSION($deviceExtension$5$4614.28$MouseClassFindMorePorts$12) := Mem[T.DataOut__DEVICE_EXTENSION][DataOut__DEVICE_EXTENSION($deviceExtension$5$4614.28$MouseClassFindMorePorts$12)]];
+goto label_103;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4738)
+label_103:
+Mem[T.InputData__DEVICE_EXTENSION] := Mem[T.InputData__DEVICE_EXTENSION][InputData__DEVICE_EXTENSION($deviceExtension$5$4614.28$MouseClassFindMorePorts$12) := Mem[T.DataIn__DEVICE_EXTENSION][DataIn__DEVICE_EXTENSION($deviceExtension$5$4614.28$MouseClassFindMorePorts$12)]];
+goto label_104;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4738)
+label_104:
+call IoDeleteDevice (Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION($deviceExtension$5$4614.28$MouseClassFindMorePorts$12)]);
+goto label_107;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4738)
+label_107:
+$deviceExtension$5$4614.28$MouseClassFindMorePorts$12 := 0 ;
+goto label_154;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4742)
+label_108:
+Mem[T.StackSize__DEVICE_OBJECT] := Mem[T.StackSize__DEVICE_OBJECT][StackSize__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$classDeviceObject$6$4615.28$MouseClassFindMorePorts$12]) := PLUS(1, 1, Mem[T.StackSize__DEVICE_OBJECT][StackSize__DEVICE_OBJECT(Mem[T.TopPort__DEVICE_EXTENSION][TopPort__DEVICE_EXTENSION($deviceExtension$5$4614.28$MouseClassFindMorePorts$12)])])];
+goto label_109;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4743)
+label_109:
+call $result.MouseAddDeviceEx$4743.34$17$ := MouseAddDeviceEx ($deviceExtension$5$4614.28$MouseClassFindMorePorts$12, Mem[T.PUINT2][$fullClassName$14$4623.28$MouseClassFindMorePorts$12], Mem[T.P_FILE_OBJECT][$file$15$4624.28$MouseClassFindMorePorts$12]);
+goto label_112;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4743)
+label_112:
+$status$4$4613.28$MouseClassFindMorePorts$12 := $result.MouseAddDeviceEx$4743.34$17$ ;
+goto label_113;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4744)
+label_113:
+assume (forall r:int :: {BIT_BAND(BIT_BAND(Mem[T.Flags__DEVICE_OBJECT][Flags__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$classDeviceObject$6$4615.28$MouseClassFindMorePorts$12])], BIT_BNOT(128)),r)} (POW2(r) && POW2(128) && r != 128) ==> (BIT_BAND(Mem[T.Flags__DEVICE_OBJECT][Flags__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$classDeviceObject$6$4615.28$MouseClassFindMorePorts$12])],r)!= 0 <==> BIT_BAND(BIT_BAND(Mem[T.Flags__DEVICE_OBJECT][Flags__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$classDeviceObject$6$4615.28$MouseClassFindMorePorts$12])], BIT_BNOT(128)),r)!= 0));
+assume (BIT_BAND(BIT_BAND(Mem[T.Flags__DEVICE_OBJECT][Flags__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$classDeviceObject$6$4615.28$MouseClassFindMorePorts$12])], BIT_BNOT(128)),128) == 0);
+tempBoogie0 := BIT_BAND(Mem[T.Flags__DEVICE_OBJECT][Flags__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$classDeviceObject$6$4615.28$MouseClassFindMorePorts$12])], BIT_BNOT(128)) ;
+Mem[T.Flags__DEVICE_OBJECT] := Mem[T.Flags__DEVICE_OBJECT][Flags__DEVICE_OBJECT(Mem[T.P_DEVICE_OBJECT][$classDeviceObject$6$4615.28$MouseClassFindMorePorts$12]) := tempBoogie0];
+goto label_114;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4746)
+label_114:
+goto label_114_true , label_114_false ;
+
+
+label_114_true :
+assume (Mem[T.PUINT2][$fullClassName$14$4623.28$MouseClassFindMorePorts$12] != 0);
+goto label_115;
+
+
+label_114_false :
+assume (Mem[T.PUINT2][$fullClassName$14$4623.28$MouseClassFindMorePorts$12] == 0);
+goto label_119;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4747)
+label_115:
+call ExFreePoolWithTag (Mem[T.PUINT2][$fullClassName$14$4623.28$MouseClassFindMorePorts$12], 0);
+goto label_118;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4748)
+label_118:
+Mem[T.PUINT2] := Mem[T.PUINT2][$fullClassName$14$4623.28$MouseClassFindMorePorts$12 := 0];
+goto label_119;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4751)
+label_119:
+goto label_119_true , label_119_false ;
+
+
+label_119_true :
+assume (0 <= $status$4$4613.28$MouseClassFindMorePorts$12);
+goto label_150;
+
+
+label_119_false :
+assume !(0 <= $status$4$4613.28$MouseClassFindMorePorts$12);
+goto label_120;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4752)
+label_120:
+goto label_120_true , label_120_false ;
+
+
+label_120_true :
+assume (Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] != 0);
+goto label_124;
+
+
+label_120_false :
+assume (Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] == 0);
+goto label_121;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4753)
+label_121:
+goto label_121_true , label_121_false ;
+
+
+label_121_true :
+assume (Mem[T.File__DEVICE_EXTENSION][File__DEVICE_EXTENSION($deviceExtension$5$4614.28$MouseClassFindMorePorts$12)] != 0);
+goto label_122;
+
+
+label_121_false :
+assume (Mem[T.File__DEVICE_EXTENSION][File__DEVICE_EXTENSION($deviceExtension$5$4614.28$MouseClassFindMorePorts$12)] == 0);
+goto label_135;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4754)
+label_122:
+Mem[T.P_FILE_OBJECT] := Mem[T.P_FILE_OBJECT][$file$15$4624.28$MouseClassFindMorePorts$12 := Mem[T.File__DEVICE_EXTENSION][File__DEVICE_EXTENSION($deviceExtension$5$4614.28$MouseClassFindMorePorts$12)]];
+goto label_123;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4755)
+label_123:
+Mem[T.File__DEVICE_EXTENSION] := Mem[T.File__DEVICE_EXTENSION][File__DEVICE_EXTENSION($deviceExtension$5$4614.28$MouseClassFindMorePorts$12) := 0];
+goto label_135;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4759)
+label_124:
+goto label_125;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4761)
+label_125:
+call ExAcquireFastMutex (Mutex__GLOBALS(Globals));
+goto label_128;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4763)
+label_128:
+Mem[T.P_FILE_OBJECT] := Mem[T.P_FILE_OBJECT][$file$15$4624.28$MouseClassFindMorePorts$12 := Mem[T.File__PORT][File__PORT(PLUS(Mem[T.AssocClassList__GLOBALS][AssocClassList__GLOBALS(Globals)], 12, Mem[T.UnitId__DEVICE_EXTENSION][UnitId__DEVICE_EXTENSION($deviceExtension$5$4614.28$MouseClassFindMorePorts$12)]))]];
+goto label_129;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4764)
+label_129:
+Mem[T.File__PORT] := Mem[T.File__PORT][File__PORT(PLUS(Mem[T.AssocClassList__GLOBALS][AssocClassList__GLOBALS(Globals)], 12, Mem[T.UnitId__DEVICE_EXTENSION][UnitId__DEVICE_EXTENSION($deviceExtension$5$4614.28$MouseClassFindMorePorts$12)])) := 0];
+goto label_130;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4765)
+label_130:
+Mem[T.Free__PORT] := Mem[T.Free__PORT][Free__PORT(PLUS(Mem[T.AssocClassList__GLOBALS][AssocClassList__GLOBALS(Globals)], 12, Mem[T.UnitId__DEVICE_EXTENSION][UnitId__DEVICE_EXTENSION($deviceExtension$5$4614.28$MouseClassFindMorePorts$12)])) := 1];
+goto label_131;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4766)
+label_131:
+Mem[T.Port__PORT] := Mem[T.Port__PORT][Port__PORT(PLUS(Mem[T.AssocClassList__GLOBALS][AssocClassList__GLOBALS(Globals)], 12, Mem[T.UnitId__DEVICE_EXTENSION][UnitId__DEVICE_EXTENSION($deviceExtension$5$4614.28$MouseClassFindMorePorts$12)])) := 0];
+goto label_132;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4768)
+label_132:
+call ExReleaseFastMutex (Mutex__GLOBALS(Globals));
+goto label_135;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4771)
+label_135:
+goto label_135_true , label_135_false ;
+
+
+label_135_true :
+assume (Mem[T.P_FILE_OBJECT][$file$15$4624.28$MouseClassFindMorePorts$12] != 0);
+goto label_136;
+
+
+label_135_false :
+assume (Mem[T.P_FILE_OBJECT][$file$15$4624.28$MouseClassFindMorePorts$12] == 0);
+goto label_139;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4772)
+label_136:
+call $result.ObfDereferenceObject$4772.16$18$ := ObfDereferenceObject (Mem[T.P_FILE_OBJECT][$file$15$4624.28$MouseClassFindMorePorts$12]);
+goto label_139;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4775)
+label_139:
+goto label_139_true , label_139_false ;
+
+
+label_139_true :
+assume (Mem[T.InputData__DEVICE_EXTENSION][InputData__DEVICE_EXTENSION($deviceExtension$5$4614.28$MouseClassFindMorePorts$12)] != 0);
+goto label_140;
+
+
+label_139_false :
+assume (Mem[T.InputData__DEVICE_EXTENSION][InputData__DEVICE_EXTENSION($deviceExtension$5$4614.28$MouseClassFindMorePorts$12)] == 0);
+goto label_146;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4775)
+label_140:
+call ExFreePoolWithTag (Mem[T.InputData__DEVICE_EXTENSION][InputData__DEVICE_EXTENSION($deviceExtension$5$4614.28$MouseClassFindMorePorts$12)], 0);
+goto label_143;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4775)
+label_143:
+Mem[T.DataOut__DEVICE_EXTENSION] := Mem[T.DataOut__DEVICE_EXTENSION][DataOut__DEVICE_EXTENSION($deviceExtension$5$4614.28$MouseClassFindMorePorts$12) := 0];
+goto label_144;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4775)
+label_144:
+Mem[T.DataIn__DEVICE_EXTENSION] := Mem[T.DataIn__DEVICE_EXTENSION][DataIn__DEVICE_EXTENSION($deviceExtension$5$4614.28$MouseClassFindMorePorts$12) := Mem[T.DataOut__DEVICE_EXTENSION][DataOut__DEVICE_EXTENSION($deviceExtension$5$4614.28$MouseClassFindMorePorts$12)]];
+goto label_145;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4775)
+label_145:
+Mem[T.InputData__DEVICE_EXTENSION] := Mem[T.InputData__DEVICE_EXTENSION][InputData__DEVICE_EXTENSION($deviceExtension$5$4614.28$MouseClassFindMorePorts$12) := Mem[T.DataIn__DEVICE_EXTENSION][DataIn__DEVICE_EXTENSION($deviceExtension$5$4614.28$MouseClassFindMorePorts$12)]];
+goto label_146;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4775)
+label_146:
+call IoDeleteDevice (Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION($deviceExtension$5$4614.28$MouseClassFindMorePorts$12)]);
+goto label_149;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4775)
+label_149:
+$deviceExtension$5$4614.28$MouseClassFindMorePorts$12 := 0 ;
+goto label_154;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4782)
+label_150:
+call InsertTailList (LegacyDeviceList__GLOBALS(Globals), Link__DEVICE_EXTENSION($deviceExtension$5$4614.28$MouseClassFindMorePorts$12));
+goto label_153;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4783)
+label_153:
+$successfulCreates$10$4619.28$MouseClassFindMorePorts$12 := PLUS($successfulCreates$10$4619.28$MouseClassFindMorePorts$12, 1, 1) ;
+goto label_154;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4689)
+label_154:
+$i$8$4617.28$MouseClassFindMorePorts$12 := PLUS($i$8$4617.28$MouseClassFindMorePorts$12, 1, 1) ;
+goto label_74_head;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4786)
+label_155:
+tempBoogie0 := PLUS(Mem[T.NumberLegacyPorts__GLOBALS][NumberLegacyPorts__GLOBALS(Globals)], 1, $successfulCreates$10$4619.28$MouseClassFindMorePorts$12) ;
+Mem[T.NumberLegacyPorts__GLOBALS] := Mem[T.NumberLegacyPorts__GLOBALS][NumberLegacyPorts__GLOBALS(Globals) := tempBoogie0];
+goto label_156;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4792)
+label_156:
+goto label_156_true , label_156_false ;
+
+
+label_156_true :
+assume (Mem[T.Buffer__UNICODE_STRING][Buffer__UNICODE_STRING($fullPortName$12$4621.28$MouseClassFindMorePorts$12)] != 0);
+goto label_157;
+
+
+label_156_false :
+assume (Mem[T.Buffer__UNICODE_STRING][Buffer__UNICODE_STRING($fullPortName$12$4621.28$MouseClassFindMorePorts$12)] == 0);
+goto label_160;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4793)
+label_157:
+call ExFreePoolWithTag (Mem[T.Buffer__UNICODE_STRING][Buffer__UNICODE_STRING($fullPortName$12$4621.28$MouseClassFindMorePorts$12)], 0);
+goto label_160;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4796)
+label_160:
+goto label_160_true , label_160_false ;
+
+
+label_160_true :
+assume (Mem[T.PUINT2][$fullClassName$14$4623.28$MouseClassFindMorePorts$12] != 0);
+goto label_161;
+
+
+label_160_false :
+assume (Mem[T.PUINT2][$fullClassName$14$4623.28$MouseClassFindMorePorts$12] == 0);
+goto label_1;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(4797)
+label_161:
+call ExFreePoolWithTag (Mem[T.PUINT2][$fullClassName$14$4623.28$MouseClassFindMorePorts$12], 0);
+goto label_1;
+
+}
+
diff --git a/Test/havoc0/MouseClassUnload.bpl b/Test/havoc0/MouseClassUnload.bpl
new file mode 100644
index 00000000..87e31029
--- /dev/null
+++ b/Test/havoc0/MouseClassUnload.bpl
@@ -0,0 +1,3369 @@
+type byte, name;
+function OneByteToInt(byte) returns (int);
+function TwoBytesToInt(byte, byte) returns (int);
+function FourBytesToInt(byte, byte, byte, byte) returns (int);
+axiom(forall b0:byte, c0:byte :: {OneByteToInt(b0), OneByteToInt(c0)} OneByteToInt(b0) == OneByteToInt(c0) ==> b0 == c0);
+axiom(forall b0:byte, b1: byte, c0:byte, c1:byte :: {TwoBytesToInt(b0, b1), TwoBytesToInt(c0, c1)} TwoBytesToInt(b0, b1) == TwoBytesToInt(c0, c1) ==> b0 == c0 && b1 == c1);
+axiom(forall b0:byte, b1: byte, b2:byte, b3:byte, c0:byte, c1:byte, c2:byte, c3:byte :: {FourBytesToInt(b0, b1, b2, b3), FourBytesToInt(c0, c1, c2, c3)} FourBytesToInt(b0, b1, b2, b3) == FourBytesToInt(c0, c1, c2, c3) ==> b0 == c0 && b1 == c1 && b2 == c2 && b3 == c3);
+
+// Mutable
+var Mem_BYTE:[int]byte;
+var alloc:[int]name;
+
+
+function Field(int) returns (name);
+function Base(int) returns (int);
+
+// Constants
+const unique UNALLOCATED:name;
+const unique ALLOCATED: name;
+const unique FREED:name;
+
+const unique BYTE:name;
+
+function Equal([int]bool, [int]bool) returns (bool);
+function Subset([int]bool, [int]bool) returns (bool);
+function Disjoint([int]bool, [int]bool) returns (bool);
+
+function Empty() returns ([int]bool);
+function SetTrue() returns ([int]bool);
+function Singleton(int) returns ([int]bool);
+function Reachable([int,int]bool, int) returns ([int]bool);
+function Union([int]bool, [int]bool) returns ([int]bool);
+function Intersection([int]bool, [int]bool) returns ([int]bool);
+function Difference([int]bool, [int]bool) returns ([int]bool);
+function Dereference([int]bool, [int]int) returns ([int]bool);
+function Inverse(f:[int]int, x:int) returns ([int]bool);
+
+function AtLeast(int, int) returns ([int]bool);
+function Rep(int, int) returns (int);
+axiom(forall n:int, x:int, y:int :: {AtLeast(n,x)[y]} AtLeast(n,x)[y] ==> x <= y && Rep(n,x) == Rep(n,y));
+axiom(forall n:int, x:int, y:int :: {AtLeast(n,x),Rep(n,x),Rep(n,y)} x <= y && Rep(n,x) == Rep(n,y) ==> AtLeast(n,x)[y]);
+axiom(forall n:int, x:int :: {AtLeast(n,x)} AtLeast(n,x)[x]);
+axiom(forall n:int, x:int, z:int :: {PLUS(x,n,z)} Rep(n,x) == Rep(n,PLUS(x,n,z)));
+axiom(forall n:int, x:int :: {Rep(n,x)} (exists k:int :: Rep(n,x) - x == n*k));
+
+/*
+function AtLeast(int, int) returns ([int]bool);
+function ModEqual(int, int, int) returns (bool);
+axiom(forall n:int, x:int :: ModEqual(n,x,x));
+axiom(forall n:int, x:int, y:int :: {ModEqual(n,x,y)} ModEqual(n,x,y) ==> ModEqual(n,y,x));
+axiom(forall n:int, x:int, y:int, z:int :: {ModEqual(n,x,y), ModEqual(n,y,z)} ModEqual(n,x,y) && ModEqual(n,y,z) ==> ModEqual(n,x,z));
+axiom(forall n:int, x:int, z:int :: {PLUS(x,n,z)} ModEqual(n,x,PLUS(x,n,z)));
+axiom(forall n:int, x:int, y:int :: {ModEqual(n,x,y)} ModEqual(n,x,y) ==> (exists k:int :: x - y == n*k));
+axiom(forall x:int, n:int, y:int :: {AtLeast(n,x)[y]}{ModEqual(n,x,y)} AtLeast(n,x)[y] <==> x <= y && ModEqual(n,x,y));
+axiom(forall x:int, n:int :: {AtLeast(n,x)} AtLeast(n,x)[x]);
+*/
+
+function Array(int, int, int) returns ([int]bool);
+axiom(forall x:int, n:int, z:int :: {Array(x,n,z)} z <= 0 ==> Equal(Array(x,n,z), Empty()));
+axiom(forall x:int, n:int, z:int :: {Array(x,n,z)} z > 0 ==> Equal(Array(x,n,z), Difference(AtLeast(n,x),AtLeast(n,PLUS(x,n,z)))));
+
+
+axiom(forall x:int :: !Empty()[x]);
+
+axiom(forall x:int :: SetTrue()[x]);
+
+axiom(forall x:int, y:int :: {Singleton(y)[x]} Singleton(y)[x] <==> x == y);
+axiom(forall y:int :: {Singleton(y)} Singleton(y)[y]);
+
+/* this formulation of Union IS more complete than the earlier one */
+/* (A U B)[e], A[d], A U B = Singleton(c), d != e */
+axiom(forall x:int, S:[int]bool, T:[int]bool :: {Union(S,T)[x]}{Union(S,T),S[x]}{Union(S,T),T[x]} Union(S,T)[x] <==> S[x] || T[x]);
+axiom(forall x:int, S:[int]bool, T:[int]bool :: {Intersection(S,T)[x]}{Intersection(S,T),S[x]}{Intersection(S,T),T[x]} Intersection(S,T)[x] <==> S[x] && T[x]);
+axiom(forall x:int, S:[int]bool, T:[int]bool :: {Difference(S,T)[x]}{Difference(S,T),S[x]}{Difference(S,T),T[x]} Difference(S,T)[x] <==> S[x] && !T[x]);
+
+axiom(forall S:[int]bool, T:[int]bool :: {Equal(S,T)} Equal(S,T) <==> Subset(S,T) && Subset(T,S));
+axiom(forall x:int, S:[int]bool, T:[int]bool :: {S[x],Subset(S,T)}{T[x],Subset(S,T)} S[x] && Subset(S,T) ==> T[x]);
+axiom(forall S:[int]bool, T:[int]bool :: {Subset(S,T)} Subset(S,T) || (exists x:int :: S[x] && !T[x]));
+axiom(forall x:int, S:[int]bool, T:[int]bool :: {S[x],Disjoint(S,T)}{T[x],Disjoint(S,T)} !(S[x] && Disjoint(S,T) && T[x]));
+axiom(forall S:[int]bool, T:[int]bool :: {Disjoint(S,T)} Disjoint(S,T) || (exists x:int :: S[x] && T[x]));
+
+axiom(forall f:[int]int, x:int :: {Inverse(f,f[x])} Inverse(f,f[x])[x]);
+axiom(forall f:[int]int, x:int, y:int :: {Inverse(f,y), f[x]} Inverse(f,y)[x] ==> f[x] == y);
+axiom(forall f:[int]int, x:int, y:int :: {Inverse(f[x := y],y)} Equal(Inverse(f[x := y],y), Union(Inverse(f,y), Singleton(x))));
+axiom(forall f:[int]int, x:int, y:int, z:int :: {Inverse(f[x := y],z)} y == z || Equal(Inverse(f[x := y],z), Difference(Inverse(f,z), Singleton(x))));
+
+
+axiom(forall x:int, S:[int]bool, M:[int]int :: {Dereference(S,M)[x]} Dereference(S,M)[x] ==> (exists y:int :: x == M[y] && S[y]));
+axiom(forall x:int, S:[int]bool, M:[int]int :: {M[x], S[x], Dereference(S,M)} S[x] ==> Dereference(S,M)[M[x]]);
+axiom(forall x:int, y:int, S:[int]bool, M:[int]int :: {Dereference(S,M[x := y])} !S[x] ==> Equal(Dereference(S,M[x := y]), Dereference(S,M)));
+axiom(forall x:int, y:int, S:[int]bool, M:[int]int :: {Dereference(S,M[x := y])}
+ S[x] && Equal(Intersection(Inverse(M,M[x]), S), Singleton(x)) ==> Equal(Dereference(S,M[x := y]), Union(Difference(Dereference(S,M), Singleton(M[x])), Singleton(y))));
+axiom(forall x:int, y:int, S:[int]bool, M:[int]int :: {Dereference(S,M[x := y])}
+ S[x] && !Equal(Intersection(Inverse(M,M[x]), S), Singleton(x)) ==> Equal(Dereference(S,M[x := y]), Union(Dereference(S,M), Singleton(y))));
+
+function Unified([name][int]int) returns ([int]int);
+axiom(forall M:[name][int]int, x:int :: {Unified(M)[x]} Unified(M)[x] == M[Field(x)][x]);
+axiom(forall M:[name][int]int, x:int, y:int :: {Unified(M[Field(x) := M[Field(x)][x := y]])} Unified(M[Field(x) := M[Field(x)][x := y]]) == Unified(M)[x := y]);
+// Memory model
+
+var Mem: [name][int]int;
+
+function Match(a:int, t:name) returns (bool);
+function HasType(v:int, t:name, m:[name][int]int) returns (bool);
+function Values(t:name, m:[name][int]int) returns ([int]bool);
+function T.Ptr(t:name) returns (name);
+
+axiom(forall v:int, t:name, m:[name][int]int :: {Values(t, m)[v]} Values(t, m)[v] ==> HasType(v, t, m));
+axiom(forall v:int, t:name, m:[name][int]int :: {HasType(v, t, m), Values(t, m)} HasType(v, t, m) ==> Values(t, m)[v]);
+
+axiom(forall a:int, t:name :: {Match(a, T.Ptr(t))} Match(a, T.Ptr(t)) <==> Field(a) == T.Ptr(t));
+axiom(forall v:int, t:name, m:[name][int]int :: {HasType(v, T.Ptr(t), m)} HasType(v, T.Ptr(t), m) <==> (v == 0 || (v > 0 && Match(v, t))));
+
+axiom(forall v:int, t:name, m1:[name][int]int, m2:[name][int]int :: {HasType(v, t, m1), HasType(v, t, m2)}
+ (HasType(v, t, m1) <==> HasType(v, t, m2)));
+
+// Field declarations
+
+const unique T.Guid_WMIGUIDREGINFO:name;
+const unique T.InstanceCount_WMIGUIDREGINFO:name;
+const unique T.Flags_WMIGUIDREGINFO:name;
+const unique T.OperationID__ACCESS_STATE:name;
+const unique T.SecurityEvaluated__ACCESS_STATE:name;
+const unique T.GenerateAudit__ACCESS_STATE:name;
+const unique T.GenerateOnClose__ACCESS_STATE:name;
+const unique T.PrivilegesAllocated__ACCESS_STATE:name;
+const unique T.Flags__ACCESS_STATE:name;
+const unique T.RemainingDesiredAccess__ACCESS_STATE:name;
+const unique T.PreviouslyGrantedAccess__ACCESS_STATE:name;
+const unique T.OriginalDesiredAccess__ACCESS_STATE:name;
+const unique T.SubjectSecurityContext__ACCESS_STATE:name;
+const unique T.SecurityDescriptor__ACCESS_STATE:name;
+const unique T.AuxData__ACCESS_STATE:name;
+const unique T.Privileges__ACCESS_STATE:name;
+const unique T.AuditPrivileges__ACCESS_STATE:name;
+const unique T.ObjectName__ACCESS_STATE:name;
+const unique T.ObjectTypeName__ACCESS_STATE:name;
+const unique T.InterfaceType__CM_FULL_RESOURCE_DESCRIPTOR:name;
+const unique T.BusNumber__CM_FULL_RESOURCE_DESCRIPTOR:name;
+const unique T.PartialResourceList__CM_FULL_RESOURCE_DESCRIPTOR:name;
+const unique T.Type__CM_PARTIAL_RESOURCE_DESCRIPTOR:name;
+const unique T.ShareDisposition__CM_PARTIAL_RESOURCE_DESCRIPTOR:name;
+const unique T.Flags__CM_PARTIAL_RESOURCE_DESCRIPTOR:name;
+const unique T.u__CM_PARTIAL_RESOURCE_DESCRIPTOR:name;
+const unique T.Version__CM_PARTIAL_RESOURCE_LIST:name;
+const unique T.Revision__CM_PARTIAL_RESOURCE_LIST:name;
+const unique T.Count__CM_PARTIAL_RESOURCE_LIST:name;
+const unique T.PartialDescriptors__CM_PARTIAL_RESOURCE_LIST:name;
+const unique T.Count__CM_RESOURCE_LIST:name;
+const unique T.List__CM_RESOURCE_LIST:name;
+const unique T.Size__DEVICE_CAPABILITIES:name;
+const unique T.Version__DEVICE_CAPABILITIES:name;
+const unique T.DeviceD1__DEVICE_CAPABILITIES:name;
+const unique T.DeviceD2__DEVICE_CAPABILITIES:name;
+const unique T.LockSupported__DEVICE_CAPABILITIES:name;
+const unique T.EjectSupported__DEVICE_CAPABILITIES:name;
+const unique T.Removable__DEVICE_CAPABILITIES:name;
+const unique T.DockDevice__DEVICE_CAPABILITIES:name;
+const unique T.UniqueID__DEVICE_CAPABILITIES:name;
+const unique T.SilentInstall__DEVICE_CAPABILITIES:name;
+const unique T.RawDeviceOK__DEVICE_CAPABILITIES:name;
+const unique T.SurpriseRemovalOK__DEVICE_CAPABILITIES:name;
+const unique T.WakeFromD0__DEVICE_CAPABILITIES:name;
+const unique T.WakeFromD1__DEVICE_CAPABILITIES:name;
+const unique T.WakeFromD2__DEVICE_CAPABILITIES:name;
+const unique T.WakeFromD3__DEVICE_CAPABILITIES:name;
+const unique T.HardwareDisabled__DEVICE_CAPABILITIES:name;
+const unique T.NonDynamic__DEVICE_CAPABILITIES:name;
+const unique T.WarmEjectSupported__DEVICE_CAPABILITIES:name;
+const unique T.NoDisplayInUI__DEVICE_CAPABILITIES:name;
+const unique T.Reserved__DEVICE_CAPABILITIES:name;
+const unique T.Address__DEVICE_CAPABILITIES:name;
+const unique T.UINumber__DEVICE_CAPABILITIES:name;
+const unique T.DeviceState__DEVICE_CAPABILITIES:name;
+const unique T.SystemWake__DEVICE_CAPABILITIES:name;
+const unique T.DeviceWake__DEVICE_CAPABILITIES:name;
+const unique T.D1Latency__DEVICE_CAPABILITIES:name;
+const unique T.D2Latency__DEVICE_CAPABILITIES:name;
+const unique T.D3Latency__DEVICE_CAPABILITIES:name;
+const unique T.Self__DEVICE_EXTENSION:name;
+const unique T.TrueClassDevice__DEVICE_EXTENSION:name;
+const unique T.TopPort__DEVICE_EXTENSION:name;
+const unique T.PDO__DEVICE_EXTENSION:name;
+const unique T.RemoveLock__DEVICE_EXTENSION:name;
+const unique T.PnP__DEVICE_EXTENSION:name;
+const unique T.Started__DEVICE_EXTENSION:name;
+const unique T.OkayToLogOverflow__DEVICE_EXTENSION:name;
+const unique T.WaitWakeSpinLock__DEVICE_EXTENSION:name;
+const unique T.TrustedSubsystemCount__DEVICE_EXTENSION:name;
+const unique T.InputCount__DEVICE_EXTENSION:name;
+const unique T.SymbolicLinkName__DEVICE_EXTENSION:name;
+const unique T.InputData__DEVICE_EXTENSION:name;
+const unique T.DataIn__DEVICE_EXTENSION:name;
+const unique T.DataOut__DEVICE_EXTENSION:name;
+const unique T.MouseAttributes__DEVICE_EXTENSION:name;
+const unique T.SpinLock__DEVICE_EXTENSION:name;
+const unique T.ReadQueue__DEVICE_EXTENSION:name;
+const unique T.SequenceNumber__DEVICE_EXTENSION:name;
+const unique T.DeviceState__DEVICE_EXTENSION:name;
+const unique T.SystemState__DEVICE_EXTENSION:name;
+const unique T.UnitId__DEVICE_EXTENSION:name;
+const unique T.WmiLibInfo__DEVICE_EXTENSION:name;
+const unique T.SystemToDeviceState__DEVICE_EXTENSION:name;
+const unique T.MinDeviceWakeState__DEVICE_EXTENSION:name;
+const unique T.MinSystemWakeState__DEVICE_EXTENSION:name;
+const unique T.WaitWakeIrp__DEVICE_EXTENSION:name;
+const unique T.ExtraWaitWakeIrp__DEVICE_EXTENSION:name;
+const unique T.TargetNotifyHandle__DEVICE_EXTENSION:name;
+const unique T.Link__DEVICE_EXTENSION:name;
+const unique T.File__DEVICE_EXTENSION:name;
+const unique T.Enabled__DEVICE_EXTENSION:name;
+const unique T.WaitWakeEnabled__DEVICE_EXTENSION:name;
+const unique T.SurpriseRemoved__DEVICE_EXTENSION:name;
+const unique T.Type__DEVICE_OBJECT:name;
+const unique T.Size__DEVICE_OBJECT:name;
+const unique T.ReferenceCount__DEVICE_OBJECT:name;
+const unique T.DriverObject__DEVICE_OBJECT:name;
+const unique T.NextDevice__DEVICE_OBJECT:name;
+const unique T.AttachedDevice__DEVICE_OBJECT:name;
+const unique T.CurrentIrp__DEVICE_OBJECT:name;
+const unique T.Timer__DEVICE_OBJECT:name;
+const unique T.Flags__DEVICE_OBJECT:name;
+const unique T.Characteristics__DEVICE_OBJECT:name;
+const unique T.Vpb__DEVICE_OBJECT:name;
+const unique T.DeviceExtension__DEVICE_OBJECT:name;
+const unique T.DeviceType__DEVICE_OBJECT:name;
+const unique T.StackSize__DEVICE_OBJECT:name;
+const unique T.Queue__DEVICE_OBJECT:name;
+const unique T.AlignmentRequirement__DEVICE_OBJECT:name;
+const unique T.DeviceQueue__DEVICE_OBJECT:name;
+const unique T.Dpc__DEVICE_OBJECT:name;
+const unique T.ActiveThreadCount__DEVICE_OBJECT:name;
+const unique T.SecurityDescriptor__DEVICE_OBJECT:name;
+const unique T.DeviceLock__DEVICE_OBJECT:name;
+const unique T.SectorSize__DEVICE_OBJECT:name;
+const unique T.Spare1__DEVICE_OBJECT:name;
+const unique T.DeviceObjectExtension__DEVICE_OBJECT:name;
+const unique T.Reserved__DEVICE_OBJECT:name;
+const unique T.Type__DEVOBJ_EXTENSION:name;
+const unique T.Size__DEVOBJ_EXTENSION:name;
+const unique T.DeviceObject__DEVOBJ_EXTENSION:name;
+const unique T.__unnamed_4_c9b2e921__DISPATCHER_HEADER:name;
+const unique T.SignalState__DISPATCHER_HEADER:name;
+const unique T.WaitListHead__DISPATCHER_HEADER:name;
+const unique T.DriverObject__DRIVER_EXTENSION:name;
+const unique T.AddDevice__DRIVER_EXTENSION:name;
+const unique T.Count__DRIVER_EXTENSION:name;
+const unique T.ServiceKeyName__DRIVER_EXTENSION:name;
+const unique T.Type__DRIVER_OBJECT:name;
+const unique T.Size__DRIVER_OBJECT:name;
+const unique T.DeviceObject__DRIVER_OBJECT:name;
+const unique T.Flags__DRIVER_OBJECT:name;
+const unique T.DriverStart__DRIVER_OBJECT:name;
+const unique T.DriverSize__DRIVER_OBJECT:name;
+const unique T.DriverSection__DRIVER_OBJECT:name;
+const unique T.DriverExtension__DRIVER_OBJECT:name;
+const unique T.DriverName__DRIVER_OBJECT:name;
+const unique T.HardwareDatabase__DRIVER_OBJECT:name;
+const unique T.FastIoDispatch__DRIVER_OBJECT:name;
+const unique T.DriverInit__DRIVER_OBJECT:name;
+const unique T.DriverStartIo__DRIVER_OBJECT:name;
+const unique T.DriverUnload__DRIVER_OBJECT:name;
+const unique T.MajorFunction__DRIVER_OBJECT:name;
+const unique T.SystemResourcesList__ERESOURCE:name;
+const unique T.OwnerTable__ERESOURCE:name;
+const unique T.ActiveCount__ERESOURCE:name;
+const unique T.Flag__ERESOURCE:name;
+const unique T.SharedWaiters__ERESOURCE:name;
+const unique T.ExclusiveWaiters__ERESOURCE:name;
+const unique T.OwnerEntry__ERESOURCE:name;
+const unique T.ActiveEntries__ERESOURCE:name;
+const unique T.ContentionCount__ERESOURCE:name;
+const unique T.NumberOfSharedWaiters__ERESOURCE:name;
+const unique T.NumberOfExclusiveWaiters__ERESOURCE:name;
+const unique T.__unnamed_4_46b62f69__ERESOURCE:name;
+const unique T.SpinLock__ERESOURCE:name;
+const unique T.SizeOfFastIoDispatch__FAST_IO_DISPATCH:name;
+const unique T.FastIoCheckIfPossible__FAST_IO_DISPATCH:name;
+const unique T.FastIoRead__FAST_IO_DISPATCH:name;
+const unique T.FastIoWrite__FAST_IO_DISPATCH:name;
+const unique T.FastIoQueryBasicInfo__FAST_IO_DISPATCH:name;
+const unique T.FastIoQueryStandardInfo__FAST_IO_DISPATCH:name;
+const unique T.FastIoLock__FAST_IO_DISPATCH:name;
+const unique T.FastIoUnlockSingle__FAST_IO_DISPATCH:name;
+const unique T.FastIoUnlockAll__FAST_IO_DISPATCH:name;
+const unique T.FastIoUnlockAllByKey__FAST_IO_DISPATCH:name;
+const unique T.FastIoDeviceControl__FAST_IO_DISPATCH:name;
+const unique T.AcquireFileForNtCreateSection__FAST_IO_DISPATCH:name;
+const unique T.ReleaseFileForNtCreateSection__FAST_IO_DISPATCH:name;
+const unique T.FastIoDetachDevice__FAST_IO_DISPATCH:name;
+const unique T.FastIoQueryNetworkOpenInfo__FAST_IO_DISPATCH:name;
+const unique T.AcquireForModWrite__FAST_IO_DISPATCH:name;
+const unique T.MdlRead__FAST_IO_DISPATCH:name;
+const unique T.MdlReadComplete__FAST_IO_DISPATCH:name;
+const unique T.PrepareMdlWrite__FAST_IO_DISPATCH:name;
+const unique T.MdlWriteComplete__FAST_IO_DISPATCH:name;
+const unique T.FastIoReadCompressed__FAST_IO_DISPATCH:name;
+const unique T.FastIoWriteCompressed__FAST_IO_DISPATCH:name;
+const unique T.MdlReadCompleteCompressed__FAST_IO_DISPATCH:name;
+const unique T.MdlWriteCompleteCompressed__FAST_IO_DISPATCH:name;
+const unique T.FastIoQueryOpen__FAST_IO_DISPATCH:name;
+const unique T.ReleaseForModWrite__FAST_IO_DISPATCH:name;
+const unique T.AcquireForCcFlush__FAST_IO_DISPATCH:name;
+const unique T.ReleaseForCcFlush__FAST_IO_DISPATCH:name;
+const unique T.Count__FAST_MUTEX:name;
+const unique T.Owner__FAST_MUTEX:name;
+const unique T.Contention__FAST_MUTEX:name;
+const unique T.Gate__FAST_MUTEX:name;
+const unique T.OldIrql__FAST_MUTEX:name;
+const unique T.CreationTime__FILE_BASIC_INFORMATION:name;
+const unique T.LastAccessTime__FILE_BASIC_INFORMATION:name;
+const unique T.LastWriteTime__FILE_BASIC_INFORMATION:name;
+const unique T.ChangeTime__FILE_BASIC_INFORMATION:name;
+const unique T.FileAttributes__FILE_BASIC_INFORMATION:name;
+const unique T.CreationTime__FILE_NETWORK_OPEN_INFORMATION:name;
+const unique T.LastAccessTime__FILE_NETWORK_OPEN_INFORMATION:name;
+const unique T.LastWriteTime__FILE_NETWORK_OPEN_INFORMATION:name;
+const unique T.ChangeTime__FILE_NETWORK_OPEN_INFORMATION:name;
+const unique T.AllocationSize__FILE_NETWORK_OPEN_INFORMATION:name;
+const unique T.EndOfFile__FILE_NETWORK_OPEN_INFORMATION:name;
+const unique T.FileAttributes__FILE_NETWORK_OPEN_INFORMATION:name;
+const unique T.Type__FILE_OBJECT:name;
+const unique T.Size__FILE_OBJECT:name;
+const unique T.DeviceObject__FILE_OBJECT:name;
+const unique T.Vpb__FILE_OBJECT:name;
+const unique T.FsContext__FILE_OBJECT:name;
+const unique T.FsContext2__FILE_OBJECT:name;
+const unique T.SectionObjectPointer__FILE_OBJECT:name;
+const unique T.PrivateCacheMap__FILE_OBJECT:name;
+const unique T.FinalStatus__FILE_OBJECT:name;
+const unique T.RelatedFileObject__FILE_OBJECT:name;
+const unique T.LockOperation__FILE_OBJECT:name;
+const unique T.DeletePending__FILE_OBJECT:name;
+const unique T.ReadAccess__FILE_OBJECT:name;
+const unique T.WriteAccess__FILE_OBJECT:name;
+const unique T.DeleteAccess__FILE_OBJECT:name;
+const unique T.SharedRead__FILE_OBJECT:name;
+const unique T.SharedWrite__FILE_OBJECT:name;
+const unique T.SharedDelete__FILE_OBJECT:name;
+const unique T.Flags__FILE_OBJECT:name;
+const unique T.FileName__FILE_OBJECT:name;
+const unique T.CurrentByteOffset__FILE_OBJECT:name;
+const unique T.Waiters__FILE_OBJECT:name;
+const unique T.Busy__FILE_OBJECT:name;
+const unique T.LastLock__FILE_OBJECT:name;
+const unique T.Lock__FILE_OBJECT:name;
+const unique T.Event__FILE_OBJECT:name;
+const unique T.CompletionContext__FILE_OBJECT:name;
+const unique T.IrpListLock__FILE_OBJECT:name;
+const unique T.IrpList__FILE_OBJECT:name;
+const unique T.FileObjectExtension__FILE_OBJECT:name;
+const unique T.AllocationSize__FILE_STANDARD_INFORMATION:name;
+const unique T.EndOfFile__FILE_STANDARD_INFORMATION:name;
+const unique T.NumberOfLinks__FILE_STANDARD_INFORMATION:name;
+const unique T.DeletePending__FILE_STANDARD_INFORMATION:name;
+const unique T.Directory__FILE_STANDARD_INFORMATION:name;
+const unique T.Debug__GLOBALS:name;
+const unique T.GrandMaster__GLOBALS:name;
+const unique T.AssocClassList__GLOBALS:name;
+const unique T.NumAssocClass__GLOBALS:name;
+const unique T.Opens__GLOBALS:name;
+const unique T.NumberLegacyPorts__GLOBALS:name;
+const unique T.Mutex__GLOBALS:name;
+const unique T.ConnectOneClassToOnePort__GLOBALS:name;
+const unique T.PortsServiced__GLOBALS:name;
+const unique T.InitExtension__GLOBALS:name;
+const unique T.RegistryPath__GLOBALS:name;
+const unique T.BaseClassName__GLOBALS:name;
+const unique T.BaseClassBuffer__GLOBALS:name;
+const unique T.LegacyDeviceList__GLOBALS:name;
+const unique T.Data1__GUID:name;
+const unique T.Data2__GUID:name;
+const unique T.Data3__GUID:name;
+const unique T.Data4__GUID:name;
+const unique T.PrivilegeCount__INITIAL_PRIVILEGE_SET:name;
+const unique T.Control__INITIAL_PRIVILEGE_SET:name;
+const unique T.Privilege__INITIAL_PRIVILEGE_SET:name;
+const unique T.Size__INTERFACE:name;
+const unique T.Version__INTERFACE:name;
+const unique T.Context__INTERFACE:name;
+const unique T.InterfaceReference__INTERFACE:name;
+const unique T.InterfaceDereference__INTERFACE:name;
+const unique T.Port__IO_COMPLETION_CONTEXT:name;
+const unique T.Key__IO_COMPLETION_CONTEXT:name;
+const unique T.Common__IO_REMOVE_LOCK:name;
+const unique T.Dbg__IO_REMOVE_LOCK:name;
+const unique T.Removed__IO_REMOVE_LOCK_COMMON_BLOCK:name;
+const unique T.Reserved__IO_REMOVE_LOCK_COMMON_BLOCK:name;
+const unique T.IoCount__IO_REMOVE_LOCK_COMMON_BLOCK:name;
+const unique T.RemoveEvent__IO_REMOVE_LOCK_COMMON_BLOCK:name;
+const unique T.Signature__IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T.HighWatermark__IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T.MaxLockedTicks__IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T.AllocateTag__IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T.LockList__IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T.Spin__IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T.LowMemoryCount__IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T.Reserved1__IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T.Reserved2__IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T.Blocks__IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T.Option__IO_RESOURCE_DESCRIPTOR:name;
+const unique T.Type__IO_RESOURCE_DESCRIPTOR:name;
+const unique T.ShareDisposition__IO_RESOURCE_DESCRIPTOR:name;
+const unique T.Spare1__IO_RESOURCE_DESCRIPTOR:name;
+const unique T.Flags__IO_RESOURCE_DESCRIPTOR:name;
+const unique T.Spare2__IO_RESOURCE_DESCRIPTOR:name;
+const unique T.u__IO_RESOURCE_DESCRIPTOR:name;
+const unique T.Version__IO_RESOURCE_LIST:name;
+const unique T.Revision__IO_RESOURCE_LIST:name;
+const unique T.Count__IO_RESOURCE_LIST:name;
+const unique T.Descriptors__IO_RESOURCE_LIST:name;
+const unique T.ListSize__IO_RESOURCE_REQUIREMENTS_LIST:name;
+const unique T.InterfaceType__IO_RESOURCE_REQUIREMENTS_LIST:name;
+const unique T.BusNumber__IO_RESOURCE_REQUIREMENTS_LIST:name;
+const unique T.SlotNumber__IO_RESOURCE_REQUIREMENTS_LIST:name;
+const unique T.Reserved__IO_RESOURCE_REQUIREMENTS_LIST:name;
+const unique T.AlternativeLists__IO_RESOURCE_REQUIREMENTS_LIST:name;
+const unique T.List__IO_RESOURCE_REQUIREMENTS_LIST:name;
+const unique T.SecurityQos__IO_SECURITY_CONTEXT:name;
+const unique T.AccessState__IO_SECURITY_CONTEXT:name;
+const unique T.DesiredAccess__IO_SECURITY_CONTEXT:name;
+const unique T.FullCreateOptions__IO_SECURITY_CONTEXT:name;
+const unique T.MajorFunction__IO_STACK_LOCATION:name;
+const unique T.MinorFunction__IO_STACK_LOCATION:name;
+const unique T.Flags__IO_STACK_LOCATION:name;
+const unique T.Control__IO_STACK_LOCATION:name;
+const unique T.Parameters__IO_STACK_LOCATION:name;
+const unique T.DeviceObject__IO_STACK_LOCATION:name;
+const unique T.FileObject__IO_STACK_LOCATION:name;
+const unique T.CompletionRoutine__IO_STACK_LOCATION:name;
+const unique T.Context__IO_STACK_LOCATION:name;
+const unique T.__unnamed_4_16aff58e__IO_STATUS_BLOCK:name;
+const unique T.Information__IO_STATUS_BLOCK:name;
+const unique T.Type__IRP:name;
+const unique T.Size__IRP:name;
+const unique T.MdlAddress__IRP:name;
+const unique T.Flags__IRP:name;
+const unique T.AssociatedIrp__IRP:name;
+const unique T.ThreadListEntry__IRP:name;
+const unique T.IoStatus__IRP:name;
+const unique T.RequestorMode__IRP:name;
+const unique T.PendingReturned__IRP:name;
+const unique T.StackCount__IRP:name;
+const unique T.CurrentLocation__IRP:name;
+const unique T.Cancel__IRP:name;
+const unique T.CancelIrql__IRP:name;
+const unique T.ApcEnvironment__IRP:name;
+const unique T.AllocationFlags__IRP:name;
+const unique T.UserIosb__IRP:name;
+const unique T.UserEvent__IRP:name;
+const unique T.Overlay__IRP:name;
+const unique T.CancelRoutine__IRP:name;
+const unique T.UserBuffer__IRP:name;
+const unique T.Tail__IRP:name;
+const unique T.Type__KAPC:name;
+const unique T.SpareByte0__KAPC:name;
+const unique T.Size__KAPC:name;
+const unique T.SpareByte1__KAPC:name;
+const unique T.SpareLong0__KAPC:name;
+const unique T.Thread__KAPC:name;
+const unique T.ApcListEntry__KAPC:name;
+const unique T.KernelRoutine__KAPC:name;
+const unique T.RundownRoutine__KAPC:name;
+const unique T.NormalRoutine__KAPC:name;
+const unique T.NormalContext__KAPC:name;
+const unique T.SystemArgument1__KAPC:name;
+const unique T.SystemArgument2__KAPC:name;
+const unique T.ApcStateIndex__KAPC:name;
+const unique T.ApcMode__KAPC:name;
+const unique T.Inserted__KAPC:name;
+const unique T.Type__KDEVICE_QUEUE:name;
+const unique T.Size__KDEVICE_QUEUE:name;
+const unique T.DeviceListHead__KDEVICE_QUEUE:name;
+const unique T.Lock__KDEVICE_QUEUE:name;
+const unique T.Busy__KDEVICE_QUEUE:name;
+const unique T.DeviceListEntry__KDEVICE_QUEUE_ENTRY:name;
+const unique T.SortKey__KDEVICE_QUEUE_ENTRY:name;
+const unique T.Inserted__KDEVICE_QUEUE_ENTRY:name;
+const unique T.Type__KDPC:name;
+const unique T.Importance__KDPC:name;
+const unique T.Number__KDPC:name;
+const unique T.DpcListEntry__KDPC:name;
+const unique T.DeferredRoutine__KDPC:name;
+const unique T.DeferredContext__KDPC:name;
+const unique T.SystemArgument1__KDPC:name;
+const unique T.SystemArgument2__KDPC:name;
+const unique T.DpcData__KDPC:name;
+const unique T.Header__KEVENT:name;
+const unique T.Header__KSEMAPHORE:name;
+const unique T.Limit__KSEMAPHORE:name;
+const unique T.__unnamed_8_8684a3e7__LARGE_INTEGER:name;
+const unique T.u__LARGE_INTEGER:name;
+const unique T.QuadPart__LARGE_INTEGER:name;
+const unique T.Flink__LIST_ENTRY:name;
+const unique T.Blink__LIST_ENTRY:name;
+const unique T.LowPart__LUID:name;
+const unique T.HighPart__LUID:name;
+const unique T.Luid__LUID_AND_ATTRIBUTES:name;
+const unique T.Attributes__LUID_AND_ATTRIBUTES:name;
+const unique T.Next__MDL:name;
+const unique T.Size__MDL:name;
+const unique T.MdlFlags__MDL:name;
+const unique T.Process__MDL:name;
+const unique T.MappedSystemVa__MDL:name;
+const unique T.StartVa__MDL:name;
+const unique T.ByteCount__MDL:name;
+const unique T.ByteOffset__MDL:name;
+const unique T.MouseIdentifier__MOUSE_ATTRIBUTES:name;
+const unique T.NumberOfButtons__MOUSE_ATTRIBUTES:name;
+const unique T.SampleRate__MOUSE_ATTRIBUTES:name;
+const unique T.InputDataQueueLength__MOUSE_ATTRIBUTES:name;
+const unique T.UnitId__MOUSE_INPUT_DATA:name;
+const unique T.Flags__MOUSE_INPUT_DATA:name;
+const unique T.__unnamed_4_9c11ed91__MOUSE_INPUT_DATA:name;
+const unique T.RawButtons__MOUSE_INPUT_DATA:name;
+const unique T.LastX__MOUSE_INPUT_DATA:name;
+const unique T.LastY__MOUSE_INPUT_DATA:name;
+const unique T.ExtraInformation__MOUSE_INPUT_DATA:name;
+const unique T.OwnerThread__OWNER_ENTRY:name;
+const unique T.__unnamed_4_c1e23b02__OWNER_ENTRY:name;
+const unique T.File__PORT:name;
+const unique T.Port__PORT:name;
+const unique T.Enabled__PORT:name;
+const unique T.Reserved__PORT:name;
+const unique T.Free__PORT:name;
+const unique T.SequenceD1__POWER_SEQUENCE:name;
+const unique T.SequenceD2__POWER_SEQUENCE:name;
+const unique T.SequenceD3__POWER_SEQUENCE:name;
+const unique T.SystemState__POWER_STATE:name;
+const unique T.DeviceState__POWER_STATE:name;
+const unique T.PrivilegeCount__PRIVILEGE_SET:name;
+const unique T.Control__PRIVILEGE_SET:name;
+const unique T.Privilege__PRIVILEGE_SET:name;
+const unique T.DataSectionObject__SECTION_OBJECT_POINTERS:name;
+const unique T.SharedCacheMap__SECTION_OBJECT_POINTERS:name;
+const unique T.ImageSectionObject__SECTION_OBJECT_POINTERS:name;
+const unique T.Length__SECURITY_QUALITY_OF_SERVICE:name;
+const unique T.ImpersonationLevel__SECURITY_QUALITY_OF_SERVICE:name;
+const unique T.ContextTrackingMode__SECURITY_QUALITY_OF_SERVICE:name;
+const unique T.EffectiveOnly__SECURITY_QUALITY_OF_SERVICE:name;
+const unique T.ClientToken__SECURITY_SUBJECT_CONTEXT:name;
+const unique T.ImpersonationLevel__SECURITY_SUBJECT_CONTEXT:name;
+const unique T.PrimaryToken__SECURITY_SUBJECT_CONTEXT:name;
+const unique T.ProcessAuditId__SECURITY_SUBJECT_CONTEXT:name;
+const unique T.__unnamed_4_b4f5a780__SYSTEM_POWER_STATE_CONTEXT:name;
+const unique T.Length__UNICODE_STRING:name;
+const unique T.MaximumLength__UNICODE_STRING:name;
+const unique T.Buffer__UNICODE_STRING:name;
+const unique T.Type__VPB:name;
+const unique T.Size__VPB:name;
+const unique T.Flags__VPB:name;
+const unique T.VolumeLabelLength__VPB:name;
+const unique T.DeviceObject__VPB:name;
+const unique T.RealDevice__VPB:name;
+const unique T.SerialNumber__VPB:name;
+const unique T.ReferenceCount__VPB:name;
+const unique T.VolumeLabel__VPB:name;
+const unique T.WaitQueueEntry__WAIT_CONTEXT_BLOCK:name;
+const unique T.DeviceRoutine__WAIT_CONTEXT_BLOCK:name;
+const unique T.DeviceContext__WAIT_CONTEXT_BLOCK:name;
+const unique T.NumberOfMapRegisters__WAIT_CONTEXT_BLOCK:name;
+const unique T.DeviceObject__WAIT_CONTEXT_BLOCK:name;
+const unique T.CurrentIrp__WAIT_CONTEXT_BLOCK:name;
+const unique T.BufferChainingDpc__WAIT_CONTEXT_BLOCK:name;
+const unique T.GuidCount__WMILIB_CONTEXT:name;
+const unique T.GuidList__WMILIB_CONTEXT:name;
+const unique T.QueryWmiRegInfo__WMILIB_CONTEXT:name;
+const unique T.QueryWmiDataBlock__WMILIB_CONTEXT:name;
+const unique T.SetWmiDataBlock__WMILIB_CONTEXT:name;
+const unique T.SetWmiDataItem__WMILIB_CONTEXT:name;
+const unique T.ExecuteWmiMethod__WMILIB_CONTEXT:name;
+const unique T.WmiFunctionControl__WMILIB_CONTEXT:name;
+const unique T.Start___unnamed_12_06b9ee6e:name;
+const unique T.Length48___unnamed_12_06b9ee6e:name;
+const unique T.Start___unnamed_12_0882bd02:name;
+const unique T.Length64___unnamed_12_0882bd02:name;
+const unique T.__unnamed_12_2e80217b___unnamed_12_264d0dab:name;
+const unique T.Raw___unnamed_12_2e80217b:name;
+const unique T.Translated___unnamed_12_2e80217b:name;
+const unique T.Data___unnamed_12_5cc7ace2:name;
+const unique T.Channel___unnamed_12_6374506e:name;
+const unique T.Port___unnamed_12_6374506e:name;
+const unique T.Reserved1___unnamed_12_6374506e:name;
+const unique T.Priority___unnamed_12_68a4278e:name;
+const unique T.Reserved1___unnamed_12_68a4278e:name;
+const unique T.Reserved2___unnamed_12_68a4278e:name;
+const unique T.Generic___unnamed_12_79ed2653:name;
+const unique T.Port___unnamed_12_79ed2653:name;
+const unique T.Interrupt___unnamed_12_79ed2653:name;
+const unique T.MessageInterrupt___unnamed_12_79ed2653:name;
+const unique T.Memory___unnamed_12_79ed2653:name;
+const unique T.Dma___unnamed_12_79ed2653:name;
+const unique T.DevicePrivate___unnamed_12_79ed2653:name;
+const unique T.BusNumber___unnamed_12_79ed2653:name;
+const unique T.DeviceSpecificData___unnamed_12_79ed2653:name;
+const unique T.Memory40___unnamed_12_79ed2653:name;
+const unique T.Memory48___unnamed_12_79ed2653:name;
+const unique T.Memory64___unnamed_12_79ed2653:name;
+const unique T.Start___unnamed_12_7da594c0:name;
+const unique T.Length40___unnamed_12_7da594c0:name;
+const unique T.Start___unnamed_12_9873e05d:name;
+const unique T.Length___unnamed_12_9873e05d:name;
+const unique T.DataSize___unnamed_12_9cc8cebc:name;
+const unique T.Reserved1___unnamed_12_9cc8cebc:name;
+const unique T.Reserved2___unnamed_12_9cc8cebc:name;
+const unique T.Start___unnamed_12_b98da82e:name;
+const unique T.Length___unnamed_12_b98da82e:name;
+const unique T.Level___unnamed_12_c2880e88:name;
+const unique T.Vector___unnamed_12_c2880e88:name;
+const unique T.Affinity___unnamed_12_c2880e88:name;
+const unique T.Start___unnamed_12_c49ab31a:name;
+const unique T.Length___unnamed_12_c49ab31a:name;
+const unique T.ListEntry___unnamed_12_c6ed93f3:name;
+const unique T.__unnamed_4_a7aa989c___unnamed_12_c6ed93f3:name;
+const unique T.Data___unnamed_12_ced61554:name;
+const unique T.Reserved___unnamed_12_d9c44df5:name;
+const unique T.MessageCount___unnamed_12_d9c44df5:name;
+const unique T.Vector___unnamed_12_d9c44df5:name;
+const unique T.Affinity___unnamed_12_d9c44df5:name;
+const unique T.Start___unnamed_12_db3dcbfc:name;
+const unique T.Length___unnamed_12_db3dcbfc:name;
+const unique T.Reserved___unnamed_12_db3dcbfc:name;
+const unique T.Level___unnamed_12_fb26b3fc:name;
+const unique T.Vector___unnamed_12_fb26b3fc:name;
+const unique T.Affinity___unnamed_12_fb26b3fc:name;
+const unique T.OutputBufferLength___unnamed_16_22e4d054:name;
+const unique T.InputBufferLength___unnamed_16_22e4d054:name;
+const unique T.IoControlCode___unnamed_16_22e4d054:name;
+const unique T.Type3InputBuffer___unnamed_16_22e4d054:name;
+const unique T.Create___unnamed_16_39b626ad:name;
+const unique T.Read___unnamed_16_39b626ad:name;
+const unique T.Write___unnamed_16_39b626ad:name;
+const unique T.QueryDirectory___unnamed_16_39b626ad:name;
+const unique T.NotifyDirectory___unnamed_16_39b626ad:name;
+const unique T.QueryFile___unnamed_16_39b626ad:name;
+const unique T.SetFile___unnamed_16_39b626ad:name;
+const unique T.QueryEa___unnamed_16_39b626ad:name;
+const unique T.SetEa___unnamed_16_39b626ad:name;
+const unique T.QueryVolume___unnamed_16_39b626ad:name;
+const unique T.SetVolume___unnamed_16_39b626ad:name;
+const unique T.FileSystemControl___unnamed_16_39b626ad:name;
+const unique T.LockControl___unnamed_16_39b626ad:name;
+const unique T.DeviceIoControl___unnamed_16_39b626ad:name;
+const unique T.QuerySecurity___unnamed_16_39b626ad:name;
+const unique T.SetSecurity___unnamed_16_39b626ad:name;
+const unique T.MountVolume___unnamed_16_39b626ad:name;
+const unique T.VerifyVolume___unnamed_16_39b626ad:name;
+const unique T.Scsi___unnamed_16_39b626ad:name;
+const unique T.QueryQuota___unnamed_16_39b626ad:name;
+const unique T.SetQuota___unnamed_16_39b626ad:name;
+const unique T.QueryDeviceRelations___unnamed_16_39b626ad:name;
+const unique T.QueryInterface___unnamed_16_39b626ad:name;
+const unique T.DeviceCapabilities___unnamed_16_39b626ad:name;
+const unique T.FilterResourceRequirements___unnamed_16_39b626ad:name;
+const unique T.ReadWriteConfig___unnamed_16_39b626ad:name;
+const unique T.SetLock___unnamed_16_39b626ad:name;
+const unique T.QueryId___unnamed_16_39b626ad:name;
+const unique T.QueryDeviceText___unnamed_16_39b626ad:name;
+const unique T.UsageNotification___unnamed_16_39b626ad:name;
+const unique T.WaitWake___unnamed_16_39b626ad:name;
+const unique T.PowerSequence___unnamed_16_39b626ad:name;
+const unique T.Power___unnamed_16_39b626ad:name;
+const unique T.StartDevice___unnamed_16_39b626ad:name;
+const unique T.WMI___unnamed_16_39b626ad:name;
+const unique T.Others___unnamed_16_39b626ad:name;
+const unique T.WhichSpace___unnamed_16_56c011d7:name;
+const unique T.Buffer___unnamed_16_56c011d7:name;
+const unique T.Offset___unnamed_16_56c011d7:name;
+const unique T.Length___unnamed_16_56c011d7:name;
+const unique T.DeviceQueueEntry___unnamed_16_5fed8f23:name;
+const unique T.__unnamed_16_ae643f17___unnamed_16_5fed8f23:name;
+const unique T.Length___unnamed_16_6be9abe0:name;
+const unique T.FileName___unnamed_16_6be9abe0:name;
+const unique T.FileInformationClass___unnamed_16_6be9abe0:name;
+const unique T.FileIndex___unnamed_16_6be9abe0:name;
+const unique T.InterfaceType___unnamed_16_78879a38:name;
+const unique T.Size___unnamed_16_78879a38:name;
+const unique T.Version___unnamed_16_78879a38:name;
+const unique T.Interface___unnamed_16_78879a38:name;
+const unique T.InterfaceSpecificData___unnamed_16_78879a38:name;
+const unique T.Length___unnamed_16_804a2f24:name;
+const unique T.StartSid___unnamed_16_804a2f24:name;
+const unique T.SidList___unnamed_16_804a2f24:name;
+const unique T.SidListLength___unnamed_16_804a2f24:name;
+const unique T.Argument1___unnamed_16_8586693f:name;
+const unique T.Argument2___unnamed_16_8586693f:name;
+const unique T.Argument3___unnamed_16_8586693f:name;
+const unique T.Argument4___unnamed_16_8586693f:name;
+const unique T.Length___unnamed_16_8831e65f:name;
+const unique T.Key___unnamed_16_8831e65f:name;
+const unique T.ByteOffset___unnamed_16_8831e65f:name;
+const unique T.SecurityContext___unnamed_16_8c2d663a:name;
+const unique T.Options___unnamed_16_8c2d663a:name;
+const unique T.FileAttributes___unnamed_16_8c2d663a:name;
+const unique T.ShareAccess___unnamed_16_8c2d663a:name;
+const unique T.EaLength___unnamed_16_8c2d663a:name;
+const unique T.Length___unnamed_16_913b9a7a:name;
+const unique T.Key___unnamed_16_913b9a7a:name;
+const unique T.ByteOffset___unnamed_16_913b9a7a:name;
+const unique T.OutputBufferLength___unnamed_16_94d1d1c7:name;
+const unique T.InputBufferLength___unnamed_16_94d1d1c7:name;
+const unique T.FsControlCode___unnamed_16_94d1d1c7:name;
+const unique T.Type3InputBuffer___unnamed_16_94d1d1c7:name;
+const unique T.Length___unnamed_16_a2fab4da:name;
+const unique T.FileInformationClass___unnamed_16_a2fab4da:name;
+const unique T.FileObject___unnamed_16_a2fab4da:name;
+const unique T.__unnamed_4_a7d0864c___unnamed_16_a2fab4da:name;
+const unique T.DriverContext___unnamed_16_ae643f17:name;
+const unique T.Length___unnamed_16_c1b29316:name;
+const unique T.Key___unnamed_16_c1b29316:name;
+const unique T.ByteOffset___unnamed_16_c1b29316:name;
+const unique T.ProviderId___unnamed_16_cbd53ed4:name;
+const unique T.DataPath___unnamed_16_cbd53ed4:name;
+const unique T.BufferSize___unnamed_16_cbd53ed4:name;
+const unique T.Buffer___unnamed_16_cbd53ed4:name;
+const unique T.Length___unnamed_16_db70db6e:name;
+const unique T.MinBusNumber___unnamed_16_db70db6e:name;
+const unique T.MaxBusNumber___unnamed_16_db70db6e:name;
+const unique T.Reserved___unnamed_16_db70db6e:name;
+const unique T.Length___unnamed_16_ef4b6307:name;
+const unique T.EaList___unnamed_16_ef4b6307:name;
+const unique T.EaListLength___unnamed_16_ef4b6307:name;
+const unique T.EaIndex___unnamed_16_ef4b6307:name;
+const unique T.__unnamed_4_b060dea6___unnamed_16_fdda1f62:name;
+const unique T.Type___unnamed_16_fdda1f62:name;
+const unique T.State___unnamed_16_fdda1f62:name;
+const unique T.ShutdownType___unnamed_16_fdda1f62:name;
+const unique T.Lock___unnamed_1_1394de4b:name;
+const unique T.Abandoned___unnamed_1_2bb39c56:name;
+const unique T.Absolute___unnamed_1_2bb39c56:name;
+const unique T.NpxIrql___unnamed_1_2bb39c56:name;
+const unique T.Signalling___unnamed_1_2bb39c56:name;
+const unique T.Inserted___unnamed_1_9fa0583a:name;
+const unique T.DebugActive___unnamed_1_9fa0583a:name;
+const unique T.DpcActive___unnamed_1_9fa0583a:name;
+const unique T.Size___unnamed_1_e30779f5:name;
+const unique T.Hand___unnamed_1_e30779f5:name;
+const unique T.MinimumVector___unnamed_20_83d468e4:name;
+const unique T.MaximumVector___unnamed_20_83d468e4:name;
+const unique T.AffinityPolicy___unnamed_20_83d468e4:name;
+const unique T.PriorityPolicy___unnamed_20_83d468e4:name;
+const unique T.TargetedProcessors___unnamed_20_83d468e4:name;
+const unique T.Length40___unnamed_24_035931da:name;
+const unique T.Alignment40___unnamed_24_035931da:name;
+const unique T.MinimumAddress___unnamed_24_035931da:name;
+const unique T.MaximumAddress___unnamed_24_035931da:name;
+const unique T.Length___unnamed_24_38e128db:name;
+const unique T.Alignment___unnamed_24_38e128db:name;
+const unique T.MinimumAddress___unnamed_24_38e128db:name;
+const unique T.MaximumAddress___unnamed_24_38e128db:name;
+const unique T.Length___unnamed_24_9500ea34:name;
+const unique T.Alignment___unnamed_24_9500ea34:name;
+const unique T.MinimumAddress___unnamed_24_9500ea34:name;
+const unique T.MaximumAddress___unnamed_24_9500ea34:name;
+const unique T.Length___unnamed_24_9734802c:name;
+const unique T.Alignment___unnamed_24_9734802c:name;
+const unique T.MinimumAddress___unnamed_24_9734802c:name;
+const unique T.MaximumAddress___unnamed_24_9734802c:name;
+const unique T.Length64___unnamed_24_af62813f:name;
+const unique T.Alignment64___unnamed_24_af62813f:name;
+const unique T.MinimumAddress___unnamed_24_af62813f:name;
+const unique T.MaximumAddress___unnamed_24_af62813f:name;
+const unique T.Length48___unnamed_24_c0555099:name;
+const unique T.Alignment48___unnamed_24_c0555099:name;
+const unique T.MinimumAddress___unnamed_24_c0555099:name;
+const unique T.MaximumAddress___unnamed_24_c0555099:name;
+const unique T.Port___unnamed_24_d7c4ec3a:name;
+const unique T.Memory___unnamed_24_d7c4ec3a:name;
+const unique T.Interrupt___unnamed_24_d7c4ec3a:name;
+const unique T.Dma___unnamed_24_d7c4ec3a:name;
+const unique T.Generic___unnamed_24_d7c4ec3a:name;
+const unique T.DevicePrivate___unnamed_24_d7c4ec3a:name;
+const unique T.BusNumber___unnamed_24_d7c4ec3a:name;
+const unique T.ConfigData___unnamed_24_d7c4ec3a:name;
+const unique T.Memory40___unnamed_24_d7c4ec3a:name;
+const unique T.Memory48___unnamed_24_d7c4ec3a:name;
+const unique T.Memory64___unnamed_24_d7c4ec3a:name;
+const unique T.ReplaceIfExists___unnamed_2_196a7f56:name;
+const unique T.AdvanceOnly___unnamed_2_196a7f56:name;
+const unique T.__unnamed_16_5fed8f23___unnamed_40_a0414182:name;
+const unique T.Thread___unnamed_40_a0414182:name;
+const unique T.AuxiliaryBuffer___unnamed_40_a0414182:name;
+const unique T.__unnamed_12_c6ed93f3___unnamed_40_a0414182:name;
+const unique T.OriginalFileObject___unnamed_40_a0414182:name;
+const unique T.ListEntry___unnamed_40_d90496f4:name;
+const unique T.Wcb___unnamed_40_d90496f4:name;
+const unique T.InitialPrivilegeSet___unnamed_44_a7026dca:name;
+const unique T.PrivilegeSet___unnamed_44_a7026dca:name;
+const unique T.Overlay___unnamed_48_c1da9fa5:name;
+const unique T.Apc___unnamed_48_c1da9fa5:name;
+const unique T.CompletionKey___unnamed_48_c1da9fa5:name;
+const unique T.PowerSequence___unnamed_4_0510b147:name;
+const unique T.Length___unnamed_4_0a569078:name;
+const unique T.Status___unnamed_4_16aff58e:name;
+const unique T.Pointer___unnamed_4_16aff58e:name;
+const unique T.IdType___unnamed_4_40bf8e34:name;
+const unique T.Address___unnamed_4_46b62f69:name;
+const unique T.CreatorBackTraceIndex___unnamed_4_46b62f69:name;
+const unique T.Capabilities___unnamed_4_73d46255:name;
+const unique T.Srb___unnamed_4_765e3037:name;
+const unique T.Type___unnamed_4_846adf3f:name;
+const unique T.__unnamed_1_2bb39c56___unnamed_4_846adf3f:name;
+const unique T.__unnamed_1_e30779f5___unnamed_4_846adf3f:name;
+const unique T.__unnamed_1_9fa0583a___unnamed_4_846adf3f:name;
+const unique T.PowerState___unnamed_4_8dd73d30:name;
+const unique T.Type___unnamed_4_957e0d74:name;
+const unique T.Buttons___unnamed_4_9c11ed91:name;
+const unique T.__unnamed_4_b5247f10___unnamed_4_9c11ed91:name;
+const unique T.IoResourceRequirementList___unnamed_4_a58d40c8:name;
+const unique T.CurrentStackLocation___unnamed_4_a7aa989c:name;
+const unique T.PacketType___unnamed_4_a7aa989c:name;
+const unique T.__unnamed_2_196a7f56___unnamed_4_a7d0864c:name;
+const unique T.ClusterCount___unnamed_4_a7d0864c:name;
+const unique T.DeleteHandle___unnamed_4_a7d0864c:name;
+const unique T.Length___unnamed_4_aa20b426:name;
+const unique T.UserApcRoutine___unnamed_4_ab87ddfd:name;
+const unique T.IssuingProcess___unnamed_4_ab87ddfd:name;
+const unique T.Reserved1___unnamed_4_b016b1e1:name;
+const unique T.TargetSystemState___unnamed_4_b016b1e1:name;
+const unique T.EffectiveSystemState___unnamed_4_b016b1e1:name;
+const unique T.CurrentSystemState___unnamed_4_b016b1e1:name;
+const unique T.IgnoreHibernationPath___unnamed_4_b016b1e1:name;
+const unique T.PseudoTransition___unnamed_4_b016b1e1:name;
+const unique T.Reserved2___unnamed_4_b016b1e1:name;
+const unique T.SystemContext___unnamed_4_b060dea6:name;
+const unique T.SystemPowerStateContext___unnamed_4_b060dea6:name;
+const unique T.__unnamed_4_b016b1e1___unnamed_4_b4f5a780:name;
+const unique T.ContextAsUlong___unnamed_4_b4f5a780:name;
+const unique T.ButtonFlags___unnamed_4_b5247f10:name;
+const unique T.ButtonData___unnamed_4_b5247f10:name;
+const unique T.OwnerCount___unnamed_4_c1e23b02:name;
+const unique T.TableSize___unnamed_4_c1e23b02:name;
+const unique T.__unnamed_4_846adf3f___unnamed_4_c9b2e921:name;
+const unique T.Lock___unnamed_4_c9b2e921:name;
+const unique T.MasterIrp___unnamed_4_fa7b96a7:name;
+const unique T.IrpCount___unnamed_4_fa7b96a7:name;
+const unique T.SystemBuffer___unnamed_4_fa7b96a7:name;
+const unique T.Vpb___unnamed_8_09ad2712:name;
+const unique T.DeviceObject___unnamed_8_09ad2712:name;
+const unique T.Length___unnamed_8_21ac1dba:name;
+const unique T.CompletionFilter___unnamed_8_21ac1dba:name;
+const unique T.Length___unnamed_8_27d3ab76:name;
+const unique T.FsInformationClass___unnamed_8_27d3ab76:name;
+const unique T.Vpb___unnamed_8_4289df81:name;
+const unique T.DeviceObject___unnamed_8_4289df81:name;
+const unique T.Length___unnamed_8_47b72724:name;
+const unique T.FileInformationClass___unnamed_8_47b72724:name;
+const unique T.DeviceTextType___unnamed_8_4b3e3ba3:name;
+const unique T.LocaleId___unnamed_8_4b3e3ba3:name;
+const unique T.__unnamed_4_ab87ddfd___unnamed_8_4f695993:name;
+const unique T.UserApcContext___unnamed_8_4f695993:name;
+const unique T.AllocatedResources___unnamed_8_5cfb6ca4:name;
+const unique T.AllocatedResourcesTranslated___unnamed_8_5cfb6ca4:name;
+const unique T.SecurityInformation___unnamed_8_606438c5:name;
+const unique T.Length___unnamed_8_606438c5:name;
+const unique T.MinimumChannel___unnamed_8_6ad774c0:name;
+const unique T.MaximumChannel___unnamed_8_6ad774c0:name;
+const unique T.Length___unnamed_8_805045cb:name;
+const unique T.FsInformationClass___unnamed_8_805045cb:name;
+const unique T.LowPart___unnamed_8_8684a3e7:name;
+const unique T.HighPart___unnamed_8_8684a3e7:name;
+const unique T.SecurityInformation___unnamed_8_8cc410da:name;
+const unique T.SecurityDescriptor___unnamed_8_8cc410da:name;
+const unique T.InPath___unnamed_8_a47253e0:name;
+const unique T.Reserved___unnamed_8_a47253e0:name;
+const unique T.Type___unnamed_8_a47253e0:name;
+const unique T.AsynchronousParameters___unnamed_8_bbd07f6c:name;
+const unique T.AllocationSize___unnamed_8_bbd07f6c:name;
+const unique T.LowPart___unnamed_8_c9ca8234:name;
+const unique T.HighPart___unnamed_8_c9ca8234:name;
+
+// Type declarations
+
+const unique T.A11CHAR:name;
+const unique T.A19CHAR:name;
+const unique T.A1_CM_FULL_RESOURCE_DESCRIPTOR:name;
+const unique T.A1_CM_PARTIAL_RESOURCE_DESCRIPTOR:name;
+const unique T.A1_IO_RESOURCE_DESCRIPTOR:name;
+const unique T.A1_IO_RESOURCE_LIST:name;
+const unique T.A1_LUID_AND_ATTRIBUTES:name;
+const unique T.A256UINT2:name;
+const unique T.A28PFDRIVER_DISPATCH:name;
+const unique T.A2UCHAR:name;
+const unique T.A32UINT2:name;
+const unique T.A33CHAR:name;
+const unique T.A34CHAR:name;
+const unique T.A39CHAR:name;
+const unique T.A3UCHAR:name;
+const unique T.A3UINT4:name;
+const unique T.A3_LUID_AND_ATTRIBUTES:name;
+const unique T.A43CHAR:name;
+const unique T.A4PVOID:name;
+const unique T.A4UINT4:name;
+const unique T.A5_DEVICE_POWER_STATE:name;
+const unique T.A74CHAR:name;
+const unique T.A7_DEVICE_POWER_STATE:name;
+const unique T.A8UCHAR:name;
+const unique T.BUS_QUERY_ID_TYPE:name;
+const unique T.CHAR:name;
+const unique T.DEVICE_TEXT_TYPE:name;
+const unique T.F0:name;
+const unique T.F1:name;
+const unique T.F10:name;
+const unique T.F11:name;
+const unique T.F12:name;
+const unique T.F13:name;
+const unique T.F14:name;
+const unique T.F15:name;
+const unique T.F16:name;
+const unique T.F17:name;
+const unique T.F18:name;
+const unique T.F19:name;
+const unique T.F2:name;
+const unique T.F20:name;
+const unique T.F21:name;
+const unique T.F22:name;
+const unique T.F23:name;
+const unique T.F24:name;
+const unique T.F25:name;
+const unique T.F26:name;
+const unique T.F27:name;
+const unique T.F28:name;
+const unique T.F29:name;
+const unique T.F3:name;
+const unique T.F30:name;
+const unique T.F31:name;
+const unique T.F32:name;
+const unique T.F33:name;
+const unique T.F34:name;
+const unique T.F35:name;
+const unique T.F36:name;
+const unique T.F37:name;
+const unique T.F38:name;
+const unique T.F4:name;
+const unique T.F5:name;
+const unique T.F6:name;
+const unique T.F7:name;
+const unique T.F8:name;
+const unique T.F9:name;
+const unique T.FDRIVER_ADD_DEVICE:name;
+const unique T.FDRIVER_CANCEL:name;
+const unique T.FDRIVER_CONTROL:name;
+const unique T.FDRIVER_DISPATCH:name;
+const unique T.FDRIVER_INITIALIZE:name;
+const unique T.FDRIVER_STARTIO:name;
+const unique T.FDRIVER_UNLOAD:name;
+const unique T.FFAST_IO_ACQUIRE_FILE:name;
+const unique T.FFAST_IO_ACQUIRE_FOR_CCFLUSH:name;
+const unique T.FFAST_IO_ACQUIRE_FOR_MOD_WRITE:name;
+const unique T.FFAST_IO_CHECK_IF_POSSIBLE:name;
+const unique T.FFAST_IO_DETACH_DEVICE:name;
+const unique T.FFAST_IO_DEVICE_CONTROL:name;
+const unique T.FFAST_IO_LOCK:name;
+const unique T.FFAST_IO_MDL_READ:name;
+const unique T.FFAST_IO_MDL_READ_COMPLETE:name;
+const unique T.FFAST_IO_MDL_READ_COMPLETE_COMPRESSED:name;
+const unique T.FFAST_IO_MDL_WRITE_COMPLETE:name;
+const unique T.FFAST_IO_MDL_WRITE_COMPLETE_COMPRESSED:name;
+const unique T.FFAST_IO_PREPARE_MDL_WRITE:name;
+const unique T.FFAST_IO_QUERY_BASIC_INFO:name;
+const unique T.FFAST_IO_QUERY_NETWORK_OPEN_INFO:name;
+const unique T.FFAST_IO_QUERY_OPEN:name;
+const unique T.FFAST_IO_QUERY_STANDARD_INFO:name;
+const unique T.FFAST_IO_READ:name;
+const unique T.FFAST_IO_READ_COMPRESSED:name;
+const unique T.FFAST_IO_RELEASE_FILE:name;
+const unique T.FFAST_IO_RELEASE_FOR_CCFLUSH:name;
+const unique T.FFAST_IO_RELEASE_FOR_MOD_WRITE:name;
+const unique T.FFAST_IO_UNLOCK_ALL:name;
+const unique T.FFAST_IO_UNLOCK_ALL_BY_KEY:name;
+const unique T.FFAST_IO_UNLOCK_SINGLE:name;
+const unique T.FFAST_IO_WRITE:name;
+const unique T.FFAST_IO_WRITE_COMPRESSED:name;
+const unique T.FIO_COMPLETION_ROUTINE:name;
+const unique T.FKDEFERRED_ROUTINE:name;
+const unique T.INT2:name;
+const unique T.INT4:name;
+const unique T.INT8:name;
+const unique T.PA11CHAR:name;
+const unique T.PA19CHAR:name;
+const unique T.PA33CHAR:name;
+const unique T.PA34CHAR:name;
+const unique T.PA39CHAR:name;
+const unique T.PA43CHAR:name;
+const unique T.PA74CHAR:name;
+const unique T.PCHAR:name;
+const unique T.PF19:name;
+const unique T.PF21:name;
+const unique T.PF23:name;
+const unique T.PF24:name;
+const unique T.PF25:name;
+const unique T.PF33:name;
+const unique T.PF34:name;
+const unique T.PF35:name;
+const unique T.PF36:name;
+const unique T.PF37:name;
+const unique T.PF38:name;
+const unique T.PFDRIVER_ADD_DEVICE:name;
+const unique T.PFDRIVER_CANCEL:name;
+const unique T.PFDRIVER_CONTROL:name;
+const unique T.PFDRIVER_DISPATCH:name;
+const unique T.PFDRIVER_INITIALIZE:name;
+const unique T.PFDRIVER_STARTIO:name;
+const unique T.PFDRIVER_UNLOAD:name;
+const unique T.PFFAST_IO_ACQUIRE_FILE:name;
+const unique T.PFFAST_IO_ACQUIRE_FOR_CCFLUSH:name;
+const unique T.PFFAST_IO_ACQUIRE_FOR_MOD_WRITE:name;
+const unique T.PFFAST_IO_CHECK_IF_POSSIBLE:name;
+const unique T.PFFAST_IO_DETACH_DEVICE:name;
+const unique T.PFFAST_IO_DEVICE_CONTROL:name;
+const unique T.PFFAST_IO_LOCK:name;
+const unique T.PFFAST_IO_MDL_READ:name;
+const unique T.PFFAST_IO_MDL_READ_COMPLETE:name;
+const unique T.PFFAST_IO_MDL_READ_COMPLETE_COMPRESSED:name;
+const unique T.PFFAST_IO_MDL_WRITE_COMPLETE:name;
+const unique T.PFFAST_IO_MDL_WRITE_COMPLETE_COMPRESSED:name;
+const unique T.PFFAST_IO_PREPARE_MDL_WRITE:name;
+const unique T.PFFAST_IO_QUERY_BASIC_INFO:name;
+const unique T.PFFAST_IO_QUERY_NETWORK_OPEN_INFO:name;
+const unique T.PFFAST_IO_QUERY_OPEN:name;
+const unique T.PFFAST_IO_QUERY_STANDARD_INFO:name;
+const unique T.PFFAST_IO_READ:name;
+const unique T.PFFAST_IO_READ_COMPRESSED:name;
+const unique T.PFFAST_IO_RELEASE_FILE:name;
+const unique T.PFFAST_IO_RELEASE_FOR_CCFLUSH:name;
+const unique T.PFFAST_IO_RELEASE_FOR_MOD_WRITE:name;
+const unique T.PFFAST_IO_UNLOCK_ALL:name;
+const unique T.PFFAST_IO_UNLOCK_ALL_BY_KEY:name;
+const unique T.PFFAST_IO_UNLOCK_SINGLE:name;
+const unique T.PFFAST_IO_WRITE:name;
+const unique T.PFFAST_IO_WRITE_COMPRESSED:name;
+const unique T.PFIO_COMPLETION_ROUTINE:name;
+const unique T.PFKDEFERRED_ROUTINE:name;
+const unique T.PINT4:name;
+const unique T.POWER_ACTION:name;
+const unique T.PPCHAR:name;
+const unique T.PPF24:name;
+const unique T.PPP_FILE_OBJECT:name;
+const unique T.PPVOID:name;
+const unique T.PP_DEVICE_EXTENSION:name;
+const unique T.PP_DEVICE_OBJECT:name;
+const unique T.PP_DRIVER_OBJECT:name;
+const unique T.PP_ERESOURCE:name;
+const unique T.PP_FILE_OBJECT:name;
+const unique T.PP_IRP:name;
+const unique T.PP_LIST_ENTRY:name;
+const unique T.PP_MDL:name;
+const unique T.PP_PORT:name;
+const unique T.PP_UNICODE_STRING:name;
+const unique T.PUCHAR:name;
+const unique T.PUINT2:name;
+const unique T.PUINT4:name;
+const unique T.PVOID:name;
+const unique T.PWMIGUIDREGINFO:name;
+const unique T.P_ACCESS_STATE:name;
+const unique T.P_CM_RESOURCE_LIST:name;
+const unique T.P_COMPRESSED_DATA_INFO:name;
+const unique T.P_DEVICE_CAPABILITIES:name;
+const unique T.P_DEVICE_EXTENSION:name;
+const unique T.P_DEVICE_OBJECT:name;
+const unique T.P_DEVOBJ_EXTENSION:name;
+const unique T.P_DRIVER_EXTENSION:name;
+const unique T.P_DRIVER_OBJECT:name;
+const unique T.P_EPROCESS:name;
+const unique T.P_ERESOURCE:name;
+const unique T.P_ETHREAD:name;
+const unique T.P_FAST_IO_DISPATCH:name;
+const unique T.P_FILE_BASIC_INFORMATION:name;
+const unique T.P_FILE_GET_QUOTA_INFORMATION:name;
+const unique T.P_FILE_NETWORK_OPEN_INFORMATION:name;
+const unique T.P_FILE_OBJECT:name;
+const unique T.P_FILE_STANDARD_INFORMATION:name;
+const unique T.P_GLOBALS:name;
+const unique T.P_GUID:name;
+const unique T.P_INTERFACE:name;
+const unique T.P_IO_COMPLETION_CONTEXT:name;
+const unique T.P_IO_REMOVE_LOCK_TRACKING_BLOCK:name;
+const unique T.P_IO_RESOURCE_REQUIREMENTS_LIST:name;
+const unique T.P_IO_SECURITY_CONTEXT:name;
+const unique T.P_IO_STACK_LOCATION:name;
+const unique T.P_IO_STATUS_BLOCK:name;
+const unique T.P_IO_TIMER:name;
+const unique T.P_IRP:name;
+const unique T.P_KAPC:name;
+const unique T.P_KDPC:name;
+const unique T.P_KEVENT:name;
+const unique T.P_KSEMAPHORE:name;
+const unique T.P_KTHREAD:name;
+const unique T.P_LARGE_INTEGER:name;
+const unique T.P_LIST_ENTRY:name;
+const unique T.P_MDL:name;
+const unique T.P_MOUSE_INPUT_DATA:name;
+const unique T.P_OWNER_ENTRY:name;
+const unique T.P_PORT:name;
+const unique T.P_POWER_SEQUENCE:name;
+const unique T.P_SCSI_REQUEST_BLOCK:name;
+const unique T.P_SECTION_OBJECT_POINTERS:name;
+const unique T.P_SECURITY_QUALITY_OF_SERVICE:name;
+const unique T.P_UNICODE_STRING:name;
+const unique T.P_VPB:name;
+const unique T.UCHAR:name;
+const unique T.UINT2:name;
+const unique T.UINT4:name;
+const unique T.VOID:name;
+const unique T.WMIENABLEDISABLECONTROL:name;
+const unique T.WMIGUIDREGINFO:name;
+const unique T._ACCESS_STATE:name;
+const unique T._CM_FULL_RESOURCE_DESCRIPTOR:name;
+const unique T._CM_PARTIAL_RESOURCE_DESCRIPTOR:name;
+const unique T._CM_PARTIAL_RESOURCE_LIST:name;
+const unique T._CM_RESOURCE_LIST:name;
+const unique T._COMPRESSED_DATA_INFO:name;
+const unique T._DEVICE_CAPABILITIES:name;
+const unique T._DEVICE_EXTENSION:name;
+const unique T._DEVICE_OBJECT:name;
+const unique T._DEVICE_POWER_STATE:name;
+const unique T._DEVICE_RELATION_TYPE:name;
+const unique T._DEVICE_USAGE_NOTIFICATION_TYPE:name;
+const unique T._DEVOBJ_EXTENSION:name;
+const unique T._DISPATCHER_HEADER:name;
+const unique T._DRIVER_EXTENSION:name;
+const unique T._DRIVER_OBJECT:name;
+const unique T._EPROCESS:name;
+const unique T._ERESOURCE:name;
+const unique T._ETHREAD:name;
+const unique T._FAST_IO_DISPATCH:name;
+const unique T._FAST_MUTEX:name;
+const unique T._FILE_BASIC_INFORMATION:name;
+const unique T._FILE_GET_QUOTA_INFORMATION:name;
+const unique T._FILE_INFORMATION_CLASS:name;
+const unique T._FILE_NETWORK_OPEN_INFORMATION:name;
+const unique T._FILE_OBJECT:name;
+const unique T._FILE_STANDARD_INFORMATION:name;
+const unique T._FSINFOCLASS:name;
+const unique T._GLOBALS:name;
+const unique T._GUID:name;
+const unique T._INITIAL_PRIVILEGE_SET:name;
+const unique T._INTERFACE:name;
+const unique T._INTERFACE_TYPE:name;
+const unique T._IO_ALLOCATION_ACTION:name;
+const unique T._IO_COMPLETION_CONTEXT:name;
+const unique T._IO_REMOVE_LOCK:name;
+const unique T._IO_REMOVE_LOCK_COMMON_BLOCK:name;
+const unique T._IO_REMOVE_LOCK_DBG_BLOCK:name;
+const unique T._IO_REMOVE_LOCK_TRACKING_BLOCK:name;
+const unique T._IO_RESOURCE_DESCRIPTOR:name;
+const unique T._IO_RESOURCE_LIST:name;
+const unique T._IO_RESOURCE_REQUIREMENTS_LIST:name;
+const unique T._IO_SECURITY_CONTEXT:name;
+const unique T._IO_STACK_LOCATION:name;
+const unique T._IO_STATUS_BLOCK:name;
+const unique T._IO_TIMER:name;
+const unique T._IRP:name;
+const unique T._IRQ_DEVICE_POLICY:name;
+const unique T._IRQ_PRIORITY:name;
+const unique T._KAPC:name;
+const unique T._KDEVICE_QUEUE:name;
+const unique T._KDEVICE_QUEUE_ENTRY:name;
+const unique T._KDPC:name;
+const unique T._KEVENT:name;
+const unique T._KSEMAPHORE:name;
+const unique T._KTHREAD:name;
+const unique T._LARGE_INTEGER:name;
+const unique T._LIST_ENTRY:name;
+const unique T._LUID:name;
+const unique T._LUID_AND_ATTRIBUTES:name;
+const unique T._MDL:name;
+const unique T._MOUSE_ATTRIBUTES:name;
+const unique T._MOUSE_INPUT_DATA:name;
+const unique T._OWNER_ENTRY:name;
+const unique T._PORT:name;
+const unique T._POWER_SEQUENCE:name;
+const unique T._POWER_STATE:name;
+const unique T._POWER_STATE_TYPE:name;
+const unique T._PRIVILEGE_SET:name;
+const unique T._SCSI_REQUEST_BLOCK:name;
+const unique T._SECTION_OBJECT_POINTERS:name;
+const unique T._SECURITY_IMPERSONATION_LEVEL:name;
+const unique T._SECURITY_QUALITY_OF_SERVICE:name;
+const unique T._SECURITY_SUBJECT_CONTEXT:name;
+const unique T._SYSTEM_POWER_STATE:name;
+const unique T._SYSTEM_POWER_STATE_CONTEXT:name;
+const unique T._UNICODE_STRING:name;
+const unique T._VPB:name;
+const unique T._WAIT_CONTEXT_BLOCK:name;
+const unique T._WMILIB_CONTEXT:name;
+const unique T.__unnamed_12_06b9ee6e:name;
+const unique T.__unnamed_12_0882bd02:name;
+const unique T.__unnamed_12_264d0dab:name;
+const unique T.__unnamed_12_2e80217b:name;
+const unique T.__unnamed_12_5cc7ace2:name;
+const unique T.__unnamed_12_6374506e:name;
+const unique T.__unnamed_12_68a4278e:name;
+const unique T.__unnamed_12_79ed2653:name;
+const unique T.__unnamed_12_7da594c0:name;
+const unique T.__unnamed_12_9873e05d:name;
+const unique T.__unnamed_12_9cc8cebc:name;
+const unique T.__unnamed_12_b98da82e:name;
+const unique T.__unnamed_12_c2880e88:name;
+const unique T.__unnamed_12_c49ab31a:name;
+const unique T.__unnamed_12_c6ed93f3:name;
+const unique T.__unnamed_12_ced61554:name;
+const unique T.__unnamed_12_d9c44df5:name;
+const unique T.__unnamed_12_db3dcbfc:name;
+const unique T.__unnamed_12_fb26b3fc:name;
+const unique T.__unnamed_16_22e4d054:name;
+const unique T.__unnamed_16_39b626ad:name;
+const unique T.__unnamed_16_56c011d7:name;
+const unique T.__unnamed_16_5fed8f23:name;
+const unique T.__unnamed_16_6be9abe0:name;
+const unique T.__unnamed_16_78879a38:name;
+const unique T.__unnamed_16_804a2f24:name;
+const unique T.__unnamed_16_8586693f:name;
+const unique T.__unnamed_16_8831e65f:name;
+const unique T.__unnamed_16_8c2d663a:name;
+const unique T.__unnamed_16_913b9a7a:name;
+const unique T.__unnamed_16_94d1d1c7:name;
+const unique T.__unnamed_16_a2fab4da:name;
+const unique T.__unnamed_16_ae643f17:name;
+const unique T.__unnamed_16_c1b29316:name;
+const unique T.__unnamed_16_cbd53ed4:name;
+const unique T.__unnamed_16_db70db6e:name;
+const unique T.__unnamed_16_ef4b6307:name;
+const unique T.__unnamed_16_fdda1f62:name;
+const unique T.__unnamed_1_1394de4b:name;
+const unique T.__unnamed_1_2bb39c56:name;
+const unique T.__unnamed_1_9fa0583a:name;
+const unique T.__unnamed_1_e30779f5:name;
+const unique T.__unnamed_20_83d468e4:name;
+const unique T.__unnamed_24_035931da:name;
+const unique T.__unnamed_24_38e128db:name;
+const unique T.__unnamed_24_9500ea34:name;
+const unique T.__unnamed_24_9734802c:name;
+const unique T.__unnamed_24_af62813f:name;
+const unique T.__unnamed_24_c0555099:name;
+const unique T.__unnamed_24_d7c4ec3a:name;
+const unique T.__unnamed_2_196a7f56:name;
+const unique T.__unnamed_40_a0414182:name;
+const unique T.__unnamed_40_d90496f4:name;
+const unique T.__unnamed_44_a7026dca:name;
+const unique T.__unnamed_48_c1da9fa5:name;
+const unique T.__unnamed_4_0510b147:name;
+const unique T.__unnamed_4_0a569078:name;
+const unique T.__unnamed_4_16aff58e:name;
+const unique T.__unnamed_4_40bf8e34:name;
+const unique T.__unnamed_4_46b62f69:name;
+const unique T.__unnamed_4_73d46255:name;
+const unique T.__unnamed_4_765e3037:name;
+const unique T.__unnamed_4_846adf3f:name;
+const unique T.__unnamed_4_8dd73d30:name;
+const unique T.__unnamed_4_957e0d74:name;
+const unique T.__unnamed_4_9c11ed91:name;
+const unique T.__unnamed_4_a58d40c8:name;
+const unique T.__unnamed_4_a7aa989c:name;
+const unique T.__unnamed_4_a7d0864c:name;
+const unique T.__unnamed_4_aa20b426:name;
+const unique T.__unnamed_4_ab87ddfd:name;
+const unique T.__unnamed_4_b016b1e1:name;
+const unique T.__unnamed_4_b060dea6:name;
+const unique T.__unnamed_4_b4f5a780:name;
+const unique T.__unnamed_4_b5247f10:name;
+const unique T.__unnamed_4_c1e23b02:name;
+const unique T.__unnamed_4_c9b2e921:name;
+const unique T.__unnamed_4_fa7b96a7:name;
+const unique T.__unnamed_8_09ad2712:name;
+const unique T.__unnamed_8_21ac1dba:name;
+const unique T.__unnamed_8_27d3ab76:name;
+const unique T.__unnamed_8_4289df81:name;
+const unique T.__unnamed_8_47b72724:name;
+const unique T.__unnamed_8_4b3e3ba3:name;
+const unique T.__unnamed_8_4f695993:name;
+const unique T.__unnamed_8_5cfb6ca4:name;
+const unique T.__unnamed_8_606438c5:name;
+const unique T.__unnamed_8_6ad774c0:name;
+const unique T.__unnamed_8_805045cb:name;
+const unique T.__unnamed_8_8684a3e7:name;
+const unique T.__unnamed_8_8cc410da:name;
+const unique T.__unnamed_8_a47253e0:name;
+const unique T.__unnamed_8_bbd07f6c:name;
+const unique T.__unnamed_8_c9ca8234:name;
+
+function AssocClassList__GLOBALS(int) returns (int);
+function AssocClassList__GLOBALSInv(int) returns (int);
+function _S_AssocClassList__GLOBALS([int]bool) returns ([int]bool);
+function _S_AssocClassList__GLOBALSInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {AssocClassList__GLOBALSInv(AssocClassList__GLOBALS(x))} AssocClassList__GLOBALSInv(AssocClassList__GLOBALS(x)) == x);
+axiom (forall x:int :: {AssocClassList__GLOBALSInv(x)} AssocClassList__GLOBALS(AssocClassList__GLOBALSInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_AssocClassList__GLOBALS(S)[x]} _S_AssocClassList__GLOBALS(S)[x] <==> S[AssocClassList__GLOBALSInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_AssocClassList__GLOBALSInv(S)[x]} _S_AssocClassList__GLOBALSInv(S)[x] <==> S[AssocClassList__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_AssocClassList__GLOBALS(S)} S[x] ==> _S_AssocClassList__GLOBALS(S)[AssocClassList__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_AssocClassList__GLOBALSInv(S)} S[x] ==> _S_AssocClassList__GLOBALSInv(S)[AssocClassList__GLOBALSInv(x)]);
+
+axiom (forall x:int :: {AssocClassList__GLOBALS(x)} AssocClassList__GLOBALS(x) == x + 8);
+axiom (forall x:int :: {AssocClassList__GLOBALSInv(x)} AssocClassList__GLOBALSInv(x) == x - 8);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 8, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 8, 1) == AssocClassList__GLOBALSInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 8)} MINUS_LEFT_PTR(x, 1, 8) == AssocClassList__GLOBALSInv(x));
+function Buffer__UNICODE_STRING(int) returns (int);
+function Buffer__UNICODE_STRINGInv(int) returns (int);
+function _S_Buffer__UNICODE_STRING([int]bool) returns ([int]bool);
+function _S_Buffer__UNICODE_STRINGInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Buffer__UNICODE_STRINGInv(Buffer__UNICODE_STRING(x))} Buffer__UNICODE_STRINGInv(Buffer__UNICODE_STRING(x)) == x);
+axiom (forall x:int :: {Buffer__UNICODE_STRINGInv(x)} Buffer__UNICODE_STRING(Buffer__UNICODE_STRINGInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Buffer__UNICODE_STRING(S)[x]} _S_Buffer__UNICODE_STRING(S)[x] <==> S[Buffer__UNICODE_STRINGInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Buffer__UNICODE_STRINGInv(S)[x]} _S_Buffer__UNICODE_STRINGInv(S)[x] <==> S[Buffer__UNICODE_STRING(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Buffer__UNICODE_STRING(S)} S[x] ==> _S_Buffer__UNICODE_STRING(S)[Buffer__UNICODE_STRING(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Buffer__UNICODE_STRINGInv(S)} S[x] ==> _S_Buffer__UNICODE_STRINGInv(S)[Buffer__UNICODE_STRINGInv(x)]);
+
+axiom (forall x:int :: {Buffer__UNICODE_STRING(x)} Buffer__UNICODE_STRING(x) == x + 4);
+axiom (forall x:int :: {Buffer__UNICODE_STRINGInv(x)} Buffer__UNICODE_STRINGInv(x) == x - 4);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1) == Buffer__UNICODE_STRINGInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 4)} MINUS_LEFT_PTR(x, 1, 4) == Buffer__UNICODE_STRINGInv(x));
+function DataIn__DEVICE_EXTENSION(int) returns (int);
+function DataIn__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_DataIn__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_DataIn__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {DataIn__DEVICE_EXTENSIONInv(DataIn__DEVICE_EXTENSION(x))} DataIn__DEVICE_EXTENSIONInv(DataIn__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {DataIn__DEVICE_EXTENSIONInv(x)} DataIn__DEVICE_EXTENSION(DataIn__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_DataIn__DEVICE_EXTENSION(S)[x]} _S_DataIn__DEVICE_EXTENSION(S)[x] <==> S[DataIn__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_DataIn__DEVICE_EXTENSIONInv(S)[x]} _S_DataIn__DEVICE_EXTENSIONInv(S)[x] <==> S[DataIn__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_DataIn__DEVICE_EXTENSION(S)} S[x] ==> _S_DataIn__DEVICE_EXTENSION(S)[DataIn__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_DataIn__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_DataIn__DEVICE_EXTENSIONInv(S)[DataIn__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {DataIn__DEVICE_EXTENSION(x)} DataIn__DEVICE_EXTENSION(x) == x + 132);
+axiom (forall x:int :: {DataIn__DEVICE_EXTENSIONInv(x)} DataIn__DEVICE_EXTENSIONInv(x) == x - 132);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 132, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 132, 1) == DataIn__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 132)} MINUS_LEFT_PTR(x, 1, 132) == DataIn__DEVICE_EXTENSIONInv(x));
+function DataOut__DEVICE_EXTENSION(int) returns (int);
+function DataOut__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_DataOut__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_DataOut__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {DataOut__DEVICE_EXTENSIONInv(DataOut__DEVICE_EXTENSION(x))} DataOut__DEVICE_EXTENSIONInv(DataOut__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {DataOut__DEVICE_EXTENSIONInv(x)} DataOut__DEVICE_EXTENSION(DataOut__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_DataOut__DEVICE_EXTENSION(S)[x]} _S_DataOut__DEVICE_EXTENSION(S)[x] <==> S[DataOut__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_DataOut__DEVICE_EXTENSIONInv(S)[x]} _S_DataOut__DEVICE_EXTENSIONInv(S)[x] <==> S[DataOut__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_DataOut__DEVICE_EXTENSION(S)} S[x] ==> _S_DataOut__DEVICE_EXTENSION(S)[DataOut__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_DataOut__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_DataOut__DEVICE_EXTENSIONInv(S)[DataOut__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {DataOut__DEVICE_EXTENSION(x)} DataOut__DEVICE_EXTENSION(x) == x + 136);
+axiom (forall x:int :: {DataOut__DEVICE_EXTENSIONInv(x)} DataOut__DEVICE_EXTENSIONInv(x) == x - 136);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 136, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 136, 1) == DataOut__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 136)} MINUS_LEFT_PTR(x, 1, 136) == DataOut__DEVICE_EXTENSIONInv(x));
+function DeviceExtension__DEVICE_OBJECT(int) returns (int);
+function DeviceExtension__DEVICE_OBJECTInv(int) returns (int);
+function _S_DeviceExtension__DEVICE_OBJECT([int]bool) returns ([int]bool);
+function _S_DeviceExtension__DEVICE_OBJECTInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {DeviceExtension__DEVICE_OBJECTInv(DeviceExtension__DEVICE_OBJECT(x))} DeviceExtension__DEVICE_OBJECTInv(DeviceExtension__DEVICE_OBJECT(x)) == x);
+axiom (forall x:int :: {DeviceExtension__DEVICE_OBJECTInv(x)} DeviceExtension__DEVICE_OBJECT(DeviceExtension__DEVICE_OBJECTInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_DeviceExtension__DEVICE_OBJECT(S)[x]} _S_DeviceExtension__DEVICE_OBJECT(S)[x] <==> S[DeviceExtension__DEVICE_OBJECTInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_DeviceExtension__DEVICE_OBJECTInv(S)[x]} _S_DeviceExtension__DEVICE_OBJECTInv(S)[x] <==> S[DeviceExtension__DEVICE_OBJECT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_DeviceExtension__DEVICE_OBJECT(S)} S[x] ==> _S_DeviceExtension__DEVICE_OBJECT(S)[DeviceExtension__DEVICE_OBJECT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_DeviceExtension__DEVICE_OBJECTInv(S)} S[x] ==> _S_DeviceExtension__DEVICE_OBJECTInv(S)[DeviceExtension__DEVICE_OBJECTInv(x)]);
+
+axiom (forall x:int :: {DeviceExtension__DEVICE_OBJECT(x)} DeviceExtension__DEVICE_OBJECT(x) == x + 40);
+axiom (forall x:int :: {DeviceExtension__DEVICE_OBJECTInv(x)} DeviceExtension__DEVICE_OBJECTInv(x) == x - 40);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 40, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 40, 1) == DeviceExtension__DEVICE_OBJECTInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 40)} MINUS_LEFT_PTR(x, 1, 40) == DeviceExtension__DEVICE_OBJECTInv(x));
+function Enabled__DEVICE_EXTENSION(int) returns (int);
+function Enabled__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_Enabled__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_Enabled__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Enabled__DEVICE_EXTENSIONInv(Enabled__DEVICE_EXTENSION(x))} Enabled__DEVICE_EXTENSIONInv(Enabled__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {Enabled__DEVICE_EXTENSIONInv(x)} Enabled__DEVICE_EXTENSION(Enabled__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Enabled__DEVICE_EXTENSION(S)[x]} _S_Enabled__DEVICE_EXTENSION(S)[x] <==> S[Enabled__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Enabled__DEVICE_EXTENSIONInv(S)[x]} _S_Enabled__DEVICE_EXTENSIONInv(S)[x] <==> S[Enabled__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Enabled__DEVICE_EXTENSION(S)} S[x] ==> _S_Enabled__DEVICE_EXTENSION(S)[Enabled__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Enabled__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_Enabled__DEVICE_EXTENSIONInv(S)[Enabled__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {Enabled__DEVICE_EXTENSION(x)} Enabled__DEVICE_EXTENSION(x) == x + 264);
+axiom (forall x:int :: {Enabled__DEVICE_EXTENSIONInv(x)} Enabled__DEVICE_EXTENSIONInv(x) == x - 264);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 264, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 264, 1) == Enabled__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 264)} MINUS_LEFT_PTR(x, 1, 264) == Enabled__DEVICE_EXTENSIONInv(x));
+function Enabled__PORT(int) returns (int);
+function Enabled__PORTInv(int) returns (int);
+function _S_Enabled__PORT([int]bool) returns ([int]bool);
+function _S_Enabled__PORTInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Enabled__PORTInv(Enabled__PORT(x))} Enabled__PORTInv(Enabled__PORT(x)) == x);
+axiom (forall x:int :: {Enabled__PORTInv(x)} Enabled__PORT(Enabled__PORTInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Enabled__PORT(S)[x]} _S_Enabled__PORT(S)[x] <==> S[Enabled__PORTInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Enabled__PORTInv(S)[x]} _S_Enabled__PORTInv(S)[x] <==> S[Enabled__PORT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Enabled__PORT(S)} S[x] ==> _S_Enabled__PORT(S)[Enabled__PORT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Enabled__PORTInv(S)} S[x] ==> _S_Enabled__PORTInv(S)[Enabled__PORTInv(x)]);
+
+axiom (forall x:int :: {Enabled__PORT(x)} Enabled__PORT(x) == x + 8);
+axiom (forall x:int :: {Enabled__PORTInv(x)} Enabled__PORTInv(x) == x - 8);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 8, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 8, 1) == Enabled__PORTInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 8)} MINUS_LEFT_PTR(x, 1, 8) == Enabled__PORTInv(x));
+function File__DEVICE_EXTENSION(int) returns (int);
+function File__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_File__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_File__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {File__DEVICE_EXTENSIONInv(File__DEVICE_EXTENSION(x))} File__DEVICE_EXTENSIONInv(File__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {File__DEVICE_EXTENSIONInv(x)} File__DEVICE_EXTENSION(File__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_File__DEVICE_EXTENSION(S)[x]} _S_File__DEVICE_EXTENSION(S)[x] <==> S[File__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_File__DEVICE_EXTENSIONInv(S)[x]} _S_File__DEVICE_EXTENSIONInv(S)[x] <==> S[File__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_File__DEVICE_EXTENSION(S)} S[x] ==> _S_File__DEVICE_EXTENSION(S)[File__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_File__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_File__DEVICE_EXTENSIONInv(S)[File__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {File__DEVICE_EXTENSION(x)} File__DEVICE_EXTENSION(x) == x + 260);
+axiom (forall x:int :: {File__DEVICE_EXTENSIONInv(x)} File__DEVICE_EXTENSIONInv(x) == x - 260);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 260, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 260, 1) == File__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 260)} MINUS_LEFT_PTR(x, 1, 260) == File__DEVICE_EXTENSIONInv(x));
+function File__PORT(int) returns (int);
+function File__PORTInv(int) returns (int);
+function _S_File__PORT([int]bool) returns ([int]bool);
+function _S_File__PORTInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {File__PORTInv(File__PORT(x))} File__PORTInv(File__PORT(x)) == x);
+axiom (forall x:int :: {File__PORTInv(x)} File__PORT(File__PORTInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_File__PORT(S)[x]} _S_File__PORT(S)[x] <==> S[File__PORTInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_File__PORTInv(S)[x]} _S_File__PORTInv(S)[x] <==> S[File__PORT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_File__PORT(S)} S[x] ==> _S_File__PORT(S)[File__PORT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_File__PORTInv(S)} S[x] ==> _S_File__PORTInv(S)[File__PORTInv(x)]);
+
+axiom (forall x:int :: {File__PORT(x)} File__PORT(x) == x + 0);
+axiom (forall x:int :: {File__PORTInv(x)} File__PORTInv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == File__PORTInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == File__PORTInv(x));
+function Flink__LIST_ENTRY(int) returns (int);
+function Flink__LIST_ENTRYInv(int) returns (int);
+function _S_Flink__LIST_ENTRY([int]bool) returns ([int]bool);
+function _S_Flink__LIST_ENTRYInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Flink__LIST_ENTRYInv(Flink__LIST_ENTRY(x))} Flink__LIST_ENTRYInv(Flink__LIST_ENTRY(x)) == x);
+axiom (forall x:int :: {Flink__LIST_ENTRYInv(x)} Flink__LIST_ENTRY(Flink__LIST_ENTRYInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Flink__LIST_ENTRY(S)[x]} _S_Flink__LIST_ENTRY(S)[x] <==> S[Flink__LIST_ENTRYInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Flink__LIST_ENTRYInv(S)[x]} _S_Flink__LIST_ENTRYInv(S)[x] <==> S[Flink__LIST_ENTRY(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Flink__LIST_ENTRY(S)} S[x] ==> _S_Flink__LIST_ENTRY(S)[Flink__LIST_ENTRY(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Flink__LIST_ENTRYInv(S)} S[x] ==> _S_Flink__LIST_ENTRYInv(S)[Flink__LIST_ENTRYInv(x)]);
+
+axiom (forall x:int :: {Flink__LIST_ENTRY(x)} Flink__LIST_ENTRY(x) == x + 0);
+axiom (forall x:int :: {Flink__LIST_ENTRYInv(x)} Flink__LIST_ENTRYInv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == Flink__LIST_ENTRYInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == Flink__LIST_ENTRYInv(x));
+function Free__PORT(int) returns (int);
+function Free__PORTInv(int) returns (int);
+function _S_Free__PORT([int]bool) returns ([int]bool);
+function _S_Free__PORTInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Free__PORTInv(Free__PORT(x))} Free__PORTInv(Free__PORT(x)) == x);
+axiom (forall x:int :: {Free__PORTInv(x)} Free__PORT(Free__PORTInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Free__PORT(S)[x]} _S_Free__PORT(S)[x] <==> S[Free__PORTInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Free__PORTInv(S)[x]} _S_Free__PORTInv(S)[x] <==> S[Free__PORT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Free__PORT(S)} S[x] ==> _S_Free__PORT(S)[Free__PORT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Free__PORTInv(S)} S[x] ==> _S_Free__PORTInv(S)[Free__PORTInv(x)]);
+
+axiom (forall x:int :: {Free__PORT(x)} Free__PORT(x) == x + 11);
+axiom (forall x:int :: {Free__PORTInv(x)} Free__PORTInv(x) == x - 11);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 11, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 11, 1) == Free__PORTInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 11)} MINUS_LEFT_PTR(x, 1, 11) == Free__PORTInv(x));
+function GrandMaster__GLOBALS(int) returns (int);
+function GrandMaster__GLOBALSInv(int) returns (int);
+function _S_GrandMaster__GLOBALS([int]bool) returns ([int]bool);
+function _S_GrandMaster__GLOBALSInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {GrandMaster__GLOBALSInv(GrandMaster__GLOBALS(x))} GrandMaster__GLOBALSInv(GrandMaster__GLOBALS(x)) == x);
+axiom (forall x:int :: {GrandMaster__GLOBALSInv(x)} GrandMaster__GLOBALS(GrandMaster__GLOBALSInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_GrandMaster__GLOBALS(S)[x]} _S_GrandMaster__GLOBALS(S)[x] <==> S[GrandMaster__GLOBALSInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_GrandMaster__GLOBALSInv(S)[x]} _S_GrandMaster__GLOBALSInv(S)[x] <==> S[GrandMaster__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_GrandMaster__GLOBALS(S)} S[x] ==> _S_GrandMaster__GLOBALS(S)[GrandMaster__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_GrandMaster__GLOBALSInv(S)} S[x] ==> _S_GrandMaster__GLOBALSInv(S)[GrandMaster__GLOBALSInv(x)]);
+
+axiom (forall x:int :: {GrandMaster__GLOBALS(x)} GrandMaster__GLOBALS(x) == x + 4);
+axiom (forall x:int :: {GrandMaster__GLOBALSInv(x)} GrandMaster__GLOBALSInv(x) == x - 4);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1) == GrandMaster__GLOBALSInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 4)} MINUS_LEFT_PTR(x, 1, 4) == GrandMaster__GLOBALSInv(x));
+function InputData__DEVICE_EXTENSION(int) returns (int);
+function InputData__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_InputData__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_InputData__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {InputData__DEVICE_EXTENSIONInv(InputData__DEVICE_EXTENSION(x))} InputData__DEVICE_EXTENSIONInv(InputData__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {InputData__DEVICE_EXTENSIONInv(x)} InputData__DEVICE_EXTENSION(InputData__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_InputData__DEVICE_EXTENSION(S)[x]} _S_InputData__DEVICE_EXTENSION(S)[x] <==> S[InputData__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_InputData__DEVICE_EXTENSIONInv(S)[x]} _S_InputData__DEVICE_EXTENSIONInv(S)[x] <==> S[InputData__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_InputData__DEVICE_EXTENSION(S)} S[x] ==> _S_InputData__DEVICE_EXTENSION(S)[InputData__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_InputData__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_InputData__DEVICE_EXTENSIONInv(S)[InputData__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {InputData__DEVICE_EXTENSION(x)} InputData__DEVICE_EXTENSION(x) == x + 128);
+axiom (forall x:int :: {InputData__DEVICE_EXTENSIONInv(x)} InputData__DEVICE_EXTENSIONInv(x) == x - 128);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 128, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 128, 1) == InputData__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 128)} MINUS_LEFT_PTR(x, 1, 128) == InputData__DEVICE_EXTENSIONInv(x));
+function LegacyDeviceList__GLOBALS(int) returns (int);
+function LegacyDeviceList__GLOBALSInv(int) returns (int);
+function _S_LegacyDeviceList__GLOBALS([int]bool) returns ([int]bool);
+function _S_LegacyDeviceList__GLOBALSInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {LegacyDeviceList__GLOBALSInv(LegacyDeviceList__GLOBALS(x))} LegacyDeviceList__GLOBALSInv(LegacyDeviceList__GLOBALS(x)) == x);
+axiom (forall x:int :: {LegacyDeviceList__GLOBALSInv(x)} LegacyDeviceList__GLOBALS(LegacyDeviceList__GLOBALSInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_LegacyDeviceList__GLOBALS(S)[x]} _S_LegacyDeviceList__GLOBALS(S)[x] <==> S[LegacyDeviceList__GLOBALSInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_LegacyDeviceList__GLOBALSInv(S)[x]} _S_LegacyDeviceList__GLOBALSInv(S)[x] <==> S[LegacyDeviceList__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_LegacyDeviceList__GLOBALS(S)} S[x] ==> _S_LegacyDeviceList__GLOBALS(S)[LegacyDeviceList__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_LegacyDeviceList__GLOBALSInv(S)} S[x] ==> _S_LegacyDeviceList__GLOBALSInv(S)[LegacyDeviceList__GLOBALSInv(x)]);
+
+axiom (forall x:int :: {LegacyDeviceList__GLOBALS(x)} LegacyDeviceList__GLOBALS(x) == x + 864);
+axiom (forall x:int :: {LegacyDeviceList__GLOBALSInv(x)} LegacyDeviceList__GLOBALSInv(x) == x - 864);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 864, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 864, 1) == LegacyDeviceList__GLOBALSInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 864)} MINUS_LEFT_PTR(x, 1, 864) == LegacyDeviceList__GLOBALSInv(x));
+function Link__DEVICE_EXTENSION(int) returns (int);
+function Link__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_Link__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_Link__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Link__DEVICE_EXTENSIONInv(Link__DEVICE_EXTENSION(x))} Link__DEVICE_EXTENSIONInv(Link__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {Link__DEVICE_EXTENSIONInv(x)} Link__DEVICE_EXTENSION(Link__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Link__DEVICE_EXTENSION(S)[x]} _S_Link__DEVICE_EXTENSION(S)[x] <==> S[Link__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Link__DEVICE_EXTENSIONInv(S)[x]} _S_Link__DEVICE_EXTENSIONInv(S)[x] <==> S[Link__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Link__DEVICE_EXTENSION(S)} S[x] ==> _S_Link__DEVICE_EXTENSION(S)[Link__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Link__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_Link__DEVICE_EXTENSIONInv(S)[Link__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {Link__DEVICE_EXTENSION(x)} Link__DEVICE_EXTENSION(x) == x + 252);
+axiom (forall x:int :: {Link__DEVICE_EXTENSIONInv(x)} Link__DEVICE_EXTENSIONInv(x) == x - 252);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 252, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 252, 1) == Link__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 252)} MINUS_LEFT_PTR(x, 1, 252) == Link__DEVICE_EXTENSIONInv(x));
+function NumAssocClass__GLOBALS(int) returns (int);
+function NumAssocClass__GLOBALSInv(int) returns (int);
+function _S_NumAssocClass__GLOBALS([int]bool) returns ([int]bool);
+function _S_NumAssocClass__GLOBALSInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {NumAssocClass__GLOBALSInv(NumAssocClass__GLOBALS(x))} NumAssocClass__GLOBALSInv(NumAssocClass__GLOBALS(x)) == x);
+axiom (forall x:int :: {NumAssocClass__GLOBALSInv(x)} NumAssocClass__GLOBALS(NumAssocClass__GLOBALSInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_NumAssocClass__GLOBALS(S)[x]} _S_NumAssocClass__GLOBALS(S)[x] <==> S[NumAssocClass__GLOBALSInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_NumAssocClass__GLOBALSInv(S)[x]} _S_NumAssocClass__GLOBALSInv(S)[x] <==> S[NumAssocClass__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_NumAssocClass__GLOBALS(S)} S[x] ==> _S_NumAssocClass__GLOBALS(S)[NumAssocClass__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_NumAssocClass__GLOBALSInv(S)} S[x] ==> _S_NumAssocClass__GLOBALSInv(S)[NumAssocClass__GLOBALSInv(x)]);
+
+axiom (forall x:int :: {NumAssocClass__GLOBALS(x)} NumAssocClass__GLOBALS(x) == x + 12);
+axiom (forall x:int :: {NumAssocClass__GLOBALSInv(x)} NumAssocClass__GLOBALSInv(x) == x - 12);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 12, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 12, 1) == NumAssocClass__GLOBALSInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 12)} MINUS_LEFT_PTR(x, 1, 12) == NumAssocClass__GLOBALSInv(x));
+function PnP__DEVICE_EXTENSION(int) returns (int);
+function PnP__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_PnP__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_PnP__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {PnP__DEVICE_EXTENSIONInv(PnP__DEVICE_EXTENSION(x))} PnP__DEVICE_EXTENSIONInv(PnP__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {PnP__DEVICE_EXTENSIONInv(x)} PnP__DEVICE_EXTENSION(PnP__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_PnP__DEVICE_EXTENSION(S)[x]} _S_PnP__DEVICE_EXTENSION(S)[x] <==> S[PnP__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_PnP__DEVICE_EXTENSIONInv(S)[x]} _S_PnP__DEVICE_EXTENSIONInv(S)[x] <==> S[PnP__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_PnP__DEVICE_EXTENSION(S)} S[x] ==> _S_PnP__DEVICE_EXTENSION(S)[PnP__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_PnP__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_PnP__DEVICE_EXTENSIONInv(S)[PnP__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {PnP__DEVICE_EXTENSION(x)} PnP__DEVICE_EXTENSION(x) == x + 104);
+axiom (forall x:int :: {PnP__DEVICE_EXTENSIONInv(x)} PnP__DEVICE_EXTENSIONInv(x) == x - 104);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 104, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 104, 1) == PnP__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 104)} MINUS_LEFT_PTR(x, 1, 104) == PnP__DEVICE_EXTENSIONInv(x));
+function Port__PORT(int) returns (int);
+function Port__PORTInv(int) returns (int);
+function _S_Port__PORT([int]bool) returns ([int]bool);
+function _S_Port__PORTInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Port__PORTInv(Port__PORT(x))} Port__PORTInv(Port__PORT(x)) == x);
+axiom (forall x:int :: {Port__PORTInv(x)} Port__PORT(Port__PORTInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Port__PORT(S)[x]} _S_Port__PORT(S)[x] <==> S[Port__PORTInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Port__PORTInv(S)[x]} _S_Port__PORTInv(S)[x] <==> S[Port__PORT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Port__PORT(S)} S[x] ==> _S_Port__PORT(S)[Port__PORT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Port__PORTInv(S)} S[x] ==> _S_Port__PORTInv(S)[Port__PORTInv(x)]);
+
+axiom (forall x:int :: {Port__PORT(x)} Port__PORT(x) == x + 4);
+axiom (forall x:int :: {Port__PORTInv(x)} Port__PORTInv(x) == x - 4);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 4, 1) == Port__PORTInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 4)} MINUS_LEFT_PTR(x, 1, 4) == Port__PORTInv(x));
+function RegistryPath__GLOBALS(int) returns (int);
+function RegistryPath__GLOBALSInv(int) returns (int);
+function _S_RegistryPath__GLOBALS([int]bool) returns ([int]bool);
+function _S_RegistryPath__GLOBALSInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {RegistryPath__GLOBALSInv(RegistryPath__GLOBALS(x))} RegistryPath__GLOBALSInv(RegistryPath__GLOBALS(x)) == x);
+axiom (forall x:int :: {RegistryPath__GLOBALSInv(x)} RegistryPath__GLOBALS(RegistryPath__GLOBALSInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_RegistryPath__GLOBALS(S)[x]} _S_RegistryPath__GLOBALS(S)[x] <==> S[RegistryPath__GLOBALSInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_RegistryPath__GLOBALSInv(S)[x]} _S_RegistryPath__GLOBALSInv(S)[x] <==> S[RegistryPath__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_RegistryPath__GLOBALS(S)} S[x] ==> _S_RegistryPath__GLOBALS(S)[RegistryPath__GLOBALS(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_RegistryPath__GLOBALSInv(S)} S[x] ==> _S_RegistryPath__GLOBALSInv(S)[RegistryPath__GLOBALSInv(x)]);
+
+axiom (forall x:int :: {RegistryPath__GLOBALS(x)} RegistryPath__GLOBALS(x) == x + 336);
+axiom (forall x:int :: {RegistryPath__GLOBALSInv(x)} RegistryPath__GLOBALSInv(x) == x - 336);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 336, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 336, 1) == RegistryPath__GLOBALSInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 336)} MINUS_LEFT_PTR(x, 1, 336) == RegistryPath__GLOBALSInv(x));
+function Self__DEVICE_EXTENSION(int) returns (int);
+function Self__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_Self__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_Self__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Self__DEVICE_EXTENSIONInv(Self__DEVICE_EXTENSION(x))} Self__DEVICE_EXTENSIONInv(Self__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {Self__DEVICE_EXTENSIONInv(x)} Self__DEVICE_EXTENSION(Self__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Self__DEVICE_EXTENSION(S)[x]} _S_Self__DEVICE_EXTENSION(S)[x] <==> S[Self__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Self__DEVICE_EXTENSIONInv(S)[x]} _S_Self__DEVICE_EXTENSIONInv(S)[x] <==> S[Self__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Self__DEVICE_EXTENSION(S)} S[x] ==> _S_Self__DEVICE_EXTENSION(S)[Self__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Self__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_Self__DEVICE_EXTENSIONInv(S)[Self__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {Self__DEVICE_EXTENSION(x)} Self__DEVICE_EXTENSION(x) == x + 0);
+axiom (forall x:int :: {Self__DEVICE_EXTENSIONInv(x)} Self__DEVICE_EXTENSIONInv(x) == x - 0);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 0, 1) == Self__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 0)} MINUS_LEFT_PTR(x, 1, 0) == Self__DEVICE_EXTENSIONInv(x));
+function SpinLock__DEVICE_EXTENSION(int) returns (int);
+function SpinLock__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_SpinLock__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_SpinLock__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {SpinLock__DEVICE_EXTENSIONInv(SpinLock__DEVICE_EXTENSION(x))} SpinLock__DEVICE_EXTENSIONInv(SpinLock__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {SpinLock__DEVICE_EXTENSIONInv(x)} SpinLock__DEVICE_EXTENSION(SpinLock__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_SpinLock__DEVICE_EXTENSION(S)[x]} _S_SpinLock__DEVICE_EXTENSION(S)[x] <==> S[SpinLock__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_SpinLock__DEVICE_EXTENSIONInv(S)[x]} _S_SpinLock__DEVICE_EXTENSIONInv(S)[x] <==> S[SpinLock__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_SpinLock__DEVICE_EXTENSION(S)} S[x] ==> _S_SpinLock__DEVICE_EXTENSION(S)[SpinLock__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_SpinLock__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_SpinLock__DEVICE_EXTENSIONInv(S)[SpinLock__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {SpinLock__DEVICE_EXTENSION(x)} SpinLock__DEVICE_EXTENSION(x) == x + 152);
+axiom (forall x:int :: {SpinLock__DEVICE_EXTENSIONInv(x)} SpinLock__DEVICE_EXTENSIONInv(x) == x - 152);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 152, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 152, 1) == SpinLock__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 152)} MINUS_LEFT_PTR(x, 1, 152) == SpinLock__DEVICE_EXTENSIONInv(x));
+function StackSize__DEVICE_OBJECT(int) returns (int);
+function StackSize__DEVICE_OBJECTInv(int) returns (int);
+function _S_StackSize__DEVICE_OBJECT([int]bool) returns ([int]bool);
+function _S_StackSize__DEVICE_OBJECTInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {StackSize__DEVICE_OBJECTInv(StackSize__DEVICE_OBJECT(x))} StackSize__DEVICE_OBJECTInv(StackSize__DEVICE_OBJECT(x)) == x);
+axiom (forall x:int :: {StackSize__DEVICE_OBJECTInv(x)} StackSize__DEVICE_OBJECT(StackSize__DEVICE_OBJECTInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_StackSize__DEVICE_OBJECT(S)[x]} _S_StackSize__DEVICE_OBJECT(S)[x] <==> S[StackSize__DEVICE_OBJECTInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_StackSize__DEVICE_OBJECTInv(S)[x]} _S_StackSize__DEVICE_OBJECTInv(S)[x] <==> S[StackSize__DEVICE_OBJECT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_StackSize__DEVICE_OBJECT(S)} S[x] ==> _S_StackSize__DEVICE_OBJECT(S)[StackSize__DEVICE_OBJECT(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_StackSize__DEVICE_OBJECTInv(S)} S[x] ==> _S_StackSize__DEVICE_OBJECTInv(S)[StackSize__DEVICE_OBJECTInv(x)]);
+
+axiom (forall x:int :: {StackSize__DEVICE_OBJECT(x)} StackSize__DEVICE_OBJECT(x) == x + 48);
+axiom (forall x:int :: {StackSize__DEVICE_OBJECTInv(x)} StackSize__DEVICE_OBJECTInv(x) == x - 48);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 48, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 48, 1) == StackSize__DEVICE_OBJECTInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 48)} MINUS_LEFT_PTR(x, 1, 48) == StackSize__DEVICE_OBJECTInv(x));
+function Started__DEVICE_EXTENSION(int) returns (int);
+function Started__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_Started__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_Started__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {Started__DEVICE_EXTENSIONInv(Started__DEVICE_EXTENSION(x))} Started__DEVICE_EXTENSIONInv(Started__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {Started__DEVICE_EXTENSIONInv(x)} Started__DEVICE_EXTENSION(Started__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_Started__DEVICE_EXTENSION(S)[x]} _S_Started__DEVICE_EXTENSION(S)[x] <==> S[Started__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_Started__DEVICE_EXTENSIONInv(S)[x]} _S_Started__DEVICE_EXTENSIONInv(S)[x] <==> S[Started__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Started__DEVICE_EXTENSION(S)} S[x] ==> _S_Started__DEVICE_EXTENSION(S)[Started__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_Started__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_Started__DEVICE_EXTENSIONInv(S)[Started__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {Started__DEVICE_EXTENSION(x)} Started__DEVICE_EXTENSION(x) == x + 105);
+axiom (forall x:int :: {Started__DEVICE_EXTENSIONInv(x)} Started__DEVICE_EXTENSIONInv(x) == x - 105);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 105, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 105, 1) == Started__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 105)} MINUS_LEFT_PTR(x, 1, 105) == Started__DEVICE_EXTENSIONInv(x));
+function TopPort__DEVICE_EXTENSION(int) returns (int);
+function TopPort__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_TopPort__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_TopPort__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {TopPort__DEVICE_EXTENSIONInv(TopPort__DEVICE_EXTENSION(x))} TopPort__DEVICE_EXTENSIONInv(TopPort__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {TopPort__DEVICE_EXTENSIONInv(x)} TopPort__DEVICE_EXTENSION(TopPort__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_TopPort__DEVICE_EXTENSION(S)[x]} _S_TopPort__DEVICE_EXTENSION(S)[x] <==> S[TopPort__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_TopPort__DEVICE_EXTENSIONInv(S)[x]} _S_TopPort__DEVICE_EXTENSIONInv(S)[x] <==> S[TopPort__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_TopPort__DEVICE_EXTENSION(S)} S[x] ==> _S_TopPort__DEVICE_EXTENSION(S)[TopPort__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_TopPort__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_TopPort__DEVICE_EXTENSIONInv(S)[TopPort__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {TopPort__DEVICE_EXTENSION(x)} TopPort__DEVICE_EXTENSION(x) == x + 8);
+axiom (forall x:int :: {TopPort__DEVICE_EXTENSIONInv(x)} TopPort__DEVICE_EXTENSIONInv(x) == x - 8);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 8, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 8, 1) == TopPort__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 8)} MINUS_LEFT_PTR(x, 1, 8) == TopPort__DEVICE_EXTENSIONInv(x));
+function UnitId__DEVICE_EXTENSION(int) returns (int);
+function UnitId__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_UnitId__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_UnitId__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {UnitId__DEVICE_EXTENSIONInv(UnitId__DEVICE_EXTENSION(x))} UnitId__DEVICE_EXTENSIONInv(UnitId__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {UnitId__DEVICE_EXTENSIONInv(x)} UnitId__DEVICE_EXTENSION(UnitId__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_UnitId__DEVICE_EXTENSION(S)[x]} _S_UnitId__DEVICE_EXTENSION(S)[x] <==> S[UnitId__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_UnitId__DEVICE_EXTENSIONInv(S)[x]} _S_UnitId__DEVICE_EXTENSIONInv(S)[x] <==> S[UnitId__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_UnitId__DEVICE_EXTENSION(S)} S[x] ==> _S_UnitId__DEVICE_EXTENSION(S)[UnitId__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_UnitId__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_UnitId__DEVICE_EXTENSIONInv(S)[UnitId__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {UnitId__DEVICE_EXTENSION(x)} UnitId__DEVICE_EXTENSION(x) == x + 176);
+axiom (forall x:int :: {UnitId__DEVICE_EXTENSIONInv(x)} UnitId__DEVICE_EXTENSIONInv(x) == x - 176);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 176, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 176, 1) == UnitId__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 176)} MINUS_LEFT_PTR(x, 1, 176) == UnitId__DEVICE_EXTENSIONInv(x));
+function WaitWakeSpinLock__DEVICE_EXTENSION(int) returns (int);
+function WaitWakeSpinLock__DEVICE_EXTENSIONInv(int) returns (int);
+function _S_WaitWakeSpinLock__DEVICE_EXTENSION([int]bool) returns ([int]bool);
+function _S_WaitWakeSpinLock__DEVICE_EXTENSIONInv([int]bool) returns ([int]bool);
+
+axiom (forall x:int :: {WaitWakeSpinLock__DEVICE_EXTENSIONInv(WaitWakeSpinLock__DEVICE_EXTENSION(x))} WaitWakeSpinLock__DEVICE_EXTENSIONInv(WaitWakeSpinLock__DEVICE_EXTENSION(x)) == x);
+axiom (forall x:int :: {WaitWakeSpinLock__DEVICE_EXTENSIONInv(x)} WaitWakeSpinLock__DEVICE_EXTENSION(WaitWakeSpinLock__DEVICE_EXTENSIONInv(x)) == x);
+
+axiom (forall x:int, S:[int]bool :: {_S_WaitWakeSpinLock__DEVICE_EXTENSION(S)[x]} _S_WaitWakeSpinLock__DEVICE_EXTENSION(S)[x] <==> S[WaitWakeSpinLock__DEVICE_EXTENSIONInv(x)]);
+axiom (forall x:int, S:[int]bool :: {_S_WaitWakeSpinLock__DEVICE_EXTENSIONInv(S)[x]} _S_WaitWakeSpinLock__DEVICE_EXTENSIONInv(S)[x] <==> S[WaitWakeSpinLock__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_WaitWakeSpinLock__DEVICE_EXTENSION(S)} S[x] ==> _S_WaitWakeSpinLock__DEVICE_EXTENSION(S)[WaitWakeSpinLock__DEVICE_EXTENSION(x)]);
+axiom (forall x:int, S:[int]bool :: {S[x], _S_WaitWakeSpinLock__DEVICE_EXTENSIONInv(S)} S[x] ==> _S_WaitWakeSpinLock__DEVICE_EXTENSIONInv(S)[WaitWakeSpinLock__DEVICE_EXTENSIONInv(x)]);
+
+axiom (forall x:int :: {WaitWakeSpinLock__DEVICE_EXTENSION(x)} WaitWakeSpinLock__DEVICE_EXTENSION(x) == x + 108);
+axiom (forall x:int :: {WaitWakeSpinLock__DEVICE_EXTENSIONInv(x)} WaitWakeSpinLock__DEVICE_EXTENSIONInv(x) == x - 108);
+axiom (forall x:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, 108, 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, 108, 1) == WaitWakeSpinLock__DEVICE_EXTENSIONInv(x));
+axiom (forall x:int :: {MINUS_LEFT_PTR(x, 1, 108)} MINUS_LEFT_PTR(x, 1, 108) == WaitWakeSpinLock__DEVICE_EXTENSIONInv(x));
+function MINUS_BOTH_PTR_OR_BOTH_INT(a:int, b:int, size:int) returns (int);
+axiom (forall a:int, b:int, size:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(a,b,size)}
+size * MINUS_BOTH_PTR_OR_BOTH_INT(a,b,size) <= a - b && a - b < size * (MINUS_BOTH_PTR_OR_BOTH_INT(a,b,size) + 1));
+
+function MINUS_LEFT_PTR(a:int, a_size:int, b:int) returns (int);
+axiom(forall a:int, a_size:int, b:int :: {MINUS_LEFT_PTR(a,a_size,b)} MINUS_LEFT_PTR(a,a_size,b) == a - a_size * b);
+
+function PLUS(a:int, a_size:int, b:int) returns (int);
+axiom (forall a:int, a_size:int, b:int :: {PLUS(a,a_size,b)} PLUS(a,a_size,b) == a + a_size * b);
+
+function MULT(a:int, b:int) returns (int); // a*b
+axiom(forall a:int, b:int :: {MULT(a,b)} MULT(a,b) == a * b);
+
+function DIV(a:int, b:int) returns (int); // a/b
+
+axiom(forall a:int, b:int :: {DIV(a,b)}
+a >= 0 && b > 0 ==> b * DIV(a,b) <= a && a < b * (DIV(a,b) + 1)
+);
+
+axiom(forall a:int, b:int :: {DIV(a,b)}
+a >= 0 && b < 0 ==> b * DIV(a,b) <= a && a < b * (DIV(a,b) - 1)
+);
+
+axiom(forall a:int, b:int :: {DIV(a,b)}
+a < 0 && b > 0 ==> b * DIV(a,b) >= a && a > b * (DIV(a,b) - 1)
+);
+
+axiom(forall a:int, b:int :: {DIV(a,b)}
+a < 0 && b < 0 ==> b * DIV(a,b) >= a && a > b * (DIV(a,b) + 1)
+);
+
+function BINARY_BOTH_INT(a:int, b:int) returns (int);
+
+function POW2(a:int) returns (bool);
+axiom POW2(1);
+axiom POW2(2);
+axiom POW2(4);
+axiom POW2(8);
+axiom POW2(16);
+axiom POW2(32);
+axiom POW2(64);
+axiom POW2(128);
+axiom POW2(256);
+axiom POW2(512);
+axiom POW2(1024);
+axiom POW2(2048);
+axiom POW2(4096);
+axiom POW2(8192);
+axiom POW2(16384);
+axiom POW2(32768);
+axiom POW2(65536);
+axiom POW2(131072);
+axiom POW2(262144);
+axiom POW2(524288);
+axiom POW2(1048576);
+axiom POW2(2097152);
+axiom POW2(4194304);
+axiom POW2(8388608);
+axiom POW2(16777216);
+axiom POW2(33554432);
+
+function choose(a:bool, b:int, c:int) returns (x:int);
+axiom(forall a:bool, b:int, c:int :: {choose(a,b,c)} a ==> choose(a,b,c) == b);
+axiom(forall a:bool, b:int, c:int :: {choose(a,b,c)} !a ==> choose(a,b,c) == c);
+
+function BIT_BAND(a:int, b:int) returns (x:int);
+axiom(forall a:int, b:int :: {BIT_BAND(a,b)} a == b ==> BIT_BAND(a,b) == a);
+axiom(forall a:int, b:int :: {BIT_BAND(a,b)} POW2(a) && POW2(b) && a != b ==> BIT_BAND(a,b) == 0);
+axiom(forall a:int, b:int :: {BIT_BAND(a,b)} a == 0 || b == 0 ==> BIT_BAND(a,b) == 0);
+
+function BIT_BOR(a:int, b:int) returns (x:int);
+
+function BIT_BXOR(a:int, b:int) returns (x:int);
+
+function BIT_BNOT(a:int) returns (int);
+
+function LIFT(a:bool) returns (int);
+axiom(forall a:bool :: {LIFT(a)} a <==> LIFT(a) != 0);
+
+function NOT(a:int) returns (int);
+axiom(forall a:int :: {NOT(a)} a == 0 ==> NOT(a) != 0);
+axiom(forall a:int :: {NOT(a)} a != 0 ==> NOT(a) == 0);
+
+function NULL_CHECK(a:int) returns (int);
+axiom(forall a:int :: {NULL_CHECK(a)} a == 0 ==> NULL_CHECK(a) != 0);
+axiom(forall a:int :: {NULL_CHECK(a)} a != 0 ==> NULL_CHECK(a) == 0);
+
+
+
+
+procedure havoc_assert(i:int);
+requires (i != 0);
+
+procedure havoc_assume(i:int);
+ensures (i != 0);
+
+procedure __HAVOC_free(a:int);
+modifies alloc;
+ensures (forall x:int :: {alloc[x]} x == a || old(alloc)[x] == alloc[x]);
+ensures (alloc[a] == FREED);
+// Additional checks guarded by tranlator flags
+// requires alloc[a] == ALLOCATED;
+// requires Base(a) == a;
+
+procedure __HAVOC_malloc(obj_size:int) returns (new:int);
+requires obj_size >= 0;
+modifies alloc;
+ensures (new > 0);
+ensures (forall x:int :: {Base(x)} new <= x && x < new+obj_size ==> Base(x) == new);
+ensures (forall x:int :: {alloc[x]} x == new || old(alloc)[x] == alloc[x]);
+ensures old(alloc)[new] == UNALLOCATED && alloc[new] == ALLOCATED;
+
+procedure nondet_choice() returns (x:int);
+
+procedure _strdup(str:int) returns (new:int);
+
+procedure _xstrcasecmp(a0:int, a1:int) returns (ret:int);
+
+procedure _xstrcmp(a0:int, a1:int) returns (ret:int);
+
+var Res_DEVICE_STACK:[int]int;
+var Res_DEV_EXTN:[int]int;
+var Res_DEV_OBJ_INIT:[int]int;
+var Res_SPIN_LOCK:[int]int;
+
+
+
+////////////////////
+// Between predicate
+////////////////////
+function ReachBetween(f: [int]int, x: int, y: int, z: int) returns (bool);
+function ReachAvoiding(f: [int]int, x: int, y: int, z: int) returns (bool);
+
+
+//////////////////////////
+// Between set constructor
+//////////////////////////
+function ReachBetweenSet(f: [int]int, x: int, z: int) returns ([int]bool);
+
+////////////////////////////////////////////////////
+// axioms relating ReachBetween and ReachBetweenSet
+////////////////////////////////////////////////////
+axiom(forall f: [int]int, x: int, y: int, z: int :: {ReachBetweenSet(f, x, z)[y]} ReachBetweenSet(f, x, z)[y] <==> ReachBetween(f, x, y, z));
+axiom(forall f: [int]int, x: int, y: int, z: int :: {ReachBetween(f, x, y, z), ReachBetweenSet(f, x, z)} ReachBetween(f, x, y, z) ==> ReachBetweenSet(f, x, z)[y]);
+axiom(forall f: [int]int, x: int, z: int :: {ReachBetweenSet(f, x, z)} ReachBetween(f, x, x, x));
+
+
+//////////////////////////
+// Axioms for ReachBetween
+//////////////////////////
+
+// reflexive
+axiom(forall f: [int]int, x: int :: ReachBetween(f, x, x, x));
+
+// step
+//axiom(forall f: [int]int, x: int :: {f[x]} ReachBetween(f, x, f[x], f[x]));
+axiom(forall f: [int]int, x: int, y: int, z: int, w:int :: {ReachBetween(f, y, z, w), f[x]} ReachBetween(f, x, f[x], f[x]));
+
+// reach
+axiom(forall f: [int]int, x: int, y: int :: {f[x], ReachBetween(f, x, y, y)} ReachBetween(f, x, y, y) ==> x == y || ReachBetween(f, x, f[x], y));
+
+// cycle
+axiom(forall f: [int]int, x: int, y:int :: {f[x], ReachBetween(f, x, y, y)} f[x] == x && ReachBetween(f, x, y, y) ==> x == y);
+
+// sandwich
+axiom(forall f: [int]int, x: int, y: int :: {ReachBetween(f, x, y, x)} ReachBetween(f, x, y, x) ==> x == y);
+
+// order1
+axiom(forall f: [int]int, x: int, y: int, z: int :: {ReachBetween(f, x, y, y), ReachBetween(f, x, z, z)} ReachBetween(f, x, y, y) && ReachBetween(f, x, z, z) ==> ReachBetween(f, x, y, z) || ReachBetween(f, x, z, y));
+
+// order2
+axiom(forall f: [int]int, x: int, y: int, z: int :: {ReachBetween(f, x, y, z)} ReachBetween(f, x, y, z) ==> ReachBetween(f, x, y, y) && ReachBetween(f, y, z, z));
+
+// transitive1
+axiom(forall f: [int]int, x: int, y: int, z: int :: {ReachBetween(f, x, y, y), ReachBetween(f, y, z, z)} ReachBetween(f, x, y, y) && ReachBetween(f, y, z, z) ==> ReachBetween(f, x, z, z));
+
+// transitive2
+axiom(forall f: [int]int, x: int, y: int, z: int, w: int :: {ReachBetween(f, x, y, z), ReachBetween(f, y, w, z)} ReachBetween(f, x, y, z) && ReachBetween(f, y, w, z) ==> ReachBetween(f, x, y, w) && ReachBetween(f, x, w, z));
+
+// transitive3
+axiom(forall f: [int]int, x: int, y: int, z: int, w: int :: {ReachBetween(f, x, y, z), ReachBetween(f, x, w, y)} ReachBetween(f, x, y, z) && ReachBetween(f, x, w, y) ==> ReachBetween(f, x, w, z) && ReachBetween(f, w, y, z));
+
+// This axiom is required to deal with the incompleteness of the trigger for the reflexive axiom.
+// It cannot be proved using the rest of the axioms.
+axiom(forall f: [int]int, u:int, x: int :: {ReachBetween(f, u, x, x)} ReachBetween(f, u, x, x) ==> ReachBetween(f, u, u, x));
+
+// relation between ReachAvoiding and ReachBetween
+axiom(forall f: [int]int, x: int, y: int, z: int :: {ReachAvoiding(f, x, y, z)}{ReachBetween(f, x, y, z)} ReachAvoiding(f, x, y, z) <==> (ReachBetween(f, x, y, z) || (ReachBetween(f, x, y, y) && !ReachBetween(f, x, z, z))));
+
+// update
+axiom(forall f: [int]int, u: int, v: int, x: int, p: int, q: int :: {ReachAvoiding(f[p := q], u, v, x)} ReachAvoiding(f[p := q], u, v, x) <==> ((ReachAvoiding(f, u, v, p) && ReachAvoiding(f, u, v, x)) || (ReachAvoiding(f, u, p, x) && p != x && ReachAvoiding(f, q, v, p) && ReachAvoiding(f, q, v, x))));
+ ///////////////////////////////
+ // Shifts for linking fields
+ ///////////////////////////////
+function Shift_Flink__LIST_ENTRY(f: [int]int) returns ([int]int);
+axiom( forall f: [int]int, __x:int :: {f[Flink__LIST_ENTRY(__x)],Shift_Flink__LIST_ENTRY(f)} {Shift_Flink__LIST_ENTRY(f)[__x]} Shift_Flink__LIST_ENTRY(f)[__x] == f[Flink__LIST_ENTRY(__x)]);
+axiom(forall f: [int]int, __x:int, __v:int :: {Shift_Flink__LIST_ENTRY(f[Flink__LIST_ENTRY(__x) := __v])} Shift_Flink__LIST_ENTRY(f[Flink__LIST_ENTRY(__x) := __v]) == Shift_Flink__LIST_ENTRY(f)[__x := __v]);
+
+const unique Globals : int;
+axiom(Globals != 0);
+
+
+procedure ExFreePoolWithTag($P$1$14901.35$ExFreePoolWithTag$81:int, $Tag$2$14902.15$ExFreePoolWithTag$81:int);
+
+//TAG: ensures __preserves_mem
+ensures(Mem == old(Mem));
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+ensures((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN)));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_a7aa989c] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure IoAllocateIrp($StackSize$1$20453.15$IoAllocateIrp$81:int, $ChargeQuota$2$20454.17$IoAllocateIrp$81:int) returns ($result.IoAllocateIrp$20452.0$1$:int);
+
+//TAG: ensures __preserves_mem
+ensures(Mem == old(Mem));
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+ensures((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN)));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_a7aa989c] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure IoDeleteDevice($DeviceObject$1$21328.67$IoDeleteDevice$41:int);
+
+//TAG: ensures __preserves_mem
+ensures(Mem == old(Mem));
+//TAG: requires 1 ==> __resource("DEV_OBJ_INIT", DeviceObject) == 1 && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)DeviceObject)->DeviceExtension)) == 1
+requires((true) ==> ((Res_DEV_OBJ_INIT[$DeviceObject$1$21328.67$IoDeleteDevice$41] == 1) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT($DeviceObject$1$21328.67$IoDeleteDevice$41)]] == 1)));
+//TAG: ensures 1 ==> __resource("DEV_OBJ_INIT", DeviceObject) == 0 && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)DeviceObject)->DeviceExtension)) == 0
+ensures((true) ==> ((Res_DEV_OBJ_INIT[$DeviceObject$1$21328.67$IoDeleteDevice$41] == 0) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT($DeviceObject$1$21328.67$IoDeleteDevice$41)]] == 0)));
+//TAG: ensures 1 ==> __updates_resource("DEV_OBJ_INIT", DeviceObject, 0) && __updates_resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)DeviceObject)->DeviceExtension), 0)
+ensures((true) ==> ((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)[$DeviceObject$1$21328.67$IoDeleteDevice$41 := 0]) && (Res_DEV_EXTN == old(Res_DEV_EXTN)[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT($DeviceObject$1$21328.67$IoDeleteDevice$41)] := 0])));
+//TAG: ensures !1 ==> __resource("DEV_OBJ_INIT", DeviceObject) == __old_resource("DEV_OBJ_INIT", DeviceObject) && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)DeviceObject)->DeviceExtension)) == __old_resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)DeviceObject)->DeviceExtension))
+ensures((!(true)) ==> ((Res_DEV_OBJ_INIT[$DeviceObject$1$21328.67$IoDeleteDevice$41] == old(Res_DEV_OBJ_INIT)[$DeviceObject$1$21328.67$IoDeleteDevice$41]) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT($DeviceObject$1$21328.67$IoDeleteDevice$41)]] == old(Res_DEV_EXTN)[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT($DeviceObject$1$21328.67$IoDeleteDevice$41)]])));
+//TAG: ensures !1 ==> __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+free ensures((!(true)) ==> ((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN))));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)DeviceObject)->DeviceExtension)
+ensures (Subset(Empty(), Union(Union(Empty(), Empty()), Singleton(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT($DeviceObject$1$21328.67$IoDeleteDevice$41)]))) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT($DeviceObject$1$21328.67$IoDeleteDevice$41)] == r) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty, DeviceObject
+ensures (Subset(Empty(), Union(Union(Empty(), Empty()), Singleton($DeviceObject$1$21328.67$IoDeleteDevice$41))) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || ($DeviceObject$1$21328.67$IoDeleteDevice$41 == r) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_a7aa989c] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure IoFreeIrp($Irp$1$21417.14$IoFreeIrp$41:int);
+
+//TAG: ensures __preserves_mem
+ensures(Mem == old(Mem));
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+ensures((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN)));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_a7aa989c] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure MouEnableDisablePort($EnableFlag$1$504.15$MouEnableDisablePort$161:int, $Irp$2$505.15$MouEnableDisablePort$161:int, $Port$3$506.25$MouEnableDisablePort$161:int, $File$4$507.22$MouEnableDisablePort$161:int) returns ($result.MouEnableDisablePort$503.0$1$:int);
+
+//TAG: requires __pforall(_H_x, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension), __inv_resource("DEV_OBJ_INIT", 1), ((struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension))->Self == _H_x && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension)) == 1)
+requires((forall _H_x:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]} Inverse(Res_DEV_OBJ_INIT,1)[_H_x] ==> ((Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)])] == _H_x) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]] == 1))));
+//TAG: requires __pforall(_H_z, _H_z->Self, __inv_resource("DEV_EXTN", 1), __resource("DEV_OBJ_INIT", _H_z->Self) == 1 && (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(_H_z->Self))->DeviceExtension) == _H_z)
+requires((forall _H_z:int :: {Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]} Inverse(Res_DEV_EXTN,1)[_H_z] ==> ((Res_DEV_OBJ_INIT[Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]] == 1) && (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)])] == _H_z))));
+//TAG: requires __forall(_H_z, __inv_resource("DEV_EXTN", 1), __resource("SPIN_LOCK", &_H_z->SpinLock) == 0 && __resource("SPIN_LOCK", &_H_z->WaitWakeSpinLock) == 0)
+requires((Subset(Empty(), Inverse(Res_DEV_EXTN,1)) && (forall _H_z : int :: {Inverse(Res_DEV_EXTN,1)[_H_z]} (Inverse(Res_DEV_EXTN,1)[_H_z]) ==> ((Res_SPIN_LOCK[SpinLock__DEVICE_EXTENSION(_H_z)] == 0) && (Res_SPIN_LOCK[WaitWakeSpinLock__DEVICE_EXTENSION(_H_z)] == 0)))));
+//TAG: requires 1 ==> (Globals.GrandMaster != (void *)0 ==> __resource("DEV_EXTN", Globals.GrandMaster) == 1)
+requires((true) ==> ((Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] != 0) ==> (Res_DEV_EXTN[Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)]] == 1)));
+//TAG: requires 1 ==> __setin(&Globals.LegacyDeviceList, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList))
+requires((true) ==> (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[LegacyDeviceList__GLOBALS(Globals)]));
+//TAG: requires 1 ==> __forall(_H_y, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), _H_y == &Globals.LegacyDeviceList || __resource("DEV_EXTN", CONTAINING_RECORD(_H_y, struct _DEVICE_EXTENSION , Link)) == 1)
+requires((true) ==> ((Subset(Empty(), ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))) && (forall _H_y : int :: {ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]} (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]) ==> ((_H_y == LegacyDeviceList__GLOBALS(Globals)) || (Res_DEV_EXTN[MINUS_LEFT_PTR(_H_y, 1, Link__DEVICE_EXTENSION(0))] == 1))))));
+//TAG: requires 1 ==> !__setin(&Globals.GrandMaster->Link, __setminus(__btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), __set(&Globals.LegacyDeviceList)))
+requires((true) ==> (!(Difference(ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals)), Singleton(LegacyDeviceList__GLOBALS(Globals)))[Link__DEVICE_EXTENSION(Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)])])));
+//TAG: ensures __pforall(_H_x, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension), __inv_resource("DEV_OBJ_INIT", 1), ((struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension))->Self == _H_x && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension)) == 1)
+ensures((forall _H_x:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]} Inverse(Res_DEV_OBJ_INIT,1)[_H_x] ==> ((Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)])] == _H_x) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]] == 1))));
+//TAG: ensures __pforall(_H_z, _H_z->Self, __inv_resource("DEV_EXTN", 1), __resource("DEV_OBJ_INIT", _H_z->Self) == 1 && (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(_H_z->Self))->DeviceExtension) == _H_z)
+ensures((forall _H_z:int :: {Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]} Inverse(Res_DEV_EXTN,1)[_H_z] ==> ((Res_DEV_OBJ_INIT[Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]] == 1) && (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)])] == _H_z))));
+//TAG: ensures __forall(_H_z, __inv_resource("DEV_EXTN", 1), __resource("SPIN_LOCK", &_H_z->SpinLock) == 0 && __resource("SPIN_LOCK", &_H_z->WaitWakeSpinLock) == 0)
+ensures((Subset(Empty(), Inverse(Res_DEV_EXTN,1)) && (forall _H_z : int :: {Inverse(Res_DEV_EXTN,1)[_H_z]} (Inverse(Res_DEV_EXTN,1)[_H_z]) ==> ((Res_SPIN_LOCK[SpinLock__DEVICE_EXTENSION(_H_z)] == 0) && (Res_SPIN_LOCK[WaitWakeSpinLock__DEVICE_EXTENSION(_H_z)] == 0)))));
+//TAG: ensures 1 ==> (Globals.GrandMaster != (void *)0 ==> __resource("DEV_EXTN", Globals.GrandMaster) == 1)
+ensures((true) ==> ((Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] != 0) ==> (Res_DEV_EXTN[Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)]] == 1)));
+//TAG: ensures 1 ==> __setin(&Globals.LegacyDeviceList, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList))
+ensures((true) ==> (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[LegacyDeviceList__GLOBALS(Globals)]));
+//TAG: ensures 1 ==> __forall(_H_y, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), _H_y == &Globals.LegacyDeviceList || __resource("DEV_EXTN", CONTAINING_RECORD(_H_y, struct _DEVICE_EXTENSION , Link)) == 1)
+ensures((true) ==> ((Subset(Empty(), ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))) && (forall _H_y : int :: {ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]} (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]) ==> ((_H_y == LegacyDeviceList__GLOBALS(Globals)) || (Res_DEV_EXTN[MINUS_LEFT_PTR(_H_y, 1, Link__DEVICE_EXTENSION(0))] == 1))))));
+//TAG: ensures 1 ==> !__setin(&Globals.GrandMaster->Link, __setminus(__btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), __set(&Globals.LegacyDeviceList)))
+ensures((true) ==> (!(Difference(ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals)), Singleton(LegacyDeviceList__GLOBALS(Globals)))[Link__DEVICE_EXTENSION(Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)])])));
+//TAG: ensures __preserves_field_map(__offset((*((struct _LIST_ENTRY *)0)).Flink))
+ensures(Mem[T.Flink__LIST_ENTRY] == old(Mem)[T.Flink__LIST_ENTRY]);
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT")
+ensures(Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT));
+//TAG: ensures __preserves_resource("DEV_EXTN")
+ensures(Res_DEV_EXTN == old(Res_DEV_EXTN));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_a7aa989c] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure MouseClassCleanupQueue($DeviceObject$1$1052.28$MouseClassCleanupQueue$121:int, $DeviceExtension$2$1053.28$MouseClassCleanupQueue$121:int, $FileObject$3$1054.28$MouseClassCleanupQueue$121:int);
+
+//TAG: requires __resource("DEV_EXTN", DeviceExtension) == 1
+requires(Res_DEV_EXTN[$DeviceExtension$2$1053.28$MouseClassCleanupQueue$121] == 1);
+//TAG: requires __resource("SPIN_LOCK", &((struct _DEVICE_EXTENSION *)DeviceExtension)->WaitWakeSpinLock) == 0
+requires(Res_SPIN_LOCK[WaitWakeSpinLock__DEVICE_EXTENSION($DeviceExtension$2$1053.28$MouseClassCleanupQueue$121)] == 0);
+//TAG: requires __resource("SPIN_LOCK", &((struct _DEVICE_EXTENSION *)DeviceExtension)->SpinLock) == 0
+requires(Res_SPIN_LOCK[SpinLock__DEVICE_EXTENSION($DeviceExtension$2$1053.28$MouseClassCleanupQueue$121)] == 0);
+//TAG: requires __pforall(_H_x, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension), __inv_resource("DEV_OBJ_INIT", 1), ((struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension))->Self == _H_x && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension)) == 1)
+requires((forall _H_x:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]} Inverse(Res_DEV_OBJ_INIT,1)[_H_x] ==> ((Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)])] == _H_x) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]] == 1))));
+//TAG: requires __pforall(_H_z, _H_z->Self, __inv_resource("DEV_EXTN", 1), __resource("DEV_OBJ_INIT", _H_z->Self) == 1 && (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(_H_z->Self))->DeviceExtension) == _H_z)
+requires((forall _H_z:int :: {Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]} Inverse(Res_DEV_EXTN,1)[_H_z] ==> ((Res_DEV_OBJ_INIT[Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]] == 1) && (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)])] == _H_z))));
+//TAG: requires __forall(_H_z, __inv_resource("DEV_EXTN", 1), __resource("SPIN_LOCK", &_H_z->SpinLock) == 0 && __resource("SPIN_LOCK", &_H_z->WaitWakeSpinLock) == 0)
+requires((Subset(Empty(), Inverse(Res_DEV_EXTN,1)) && (forall _H_z : int :: {Inverse(Res_DEV_EXTN,1)[_H_z]} (Inverse(Res_DEV_EXTN,1)[_H_z]) ==> ((Res_SPIN_LOCK[SpinLock__DEVICE_EXTENSION(_H_z)] == 0) && (Res_SPIN_LOCK[WaitWakeSpinLock__DEVICE_EXTENSION(_H_z)] == 0)))));
+//TAG: requires 1 ==> (Globals.GrandMaster != (void *)0 ==> __resource("DEV_EXTN", Globals.GrandMaster) == 1)
+requires((true) ==> ((Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] != 0) ==> (Res_DEV_EXTN[Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)]] == 1)));
+//TAG: requires 1 ==> __setin(&Globals.LegacyDeviceList, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList))
+requires((true) ==> (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[LegacyDeviceList__GLOBALS(Globals)]));
+//TAG: requires 1 ==> __forall(_H_y, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), _H_y == &Globals.LegacyDeviceList || __resource("DEV_EXTN", CONTAINING_RECORD(_H_y, struct _DEVICE_EXTENSION , Link)) == 1)
+requires((true) ==> ((Subset(Empty(), ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))) && (forall _H_y : int :: {ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]} (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]) ==> ((_H_y == LegacyDeviceList__GLOBALS(Globals)) || (Res_DEV_EXTN[MINUS_LEFT_PTR(_H_y, 1, Link__DEVICE_EXTENSION(0))] == 1))))));
+//TAG: requires __resource("DEV_OBJ_INIT", DeviceObject) == 1
+requires(Res_DEV_OBJ_INIT[$DeviceObject$1$1052.28$MouseClassCleanupQueue$121] == 1);
+//TAG: ensures __resource("DEV_EXTN", DeviceExtension) == 1
+ensures(Res_DEV_EXTN[$DeviceExtension$2$1053.28$MouseClassCleanupQueue$121] == 1);
+//TAG: ensures __resource("SPIN_LOCK", &((struct _DEVICE_EXTENSION *)DeviceExtension)->WaitWakeSpinLock) == 0
+ensures(Res_SPIN_LOCK[WaitWakeSpinLock__DEVICE_EXTENSION($DeviceExtension$2$1053.28$MouseClassCleanupQueue$121)] == 0);
+//TAG: ensures __resource("SPIN_LOCK", &((struct _DEVICE_EXTENSION *)DeviceExtension)->SpinLock) == 0
+ensures(Res_SPIN_LOCK[SpinLock__DEVICE_EXTENSION($DeviceExtension$2$1053.28$MouseClassCleanupQueue$121)] == 0);
+//TAG: ensures __pforall(_H_x, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension), __inv_resource("DEV_OBJ_INIT", 1), ((struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension))->Self == _H_x && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension)) == 1)
+ensures((forall _H_x:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]} Inverse(Res_DEV_OBJ_INIT,1)[_H_x] ==> ((Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)])] == _H_x) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]] == 1))));
+//TAG: ensures __pforall(_H_z, _H_z->Self, __inv_resource("DEV_EXTN", 1), __resource("DEV_OBJ_INIT", _H_z->Self) == 1 && (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(_H_z->Self))->DeviceExtension) == _H_z)
+ensures((forall _H_z:int :: {Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]} Inverse(Res_DEV_EXTN,1)[_H_z] ==> ((Res_DEV_OBJ_INIT[Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]] == 1) && (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)])] == _H_z))));
+//TAG: ensures __forall(_H_z, __inv_resource("DEV_EXTN", 1), __resource("SPIN_LOCK", &_H_z->SpinLock) == 0 && __resource("SPIN_LOCK", &_H_z->WaitWakeSpinLock) == 0)
+ensures((Subset(Empty(), Inverse(Res_DEV_EXTN,1)) && (forall _H_z : int :: {Inverse(Res_DEV_EXTN,1)[_H_z]} (Inverse(Res_DEV_EXTN,1)[_H_z]) ==> ((Res_SPIN_LOCK[SpinLock__DEVICE_EXTENSION(_H_z)] == 0) && (Res_SPIN_LOCK[WaitWakeSpinLock__DEVICE_EXTENSION(_H_z)] == 0)))));
+//TAG: ensures 1 ==> (Globals.GrandMaster != (void *)0 ==> __resource("DEV_EXTN", Globals.GrandMaster) == 1)
+ensures((true) ==> ((Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] != 0) ==> (Res_DEV_EXTN[Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)]] == 1)));
+//TAG: ensures 1 ==> __setin(&Globals.LegacyDeviceList, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList))
+ensures((true) ==> (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[LegacyDeviceList__GLOBALS(Globals)]));
+//TAG: ensures 1 ==> __forall(_H_y, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), _H_y == &Globals.LegacyDeviceList || __resource("DEV_EXTN", CONTAINING_RECORD(_H_y, struct _DEVICE_EXTENSION , Link)) == 1)
+ensures((true) ==> ((Subset(Empty(), ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))) && (forall _H_y : int :: {ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]} (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]) ==> ((_H_y == LegacyDeviceList__GLOBALS(Globals)) || (Res_DEV_EXTN[MINUS_LEFT_PTR(_H_y, 1, Link__DEVICE_EXTENSION(0))] == 1))))));
+//TAG: ensures __preserves_field_map(__offset((*((struct _LIST_ENTRY *)0)).Flink))
+ensures(Mem[T.Flink__LIST_ENTRY] == old(Mem)[T.Flink__LIST_ENTRY]);
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT")
+ensures(Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT));
+//TAG: ensures __preserves_resource("DEV_EXTN")
+ensures(Res_DEV_EXTN == old(Res_DEV_EXTN));
+//TAG: ensures __resource("DEV_OBJ_INIT", DeviceObject) == 1
+ensures(Res_DEV_OBJ_INIT[$DeviceObject$1$1052.28$MouseClassCleanupQueue$121] == 1);
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_a7aa989c] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure ObfDereferenceObject($Object$1$24931.15$ObfDereferenceObject$41:int) returns ($result.ObfDereferenceObject$24930.0$1$:int);
+
+//TAG: ensures __preserves_mem
+ensures(Mem == old(Mem));
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+ensures((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN)));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_a7aa989c] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure RemoveEntryList($Entry$1$6929.19$RemoveEntryList$41:int) returns ($result.RemoveEntryList$6928.0$1$:int);
+
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+ensures((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN)));
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+ensures((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN)));
+//TAG: ensures __seteq(__btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), __setminus(__old(__btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList)), __set(Entry)))
+ensures((Subset(ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals)), Difference(ReachBetweenSet(Shift_Flink__LIST_ENTRY(old(Mem)[T.Flink__LIST_ENTRY]), old(Mem)[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(old(Globals)))], LegacyDeviceList__GLOBALS(old(Globals))), Singleton($Entry$1$6929.19$RemoveEntryList$41))) && Subset(Difference(ReachBetweenSet(Shift_Flink__LIST_ENTRY(old(Mem)[T.Flink__LIST_ENTRY]), old(Mem)[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(old(Globals)))], LegacyDeviceList__GLOBALS(old(Globals))), Singleton($Entry$1$6929.19$RemoveEntryList$41)), ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals)))));
+//TAG: ensures Entry->Flink == __old(Entry->Flink)
+ensures(Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY($Entry$1$6929.19$RemoveEntryList$41)] == old(Mem)[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY($Entry$1$6929.19$RemoveEntryList$41)]);
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty, __set_empty
+ensures (Subset(Empty(), Union(Union(Empty(), Empty()), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty, __set_empty
+ensures (Subset(Empty(), Union(Union(Empty(), Empty()), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty, __set_empty
+ensures (Subset(Empty(), Union(Union(Empty(), Empty()), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty, __set_empty
+ensures (Subset(Empty(), Union(Union(Empty(), Empty()), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty, __set_empty
+ensures (Subset(Empty(), Union(Union(Empty(), Empty()), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_a7aa989c] only for: __set_empty, __set_empty
+ensures (Subset(Empty(), Union(Union(Empty(), Empty()), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]} (Empty()[_m]) || (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty, __set_empty
+ensures (Subset(Empty(), Union(Union(Empty(), Empty()), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty, __set_empty
+ensures (Subset(Empty(), Union(Union(Empty(), Empty()), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty, __set_empty
+ensures (Subset(Empty(), Union(Union(Empty(), Empty()), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty, __set_empty
+ensures (Subset(Empty(), Union(Union(Empty(), Empty()), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty, __set_empty
+ensures (Subset(Empty(), Union(Union(Empty(), Empty()), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure __PREfastPagedCode();
+
+//TAG: ensures __preserves_mem
+ensures(Mem == old(Mem));
+//TAG: ensures __preserves_resource("DEV_OBJ_INIT") && __preserves_resource("DEV_EXTN")
+ensures((Res_DEV_OBJ_INIT == old(Res_DEV_OBJ_INIT)) && (Res_DEV_EXTN == old(Res_DEV_EXTN)));
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || old(Res_DEVICE_STACK)[r] == Res_DEVICE_STACK[r]));
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || old(Res_DEV_EXTN)[r] == Res_DEV_EXTN[r]));
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || old(Res_DEV_OBJ_INIT)[r] == Res_DEV_OBJ_INIT[r]));
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || old(Res_SPIN_LOCK)[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == old(Mem)[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_a7aa989c] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m] == old(Mem)[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == old(Mem)[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == old(Mem)[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == old(Mem)[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == old(Mem)[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+ensures (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == old(Mem)[T.P_DEVICE_OBJECT][_m]));
+
+//TAG: havoc memory locations by default
+modifies Mem;
+
+
+procedure MouseClassUnload($DriverObject$1$2789.24$MouseClassUnload$41:int)
+
+//TAG: requires __pforall(_H_x, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension), __inv_resource("DEV_OBJ_INIT", 1), ((struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension))->Self == _H_x && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension)) == 1)
+requires((forall _H_x:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]} Inverse(Res_DEV_OBJ_INIT,1)[_H_x] ==> ((Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)])] == _H_x) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]] == 1))));
+//TAG: requires __pforall(_H_z, _H_z->Self, __inv_resource("DEV_EXTN", 1), __resource("DEV_OBJ_INIT", _H_z->Self) == 1 && (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(_H_z->Self))->DeviceExtension) == _H_z) && __forall(_H_z, __inv_resource("DEV_EXTN", 1), __resource("SPIN_LOCK", &_H_z->SpinLock) == 0 && __resource("SPIN_LOCK", &_H_z->WaitWakeSpinLock) == 0)
+requires(((forall _H_z:int :: {Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]} Inverse(Res_DEV_EXTN,1)[_H_z] ==> ((Res_DEV_OBJ_INIT[Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]] == 1) && (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)])] == _H_z)))) && ((Subset(Empty(), Inverse(Res_DEV_EXTN,1)) && (forall _H_z : int :: {Inverse(Res_DEV_EXTN,1)[_H_z]} (Inverse(Res_DEV_EXTN,1)[_H_z]) ==> ((Res_SPIN_LOCK[SpinLock__DEVICE_EXTENSION(_H_z)] == 0) && (Res_SPIN_LOCK[WaitWakeSpinLock__DEVICE_EXTENSION(_H_z)] == 0))))));
+//TAG: ensures __pforall(_H_x, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension), __inv_resource("DEV_OBJ_INIT", 1), ((struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension))->Self == _H_x && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension)) == 1)
+ensures((forall _H_x:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]} Inverse(Res_DEV_OBJ_INIT,1)[_H_x] ==> ((Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)])] == _H_x) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]] == 1))));
+//TAG: ensures __pforall(_H_z, _H_z->Self, __inv_resource("DEV_EXTN", 1), __resource("DEV_OBJ_INIT", _H_z->Self) == 1 && (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(_H_z->Self))->DeviceExtension) == _H_z) && __forall(_H_z, __inv_resource("DEV_EXTN", 1), __resource("SPIN_LOCK", &_H_z->SpinLock) == 0 && __resource("SPIN_LOCK", &_H_z->WaitWakeSpinLock) == 0)
+ensures(((forall _H_z:int :: {Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]} Inverse(Res_DEV_EXTN,1)[_H_z] ==> ((Res_DEV_OBJ_INIT[Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]] == 1) && (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)])] == _H_z)))) && ((Subset(Empty(), Inverse(Res_DEV_EXTN,1)) && (forall _H_z : int :: {Inverse(Res_DEV_EXTN,1)[_H_z]} (Inverse(Res_DEV_EXTN,1)[_H_z]) ==> ((Res_SPIN_LOCK[SpinLock__DEVICE_EXTENSION(_H_z)] == 0) && (Res_SPIN_LOCK[WaitWakeSpinLock__DEVICE_EXTENSION(_H_z)] == 0))))));
+//TAG: requires 1 ==> (Globals.GrandMaster != (void *)0 ==> __resource("DEV_EXTN", Globals.GrandMaster) == 1)
+requires((true) ==> ((Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] != 0) ==> (Res_DEV_EXTN[Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)]] == 1)));
+//TAG: requires 1 ==> __setin(&Globals.LegacyDeviceList, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList))
+requires((true) ==> (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[LegacyDeviceList__GLOBALS(Globals)]));
+//TAG: requires 1 ==> __forall(_H_y, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), _H_y == &Globals.LegacyDeviceList || __resource("DEV_EXTN", CONTAINING_RECORD(_H_y, struct _DEVICE_EXTENSION , Link)) == 1)
+requires((true) ==> ((Subset(Empty(), ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))) && (forall _H_y : int :: {ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]} (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]) ==> ((_H_y == LegacyDeviceList__GLOBALS(Globals)) || (Res_DEV_EXTN[MINUS_LEFT_PTR(_H_y, 1, Link__DEVICE_EXTENSION(0))] == 1))))));
+//TAG: requires 1 ==> !__setin(&Globals.GrandMaster->Link, __setminus(__btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), __set(&Globals.LegacyDeviceList)))
+requires((true) ==> (!(Difference(ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals)), Singleton(LegacyDeviceList__GLOBALS(Globals)))[Link__DEVICE_EXTENSION(Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)])])));
+modifies alloc;
+free ensures(forall f:int :: {alloc[Base(f)]} old(alloc)[Base(f)] == UNALLOCATED || old(alloc)[Base(f)] == alloc[Base(f)]);
+
+modifies Res_DEVICE_STACK;
+
+//TAG: net change in resource DEVICE_STACK only for:
+modifies Res_DEV_EXTN;
+
+//TAG: net change in resource DEV_EXTN only for:
+modifies Res_DEV_OBJ_INIT;
+
+//TAG: net change in resource DEV_OBJ_INIT only for:
+modifies Res_SPIN_LOCK;
+
+//TAG: net change in resource SPIN_LOCK only for:
+
+//TAG: havoc memory locations by default
+modifies Mem;
+{
+var havoc_stringTemp:int;
+var condVal:int;
+var $DriverObject$1$2789.24$MouseClassUnload$4 : int;
+var $IoAllocateIrp.arg.1$9$ : int;
+var $MouDebugPrint.arg.2$1$ : int;
+var $MouDebugPrint.arg.2$19$ : int;
+var $RtlAssert.arg.1$14$ : int;
+var $RtlAssert.arg.1$16$ : int;
+var $RtlAssert.arg.1$18$ : int;
+var $RtlAssert.arg.1$3$ : int;
+var $RtlAssert.arg.1$5$ : int;
+var $RtlAssert.arg.1$7$ : int;
+var $RtlAssert.arg.2$13$ : int;
+var $RtlAssert.arg.2$15$ : int;
+var $RtlAssert.arg.2$17$ : int;
+var $RtlAssert.arg.2$2$ : int;
+var $RtlAssert.arg.2$4$ : int;
+var $RtlAssert.arg.2$6$ : int;
+var $data$3$2812.22$MouseClassUnload$4 : int;
+var $enabled$6$2829.16$MouseClassUnload$4 : int;
+var $entry$2$2811.16$MouseClassUnload$4 : int;
+var $file$7$2830.21$MouseClassUnload$4 : int;
+var $i$8$2898.14$MouseClassUnload$4 : int;
+var $irp$5$2814.9$MouseClassUnload$4 : int;
+var $port$4$2813.10$MouseClassUnload$4 : int;
+var $result.IoAllocateIrp$2854.31$8$ : int;
+var $result.MouEnableDisablePort$2856.37$10$ : int;
+var $result.ObfDereferenceObject$2867.12$11$ : int;
+var $result.RemoveEntryList$2878.24$12$ : int;
+var tempBoogie0:int;
+var tempBoogie1:int;
+var tempBoogie2:int;
+var tempBoogie3:int;
+var tempBoogie4:int;
+var tempBoogie5:int;
+var tempBoogie6:int;
+var tempBoogie7:int;
+var tempBoogie8:int;
+var tempBoogie9:int;
+var tempBoogie10:int;
+var tempBoogie11:int;
+var tempBoogie12:int;
+var tempBoogie13:int;
+var tempBoogie14:int;
+var tempBoogie15:int;
+var tempBoogie16:int;
+var tempBoogie17:int;
+var tempBoogie18:int;
+var tempBoogie19:int;
+var LOOP_15_alloc:[int]name;
+var LOOP_15_Mem:[name][int]int;
+var LOOP_15_Res_DEVICE_STACK:[int]int;
+var LOOP_15_Res_DEV_EXTN:[int]int;
+var LOOP_15_Res_DEV_OBJ_INIT:[int]int;
+var LOOP_15_Res_SPIN_LOCK:[int]int;
+var LOOP_108_alloc:[int]name;
+var LOOP_108_Mem:[name][int]int;
+var LOOP_108_Res_DEVICE_STACK:[int]int;
+var LOOP_108_Res_DEV_EXTN:[int]int;
+var LOOP_108_Res_DEV_OBJ_INIT:[int]int;
+var LOOP_108_Res_SPIN_LOCK:[int]int;
+
+
+start:
+
+assume (alloc[$DriverObject$1$2789.24$MouseClassUnload$41] != UNALLOCATED);
+call $file$7$2830.21$MouseClassUnload$4 := __HAVOC_malloc(4);
+$DriverObject$1$2789.24$MouseClassUnload$4 := $DriverObject$1$2789.24$MouseClassUnload$41;
+goto label_3;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2911)
+label_1:
+call __HAVOC_free($file$7$2830.21$MouseClassUnload$4);
+assume (forall m:int:: {Res_DEVICE_STACK[m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Res_DEVICE_STACK[m] == old(Res_DEVICE_STACK)[m]);
+assume (forall m:int:: {Res_DEV_EXTN[m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Res_DEV_EXTN[m] == old(Res_DEV_EXTN)[m]);
+assume (forall m:int:: {Res_DEV_OBJ_INIT[m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Res_DEV_OBJ_INIT[m] == old(Res_DEV_OBJ_INIT)[m]);
+assume (forall m:int:: {Res_SPIN_LOCK[m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Res_SPIN_LOCK[m] == old(Res_SPIN_LOCK)[m]);
+assume (forall m:int :: {Mem[T.A11CHAR][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.A11CHAR][m] == old(Mem[T.A11CHAR])[m]);
+assume (forall m:int :: {Mem[T.A19CHAR][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.A19CHAR][m] == old(Mem[T.A19CHAR])[m]);
+assume (forall m:int :: {Mem[T.A33CHAR][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.A33CHAR][m] == old(Mem[T.A33CHAR])[m]);
+assume (forall m:int :: {Mem[T.A34CHAR][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.A34CHAR][m] == old(Mem[T.A34CHAR])[m]);
+assume (forall m:int :: {Mem[T.A39CHAR][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.A39CHAR][m] == old(Mem[T.A39CHAR])[m]);
+assume (forall m:int :: {Mem[T.A43CHAR][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.A43CHAR][m] == old(Mem[T.A43CHAR])[m]);
+assume (forall m:int :: {Mem[T.A74CHAR][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.A74CHAR][m] == old(Mem[T.A74CHAR])[m]);
+assume (forall m:int :: {Mem[T.AssocClassList__GLOBALS][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.AssocClassList__GLOBALS][m] == old(Mem[T.AssocClassList__GLOBALS])[m]);
+assume (forall m:int :: {Mem[T.Buffer__UNICODE_STRING][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Buffer__UNICODE_STRING][m] == old(Mem[T.Buffer__UNICODE_STRING])[m]);
+assume (forall m:int :: {Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][m] == old(Mem[T.CurrentStackLocation___unnamed_4_a7aa989c])[m]);
+assume (forall m:int :: {Mem[T.DataIn__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.DataIn__DEVICE_EXTENSION][m] == old(Mem[T.DataIn__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.DataOut__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.DataOut__DEVICE_EXTENSION][m] == old(Mem[T.DataOut__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.DeviceExtension__DEVICE_OBJECT][m] == old(Mem[T.DeviceExtension__DEVICE_OBJECT])[m]);
+assume (forall m:int :: {Mem[T.Enabled__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Enabled__DEVICE_EXTENSION][m] == old(Mem[T.Enabled__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.Enabled__PORT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Enabled__PORT][m] == old(Mem[T.Enabled__PORT])[m]);
+assume (forall m:int :: {Mem[T.File__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.File__DEVICE_EXTENSION][m] == old(Mem[T.File__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.File__PORT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.File__PORT][m] == old(Mem[T.File__PORT])[m]);
+assume (forall m:int :: {Mem[T.Flink__LIST_ENTRY][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Flink__LIST_ENTRY][m] == old(Mem[T.Flink__LIST_ENTRY])[m]);
+assume (forall m:int :: {Mem[T.Free__PORT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Free__PORT][m] == old(Mem[T.Free__PORT])[m]);
+assume (forall m:int :: {Mem[T.GrandMaster__GLOBALS][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.GrandMaster__GLOBALS][m] == old(Mem[T.GrandMaster__GLOBALS])[m]);
+assume (forall m:int :: {Mem[T.INT4][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.INT4][m] == old(Mem[T.INT4])[m]);
+assume (forall m:int :: {Mem[T.InputData__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.InputData__DEVICE_EXTENSION][m] == old(Mem[T.InputData__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.LegacyDeviceList__GLOBALS][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.LegacyDeviceList__GLOBALS][m] == old(Mem[T.LegacyDeviceList__GLOBALS])[m]);
+assume (forall m:int :: {Mem[T.Link__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Link__DEVICE_EXTENSION][m] == old(Mem[T.Link__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.MinorFunction__IO_STACK_LOCATION][m] == old(Mem[T.MinorFunction__IO_STACK_LOCATION])[m]);
+assume (forall m:int :: {Mem[T.NumAssocClass__GLOBALS][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.NumAssocClass__GLOBALS][m] == old(Mem[T.NumAssocClass__GLOBALS])[m]);
+assume (forall m:int :: {Mem[T.PCHAR][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.PCHAR][m] == old(Mem[T.PCHAR])[m]);
+assume (forall m:int :: {Mem[T.PP_FILE_OBJECT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.PP_FILE_OBJECT][m] == old(Mem[T.PP_FILE_OBJECT])[m]);
+assume (forall m:int :: {Mem[T.PUINT4][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.PUINT4][m] == old(Mem[T.PUINT4])[m]);
+assume (forall m:int :: {Mem[T.PVOID][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.PVOID][m] == old(Mem[T.PVOID])[m]);
+assume (forall m:int :: {Mem[T.P_DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.P_DEVICE_EXTENSION][m] == old(Mem[T.P_DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.P_DEVICE_OBJECT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.P_DEVICE_OBJECT][m] == old(Mem[T.P_DEVICE_OBJECT])[m]);
+assume (forall m:int :: {Mem[T.P_FILE_OBJECT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.P_FILE_OBJECT][m] == old(Mem[T.P_FILE_OBJECT])[m]);
+assume (forall m:int :: {Mem[T.P_IRP][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.P_IRP][m] == old(Mem[T.P_IRP])[m]);
+assume (forall m:int :: {Mem[T.P_LIST_ENTRY][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.P_LIST_ENTRY][m] == old(Mem[T.P_LIST_ENTRY])[m]);
+assume (forall m:int :: {Mem[T.P_MOUSE_INPUT_DATA][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.P_MOUSE_INPUT_DATA][m] == old(Mem[T.P_MOUSE_INPUT_DATA])[m]);
+assume (forall m:int :: {Mem[T.P_PORT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.P_PORT][m] == old(Mem[T.P_PORT])[m]);
+assume (forall m:int :: {Mem[T.PnP__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.PnP__DEVICE_EXTENSION][m] == old(Mem[T.PnP__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.Port__PORT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Port__PORT][m] == old(Mem[T.Port__PORT])[m]);
+assume (forall m:int :: {Mem[T.RegistryPath__GLOBALS][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.RegistryPath__GLOBALS][m] == old(Mem[T.RegistryPath__GLOBALS])[m]);
+assume (forall m:int :: {Mem[T.Self__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Self__DEVICE_EXTENSION][m] == old(Mem[T.Self__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.SpinLock__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.SpinLock__DEVICE_EXTENSION][m] == old(Mem[T.SpinLock__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.StackSize__DEVICE_OBJECT][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.StackSize__DEVICE_OBJECT][m] == old(Mem[T.StackSize__DEVICE_OBJECT])[m]);
+assume (forall m:int :: {Mem[T.Started__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.Started__DEVICE_EXTENSION][m] == old(Mem[T.Started__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.TopPort__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.TopPort__DEVICE_EXTENSION][m] == old(Mem[T.TopPort__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.UCHAR][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.UCHAR][m] == old(Mem[T.UCHAR])[m]);
+assume (forall m:int :: {Mem[T.UINT4][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.UINT4][m] == old(Mem[T.UINT4])[m]);
+assume (forall m:int :: {Mem[T.UnitId__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.UnitId__DEVICE_EXTENSION][m] == old(Mem[T.UnitId__DEVICE_EXTENSION])[m]);
+assume (forall m:int :: {Mem[T.WaitWakeSpinLock__DEVICE_EXTENSION][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[T.WaitWakeSpinLock__DEVICE_EXTENSION][m] == old(Mem[T.WaitWakeSpinLock__DEVICE_EXTENSION])[m]);
+return;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2911)
+label_2:
+assume false;
+return;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2811)
+label_3:
+goto label_4;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2812)
+label_4:
+goto label_5;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2813)
+label_5:
+goto label_6;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2814)
+label_6:
+goto label_7;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2818)
+label_7:
+call __PREfastPagedCode ();
+goto label_13;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2820)
+label_10:
+// skip MouDebugPrint
+goto label_14;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2820)
+label_13:
+call havoc_stringTemp := __HAVOC_malloc(1);
+$MouDebugPrint.arg.2$1$ := havoc_stringTemp ;
+goto label_10;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2825)
+label_14:
+$entry$2$2811.16$MouseClassUnload$4 := Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))] ;
+goto label_15;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2826)
+label_15:
+// loop entry initialization...
+LOOP_15_alloc := alloc;
+LOOP_15_Mem := Mem;
+LOOP_15_Res_DEVICE_STACK := Res_DEVICE_STACK;
+LOOP_15_Res_DEV_EXTN := Res_DEV_EXTN;
+LOOP_15_Res_DEV_OBJ_INIT := Res_DEV_OBJ_INIT;
+LOOP_15_Res_SPIN_LOCK := Res_SPIN_LOCK;
+goto label_15_head;
+
+
+label_15_head:
+// loop head assertions...
+//TAG: requires __pforall(_H_x, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension), __inv_resource("DEV_OBJ_INIT", 1), ((struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension))->Self == _H_x && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension)) == 1)
+assert((forall _H_x:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]} Inverse(Res_DEV_OBJ_INIT,1)[_H_x] ==> ((Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)])] == _H_x) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]] == 1))));
+//TAG: requires __pforall(_H_z, _H_z->Self, __inv_resource("DEV_EXTN", 1), __resource("DEV_OBJ_INIT", _H_z->Self) == 1 && (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(_H_z->Self))->DeviceExtension) == _H_z)
+assert((forall _H_z:int :: {Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]} Inverse(Res_DEV_EXTN,1)[_H_z] ==> ((Res_DEV_OBJ_INIT[Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]] == 1) && (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)])] == _H_z))));
+//TAG: requires __forall(_H_z, __inv_resource("DEV_EXTN", 1), __resource("SPIN_LOCK", &_H_z->SpinLock) == 0 && __resource("SPIN_LOCK", &_H_z->WaitWakeSpinLock) == 0)
+assert((Subset(Empty(), Inverse(Res_DEV_EXTN,1)) && (forall _H_z : int :: {Inverse(Res_DEV_EXTN,1)[_H_z]} (Inverse(Res_DEV_EXTN,1)[_H_z]) ==> ((Res_SPIN_LOCK[SpinLock__DEVICE_EXTENSION(_H_z)] == 0) && (Res_SPIN_LOCK[WaitWakeSpinLock__DEVICE_EXTENSION(_H_z)] == 0)))));
+//TAG: requires 1 ==> (Globals.GrandMaster != (void *)0 ==> __resource("DEV_EXTN", Globals.GrandMaster) == 1)
+assert((true) ==> ((Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] != 0) ==> (Res_DEV_EXTN[Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)]] == 1)));
+//TAG: requires 1 ==> __setin(&Globals.LegacyDeviceList, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList))
+assert((true) ==> (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[LegacyDeviceList__GLOBALS(Globals)]));
+//TAG: requires 1 ==> __forall(_H_y, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), _H_y == &Globals.LegacyDeviceList || __resource("DEV_EXTN", CONTAINING_RECORD(_H_y, struct _DEVICE_EXTENSION , Link)) == 1)
+assert((true) ==> ((Subset(Empty(), ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))) && (forall _H_y : int :: {ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]} (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]) ==> ((_H_y == LegacyDeviceList__GLOBALS(Globals)) || (Res_DEV_EXTN[MINUS_LEFT_PTR(_H_y, 1, Link__DEVICE_EXTENSION(0))] == 1))))));
+//TAG: requires 1 ==> !__setin(&Globals.GrandMaster->Link, __setminus(__btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), __set(&Globals.LegacyDeviceList)))
+assert((true) ==> (!(Difference(ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals)), Singleton(LegacyDeviceList__GLOBALS(Globals)))[Link__DEVICE_EXTENSION(Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)])])));
+//TAG: requires __setin(entry, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList))
+assert(ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[$entry$2$2811.16$MouseClassUnload$4]);
+assume(forall f:int :: {alloc[Base(f)]} LOOP_15_alloc[Base(f)] == UNALLOCATED || LOOP_15_alloc[Base(f)] == alloc[Base(f)]);
+
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || LOOP_15_Res_DEVICE_STACK[r] == Res_DEVICE_STACK[r]));
+
+//TAG: net change in resource DEV_EXTN only for: __set_true
+assert (Subset(Empty(), Union(Empty(), SetTrue())) && (forall r:int :: {Res_DEV_EXTN[r]} (SetTrue()[r]) || LOOP_15_Res_DEV_EXTN[r] == Res_DEV_EXTN[r]));
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_true
+assert (Subset(Empty(), Union(Empty(), SetTrue())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (SetTrue()[r]) || LOOP_15_Res_DEV_OBJ_INIT[r] == Res_DEV_OBJ_INIT[r]));
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || LOOP_15_Res_SPIN_LOCK[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == LOOP_15_Mem[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_a7aa989c] only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m] == LOOP_15_Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == LOOP_15_Mem[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == LOOP_15_Mem[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == LOOP_15_Mem[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == LOOP_15_Mem[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == LOOP_15_Mem[T.P_DEVICE_OBJECT][_m]));
+
+// end loop head assertions
+
+goto label_15_true , label_15_false ;
+
+
+label_15_true :
+assume ($entry$2$2811.16$MouseClassUnload$4 != LegacyDeviceList__GLOBALS(Globals));
+goto label_16;
+
+
+label_15_false :
+assume !($entry$2$2811.16$MouseClassUnload$4 != LegacyDeviceList__GLOBALS(Globals));
+goto label_85;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2829)
+label_16:
+goto label_17;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2829)
+label_17:
+$enabled$6$2829.16$MouseClassUnload$4 := 0 ;
+goto label_18;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2830)
+label_18:
+goto label_19;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2830)
+label_19:
+Mem[T.P_FILE_OBJECT] := Mem[T.P_FILE_OBJECT][$file$7$2830.21$MouseClassUnload$4 := 0];
+goto label_20;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2832)
+label_20:
+$data$3$2812.22$MouseClassUnload$4 := MINUS_LEFT_PTR($entry$2$2811.16$MouseClassUnload$4, 1, 252) ;
+goto label_21;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2833)
+label_21:
+goto label_21_true , label_21_false ;
+
+
+label_21_true :
+assume (Mem[T.PnP__DEVICE_EXTENSION][PnP__DEVICE_EXTENSION($data$3$2812.22$MouseClassUnload$4)] != 0);
+goto label_25;
+
+
+label_21_false :
+assume (Mem[T.PnP__DEVICE_EXTENSION][PnP__DEVICE_EXTENSION($data$3$2812.22$MouseClassUnload$4)] == 0);
+goto label_27;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2833)
+label_22:
+// skip RtlAssert
+goto label_27;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2833)
+label_25:
+call havoc_stringTemp := __HAVOC_malloc(1);
+$RtlAssert.arg.2$2$ := havoc_stringTemp ;
+goto label_26;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2833)
+label_26:
+call havoc_stringTemp := __HAVOC_malloc(1);
+$RtlAssert.arg.1$3$ := havoc_stringTemp ;
+goto label_22;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2835)
+label_27:
+goto label_27_true , label_27_false ;
+
+
+label_27_true :
+assume (Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] != 0);
+goto label_28;
+
+
+label_27_false :
+assume (Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] == 0);
+goto label_40;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2836)
+label_28:
+$port$4$2813.10$MouseClassUnload$4 := PLUS(Mem[T.AssocClassList__GLOBALS][AssocClassList__GLOBALS(Globals)], 12, Mem[T.UnitId__DEVICE_EXTENSION][UnitId__DEVICE_EXTENSION($data$3$2812.22$MouseClassUnload$4)]) ;
+goto label_29;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2837)
+label_29:
+goto label_29_true , label_29_false ;
+
+
+label_29_true :
+assume (Mem[T.Port__PORT][Port__PORT($port$4$2813.10$MouseClassUnload$4)] == $data$3$2812.22$MouseClassUnload$4);
+goto label_35;
+
+
+label_29_false :
+assume !(Mem[T.Port__PORT][Port__PORT($port$4$2813.10$MouseClassUnload$4)] == $data$3$2812.22$MouseClassUnload$4);
+goto label_33;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2837)
+label_30:
+// skip RtlAssert
+goto label_35;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2837)
+label_33:
+call havoc_stringTemp := __HAVOC_malloc(1);
+$RtlAssert.arg.2$4$ := havoc_stringTemp ;
+goto label_34;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2837)
+label_34:
+call havoc_stringTemp := __HAVOC_malloc(1);
+$RtlAssert.arg.1$5$ := havoc_stringTemp ;
+goto label_30;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2839)
+label_35:
+$enabled$6$2829.16$MouseClassUnload$4 := Mem[T.Enabled__PORT][Enabled__PORT($port$4$2813.10$MouseClassUnload$4)] ;
+goto label_36;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2840)
+label_36:
+Mem[T.P_FILE_OBJECT] := Mem[T.P_FILE_OBJECT][$file$7$2830.21$MouseClassUnload$4 := Mem[T.File__PORT][File__PORT($port$4$2813.10$MouseClassUnload$4)]];
+goto label_37;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2842)
+label_37:
+Mem[T.Enabled__PORT] := Mem[T.Enabled__PORT][Enabled__PORT($port$4$2813.10$MouseClassUnload$4) := 0];
+goto label_38;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2843)
+label_38:
+Mem[T.File__PORT] := Mem[T.File__PORT][File__PORT($port$4$2813.10$MouseClassUnload$4) := 0];
+goto label_39;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2844)
+label_39:
+Mem[T.Free__PORT] := Mem[T.Free__PORT][Free__PORT($port$4$2813.10$MouseClassUnload$4) := 1];
+goto label_49;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2847)
+label_40:
+$enabled$6$2829.16$MouseClassUnload$4 := Mem[T.Enabled__DEVICE_EXTENSION][Enabled__DEVICE_EXTENSION($data$3$2812.22$MouseClassUnload$4)] ;
+goto label_41;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2848)
+label_41:
+Mem[T.P_FILE_OBJECT] := Mem[T.P_FILE_OBJECT][$file$7$2830.21$MouseClassUnload$4 := Mem[T.File__DEVICE_EXTENSION][File__DEVICE_EXTENSION($data$3$2812.22$MouseClassUnload$4)]];
+goto label_42;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2849)
+label_42:
+goto label_42_true , label_42_false ;
+
+
+label_42_true :
+assume (Mem[T.File__DEVICE_EXTENSION][File__DEVICE_EXTENSION($data$3$2812.22$MouseClassUnload$4)] != 0);
+goto label_48;
+
+
+label_42_false :
+assume (Mem[T.File__DEVICE_EXTENSION][File__DEVICE_EXTENSION($data$3$2812.22$MouseClassUnload$4)] == 0);
+goto label_46;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2849)
+label_43:
+// skip RtlAssert
+goto label_48;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2849)
+label_46:
+call havoc_stringTemp := __HAVOC_malloc(1);
+$RtlAssert.arg.2$6$ := havoc_stringTemp ;
+goto label_47;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2849)
+label_47:
+call havoc_stringTemp := __HAVOC_malloc(1);
+$RtlAssert.arg.1$7$ := havoc_stringTemp ;
+goto label_43;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2850)
+label_48:
+Mem[T.Enabled__DEVICE_EXTENSION] := Mem[T.Enabled__DEVICE_EXTENSION][Enabled__DEVICE_EXTENSION($data$3$2812.22$MouseClassUnload$4) := 0];
+goto label_49;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2853)
+label_49:
+goto label_49_true , label_49_false ;
+
+
+label_49_true :
+assume ($enabled$6$2829.16$MouseClassUnload$4 != 0);
+goto label_53;
+
+
+label_49_false :
+assume ($enabled$6$2829.16$MouseClassUnload$4 == 0);
+goto label_62;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2854)
+label_50:
+call $result.IoAllocateIrp$2854.31$8$ := IoAllocateIrp ($IoAllocateIrp.arg.1$9$, 0);
+goto label_54;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2854)
+label_53:
+$IoAllocateIrp.arg.1$9$ := PLUS(Mem[T.StackSize__DEVICE_OBJECT][StackSize__DEVICE_OBJECT(Mem[T.TopPort__DEVICE_EXTENSION][TopPort__DEVICE_EXTENSION($data$3$2812.22$MouseClassUnload$4)])], 1, 1) ;
+goto label_50;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2854)
+label_54:
+$irp$5$2814.9$MouseClassUnload$4 := $result.IoAllocateIrp$2854.31$8$ ;
+goto label_55;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2855)
+label_55:
+goto label_55_true , label_55_false ;
+
+
+label_55_true :
+assume ($irp$5$2814.9$MouseClassUnload$4 != 0);
+goto label_56;
+
+
+label_55_false :
+assume ($irp$5$2814.9$MouseClassUnload$4 == 0);
+goto label_62;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2856)
+label_56:
+call $result.MouEnableDisablePort$2856.37$10$ := MouEnableDisablePort (0, $irp$5$2814.9$MouseClassUnload$4, $data$3$2812.22$MouseClassUnload$4, $file$7$2830.21$MouseClassUnload$4);
+goto label_59;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2857)
+label_59:
+call IoFreeIrp ($irp$5$2814.9$MouseClassUnload$4);
+goto label_62;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2866)
+label_62:
+goto label_62_true , label_62_false ;
+
+
+label_62_true :
+assume (Mem[T.P_FILE_OBJECT][$file$7$2830.21$MouseClassUnload$4] != 0);
+goto label_63;
+
+
+label_62_false :
+assume (Mem[T.P_FILE_OBJECT][$file$7$2830.21$MouseClassUnload$4] == 0);
+goto label_66;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2867)
+label_63:
+call $result.ObfDereferenceObject$2867.12$11$ := ObfDereferenceObject (Mem[T.P_FILE_OBJECT][$file$7$2830.21$MouseClassUnload$4]);
+goto label_66;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2874)
+label_66:
+goto label_66_true , label_66_false ;
+
+
+label_66_true :
+assume (Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] != 0);
+goto label_70;
+
+
+label_66_false :
+assume (Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] == 0);
+goto label_67;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2875)
+label_67:
+call MouseClassCleanupQueue (Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION($data$3$2812.22$MouseClassUnload$4)], $data$3$2812.22$MouseClassUnload$4, 0);
+goto label_70;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2878)
+label_70:
+call $result.RemoveEntryList$2878.24$12$ := RemoveEntryList (Link__DEVICE_EXTENSION($data$3$2812.22$MouseClassUnload$4));
+goto label_73;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2879)
+label_73:
+$entry$2$2811.16$MouseClassUnload$4 := Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY($entry$2$2811.16$MouseClassUnload$4)] ;
+goto label_74;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2881)
+label_74:
+goto label_74_true , label_74_false ;
+
+
+label_74_true :
+assume (Mem[T.InputData__DEVICE_EXTENSION][InputData__DEVICE_EXTENSION($data$3$2812.22$MouseClassUnload$4)] != 0);
+goto label_75;
+
+
+label_74_false :
+assume (Mem[T.InputData__DEVICE_EXTENSION][InputData__DEVICE_EXTENSION($data$3$2812.22$MouseClassUnload$4)] == 0);
+goto label_81;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2881)
+label_75:
+call ExFreePoolWithTag (Mem[T.InputData__DEVICE_EXTENSION][InputData__DEVICE_EXTENSION($data$3$2812.22$MouseClassUnload$4)], 0);
+goto label_78;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2881)
+label_78:
+Mem[T.DataOut__DEVICE_EXTENSION] := Mem[T.DataOut__DEVICE_EXTENSION][DataOut__DEVICE_EXTENSION($data$3$2812.22$MouseClassUnload$4) := 0];
+goto label_79;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2881)
+label_79:
+Mem[T.DataIn__DEVICE_EXTENSION] := Mem[T.DataIn__DEVICE_EXTENSION][DataIn__DEVICE_EXTENSION($data$3$2812.22$MouseClassUnload$4) := Mem[T.DataOut__DEVICE_EXTENSION][DataOut__DEVICE_EXTENSION($data$3$2812.22$MouseClassUnload$4)]];
+goto label_80;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2881)
+label_80:
+Mem[T.InputData__DEVICE_EXTENSION] := Mem[T.InputData__DEVICE_EXTENSION][InputData__DEVICE_EXTENSION($data$3$2812.22$MouseClassUnload$4) := Mem[T.DataIn__DEVICE_EXTENSION][DataIn__DEVICE_EXTENSION($data$3$2812.22$MouseClassUnload$4)]];
+goto label_81;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2881)
+label_81:
+call IoDeleteDevice (Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION($data$3$2812.22$MouseClassUnload$4)]);
+goto label_84;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2881)
+label_84:
+$data$3$2812.22$MouseClassUnload$4 := 0 ;
+goto label_15_head;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2887)
+label_85:
+goto label_85_true , label_85_false ;
+
+
+label_85_true :
+assume (Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] != 0);
+goto label_86;
+
+
+label_85_false :
+assume (Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] == 0);
+goto label_102;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2888)
+label_86:
+$data$3$2812.22$MouseClassUnload$4 := Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] ;
+goto label_87;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2889)
+label_87:
+Mem[T.GrandMaster__GLOBALS] := Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals) := 0];
+goto label_88;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2891)
+label_88:
+call MouseClassCleanupQueue (Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION($data$3$2812.22$MouseClassUnload$4)], $data$3$2812.22$MouseClassUnload$4, 0);
+goto label_91;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2892)
+label_91:
+goto label_91_true , label_91_false ;
+
+
+label_91_true :
+assume (Mem[T.InputData__DEVICE_EXTENSION][InputData__DEVICE_EXTENSION($data$3$2812.22$MouseClassUnload$4)] != 0);
+goto label_92;
+
+
+label_91_false :
+assume (Mem[T.InputData__DEVICE_EXTENSION][InputData__DEVICE_EXTENSION($data$3$2812.22$MouseClassUnload$4)] == 0);
+goto label_98;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2892)
+label_92:
+call ExFreePoolWithTag (Mem[T.InputData__DEVICE_EXTENSION][InputData__DEVICE_EXTENSION($data$3$2812.22$MouseClassUnload$4)], 0);
+goto label_95;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2892)
+label_95:
+Mem[T.DataOut__DEVICE_EXTENSION] := Mem[T.DataOut__DEVICE_EXTENSION][DataOut__DEVICE_EXTENSION($data$3$2812.22$MouseClassUnload$4) := 0];
+goto label_96;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2892)
+label_96:
+Mem[T.DataIn__DEVICE_EXTENSION] := Mem[T.DataIn__DEVICE_EXTENSION][DataIn__DEVICE_EXTENSION($data$3$2812.22$MouseClassUnload$4) := Mem[T.DataOut__DEVICE_EXTENSION][DataOut__DEVICE_EXTENSION($data$3$2812.22$MouseClassUnload$4)]];
+goto label_97;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2892)
+label_97:
+Mem[T.InputData__DEVICE_EXTENSION] := Mem[T.InputData__DEVICE_EXTENSION][InputData__DEVICE_EXTENSION($data$3$2812.22$MouseClassUnload$4) := Mem[T.DataIn__DEVICE_EXTENSION][DataIn__DEVICE_EXTENSION($data$3$2812.22$MouseClassUnload$4)]];
+goto label_98;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2892)
+label_98:
+call IoDeleteDevice (Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION($data$3$2812.22$MouseClassUnload$4)]);
+goto label_101;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2892)
+label_101:
+$data$3$2812.22$MouseClassUnload$4 := 0 ;
+goto label_102;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2895)
+label_102:
+call ExFreePoolWithTag (Mem[T.Buffer__UNICODE_STRING][Buffer__UNICODE_STRING(RegistryPath__GLOBALS(Globals))], 0);
+goto label_105;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2896)
+label_105:
+goto label_105_true , label_105_false ;
+
+
+label_105_true :
+assume (Mem[T.AssocClassList__GLOBALS][AssocClassList__GLOBALS(Globals)] != 0);
+goto label_106;
+
+
+label_105_false :
+assume (Mem[T.AssocClassList__GLOBALS][AssocClassList__GLOBALS(Globals)] == 0);
+goto label_134;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2898)
+label_106:
+goto label_107;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2900)
+label_107:
+$i$8$2898.14$MouseClassUnload$4 := 0 ;
+goto label_108;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2900)
+label_108:
+// loop entry initialization...
+LOOP_108_alloc := alloc;
+LOOP_108_Mem := Mem;
+LOOP_108_Res_DEVICE_STACK := Res_DEVICE_STACK;
+LOOP_108_Res_DEV_EXTN := Res_DEV_EXTN;
+LOOP_108_Res_DEV_OBJ_INIT := Res_DEV_OBJ_INIT;
+LOOP_108_Res_SPIN_LOCK := Res_SPIN_LOCK;
+goto label_108_head;
+
+
+label_108_head:
+// loop head assertions...
+//TAG: requires __pforall(_H_x, (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension), __inv_resource("DEV_OBJ_INIT", 1), ((struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension))->Self == _H_x && __resource("DEV_EXTN", (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)_H_x)->DeviceExtension)) == 1)
+assert((forall _H_x:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]} Inverse(Res_DEV_OBJ_INIT,1)[_H_x] ==> ((Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)])] == _H_x) && (Res_DEV_EXTN[Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(_H_x)]] == 1))));
+//TAG: requires __pforall(_H_z, _H_z->Self, __inv_resource("DEV_EXTN", 1), __resource("DEV_OBJ_INIT", _H_z->Self) == 1 && (struct _DEVICE_EXTENSION *)(((struct _DEVICE_OBJECT *)(_H_z->Self))->DeviceExtension) == _H_z)
+assert((forall _H_z:int :: {Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]} Inverse(Res_DEV_EXTN,1)[_H_z] ==> ((Res_DEV_OBJ_INIT[Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)]] == 1) && (Mem[T.DeviceExtension__DEVICE_OBJECT][DeviceExtension__DEVICE_OBJECT(Mem[T.Self__DEVICE_EXTENSION][Self__DEVICE_EXTENSION(_H_z)])] == _H_z))));
+//TAG: requires __forall(_H_z, __inv_resource("DEV_EXTN", 1), __resource("SPIN_LOCK", &_H_z->SpinLock) == 0 && __resource("SPIN_LOCK", &_H_z->WaitWakeSpinLock) == 0)
+assert((Subset(Empty(), Inverse(Res_DEV_EXTN,1)) && (forall _H_z : int :: {Inverse(Res_DEV_EXTN,1)[_H_z]} (Inverse(Res_DEV_EXTN,1)[_H_z]) ==> ((Res_SPIN_LOCK[SpinLock__DEVICE_EXTENSION(_H_z)] == 0) && (Res_SPIN_LOCK[WaitWakeSpinLock__DEVICE_EXTENSION(_H_z)] == 0)))));
+//TAG: requires 1 ==> (Globals.GrandMaster != (void *)0 ==> __resource("DEV_EXTN", Globals.GrandMaster) == 1)
+assert((true) ==> ((Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)] != 0) ==> (Res_DEV_EXTN[Mem[T.GrandMaster__GLOBALS][GrandMaster__GLOBALS(Globals)]] == 1)));
+//TAG: requires 1 ==> __setin(&Globals.LegacyDeviceList, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList))
+assert((true) ==> (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[LegacyDeviceList__GLOBALS(Globals)]));
+//TAG: requires 1 ==> __forall(_H_y, __btwn(__offset((*((struct _LIST_ENTRY *)0)).Flink), (&Globals.LegacyDeviceList)->Flink, &Globals.LegacyDeviceList), _H_y == &Globals.LegacyDeviceList || __resource("DEV_EXTN", CONTAINING_RECORD(_H_y, struct _DEVICE_EXTENSION , Link)) == 1)
+assert((true) ==> ((Subset(Empty(), ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))) && (forall _H_y : int :: {ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]} (ReachBetweenSet(Shift_Flink__LIST_ENTRY(Mem[T.Flink__LIST_ENTRY]), Mem[T.Flink__LIST_ENTRY][Flink__LIST_ENTRY(LegacyDeviceList__GLOBALS(Globals))], LegacyDeviceList__GLOBALS(Globals))[_H_y]) ==> ((_H_y == LegacyDeviceList__GLOBALS(Globals)) || (Res_DEV_EXTN[MINUS_LEFT_PTR(_H_y, 1, Link__DEVICE_EXTENSION(0))] == 1))))));
+//TAG: requires __preserves_resource("DEV_OBJ_INIT")
+assert(Res_DEV_OBJ_INIT == LOOP_108_Res_DEV_OBJ_INIT);
+//TAG: requires __preserves_resource("DEV_EXTN")
+assert(Res_DEV_EXTN == LOOP_108_Res_DEV_EXTN);
+//TAG: requires __preserves_field_map(__offset((*((struct _LIST_ENTRY *)0)).Flink))
+assert(Mem[T.Flink__LIST_ENTRY] == LOOP_108_Mem[T.Flink__LIST_ENTRY]);
+assume(forall f:int :: {alloc[Base(f)]} LOOP_108_alloc[Base(f)] == UNALLOCATED || LOOP_108_alloc[Base(f)] == alloc[Base(f)]);
+
+
+//TAG: net change in resource DEVICE_STACK only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEVICE_STACK[r]} (Empty()[r]) || LOOP_108_Res_DEVICE_STACK[r] == Res_DEVICE_STACK[r]));
+
+//TAG: net change in resource DEV_EXTN only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_EXTN[r]} (Empty()[r]) || LOOP_108_Res_DEV_EXTN[r] == Res_DEV_EXTN[r]));
+
+//TAG: net change in resource DEV_OBJ_INIT only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_DEV_OBJ_INIT[r]} (Empty()[r]) || LOOP_108_Res_DEV_OBJ_INIT[r] == Res_DEV_OBJ_INIT[r]));
+
+//TAG: net change in resource SPIN_LOCK only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall r:int :: {Res_SPIN_LOCK[r]} (Empty()[r]) || LOOP_108_Res_SPIN_LOCK[r] == Res_SPIN_LOCK[r]));
+//TAG: updated memory locations at Mem[T.MinorFunction__IO_STACK_LOCATION] only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.MinorFunction__IO_STACK_LOCATION][_m]} (Empty()[_m]) || Mem[T.MinorFunction__IO_STACK_LOCATION][_m] == LOOP_108_Mem[T.MinorFunction__IO_STACK_LOCATION][_m]));
+//TAG: updated memory locations at Mem[T.CurrentStackLocation___unnamed_4_a7aa989c] only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]} (Empty()[_m]) || Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m] == LOOP_108_Mem[T.CurrentStackLocation___unnamed_4_a7aa989c][_m]));
+//TAG: updated memory locations at Mem[T.DeviceExtension__DEVICE_OBJECT] only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.DeviceExtension__DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.DeviceExtension__DEVICE_OBJECT][_m] == LOOP_108_Mem[T.DeviceExtension__DEVICE_OBJECT][_m]));
+//TAG: updated memory locations at Mem[T.Self__DEVICE_EXTENSION] only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Self__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Self__DEVICE_EXTENSION][_m] == LOOP_108_Mem[T.Self__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.Started__DEVICE_EXTENSION] only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.Started__DEVICE_EXTENSION][_m]} (Empty()[_m]) || Mem[T.Started__DEVICE_EXTENSION][_m] == LOOP_108_Mem[T.Started__DEVICE_EXTENSION][_m]));
+//TAG: updated memory locations at Mem[T.GrandMaster__GLOBALS] only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.GrandMaster__GLOBALS][_m]} (Empty()[_m]) || Mem[T.GrandMaster__GLOBALS][_m] == LOOP_108_Mem[T.GrandMaster__GLOBALS][_m]));
+//TAG: updated memory locations at Mem[T.P_DEVICE_OBJECT] only for: __set_empty
+assert (Subset(Empty(), Union(Empty(), Empty())) && (forall _m:int :: {Mem[T.P_DEVICE_OBJECT][_m]} (Empty()[_m]) || Mem[T.P_DEVICE_OBJECT][_m] == LOOP_108_Mem[T.P_DEVICE_OBJECT][_m]));
+
+// end loop head assertions
+
+goto label_108_true , label_108_false ;
+
+
+label_108_true :
+assume ($i$8$2898.14$MouseClassUnload$4 < Mem[T.NumAssocClass__GLOBALS][NumAssocClass__GLOBALS(Globals)]);
+goto label_109;
+
+
+label_108_false :
+assume !($i$8$2898.14$MouseClassUnload$4 < Mem[T.NumAssocClass__GLOBALS][NumAssocClass__GLOBALS(Globals)]);
+goto label_128;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2901)
+label_109:
+goto label_109_true , label_109_false ;
+
+
+label_109_true :
+assume (Mem[T.Free__PORT][Free__PORT(PLUS(Mem[T.AssocClassList__GLOBALS][AssocClassList__GLOBALS(Globals)], 12, $i$8$2898.14$MouseClassUnload$4))] == 1);
+goto label_115;
+
+
+label_109_false :
+assume !(Mem[T.Free__PORT][Free__PORT(PLUS(Mem[T.AssocClassList__GLOBALS][AssocClassList__GLOBALS(Globals)], 12, $i$8$2898.14$MouseClassUnload$4))] == 1);
+goto label_113;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2901)
+label_110:
+// skip RtlAssert
+goto label_115;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2901)
+label_113:
+call havoc_stringTemp := __HAVOC_malloc(1);
+$RtlAssert.arg.2$13$ := havoc_stringTemp ;
+goto label_114;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2901)
+label_114:
+call havoc_stringTemp := __HAVOC_malloc(1);
+$RtlAssert.arg.1$14$ := havoc_stringTemp ;
+goto label_110;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2902)
+label_115:
+goto label_115_true , label_115_false ;
+
+
+label_115_true :
+assume (Mem[T.Enabled__PORT][Enabled__PORT(PLUS(Mem[T.AssocClassList__GLOBALS][AssocClassList__GLOBALS(Globals)], 12, $i$8$2898.14$MouseClassUnload$4))] != 0);
+goto label_119;
+
+
+label_115_false :
+assume (Mem[T.Enabled__PORT][Enabled__PORT(PLUS(Mem[T.AssocClassList__GLOBALS][AssocClassList__GLOBALS(Globals)], 12, $i$8$2898.14$MouseClassUnload$4))] == 0);
+goto label_121;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2902)
+label_116:
+// skip RtlAssert
+goto label_121;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2902)
+label_119:
+call havoc_stringTemp := __HAVOC_malloc(1);
+$RtlAssert.arg.2$15$ := havoc_stringTemp ;
+goto label_120;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2902)
+label_120:
+call havoc_stringTemp := __HAVOC_malloc(1);
+$RtlAssert.arg.1$16$ := havoc_stringTemp ;
+goto label_116;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2903)
+label_121:
+goto label_121_true , label_121_false ;
+
+
+label_121_true :
+assume (Mem[T.File__PORT][File__PORT(PLUS(Mem[T.AssocClassList__GLOBALS][AssocClassList__GLOBALS(Globals)], 12, $i$8$2898.14$MouseClassUnload$4))] != 0);
+goto label_125;
+
+
+label_121_false :
+assume (Mem[T.File__PORT][File__PORT(PLUS(Mem[T.AssocClassList__GLOBALS][AssocClassList__GLOBALS(Globals)], 12, $i$8$2898.14$MouseClassUnload$4))] == 0);
+goto label_127;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2903)
+label_122:
+// skip RtlAssert
+goto label_127;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2903)
+label_125:
+call havoc_stringTemp := __HAVOC_malloc(1);
+$RtlAssert.arg.2$17$ := havoc_stringTemp ;
+goto label_126;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2903)
+label_126:
+call havoc_stringTemp := __HAVOC_malloc(1);
+$RtlAssert.arg.1$18$ := havoc_stringTemp ;
+goto label_122;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2900)
+label_127:
+$i$8$2898.14$MouseClassUnload$4 := PLUS($i$8$2898.14$MouseClassUnload$4, 1, 1) ;
+goto label_108_head;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2907)
+label_128:
+call ExFreePoolWithTag (Mem[T.AssocClassList__GLOBALS][AssocClassList__GLOBALS(Globals)], 0);
+goto label_134;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2910)
+label_131:
+// skip MouDebugPrint
+goto label_1;
+
+
+// e:\esp1\esp\tests\hvdrivers\houdini\mouclass_fbl_fbs_dev2_ntfs\mouclass.c(2910)
+label_134:
+call havoc_stringTemp := __HAVOC_malloc(1);
+$MouDebugPrint.arg.2$19$ := havoc_stringTemp ;
+goto label_131;
+
+}
+
diff --git a/Test/havoc0/Output b/Test/havoc0/Output
new file mode 100644
index 00000000..80fd4aa3
--- /dev/null
+++ b/Test/havoc0/Output
@@ -0,0 +1,12 @@
+
+Boogie program verifier finished with 1 verified, 0 errors
+
+Boogie program verifier finished with 1 verified, 0 errors
+
+Boogie program verifier finished with 1 verified, 0 errors
+
+Boogie program verifier finished with 1 verified, 0 errors
+
+Boogie program verifier finished with 1 verified, 0 errors
+
+Boogie program verifier finished with 1 verified, 0 errors
diff --git a/Test/havoc0/runtest.bat b/Test/havoc0/runtest.bat
new file mode 100644
index 00000000..1be15364
--- /dev/null
+++ b/Test/havoc0/runtest.bat
@@ -0,0 +1,13 @@
+@echo off
+setlocal
+
+set BGEXE=..\..\Binaries\Boogie.exe
+rem set BGEXE=mono ..\..\Binaries\Boogie.exe
+
+%BGEXE% %* /monomorphize KbdCreateClassObject.bpl
+%BGEXE% %* /monomorphize KeyboardClassFindMorePorts.bpl
+%BGEXE% %* /monomorphize KeyboardClassUnload.bpl
+%BGEXE% %* /monomorphize MouCreateClassObject.bpl
+%BGEXE% %* /monomorphize MouseClassFindMorePorts.bpl
+%BGEXE% %* /monomorphize MouseClassUnload.bpl
+
diff --git a/Test/houdini/Answer b/Test/houdini/Answer
new file mode 100644
index 00000000..8c0f30ea
--- /dev/null
+++ b/Test/houdini/Answer
@@ -0,0 +1,78 @@
+
+-------------------- houd1.bpl --------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+
+-------------------- houd2.bpl --------------------
+----------------------------------------
+Functions: Errors
+ bar
+----------------------------------------
+houd2.bpl(12,1): Error BP5003: A postcondition might not hold at this return statement.
+houd2.bpl(9,1): Related location: This is the postcondition that might not hold.
+Execution trace:
+ houd2.bpl(11,3): anon0
+
+Boogie program verifier finished with 1 verified, 1 error
+
+-------------------- houd3.bpl --------------------
+
+Boogie program verifier finished with 2 verified, 0 errors
+
+-------------------- houd4.bpl --------------------
+
+Boogie program verifier finished with 2 verified, 0 errors
+
+-------------------- houd5.bpl --------------------
+
+Boogie program verifier finished with 2 verified, 0 errors
+
+-------------------- houd6.bpl --------------------
+
+Boogie program verifier finished with 3 verified, 0 errors
+
+-------------------- houd7.bpl --------------------
+
+Boogie program verifier finished with 2 verified, 0 errors
+
+-------------------- houd8.bpl --------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+
+-------------------- houd9.bpl --------------------
+----------------------------------------
+Functions: Errors
+ foo
+----------------------------------------
+houd9.bpl(19,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ houd9.bpl(18,9): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+
+-------------------- houd10.bpl --------------------
+----------------------------------------
+Functions: Errors
+ foo
+----------------------------------------
+houd10.bpl(15,3): Error BP5002: A precondition for this call might not hold.
+houd10.bpl(20,1): Related location: This is the precondition that might not hold.
+Execution trace:
+ houd10.bpl(14,9): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+
+-------------------- houd11.bpl --------------------
+----------------------------------------
+Functions: Errors
+ foo
+----------------------------------------
+houd11.bpl(8,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ houd11.bpl(7,9): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+
+-------------------- houd12.bpl --------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
diff --git a/Test/houdini/houd1.bpl b/Test/houdini/houd1.bpl
new file mode 100644
index 00000000..4acea845
--- /dev/null
+++ b/Test/houdini/houd1.bpl
@@ -0,0 +1,19 @@
+const {:existential true} b1:bool;
+
+var myVar: int;
+
+procedure foo (i:int)
+modifies myVar;
+// comment
+ensures b1 ==> myVar>0;
+ensures myVar!=-1;
+{
+ if (i>0) {
+ myVar := 5;
+ } else {
+ myVar := 0;
+ }
+}
+
+// expected output: Correct
+// expected end assigment: b1->False \ No newline at end of file
diff --git a/Test/houdini/houd10.bpl b/Test/houdini/houd10.bpl
new file mode 100644
index 00000000..1eea1691
--- /dev/null
+++ b/Test/houdini/houd10.bpl
@@ -0,0 +1,23 @@
+const {:existential true} b1:bool;
+const {:existential true} b2:bool;
+const {:existential true} b3:bool;
+
+var fooVar: int;
+var xVar: int;
+
+procedure foo()
+modifies fooVar;
+modifies xVar;
+ensures b1 ==> fooVar==0;
+ensures b3 ==> xVar<0;
+{
+ fooVar:=5;
+ call bar();
+}
+
+procedure bar();
+modifies xVar;
+requires fooVar!=5;
+
+// expected outcome: Errors
+// expected assigment: b1->True,b2->True,b3->True \ No newline at end of file
diff --git a/Test/houdini/houd11.bpl b/Test/houdini/houd11.bpl
new file mode 100644
index 00000000..df9f9e3f
--- /dev/null
+++ b/Test/houdini/houd11.bpl
@@ -0,0 +1,13 @@
+
+var fooVar: int;
+
+procedure foo()
+modifies fooVar;
+{
+ fooVar:=5;
+ assert(fooVar==4);
+ assert(fooVar==3);
+}
+
+// expected outcome: Errors
+// expected assigment: [] \ No newline at end of file
diff --git a/Test/houdini/houd12.bpl b/Test/houdini/houd12.bpl
new file mode 100644
index 00000000..f3152720
--- /dev/null
+++ b/Test/houdini/houd12.bpl
@@ -0,0 +1,58 @@
+// Example to test candidate annotations on loops
+
+const {:existential true} b1:bool;
+const {:existential true} b2:bool;
+const {:existential true} b3:bool;
+const {:existential true} b4:bool;
+const {:existential true} b5:bool;
+const {:existential true} b6:bool;
+const {:existential true} b7:bool;
+
+var x: int;
+var y: int;
+
+
+procedure foo()
+modifies x;
+modifies y;
+ensures (b4 ==> x == 0);
+ensures (b5 ==> y == 10);
+ensures (b6 ==> x == 10);
+ensures (b7 ==> y == 11);
+
+{
+ x := 10;
+ y := 0;
+
+ goto Head;
+
+Head:
+
+ //loop invariants
+ assert (b1 ==> x < 0);
+ assert (b2 ==> x >= 0);
+ assert (b3 ==> x + y == 10);
+ goto Body, Exit;
+
+Body:
+ assume x > 0;
+ x := x - 1;
+ y := y + 1;
+
+
+ goto Head;
+
+Exit:
+ assume !(x > 0);
+ return;
+}
+
+// expected outcome: Correct
+// expected assigment: b1->False,b2->True,b3->True,b4->True, b5->True, b6->False,b7->False
+
+
+
+
+
+
+
diff --git a/Test/houdini/houd2.bpl b/Test/houdini/houd2.bpl
new file mode 100644
index 00000000..375f662e
--- /dev/null
+++ b/Test/houdini/houd2.bpl
@@ -0,0 +1,27 @@
+const {:existential true} b1:bool;
+const {:existential true} b2:bool;
+
+
+var myVar: int;
+
+procedure bar(i:int)
+modifies myVar;
+ensures myVar>0;
+{
+ call foo(5);
+}
+
+procedure foo (i:int)
+modifies myVar;
+ensures b1 ==> myVar>0;
+ensures myVar!=-1;
+{
+ if (i>0) {
+ myVar := 5;
+ } else {
+ myVar := 0;
+ }
+}
+
+// expected output: Errors
+// expected end assigment: b1->False b2->True
diff --git a/Test/houdini/houd3.bpl b/Test/houdini/houd3.bpl
new file mode 100644
index 00000000..4cff2cad
--- /dev/null
+++ b/Test/houdini/houd3.bpl
@@ -0,0 +1,27 @@
+const {:existential true} b1:bool;
+const {:existential true} b2:bool;
+
+
+var myVar: int;
+
+procedure bar(i:int)
+modifies myVar;
+ensures b2==>myVar>0;
+{
+ call foo(5);
+}
+
+procedure foo (i:int)
+modifies myVar;
+ensures b1 ==> myVar>0;
+ensures myVar!=-1;
+{
+ if (i>0) {
+ myVar := 5;
+ } else {
+ myVar := 0;
+ }
+}
+
+// expected output: Correct
+// expected end assigment: b1->False b2->False \ No newline at end of file
diff --git a/Test/houdini/houd4.bpl b/Test/houdini/houd4.bpl
new file mode 100644
index 00000000..9895d633
--- /dev/null
+++ b/Test/houdini/houd4.bpl
@@ -0,0 +1,27 @@
+const {:existential true} b1:bool;
+const {:existential true} b2:bool;
+const {:existential true} b3:bool;
+const {:existential true} b4:bool;
+
+var array:[int]int;
+
+procedure foo (i:int)
+requires b2 ==> i > 0;
+ensures b3 ==> array[i] > 0;
+modifies array;
+ensures (forall x:int :: {array[x]} x == i || array[x] == old(array)[x]);
+{
+ array[i] := 2 * i;
+}
+
+procedure bar (j:int) returns (result:int)
+requires b4 ==> j > 0;
+modifies array;
+ensures (forall x:int :: {array[x]} (b1 && x == j) || array[x] == old(array)[x]);
+{
+ call foo(j);
+ result := array[j];
+}
+
+// expected outcome: Correct
+// expected assignment: b1->True,b2->True,b3->True,b4->True \ No newline at end of file
diff --git a/Test/houdini/houd5.bpl b/Test/houdini/houd5.bpl
new file mode 100644
index 00000000..9cd9363f
--- /dev/null
+++ b/Test/houdini/houd5.bpl
@@ -0,0 +1,29 @@
+const {:existential true} b1:bool;
+const {:existential true} b2:bool;
+const {:existential true} b3:bool;
+const {:existential true} b4:bool;
+const {:existential true} b5:bool;
+
+var array:[int]int;
+
+procedure foo (i:int)
+requires b1 ==> i == 0;
+requires b2 ==> i > 0;
+requires b3 ==> i < 0;
+ensures b4 ==> array[i] > 0;
+modifies array;
+ensures (forall x:int :: {array[x]} x == i || array[x] == old(array)[x]);
+{
+ array[i] := 2 * i;
+}
+
+procedure bar (j:int) returns (result:int)
+requires b5 ==> j > 0;
+modifies array;
+{
+ call foo(j);
+ result := array[j];
+}
+
+// expected outcome: Correct
+// expected assigment: b1->False,b2->true,b3->False,b4->True,b5->True \ No newline at end of file
diff --git a/Test/houdini/houd6.bpl b/Test/houdini/houd6.bpl
new file mode 100644
index 00000000..09f2dd0e
--- /dev/null
+++ b/Test/houdini/houd6.bpl
@@ -0,0 +1,44 @@
+const {:existential true} b1:bool;
+const {:existential true} b2:bool;
+const {:existential true} b3:bool;
+const {:existential true} b4:bool;
+const {:existential true} b5:bool;
+const {:existential true} b6:bool;
+const {:existential true} b7:bool;
+const {:existential true} b8:bool;
+
+var array:[int]int;
+
+procedure foo (i:int)
+requires b6 ==> i < 0;
+requires b5 ==> i == 0;
+requires b2 ==> i > 0;
+ensures b3 ==> array[i] > 0;
+modifies array;
+ensures (forall x:int :: {array[x]} x == i || array[x] == old(array)[x]);
+{
+ array[i] := 2 * i;
+}
+
+procedure bar (j:int) returns (result:int)
+requires b8 ==> j < 0;
+requires b7 ==> j == 0;
+requires b4 ==> j > 0;
+modifies array;
+ensures (forall x:int :: {array[x]} (x == j) || array[x] == old(array)[x]);
+ensures (b1 ==> array[j] == old(array)[j]);
+{
+ call foo(j);
+ result := array[j];
+}
+
+var p:int;
+
+procedure main() returns (result: int)
+modifies array;
+{
+ call result:= bar(p);
+}
+
+// expected outcome: Correct
+// expected assigment: bi->True forall i \ No newline at end of file
diff --git a/Test/houdini/houd7.bpl b/Test/houdini/houd7.bpl
new file mode 100644
index 00000000..aaa1971d
--- /dev/null
+++ b/Test/houdini/houd7.bpl
@@ -0,0 +1,35 @@
+const {:existential true} b1:bool;
+const {:existential true} b2:bool;
+const {:existential true} b3:bool;
+
+var myVar: int;
+
+procedure foo(i:int)
+requires b1 ==> i>0;
+requires b2 ==> i==0;
+requires b3 ==> i<0;
+modifies myVar;
+ensures myVar>0;
+{
+ myVar:=5;
+}
+
+procedure bar(i:int)
+modifies myVar;
+{
+ call foo(5);
+}
+// expected outcome: Correct
+// expected Assigment: b1->True,b2->False,b3->False
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/Test/houdini/houd8.bpl b/Test/houdini/houd8.bpl
new file mode 100644
index 00000000..b57ef305
--- /dev/null
+++ b/Test/houdini/houd8.bpl
@@ -0,0 +1,30 @@
+const {:existential true} b1:bool;
+const {:existential true} b2:bool;
+const {:existential true} b3:bool;
+
+var myVar: int;
+
+procedure foo(i:int)
+modifies myVar;
+ensures b1 ==> myVar>0;
+ensures b2 ==> myVar==0;
+ensures b3 ==> myVar<0;
+{
+ myVar:=5;
+}
+
+// expected outcome: Correct
+// expected assigment: b1->True,b2->False,b3->False
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/Test/houdini/houd9.bpl b/Test/houdini/houd9.bpl
new file mode 100644
index 00000000..a43a2bbb
--- /dev/null
+++ b/Test/houdini/houd9.bpl
@@ -0,0 +1,32 @@
+const {:existential true} b1:bool;
+const {:existential true} b2:bool;
+const {:existential true} b3:bool;
+
+axiom(b1 && b2 && b3);
+
+var fooVar: int;
+var xVar: int;
+
+
+procedure foo()
+modifies fooVar;
+modifies xVar;
+ensures b1 ==> fooVar>0;
+ensures b2 ==> fooVar==0;
+ensures b3 ==> xVar<0;
+{
+ fooVar:=5;
+ assert(fooVar>5);
+ xVar:=0;
+ assert(xVar>0);
+}
+
+// expected outcome: Errors
+// expected assigment: b1->True,b2->True,b3->True
+
+
+
+
+
+
+
diff --git a/Test/houdini/runtest.bat b/Test/houdini/runtest.bat
new file mode 100644
index 00000000..ae82455a
--- /dev/null
+++ b/Test/houdini/runtest.bat
@@ -0,0 +1,11 @@
+@echo off
+setlocal
+
+set BGEXE=..\..\Binaries\Boogie.exe
+
+for %%f in (houd1.bpl houd2.bpl houd3.bpl houd4.bpl houd5.bpl houd6.bpl houd7.bpl houd8.bpl houd9.bpl houd10.bpl houd11.bpl houd12.bpl) do (
+ echo.
+ echo -------------------- %%f --------------------
+ %BGEXE% %* /nologo /prover:z3 /Houdini:ci %%f
+rem %BGEXE% %* /nologo /prover:z3api /Houdini:ci %%f
+)
diff --git a/Test/inline/Answer b/Test/inline/Answer
new file mode 100644
index 00000000..39d5a5b4
--- /dev/null
+++ b/Test/inline/Answer
@@ -0,0 +1,983 @@
+-------------------- test1.bpl --------------------
+
+procedure Main();
+
+
+
+implementation Main()
+{
+ var x: int;
+ var y: int;
+
+ anon0:
+ x := 1;
+ y := 0;
+ call x := inc(x, 5);
+ call y := incdec(x, 2);
+ assert x - 1 == y;
+ return;
+}
+
+
+
+procedure {:inline 1} incdec(x: int, y: int) returns (z: int);
+ ensures z == x + 1 - y;
+
+
+
+implementation incdec(x: int, y: int) returns (z: int)
+{
+
+ anon0:
+ z := x;
+ z := x + 1;
+ call z := dec(z, y);
+ return;
+}
+
+
+
+procedure {:inline 1} inc(x: int, i: int) returns (y: int);
+ ensures y == x + i;
+
+
+
+implementation inc(x: int, i: int) returns (y: int)
+{
+
+ anon0:
+ y := x;
+ y := x + i;
+ return;
+}
+
+
+
+procedure {:inline 1} dec(x: int, i: int) returns (y: int);
+ ensures y == x - i;
+
+
+
+implementation dec(x: int, i: int) returns (y: int)
+{
+
+ anon0:
+ y := x;
+ y := x - i;
+ return;
+}
+
+
+after inlining procedure calls
+procedure Main();
+
+
+implementation Main()
+{
+ var x: int;
+ var y: int;
+ var inline$inc$0$x: int;
+ var inline$inc$0$i: int;
+ var inline$inc$0$y: int;
+ var inline$incdec$0$x: int;
+ var inline$incdec$0$y: int;
+ var inline$incdec$0$z: int;
+ var inline$dec$0$x: int;
+ var inline$dec$0$i: int;
+ var inline$dec$0$y: int;
+
+ anon0:
+ x := 1;
+ y := 0;
+ goto inline$inc$0$Entry;
+
+ inline$inc$0$Entry:
+ inline$inc$0$x := x;
+ inline$inc$0$i := 5;
+ goto inline$inc$0$anon0;
+
+ inline$inc$0$anon0:
+ inline$inc$0$y := inline$inc$0$x;
+ inline$inc$0$y := inline$inc$0$x + inline$inc$0$i;
+ goto inline$inc$0$Return;
+
+ inline$inc$0$Return:
+ assert inline$inc$0$y == inline$inc$0$x + inline$inc$0$i;
+ x := inline$inc$0$y;
+ goto anon0$1;
+
+ anon0$1:
+ goto inline$incdec$0$Entry;
+
+ inline$incdec$0$Entry:
+ inline$incdec$0$x := x;
+ inline$incdec$0$y := 2;
+ goto inline$incdec$0$anon0;
+
+ inline$incdec$0$anon0:
+ inline$incdec$0$z := inline$incdec$0$x;
+ inline$incdec$0$z := inline$incdec$0$x + 1;
+ goto inline$dec$0$Entry;
+
+ inline$dec$0$Entry:
+ inline$dec$0$x := inline$incdec$0$z;
+ inline$dec$0$i := inline$incdec$0$y;
+ goto inline$dec$0$anon0;
+
+ inline$dec$0$anon0:
+ inline$dec$0$y := inline$dec$0$x;
+ inline$dec$0$y := inline$dec$0$x - inline$dec$0$i;
+ goto inline$dec$0$Return;
+
+ inline$dec$0$Return:
+ assert inline$dec$0$y == inline$dec$0$x - inline$dec$0$i;
+ inline$incdec$0$z := inline$dec$0$y;
+ goto inline$incdec$0$anon0$1;
+
+ inline$incdec$0$anon0$1:
+ goto inline$incdec$0$Return;
+
+ inline$incdec$0$Return:
+ assert inline$incdec$0$z == inline$incdec$0$x + 1 - inline$incdec$0$y;
+ y := inline$incdec$0$z;
+ goto anon0$2;
+
+ anon0$2:
+ assert x - 1 == y;
+ return;
+}
+
+
+after inlining procedure calls
+procedure {:inline 1} incdec(x: int, y: int) returns (z: int);
+ ensures z == x + 1 - y;
+
+
+implementation incdec(x: int, y: int) returns (z: int)
+{
+ var inline$dec$0$x: int;
+ var inline$dec$0$i: int;
+ var inline$dec$0$y: int;
+
+ anon0:
+ z := x;
+ z := x + 1;
+ goto inline$dec$0$Entry;
+
+ inline$dec$0$Entry:
+ inline$dec$0$x := z;
+ inline$dec$0$i := y;
+ goto inline$dec$0$anon0;
+
+ inline$dec$0$anon0:
+ inline$dec$0$y := inline$dec$0$x;
+ inline$dec$0$y := inline$dec$0$x - inline$dec$0$i;
+ goto inline$dec$0$Return;
+
+ inline$dec$0$Return:
+ assert inline$dec$0$y == inline$dec$0$x - inline$dec$0$i;
+ z := inline$dec$0$y;
+ goto anon0$1;
+
+ anon0$1:
+ return;
+}
+
+
+
+Boogie program verifier finished with 4 verified, 0 errors
+-------------------- test2.bpl --------------------
+
+var glb: int;
+
+procedure calculate();
+ modifies glb;
+
+
+
+implementation calculate()
+{
+ var x: int;
+ var y: int;
+
+ anon0:
+ y := 5;
+ call x := increase(y);
+ return;
+}
+
+
+
+procedure {:inline 1} increase(i: int) returns (k: int);
+ modifies glb;
+
+
+
+implementation increase(i: int) returns (k: int)
+{
+ var j: int;
+
+ anon0:
+ j := i;
+ j := j + 1;
+ glb := glb + j;
+ k := j;
+ return;
+}
+
+
+after inlining procedure calls
+procedure calculate();
+ modifies glb;
+
+
+implementation calculate()
+{
+ var x: int;
+ var y: int;
+ var inline$increase$0$j: int;
+ var inline$increase$0$i: int;
+ var inline$increase$0$k: int;
+ var inline$increase$0$glb: int;
+
+ anon0:
+ y := 5;
+ goto inline$increase$0$Entry;
+
+ inline$increase$0$Entry:
+ inline$increase$0$i := y;
+ inline$increase$0$glb := glb;
+ goto inline$increase$0$anon0;
+
+ inline$increase$0$anon0:
+ inline$increase$0$j := inline$increase$0$i;
+ inline$increase$0$j := inline$increase$0$j + 1;
+ glb := glb + inline$increase$0$j;
+ inline$increase$0$k := inline$increase$0$j;
+ goto inline$increase$0$Return;
+
+ inline$increase$0$Return:
+ x := inline$increase$0$k;
+ goto anon0$1;
+
+ anon0$1:
+ return;
+}
+
+
+
+Boogie program verifier finished with 2 verified, 0 errors
+-------------------- test3.bpl --------------------
+
+var glb: int;
+
+procedure recursivetest();
+ modifies glb;
+
+
+
+implementation recursivetest()
+{
+
+ anon0:
+ glb := 5;
+ call glb := recursive(glb);
+ return;
+}
+
+
+
+procedure {:inline 3} recursive(x: int) returns (y: int);
+
+
+
+implementation recursive(x: int) returns (y: int)
+{
+ var k: int;
+
+ anon0:
+ goto anon3_Then, anon3_Else;
+
+ anon3_Then:
+ assume x == 0;
+ y := 1;
+ return;
+
+ anon3_Else:
+ assume x != 0;
+ goto anon2;
+
+ anon2:
+ call k := recursive(x - 1);
+ y := y + k;
+ return;
+}
+
+
+after inlining procedure calls
+procedure recursivetest();
+ modifies glb;
+
+
+implementation recursivetest()
+{
+ var inline$recursive$0$k: int;
+ var inline$recursive$0$x: int;
+ var inline$recursive$0$y: int;
+ var inline$recursive$1$k: int;
+ var inline$recursive$1$x: int;
+ var inline$recursive$1$y: int;
+ var inline$recursive$2$k: int;
+ var inline$recursive$2$x: int;
+ var inline$recursive$2$y: int;
+
+ anon0:
+ glb := 5;
+ goto inline$recursive$0$Entry;
+
+ inline$recursive$0$Entry:
+ inline$recursive$0$x := glb;
+ goto inline$recursive$0$anon0;
+
+ inline$recursive$0$anon0:
+ goto inline$recursive$0$anon3_Then, inline$recursive$0$anon3_Else;
+
+ inline$recursive$0$anon3_Then:
+ assume inline$recursive$0$x == 0;
+ inline$recursive$0$y := 1;
+ goto inline$recursive$0$Return;
+
+ inline$recursive$0$anon3_Else:
+ assume inline$recursive$0$x != 0;
+ goto inline$recursive$0$anon2;
+
+ inline$recursive$0$anon2:
+ goto inline$recursive$1$Entry;
+
+ inline$recursive$1$Entry:
+ inline$recursive$1$x := inline$recursive$0$x - 1;
+ goto inline$recursive$1$anon0;
+
+ inline$recursive$1$anon0:
+ goto inline$recursive$1$anon3_Then, inline$recursive$1$anon3_Else;
+
+ inline$recursive$1$anon3_Then:
+ assume inline$recursive$1$x == 0;
+ inline$recursive$1$y := 1;
+ goto inline$recursive$1$Return;
+
+ inline$recursive$1$anon3_Else:
+ assume inline$recursive$1$x != 0;
+ goto inline$recursive$1$anon2;
+
+ inline$recursive$1$anon2:
+ goto inline$recursive$2$Entry;
+
+ inline$recursive$2$Entry:
+ inline$recursive$2$x := inline$recursive$1$x - 1;
+ goto inline$recursive$2$anon0;
+
+ inline$recursive$2$anon0:
+ goto inline$recursive$2$anon3_Then, inline$recursive$2$anon3_Else;
+
+ inline$recursive$2$anon3_Then:
+ assume inline$recursive$2$x == 0;
+ inline$recursive$2$y := 1;
+ goto inline$recursive$2$Return;
+
+ inline$recursive$2$anon3_Else:
+ assume inline$recursive$2$x != 0;
+ goto inline$recursive$2$anon2;
+
+ inline$recursive$2$anon2:
+ call inline$recursive$2$k := recursive(inline$recursive$2$x - 1);
+ inline$recursive$2$y := inline$recursive$2$y + inline$recursive$2$k;
+ goto inline$recursive$2$Return;
+
+ inline$recursive$2$Return:
+ inline$recursive$1$k := inline$recursive$2$y;
+ goto inline$recursive$1$anon2$1;
+
+ inline$recursive$1$anon2$1:
+ inline$recursive$1$y := inline$recursive$1$y + inline$recursive$1$k;
+ goto inline$recursive$1$Return;
+
+ inline$recursive$1$Return:
+ inline$recursive$0$k := inline$recursive$1$y;
+ goto inline$recursive$0$anon2$1;
+
+ inline$recursive$0$anon2$1:
+ inline$recursive$0$y := inline$recursive$0$y + inline$recursive$0$k;
+ goto inline$recursive$0$Return;
+
+ inline$recursive$0$Return:
+ glb := inline$recursive$0$y;
+ goto anon0$1;
+
+ anon0$1:
+ return;
+}
+
+
+after inlining procedure calls
+procedure {:inline 3} recursive(x: int) returns (y: int);
+
+
+implementation recursive(x: int) returns (y: int)
+{
+ var k: int;
+ var inline$recursive$0$k: int;
+ var inline$recursive$0$x: int;
+ var inline$recursive$0$y: int;
+ var inline$recursive$1$k: int;
+ var inline$recursive$1$x: int;
+ var inline$recursive$1$y: int;
+ var inline$recursive$2$k: int;
+ var inline$recursive$2$x: int;
+ var inline$recursive$2$y: int;
+
+ anon0:
+ goto anon3_Then, anon3_Else;
+
+ anon3_Then:
+ assume x == 0;
+ y := 1;
+ return;
+
+ anon3_Else:
+ assume x != 0;
+ goto anon2;
+
+ anon2:
+ goto inline$recursive$0$Entry;
+
+ inline$recursive$0$Entry:
+ inline$recursive$0$x := x - 1;
+ goto inline$recursive$0$anon0;
+
+ inline$recursive$0$anon0:
+ goto inline$recursive$0$anon3_Then, inline$recursive$0$anon3_Else;
+
+ inline$recursive$0$anon3_Then:
+ assume inline$recursive$0$x == 0;
+ inline$recursive$0$y := 1;
+ goto inline$recursive$0$Return;
+
+ inline$recursive$0$anon3_Else:
+ assume inline$recursive$0$x != 0;
+ goto inline$recursive$0$anon2;
+
+ inline$recursive$0$anon2:
+ goto inline$recursive$1$Entry;
+
+ inline$recursive$1$Entry:
+ inline$recursive$1$x := inline$recursive$0$x - 1;
+ goto inline$recursive$1$anon0;
+
+ inline$recursive$1$anon0:
+ goto inline$recursive$1$anon3_Then, inline$recursive$1$anon3_Else;
+
+ inline$recursive$1$anon3_Then:
+ assume inline$recursive$1$x == 0;
+ inline$recursive$1$y := 1;
+ goto inline$recursive$1$Return;
+
+ inline$recursive$1$anon3_Else:
+ assume inline$recursive$1$x != 0;
+ goto inline$recursive$1$anon2;
+
+ inline$recursive$1$anon2:
+ goto inline$recursive$2$Entry;
+
+ inline$recursive$2$Entry:
+ inline$recursive$2$x := inline$recursive$1$x - 1;
+ goto inline$recursive$2$anon0;
+
+ inline$recursive$2$anon0:
+ goto inline$recursive$2$anon3_Then, inline$recursive$2$anon3_Else;
+
+ inline$recursive$2$anon3_Then:
+ assume inline$recursive$2$x == 0;
+ inline$recursive$2$y := 1;
+ goto inline$recursive$2$Return;
+
+ inline$recursive$2$anon3_Else:
+ assume inline$recursive$2$x != 0;
+ goto inline$recursive$2$anon2;
+
+ inline$recursive$2$anon2:
+ call inline$recursive$2$k := recursive(inline$recursive$2$x - 1);
+ inline$recursive$2$y := inline$recursive$2$y + inline$recursive$2$k;
+ goto inline$recursive$2$Return;
+
+ inline$recursive$2$Return:
+ inline$recursive$1$k := inline$recursive$2$y;
+ goto inline$recursive$1$anon2$1;
+
+ inline$recursive$1$anon2$1:
+ inline$recursive$1$y := inline$recursive$1$y + inline$recursive$1$k;
+ goto inline$recursive$1$Return;
+
+ inline$recursive$1$Return:
+ inline$recursive$0$k := inline$recursive$1$y;
+ goto inline$recursive$0$anon2$1;
+
+ inline$recursive$0$anon2$1:
+ inline$recursive$0$y := inline$recursive$0$y + inline$recursive$0$k;
+ goto inline$recursive$0$Return;
+
+ inline$recursive$0$Return:
+ k := inline$recursive$0$y;
+ goto anon2$1;
+
+ anon2$1:
+ y := y + k;
+ return;
+}
+
+
+
+Boogie program verifier finished with 2 verified, 0 errors
+-------------------- test4.bpl --------------------
+
+procedure main(x: int);
+
+
+
+implementation main(x: int)
+{
+ var A: [int]int;
+ var i: int;
+ var b: bool;
+ var size: int;
+
+ anon0:
+ call i, b := find(A, size, x);
+ goto anon3_Then, anon3_Else;
+
+ anon3_Then:
+ assume b;
+ assert i > 0 && A[i] == x;
+ goto anon2;
+
+ anon3_Else:
+ assume !b;
+ goto anon2;
+
+ anon2:
+ return;
+}
+
+
+
+procedure {:inline 1} find(A: [int]int, size: int, x: int) returns (ret: int, found: bool);
+
+
+
+implementation find(A: [int]int, size: int, x: int) returns (ret: int, found: bool)
+{
+ var i: int;
+ var b: bool;
+
+ anon0:
+ ret := 0 - 1;
+ b := false;
+ found := b;
+ i := 0;
+ goto anon4_LoopHead;
+
+ anon4_LoopHead:
+ goto anon4_LoopDone, anon4_LoopBody;
+
+ anon4_LoopBody:
+ assume i < size;
+ call b := check(A, i, x);
+ goto anon5_Then, anon5_Else;
+
+ anon5_Then:
+ assume b;
+ ret := i;
+ found := b;
+ goto anon3;
+
+ anon5_Else:
+ assume !b;
+ goto anon4_LoopHead;
+
+ anon4_LoopDone:
+ assume i >= size;
+ goto anon3;
+
+ anon3:
+ return;
+}
+
+
+
+procedure {:inline 3} check(A: [int]int, i: int, c: int) returns (ret: bool);
+ requires i >= 0;
+ ensures old(A[i]) > c ==> ret == true;
+
+
+
+implementation check(A: [int]int, i: int, c: int) returns (ret: bool)
+{
+
+ anon0:
+ goto anon4_Then, anon4_Else;
+
+ anon4_Then:
+ assume A[i] == c;
+ ret := true;
+ goto anon3;
+
+ anon4_Else:
+ assume A[i] != c;
+ ret := false;
+ goto anon3;
+
+ anon3:
+ return;
+}
+
+
+after inlining procedure calls
+procedure main(x: int);
+
+
+implementation main(x: int)
+{
+ var A: [int]int;
+ var i: int;
+ var b: bool;
+ var size: int;
+ var inline$find$0$i: int;
+ var inline$find$0$b: bool;
+ var inline$find$0$A: [int]int;
+ var inline$find$0$size: int;
+ var inline$find$0$x: int;
+ var inline$find$0$ret: int;
+ var inline$find$0$found: bool;
+ var inline$check$0$A: [int]int;
+ var inline$check$0$i: int;
+ var inline$check$0$c: int;
+ var inline$check$0$ret: bool;
+
+ anon0:
+ goto inline$find$0$Entry;
+
+ inline$find$0$Entry:
+ inline$find$0$A := A;
+ inline$find$0$size := size;
+ inline$find$0$x := x;
+ goto inline$find$0$anon0;
+
+ inline$find$0$anon0:
+ inline$find$0$ret := 0 - 1;
+ inline$find$0$b := false;
+ inline$find$0$found := inline$find$0$b;
+ inline$find$0$i := 0;
+ goto inline$find$0$anon4_LoopHead;
+
+ inline$find$0$anon4_LoopHead:
+ goto inline$find$0$anon4_LoopDone, inline$find$0$anon4_LoopBody;
+
+ inline$find$0$anon4_LoopBody:
+ assume inline$find$0$i < inline$find$0$size;
+ goto inline$check$0$Entry;
+
+ inline$check$0$Entry:
+ inline$check$0$A := inline$find$0$A;
+ inline$check$0$i := inline$find$0$i;
+ inline$check$0$c := inline$find$0$x;
+ assert inline$check$0$i >= 0;
+ goto inline$check$0$anon0;
+
+ inline$check$0$anon0:
+ goto inline$check$0$anon4_Then, inline$check$0$anon4_Else;
+
+ inline$check$0$anon4_Then:
+ assume inline$check$0$A[inline$check$0$i] == inline$check$0$c;
+ inline$check$0$ret := true;
+ goto inline$check$0$anon3;
+
+ inline$check$0$anon4_Else:
+ assume inline$check$0$A[inline$check$0$i] != inline$check$0$c;
+ inline$check$0$ret := false;
+ goto inline$check$0$anon3;
+
+ inline$check$0$anon3:
+ goto inline$check$0$Return;
+
+ inline$check$0$Return:
+ assert inline$check$0$A[inline$check$0$i] > inline$check$0$c ==> (inline$check$0$ret <==> true);
+ inline$find$0$b := inline$check$0$ret;
+ goto inline$find$0$anon4_LoopBody$1;
+
+ inline$find$0$anon4_LoopBody$1:
+ goto inline$find$0$anon5_Then, inline$find$0$anon5_Else;
+
+ inline$find$0$anon5_Then:
+ assume inline$find$0$b;
+ inline$find$0$ret := inline$find$0$i;
+ inline$find$0$found := inline$find$0$b;
+ goto inline$find$0$anon3;
+
+ inline$find$0$anon5_Else:
+ assume !inline$find$0$b;
+ goto inline$find$0$anon4_LoopHead;
+
+ inline$find$0$anon4_LoopDone:
+ assume inline$find$0$i >= inline$find$0$size;
+ goto inline$find$0$anon3;
+
+ inline$find$0$anon3:
+ goto inline$find$0$Return;
+
+ inline$find$0$Return:
+ i := inline$find$0$ret;
+ b := inline$find$0$found;
+ goto anon0$1;
+
+ anon0$1:
+ goto anon3_Then, anon3_Else;
+
+ anon3_Then:
+ assume b;
+ assert i > 0 && A[i] == x;
+ goto anon2;
+
+ anon3_Else:
+ assume !b;
+ goto anon2;
+
+ anon2:
+ return;
+}
+
+
+after inlining procedure calls
+procedure {:inline 1} find(A: [int]int, size: int, x: int) returns (ret: int, found: bool);
+
+
+implementation find(A: [int]int, size: int, x: int) returns (ret: int, found: bool)
+{
+ var i: int;
+ var b: bool;
+ var inline$check$0$A: [int]int;
+ var inline$check$0$i: int;
+ var inline$check$0$c: int;
+ var inline$check$0$ret: bool;
+
+ anon0:
+ ret := 0 - 1;
+ b := false;
+ found := b;
+ i := 0;
+ goto anon4_LoopHead;
+
+ anon4_LoopHead:
+ goto anon4_LoopDone, anon4_LoopBody;
+
+ anon4_LoopBody:
+ assume i < size;
+ goto inline$check$0$Entry;
+
+ inline$check$0$Entry:
+ inline$check$0$A := A;
+ inline$check$0$i := i;
+ inline$check$0$c := x;
+ assert inline$check$0$i >= 0;
+ goto inline$check$0$anon0;
+
+ inline$check$0$anon0:
+ goto inline$check$0$anon4_Then, inline$check$0$anon4_Else;
+
+ inline$check$0$anon4_Then:
+ assume inline$check$0$A[inline$check$0$i] == inline$check$0$c;
+ inline$check$0$ret := true;
+ goto inline$check$0$anon3;
+
+ inline$check$0$anon4_Else:
+ assume inline$check$0$A[inline$check$0$i] != inline$check$0$c;
+ inline$check$0$ret := false;
+ goto inline$check$0$anon3;
+
+ inline$check$0$anon3:
+ goto inline$check$0$Return;
+
+ inline$check$0$Return:
+ assert inline$check$0$A[inline$check$0$i] > inline$check$0$c ==> (inline$check$0$ret <==> true);
+ b := inline$check$0$ret;
+ goto anon4_LoopBody$1;
+
+ anon4_LoopBody$1:
+ goto anon5_Then, anon5_Else;
+
+ anon5_Then:
+ assume b;
+ ret := i;
+ found := b;
+ goto anon3;
+
+ anon5_Else:
+ assume !b;
+ goto anon4_LoopHead;
+
+ anon4_LoopDone:
+ assume i >= size;
+ goto anon3;
+
+ anon3:
+ return;
+}
+
+
+<console>(68,4): Error BP5003: A postcondition might not hold at this return statement.
+<console>(78,2): Related location: This is the postcondition that might not hold.
+Execution trace:
+ <console>(19,0): anon0
+ <console>(22,0): inline$find$0$Entry
+ <console>(28,0): inline$find$0$anon0
+ <console>(38,0): inline$find$0$anon4_LoopBody
+ <console>(42,0): inline$check$0$Entry
+ <console>(57,0): inline$check$0$anon4_Else
+ <console>(62,0): inline$check$0$anon3
+ <console>(65,0): inline$check$0$Return
+<console>(100,4): Error BP5001: This assertion might not hold.
+Execution trace:
+ <console>(19,0): anon0
+ <console>(22,0): inline$find$0$Entry
+ <console>(28,0): inline$find$0$anon0
+ <console>(38,0): inline$find$0$anon4_LoopBody
+ <console>(42,0): inline$check$0$Entry
+ <console>(52,0): inline$check$0$anon4_Then
+ <console>(65,0): inline$check$0$Return
+ <console>(73,0): inline$find$0$anon5_Then
+ <console>(87,0): inline$find$0$anon3
+ <console>(90,0): inline$find$0$Return
+ <console>(95,0): anon0$1
+ <console>(98,0): anon3_Then
+<console>(50,4): Error BP5003: A postcondition might not hold at this return statement.
+<console>(78,2): Related location: This is the postcondition that might not hold.
+Execution trace:
+ <console>(10,0): anon0
+ <console>(20,0): anon4_LoopBody
+ <console>(24,0): inline$check$0$Entry
+ <console>(39,0): inline$check$0$anon4_Else
+ <console>(44,0): inline$check$0$anon3
+ <console>(47,0): inline$check$0$Return
+<console>(99,0): Error BP5003: A postcondition might not hold at this return statement.
+<console>(78,2): Related location: This is the postcondition that might not hold.
+Execution trace:
+ <console>(85,0): anon0
+ <console>(93,0): anon4_Else
+ <console>(98,0): anon3
+
+Boogie program verifier finished with 0 verified, 4 errors
+-------------------- test5.bpl --------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+-------------------- test6.bpl --------------------
+test6.bpl(1,22): Error: the inlined procedure is recursive, call stack: foo -> foo
+test6.bpl(15,22): Error: the inlined procedure is recursive, call stack: foo2 -> foo3 -> foo1 -> foo2
+test6.bpl(22,22): Error: the inlined procedure is recursive, call stack: foo3 -> foo1 -> foo2 -> foo3
+test6.bpl(8,22): Error: the inlined procedure is recursive, call stack: foo1 -> foo2 -> foo3 -> foo1
+test6.bpl(1,22): Error: the inlined procedure is recursive, call stack: foo -> foo
+test6.bpl(8,22): Error: the inlined procedure is recursive, call stack: foo1 -> foo2 -> foo3 -> foo1
+6 type checking errors detected in test6.bpl
+-------------------- expansion.bpl --------------------
+expansion.bpl(29,14): Error: invalid type for argument 0 in application of foo1: bool (expected: int)
+expansion.bpl(13,16): Error: expansion: {:inline ...} expects either true or false as the argument
+expansion.bpl(14,22): Error: expansion: identifier was not quantified over
+expansion.bpl(15,22): Error: expansion: identifier was not quantified over
+expansion.bpl(16,22): Error: expansion: more variables quantified over, than used in function
+expansion.bpl(18,21): Error: expansion: axiom to be expanded must have form (forall VARS :: f(VARS) == expr(VARS))
+expansion.bpl(19,53): Error: expansion: only identifiers supported as function arguments
+expansion.bpl(33,22): Error: expansion: an identifier was used more than once
+8 type checking errors detected in expansion.bpl
+-------------------- expansion3.bpl --------------------
+*** detected expansion loop on foo3
+*** detected expansion loop on foo3
+*** detected expansion loop on foo3
+*** more than one possible expansion for x1
+expansion3.bpl(18,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ expansion3.bpl(18,3): anon0
+
+Boogie program verifier finished with 1 verified, 1 error
+-------------------- Elevator.bpl --------------------
+Elevator.bpl(17,5): Error BP5005: This loop invariant might not be maintained by the loop.
+Execution trace:
+ Elevator.bpl(15,3): anon0
+ Elevator.bpl(68,23): inline$Initialize$0$Entry
+ Elevator.bpl(71,13): inline$Initialize$0$anon0
+ Elevator.bpl(68,23): inline$Initialize$0$Return
+ Elevator.bpl(15,3): anon0$1
+ Elevator.bpl(16,3): anon10_LoopHead
+ Elevator.bpl(19,5): anon10_LoopBody
+ Elevator.bpl(19,5): anon11_Else
+ Elevator.bpl(19,5): anon12_Else
+ Elevator.bpl(24,7): anon13_Then
+ Elevator.bpl(94,23): inline$MoveDown_Error$0$Entry
+ Elevator.bpl(99,3): inline$MoveDown_Error$0$anon0
+ Elevator.bpl(94,23): inline$MoveDown_Error$0$Return
+ Elevator.bpl(24,7): anon13_Then$1
+
+Boogie program verifier finished with 1 verified, 1 error
+-------------------- expansion2.bpl --------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+
+---------- EXPANSION2.SX: 0
+
+---------- EXPANSION2.SX: 0
+-------------------- expansion4.bpl --------------------
+
+Boogie program verifier finished with 3 verified, 0 errors
+-------------------- fundef.bpl --------------------
+
+function {:inline true} foo(x: int) returns (bool)
+{
+ x > 0
+}
+
+function {:inline false} foo2(x: int) returns (bool);
+
+// autogenerated definition axiom
+axiom (forall x: int :: {:inline false} { foo2(x):bool } foo2(x):bool == (x > 0));
+
+function foo3(x: int) returns (bool);
+
+// autogenerated definition axiom
+axiom (forall x: int :: { foo3(x):bool } foo3(x):bool == (x > 0));
+
+Boogie program verifier finished with 0 verified, 0 errors
+fundef2.bpl(6,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ fundef2.bpl(5,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+-------------------- polyInline.bpl --------------------
+polyInline.bpl(27,9): Warning: type parameter alpha is ambiguous, instantiating to int
+polyInline.bpl(31,9): Warning: type parameter alpha is ambiguous, instantiating to int
+polyInline.bpl(35,9): Warning: type parameter alpha is ambiguous, instantiating to int
+polyInline.bpl(23,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ polyInline.bpl(20,3): anon0
+polyInline.bpl(39,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ polyInline.bpl(27,3): anon0
+
+Boogie program verifier finished with 0 verified, 2 errors
+polyInline.bpl(27,9): Warning: type parameter alpha is ambiguous, instantiating to int
+polyInline.bpl(31,9): Warning: type parameter alpha is ambiguous, instantiating to int
+polyInline.bpl(35,9): Warning: type parameter alpha is ambiguous, instantiating to int
+polyInline.bpl(23,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ polyInline.bpl(20,3): anon0
+polyInline.bpl(39,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ polyInline.bpl(27,3): anon0
+
+Boogie program verifier finished with 0 verified, 2 errors
diff --git a/Test/inline/Elevator.asml b/Test/inline/Elevator.asml
new file mode 100644
index 00000000..02a58d10
--- /dev/null
+++ b/Test/inline/Elevator.asml
@@ -0,0 +1,56 @@
+var floors as Set of Integer
+var DoorsOpen as Set of Integer = {}
+var liftDoorOpen as Boolean = false
+var liftLevel as Integer = 1
+var moving as Boolean = false
+var headingTo as Integer = 0
+
+[Action]
+ButtonPress(i as Integer)
+ require i in floors
+ headingTo := i
+
+[Action]
+MoveUp()
+ require liftDoorOpen = false and liftLevel < headingTo
+ require not (liftLevel in DoorsOpen)
+ moving := true
+ liftLevel:= liftLevel + 1
+
+[Action]
+MoveDown()
+ //bug, should require that liftDoorOpen = false
+ require liftLevel > headingTo and headingTo > 0
+ require not (liftLevel in DoorsOpen)
+ moving := true
+ liftLevel := liftLevel - 1
+
+[Action]
+Stop()
+ require liftLevel = headingTo
+ moving := false
+
+[Action]
+OpenLiftDoor()
+ require moving = false
+ liftDoorOpen := true
+
+[Action]
+CloseLiftDoor()
+ liftDoorOpen := false
+
+[Action]
+OpenFloorDoor(i as Integer)
+ require liftLevel = i
+ DoorsOpen := DoorsOpen union {i}
+
+[Action]
+CloseFloorDoor(i as Integer)
+ DoorsOpen := DoorsOpen - {i}
+
+
+Invariant ()
+ require not (liftDoorOpen = true and moving = true)
+
+
+ \ No newline at end of file
diff --git a/Test/inline/Elevator.bpl b/Test/inline/Elevator.bpl
new file mode 100644
index 00000000..4ee1e997
--- /dev/null
+++ b/Test/inline/Elevator.bpl
@@ -0,0 +1,153 @@
+// A Boogie version of Elevator.asml (see Boogie/Test/inline/Elevator.asml)
+
+var floors: [int]bool; // set of integer
+var DoorsOpen: [int]bool;
+var liftDoorOpen: bool;
+var liftLevel: int;
+var moving: bool;
+var headingTo: int;
+
+procedure Main_Error()
+ modifies floors, DoorsOpen, liftDoorOpen, liftLevel, moving, headingTo;
+{
+ var i: int;
+
+ call Initialize();
+ while (true)
+ invariant !(liftDoorOpen && moving);
+ {
+ if (*) {
+ havoc i; call ButtonPress(i);
+ } else if (*) {
+ call MoveUp();
+ } else if (*) {
+ call MoveDown_Error();
+ } else if (*) {
+ call Stop();
+ } else if (*) {
+ call OpenLiftDoor();
+ } else if (*) {
+ call CloseLiftDoor();
+ } else if (*) {
+ havoc i; call OpenFloorDoor(i);
+ } else {
+ havoc i; call CloseFloorDoor(i);
+ }
+ }
+}
+
+procedure Main_Correct()
+ modifies floors, DoorsOpen, liftDoorOpen, liftLevel, moving, headingTo;
+{
+ var i: int;
+
+ call Initialize();
+ while (true)
+ invariant !(liftDoorOpen && moving);
+ {
+ if (*) {
+ havoc i; call ButtonPress(i);
+ } else if (*) {
+ call MoveUp();
+ } else if (*) {
+ call MoveDown_Correct();
+ } else if (*) {
+ call Stop();
+ } else if (*) {
+ call OpenLiftDoor();
+ } else if (*) {
+ call CloseLiftDoor();
+ } else if (*) {
+ havoc i; call OpenFloorDoor(i);
+ } else {
+ havoc i; call CloseFloorDoor(i);
+ }
+ }
+}
+
+procedure {:inline 1} Initialize()
+ modifies floors, DoorsOpen, liftDoorOpen, liftLevel, moving, headingTo;
+{
+ DoorsOpen := EmptySet;
+ liftDoorOpen := false;
+ liftLevel := 1;
+ moving := false;
+ headingTo := 0;
+}
+
+procedure {:inline 1} ButtonPress(i: int)
+ modifies headingTo;
+{
+ assume floors[i];
+ headingTo := i;
+}
+
+procedure {:inline 1} MoveUp()
+ modifies moving, liftLevel;
+{
+ assume !liftDoorOpen && liftLevel < headingTo;
+ assume !DoorsOpen[liftLevel];
+ moving := true;
+ liftLevel:= liftLevel + 1;
+}
+
+procedure {:inline 1} MoveDown_Error()
+ modifies moving, liftLevel;
+{
+ //bug, should require that liftDoorOpen = false
+ // assume !liftDoorOpen;
+ assume liftLevel > headingTo && headingTo > 0;
+ assume !DoorsOpen[liftLevel];
+ moving := true;
+ liftLevel := liftLevel - 1;
+}
+
+procedure {:inline 1} MoveDown_Correct()
+ modifies moving, liftLevel;
+{
+ assume !liftDoorOpen;
+ assume liftLevel > headingTo && headingTo > 0;
+ assume !DoorsOpen[liftLevel];
+ moving := true;
+ liftLevel := liftLevel - 1;
+}
+
+procedure {:inline 1} Stop()
+ modifies moving;
+{
+ assume liftLevel == headingTo;
+ moving := false;
+}
+
+procedure {:inline 1} OpenLiftDoor()
+ modifies liftDoorOpen;
+{
+ assume !moving;
+ liftDoorOpen := true;
+}
+
+procedure {:inline 1} CloseLiftDoor()
+ modifies liftDoorOpen;
+{
+ liftDoorOpen := false;
+}
+
+procedure {:inline 1} OpenFloorDoor(i: int)
+ modifies DoorsOpen;
+{
+ assume liftLevel == i;
+ DoorsOpen[i] := true; // DoorsOpen := DoorsOpen union {i};
+}
+
+procedure {:inline 1} CloseFloorDoor(i: int)
+ modifies DoorsOpen;
+{
+ DoorsOpen[i] := false; // DoorsOpen := DoorsOpen - {i}
+}
+
+// ---------------------------------------------------------------
+
+const EmptySet: [int]bool;
+axiom (forall o: int :: { EmptySet[o] } !EmptySet[o]);
+
+// ---------------------------------------------------------------
diff --git a/Test/inline/Output b/Test/inline/Output
new file mode 100644
index 00000000..39d5a5b4
--- /dev/null
+++ b/Test/inline/Output
@@ -0,0 +1,983 @@
+-------------------- test1.bpl --------------------
+
+procedure Main();
+
+
+
+implementation Main()
+{
+ var x: int;
+ var y: int;
+
+ anon0:
+ x := 1;
+ y := 0;
+ call x := inc(x, 5);
+ call y := incdec(x, 2);
+ assert x - 1 == y;
+ return;
+}
+
+
+
+procedure {:inline 1} incdec(x: int, y: int) returns (z: int);
+ ensures z == x + 1 - y;
+
+
+
+implementation incdec(x: int, y: int) returns (z: int)
+{
+
+ anon0:
+ z := x;
+ z := x + 1;
+ call z := dec(z, y);
+ return;
+}
+
+
+
+procedure {:inline 1} inc(x: int, i: int) returns (y: int);
+ ensures y == x + i;
+
+
+
+implementation inc(x: int, i: int) returns (y: int)
+{
+
+ anon0:
+ y := x;
+ y := x + i;
+ return;
+}
+
+
+
+procedure {:inline 1} dec(x: int, i: int) returns (y: int);
+ ensures y == x - i;
+
+
+
+implementation dec(x: int, i: int) returns (y: int)
+{
+
+ anon0:
+ y := x;
+ y := x - i;
+ return;
+}
+
+
+after inlining procedure calls
+procedure Main();
+
+
+implementation Main()
+{
+ var x: int;
+ var y: int;
+ var inline$inc$0$x: int;
+ var inline$inc$0$i: int;
+ var inline$inc$0$y: int;
+ var inline$incdec$0$x: int;
+ var inline$incdec$0$y: int;
+ var inline$incdec$0$z: int;
+ var inline$dec$0$x: int;
+ var inline$dec$0$i: int;
+ var inline$dec$0$y: int;
+
+ anon0:
+ x := 1;
+ y := 0;
+ goto inline$inc$0$Entry;
+
+ inline$inc$0$Entry:
+ inline$inc$0$x := x;
+ inline$inc$0$i := 5;
+ goto inline$inc$0$anon0;
+
+ inline$inc$0$anon0:
+ inline$inc$0$y := inline$inc$0$x;
+ inline$inc$0$y := inline$inc$0$x + inline$inc$0$i;
+ goto inline$inc$0$Return;
+
+ inline$inc$0$Return:
+ assert inline$inc$0$y == inline$inc$0$x + inline$inc$0$i;
+ x := inline$inc$0$y;
+ goto anon0$1;
+
+ anon0$1:
+ goto inline$incdec$0$Entry;
+
+ inline$incdec$0$Entry:
+ inline$incdec$0$x := x;
+ inline$incdec$0$y := 2;
+ goto inline$incdec$0$anon0;
+
+ inline$incdec$0$anon0:
+ inline$incdec$0$z := inline$incdec$0$x;
+ inline$incdec$0$z := inline$incdec$0$x + 1;
+ goto inline$dec$0$Entry;
+
+ inline$dec$0$Entry:
+ inline$dec$0$x := inline$incdec$0$z;
+ inline$dec$0$i := inline$incdec$0$y;
+ goto inline$dec$0$anon0;
+
+ inline$dec$0$anon0:
+ inline$dec$0$y := inline$dec$0$x;
+ inline$dec$0$y := inline$dec$0$x - inline$dec$0$i;
+ goto inline$dec$0$Return;
+
+ inline$dec$0$Return:
+ assert inline$dec$0$y == inline$dec$0$x - inline$dec$0$i;
+ inline$incdec$0$z := inline$dec$0$y;
+ goto inline$incdec$0$anon0$1;
+
+ inline$incdec$0$anon0$1:
+ goto inline$incdec$0$Return;
+
+ inline$incdec$0$Return:
+ assert inline$incdec$0$z == inline$incdec$0$x + 1 - inline$incdec$0$y;
+ y := inline$incdec$0$z;
+ goto anon0$2;
+
+ anon0$2:
+ assert x - 1 == y;
+ return;
+}
+
+
+after inlining procedure calls
+procedure {:inline 1} incdec(x: int, y: int) returns (z: int);
+ ensures z == x + 1 - y;
+
+
+implementation incdec(x: int, y: int) returns (z: int)
+{
+ var inline$dec$0$x: int;
+ var inline$dec$0$i: int;
+ var inline$dec$0$y: int;
+
+ anon0:
+ z := x;
+ z := x + 1;
+ goto inline$dec$0$Entry;
+
+ inline$dec$0$Entry:
+ inline$dec$0$x := z;
+ inline$dec$0$i := y;
+ goto inline$dec$0$anon0;
+
+ inline$dec$0$anon0:
+ inline$dec$0$y := inline$dec$0$x;
+ inline$dec$0$y := inline$dec$0$x - inline$dec$0$i;
+ goto inline$dec$0$Return;
+
+ inline$dec$0$Return:
+ assert inline$dec$0$y == inline$dec$0$x - inline$dec$0$i;
+ z := inline$dec$0$y;
+ goto anon0$1;
+
+ anon0$1:
+ return;
+}
+
+
+
+Boogie program verifier finished with 4 verified, 0 errors
+-------------------- test2.bpl --------------------
+
+var glb: int;
+
+procedure calculate();
+ modifies glb;
+
+
+
+implementation calculate()
+{
+ var x: int;
+ var y: int;
+
+ anon0:
+ y := 5;
+ call x := increase(y);
+ return;
+}
+
+
+
+procedure {:inline 1} increase(i: int) returns (k: int);
+ modifies glb;
+
+
+
+implementation increase(i: int) returns (k: int)
+{
+ var j: int;
+
+ anon0:
+ j := i;
+ j := j + 1;
+ glb := glb + j;
+ k := j;
+ return;
+}
+
+
+after inlining procedure calls
+procedure calculate();
+ modifies glb;
+
+
+implementation calculate()
+{
+ var x: int;
+ var y: int;
+ var inline$increase$0$j: int;
+ var inline$increase$0$i: int;
+ var inline$increase$0$k: int;
+ var inline$increase$0$glb: int;
+
+ anon0:
+ y := 5;
+ goto inline$increase$0$Entry;
+
+ inline$increase$0$Entry:
+ inline$increase$0$i := y;
+ inline$increase$0$glb := glb;
+ goto inline$increase$0$anon0;
+
+ inline$increase$0$anon0:
+ inline$increase$0$j := inline$increase$0$i;
+ inline$increase$0$j := inline$increase$0$j + 1;
+ glb := glb + inline$increase$0$j;
+ inline$increase$0$k := inline$increase$0$j;
+ goto inline$increase$0$Return;
+
+ inline$increase$0$Return:
+ x := inline$increase$0$k;
+ goto anon0$1;
+
+ anon0$1:
+ return;
+}
+
+
+
+Boogie program verifier finished with 2 verified, 0 errors
+-------------------- test3.bpl --------------------
+
+var glb: int;
+
+procedure recursivetest();
+ modifies glb;
+
+
+
+implementation recursivetest()
+{
+
+ anon0:
+ glb := 5;
+ call glb := recursive(glb);
+ return;
+}
+
+
+
+procedure {:inline 3} recursive(x: int) returns (y: int);
+
+
+
+implementation recursive(x: int) returns (y: int)
+{
+ var k: int;
+
+ anon0:
+ goto anon3_Then, anon3_Else;
+
+ anon3_Then:
+ assume x == 0;
+ y := 1;
+ return;
+
+ anon3_Else:
+ assume x != 0;
+ goto anon2;
+
+ anon2:
+ call k := recursive(x - 1);
+ y := y + k;
+ return;
+}
+
+
+after inlining procedure calls
+procedure recursivetest();
+ modifies glb;
+
+
+implementation recursivetest()
+{
+ var inline$recursive$0$k: int;
+ var inline$recursive$0$x: int;
+ var inline$recursive$0$y: int;
+ var inline$recursive$1$k: int;
+ var inline$recursive$1$x: int;
+ var inline$recursive$1$y: int;
+ var inline$recursive$2$k: int;
+ var inline$recursive$2$x: int;
+ var inline$recursive$2$y: int;
+
+ anon0:
+ glb := 5;
+ goto inline$recursive$0$Entry;
+
+ inline$recursive$0$Entry:
+ inline$recursive$0$x := glb;
+ goto inline$recursive$0$anon0;
+
+ inline$recursive$0$anon0:
+ goto inline$recursive$0$anon3_Then, inline$recursive$0$anon3_Else;
+
+ inline$recursive$0$anon3_Then:
+ assume inline$recursive$0$x == 0;
+ inline$recursive$0$y := 1;
+ goto inline$recursive$0$Return;
+
+ inline$recursive$0$anon3_Else:
+ assume inline$recursive$0$x != 0;
+ goto inline$recursive$0$anon2;
+
+ inline$recursive$0$anon2:
+ goto inline$recursive$1$Entry;
+
+ inline$recursive$1$Entry:
+ inline$recursive$1$x := inline$recursive$0$x - 1;
+ goto inline$recursive$1$anon0;
+
+ inline$recursive$1$anon0:
+ goto inline$recursive$1$anon3_Then, inline$recursive$1$anon3_Else;
+
+ inline$recursive$1$anon3_Then:
+ assume inline$recursive$1$x == 0;
+ inline$recursive$1$y := 1;
+ goto inline$recursive$1$Return;
+
+ inline$recursive$1$anon3_Else:
+ assume inline$recursive$1$x != 0;
+ goto inline$recursive$1$anon2;
+
+ inline$recursive$1$anon2:
+ goto inline$recursive$2$Entry;
+
+ inline$recursive$2$Entry:
+ inline$recursive$2$x := inline$recursive$1$x - 1;
+ goto inline$recursive$2$anon0;
+
+ inline$recursive$2$anon0:
+ goto inline$recursive$2$anon3_Then, inline$recursive$2$anon3_Else;
+
+ inline$recursive$2$anon3_Then:
+ assume inline$recursive$2$x == 0;
+ inline$recursive$2$y := 1;
+ goto inline$recursive$2$Return;
+
+ inline$recursive$2$anon3_Else:
+ assume inline$recursive$2$x != 0;
+ goto inline$recursive$2$anon2;
+
+ inline$recursive$2$anon2:
+ call inline$recursive$2$k := recursive(inline$recursive$2$x - 1);
+ inline$recursive$2$y := inline$recursive$2$y + inline$recursive$2$k;
+ goto inline$recursive$2$Return;
+
+ inline$recursive$2$Return:
+ inline$recursive$1$k := inline$recursive$2$y;
+ goto inline$recursive$1$anon2$1;
+
+ inline$recursive$1$anon2$1:
+ inline$recursive$1$y := inline$recursive$1$y + inline$recursive$1$k;
+ goto inline$recursive$1$Return;
+
+ inline$recursive$1$Return:
+ inline$recursive$0$k := inline$recursive$1$y;
+ goto inline$recursive$0$anon2$1;
+
+ inline$recursive$0$anon2$1:
+ inline$recursive$0$y := inline$recursive$0$y + inline$recursive$0$k;
+ goto inline$recursive$0$Return;
+
+ inline$recursive$0$Return:
+ glb := inline$recursive$0$y;
+ goto anon0$1;
+
+ anon0$1:
+ return;
+}
+
+
+after inlining procedure calls
+procedure {:inline 3} recursive(x: int) returns (y: int);
+
+
+implementation recursive(x: int) returns (y: int)
+{
+ var k: int;
+ var inline$recursive$0$k: int;
+ var inline$recursive$0$x: int;
+ var inline$recursive$0$y: int;
+ var inline$recursive$1$k: int;
+ var inline$recursive$1$x: int;
+ var inline$recursive$1$y: int;
+ var inline$recursive$2$k: int;
+ var inline$recursive$2$x: int;
+ var inline$recursive$2$y: int;
+
+ anon0:
+ goto anon3_Then, anon3_Else;
+
+ anon3_Then:
+ assume x == 0;
+ y := 1;
+ return;
+
+ anon3_Else:
+ assume x != 0;
+ goto anon2;
+
+ anon2:
+ goto inline$recursive$0$Entry;
+
+ inline$recursive$0$Entry:
+ inline$recursive$0$x := x - 1;
+ goto inline$recursive$0$anon0;
+
+ inline$recursive$0$anon0:
+ goto inline$recursive$0$anon3_Then, inline$recursive$0$anon3_Else;
+
+ inline$recursive$0$anon3_Then:
+ assume inline$recursive$0$x == 0;
+ inline$recursive$0$y := 1;
+ goto inline$recursive$0$Return;
+
+ inline$recursive$0$anon3_Else:
+ assume inline$recursive$0$x != 0;
+ goto inline$recursive$0$anon2;
+
+ inline$recursive$0$anon2:
+ goto inline$recursive$1$Entry;
+
+ inline$recursive$1$Entry:
+ inline$recursive$1$x := inline$recursive$0$x - 1;
+ goto inline$recursive$1$anon0;
+
+ inline$recursive$1$anon0:
+ goto inline$recursive$1$anon3_Then, inline$recursive$1$anon3_Else;
+
+ inline$recursive$1$anon3_Then:
+ assume inline$recursive$1$x == 0;
+ inline$recursive$1$y := 1;
+ goto inline$recursive$1$Return;
+
+ inline$recursive$1$anon3_Else:
+ assume inline$recursive$1$x != 0;
+ goto inline$recursive$1$anon2;
+
+ inline$recursive$1$anon2:
+ goto inline$recursive$2$Entry;
+
+ inline$recursive$2$Entry:
+ inline$recursive$2$x := inline$recursive$1$x - 1;
+ goto inline$recursive$2$anon0;
+
+ inline$recursive$2$anon0:
+ goto inline$recursive$2$anon3_Then, inline$recursive$2$anon3_Else;
+
+ inline$recursive$2$anon3_Then:
+ assume inline$recursive$2$x == 0;
+ inline$recursive$2$y := 1;
+ goto inline$recursive$2$Return;
+
+ inline$recursive$2$anon3_Else:
+ assume inline$recursive$2$x != 0;
+ goto inline$recursive$2$anon2;
+
+ inline$recursive$2$anon2:
+ call inline$recursive$2$k := recursive(inline$recursive$2$x - 1);
+ inline$recursive$2$y := inline$recursive$2$y + inline$recursive$2$k;
+ goto inline$recursive$2$Return;
+
+ inline$recursive$2$Return:
+ inline$recursive$1$k := inline$recursive$2$y;
+ goto inline$recursive$1$anon2$1;
+
+ inline$recursive$1$anon2$1:
+ inline$recursive$1$y := inline$recursive$1$y + inline$recursive$1$k;
+ goto inline$recursive$1$Return;
+
+ inline$recursive$1$Return:
+ inline$recursive$0$k := inline$recursive$1$y;
+ goto inline$recursive$0$anon2$1;
+
+ inline$recursive$0$anon2$1:
+ inline$recursive$0$y := inline$recursive$0$y + inline$recursive$0$k;
+ goto inline$recursive$0$Return;
+
+ inline$recursive$0$Return:
+ k := inline$recursive$0$y;
+ goto anon2$1;
+
+ anon2$1:
+ y := y + k;
+ return;
+}
+
+
+
+Boogie program verifier finished with 2 verified, 0 errors
+-------------------- test4.bpl --------------------
+
+procedure main(x: int);
+
+
+
+implementation main(x: int)
+{
+ var A: [int]int;
+ var i: int;
+ var b: bool;
+ var size: int;
+
+ anon0:
+ call i, b := find(A, size, x);
+ goto anon3_Then, anon3_Else;
+
+ anon3_Then:
+ assume b;
+ assert i > 0 && A[i] == x;
+ goto anon2;
+
+ anon3_Else:
+ assume !b;
+ goto anon2;
+
+ anon2:
+ return;
+}
+
+
+
+procedure {:inline 1} find(A: [int]int, size: int, x: int) returns (ret: int, found: bool);
+
+
+
+implementation find(A: [int]int, size: int, x: int) returns (ret: int, found: bool)
+{
+ var i: int;
+ var b: bool;
+
+ anon0:
+ ret := 0 - 1;
+ b := false;
+ found := b;
+ i := 0;
+ goto anon4_LoopHead;
+
+ anon4_LoopHead:
+ goto anon4_LoopDone, anon4_LoopBody;
+
+ anon4_LoopBody:
+ assume i < size;
+ call b := check(A, i, x);
+ goto anon5_Then, anon5_Else;
+
+ anon5_Then:
+ assume b;
+ ret := i;
+ found := b;
+ goto anon3;
+
+ anon5_Else:
+ assume !b;
+ goto anon4_LoopHead;
+
+ anon4_LoopDone:
+ assume i >= size;
+ goto anon3;
+
+ anon3:
+ return;
+}
+
+
+
+procedure {:inline 3} check(A: [int]int, i: int, c: int) returns (ret: bool);
+ requires i >= 0;
+ ensures old(A[i]) > c ==> ret == true;
+
+
+
+implementation check(A: [int]int, i: int, c: int) returns (ret: bool)
+{
+
+ anon0:
+ goto anon4_Then, anon4_Else;
+
+ anon4_Then:
+ assume A[i] == c;
+ ret := true;
+ goto anon3;
+
+ anon4_Else:
+ assume A[i] != c;
+ ret := false;
+ goto anon3;
+
+ anon3:
+ return;
+}
+
+
+after inlining procedure calls
+procedure main(x: int);
+
+
+implementation main(x: int)
+{
+ var A: [int]int;
+ var i: int;
+ var b: bool;
+ var size: int;
+ var inline$find$0$i: int;
+ var inline$find$0$b: bool;
+ var inline$find$0$A: [int]int;
+ var inline$find$0$size: int;
+ var inline$find$0$x: int;
+ var inline$find$0$ret: int;
+ var inline$find$0$found: bool;
+ var inline$check$0$A: [int]int;
+ var inline$check$0$i: int;
+ var inline$check$0$c: int;
+ var inline$check$0$ret: bool;
+
+ anon0:
+ goto inline$find$0$Entry;
+
+ inline$find$0$Entry:
+ inline$find$0$A := A;
+ inline$find$0$size := size;
+ inline$find$0$x := x;
+ goto inline$find$0$anon0;
+
+ inline$find$0$anon0:
+ inline$find$0$ret := 0 - 1;
+ inline$find$0$b := false;
+ inline$find$0$found := inline$find$0$b;
+ inline$find$0$i := 0;
+ goto inline$find$0$anon4_LoopHead;
+
+ inline$find$0$anon4_LoopHead:
+ goto inline$find$0$anon4_LoopDone, inline$find$0$anon4_LoopBody;
+
+ inline$find$0$anon4_LoopBody:
+ assume inline$find$0$i < inline$find$0$size;
+ goto inline$check$0$Entry;
+
+ inline$check$0$Entry:
+ inline$check$0$A := inline$find$0$A;
+ inline$check$0$i := inline$find$0$i;
+ inline$check$0$c := inline$find$0$x;
+ assert inline$check$0$i >= 0;
+ goto inline$check$0$anon0;
+
+ inline$check$0$anon0:
+ goto inline$check$0$anon4_Then, inline$check$0$anon4_Else;
+
+ inline$check$0$anon4_Then:
+ assume inline$check$0$A[inline$check$0$i] == inline$check$0$c;
+ inline$check$0$ret := true;
+ goto inline$check$0$anon3;
+
+ inline$check$0$anon4_Else:
+ assume inline$check$0$A[inline$check$0$i] != inline$check$0$c;
+ inline$check$0$ret := false;
+ goto inline$check$0$anon3;
+
+ inline$check$0$anon3:
+ goto inline$check$0$Return;
+
+ inline$check$0$Return:
+ assert inline$check$0$A[inline$check$0$i] > inline$check$0$c ==> (inline$check$0$ret <==> true);
+ inline$find$0$b := inline$check$0$ret;
+ goto inline$find$0$anon4_LoopBody$1;
+
+ inline$find$0$anon4_LoopBody$1:
+ goto inline$find$0$anon5_Then, inline$find$0$anon5_Else;
+
+ inline$find$0$anon5_Then:
+ assume inline$find$0$b;
+ inline$find$0$ret := inline$find$0$i;
+ inline$find$0$found := inline$find$0$b;
+ goto inline$find$0$anon3;
+
+ inline$find$0$anon5_Else:
+ assume !inline$find$0$b;
+ goto inline$find$0$anon4_LoopHead;
+
+ inline$find$0$anon4_LoopDone:
+ assume inline$find$0$i >= inline$find$0$size;
+ goto inline$find$0$anon3;
+
+ inline$find$0$anon3:
+ goto inline$find$0$Return;
+
+ inline$find$0$Return:
+ i := inline$find$0$ret;
+ b := inline$find$0$found;
+ goto anon0$1;
+
+ anon0$1:
+ goto anon3_Then, anon3_Else;
+
+ anon3_Then:
+ assume b;
+ assert i > 0 && A[i] == x;
+ goto anon2;
+
+ anon3_Else:
+ assume !b;
+ goto anon2;
+
+ anon2:
+ return;
+}
+
+
+after inlining procedure calls
+procedure {:inline 1} find(A: [int]int, size: int, x: int) returns (ret: int, found: bool);
+
+
+implementation find(A: [int]int, size: int, x: int) returns (ret: int, found: bool)
+{
+ var i: int;
+ var b: bool;
+ var inline$check$0$A: [int]int;
+ var inline$check$0$i: int;
+ var inline$check$0$c: int;
+ var inline$check$0$ret: bool;
+
+ anon0:
+ ret := 0 - 1;
+ b := false;
+ found := b;
+ i := 0;
+ goto anon4_LoopHead;
+
+ anon4_LoopHead:
+ goto anon4_LoopDone, anon4_LoopBody;
+
+ anon4_LoopBody:
+ assume i < size;
+ goto inline$check$0$Entry;
+
+ inline$check$0$Entry:
+ inline$check$0$A := A;
+ inline$check$0$i := i;
+ inline$check$0$c := x;
+ assert inline$check$0$i >= 0;
+ goto inline$check$0$anon0;
+
+ inline$check$0$anon0:
+ goto inline$check$0$anon4_Then, inline$check$0$anon4_Else;
+
+ inline$check$0$anon4_Then:
+ assume inline$check$0$A[inline$check$0$i] == inline$check$0$c;
+ inline$check$0$ret := true;
+ goto inline$check$0$anon3;
+
+ inline$check$0$anon4_Else:
+ assume inline$check$0$A[inline$check$0$i] != inline$check$0$c;
+ inline$check$0$ret := false;
+ goto inline$check$0$anon3;
+
+ inline$check$0$anon3:
+ goto inline$check$0$Return;
+
+ inline$check$0$Return:
+ assert inline$check$0$A[inline$check$0$i] > inline$check$0$c ==> (inline$check$0$ret <==> true);
+ b := inline$check$0$ret;
+ goto anon4_LoopBody$1;
+
+ anon4_LoopBody$1:
+ goto anon5_Then, anon5_Else;
+
+ anon5_Then:
+ assume b;
+ ret := i;
+ found := b;
+ goto anon3;
+
+ anon5_Else:
+ assume !b;
+ goto anon4_LoopHead;
+
+ anon4_LoopDone:
+ assume i >= size;
+ goto anon3;
+
+ anon3:
+ return;
+}
+
+
+<console>(68,4): Error BP5003: A postcondition might not hold at this return statement.
+<console>(78,2): Related location: This is the postcondition that might not hold.
+Execution trace:
+ <console>(19,0): anon0
+ <console>(22,0): inline$find$0$Entry
+ <console>(28,0): inline$find$0$anon0
+ <console>(38,0): inline$find$0$anon4_LoopBody
+ <console>(42,0): inline$check$0$Entry
+ <console>(57,0): inline$check$0$anon4_Else
+ <console>(62,0): inline$check$0$anon3
+ <console>(65,0): inline$check$0$Return
+<console>(100,4): Error BP5001: This assertion might not hold.
+Execution trace:
+ <console>(19,0): anon0
+ <console>(22,0): inline$find$0$Entry
+ <console>(28,0): inline$find$0$anon0
+ <console>(38,0): inline$find$0$anon4_LoopBody
+ <console>(42,0): inline$check$0$Entry
+ <console>(52,0): inline$check$0$anon4_Then
+ <console>(65,0): inline$check$0$Return
+ <console>(73,0): inline$find$0$anon5_Then
+ <console>(87,0): inline$find$0$anon3
+ <console>(90,0): inline$find$0$Return
+ <console>(95,0): anon0$1
+ <console>(98,0): anon3_Then
+<console>(50,4): Error BP5003: A postcondition might not hold at this return statement.
+<console>(78,2): Related location: This is the postcondition that might not hold.
+Execution trace:
+ <console>(10,0): anon0
+ <console>(20,0): anon4_LoopBody
+ <console>(24,0): inline$check$0$Entry
+ <console>(39,0): inline$check$0$anon4_Else
+ <console>(44,0): inline$check$0$anon3
+ <console>(47,0): inline$check$0$Return
+<console>(99,0): Error BP5003: A postcondition might not hold at this return statement.
+<console>(78,2): Related location: This is the postcondition that might not hold.
+Execution trace:
+ <console>(85,0): anon0
+ <console>(93,0): anon4_Else
+ <console>(98,0): anon3
+
+Boogie program verifier finished with 0 verified, 4 errors
+-------------------- test5.bpl --------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+-------------------- test6.bpl --------------------
+test6.bpl(1,22): Error: the inlined procedure is recursive, call stack: foo -> foo
+test6.bpl(15,22): Error: the inlined procedure is recursive, call stack: foo2 -> foo3 -> foo1 -> foo2
+test6.bpl(22,22): Error: the inlined procedure is recursive, call stack: foo3 -> foo1 -> foo2 -> foo3
+test6.bpl(8,22): Error: the inlined procedure is recursive, call stack: foo1 -> foo2 -> foo3 -> foo1
+test6.bpl(1,22): Error: the inlined procedure is recursive, call stack: foo -> foo
+test6.bpl(8,22): Error: the inlined procedure is recursive, call stack: foo1 -> foo2 -> foo3 -> foo1
+6 type checking errors detected in test6.bpl
+-------------------- expansion.bpl --------------------
+expansion.bpl(29,14): Error: invalid type for argument 0 in application of foo1: bool (expected: int)
+expansion.bpl(13,16): Error: expansion: {:inline ...} expects either true or false as the argument
+expansion.bpl(14,22): Error: expansion: identifier was not quantified over
+expansion.bpl(15,22): Error: expansion: identifier was not quantified over
+expansion.bpl(16,22): Error: expansion: more variables quantified over, than used in function
+expansion.bpl(18,21): Error: expansion: axiom to be expanded must have form (forall VARS :: f(VARS) == expr(VARS))
+expansion.bpl(19,53): Error: expansion: only identifiers supported as function arguments
+expansion.bpl(33,22): Error: expansion: an identifier was used more than once
+8 type checking errors detected in expansion.bpl
+-------------------- expansion3.bpl --------------------
+*** detected expansion loop on foo3
+*** detected expansion loop on foo3
+*** detected expansion loop on foo3
+*** more than one possible expansion for x1
+expansion3.bpl(18,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ expansion3.bpl(18,3): anon0
+
+Boogie program verifier finished with 1 verified, 1 error
+-------------------- Elevator.bpl --------------------
+Elevator.bpl(17,5): Error BP5005: This loop invariant might not be maintained by the loop.
+Execution trace:
+ Elevator.bpl(15,3): anon0
+ Elevator.bpl(68,23): inline$Initialize$0$Entry
+ Elevator.bpl(71,13): inline$Initialize$0$anon0
+ Elevator.bpl(68,23): inline$Initialize$0$Return
+ Elevator.bpl(15,3): anon0$1
+ Elevator.bpl(16,3): anon10_LoopHead
+ Elevator.bpl(19,5): anon10_LoopBody
+ Elevator.bpl(19,5): anon11_Else
+ Elevator.bpl(19,5): anon12_Else
+ Elevator.bpl(24,7): anon13_Then
+ Elevator.bpl(94,23): inline$MoveDown_Error$0$Entry
+ Elevator.bpl(99,3): inline$MoveDown_Error$0$anon0
+ Elevator.bpl(94,23): inline$MoveDown_Error$0$Return
+ Elevator.bpl(24,7): anon13_Then$1
+
+Boogie program verifier finished with 1 verified, 1 error
+-------------------- expansion2.bpl --------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+
+---------- EXPANSION2.SX: 0
+
+---------- EXPANSION2.SX: 0
+-------------------- expansion4.bpl --------------------
+
+Boogie program verifier finished with 3 verified, 0 errors
+-------------------- fundef.bpl --------------------
+
+function {:inline true} foo(x: int) returns (bool)
+{
+ x > 0
+}
+
+function {:inline false} foo2(x: int) returns (bool);
+
+// autogenerated definition axiom
+axiom (forall x: int :: {:inline false} { foo2(x):bool } foo2(x):bool == (x > 0));
+
+function foo3(x: int) returns (bool);
+
+// autogenerated definition axiom
+axiom (forall x: int :: { foo3(x):bool } foo3(x):bool == (x > 0));
+
+Boogie program verifier finished with 0 verified, 0 errors
+fundef2.bpl(6,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ fundef2.bpl(5,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+-------------------- polyInline.bpl --------------------
+polyInline.bpl(27,9): Warning: type parameter alpha is ambiguous, instantiating to int
+polyInline.bpl(31,9): Warning: type parameter alpha is ambiguous, instantiating to int
+polyInline.bpl(35,9): Warning: type parameter alpha is ambiguous, instantiating to int
+polyInline.bpl(23,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ polyInline.bpl(20,3): anon0
+polyInline.bpl(39,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ polyInline.bpl(27,3): anon0
+
+Boogie program verifier finished with 0 verified, 2 errors
+polyInline.bpl(27,9): Warning: type parameter alpha is ambiguous, instantiating to int
+polyInline.bpl(31,9): Warning: type parameter alpha is ambiguous, instantiating to int
+polyInline.bpl(35,9): Warning: type parameter alpha is ambiguous, instantiating to int
+polyInline.bpl(23,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ polyInline.bpl(20,3): anon0
+polyInline.bpl(39,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ polyInline.bpl(27,3): anon0
+
+Boogie program verifier finished with 0 verified, 2 errors
diff --git a/Test/inline/expansion.bpl b/Test/inline/expansion.bpl
new file mode 100644
index 00000000..41acfb44
--- /dev/null
+++ b/Test/inline/expansion.bpl
@@ -0,0 +1,33 @@
+const q : int;
+const p : bool;
+function foo(x:int, y:bool) returns(bool);
+function foo1(x:int, y:bool) returns(bool);
+function foo2(x:int, y:bool) returns(bool);
+function foo3(x:int, y:bool) returns(bool);
+// OK
+axiom {:inline false} (forall x:int, y:bool :: foo(x,p) <==> x > 10 && y);
+axiom {:inline true} (forall x:int, y:bool :: foo1(x,y) == (x > 10 && y));
+axiom {:inline true} (forall x:int, y:bool :: foo2(x,y) == (q > 10 && y));
+axiom {:inline true} (forall y:bool, x:int :: foo3(x,y) == foo3(x,y));
+// fail
+axiom {:inline 1} (forall x:int, y:bool :: foo(x,y) <==> x > 10 && y);
+axiom {:inline true} (forall x:int, y:bool :: foo(x,p) <==> x > 10 && y);
+axiom {:inline true} (forall y:bool :: foo(q,y) == (q > 10 && y));
+axiom {:inline true} (forall x:int, y:bool, z:int :: foo(x,y) == (q > 10 && y));
+axiom {:inline true} (forall y:bool, x:int :: foo3(x,y) == (q > 10 && y));
+axiom {:inline true} true;
+axiom {:inline true} (forall y:bool, x:int :: foo3(x,true) == (q > 10 && y));
+
+
+procedure baz1()
+{
+ assert foo3(1,true);
+}
+
+procedure baz2()
+{
+ assert foo1(true,true);
+}
+
+function foo4(x:int, y:int) returns(bool);
+axiom {:inline true} (forall x:int,z:int :: foo4(x,x) == (x > 0));
diff --git a/Test/inline/expansion2.bpl b/Test/inline/expansion2.bpl
new file mode 100644
index 00000000..fc14a0eb
--- /dev/null
+++ b/Test/inline/expansion2.bpl
@@ -0,0 +1,14 @@
+function xxgz(x:int) returns(bool);
+function xxf1(x:int,y:bool) returns(int);
+axiom {:inline true} (forall x:int :: xxgz(x) <==> x > 0);
+axiom {:inline true} (forall x:int, y:bool :: xxf1(x,y) == x+1);
+
+axiom (forall z:int :: z>12 ==> xxgz(z));
+axiom (forall y:int, x:bool :: xxf1(y, x) > 1 ==> y > 0);
+
+procedure foo()
+{
+ assert xxgz(12);
+ assert xxf1(3,true) == 4;
+}
+
diff --git a/Test/inline/expansion2.sx b/Test/inline/expansion2.sx
new file mode 100644
index 00000000..7417aab2
--- /dev/null
+++ b/Test/inline/expansion2.sx
@@ -0,0 +1,178 @@
+; Boogie program verifier version 2.00, Copyright (c) 2003-2009, Microsoft.
+; Command Line Options: -nologo -logPrefix:inline /proverLog:expansion2.sx expansion2.bpl
+; Proof obligation: foo
+; Z3 command line: c:\Program Files\Microsoft Research\Z3-2.0\bin\z3.exe /si /@ /cex:5 /t:0
+; User supplied Z3 options:
+; Prover options:
+;
+(SETPARAMETER MODEL_PARTIAL true)
+(SETPARAMETER MODEL_VALUE_COMPLETION false)
+(SETPARAMETER MODEL_HIDE_UNUSED_PARTITIONS false)
+(SETPARAMETER MODEL_V1 true)
+(SETPARAMETER ASYNC_COMMANDS false)
+(SETPARAMETER PHASE_SELECTION 0)
+(SETPARAMETER RESTART_STRATEGY 0)
+(SETPARAMETER RESTART_FACTOR |1.5|)
+(SETPARAMETER NNF_SK_HACK true)
+(SETPARAMETER QI_EAGER_THRESHOLD 100)
+(SETPARAMETER ARITH_RANDOM_INITIAL_VALUE true)
+(SETPARAMETER SORT_AND_OR false)
+(SETPARAMETER CASE_SPLIT 3)
+(SETPARAMETER DELAY_UNITS true)
+(SETPARAMETER DELAY_UNITS_THRESHOLD 16)
+(SETPARAMETER TYPE_CHECK true)
+(SETPARAMETER BV_REFLECT true)
+; -------------------------------------------------------------------------
+; Boogie 2 universal background predicate for Z3 (Simplify notation with types)
+; Copyright (c) 2004-2009, Microsoft Corp.
+
+(DEFTYPE $int :BUILTIN Int)
+(DEFTYPE $bool :BUILTIN bool)
+(DEFTYPE U)
+(DEFTYPE T)
+
+(DEFOP <: U U $bool) ; used for translation with type premisses
+(DEFOP <:: T U U $bool) ; used for translation with type arguments
+
+(BG_PUSH (AND
+
+ ; false is not true
+
+ (DISTINCT |@false| |@true|)
+
+ ; we assume type correctness of the operations here
+ ; a-l>=0 ==> (v ++ w:l)[a:b] = v[a-l:b-l]
+ (FORALL (v lv w lw lvw a b)
+ (QID bv:e:c1)
+ (PATS ($bv_extract ($bv_concat v lv w lw) lvw a b))
+ (IMPLIES
+ (>= (- a lw) 0)
+ (EQ ($bv_extract ($bv_concat v lv w lw) lvw a b) ($bv_extract v lv (- a lw) (- b lw)))))
+
+ ; b<=l ==> (v ++ w:l)[a:b] = w[a:b]
+ (FORALL (v lv w lw lvw a b)
+ (QID bv:e:c2)
+ (PATS ($bv_extract ($bv_concat v lv w lw) lvw a b))
+ (IMPLIES
+ (<= b lw)
+ (EQ ($bv_extract ($bv_concat v lv w lw) lvw a b) ($bv_extract w lw a b))))
+
+ ; v:l
+ ; a>=x || b<=y ==> (v[x:l] ++ w ++ v[0:y])[a:b] = v[a:b]
+ (FORALL (v lv x lxv w lw lwy y a b)
+ (QID bv:e:c3)
+ (PATS
+ ($bv_extract
+ ($bv_concat
+ ($bv_extract v lv x lv) lxv
+ ($bv_concat
+ w lw
+ ($bv_extract v lv 0 y) y) lwy) lv a b))
+ (IMPLIES
+ (AND
+ (EQ lw (- x y))
+ (EQ lxv (- lv x))
+ (EQ lwy (+ w y))
+ (OR (>= a x) (<= b y)))
+ (EQ
+ ($bv_extract
+ ($bv_concat
+ ($bv_extract v lv x lv) lxv
+ ($bv_concat
+ w lw
+ ($bv_extract v lv 0 y) y) lwy) lv a b)
+ ($bv_extract v lv a b))))
+
+ ; a>=x ==> (v[x:l] ++ w)[a:b] = v[a:b]
+ (FORALL (v lv x lxv w a b)
+ (QID bv:e:c4)
+ (PATS
+ ($bv_extract
+ ($bv_concat
+ ($bv_extract v lv x lv) lxv
+ w x)
+ lv a b))
+ (IMPLIES
+ (AND
+ (EQ lxv (- lv x))
+ (>= a x))
+ (EQ
+ ($bv_extract
+ ($bv_concat
+ ($bv_extract v lv x lv) lxv
+ w x)
+ lv a b)
+ ($bv_extract v lv a b))))
+
+ (FORALL (v l)
+ (QID bv:e:0)
+ (PATS ($bv_extract v l 0 l))
+ (EQ ($bv_extract v l 0 l) v))
+
+ (FORALL (n)
+ (QID bv:pow)
+ (PATS ($pow2 n))
+ (IMPLIES (> n 0) (EQ ($pow2 n) (* 2 ($pow2 (- n 1))))))
+
+ (EQ ($pow2 0) 1)
+
+ ; 0 <= v < 2^Y ==> 0bvX ++ v[0:Y] == v
+ (FORALL (v l a b)
+ (QID bv:e:pow)
+ (PATS ($bv_concat 0 b ($bv_extract v l 0 a) a))
+ (IMPLIES
+ (AND
+ (<= 0 v)
+ (< v ($pow2 a))
+ (EQ l (+ a b)))
+ (EQ ($bv_concat 0 b ($bv_extract v l 0 a) a) v)))
+
+ ; X > 0 ==> 0bvX ++ v >= 0
+ (FORALL (v a b)
+ (QID bv:e:pos)
+ (PATS ($bv_concat 0 b v a))
+ (IMPLIES
+ (> b 0)
+ (>= ($bv_concat 0 b v a) 0)))
+
+ ;; unsound?
+; (FORALL (lv w lw)
+; (QID bv:c:0)
+; (PATS ($bv_concat 0 lv w lw))
+; (EQ ($bv_concat 0 lv w lw) w))
+ ;; matching loop
+; (FORALL (v l1 a b l2 c d)
+; (QID bv:e:e)
+; (PATS ($bv_extract ($bv_extract v l1 a b) l2 c d))
+; (EQ ($bv_extract ($bv_extract v l1 a b) l2 c d) ($bv_extract v l1 (+ c a) (+ d a))))
+
+
+ ; Reflect plus
+ (FORALL (a b) (PATS (Reflect$Add a b)) (EQ (Reflect$Add a b) (+ a b)))
+
+)) ;; AND, BG_PUSH
+; End Boogie universal background predicate
+; -------------------------------------------------------------------------
+
+
+
+(DEFOP Ctor T $int)
+(DEFOP intType T)
+(DEFOP boolType T)
+(DEFOP int_2_U $int U)
+(DEFOP U_2_int U $int)
+(DEFOP type U T)
+(DEFOP bool_2_U $bool U)
+(DEFOP U_2_bool U $bool)
+(BG_PUSH
+(AND (EQ (Ctor (intType)) 0) (EQ (Ctor (boolType)) 1) (FORALL (arg0 :TYPE $int) (PATS (int_2_U arg0)) (QID typeInv:U_2_int) (EQ (U_2_int (int_2_U arg0)) arg0)) (FORALL (x :TYPE U) (PATS (int_2_U (U_2_int x))) (QID cast:U_2_int) (IMPLIES (EQ (type x) (intType)) (EQ (int_2_U (U_2_int x)) x))) (FORALL (arg0@@0 :TYPE $int) (PATS (int_2_U arg0@@0)) (QID funType:int_2_U) (EQ (type (int_2_U arg0@@0)) (intType))) (FORALL (arg0@@1 :TYPE $bool) (PATS (bool_2_U arg0@@1)) (QID typeInv:U_2_bool) (IFF (U_2_bool (bool_2_U arg0@@1)) arg0@@1)) (FORALL (x@@0 :TYPE U) (PATS (bool_2_U (U_2_bool x@@0))) (QID cast:U_2_bool) (IMPLIES (EQ (type x@@0) (boolType)) (EQ (bool_2_U (U_2_bool x@@0)) x@@0))) (FORALL (arg0@@2 :TYPE $bool) (PATS (bool_2_U arg0@@2)) (QID funType:bool_2_U) (EQ (type (bool_2_U arg0@@2)) (boolType))))
+)
+(BG_PUSH
+(AND (FORALL (x@@1 :TYPE U) (NOPATS (U_2_int x@@1) (U_2_bool x@@1)) (QID bg:subtype-refl) (<: x@@1 x@@1)) (FORALL (x@@2 :TYPE U y :TYPE U z :TYPE U) (PATS (MPAT (<: x@@2 y) (<: y z))) (QID bg:subtype-trans) (LET ((TERM alpha (type x@@2))) (IMPLIES (AND (EQ (type y) alpha) (EQ (type z) alpha)) (IMPLIES (AND (<: x@@2 y) (<: y z)) (<: x@@2 z))))) (FORALL (x@@3 :TYPE U y@@0 :TYPE U) (PATS (MPAT (<: x@@3 y@@0) (<: y@@0 x@@3))) (QID bg:subtype-antisymm) (LET ((TERM alpha@@0 (type x@@3))) (IMPLIES (EQ (type y@@0) alpha@@0) (IMPLIES (AND (<: x@@3 y@@0) (<: y@@0 x@@3)) (EQ x@@3 y@@0))))) (FORALL (z@@0 :TYPE $int) (QID expansio.6:15) (SKOLEMID 2) (IMPLIES (> z@@0 12) (> z@@0 0))) (FORALL (y@@1 :TYPE $int) (QID expansio.7:15) (SKOLEMID 3) (IMPLIES (> (+ y@@1 1) 1) (> y@@1 0))))
+)
+; Initialized all axioms.
+(BG_PUSH
+TRUE
+)
+(LET ((FORMULA anon0_correct (IMPLIES (LBLPOS |+107| TRUE) (IMPLIES TRUE (AND (LBLNEG |@164| (> 12 0)) (IMPLIES (> 12 0) (AND (LBLNEG |@168| (EQ (+ 3 1) 4)) (IMPLIES (EQ (+ 3 1) 4) (IMPLIES TRUE TRUE))))))))) anon0_correct)
+; Valid
diff --git a/Test/inline/expansion3.bpl b/Test/inline/expansion3.bpl
new file mode 100644
index 00000000..1fd3d853
--- /dev/null
+++ b/Test/inline/expansion3.bpl
@@ -0,0 +1,19 @@
+function foo3(x:int, y:bool) returns(bool);
+axiom {:inline true} (forall y:bool, x:int :: foo3(x,y) == foo3(x,y));
+
+axiom foo3(1,false);
+
+procedure baz1()
+ requires foo3(2,false);
+{
+ assume foo3(1,true);
+}
+
+function x1(x:int) returns(bool);
+axiom {:inline true} (forall x:int :: x1(x) <==> x > 0);
+axiom {:inline true} (forall x:int :: x1(x) <==> x >= 1);
+
+procedure bar()
+{
+ assert x1(3);
+}
diff --git a/Test/inline/expansion4.bpl b/Test/inline/expansion4.bpl
new file mode 100644
index 00000000..593fa9fb
--- /dev/null
+++ b/Test/inline/expansion4.bpl
@@ -0,0 +1,31 @@
+function f(x:int) returns(bool);
+axiom {:ignore "bvInt"} {:inline true} (forall x:int :: f(x) <==> true);
+axiom {:ignore "bvDefSem"} {:inline true} (forall x:int :: f(x) <==> false);
+
+procedure {:forceBvZ3Native true} foo()
+{
+ assert f(3);
+}
+
+procedure {:forceBvInt true} foo2()
+{
+ assert !f(3);
+}
+
+axiom (forall x: bv64, y: bv64 :: { $sub.unchk.u8(x, y) } $check.sub.u8(x, y) ==> $sub.u8(x, y) == $sub.unchk.u8(x, y));
+axiom {:inline true} {:ignore "bvDefSem"} (forall x: bv64, y: bv64 :: { $check.sub.u8(x, y) }
+$check.sub.u8(x, y) <==> $_inrange.u8($sub.i8(x, y)));
+
+function $check.sub.u8(x: bv64, y: bv64) returns (bool);
+function $_inrange.u8(bv64) returns (bool);
+function {:bvbuiltin "bvsub"} $sub.unchk.u8(x: bv64, y: bv64) returns (bv64);
+function {:bvbuiltin "bvsub"} {:bvint "-"} $sub.i8(x: bv64, y: bv64) returns (bv64);
+function {:bvbuiltin "bvsub"} {:bvint "-"} $sub.u8(x: bv64, y: bv64) returns (bv64);
+
+
+procedure {:forceBvZ3Native true} baz()
+{
+ return;
+}
+
+
diff --git a/Test/inline/fundef.bpl b/Test/inline/fundef.bpl
new file mode 100644
index 00000000..46ce65bd
--- /dev/null
+++ b/Test/inline/fundef.bpl
@@ -0,0 +1,6 @@
+function {:inline true} foo(x:int) returns(bool)
+ { x > 0 }
+function {:inline false} foo2(x:int) returns(bool)
+ { x > 0 }
+function foo3(x:int) returns(bool)
+ { x > 0 }
diff --git a/Test/inline/fundef2.bpl b/Test/inline/fundef2.bpl
new file mode 100644
index 00000000..2e005fcc
--- /dev/null
+++ b/Test/inline/fundef2.bpl
@@ -0,0 +1,7 @@
+function {:inline true} foo(x:int) returns(bool)
+ { x > 0 }
+
+procedure P() {
+ assert foo(13);
+ assert foo(-5); // error
+} \ No newline at end of file
diff --git a/Test/inline/polyInline.bpl b/Test/inline/polyInline.bpl
new file mode 100644
index 00000000..320259bd
--- /dev/null
+++ b/Test/inline/polyInline.bpl
@@ -0,0 +1,40 @@
+
+const C:int;
+const D:bool;
+
+function empty<alpha>() returns (alpha);
+
+function eqC<alpha>(x:alpha) returns (bool) { x == C }
+function giveEmpty<alpha>() returns (alpha) { empty() }
+
+function {:inline true} eqC2<alpha>(x:alpha) returns (bool) { x == C }
+function {:inline true} giveEmpty2<alpha>() returns (alpha) { empty() }
+
+function eqC3<alpha>(x:alpha) returns (bool);
+axiom {:inline true} (forall<alpha> x:alpha :: eqC3(x) == (x == C));
+
+function giveEmpty3<alpha>() returns (alpha);
+axiom {:inline true} (forall<alpha> :: giveEmpty3():alpha == empty());
+
+procedure P() {
+ assert eqC(C);
+ assert eqC2(C);
+ assert eqC3(C);
+ assert eqC2(D); // should not be provable
+}
+
+procedure Q() {
+ assert giveEmpty() == empty();
+ assert giveEmpty() == empty():int;
+ assert giveEmpty():bool == empty();
+
+ assert giveEmpty2() == empty();
+ assert giveEmpty2() == empty():int;
+ assert giveEmpty2():bool == empty();
+
+ assert giveEmpty3() == empty();
+ assert giveEmpty3() == empty():int;
+ assert giveEmpty3():bool == empty();
+
+ assert giveEmpty3() == C; // should not be provable
+} \ No newline at end of file
diff --git a/Test/inline/runtest.bat b/Test/inline/runtest.bat
new file mode 100644
index 00000000..3040d5b0
--- /dev/null
+++ b/Test/inline/runtest.bat
@@ -0,0 +1,30 @@
+@echo off
+setlocal
+
+set BGEXE=..\..\Binaries\Boogie.exe
+
+for %%f in (test1.bpl test2.bpl test3.bpl test4.bpl) do (
+ echo -------------------- %%f --------------------
+ %BGEXE% %* /inline:b /print:- /env:0 /printInlined /noinfer %%f
+)
+
+for %%f in (test5.bpl test6.bpl expansion.bpl expansion3.bpl Elevator.bpl) do (
+ echo -------------------- %%f --------------------
+ %BGEXE% %* %%f
+)
+
+echo -------------------- expansion2.bpl --------------------
+%BGEXE% %* /proverLog:expansion2.sx expansion2.bpl
+%SystemRoot%\system32\find.exe /C "xxgz" expansion2.sx
+%SystemRoot%\system32\find.exe /C "xxf1" expansion2.sx
+
+echo -------------------- expansion4.bpl --------------------
+%BGEXE% %* /bv:i expansion4.bpl
+
+echo -------------------- fundef.bpl --------------------
+%BGEXE% %* /print:- /env:0 fundef.bpl
+%BGEXE% %* fundef2.bpl
+
+echo -------------------- polyInline.bpl --------------------
+%BGEXE% %* /typeEncoding:predicates /logPrefix:p polyInline.bpl
+%BGEXE% %* /typeEncoding:arguments /logPrefix:a polyInline.bpl
diff --git a/Test/inline/test1.bpl b/Test/inline/test1.bpl
new file mode 100644
index 00000000..db847b25
--- /dev/null
+++ b/Test/inline/test1.bpl
@@ -0,0 +1,45 @@
+
+procedure Main()
+{
+
+ var x:int;
+ var y:int;
+
+ x := 1;
+ y := 0;
+
+ call x := inc(x, 5);
+ call y := incdec(x, 2);
+
+ assert(x - 1 == y);
+
+}
+
+procedure {:inline 1} incdec(x:int, y:int) returns (z:int)
+ ensures z == x + 1 - y;
+{
+ z := x;
+ z := x + 1;
+ call z := dec(z, y);
+
+ return;
+
+}
+
+procedure {:inline 1} inc(x:int, i:int) returns (y:int)
+ ensures y == x + i;
+{
+ y := x;
+ y := x + i;
+ return;
+
+}
+
+procedure {:inline 1} dec(x:int, i:int) returns (y:int)
+ ensures y == x - i;
+{
+ y := x;
+ y := x - i;
+ return;
+
+} \ No newline at end of file
diff --git a/Test/inline/test2.bpl b/Test/inline/test2.bpl
new file mode 100644
index 00000000..a45e86d5
--- /dev/null
+++ b/Test/inline/test2.bpl
@@ -0,0 +1,31 @@
+
+var glb:int;
+
+procedure calculate()
+modifies glb;
+{
+ var x:int;
+ var y:int;
+
+ y := 5;
+
+ call x := increase(y);
+
+ return;
+}
+
+
+procedure {:inline 1} increase (i:int) returns (k:int)
+modifies glb;
+{
+ var j:int;
+
+ j := i;
+ j := j + 1;
+
+ glb := glb + j;
+
+ k := j;
+
+ return;
+}
diff --git a/Test/inline/test3.bpl b/Test/inline/test3.bpl
new file mode 100644
index 00000000..f705e7b0
--- /dev/null
+++ b/Test/inline/test3.bpl
@@ -0,0 +1,28 @@
+
+var glb:int;
+
+procedure recursivetest()
+modifies glb;
+{
+ glb := 5;
+ call glb := recursive(glb);
+
+ return;
+
+}
+
+procedure {:inline 3} recursive(x:int) returns (y:int)
+{
+
+ var k: int;
+
+ if(x == 0) {
+ y := 1;
+ return;
+ }
+
+ call k := recursive(x-1);
+ y := y + k;
+ return;
+
+} \ No newline at end of file
diff --git a/Test/inline/test4.bpl b/Test/inline/test4.bpl
new file mode 100644
index 00000000..4a740bbc
--- /dev/null
+++ b/Test/inline/test4.bpl
@@ -0,0 +1,53 @@
+
+procedure main(x:int)
+{
+ var A:[int]int;
+ var i:int;
+ var b:bool;
+ var size:int;
+
+ call i,b := find(A, size, x);
+
+ if(b) {
+ assert(i > 0 && A[i] == x);
+ }
+
+ return;
+}
+
+procedure {:inline 1} find(A:[int]int, size:int, x:int) returns (ret:int, found:bool)
+{
+ var i:int;
+ var b:bool;
+
+ ret := -1;
+ b := false;
+ found := b;
+ i := 0;
+
+ while(i < size) {
+ call b := check(A, i, x);
+ if(b) {
+ ret := i;
+ found := b;
+ break;
+ }
+
+ }
+
+ return;
+
+}
+
+
+procedure {:inline 3} check (A:[int]int, i:int, c:int) returns (ret:bool)
+ requires i >= 0;
+ ensures (old(A[i]) > c) ==> ret == true;
+{
+ if(A[i] == c) {
+ ret := true;
+ } else {
+ ret := false;
+ }
+ return;
+} \ No newline at end of file
diff --git a/Test/inline/test5.bpl b/Test/inline/test5.bpl
new file mode 100644
index 00000000..0132f60a
--- /dev/null
+++ b/Test/inline/test5.bpl
@@ -0,0 +1,20 @@
+// test a case, where the inlined proc comes before the caller
+
+procedure {:inline 2} foo()
+ modifies x;
+{
+ x := x + 1;
+}
+
+var x:int;
+
+procedure bar()
+ modifies x;
+{
+ x := 3;
+ call foo();
+ assert x == 4;
+ call foo();
+ assert x == 5;
+}
+
diff --git a/Test/inline/test6.bpl b/Test/inline/test6.bpl
new file mode 100644
index 00000000..394be89e
--- /dev/null
+++ b/Test/inline/test6.bpl
@@ -0,0 +1,37 @@
+procedure {:inline 2} foo()
+ modifies x;
+{
+ x := x + 1;
+ call foo();
+}
+
+procedure {:inline 2} foo1()
+ modifies x;
+{
+ x := x + 1;
+ call foo2();
+}
+
+procedure {:inline 2} foo2()
+ modifies x;
+{
+ x := x + 1;
+ call foo3();
+}
+
+procedure {:inline 2} foo3()
+ modifies x;
+{
+ x := x + 1;
+ call foo1();
+}
+
+var x:int;
+
+procedure bar()
+ modifies x;
+{
+ call foo();
+ call foo1();
+}
+
diff --git a/Test/lock/Answer b/Test/lock/Answer
new file mode 100644
index 00000000..bcfc9f1c
--- /dev/null
+++ b/Test/lock/Answer
@@ -0,0 +1,8 @@
+
+Boogie program verifier finished with 3 verified, 0 errors
+LockIncorrect.bpl(17,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ LockIncorrect.bpl(9,1): start
+ LockIncorrect.bpl(14,1): LoopHead
+
+Boogie program verifier finished with 0 verified, 1 error
diff --git a/Test/lock/Lock.bpl b/Test/lock/Lock.bpl
new file mode 100644
index 00000000..ed24a710
--- /dev/null
+++ b/Test/lock/Lock.bpl
@@ -0,0 +1,122 @@
+procedure LockingExample();
+
+implementation LockingExample()
+{
+var x: int;
+var y: int;
+var held: int;
+
+start:
+ held := 0;
+ x := 0;
+ goto LoopHead;
+
+LoopHead:
+ // Lock
+ assert held == 0;
+ held := 1;
+
+ y := x;
+ goto UnlockNow, LoopEnd;
+
+UnlockNow:
+ // Unlock
+ assert held == 1;
+ held := 0;
+
+ x := x + 1;
+ goto LoopEnd;
+
+LoopEnd:
+ goto ContinueIteration, EndIteration;
+
+ContinueIteration:
+ assume x != y;
+ goto LoopHead;
+
+EndIteration:
+ assume x == y;
+ goto AfterLoop;
+
+AfterLoop:
+ // Unlock
+ assert held == 1;
+ held := 0;
+
+ return;
+
+}
+
+
+procedure StructuredLockingExample()
+{
+ var x: int;
+ var y: int;
+ var held: bool;
+
+ held := false;
+ x := 0;
+
+ while (true)
+ invariant !held;
+ {
+ // Lock
+ assert !held;
+ held := true;
+
+ y := x;
+ if (*) {
+ // Unlock
+ assert held;
+ held := false;
+
+ x := x + 1;
+ }
+
+ if (x == y) { break; }
+ }
+
+ // Unlock
+ assert held;
+ held := false;
+}
+
+procedure StructuredLockingExampleWithCalls()
+{
+ var x: int;
+ var y: int;
+ var mutex: Mutex;
+
+ call mutex := Initialize();
+ x := 0;
+
+ while (true)
+ invariant !IsHeld(mutex);
+ {
+ call mutex := Acquire(mutex);
+
+ y := x;
+ if (*) {
+ call mutex := Release(mutex);
+ x := x + 1;
+ }
+
+ if (x == y) { break; }
+ }
+
+ call mutex := Release(mutex);
+}
+
+type Mutex;
+function IsHeld(Mutex) returns (bool);
+
+procedure Initialize() returns (post: Mutex);
+ ensures !IsHeld(post);
+
+procedure Acquire(pre: Mutex) returns (post: Mutex);
+ requires !IsHeld(pre);
+ ensures IsHeld(post);
+
+procedure Release(pre: Mutex) returns (post: Mutex);
+ requires IsHeld(pre);
+ ensures !IsHeld(post);
diff --git a/Test/lock/LockIncorrect.bpl b/Test/lock/LockIncorrect.bpl
new file mode 100644
index 00000000..776f8af6
--- /dev/null
+++ b/Test/lock/LockIncorrect.bpl
@@ -0,0 +1,51 @@
+procedure LockingExample();
+
+implementation LockingExample()
+{
+var x: int;
+var y: int;
+var held: int;
+
+start:
+ held := 0;
+ x := 0;
+ goto LoopHead;
+
+LoopHead:
+ // Lock
+ held := held + 6;
+ assert held == 0;
+ held := 1;
+
+ y := x;
+ goto UnlockNow, LoopEnd;
+
+UnlockNow:
+ // Unlock
+ assert held == 1;
+ held := 0;
+
+ x := x + 1;
+ goto LoopEnd;
+
+LoopEnd:
+ goto ContinueIteration, EndIteration;
+
+ContinueIteration:
+ assume x != y;
+ goto LoopHead;
+
+EndIteration:
+ assume x == y;
+ goto AfterLoop;
+
+AfterLoop:
+ // Unlock
+ assert held == 1;
+ held := 0;
+
+ return;
+
+}
+
+
diff --git a/Test/lock/Output b/Test/lock/Output
new file mode 100644
index 00000000..bcfc9f1c
--- /dev/null
+++ b/Test/lock/Output
@@ -0,0 +1,8 @@
+
+Boogie program verifier finished with 3 verified, 0 errors
+LockIncorrect.bpl(17,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ LockIncorrect.bpl(9,1): start
+ LockIncorrect.bpl(14,1): LoopHead
+
+Boogie program verifier finished with 0 verified, 1 error
diff --git a/Test/lock/runtest.bat b/Test/lock/runtest.bat
new file mode 100644
index 00000000..a90972c9
--- /dev/null
+++ b/Test/lock/runtest.bat
@@ -0,0 +1,7 @@
+@echo off
+setlocal
+
+set BGEXE=..\..\Binaries\Boogie.exe
+
+%BGEXE% %* Lock.bpl
+%BGEXE% %* LockIncorrect.bpl
diff --git a/Test/rtest b/Test/rtest
new file mode 100644
index 00000000..55386bf0
--- /dev/null
+++ b/Test/rtest
@@ -0,0 +1,25 @@
+#!/usr/bin/bash
+
+if [ $# -eq 0 ] ; then
+ echo "rtest: Error: Syntax: rtest testDirectory [ additionalTestArguments ... ]"
+ exit 1
+elif [ ! -d $1 ] ; then
+ echo rtest: Error: There is no test directory $1
+ exit 1
+fi
+
+TESTDIR=$1
+echo ----- Running regression test $TESTDIR
+cd $TESTDIR
+
+shift
+cmd /c .\\runtest.bat -nologo -logPrefix:$TESTDIR "$@" > Output
+# perl ../filter.pl Output Output.filtered
+# perl ../filter.pl Answer Answer.filtered
+# diff -w Answer.filtered Output.filtered > Diffs
+if c:/Windows/system32/fc /W Answer Output > /dev/null ; then
+ echo Succeeded
+else
+ echo FAILED
+fi
+cd ..
diff --git a/Test/rtestall b/Test/rtestall
new file mode 100644
index 00000000..eecb5fda
--- /dev/null
+++ b/Test/rtestall
@@ -0,0 +1,32 @@
+#!/usr/bin/bash
+
+if [ "$1" == "short" ] ; then
+ shift
+ ALL_TESTS=`cat alltests.txt | grep -E "^[^[:space:]]+[[:space:]]+Use[[:space:]]" | awk '{print $1}'`
+elif [ "$1" == "long" ] ; then
+ shift
+ ALL_TESTS=`cat alltests.txt | grep -E "^[^[:space:]]+[[:space:]]+Long[[:space:]]" | awk '{print $1}'`
+else
+ ALL_TESTS=`cat alltests.txt | grep -E "^[^[:space:]]+[[:space:]]+(Use|Long)[[:space:]]" | awk '{print $1}'`
+fi
+
+if [ "$1" == "time" ] ; then
+ shift
+ TIME_CMD="time -p"
+else
+ TIME_CMD=""
+fi
+
+if [ "$1" == "reverse" ] || [ "$1" == "rev" ]; then
+ shift
+ ALL_TESTS=`echo ${ALL_TESTS} | sed -e 's/ /\n/g' | awk '{a[NR] = $0} END { for(i=NR; i; --i) print a[i]}'`
+fi
+
+for t in ${ALL_TESTS} ; do
+ # ${TIME_CMD} bash rtest $t "$@"
+ if [ "${TIME_CMD}" == "" ] ; then
+ ./runtest.bat $t "$@"
+ else
+ time -p ./runtest.bat $t "$@"
+ fi
+done
diff --git a/Test/runtest.bat b/Test/runtest.bat
new file mode 100644
index 00000000..424ede10
--- /dev/null
+++ b/Test/runtest.bat
@@ -0,0 +1,36 @@
+@echo off
+rem Usage: runtest.bat <dir>
+if "%1" == "" goto noDirSpecified
+if not exist %1\nul goto noDirExists
+echo ----- Running regression test %1
+pushd %1
+if not exist runtest.bat goto noRunTest
+call runtest.bat -nologo -logPrefix:%1 %2 %3 %4 %5 %6 %7 %8 %9 > Output
+fc /W Answer Output > nul
+if not errorlevel 1 goto passTest
+echo FAILED
+goto errorEnd
+
+:passTest
+echo Succeeded
+goto end
+
+:noDirSpecified
+echo runtest: Error: Syntax: runtest testDirectory [ additionalTestArguments ... ]
+goto errorEnd
+
+:noDirExists
+echo runtest: Error: There is no test directory %1
+goto errorEnd
+
+:noRunTest
+echo runtest: Error: no runtest.bat found in test directory %1
+goto errorEnd
+
+:errorEnd
+popd
+exit /b 1
+
+:end
+popd
+exit /b 0
diff --git a/Test/runtestall.bat b/Test/runtestall.bat
new file mode 100644
index 00000000..207bb030
--- /dev/null
+++ b/Test/runtestall.bat
@@ -0,0 +1,24 @@
+@echo off
+setlocal
+
+set errors=0
+
+if "%1" == "short" goto UseShort
+
+set IncludeLong=True
+goto Loop
+
+:UseShort
+set IncludeLong=False
+shift
+goto Loop
+
+:Loop
+for /F "eol=; tokens=1,2,3*" %%i in (alltests.txt) do if %%j==Use call runtest.bat %%i %1 %2 %3 %4 %5 %6 %7 %8 %9 || set errors=1
+
+if not %IncludeLong%==True goto End
+
+for /F "eol=; tokens=1,2,3*" %%i in (alltests.txt) do if %%j==Long call runtest.bat %%i %1 %2 %3 %4 %5 %6 %7 %8 %9 || set errors=1
+
+:End
+exit /b %errors% \ No newline at end of file
diff --git a/Test/smoke/Answer b/Test/smoke/Answer
new file mode 100644
index 00000000..4141bdb0
--- /dev/null
+++ b/Test/smoke/Answer
@@ -0,0 +1,25 @@
+-------------------- smoke0.bpl --------------------
+found unreachable code:
+implementation b(x: int)
+{
+ var y: int;
+ var y@0: int;
+
+
+ anon0:
+ assume true;
+ assume true;
+ goto anon3_Then;
+
+ anon3_Then:
+ assume true;
+ assume x < 0;
+ y := 1;
+ assume 1 <= y && y <= 1;
+ assert false;
+ return;
+}
+
+
+
+Boogie program verifier finished with 4 verified, 0 errors
diff --git a/Test/smoke/Output b/Test/smoke/Output
new file mode 100644
index 00000000..4141bdb0
--- /dev/null
+++ b/Test/smoke/Output
@@ -0,0 +1,25 @@
+-------------------- smoke0.bpl --------------------
+found unreachable code:
+implementation b(x: int)
+{
+ var y: int;
+ var y@0: int;
+
+
+ anon0:
+ assume true;
+ assume true;
+ goto anon3_Then;
+
+ anon3_Then:
+ assume true;
+ assume x < 0;
+ y := 1;
+ assume 1 <= y && y <= 1;
+ assert false;
+ return;
+}
+
+
+
+Boogie program verifier finished with 4 verified, 0 errors
diff --git a/Test/smoke/runtest.bat b/Test/smoke/runtest.bat
new file mode 100644
index 00000000..7728d5ef
--- /dev/null
+++ b/Test/smoke/runtest.bat
@@ -0,0 +1,11 @@
+@echo off
+setlocal
+
+set BOOGIEDIR=..\..\Binaries
+set BGEXE=%BOOGIEDIR%\Boogie.exe
+
+for %%f in (smoke0.bpl) do (
+ echo -------------------- %%f --------------------
+ %BGEXE% /smoke %* %%f
+)
+
diff --git a/Test/smoke/smoke0.bpl b/Test/smoke/smoke0.bpl
new file mode 100644
index 00000000..85deb324
--- /dev/null
+++ b/Test/smoke/smoke0.bpl
@@ -0,0 +1,53 @@
+procedure a(x:int)
+{
+ var y : int;
+
+ if(x<0) {
+ y := 1;
+ } else {
+ y := 2;
+ }
+}
+
+
+procedure b(x:int)
+ requires x>0;
+{
+ var y : int;
+
+ if(x<0) {
+ y := 1;
+ } else {
+ y := 2;
+ }
+}
+
+
+
+procedure c(x:int)
+ requires x>0;
+{
+ var y : int;
+
+ if(x<0) {
+ y := 1;
+ assert false;
+ } else {
+ y := 2;
+ }
+}
+
+procedure d(x:int)
+ requires x>0;
+{
+ var y : int;
+
+ if(x<0) {
+ assert false;
+ y := 1;
+ } else {
+ y := 2;
+ }
+}
+
+
diff --git a/Test/test0/Answer b/Test/test0/Answer
new file mode 100644
index 00000000..e8ea231e
--- /dev/null
+++ b/Test/test0/Answer
@@ -0,0 +1,252 @@
+
+Boogie program verifier finished with 0 verified, 0 errors
+
+Boogie program verifier finished with 0 verified, 0 errors
+Triggers0.bpl(14,31): Error: the 'nopats' quantifier attribute expects a string-literal parameter
+1 parse errors detected in Triggers0.bpl
+Triggers1.bpl(7,17): Error: boolean operators are not allowed in triggers
+Triggers1.bpl(11,21): Error: boolean operators are not allowed in triggers
+Triggers1.bpl(15,9): Error: boolean operators are not allowed in triggers
+Triggers1.bpl(19,10): Error: boolean operators are not allowed in triggers
+Triggers1.bpl(23,17): Error: boolean operators are not allowed in triggers
+Triggers1.bpl(27,17): Error: boolean operators are not allowed in triggers
+Triggers1.bpl(32,17): Error: equality is not allowed in triggers
+Triggers1.bpl(36,17): Error: arithmetic comparisons are not allowed in triggers
+Triggers1.bpl(45,10): Error: quantifiers are not allowed in triggers
+Triggers1.bpl(53,7): Error: trigger must mention all quantified variables, but does not mention: x
+Triggers1.bpl(61,7): Error: trigger must mention all quantified variables, but does not mention: y
+Triggers1.bpl(62,7): Error: trigger must mention all quantified variables, but does not mention: x
+Triggers1.bpl(70,9): Error: a matching pattern must be more than just a variable by itself: x
+Triggers1.bpl(82,7): Error: trigger must mention all quantified variables, but does not mention: z
+Triggers1.bpl(94,16): Error: a matching pattern must be more than just a variable by itself: x
+Triggers1.bpl(95,16): Error: a matching pattern must be more than just a variable by itself: g
+Triggers1.bpl(105,40): Error: trigger must mention all quantified variables, but does not mention: y
+Triggers1.bpl(106,40): Error: trigger must mention all quantified variables, but does not mention: x
+Triggers1.bpl(109,57): Error: trigger must mention all quantified variables, but does not mention: z
+Triggers1.bpl(110,57): Error: trigger must mention all quantified variables, but does not mention: y
+Triggers1.bpl(111,57): Error: trigger must mention all quantified variables, but does not mention: x
+Triggers1.bpl(119,33): Error: cannot refer to a global variable in this context: h1
+Triggers1.bpl(120,33): Error: cannot refer to a global variable in this context: h0
+23 name resolution errors detected in Triggers1.bpl
+const x: int;
+
+const y: int;
+
+const z: int;
+
+const P: bool;
+
+const Q: bool;
+
+const R: bool;
+
+axiom x * (y + z) == x + y * z;
+
+axiom x * y + z == (x + y) * z;
+
+axiom x * y * z == x * y * z;
+
+axiom x * y * z * x == x * y * z;
+
+axiom x / y / z == x / (y / z);
+
+axiom x / y / (z / x) == x / y / z;
+
+axiom x - y - z == x - (y - z);
+
+axiom x - y - (z - x) == x - y - z;
+
+axiom x + y - z - x + y == 0;
+
+axiom x + y - z - x + y == x + y - (z - (x + y));
+
+axiom P ==> Q ==> R <==> P ==> Q ==> R;
+
+axiom (P ==> Q) ==> R ==> P <==> (P ==> Q) ==> R;
+
+axiom P <==> Q <==> R;
+
+axiom P ==> Q <==> Q ==> R <==> R ==> P;
+
+axiom (P && Q) || (Q && R);
+
+axiom (P || Q) && (Q || R);
+
+axiom P || Q || Q || R;
+
+axiom P && Q && Q && R;
+
+function f(int) returns (int);
+
+axiom (forall x: int :: {:xname "hello"} {:weight 5} {:ValueFunc f(x + 1)} { f(x + x) } { f(x) * f(x) } {:nopats f(x + x + x) } f(f(x)) < 200);
+
+Boogie program verifier finished with 0 verified, 0 errors
+
+Boogie program verifier finished with 0 verified, 0 errors
+Arrays1.bpl(11,11): Error: command assigns to a global variable that is not in the enclosing method's modifies clause: Q
+Arrays1.bpl(14,15): Error: command assigns to a global variable that is not in the enclosing method's modifies clause: Q
+2 type checking errors detected in Arrays1.bpl
+Types0.bpl(6,18): Error: expected identifier before ':'
+1 parse errors detected in Types0.bpl
+Types1.bpl(6,11): Error: undeclared type: x
+Types1.bpl(7,18): Error: undeclared type: x
+2 name resolution errors detected in Types1.bpl
+WhereParsing.bpl(14,37): Error: where clause not allowed here
+WhereParsing.bpl(15,33): Error: where clause not allowed here
+2 parse errors detected in WhereParsing.bpl
+WhereParsing0.bpl(17,38): Error: where clause not allowed here
+WhereParsing0.bpl(18,38): Error: where clause not allowed here
+2 parse errors detected in WhereParsing0.bpl
+WhereParsing1.bpl(14,27): syntax error: ) expected
+1 parse errors detected in WhereParsing1.bpl
+WhereParsing2.bpl(1,14): syntax error: ; expected
+1 parse errors detected in WhereParsing2.bpl
+WhereResolution.bpl(28,38): Error: undeclared identifier: alpha
+WhereResolution.bpl(32,30): Error: old expressions allowed only in two-state contexts
+2 name resolution errors detected in WhereResolution.bpl
+BadLabels0.bpl(4,2): Error: more than one declaration of block name: X
+BadLabels0.bpl(11,4): Error: more than one declaration of block name: Y
+2 name resolution errors detected in BadLabels0.bpl
+BadLabels1.bpl(4,3): Error: Error: goto label 'X' is undefined or out of reach
+BadLabels1.bpl(5,3): Error: Error: goto label 'Y' is undefined or out of reach
+BadLabels1.bpl(10,3): Error: Error: goto label 'X' is undefined or out of reach
+BadLabels1.bpl(24,5): Error: Error: goto label 'K' is undefined or out of reach
+BadLabels1.bpl(30,5): Error: Error: goto label 'A' is undefined or out of reach
+BadLabels1.bpl(38,7): Error: Error: goto label 'M' is undefined or out of reach
+BadLabels1.bpl(41,3): Error: Error: goto label 'B' is undefined or out of reach
+BadLabels1.bpl(47,3): Error: Error: break statement is not inside a loop
+BadLabels1.bpl(49,5): Error: Error: break statement is not inside a loop
+BadLabels1.bpl(60,5): Error: Error: break label 'B' must designate an enclosing statement
+BadLabels1.bpl(63,5): Error: Error: break label 'A' must designate an enclosing statement
+BadLabels1.bpl(64,5): Error: Error: break label 'C' must designate an enclosing statement
+BadLabels1.bpl(65,8): Error: Error: break label 'F' must designate an enclosing statement
+13 parse errors detected in BadLabels1.bpl
+LineParse.bpl(1,0): Error: Malformed (#line num [filename]) pragma: #line
+LineParse.bpl(2,0): Error: Malformed (#line num [filename]) pragma: #line
+LineParse.bpl(1,0): Error: Unrecognized pragma: #dontknow what this is No, I don't well, it's an error is what it is
+LineParse.bpl(3,0): Error: Unrecognized pragma: #define ASSERT(x) {if (!(x)) { crash(); }} // error: A B C . txt(12,0)
+LineParse.bpl(6,2): syntax error: EOF expected
+5 parse errors detected in LineParse.bpl
+LineResolve.bpl(5,1): Error: undeclared identifier: a
+LineResolve.bpl(7,2): Error: undeclared identifier: b
+LineResolve.bpl(12,0): Error: undeclared identifier: c
+LineResolve.bpl(13,10): Error: undeclared identifier: d
+LineResolve.bpl(12,0): Error: undeclared identifier: e
+LineResolve.bpl(2,0): Error: undeclared identifier: f
+LineResolve.bpl(900,0): Error: undeclared identifier: g
+Abc.txt(11,3): Error: undeclared identifier: h
+Abc.txt(13,0): Error: undeclared identifier: i
+Abc.txt(99,0): Error: undeclared identifier: j
+c:\Users\leino\Documents\Programs\MyClass.ssc(104,0): Error: undeclared identifier: k
+A B C . txt(12,0): Error: undeclared identifier: l
+12 name resolution errors detected in LineResolve.bpl
+AttributeParsingErr.bpl(1,33): Error: only attributes, not triggers, allowed here
+AttributeParsingErr.bpl(3,33): Error: only attributes, not triggers, allowed here
+AttributeParsingErr.bpl(5,52): Error: only attributes, not triggers, allowed here
+AttributeParsingErr.bpl(7,37): Error: only attributes, not triggers, allowed here
+AttributeParsingErr.bpl(9,31): Error: only attributes, not triggers, allowed here
+AttributeParsingErr.bpl(11,29): Error: only attributes, not triggers, allowed here
+AttributeParsingErr.bpl(13,13): Error: only attributes, not triggers, allowed here
+AttributeParsingErr.bpl(15,18): Error: only attributes, not triggers, allowed here
+AttributeParsingErr.bpl(20,26): Error: only attributes, not triggers, allowed here
+9 parse errors detected in AttributeParsingErr.bpl
+
+type {:sourcefile "test.ssc"} T;
+
+function {:source "test.scc"} f(int) returns (int);
+
+const {:description "The largest integer value"} unique MAXINT: int;
+
+axiom {:naming "MyFavoriteAxiom"} (forall i: int :: { f(i) } f(i) == i + 1);
+
+var {:description "memory"} $Heap: [ref,name]any;
+
+var {:sort_of_like_a_trigger (forall i: int :: true)} Bla: [ref,name]any;
+
+procedure {:use_impl 1} foo(x: int) returns (n: int);
+
+
+
+implementation {:id 1} foo(x: int) returns (n: int)
+{
+ block1:
+ return;
+}
+
+
+
+implementation {:id 2} foo(x: int) returns (n: int)
+{
+ block1:
+ return;
+}
+
+
+
+type ref;
+
+type any;
+
+type name;
+
+Boogie program verifier finished with 0 verified, 0 errors
+AttributeResolution.bpl(1,18): Error: undeclared identifier: foo
+AttributeResolution.bpl(3,18): Error: undeclared identifier: bar
+AttributeResolution.bpl(7,15): Error: undeclared identifier: qux
+AttributeResolution.bpl(7,41): Error: undeclared identifier: ij
+AttributeResolution.bpl(13,21): Error: undeclared identifier: bzzt
+AttributeResolution.bpl(15,20): Error: undeclared identifier: blt
+AttributeResolution.bpl(5,20): Error: undeclared identifier: baz
+AttributeResolution.bpl(9,18): Error: undeclared identifier: mux
+AttributeResolution.bpl(11,29): Error: undeclared identifier: fux
+9 name resolution errors detected in AttributeResolution.bpl
+
+function \true() returns (bool);
+
+type \procedure;
+
+procedure \old(any: \procedure) returns (\var: \procedure);
+
+
+
+implementation \old(any: \procedure) returns (\var: \procedure)
+{
+ var \modifies: \procedure;
+
+ \modifies := any;
+ \var := \modifies;
+}
+
+
+
+procedure qux(a: \procedure);
+
+
+
+implementation qux(a: \procedure)
+{
+ var \var: \procedure;
+ var x: bool;
+
+ call \var := \old(a);
+ x := \true();
+}
+
+
+
+Boogie program verifier finished with 0 verified, 0 errors
+
+Boogie program verifier finished with 0 verified, 0 errors
+MapsResolutionErrors.bpl(6,9): Error: type variable must occur in map arguments: b
+MapsResolutionErrors.bpl(20,10): Error: type variable must occur in procedure arguments: a
+2 name resolution errors detected in MapsResolutionErrors.bpl
+Orderings.bpl(12,20): Error: undeclared identifier: x
+Orderings.bpl(15,23): Error: c0 occurs more than once as parent
+Orderings.bpl(16,19): Error: constant cannot be its own parent
+Orderings.bpl(18,20): Error: the parent of a constant has to be a constant
+4 name resolution errors detected in Orderings.bpl
+BadQuantifier.bpl(3,15): syntax error: invalid QuantifierBody
+1 parse errors detected in BadQuantifier.bpl
+EmptyCallArgs.bpl(31,2): Error: type variable must occur in types of given arguments: a
+EmptyCallArgs.bpl(32,2): Error: type variable must occur in types of given arguments: a
+2 name resolution errors detected in EmptyCallArgs.bpl
diff --git a/Test/test0/Arrays0.bpl b/Test/test0/Arrays0.bpl
new file mode 100644
index 00000000..0098c4a8
--- /dev/null
+++ b/Test/test0/Arrays0.bpl
@@ -0,0 +1,3 @@
+var one: [int]int;
+var two: [int,int]int;
+var three: [int,int,int]int; // three's a crowd
diff --git a/Test/test0/Arrays1.bpl b/Test/test0/Arrays1.bpl
new file mode 100644
index 00000000..db12ecb3
--- /dev/null
+++ b/Test/test0/Arrays1.bpl
@@ -0,0 +1,16 @@
+var Q: [int,int][int]int;
+
+procedure P()
+{
+ var q: [int]int;
+
+ start:
+ // here's how to do it:
+ q := Q[5,8];
+ q[13] := 21;
+ Q[5,8] := q;
+
+ // not like this:
+ Q[5,8][13] := 21; // error: the updated array must be an identifier
+ return;
+}
diff --git a/Test/test0/AttributeParsing.bpl b/Test/test0/AttributeParsing.bpl
new file mode 100644
index 00000000..a6a8418b
--- /dev/null
+++ b/Test/test0/AttributeParsing.bpl
@@ -0,0 +1,25 @@
+type {:sourcefile "test.ssc"} T;
+
+function {:source "test.scc"} f(int) returns (int);
+
+const {:description "The largest integer value"} unique MAXINT: int;
+
+axiom {:naming "MyFavoriteAxiom"} (forall i: int :: {f(i)} f(i) == i+1);
+
+var {:description "memory"} $Heap: [ref, name]any;
+
+var {:sort_of_like_a_trigger (forall i: int :: true)} Bla: [ref, name]any;
+
+procedure {:use_impl 1} foo(x : int) returns(n : int);
+
+implementation {:id 1} foo(x : int) returns(n : int)
+{
+ block1: return;
+}
+
+implementation {:id 2} foo(x : int) returns(n : int)
+{
+ block1: return;
+}
+
+type ref, any, name;
diff --git a/Test/test0/AttributeParsingErr.bpl b/Test/test0/AttributeParsingErr.bpl
new file mode 100644
index 00000000..cdf8646f
--- /dev/null
+++ b/Test/test0/AttributeParsingErr.bpl
@@ -0,0 +1,23 @@
+type {:sourcefile "test.ssc"} {1} T;
+
+function {:source "test.scc"} {1} f(int) returns (int);
+
+const {:description "The largest integer value"} {1} unique MAXINT: int;
+
+axiom {:naming "MyFavoriteAxiom"} {1} (forall i: int :: {f(i)} f(i) == i+1);
+
+var {:description "memory"} {1} $Heap: [ref, name]any;
+
+var {(forall i: int :: true)} Bla: [ref, name]any;
+
+procedure {1} {:use_impl 1} foo(x : int) returns(n : int);
+
+implementation {1} {:id 1} foo(x : int) returns(n : int)
+{
+ block1: return;
+}
+
+implementation {:id 2} {1} foo(x : int) returns(n : int)
+{
+ block1: return;
+}
diff --git a/Test/test0/AttributeResolution.bpl b/Test/test0/AttributeResolution.bpl
new file mode 100644
index 00000000..c667b530
--- /dev/null
+++ b/Test/test0/AttributeResolution.bpl
@@ -0,0 +1,38 @@
+type {:sourcefile foo} T;
+
+function {:source bar} f(int) returns (int);
+
+const {:description baz} unique MAXINT: int;
+
+axiom {:naming qux} (forall i: int :: {f(ij)} f(i) == i+1);
+
+var {:description mux} $Heap: [ref, int]bool;
+
+var {:sort_of_like_a_trigger fux} Bla: [ref, int]bool;
+
+procedure {:use_impl bzzt} foo(x : int) returns(n : int);
+
+implementation {:id blt} foo(x : int) returns(n : int)
+{
+ block1: return;
+}
+
+// ------ and here are various correct things
+
+
+
+const {:Correct hux0 + F(hux1)} hux0: int;
+
+function {:Correct F(hux0) + hux1} F(int) returns (int);
+
+axiom {:Correct F(hux0 + hux1)} true;
+
+var {:Correct hux0*hux1} hux1: int;
+
+procedure {:Correct hux0 - hux1} P();
+
+implementation {:Correct hux0 + hux1} {:AlsoCorrect "hello"} P()
+{
+}
+
+type ref;
diff --git a/Test/test0/BadLabels0.bpl b/Test/test0/BadLabels0.bpl
new file mode 100644
index 00000000..89cf7a36
--- /dev/null
+++ b/Test/test0/BadLabels0.bpl
@@ -0,0 +1,13 @@
+procedure Dup(y: int)
+{
+ X:
+ X: // error: duplicate label
+ while (y < 100)
+ {
+ Y:
+ }
+ while (y < 1000)
+ {
+ Y: // error: duplicate label (labels must be unique in entire procedure body)
+ }
+}
diff --git a/Test/test0/BadLabels1.bpl b/Test/test0/BadLabels1.bpl
new file mode 100644
index 00000000..b4bb6948
--- /dev/null
+++ b/Test/test0/BadLabels1.bpl
@@ -0,0 +1,81 @@
+procedure P0()
+{
+ // these labels don't exist at all
+ goto X; // error: undefined label
+ goto Y; // error: undefined label
+}
+
+procedure P1(y: int)
+{
+ goto X; // error: label out of reach
+ while (y < 100)
+ {
+ X:
+ }
+
+ Q:
+ if (y == 102) {
+ A:
+ goto Q;
+ } else if (y == 104) {
+ B:
+ } else {
+ C:
+ goto K; // error: label out of reach
+ }
+
+ while (y < 1000)
+ {
+ K:
+ goto A; // error: label out of reach
+ if (y % 2 == 0) {
+ goto L;
+ M:
+ }
+ goto K, L;
+ L:
+ if (*) {
+ goto M; // error: label out of reach
+ }
+ }
+ goto B; // error: label out of reach
+}
+
+
+procedure Break(n: int)
+{
+ break; // error: break not inside a loop
+ if (*) {
+ break; // error: label-less break not inside a loop
+ }
+
+ A:
+ if (*) {
+ break A; // this is fine, since the break statement uses a label
+ }
+
+ B:
+ assert 2 <= n;
+ while (*) {
+ break B; // error: B does not label a loop
+ break;
+ C: while (*) { assert n < 100; }
+ break A; // error: A does not label a loop
+ break C; // error: A does not label an enclosing loop
+ F: break F; // error: F does not label an enclosing loop
+ }
+
+ D:
+ while (*) {
+ E:
+ while (*) {
+ if (*) {
+ break;
+ } else if (*) {
+ if (*) { break E; }
+ } else {
+ break D;
+ }
+ }
+ }
+}
diff --git a/Test/test0/BadQuantifier.bpl b/Test/test0/BadQuantifier.bpl
new file mode 100644
index 00000000..b06ab0d9
--- /dev/null
+++ b/Test/test0/BadQuantifier.bpl
@@ -0,0 +1,3 @@
+
+function f(int) returns (bool);
+axiom (forall int x :: f(x) <== x >= 0);
diff --git a/Test/test0/EmptyCallArgs.bpl b/Test/test0/EmptyCallArgs.bpl
new file mode 100644
index 00000000..eb1c43b7
--- /dev/null
+++ b/Test/test0/EmptyCallArgs.bpl
@@ -0,0 +1,33 @@
+type C;
+
+procedure P(x:int, y:bool) returns (z:C);
+procedure Q<a>(x:int, y:a) returns (z:a);
+
+procedure CallP() {
+ var x:int;
+ var y:bool;
+ var z:C;
+
+ call z := P(x, y);
+ call * := P(x, y);
+ call z := P(*, y);
+ call z := P(x, *);
+ call * := P(*, y);
+ call * := P(x, *);
+ call z := P(*, *);
+ call * := P(*, *);
+}
+
+procedure CallQ() {
+ var x:int;
+ var y:bool;
+ var z:bool;
+
+ call z := Q(x, y);
+ call * := Q(x, y);
+ call z := Q(*, y);
+ call z := Q(x, *);
+ call * := Q(*, y);
+ call * := Q(x, *); // problem: type parameter cannot be inferred
+ call * := Q(*, *); // problem: type parameter cannot be inferred
+} \ No newline at end of file
diff --git a/Test/test0/LargeLiterals0.bpl b/Test/test0/LargeLiterals0.bpl
new file mode 100644
index 00000000..be459bf5
--- /dev/null
+++ b/Test/test0/LargeLiterals0.bpl
@@ -0,0 +1,7 @@
+// Test to parse large integer literals
+
+axiom 1234567890987654321 == 1234567890987654321;
+
+function f(int) returns (int);
+
+axiom f(1234567890987654321) == 0;
diff --git a/Test/test0/LineParse.bpl b/Test/test0/LineParse.bpl
new file mode 100644
index 00000000..a64eed0b
--- /dev/null
+++ b/Test/test0/LineParse.bpl
@@ -0,0 +1,12 @@
+#line
+#line
+#line 0
+#line 0
+
+#dontknow what this is No, I don't well, it's an error is what it is
+
+#define ASSERT(x) {if (!(x)) { crash(); }} // error: A B C . txt(12,0)
+
+// this is line 5; an error occurs on line 6:
+ #line 10 // this is not even scanned like a pragma, because the # is not in column 0
+
diff --git a/Test/test0/LineResolve.bpl b/Test/test0/LineResolve.bpl
new file mode 100644
index 00000000..b0c578c7
--- /dev/null
+++ b/Test/test0/LineResolve.bpl
@@ -0,0 +1,38 @@
+procedure P() {
+var x: int;
+x :=
+
+ a+ // error: LineResolve.bpl(5,1)
+
+ b+ // error: LineResolve.bpl(7,2)
+#line 12
+c+ // error: LineResolve.bpl(12,0)
+ d+ // error: LineResolve.bpl(13,10)
+#line 12
+e+ // error: LineResolve.bpl(12,0)
+#line 2
+f+ // error: LineResolve.bpl(2,0)
+#line 1000
+#line 900
+g+ // error: LineResolve.bpl(900,0)
+
+#line 10 Abc.txt
+
+ h+ // error: Abc.txt(11,3)
+
+i+ // error: Abc.txt(13,0)
+#line 98
+
+j+ // error: Abc.txt(99,0)
+
+#line 103 c:\Users\leino\Documents\Programs\MyClass.ssc
+
+k+ // error: c:\Users\leino\Documents\Programs\MyClass.ssc(104,0)
+
+#line -58
+
+#line 12 A B C . txt
+l+ // error: A B C . txt(12,0)
+
+0;
+}
diff --git a/Test/test0/MapsResolutionErrors.bpl b/Test/test0/MapsResolutionErrors.bpl
new file mode 100644
index 00000000..d529cb9c
--- /dev/null
+++ b/Test/test0/MapsResolutionErrors.bpl
@@ -0,0 +1,28 @@
+
+var m: []int;
+var p: <a>[]a;
+
+type C _;
+var bad: <a,b>[]C a; // error: b is not used
+
+function F<a>(a, int) returns (bool) { true }
+
+type Set _;
+function EmptySet<a>() returns (Set a);
+function G<a>(a, int) returns (Set a) { EmptySet() }
+
+function H<a>(int) returns (Set a);
+
+function {:inline true} K<a>(int) returns (Set a)
+{ EmptySet() }
+
+
+procedure P<a>(x: int, y: bool) returns (z: int, w: bool); // error: "a" is not used
+
+procedure Q<a>(x: int, y: bool) returns (z: int, w: a);
+procedure R<a>(x: int, y: bool) returns (z: int, w: Set a);
+procedure S<a>(x: a, y: bool) returns (z: int, w: Set a);
+
+
+function K2<a>(int) returns (Set a) // now ok
+{ EmptySet() }
diff --git a/Test/test0/ModifiedBag.bpl b/Test/test0/ModifiedBag.bpl
new file mode 100644
index 00000000..09edbd12
--- /dev/null
+++ b/Test/test0/ModifiedBag.bpl
@@ -0,0 +1,371 @@
+// ----------- BEGIN PRELUDE
+type real;
+
+type elements;
+
+type name;
+
+const $CALL: name;
+
+const $REQ: name;
+
+const $ENS: name;
+
+const $PACK: name;
+
+const $UNPACK: name;
+
+const $HEAD: name;
+
+const $THROW: name;
+
+var $RefHeap: [ref, name]ref;
+
+var $IntHeap: [ref, name]int;
+
+var $RealHeap: [ref, name]real;
+
+var $BoolHeap: [ref, name]bool;
+
+var $ArrayHeap: [ref, name]elements;
+
+const $allocated: name;
+
+const $elements: name;
+
+function $ArrayLength(ref) returns (int);
+
+function $RefArrayGet(elements, int) returns (ref);
+
+function $RefArraySet(elements, int, ref) returns (elements);
+
+function $IntArrayGet(elements, int) returns (value: int);
+
+function $IntArraySet(elements, int, value: int) returns (elements);
+
+function $RealArrayGet(elements, int) returns (value: real);
+
+function $RealArraySet(elements, int, value: real) returns (elements);
+
+function $BoolArrayGet(elements, int) returns (value: bool);
+
+function $BoolArraySet(elements, int, value: bool) returns (elements);
+
+function $ArrayArrayGet(elements, int) returns (value: elements);
+
+function $ArrayArraySet(elements, int, value: elements) returns (elements);
+
+axiom (forall A: elements, i: int, x: ref :: $RefArrayGet($RefArraySet(A, i, x), i) == x);
+
+axiom (forall A: elements, i: int, j: int, x: ref :: i != j ==> $RefArrayGet($RefArraySet(A, i, x), j) == $RefArrayGet(A, j));
+
+axiom (forall A: elements, i: int, x: int :: $IntArrayGet($IntArraySet(A, i, x), i) == x);
+
+axiom (forall A: elements, i: int, j: int, x: int :: i != j ==> $IntArrayGet($IntArraySet(A, i, x), j) == $IntArrayGet(A, j));
+
+axiom (forall A: elements, i: int, x: real :: $RealArrayGet($RealArraySet(A, i, x), i) == x);
+
+axiom (forall A: elements, i: int, j: int, x: real :: i != j ==> $RealArrayGet($RealArraySet(A, i, x), j) == $RealArrayGet(A, j));
+
+axiom (forall A: elements, i: int, x: bool :: $BoolArrayGet($BoolArraySet(A, i, x), i) == x);
+
+axiom (forall A: elements, i: int, j: int, x: bool :: i != j ==> $BoolArrayGet($BoolArraySet(A, i, x), j) == $BoolArrayGet(A, j));
+
+axiom (forall A: elements, i: int, x: elements :: $ArrayArrayGet($ArrayArraySet(A, i, x), i) == x);
+
+axiom (forall A: elements, i: int, j: int, x: elements :: i != j ==> $ArrayArrayGet($ArrayArraySet(A, i, x), j) == $ArrayArrayGet(A, j));
+
+axiom (forall a: ref :: 0 <= $ArrayLength(a));
+
+function $typeof(ref) returns (name);
+
+function $BoolIs(bool, name) returns (bool);
+
+function $RealIs(real, name) returns (bool);
+
+function $IntIs(int, name) returns (bool);
+
+const System.Int16: name;
+
+const System.Int32: name;
+
+const System.Int64: name;
+
+const System.Int16.MinValue: int;
+
+const System.Int16.MaxValue: int;
+
+const System.Int32.MinValue: int;
+
+const System.Int32.MaxValue: int;
+
+const System.Int64.MinValue: int;
+
+const System.Int64.MaxValue: int;
+
+axiom System.Int64.MinValue < System.Int32.MinValue;
+
+axiom System.Int32.MinValue < System.Int16.MinValue;
+
+axiom System.Int16.MinValue < System.Int16.MaxValue;
+
+axiom System.Int16.MaxValue < System.Int32.MaxValue;
+
+axiom System.Int32.MaxValue < System.Int64.MaxValue;
+
+axiom (forall i: int :: $IntIs(i, System.Int16) <==> System.Int16.MinValue <= i && i <= System.Int16.MaxValue);
+
+axiom (forall i: int :: $IntIs(i, System.Int32) <==> System.Int32.MinValue <= i && i <= System.Int32.MaxValue);
+
+axiom (forall i: int :: $IntIs(i, System.Int64) <==> System.Int64.MinValue <= i && i <= System.Int64.MaxValue);
+
+function $RefIs(ref, name) returns (bool);
+
+axiom (forall o: ref, T: name :: $RefIs(o, T) <==> o == null || $typeof(o) <: T);
+
+axiom (forall o: ref, T: name :: $RefIs(o, $NotNull(T)) <==> o != null && $RefIs(o, T));
+
+axiom (forall a: ref, T: name, i: int, $ArrayHeap: [ref, name]elements :: $RefIs(a, $IntArray(T)) && a != null ==> $IntIs($IntArrayGet($ArrayHeap[a, $elements], i), T));
+
+axiom (forall a: ref, T: name, i: int, $ArrayHeap: [ref, name]elements :: $RefIs(a, $RealArray(T)) && a != null ==> $RealIs($RealArrayGet($ArrayHeap[a, $elements], i), T));
+
+axiom (forall a: ref, T: name, i: int, $ArrayHeap: [ref, name]elements :: $RefIs(a, $BoolArray(T)) && a != null ==> $BoolIs($BoolArrayGet($ArrayHeap[a, $elements], i), T));
+
+axiom (forall a: ref, T: name, i: int, $ArrayHeap: [ref, name]elements :: $RefIs(a, $RefArray(T)) && a != null ==> $RefIs($RefArrayGet($ArrayHeap[a, $elements], i), T));
+
+function $NotNull(name) returns (name);
+
+function $IntArray(name) returns (name);
+
+function $BoolArray(name) returns (name);
+
+function $RealArray(name) returns (name);
+
+function $RefArray(name) returns (name);
+// ----------- END PRELUDE
+const Bag.a: name;
+
+const Bag.n: name;
+
+const Bag: name;
+
+
+
+
+
+procedure Bag..ctor$(this: ref, initialElements$in: ref);
+
+
+
+
+
+
+procedure System.Object..ctor(this: ref);
+
+
+
+procedure System.Array.CopyTo$System.Array$System.Int32(this: ref, array$in: ref, index$in: int);
+
+
+
+procedure Bag..ctor$$System.Int32$System.Int32(this: ref, initialElements$in: ref, start$in: int, howMany$in: int);
+ requires 0 <= howMany$in;
+ requires start$in + howMany$in <= $ArrayLength(initialElements$in);
+ modifies $IntHeap, $RefHeap;
+
+
+
+implementation Bag..ctor$$System.Int32$System.Int32(this: ref, initialElements$in: ref, start$in: int, howMany$in: int)
+{
+ var initialElements: ref, start: int, howMany: int, stack0i: int, stack0o: ref, stack1i: int, stack2i: int;
+
+ entry:
+ assume $RefIs(this, $NotNull(Bag));
+ initialElements := initialElements$in;
+ assume $RefIs(initialElements, $NotNull($IntArray(System.Int32)));
+ start := start$in;
+ assume $IntIs(start, System.Int32);
+ howMany := howMany$in;
+ assume $IntIs(howMany, System.Int32);
+ goto block165;
+
+ block165:
+ call System.Object..ctor(this);
+ $IntHeap[this, Bag.n] := howMany;
+ stack0i := howMany;
+ havoc stack0o;
+ assume $BoolHeap[stack0o, $allocated] == true && $ArrayLength(stack0o) == stack0i;
+ $RefHeap[this, Bag.a] := stack0o;
+ stack0o := $RefHeap[this, Bag.a];
+ stack1i := 0;
+ stack2i := start + howMany;
+ call System.Array.Copy$System.Array$System.Int32$System.Array$System.Int32$System.Int32(initialElements, start, stack0o, stack1i, stack2i);
+ assert this != null;
+ assert 0 <= $IntHeap[this, Bag.n] && $IntHeap[this, Bag.n] <= $ArrayLength($RefHeap[this, Bag.a]);
+ return;
+}
+
+
+
+procedure System.Array.Copy$System.Array$System.Int32$System.Array$System.Int32$System.Int32(sourceArray$in: ref, sourceIndex$in: int, destinationArray$in: ref, destinationIndex$in: int, length$in: int);
+
+
+
+procedure Bag.Add$System.Int32(this: ref, x$in: int);
+ modifies $ArrayHeap, $IntHeap;
+
+
+
+implementation Bag.Add$System.Int32(this: ref, x$in: int)
+{
+ var x: int, stack0i: int, stack1o: ref, stack1i: int, stack0b: bool, stack0o: ref, stack2i: int, b: ref;
+
+ entry:
+ assume $RefIs(this, $NotNull(Bag));
+ x := x$in;
+ assume $IntIs(x, System.Int32);
+ assert this != null;
+ assume 0 <= $IntHeap[this, Bag.n] && $IntHeap[this, Bag.n] <= $ArrayLength($RefHeap[this, Bag.a]);
+ goto block205;
+
+ block205:
+ stack0i := $IntHeap[this, Bag.n];
+ stack1o := $RefHeap[this, Bag.a];
+ stack1i := $ArrayLength(stack1o);
+ stack1i := stack1i;
+ stack0b := stack0i != stack1i;
+ goto trueblock208, falseblock206;
+
+ trueblock208:
+ assume stack0b == true;
+assume false;
+// goto block208;
+return;
+
+ falseblock206:
+ assume stack0b == false;
+ goto block206;
+
+ block206:
+// assert label-([$PACK@0:3:4425:0], $IntHeap[this, Bag.n] <= 2 * $ArrayLength($RefHeap[this, Bag.a]));
+ stack0i := 2;
+ stack1o := $RefHeap[this, Bag.a];
+ stack1i := $ArrayLength(stack1o);
+ stack1i := stack1i;
+ stack0i := stack0i * stack1i;
+ stack0i := stack0i;
+ assert $IntHeap[this, Bag.n] <= stack0i;
+// havoc b;
+// assume $BoolHeap[b, $allocated] == true && $ArrayLength(b) == stack0i;
+// assert label-([$PACK@0:3:4427:0], $IntHeap[this, Bag.n] <= $ArrayLength(b));
+// stack0o := $RefHeap[this, Bag.a];
+// stack1i := 0;
+// call [$CALL@0:7:39:0] System.Array.CopyTo$System.Array$System.Int32(stack0o, b, stack1i);
+// $RefHeap[this, Bag.a] := b;
+// assert label-([$PACK@0:3:4428:0], $IntHeap[this, Bag.n] <= $ArrayLength($RefHeap[this, Bag.a]));
+// goto block208;
+ return;
+
+ block208:
+ stack0o := $RefHeap[this, Bag.a];
+ stack1i := $IntHeap[this, Bag.n];
+ $ArrayHeap[stack0o, $elements] := $IntArraySet($ArrayHeap[stack0o, $elements], stack1i, x);
+ stack0o := this;
+ stack1o := stack0o;
+ stack1i := $IntHeap[stack1o, Bag.n];
+ stack2i := 1;
+ stack1i := stack1i + stack2i;
+ $IntHeap[stack0o, Bag.n] := stack1i;
+ assert this != null;
+ assert 0 <= $IntHeap[this, Bag.n];
+ assert $IntHeap[this, Bag.n] <= $ArrayLength($RefHeap[this, Bag.a]);
+ return;
+
+}
+
+
+
+procedure Bag.ExtractMin(this: ref) returns ($result: int);
+ modifies $IntHeap, $ArrayHeap;
+
+
+
+implementation Bag.ExtractMin(this: ref) returns ($result: int)
+{
+ var m: int, mindex: int, i: int, stack0i: int, stack0b: bool, stack0o: ref, stack1o: ref, stack1i: int, stack2i: int, CS$00000003$00000000: int;
+
+ entry:
+ assume $RefIs(this, $NotNull(Bag));
+ assert this != null;
+ assume 0 <= $IntHeap[this, Bag.n] && $IntHeap[this, Bag.n] <= $ArrayLength($RefHeap[this, Bag.a]);
+ goto block282;
+
+ block282:
+ m := 2147483647;
+ mindex := 0;
+ i := 1;
+ goto block286;
+
+ block285:
+ stack0i := 1;
+ stack0i := i + stack0i;
+ i := stack0i;
+ goto block286;
+
+ block286:
+ stack0i := $IntHeap[this, Bag.n];
+ stack0b := i <= stack0i;
+ goto trueblock283, falseblock287;
+
+ trueblock283:
+ assume stack0b == true;
+ goto block283;
+
+ falseblock287:
+ assume stack0b == false;
+ goto block287;
+
+ block283:
+ stack0o := $RefHeap[this, Bag.a];
+ stack0i := $IntArrayGet($ArrayHeap[stack0o, $elements], i);
+ stack0b := stack0i >= m;
+ goto trueblock285, falseblock284;
+
+ block287:
+ stack0o := this;
+ stack1o := stack0o;
+ stack1i := $IntHeap[stack1o, Bag.n];
+ stack2i := 1;
+ stack1i := stack1i - stack2i;
+ $IntHeap[stack0o, Bag.n] := stack1i;
+ stack0o := $RefHeap[this, Bag.a];
+ stack1o := $RefHeap[this, Bag.a];
+ stack2i := $IntHeap[this, Bag.n];
+ stack1i := $IntArrayGet($ArrayHeap[stack1o, $elements], stack2i);
+ $ArrayHeap[stack0o, $elements] := $IntArraySet($ArrayHeap[stack0o, $elements], mindex, stack1i);
+ CS$00000003$00000000 := m;
+ goto block289;
+
+ trueblock285:
+ assume stack0b == true;
+ goto block285;
+
+ falseblock284:
+ assume stack0b == false;
+ goto block284;
+
+ block284:
+ mindex := i;
+ stack0o := $RefHeap[this, Bag.a];
+ m := $IntArrayGet($ArrayHeap[stack0o, $elements], i);
+ goto block285;
+
+ block289:
+ $result := CS$00000003$00000000;
+ assert this != null;
+ assert 0 <= $IntHeap[this, Bag.n] && $IntHeap[this, Bag.n] <= $ArrayLength($RefHeap[this, Bag.a]);
+ return;
+}
+
+type ref;
+const null : ref;
diff --git a/Test/test0/Orderings.bpl b/Test/test0/Orderings.bpl
new file mode 100644
index 00000000..0ba6c69c
--- /dev/null
+++ b/Test/test0/Orderings.bpl
@@ -0,0 +1,20 @@
+
+type C;
+
+const c:int extends a;
+const d:int extends a complete;
+const e:int extends unique a, b;
+const f:int extends complete;
+
+const a:int;
+const b:int;
+
+const g:int extends x; // error: undeclared parent
+
+const c0:C;
+const c1:C extends c0, c0; // error: parent mentioned twice
+const c2:C extends c2; // error: constant as its own parent
+
+const h:int extends y; // error: variable cannot be parent
+
+var y:int; \ No newline at end of file
diff --git a/Test/test0/Output b/Test/test0/Output
new file mode 100644
index 00000000..e8ea231e
--- /dev/null
+++ b/Test/test0/Output
@@ -0,0 +1,252 @@
+
+Boogie program verifier finished with 0 verified, 0 errors
+
+Boogie program verifier finished with 0 verified, 0 errors
+Triggers0.bpl(14,31): Error: the 'nopats' quantifier attribute expects a string-literal parameter
+1 parse errors detected in Triggers0.bpl
+Triggers1.bpl(7,17): Error: boolean operators are not allowed in triggers
+Triggers1.bpl(11,21): Error: boolean operators are not allowed in triggers
+Triggers1.bpl(15,9): Error: boolean operators are not allowed in triggers
+Triggers1.bpl(19,10): Error: boolean operators are not allowed in triggers
+Triggers1.bpl(23,17): Error: boolean operators are not allowed in triggers
+Triggers1.bpl(27,17): Error: boolean operators are not allowed in triggers
+Triggers1.bpl(32,17): Error: equality is not allowed in triggers
+Triggers1.bpl(36,17): Error: arithmetic comparisons are not allowed in triggers
+Triggers1.bpl(45,10): Error: quantifiers are not allowed in triggers
+Triggers1.bpl(53,7): Error: trigger must mention all quantified variables, but does not mention: x
+Triggers1.bpl(61,7): Error: trigger must mention all quantified variables, but does not mention: y
+Triggers1.bpl(62,7): Error: trigger must mention all quantified variables, but does not mention: x
+Triggers1.bpl(70,9): Error: a matching pattern must be more than just a variable by itself: x
+Triggers1.bpl(82,7): Error: trigger must mention all quantified variables, but does not mention: z
+Triggers1.bpl(94,16): Error: a matching pattern must be more than just a variable by itself: x
+Triggers1.bpl(95,16): Error: a matching pattern must be more than just a variable by itself: g
+Triggers1.bpl(105,40): Error: trigger must mention all quantified variables, but does not mention: y
+Triggers1.bpl(106,40): Error: trigger must mention all quantified variables, but does not mention: x
+Triggers1.bpl(109,57): Error: trigger must mention all quantified variables, but does not mention: z
+Triggers1.bpl(110,57): Error: trigger must mention all quantified variables, but does not mention: y
+Triggers1.bpl(111,57): Error: trigger must mention all quantified variables, but does not mention: x
+Triggers1.bpl(119,33): Error: cannot refer to a global variable in this context: h1
+Triggers1.bpl(120,33): Error: cannot refer to a global variable in this context: h0
+23 name resolution errors detected in Triggers1.bpl
+const x: int;
+
+const y: int;
+
+const z: int;
+
+const P: bool;
+
+const Q: bool;
+
+const R: bool;
+
+axiom x * (y + z) == x + y * z;
+
+axiom x * y + z == (x + y) * z;
+
+axiom x * y * z == x * y * z;
+
+axiom x * y * z * x == x * y * z;
+
+axiom x / y / z == x / (y / z);
+
+axiom x / y / (z / x) == x / y / z;
+
+axiom x - y - z == x - (y - z);
+
+axiom x - y - (z - x) == x - y - z;
+
+axiom x + y - z - x + y == 0;
+
+axiom x + y - z - x + y == x + y - (z - (x + y));
+
+axiom P ==> Q ==> R <==> P ==> Q ==> R;
+
+axiom (P ==> Q) ==> R ==> P <==> (P ==> Q) ==> R;
+
+axiom P <==> Q <==> R;
+
+axiom P ==> Q <==> Q ==> R <==> R ==> P;
+
+axiom (P && Q) || (Q && R);
+
+axiom (P || Q) && (Q || R);
+
+axiom P || Q || Q || R;
+
+axiom P && Q && Q && R;
+
+function f(int) returns (int);
+
+axiom (forall x: int :: {:xname "hello"} {:weight 5} {:ValueFunc f(x + 1)} { f(x + x) } { f(x) * f(x) } {:nopats f(x + x + x) } f(f(x)) < 200);
+
+Boogie program verifier finished with 0 verified, 0 errors
+
+Boogie program verifier finished with 0 verified, 0 errors
+Arrays1.bpl(11,11): Error: command assigns to a global variable that is not in the enclosing method's modifies clause: Q
+Arrays1.bpl(14,15): Error: command assigns to a global variable that is not in the enclosing method's modifies clause: Q
+2 type checking errors detected in Arrays1.bpl
+Types0.bpl(6,18): Error: expected identifier before ':'
+1 parse errors detected in Types0.bpl
+Types1.bpl(6,11): Error: undeclared type: x
+Types1.bpl(7,18): Error: undeclared type: x
+2 name resolution errors detected in Types1.bpl
+WhereParsing.bpl(14,37): Error: where clause not allowed here
+WhereParsing.bpl(15,33): Error: where clause not allowed here
+2 parse errors detected in WhereParsing.bpl
+WhereParsing0.bpl(17,38): Error: where clause not allowed here
+WhereParsing0.bpl(18,38): Error: where clause not allowed here
+2 parse errors detected in WhereParsing0.bpl
+WhereParsing1.bpl(14,27): syntax error: ) expected
+1 parse errors detected in WhereParsing1.bpl
+WhereParsing2.bpl(1,14): syntax error: ; expected
+1 parse errors detected in WhereParsing2.bpl
+WhereResolution.bpl(28,38): Error: undeclared identifier: alpha
+WhereResolution.bpl(32,30): Error: old expressions allowed only in two-state contexts
+2 name resolution errors detected in WhereResolution.bpl
+BadLabels0.bpl(4,2): Error: more than one declaration of block name: X
+BadLabels0.bpl(11,4): Error: more than one declaration of block name: Y
+2 name resolution errors detected in BadLabels0.bpl
+BadLabels1.bpl(4,3): Error: Error: goto label 'X' is undefined or out of reach
+BadLabels1.bpl(5,3): Error: Error: goto label 'Y' is undefined or out of reach
+BadLabels1.bpl(10,3): Error: Error: goto label 'X' is undefined or out of reach
+BadLabels1.bpl(24,5): Error: Error: goto label 'K' is undefined or out of reach
+BadLabels1.bpl(30,5): Error: Error: goto label 'A' is undefined or out of reach
+BadLabels1.bpl(38,7): Error: Error: goto label 'M' is undefined or out of reach
+BadLabels1.bpl(41,3): Error: Error: goto label 'B' is undefined or out of reach
+BadLabels1.bpl(47,3): Error: Error: break statement is not inside a loop
+BadLabels1.bpl(49,5): Error: Error: break statement is not inside a loop
+BadLabels1.bpl(60,5): Error: Error: break label 'B' must designate an enclosing statement
+BadLabels1.bpl(63,5): Error: Error: break label 'A' must designate an enclosing statement
+BadLabels1.bpl(64,5): Error: Error: break label 'C' must designate an enclosing statement
+BadLabels1.bpl(65,8): Error: Error: break label 'F' must designate an enclosing statement
+13 parse errors detected in BadLabels1.bpl
+LineParse.bpl(1,0): Error: Malformed (#line num [filename]) pragma: #line
+LineParse.bpl(2,0): Error: Malformed (#line num [filename]) pragma: #line
+LineParse.bpl(1,0): Error: Unrecognized pragma: #dontknow what this is No, I don't well, it's an error is what it is
+LineParse.bpl(3,0): Error: Unrecognized pragma: #define ASSERT(x) {if (!(x)) { crash(); }} // error: A B C . txt(12,0)
+LineParse.bpl(6,2): syntax error: EOF expected
+5 parse errors detected in LineParse.bpl
+LineResolve.bpl(5,1): Error: undeclared identifier: a
+LineResolve.bpl(7,2): Error: undeclared identifier: b
+LineResolve.bpl(12,0): Error: undeclared identifier: c
+LineResolve.bpl(13,10): Error: undeclared identifier: d
+LineResolve.bpl(12,0): Error: undeclared identifier: e
+LineResolve.bpl(2,0): Error: undeclared identifier: f
+LineResolve.bpl(900,0): Error: undeclared identifier: g
+Abc.txt(11,3): Error: undeclared identifier: h
+Abc.txt(13,0): Error: undeclared identifier: i
+Abc.txt(99,0): Error: undeclared identifier: j
+c:\Users\leino\Documents\Programs\MyClass.ssc(104,0): Error: undeclared identifier: k
+A B C . txt(12,0): Error: undeclared identifier: l
+12 name resolution errors detected in LineResolve.bpl
+AttributeParsingErr.bpl(1,33): Error: only attributes, not triggers, allowed here
+AttributeParsingErr.bpl(3,33): Error: only attributes, not triggers, allowed here
+AttributeParsingErr.bpl(5,52): Error: only attributes, not triggers, allowed here
+AttributeParsingErr.bpl(7,37): Error: only attributes, not triggers, allowed here
+AttributeParsingErr.bpl(9,31): Error: only attributes, not triggers, allowed here
+AttributeParsingErr.bpl(11,29): Error: only attributes, not triggers, allowed here
+AttributeParsingErr.bpl(13,13): Error: only attributes, not triggers, allowed here
+AttributeParsingErr.bpl(15,18): Error: only attributes, not triggers, allowed here
+AttributeParsingErr.bpl(20,26): Error: only attributes, not triggers, allowed here
+9 parse errors detected in AttributeParsingErr.bpl
+
+type {:sourcefile "test.ssc"} T;
+
+function {:source "test.scc"} f(int) returns (int);
+
+const {:description "The largest integer value"} unique MAXINT: int;
+
+axiom {:naming "MyFavoriteAxiom"} (forall i: int :: { f(i) } f(i) == i + 1);
+
+var {:description "memory"} $Heap: [ref,name]any;
+
+var {:sort_of_like_a_trigger (forall i: int :: true)} Bla: [ref,name]any;
+
+procedure {:use_impl 1} foo(x: int) returns (n: int);
+
+
+
+implementation {:id 1} foo(x: int) returns (n: int)
+{
+ block1:
+ return;
+}
+
+
+
+implementation {:id 2} foo(x: int) returns (n: int)
+{
+ block1:
+ return;
+}
+
+
+
+type ref;
+
+type any;
+
+type name;
+
+Boogie program verifier finished with 0 verified, 0 errors
+AttributeResolution.bpl(1,18): Error: undeclared identifier: foo
+AttributeResolution.bpl(3,18): Error: undeclared identifier: bar
+AttributeResolution.bpl(7,15): Error: undeclared identifier: qux
+AttributeResolution.bpl(7,41): Error: undeclared identifier: ij
+AttributeResolution.bpl(13,21): Error: undeclared identifier: bzzt
+AttributeResolution.bpl(15,20): Error: undeclared identifier: blt
+AttributeResolution.bpl(5,20): Error: undeclared identifier: baz
+AttributeResolution.bpl(9,18): Error: undeclared identifier: mux
+AttributeResolution.bpl(11,29): Error: undeclared identifier: fux
+9 name resolution errors detected in AttributeResolution.bpl
+
+function \true() returns (bool);
+
+type \procedure;
+
+procedure \old(any: \procedure) returns (\var: \procedure);
+
+
+
+implementation \old(any: \procedure) returns (\var: \procedure)
+{
+ var \modifies: \procedure;
+
+ \modifies := any;
+ \var := \modifies;
+}
+
+
+
+procedure qux(a: \procedure);
+
+
+
+implementation qux(a: \procedure)
+{
+ var \var: \procedure;
+ var x: bool;
+
+ call \var := \old(a);
+ x := \true();
+}
+
+
+
+Boogie program verifier finished with 0 verified, 0 errors
+
+Boogie program verifier finished with 0 verified, 0 errors
+MapsResolutionErrors.bpl(6,9): Error: type variable must occur in map arguments: b
+MapsResolutionErrors.bpl(20,10): Error: type variable must occur in procedure arguments: a
+2 name resolution errors detected in MapsResolutionErrors.bpl
+Orderings.bpl(12,20): Error: undeclared identifier: x
+Orderings.bpl(15,23): Error: c0 occurs more than once as parent
+Orderings.bpl(16,19): Error: constant cannot be its own parent
+Orderings.bpl(18,20): Error: the parent of a constant has to be a constant
+4 name resolution errors detected in Orderings.bpl
+BadQuantifier.bpl(3,15): syntax error: invalid QuantifierBody
+1 parse errors detected in BadQuantifier.bpl
+EmptyCallArgs.bpl(31,2): Error: type variable must occur in types of given arguments: a
+EmptyCallArgs.bpl(32,2): Error: type variable must occur in types of given arguments: a
+2 name resolution errors detected in EmptyCallArgs.bpl
diff --git a/Test/test0/PrettyPrint.bpl b/Test/test0/PrettyPrint.bpl
new file mode 100644
index 00000000..a1f941d8
--- /dev/null
+++ b/Test/test0/PrettyPrint.bpl
@@ -0,0 +1,40 @@
+const x: int;
+const y: int;
+const z: int;
+const P: bool;
+const Q: bool;
+const R: bool;
+
+axiom x * (y + z) == x + (y * z);
+axiom (x * y) + z == (x + y) * z;
+
+axiom x * y * z == (x * (y * z));
+axiom (x * y) * (z * x) == (x * y) * z;
+
+axiom x / y / z == (x / (y / z));
+axiom (x / y) / (z / x) == (x / y) / z;
+
+axiom x - y - z == (x - (y - z));
+axiom (x - y) - (z - x) == (x - y) - z;
+
+axiom x + y - z - x + y == 0;
+axiom ((((x + y) - z) - x) + y) == (x + (y - (z - (x + y))));
+
+axiom P ==> Q ==> R <==> (P ==> (Q ==> R));
+axiom ((P ==> Q) ==> (R ==> P)) == ((P ==> Q) ==> R);
+
+axiom P <==> Q <==> R;
+axiom P ==> Q <==> Q ==> R <==> R ==> P;
+
+axiom (P && Q) || (Q && R);
+axiom (P || Q) && (Q || R);
+axiom (P || Q) || (Q || R);
+axiom (P && Q) && (Q && R);
+
+// -------------- quantifier key-value decorations
+
+function f(int) returns (int);
+
+axiom (forall x: int :: {:xname "hello"}
+ { :weight 5} {f(x+x)} {:ValueFunc f(x+1) } {f(x)*f(x)} {:nopats f(x+x+x)}
+ f(f(x)) < 200);
diff --git a/Test/test0/Prog0.bpl b/Test/test0/Prog0.bpl
new file mode 100644
index 00000000..ac87476f
--- /dev/null
+++ b/Test/test0/Prog0.bpl
@@ -0,0 +1,51 @@
+// BoogiePL Examples
+type real;
+type elements;
+
+var x:int; var y:real; var z:ref; // Variables
+var x.3:bool; var $ar:ref; // Names can have glyphs
+
+const a, b, c:int; // Consts
+
+function f (int, int) returns (int); // Function with arity 2
+function g ( int , int) returns (int); // Function with arity 2
+function h(int,int) returns (int); // Function with arity 2
+
+function m (int) returns (int); // Function with arity 1
+function k(int) returns (int); // Function with arity 1
+
+
+axiom
+ (forall x : int :: f(g(h(a,b),c),x) > 100) ;
+
+procedure p (x:int, y:ref) returns (z:int, w:[int,ref]ref, q:int);
+
+
+procedure q(x:int, y:ref) returns (z:int) // Procedure with output params
+ requires x > 0; // as many req/ens/mod you want
+ ensures z > 3;
+ ensures old(x) == 1; // old only in ensures..
+ modifies z,y,$ar;
+{
+ var t, s: int;
+ var r: [int,ref]ref;
+
+ start: // one label per block
+ t := x;
+ s := t;
+ z := x + t;
+ call s, r,z := p(t,r[3,null]); // procedure call with mutiple returns
+ goto continue, end ; // as many labels as you like
+
+ continue:
+ return; // ends control flow
+
+ end:
+ goto start;
+}
+
+procedure s(e: elements) { L: return; }
+procedure r (x:int, y:ref) returns (z:int);
+
+type ref;
+const null : ref;
diff --git a/Test/test0/Quoting.bpl b/Test/test0/Quoting.bpl
new file mode 100644
index 00000000..eaf8fe7a
--- /dev/null
+++ b/Test/test0/Quoting.bpl
@@ -0,0 +1,16 @@
+function \true() returns(bool);
+
+type \procedure;
+procedure \old(\any : \procedure) returns(\var : \procedure)
+{
+ var \modifies : \procedure;
+ \modifies := \any;
+ \var := \modifies;
+}
+
+procedure qux(a : \procedure)
+{
+ var \var : \procedure; var x : bool;
+ call \var := \old(a);
+ x := \true();
+}
diff --git a/Test/test0/Triggers0.bpl b/Test/test0/Triggers0.bpl
new file mode 100644
index 00000000..6750d77d
--- /dev/null
+++ b/Test/test0/Triggers0.bpl
@@ -0,0 +1,15 @@
+// Trigger errors
+
+function f(int, int) returns (int);
+function P(int, int) returns (bool);
+
+// -------------- tests specific to pattern exclusions
+
+axiom (forall x: int ::
+ {:nopats f(x,10) }
+ { : nopats f(x,10) }
+ f(x,10) == 3);
+
+axiom (forall x: int ::
+ {:nopats f(x,10), f(x,x) } // error: a pattern exclusion can only mention one expression
+ f(x,10) == 3);
diff --git a/Test/test0/Triggers1.bpl b/Test/test0/Triggers1.bpl
new file mode 100644
index 00000000..02c63406
--- /dev/null
+++ b/Test/test0/Triggers1.bpl
@@ -0,0 +1,127 @@
+// Trigger errors
+
+function f(int, int) returns (int);
+function P(int, int) returns (bool);
+
+axiom (forall x: int ::
+ { f(x,10) && f(x,9) } // error: && not allowed
+ f(x,10) == 3);
+
+axiom (forall x: int ::
+ { ((((f(x,10) || f(x,9))))) } // error: || not allowed
+ f(x,10) == 3);
+
+axiom (forall x: int ::
+ { !f(x,10) } // error: ! not allowed
+ f(x,10) == 3);
+
+axiom (forall x: int ::
+ { (!f(x,10)) } // error: ! not allowed
+ f(x,10) == 3);
+
+axiom (forall x: int ::
+ { P(x,10) ==> P(20,x) } // error: ==> not allowed
+ f(x,10) == 3);
+
+axiom (forall x: int ::
+ { P(x,10) <==> P(20,x) } // error: <==> not allowed
+ f(x,10) == 3);
+
+
+axiom (forall x: int ::
+ { f(x,10) == 3 } // error: == not allowed
+ f(x,10) == 3);
+
+axiom (forall x: int ::
+ { f(x,10) < 3 } // error: < not allowed
+ f(x,10) == 3);
+
+
+axiom (forall x: int ::
+ { f(x,10) + f(x,x) != 3 } // yes, != is allowed
+ f(x,10) == 3);
+
+axiom (forall b: bool ::
+ { (forall y: int :: b) } // error: quantifiers not allowed
+ b);
+
+// -------------- tests of free variables
+
+const g: int;
+
+axiom (forall x: int ::
+ { false, 6 } // error: does not mention "x"
+ x < x + 1);
+
+axiom (forall x: int ::
+ { false, x+1, 6 } // allowed
+ x < x + 1);
+
+axiom (forall x: int, y: int ::
+ { x+1 } // error: does not mention "y"
+ { y+1 } // error: does not mention "x"
+ x < y + 1);
+
+axiom (forall x: int ::
+ { g+x != 65 } // allowed
+ x < x + 1);
+
+axiom (forall x: int ::
+ { x } // "x" by itself is not a good trigger
+ x < x + 1);
+
+//axiom (forall x: any :: // PR: removed for the time being
+// { cast(x,int) } // can't fool me, still not allowed
+// x == x );
+
+// --- multiple triggers
+
+axiom (forall x: int, y: int, z: int ::
+ { x+y+z } // good
+ { x+y, y+z } // also good
+ { f(f(x,y),y) } // error: does not mention z
+ x == x );
+
+// --- multi-triggers
+
+axiom (forall x: int, y: int, z: int ::
+ { f(x,x), f(y,y), f(z,z) } // good
+ f(x,y) < f(y,z) );
+
+// --- pattern exclusion
+
+axiom (forall x: int, y: int ::
+ {:nopats x } // error: "x" by itself is not allowed here either
+ {:nopats g } // error: "g" by itself is not allowed here either
+ x < y);
+
+axiom (forall x: int, y: int ::
+ {:nopats f(g,g) } // but it is okay not to mention the bound variables (in a pattern exclusion)
+ x < y);
+
+// --- merging of nested quantifiers
+
+axiom (forall x:int :: (forall y:int :: { f(x,y) } f(x,y) > 0)); // OK
+axiom (forall x:int :: (forall y:int :: { f(x,x) } f(x,x) > 0)); // error
+axiom (forall x:int :: (forall y:int :: { f(y,y) } f(y,y) > 0)); // error
+
+// three levels
+axiom (forall x:int :: (forall y:int :: (forall z:int :: { f(x,y) } f(y,y) > 0))); // error
+axiom (forall x:int :: (forall y:int :: (forall z:int :: { f(x,z) } f(y,y) > 0))); // error
+axiom (forall x:int :: (forall y:int :: (forall z:int :: { f(y,z) } f(y,y) > 0))); // error
+axiom (forall x:int :: (forall y:int :: (forall z:int :: { f(x,y), f(y,z) } f(y,y) > 0))); // OK
+
+// --- no free variables
+
+var h0: int;
+var h1: [ref,ref]int;
+
+axiom (forall o: ref, f: ref :: h1[o,f] // error: cannot mention free variable "h1"
+ < h0); // error: cannot mention free variable "h0"
+
+const c0: int;
+const c1: [ref,ref]int;
+
+axiom (forall o: ref, f: ref :: c1[o,f] < c0);
+
+type ref;
diff --git a/Test/test0/Types0.bpl b/Test/test0/Types0.bpl
new file mode 100644
index 00000000..7bb1dcef
--- /dev/null
+++ b/Test/test0/Types0.bpl
@@ -0,0 +1,8 @@
+type T, U;
+type V;
+
+function f([U,V]T, int) returns (U);
+function g(x: [U,V]T, y: int) returns (z: U);
+function h([U,V]T: int, y: int) returns (z: U); // parse error
+function k(T: int, y: int) returns (U: [any]int);
+function l(x) returns (int); // resolve error
diff --git a/Test/test0/Types1.bpl b/Test/test0/Types1.bpl
new file mode 100644
index 00000000..f743be85
--- /dev/null
+++ b/Test/test0/Types1.bpl
@@ -0,0 +1,7 @@
+type T, U;
+type V;
+
+function h(T) returns (int);
+function k(x:T) returns (int);
+function l(x) returns (int); // resolve error
+function m(x:int, x) returns (bool); // resolve error
diff --git a/Test/test0/WhereParsing.bpl b/Test/test0/WhereParsing.bpl
new file mode 100644
index 00000000..ec18dc3b
--- /dev/null
+++ b/Test/test0/WhereParsing.bpl
@@ -0,0 +1,25 @@
+const x: int;
+
+function R(int) returns (bool);
+function Even(int) returns (bool);
+
+var y: int where R(y);
+var g: int where g == 12;
+
+procedure P(x: int where x > 0) returns (y: int where y < 0);
+ requires x < 100;
+ modifies g;
+ ensures -100 < y;
+
+implementation P(xx: int where xx > 0) // error: where not allowed in implementation decl
+ returns (yy: int where yy < 0) // error: where not allowed in implementation decl
+{
+ var a: int where a == b; // b is not allowed to be mentioned here, but this test is only
+ var b: int; // for parsing, so no complaint will be issued
+
+ start:
+ a := xx;
+ call b := P(a);
+ yy := b;
+ return;
+}
diff --git a/Test/test0/WhereParsing0.bpl b/Test/test0/WhereParsing0.bpl
new file mode 100644
index 00000000..84f92741
--- /dev/null
+++ b/Test/test0/WhereParsing0.bpl
@@ -0,0 +1,28 @@
+const x: int;
+
+function R(int) returns (bool);
+function Even(int) returns (bool);
+
+var y: int where R(y);
+var g: int where g == 12;
+
+procedure P(x: int where x > 0) returns (y: int where y < 0);
+ requires x < 100;
+ modifies g;
+ ensures -100 < y;
+
+procedure Q(x: int where x > 0) returns (y: int where y < 0)
+ requires x < 100;
+ modifies g;
+ ensures (forall t: int where Even(t) :: -100 < y + t) || // error: where not allowed in quant
+ (exists t: int where Even(t) :: -100 < y + t); // error: where not allowed in quant
+{
+ var a: int;
+ var b: int;
+
+ start:
+ a := x;
+ call b := P(a);
+ y := b;
+ return;
+}
diff --git a/Test/test0/WhereParsing1.bpl b/Test/test0/WhereParsing1.bpl
new file mode 100644
index 00000000..402071bf
--- /dev/null
+++ b/Test/test0/WhereParsing1.bpl
@@ -0,0 +1,15 @@
+const x: int;
+
+function R(int) returns (bool);
+function Even(int) returns (bool);
+
+var y: int where R(y);
+var g: int where g == 12;
+
+procedure P(x: int where x > 0) returns (y: int where y < 0);
+ requires x < 100;
+ modifies g;
+ ensures -100 < y;
+
+function f(a: int, b: int where b < 0) // error: where not allowed among function parameters
+ returns (bool);
diff --git a/Test/test0/WhereParsing2.bpl b/Test/test0/WhereParsing2.bpl
new file mode 100644
index 00000000..d85287f3
--- /dev/null
+++ b/Test/test0/WhereParsing2.bpl
@@ -0,0 +1,2 @@
+const x: int where x < 0; // error: where clauses not allowed on constants
+
diff --git a/Test/test0/WhereResolution.bpl b/Test/test0/WhereResolution.bpl
new file mode 100644
index 00000000..6b28a035
--- /dev/null
+++ b/Test/test0/WhereResolution.bpl
@@ -0,0 +1,62 @@
+type double;
+
+function R(int) returns (bool);
+function K(double, bool) returns (bool);
+
+var y: int where R(y);
+var g: int where h ==> g == 12;
+var h: bool where g < 100;
+var k: double where K(k, h);
+
+procedure P(x: int where x > 0) returns (y: int where y < 0);
+ requires x < 100;
+ modifies g;
+ ensures -100 < y;
+
+implementation P(xx: int) returns (yy: int)
+{
+ var a: int where a == 10;
+ var b: int where a == b && b < g;
+
+ start:
+ a := xx;
+ call b := P(a);
+ yy := b;
+ return;
+}
+
+procedure Q(w: int where x < w || x > alpha/*error: out-parameter alpha is not in scope*/, x: int where x + w > 0)
+ returns (v: bool where v,
+ y: int where x + y + z < 0,
+ z: int where g == 12,
+ alpha: ref where old(alpha) != null, // error: cannot use old in where clause
+ beta: ref where (forall r: ref :: r == beta ==> beta == null))
+ requires x < 100;
+ modifies g;
+ ensures -100 < y;
+{
+ var a: int;
+ var b: int;
+
+ start:
+ a := x;
+ call b := P(a);
+ y := b;
+ return;
+}
+
+const SomeConstant: ref;
+
+procedure Cnst(n: ref where n != SomeConstant) returns (SomeConstant: int)
+{
+ var m: ref where m != SomeConstant;
+ var k: int where k != SomeConstant;
+ var r: ref where (forall abc: ref :: abc == SomeConstant);
+ var b: bool;
+ start:
+ b := (forall l: ref :: l == SomeConstant);
+ return;
+}
+
+type ref;
+const null : ref;
diff --git a/Test/test0/runtest.bat b/Test/test0/runtest.bat
new file mode 100644
index 00000000..c7c6ee3d
--- /dev/null
+++ b/Test/test0/runtest.bat
@@ -0,0 +1,33 @@
+@echo off
+setlocal
+
+set BGEXE=..\..\Binaries\Boogie.exe
+rem set BGEXE=mono ..\..\Binaries\Boogie.exe
+
+%BGEXE% %* /noVerify Prog0.bpl
+%BGEXE% %* /noVerify ModifiedBag.bpl
+%BGEXE% %* /noVerify Triggers0.bpl
+%BGEXE% %* /noVerify Triggers1.bpl
+%BGEXE% %* /noVerify /printInstrumented PrettyPrint.bpl
+%BGEXE% %* /noVerify Arrays0.bpl
+%BGEXE% %* /noVerify Arrays1.bpl
+%BGEXE% %* /noVerify Types0.bpl
+%BGEXE% %* /noVerify Types1.bpl
+%BGEXE% %* /noVerify WhereParsing.bpl
+%BGEXE% %* /noVerify WhereParsing0.bpl
+%BGEXE% %* /noVerify WhereParsing1.bpl
+%BGEXE% %* /noVerify WhereParsing2.bpl
+%BGEXE% %* /noVerify WhereResolution.bpl
+%BGEXE% %* /noVerify BadLabels0.bpl
+%BGEXE% %* /noVerify BadLabels1.bpl
+%BGEXE% %* /noVerify LineParse.bpl
+%BGEXE% %* /noVerify LineResolve.bpl
+%BGEXE% %* /noVerify AttributeParsingErr.bpl
+%BGEXE% %* /noVerify /print:- /env:0 AttributeParsing.bpl
+%BGEXE% %* /noVerify AttributeResolution.bpl
+%BGEXE% %* /noVerify /print:- /env:0 Quoting.bpl
+%BGEXE% %* /noVerify LargeLiterals0.bpl
+%BGEXE% %* /noVerify MapsResolutionErrors.bpl
+%BGEXE% %* /noVerify Orderings.bpl
+%BGEXE% %* /noVerify BadQuantifier.bpl
+%BGEXE% %* /noVerify EmptyCallArgs.bpl
diff --git a/Test/test1/Answer b/Test/test1/Answer
new file mode 100644
index 00000000..b0f4aac3
--- /dev/null
+++ b/Test/test1/Answer
@@ -0,0 +1,137 @@
+Frame0.bpl(10,11): Error: undeclared identifier: a
+Frame0.bpl(12,11): Error: undeclared identifier: b
+2 name resolution errors detected in Frame0.bpl
+Frame1.bpl(16,7): Error: command assigns to a global variable that is not in the enclosing method's modifies clause: g1
+Frame1.bpl(17,6): Error: command assigns to an immutable variable: a
+Frame1.bpl(22,4): Error: command assigns to a global variable that is not in the enclosing method's modifies clause: g1
+Frame1.bpl(23,4): Error: command assigns to an immutable variable: a
+Frame1.bpl(27,12): Error: command assigns to an immutable variable: hh
+Frame1.bpl(28,12): Error: command assigns to a global variable that is not in the enclosing method's modifies clause: h0
+Frame1.bpl(30,7): Error: command assigns to an immutable variable: hh
+Frame1.bpl(31,7): Error: command assigns to a global variable that is not in the enclosing method's modifies clause: h0
+Frame1.bpl(33,4): Error: command assigns to an immutable variable: hh
+Frame1.bpl(34,4): Error: command assigns to a global variable that is not in the enclosing method's modifies clause: h0
+Frame1.bpl(55,4): Error: command assigns to a global variable that is not in the enclosing method's modifies clause: g0
+Frame1.bpl(68,4): Error: command assigns to a global variable that is not in the enclosing method's modifies clause: g0
+Frame1.bpl(68,4): Error: command assigns to a global variable that is not in the enclosing method's modifies clause: g1
+Frame1.bpl(68,4): Error: command assigns to a global variable that is not in the enclosing method's modifies clause: h0
+Frame1.bpl(84,15): Error: mismatched type of in-parameter in implementation MismatchedTypes: x
+Frame1.bpl(89,15): Error: mismatched type of in-parameter in implementation MismatchedTypes: x (named y in implementation)
+16 type checking errors detected in Frame1.bpl
+
+Boogie program verifier finished with 0 verified, 0 errors
+Arrays.bpl(15,14): Error: wrong number of arguments in map select: 2 instead of 1
+Arrays.bpl(16,14): Error: wrong number of arguments in map select: 1 instead of 2
+Arrays.bpl(20,7): Error: wrong number of arguments in map assignment: 2 instead of 1
+Arrays.bpl(21,7): Error: wrong number of arguments in map assignment: 1 instead of 2
+Arrays.bpl(41,13): Error: invalid type for argument 0 in map select: bool (expected: int)
+Arrays.bpl(42,16): Error: invalid argument types (bool and int) to binary operator ==
+Arrays.bpl(43,13): Error: invalid type for argument 0 in map select: int (expected: bool)
+Arrays.bpl(43,15): Error: invalid type for argument 1 in map select: int (expected: ref)
+Arrays.bpl(44,15): Error: invalid type for argument 1 in map select: bool (expected: ref)
+Arrays.bpl(44,23): Error: invalid type for argument 0 in map select: ref (expected: bool)
+Arrays.bpl(45,13): Error: invalid type for argument 0 in map select: ref (expected: bool)
+Arrays.bpl(45,18): Error: invalid type for argument 1 in map select: int (expected: ref)
+Arrays.bpl(45,2): Error: preconditions must be of type bool
+Arrays.bpl(46,13): Error: invalid type for argument 0 in map select: int (expected: bool)
+Arrays.bpl(46,15): Error: invalid type for argument 1 in map select: int (expected: ref)
+Arrays.bpl(50,6): Error: invalid type for argument 0 in map assignment: bool (expected: int)
+Arrays.bpl(51,6): Error: invalid type for argument 0 in map assignment: int (expected: bool)
+Arrays.bpl(51,8): Error: invalid type for argument 1 in map assignment: int (expected: ref)
+Arrays.bpl(51,5): Error: mismatched types in assignment command (cannot assign ref to int)
+Arrays.bpl(52,7): Error: invalid type for argument 0 in map assignment: bool (expected: int)
+Arrays.bpl(52,5): Error: mismatched types in assignment command (cannot assign int to bool)
+Arrays.bpl(53,12): Error: invalid type for argument 1 in map assignment: bool (expected: ref)
+Arrays.bpl(113,11): Error: invalid type for argument 0 in map select: name (expected: [int,int]bool)
+Arrays.bpl(114,4): Error: mismatched types in assignment command (cannot assign [int,int]bool to [[int,int]bool,[name]name]int)
+Arrays.bpl(115,4): Error: mismatched types in assignment command (cannot assign name to [int,int]bool)
+Arrays.bpl(116,5): Error: mismatched types in assignment command (cannot assign name to bool)
+Arrays.bpl(117,8): Error: invalid type for argument 1 in map assignment: name (expected: [name]name)
+Arrays.bpl(118,4): Error: mismatched types in assignment command (cannot assign [int,int][int]int to [[int,int]bool,[name]name]int)
+Arrays.bpl(123,10): Error: wrong number of arguments in map select: 1 instead of 2
+Arrays.bpl(124,14): Error: wrong number of arguments in map select: 1 instead of 2
+Arrays.bpl(125,6): Error: invalid type for argument 0 in map assignment: bool (expected: int)
+Arrays.bpl(126,4): Error: mismatched types in assignment command (cannot assign [int,int][int]int to [int,int][name]int)
+Arrays.bpl(127,4): Error: mismatched types in assignment command (cannot assign [int,int][name]int to [int,int][int]int)
+Arrays.bpl(130,21): Error: wrong number of arguments in map select: 2 instead of 1
+Arrays.bpl(131,5): Error: wrong number of arguments in map assignment: 2 instead of 1
+Arrays.bpl(132,13): Error: wrong number of arguments in map select: 2 instead of 1
+Arrays.bpl(133,17): Error: wrong number of arguments in map select: 1 instead of 2
+Arrays.bpl(134,14): Error: wrong number of arguments in map select: 2 instead of 1
+Arrays.bpl(166,12): Error: invalid type for argument 0 in application of Sf: [int,int]bool (expected: any)
+Arrays.bpl(176,4): Error: mismatched types in assignment command (cannot assign [int,int]bool to <a>[int,a]bool)
+Arrays.bpl(177,4): Error: mismatched types in assignment command (cannot assign <a>[int,a]bool to [int,int]bool)
+Arrays.bpl(178,4): Error: mismatched types in assignment command (cannot assign [any,any]bool to <a>[int,a]bool)
+Arrays.bpl(179,4): Error: mismatched types in assignment command (cannot assign <a>[int,a]bool to [any,any]bool)
+Arrays.bpl(180,4): Error: mismatched types in assignment command (cannot assign [ref]bool to [any]bool)
+Arrays.bpl(191,18): Error: invalid type for argument 0 in map select: any (expected: int)
+Arrays.bpl(198,11): Error: invalid type for argument 0 in map assignment: any (expected: int)
+Arrays.bpl(214,24): Error: invalid type for argument 0 in call to IntMethod: int (expected: any)
+Arrays.bpl(214,9): Error: invalid type for out-parameter 0 in call to IntMethod: any (expected: int)
+Arrays.bpl(215,4): Error: mismatched types in assignment command (cannot assign int to any)
+Arrays.bpl(216,4): Error: mismatched types in assignment command (cannot assign any to int)
+Arrays.bpl(218,24): Error: invalid type for argument 0 in call to AnyMethod: any (expected: int)
+Arrays.bpl(218,9): Error: invalid type for out-parameter 0 in call to AnyMethod: int (expected: any)
+52 type checking errors detected in Arrays.bpl
+WhereTyping.bpl(25,34): Error: invalid argument types (double and int) to binary operator +
+WhereTyping.bpl(26,12): Error: where clauses must be of type bool
+WhereTyping.bpl(36,22): Error: invalid argument types (name and int) to binary operator !=
+WhereTyping.bpl(41,30): Error: invalid argument types (name and int) to binary operator ==
+4 type checking errors detected in WhereTyping.bpl
+Family.bpl(30,4): Error: mismatched types in assignment command (cannot assign int to bool)
+Family.bpl(31,8): Error: mismatched types in assignment command (cannot assign bool to int)
+Family.bpl(33,8): Error: mismatched types in assignment command (cannot assign int to y)
+Family.bpl(34,15): Error: invalid type for argument 1 in map assignment: any (expected: Field x)
+Family.bpl(35,15): Error: invalid type for argument 1 in map assignment: any (expected: Field x)
+Family.bpl(37,8): Error: mismatched types in assignment command (cannot assign bool to any)
+Family.bpl(38,8): Error: mismatched types in assignment command (cannot assign Field any to any)
+Family.bpl(39,8): Error: mismatched types in assignment command (cannot assign Field y to any)
+8 type checking errors detected in Family.bpl
+AttributeTyping.bpl(3,23): Error: ++ operands need to be bitvectors (got int, int)
+AttributeTyping.bpl(5,29): Error: invalid type for argument 0 in application of F0: bool (expected: int)
+AttributeTyping.bpl(7,26): Error: invalid type for argument 0 in application of F0: bool (expected: int)
+AttributeTyping.bpl(9,21): Error: invalid argument types (int and int) to binary operator &&
+AttributeTyping.bpl(11,22): Error: invalid argument type (int) to unary operator !
+AttributeTyping.bpl(13,32): Error: invalid argument types (int and int) to binary operator ==>
+6 type checking errors detected in AttributeTyping.bpl
+UpdateExprTyping.bpl(3,11): Error: invalid argument types ([int]bool and [int]ref) to binary operator ==
+UpdateExprTyping.bpl(4,11): Error: invalid argument types ([int]bool and [bool]bool) to binary operator ==
+UpdateExprTyping.bpl(7,16): Error: invalid type for argument 0 in map store: bool (expected: int)
+UpdateExprTyping.bpl(8,21): Error: right-hand side in map store with wrong type: int (expected: bool)
+UpdateExprTyping.bpl(9,11): Error: invalid argument types ([int]bool and [int]ref) to binary operator ==
+UpdateExprTyping.bpl(15,18): Error: invalid type for argument 0 in map store: ref (expected: int)
+UpdateExprTyping.bpl(16,20): Error: invalid type for argument 1 in map store: bool (expected: ref)
+UpdateExprTyping.bpl(17,28): Error: right-hand side in map store with wrong type: ref (expected: bool)
+UpdateExprTyping.bpl(32,2): Error: mismatched types in assignment command (cannot assign int to any)
+UpdateExprTyping.bpl(36,28): Error: right-hand side in map store with wrong type: ref (expected: any)
+UpdateExprTyping.bpl(38,27): Error: right-hand side in map store with wrong type: ref (expected: int)
+UpdateExprTyping.bpl(39,27): Error: right-hand side in map store with wrong type: int (expected: ref)
+12 type checking errors detected in UpdateExprTyping.bpl
+CallForallResolve.bpl(15,2): Error: call forall is allowed only on procedures with no modifies clause: Q
+1 type checking errors detected in CallForallResolve.bpl
+MapsTypeErrors.bpl(26,6): Error: command assigns to a global variable that is not in the enclosing method's modifies clause: m
+MapsTypeErrors.bpl(32,2): Error: mismatched types in assignment command (cannot assign int to []int)
+MapsTypeErrors.bpl(33,3): Error: mismatched types in assignment command (cannot assign []int to int)
+MapsTypeErrors.bpl(39,3): Error: mismatched types in assignment command (cannot assign bool to int)
+MapsTypeErrors.bpl(67,14): Error: invalid argument types (Field int and Field bool) to binary operator ==
+MapsTypeErrors.bpl(70,27): Error: invalid type for argument 1 in application of StrictEqual: Field bool (expected: a)
+MapsTypeErrors.bpl(75,33): Error: invalid type for argument 1 in application of StrictEqual: Field int (expected: a)
+MapsTypeErrors.bpl(77,31): Error: invalid type for argument 1 in application of IntEqual: Field alpha (expected: Field int)
+MapsTypeErrors.bpl(90,8): Error: extract operand must be a bitvector of at least 32 bits (got bv31)
+MapsTypeErrors.bpl(91,8): Error: extract operand must be a bitvector of at least 32 bits (got int)
+MapsTypeErrors.bpl(95,2): Error: mismatched types in assignment command (cannot assign bv33 to bv32)
+MapsTypeErrors.bpl(104,2): Error: mismatched types in assignment command (cannot assign bv20 to bv32)
+MapsTypeErrors.bpl(110,56): Error: invalid type for argument 1 in application of Same: bv18 (expected: T)
+MapsTypeErrors.bpl(120,4): Error: mismatched types in assignment command (cannot assign [?, ?]? to [int,int]bool)
+MapsTypeErrors.bpl(122,4): Error: mismatched types in assignment command (cannot assign [?, ?]? to HeapType)
+15 type checking errors detected in MapsTypeErrors.bpl
+Orderings.bpl(6,19): Error: parent of constant has incompatible type (int instead of C)
+1 type checking errors detected in Orderings.bpl
+EmptyCallArgs.bpl(15,17): Error: invalid type for argument 0 in call to P: int (expected: bool)
+EmptyCallArgs.bpl(26,7): Error: invalid type for out-parameter 0 in call to Q: int (expected: bool)
+EmptyCallArgs.bpl(28,7): Error: invalid type for out-parameter 0 in call to Q: int (expected: bool)
+3 type checking errors detected in EmptyCallArgs.bpl
+FunBody.bpl(6,45): Error: function body with invalid type: bool (expected: int)
+FunBody.bpl(8,61): Error: function body with invalid type: int (expected: alpha)
+FunBody.bpl(10,58): Error: function body with invalid type: int (expected: alpha)
+3 type checking errors detected in FunBody.bpl
diff --git a/Test/test1/Arrays.bpl b/Test/test1/Arrays.bpl
new file mode 100644
index 00000000..85ee783b
--- /dev/null
+++ b/Test/test1/Arrays.bpl
@@ -0,0 +1,224 @@
+var one: [int]int;
+var two: [int, int]int;
+
+procedure Good0(x: int, y: int)
+ requires one[x] == two[x,y];
+ modifies one, two;
+{
+ start:
+ one[x] := two[x,y];
+ two[x,y] := one[x];
+ return;
+}
+
+procedure Bad0(x: int, y: int)
+ requires one[x,y] == 7;
+ requires two[x] == 8;
+ modifies one, two;
+{
+ start:
+ one[x,y] := 10;
+ two[x] := 11;
+ return;
+}
+
+var A: [int]bool;
+var B: [bool, ref]int;
+
+procedure Good1(x: int, b: bool, o: ref)
+ requires A[x] && B[b,o] == 18;
+ modifies A, B;
+{
+ start:
+ A[x] := true;
+ B[b,o] := 19;
+ A[100] := false;
+ B[false,null] := 70;
+ return;
+}
+
+procedure Bad1(x: int, b: bool, o: ref)
+ requires A[b];
+ requires A[x] == 7;
+ requires B[x,x] < 12;
+ requires B[b,b] == B[o,o];
+ requires B[null,5];
+ requires B[7,7] == A[7];
+ modifies A, B;
+{
+ start:
+ A[b] := true;
+ B[3,14] := null;
+ A[A[x]] := 9;
+ B[false,false] := 70;
+ return;
+}
+
+var M: [ [int,int]bool, [name]name ]int;
+var Q: [int,int][int]int;
+var R: [int][int,int]int;
+
+procedure Good2(k: [int,int]bool, l: [name]name) returns (n: int)
+ modifies M, Q, R;
+{
+ var m: [ [int,int]bool, [name]name ]int;
+ var p: [int,int]bool;
+ var q: [int]int;
+ var qq: [int,int][int]int;
+ var r: [int,int]int;
+
+ start:
+ n := M[k,l];
+ m := M;
+ p := k;
+ p[5,8] := true;
+ m[p,l] := 13;
+ M := m;
+ goto next;
+
+ next:
+ qq := Q;
+ q := Q[13,21];
+ n := n + Q[34,55][89];
+ R[1] := R[2];
+ n := n + R[1][2,3];
+ Q[144,233] := q;
+ goto deepUpdate;
+
+ deepUpdate:
+ // To effectively do:
+ // Q[5,8][13] := 21;
+ // do:
+ q := Q[5,8];
+ q[13] := 21;
+ Q[5,8] := q;
+ return;
+}
+
+const Sven: name;
+const Mia: name;
+const Tryggve: name;
+const Gunnel: name;
+
+procedure Bad2(k: [int,int]bool, l: [name]name) returns (n: int)
+ modifies M, Q, R;
+{
+ var m: [ [int,int]bool, [name]name ]int;
+ var p: [int,int]bool;
+ var q: [int]int;
+ var qq: [int,int][int]int;
+ var qqx: [int,int][name]int;
+
+ start:
+ n := M[Sven,l];
+ m := p;
+ p := l[Mia];
+ p[5,8] := Tryggve;
+ m[p,Gunnel] := 13;
+ M := qq;
+ goto next;
+
+ next:
+ qq := Q; // okay
+ q := Q[13];
+ n := n - Q[89][34,55];
+ Q[true,233] := q;
+ qqx := qq;
+ Q := qqx;
+ qqx := qqx; // okay
+ Q := Q; // okay
+ n := n + Q[34,55][144,169];
+ R[1,2] := 0;
+ R[1] := R[2,3];
+ n := n + R[1][2];
+ n := n + R[1,2];
+ return;
+}
+
+type MyType;
+var S0: bool;
+var S1: [ref]bool;
+var S2: [ref,int]bool;
+var S3: [[ref,int]bool,MyType]MyType;
+var S4: <a>[int,a]bool;
+var S5: [int,int]bool;
+var S6: [any,any]bool;
+var S7: [int,any]any;
+var S8: [any]bool;
+
+function Sf(any) returns (bool);
+
+procedure SubtypesGood(a: any)
+ modifies S0;
+{
+ var t: MyType;
+ var b: bool;
+
+ start:
+ S0 := S1[null]; // bool := bool
+ S0 := S2[null,0]; // bool := bool
+ t := S3[S2,t];
+ goto next;
+ next:
+ b := S4[4,a];
+ b := S4[5,null]; // any := ref
+ b := S4[6,S4]; // any := [int,any]bool
+ b := Sf(S5);
+ return;
+}
+
+procedure SubtypesBad()
+ modifies S4,S5,S6;
+ modifies S8;
+{
+ start:
+ S4 := S4;
+ S4 := S5; // no
+ S5 := S4; // no
+ S4 := S6; // no
+ S6 := S4; // no
+ S8 := S1; // no
+ return;
+}
+
+// ----------------------------------------------------
+
+var ArrayA: [int]bool;
+var ArrayB: <a>[a]bool;
+
+procedure ArrayP(x: int, y: any)
+ requires ArrayA[x];
+ requires ArrayA[y]; // error
+ requires ArrayB[x];
+ requires ArrayB[y];
+ modifies ArrayA, ArrayB;
+{
+ start:
+ ArrayA[x] := true;
+ ArrayA[y] := true; // error
+ ArrayB[x] := true;
+ ArrayB[y] := true;
+ return;
+}
+
+// ----------------------------------------------------
+
+procedure IntMethod(p: any) returns (r: int);
+procedure AnyMethod(p: int) returns (r: any);
+
+procedure IntMethodCaller()
+{
+ var x: any, y: int;
+ entry:
+ call x := AnyMethod(y); // types are exact
+ call x := IntMethod(y); // error: type mismatch for out-parameter
+ x := y;
+ y := x; // error: cannot assign any to int
+ call y := IntMethod(x); // types are exact
+ call y := AnyMethod(x); // type error on both in-parameter and out-parameter
+ return;
+}
+
+
+type ref, any, name;
+const null : ref;
diff --git a/Test/test1/AttributeTyping.bpl b/Test/test1/AttributeTyping.bpl
new file mode 100644
index 00000000..204ac2ac
--- /dev/null
+++ b/Test/test1/AttributeTyping.bpl
@@ -0,0 +1,36 @@
+
+
+const {:Incorrect pux0 ++ F0(pux1)} pux0: int;
+
+function {:Incorrect F0(pux0 < 0) + pux1} F0(int) returns (int);
+
+axiom {:Incorrect F0(pux0 == pux1)} true;
+
+var {:Incorrect pux0 && pux1} pux1: int;
+
+procedure {:Incorrect !(pux0 - pux1)} P();
+
+implementation {:Incorrect pux0 ==> pux1} P()
+{
+}
+
+// ------ and here are various correct things
+
+
+
+const {:Correct hux0 + F1(hux1)} hux0: int;
+
+function {:Correct F1(hux0) + hux1} F1(int) returns (int);
+
+axiom {:Correct F1(hux0 + hux1)} true;
+
+var {:Correct hux0*hux1} hux1: int;
+
+procedure {:Correct hux0 - hux1} H();
+
+implementation {:Correct hux0 + hux1} {:AlsoCorrect "hello"} H()
+{
+}
+
+
+type any; \ No newline at end of file
diff --git a/Test/test1/CallForallResolve.bpl b/Test/test1/CallForallResolve.bpl
new file mode 100644
index 00000000..374db174
--- /dev/null
+++ b/Test/test1/CallForallResolve.bpl
@@ -0,0 +1,23 @@
+procedure P(x: int) returns (y: int);
+
+procedure CallP()
+{
+ call forall P(5); // P is allowed here, even if it has out parameters
+}
+
+var global: bool;
+
+procedure Q(x: int);
+ modifies global;
+
+procedure CallQ()
+{
+ call forall Q(5); // error: P is not allowed here, because it has a modifies clause
+}
+
+procedure R(x: int);
+
+procedure CallR()
+{
+ call forall R(5); // no problem that R has no body, though
+}
diff --git a/Test/test1/EmptyCallArgs.bpl b/Test/test1/EmptyCallArgs.bpl
new file mode 100644
index 00000000..18d837a9
--- /dev/null
+++ b/Test/test1/EmptyCallArgs.bpl
@@ -0,0 +1,31 @@
+type C;
+
+procedure P(x:int, y:bool) returns (z:C);
+procedure Q<a>(x:int, y:a) returns (z:a);
+
+procedure CallP() {
+ var x:int;
+ var y:bool;
+ var z:C;
+
+ call z := P(x, y);
+ call * := P(x, y);
+ call z := P(*, y);
+ call z := P(x, *);
+ call * := P(*, x); // type error
+ call * := P(x, *);
+ call z := P(*, *);
+ call * := P(*, *);
+}
+
+procedure CallQ() {
+ var x:int;
+ var y:bool;
+ var z:bool;
+
+ call x := Q(x, y); // type error
+ call * := Q(x, y);
+ call x := Q(*, y); // type error
+ call x := Q(x, *);
+ call * := Q(*, y);
+} \ No newline at end of file
diff --git a/Test/test1/Family.bpl b/Test/test1/Family.bpl
new file mode 100644
index 00000000..1c650d3d
--- /dev/null
+++ b/Test/test1/Family.bpl
@@ -0,0 +1,47 @@
+type T;
+
+var Heap: <x>[ref,Field x]x;
+
+function IsHeap(<x>[ref,Field x]x) returns (bool);
+
+const alloc: Field bool;
+const C.x: Field int;
+
+axiom (forall h: <x>[ref,Field x]x, f: Field ref, o: ref :: IsHeap(h) && o != null ==> h[h[o,f], alloc]);
+
+procedure P(this: ref) returns (r: int)
+ modifies Heap;
+{
+ start:
+ r := Heap[this, C.x];
+ Heap[this, C.x] := r;
+ return;
+}
+
+// -----------------
+
+procedure R(this: ref)
+ modifies Heap;
+{
+ var field: any, refField: Field ref, yField: Field y, anyField: Field any;
+ var b: bool, a: any;
+
+ start:
+ b := Heap[this, C.x]; // type error
+ Heap[this, C.x] := true; // type error
+ Heap[this, refField] := this;
+ Heap[this, yField] := 2; // type error
+ Heap[this, field] := a; // type error
+ Heap[this, field] := b; // type error
+ Heap[this, anyField] := a;
+ Heap[this, anyField] := b;
+ Heap[this, anyField] := anyField;
+ Heap[this, anyField] := yField;
+ Heap[this, anyField] := field;
+ return;
+}
+
+type Field a;
+type y;
+type ref, any;
+const null : ref;
diff --git a/Test/test1/Frame0.bpl b/Test/test1/Frame0.bpl
new file mode 100644
index 00000000..02a5af46
--- /dev/null
+++ b/Test/test1/Frame0.bpl
@@ -0,0 +1,15 @@
+var g0: int;
+var g1: int;
+
+var h0: [ref, name]any;
+var h1: [ref, name]any;
+
+const X: name;
+
+procedure P(a: ref, hh: [ref, name]any) returns (b: int, hout: [ref, name]any);
+ modifies a; // in-parameters are not mutable
+ modifies h1, g0;
+ modifies b; // out-parameters are not allowed explicitly in modifies clause
+
+
+type ref, name, any;
diff --git a/Test/test1/Frame1.bpl b/Test/test1/Frame1.bpl
new file mode 100644
index 00000000..469f43ba
--- /dev/null
+++ b/Test/test1/Frame1.bpl
@@ -0,0 +1,97 @@
+var g0: int;
+var g1: int;
+
+var h0: [ref, name]int;
+var h1: [ref, name]int;
+
+const X: name;
+
+procedure P(a: ref, hh: [ref, name]int) returns (b: int, hout: [ref, name]any);
+ modifies h1, g0;
+
+implementation P(a: ref, hh: [ref, name]int)
+ returns (b: int, hout: [ref, name]any) {
+ start:
+ g0 := 5;
+ g1 := 6; // error: g1 is not in modifies clause
+ a := null; // error: in-parameters are not mutable
+ b := 12;
+ goto next;
+ next:
+ havoc g0;
+ havoc g1; // error: g1 is not in modifies clause
+ havoc a; // error: in-parameters are not mutable
+ havoc b;
+ goto more;
+ more:
+ hh[a,X] := 101; // error: in-parameter (hh) is not mutable
+ h0[a,X] := 102; // error: h0 is not in modifies clause
+ h1[a,X] := 103;
+ hh := h0; // error: in-parameter is not mutable
+ h0 := h1; // error: h0 is not in modifies clause
+ h1 := hh;
+ havoc hh; // error: in-parameter is not mutable
+ havoc h0; // error: h0 is not in modifies clause
+ havoc h1;
+ return;
+}
+
+procedure PX();
+ modifies h1, g0;
+
+procedure PY()
+ modifies h1, g0;
+{
+ start:
+ call PX();
+ call PY();
+ return;
+}
+
+procedure PZ()
+ modifies h1;
+{
+ start:
+ call PX(); // error: PX has larger frame than PZ
+ return;
+}
+
+procedure Q() returns (x: int, y: int, h: [ref, name]int)
+{
+ start:
+ return;
+}
+
+procedure QCallerBad()
+{
+ start:
+ call g0, g1, h0 := Q();
+ return;
+}
+
+procedure QCallerGood()
+ modifies g0, h0;
+{
+ var t: int;
+
+ start:
+ call t, g0, h0 := Q();
+ return;
+}
+
+procedure MismatchedTypes(x: int);
+
+implementation MismatchedTypes(x: bool) // error
+{
+ start:
+ return;
+}
+implementation MismatchedTypes(y: bool) // error (this time with a different name for the formal)
+{
+ start:
+ return;
+}
+
+
+type ref, name, any;
+const null : ref;
diff --git a/Test/test1/FunBody.bpl b/Test/test1/FunBody.bpl
new file mode 100644
index 00000000..867942ff
--- /dev/null
+++ b/Test/test1/FunBody.bpl
@@ -0,0 +1,13 @@
+
+function g0<beta>(x:beta) returns (beta);
+function g1<beta>() returns (beta);
+
+function {:inline true} f1() returns (int) { 13 }
+function {:inline true} f2() returns (int) { true } // wrong type
+function {:inline true} f3<alpha>(x:alpha) returns (alpha) { g0(x) }
+function {:inline true} f4<alpha>(x:alpha) returns (alpha) { g0(5) } // wrong type
+function {:inline true} f5<alpha>() returns (alpha) { g1() }
+function {:inline true} f6<alpha>() returns (alpha) { g1():int } // wrong type
+
+
+
diff --git a/Test/test1/LogicalExprs.bpl b/Test/test1/LogicalExprs.bpl
new file mode 100644
index 00000000..028d18f4
--- /dev/null
+++ b/Test/test1/LogicalExprs.bpl
@@ -0,0 +1,6 @@
+const P: bool;
+const Q: bool;
+
+axiom (forall x: int :: x < 0);
+axiom Q ==> P;
+axiom (forall x: int :: x < 0) ==> P;
diff --git a/Test/test1/MapsTypeErrors.bpl b/Test/test1/MapsTypeErrors.bpl
new file mode 100644
index 00000000..0e68440d
--- /dev/null
+++ b/Test/test1/MapsTypeErrors.bpl
@@ -0,0 +1,127 @@
+var m: []int;
+var p: <a>[]a;
+
+type ref;
+const null: ref;
+
+procedure P()
+ requires m[] == 5;
+ modifies m;
+ modifies p;
+ ensures m[] == 30;
+ ensures p[] + p[] == 24;
+ ensures p[] == null;
+{
+ m[] := 12;
+ p[] := 12;
+ p[] := true;
+ assert p[] == m[];
+ assert p[];
+ m := m[:= 30];
+ p := p[:=null];
+}
+
+procedure A()
+{
+ m[] := 12; // error: illegal assignment, because m is not in modifies clause
+}
+
+procedure B()
+ modifies m;
+{
+ m := m[]; // type error
+ m[] := m; // type error
+}
+
+procedure C()
+ modifies m;
+{
+ m[] := true; // type error
+}
+
+// -----
+
+procedure Genrc<T>(x: int) returns (t: T);
+
+procedure Caller() returns (b: bool)
+{
+ var y: ref;
+ call y := Genrc(5);
+ b := y == null;
+}
+
+// ----
+
+type Field a;
+type HeapType = <a>[ref, Field a]a;
+const F0: Field int;
+const F1: Field bool;
+const alloc: Field bool;
+var Heap: HeapType;
+
+function LiberalEqual<a,b>(a, b) returns (bool);
+function StrictEqual<a>(a,a) returns (bool);
+function IntEqual(Field int,Field int) returns (bool);
+
+procedure FrameCondition(this: ref)
+ requires F0 == F1; // error
+ requires LiberalEqual(F0, F1);
+ requires StrictEqual(F0, F0);
+ requires StrictEqual(F0, F1); // error
+ modifies Heap;
+ ensures (forall<alpha> o: ref, f: Field alpha ::
+ Heap[o,f] == old(Heap)[o,f] ||
+ !old(Heap)[o,alloc] ||
+ (o == this && StrictEqual(f, F0)) || // error: f and F0 don't have the same type
+ (o == this && LiberalEqual(f, f)) ||
+ (o == this && IntEqual(F0, f)) // error: f and F0 don't have the same type
+ );
+{
+}
+
+// ---- bitvector inference ----
+
+function Gimmie<T>() returns (T);
+function Same<T>(T,T) returns (T);
+procedure ConsumeAnything<T>(t: T);
+
+procedure Bvs(x: bv31, y: int) returns (a: bv32)
+{
+ a := x[50 : 18]; // error
+ a := y[50 : 18]; // error
+
+ a := Gimmie(); // fine, this can be made to have at least 32 bits
+ a := Gimmie()[50 : 18]; // fine, result is always 32 bits and Gimmie() can be made to have at least 50 bits
+ a := Gimmie()[50 : 17]; // error, result is 33 bits (but there's nothing wrong with Gimmie())
+
+ a := Gimmie() ++ Gimmie() ++ Gimmie();
+ a := Gimmie() ++ Gimmie()[20:0];
+ a := 0bv0 ++ Gimmie()[6:6] ++ Gimmie()[17:12] ++ Gimmie() ++ Gimmie() ++ Gimmie()[27:0];
+ a := 0bv0 ++ Gimmie()[6:6] ++ Gimmie()[17:12] ++ Gimmie() ++ Gimmie() ++ Gimmie()[22:0];
+ a := 0bv0 ++ Gimmie()[6:6] ++ Gimmie()[17:12] ++ Gimmie() ++ Gimmie()[22:0] ++ Gimmie();
+ a := Gimmie() ++ 0bv0 ++ Gimmie()[6:6] ++ Gimmie()[17:12] ++ Gimmie() ++ Gimmie()[22:0];
+ a := Same(Gimmie(), Gimmie());
+ a := Same(Gimmie()[20:0], Gimmie()); // error, have only bv20, need bv32
+
+ a := Same(Gimmie() ++ Gimmie()[20:0], 0bv32);
+ a := Same(Gimmie() ++ Gimmie()[20:0], Gimmie());
+ a := Same(Gimmie() ++ Gimmie()[20:0], Gimmie() ++ Gimmie());
+ a := Same(Gimmie() ++ Gimmie()[20:0], Gimmie()[40:30] ++ Gimmie());
+ call ConsumeAnything(Same(Gimmie() ++ Gimmie()[20:0], 0bv18)); // error, can't make things smaller
+}
+
+// ---- maps again ----
+
+procedure Mmm() returns (a: [int,int]bool, b: HeapType, c: int)
+{
+ if (Gimmie()[null] == Gimmie()) {
+ a := Same(Gimmie()[Gimmie(), Gimmie() := Gimmie()], Gimmie());
+ b := Same(Gimmie()[Gimmie(), Gimmie() := Gimmie()], Gimmie());
+ a := Same(Gimmie()[Gimmie(), Gimmie() := 4], Gimmie()); // error
+ b := Same(Gimmie()[Gimmie(), Gimmie() := 5], Gimmie());
+ b := Same(Gimmie()[Gimmie(), 6 := Gimmie()], Gimmie()); // error
+ }
+ c := Gimmie()[Gimmie() := 10][null];
+ c := Gimmie()[Gimmie() := Gimmie()][null];
+ c := Gimmie()[Gimmie() := false][null];
+}
diff --git a/Test/test1/Orderings.bpl b/Test/test1/Orderings.bpl
new file mode 100644
index 00000000..be0502fa
--- /dev/null
+++ b/Test/test1/Orderings.bpl
@@ -0,0 +1,8 @@
+
+type C;
+
+const c1:C;
+const c2:C extends c1;
+const c0:C extends a; // error: parent of wrong type
+
+const a:int;
diff --git a/Test/test1/Output b/Test/test1/Output
new file mode 100644
index 00000000..b0f4aac3
--- /dev/null
+++ b/Test/test1/Output
@@ -0,0 +1,137 @@
+Frame0.bpl(10,11): Error: undeclared identifier: a
+Frame0.bpl(12,11): Error: undeclared identifier: b
+2 name resolution errors detected in Frame0.bpl
+Frame1.bpl(16,7): Error: command assigns to a global variable that is not in the enclosing method's modifies clause: g1
+Frame1.bpl(17,6): Error: command assigns to an immutable variable: a
+Frame1.bpl(22,4): Error: command assigns to a global variable that is not in the enclosing method's modifies clause: g1
+Frame1.bpl(23,4): Error: command assigns to an immutable variable: a
+Frame1.bpl(27,12): Error: command assigns to an immutable variable: hh
+Frame1.bpl(28,12): Error: command assigns to a global variable that is not in the enclosing method's modifies clause: h0
+Frame1.bpl(30,7): Error: command assigns to an immutable variable: hh
+Frame1.bpl(31,7): Error: command assigns to a global variable that is not in the enclosing method's modifies clause: h0
+Frame1.bpl(33,4): Error: command assigns to an immutable variable: hh
+Frame1.bpl(34,4): Error: command assigns to a global variable that is not in the enclosing method's modifies clause: h0
+Frame1.bpl(55,4): Error: command assigns to a global variable that is not in the enclosing method's modifies clause: g0
+Frame1.bpl(68,4): Error: command assigns to a global variable that is not in the enclosing method's modifies clause: g0
+Frame1.bpl(68,4): Error: command assigns to a global variable that is not in the enclosing method's modifies clause: g1
+Frame1.bpl(68,4): Error: command assigns to a global variable that is not in the enclosing method's modifies clause: h0
+Frame1.bpl(84,15): Error: mismatched type of in-parameter in implementation MismatchedTypes: x
+Frame1.bpl(89,15): Error: mismatched type of in-parameter in implementation MismatchedTypes: x (named y in implementation)
+16 type checking errors detected in Frame1.bpl
+
+Boogie program verifier finished with 0 verified, 0 errors
+Arrays.bpl(15,14): Error: wrong number of arguments in map select: 2 instead of 1
+Arrays.bpl(16,14): Error: wrong number of arguments in map select: 1 instead of 2
+Arrays.bpl(20,7): Error: wrong number of arguments in map assignment: 2 instead of 1
+Arrays.bpl(21,7): Error: wrong number of arguments in map assignment: 1 instead of 2
+Arrays.bpl(41,13): Error: invalid type for argument 0 in map select: bool (expected: int)
+Arrays.bpl(42,16): Error: invalid argument types (bool and int) to binary operator ==
+Arrays.bpl(43,13): Error: invalid type for argument 0 in map select: int (expected: bool)
+Arrays.bpl(43,15): Error: invalid type for argument 1 in map select: int (expected: ref)
+Arrays.bpl(44,15): Error: invalid type for argument 1 in map select: bool (expected: ref)
+Arrays.bpl(44,23): Error: invalid type for argument 0 in map select: ref (expected: bool)
+Arrays.bpl(45,13): Error: invalid type for argument 0 in map select: ref (expected: bool)
+Arrays.bpl(45,18): Error: invalid type for argument 1 in map select: int (expected: ref)
+Arrays.bpl(45,2): Error: preconditions must be of type bool
+Arrays.bpl(46,13): Error: invalid type for argument 0 in map select: int (expected: bool)
+Arrays.bpl(46,15): Error: invalid type for argument 1 in map select: int (expected: ref)
+Arrays.bpl(50,6): Error: invalid type for argument 0 in map assignment: bool (expected: int)
+Arrays.bpl(51,6): Error: invalid type for argument 0 in map assignment: int (expected: bool)
+Arrays.bpl(51,8): Error: invalid type for argument 1 in map assignment: int (expected: ref)
+Arrays.bpl(51,5): Error: mismatched types in assignment command (cannot assign ref to int)
+Arrays.bpl(52,7): Error: invalid type for argument 0 in map assignment: bool (expected: int)
+Arrays.bpl(52,5): Error: mismatched types in assignment command (cannot assign int to bool)
+Arrays.bpl(53,12): Error: invalid type for argument 1 in map assignment: bool (expected: ref)
+Arrays.bpl(113,11): Error: invalid type for argument 0 in map select: name (expected: [int,int]bool)
+Arrays.bpl(114,4): Error: mismatched types in assignment command (cannot assign [int,int]bool to [[int,int]bool,[name]name]int)
+Arrays.bpl(115,4): Error: mismatched types in assignment command (cannot assign name to [int,int]bool)
+Arrays.bpl(116,5): Error: mismatched types in assignment command (cannot assign name to bool)
+Arrays.bpl(117,8): Error: invalid type for argument 1 in map assignment: name (expected: [name]name)
+Arrays.bpl(118,4): Error: mismatched types in assignment command (cannot assign [int,int][int]int to [[int,int]bool,[name]name]int)
+Arrays.bpl(123,10): Error: wrong number of arguments in map select: 1 instead of 2
+Arrays.bpl(124,14): Error: wrong number of arguments in map select: 1 instead of 2
+Arrays.bpl(125,6): Error: invalid type for argument 0 in map assignment: bool (expected: int)
+Arrays.bpl(126,4): Error: mismatched types in assignment command (cannot assign [int,int][int]int to [int,int][name]int)
+Arrays.bpl(127,4): Error: mismatched types in assignment command (cannot assign [int,int][name]int to [int,int][int]int)
+Arrays.bpl(130,21): Error: wrong number of arguments in map select: 2 instead of 1
+Arrays.bpl(131,5): Error: wrong number of arguments in map assignment: 2 instead of 1
+Arrays.bpl(132,13): Error: wrong number of arguments in map select: 2 instead of 1
+Arrays.bpl(133,17): Error: wrong number of arguments in map select: 1 instead of 2
+Arrays.bpl(134,14): Error: wrong number of arguments in map select: 2 instead of 1
+Arrays.bpl(166,12): Error: invalid type for argument 0 in application of Sf: [int,int]bool (expected: any)
+Arrays.bpl(176,4): Error: mismatched types in assignment command (cannot assign [int,int]bool to <a>[int,a]bool)
+Arrays.bpl(177,4): Error: mismatched types in assignment command (cannot assign <a>[int,a]bool to [int,int]bool)
+Arrays.bpl(178,4): Error: mismatched types in assignment command (cannot assign [any,any]bool to <a>[int,a]bool)
+Arrays.bpl(179,4): Error: mismatched types in assignment command (cannot assign <a>[int,a]bool to [any,any]bool)
+Arrays.bpl(180,4): Error: mismatched types in assignment command (cannot assign [ref]bool to [any]bool)
+Arrays.bpl(191,18): Error: invalid type for argument 0 in map select: any (expected: int)
+Arrays.bpl(198,11): Error: invalid type for argument 0 in map assignment: any (expected: int)
+Arrays.bpl(214,24): Error: invalid type for argument 0 in call to IntMethod: int (expected: any)
+Arrays.bpl(214,9): Error: invalid type for out-parameter 0 in call to IntMethod: any (expected: int)
+Arrays.bpl(215,4): Error: mismatched types in assignment command (cannot assign int to any)
+Arrays.bpl(216,4): Error: mismatched types in assignment command (cannot assign any to int)
+Arrays.bpl(218,24): Error: invalid type for argument 0 in call to AnyMethod: any (expected: int)
+Arrays.bpl(218,9): Error: invalid type for out-parameter 0 in call to AnyMethod: int (expected: any)
+52 type checking errors detected in Arrays.bpl
+WhereTyping.bpl(25,34): Error: invalid argument types (double and int) to binary operator +
+WhereTyping.bpl(26,12): Error: where clauses must be of type bool
+WhereTyping.bpl(36,22): Error: invalid argument types (name and int) to binary operator !=
+WhereTyping.bpl(41,30): Error: invalid argument types (name and int) to binary operator ==
+4 type checking errors detected in WhereTyping.bpl
+Family.bpl(30,4): Error: mismatched types in assignment command (cannot assign int to bool)
+Family.bpl(31,8): Error: mismatched types in assignment command (cannot assign bool to int)
+Family.bpl(33,8): Error: mismatched types in assignment command (cannot assign int to y)
+Family.bpl(34,15): Error: invalid type for argument 1 in map assignment: any (expected: Field x)
+Family.bpl(35,15): Error: invalid type for argument 1 in map assignment: any (expected: Field x)
+Family.bpl(37,8): Error: mismatched types in assignment command (cannot assign bool to any)
+Family.bpl(38,8): Error: mismatched types in assignment command (cannot assign Field any to any)
+Family.bpl(39,8): Error: mismatched types in assignment command (cannot assign Field y to any)
+8 type checking errors detected in Family.bpl
+AttributeTyping.bpl(3,23): Error: ++ operands need to be bitvectors (got int, int)
+AttributeTyping.bpl(5,29): Error: invalid type for argument 0 in application of F0: bool (expected: int)
+AttributeTyping.bpl(7,26): Error: invalid type for argument 0 in application of F0: bool (expected: int)
+AttributeTyping.bpl(9,21): Error: invalid argument types (int and int) to binary operator &&
+AttributeTyping.bpl(11,22): Error: invalid argument type (int) to unary operator !
+AttributeTyping.bpl(13,32): Error: invalid argument types (int and int) to binary operator ==>
+6 type checking errors detected in AttributeTyping.bpl
+UpdateExprTyping.bpl(3,11): Error: invalid argument types ([int]bool and [int]ref) to binary operator ==
+UpdateExprTyping.bpl(4,11): Error: invalid argument types ([int]bool and [bool]bool) to binary operator ==
+UpdateExprTyping.bpl(7,16): Error: invalid type for argument 0 in map store: bool (expected: int)
+UpdateExprTyping.bpl(8,21): Error: right-hand side in map store with wrong type: int (expected: bool)
+UpdateExprTyping.bpl(9,11): Error: invalid argument types ([int]bool and [int]ref) to binary operator ==
+UpdateExprTyping.bpl(15,18): Error: invalid type for argument 0 in map store: ref (expected: int)
+UpdateExprTyping.bpl(16,20): Error: invalid type for argument 1 in map store: bool (expected: ref)
+UpdateExprTyping.bpl(17,28): Error: right-hand side in map store with wrong type: ref (expected: bool)
+UpdateExprTyping.bpl(32,2): Error: mismatched types in assignment command (cannot assign int to any)
+UpdateExprTyping.bpl(36,28): Error: right-hand side in map store with wrong type: ref (expected: any)
+UpdateExprTyping.bpl(38,27): Error: right-hand side in map store with wrong type: ref (expected: int)
+UpdateExprTyping.bpl(39,27): Error: right-hand side in map store with wrong type: int (expected: ref)
+12 type checking errors detected in UpdateExprTyping.bpl
+CallForallResolve.bpl(15,2): Error: call forall is allowed only on procedures with no modifies clause: Q
+1 type checking errors detected in CallForallResolve.bpl
+MapsTypeErrors.bpl(26,6): Error: command assigns to a global variable that is not in the enclosing method's modifies clause: m
+MapsTypeErrors.bpl(32,2): Error: mismatched types in assignment command (cannot assign int to []int)
+MapsTypeErrors.bpl(33,3): Error: mismatched types in assignment command (cannot assign []int to int)
+MapsTypeErrors.bpl(39,3): Error: mismatched types in assignment command (cannot assign bool to int)
+MapsTypeErrors.bpl(67,14): Error: invalid argument types (Field int and Field bool) to binary operator ==
+MapsTypeErrors.bpl(70,27): Error: invalid type for argument 1 in application of StrictEqual: Field bool (expected: a)
+MapsTypeErrors.bpl(75,33): Error: invalid type for argument 1 in application of StrictEqual: Field int (expected: a)
+MapsTypeErrors.bpl(77,31): Error: invalid type for argument 1 in application of IntEqual: Field alpha (expected: Field int)
+MapsTypeErrors.bpl(90,8): Error: extract operand must be a bitvector of at least 32 bits (got bv31)
+MapsTypeErrors.bpl(91,8): Error: extract operand must be a bitvector of at least 32 bits (got int)
+MapsTypeErrors.bpl(95,2): Error: mismatched types in assignment command (cannot assign bv33 to bv32)
+MapsTypeErrors.bpl(104,2): Error: mismatched types in assignment command (cannot assign bv20 to bv32)
+MapsTypeErrors.bpl(110,56): Error: invalid type for argument 1 in application of Same: bv18 (expected: T)
+MapsTypeErrors.bpl(120,4): Error: mismatched types in assignment command (cannot assign [?, ?]? to [int,int]bool)
+MapsTypeErrors.bpl(122,4): Error: mismatched types in assignment command (cannot assign [?, ?]? to HeapType)
+15 type checking errors detected in MapsTypeErrors.bpl
+Orderings.bpl(6,19): Error: parent of constant has incompatible type (int instead of C)
+1 type checking errors detected in Orderings.bpl
+EmptyCallArgs.bpl(15,17): Error: invalid type for argument 0 in call to P: int (expected: bool)
+EmptyCallArgs.bpl(26,7): Error: invalid type for out-parameter 0 in call to Q: int (expected: bool)
+EmptyCallArgs.bpl(28,7): Error: invalid type for out-parameter 0 in call to Q: int (expected: bool)
+3 type checking errors detected in EmptyCallArgs.bpl
+FunBody.bpl(6,45): Error: function body with invalid type: bool (expected: int)
+FunBody.bpl(8,61): Error: function body with invalid type: int (expected: alpha)
+FunBody.bpl(10,58): Error: function body with invalid type: int (expected: alpha)
+3 type checking errors detected in FunBody.bpl
diff --git a/Test/test1/UpdateExprTyping.bpl b/Test/test1/UpdateExprTyping.bpl
new file mode 100644
index 00000000..e495cb51
--- /dev/null
+++ b/Test/test1/UpdateExprTyping.bpl
@@ -0,0 +1,43 @@
+procedure P(a: [int]bool, b: [int]ref, c: [bool]bool)
+{
+ assert a == b; // type error
+ assert a == c; // type error
+
+ assert a == a[5 := true];
+ assert a == a[true := true]; // type error
+ assert a == a[5 := 5]; // type error in RHS
+ assert a == b[5 := null]; // type error
+}
+
+procedure Q(aa: [int,ref]bool)
+{
+ assert aa[5,null := true] != aa[2,null := false];
+ assert aa == aa[null,null := true]; // type error, index 0
+ assert aa == aa[5,true := true]; // type error, index 1
+ assert aa == aa[5,null := null]; // type error, RHS
+}
+
+type Field a;
+const unique IntField: Field int;
+const unique RefField: Field ref;
+const unique SomeField: Field any;
+
+procedure R(H: <x>[ref,Field x]x, this: ref)
+{
+ var i: int, r: ref, y: any;
+ var K: <wz>[ref,Field wz]wz;
+
+ i := H[this, IntField];
+ r := H[this, RefField];
+ y := H[this, IntField]; // type error, wrong LHS
+ y := H[this, SomeField];
+
+ K := H[this, IntField := i][this, RefField := r][this, SomeField := y];
+ K := H[this, SomeField := r]; // type error, wrong RHS
+
+ K := K[this, IntField := r]; // RHS has wrong type (ref, expecting int)
+ K := K[this, RefField := i]; // RHS has wrong type (int, expecting ref)
+}
+
+type ref, any;
+const null : ref;
diff --git a/Test/test1/WhereTyping.bpl b/Test/test1/WhereTyping.bpl
new file mode 100644
index 00000000..dba628ee
--- /dev/null
+++ b/Test/test1/WhereTyping.bpl
@@ -0,0 +1,45 @@
+var g: int where g == 12;
+
+procedure P(x: int where x > 0) returns (y: int where y < 0);
+ requires x < 100;
+ modifies g;
+ ensures -100 < y;
+
+implementation P(xx: int) returns (yy: int)
+{
+ var a: int;
+ var b: int;
+
+ start:
+ a := xx;
+ call b := P(a);
+ yy := b;
+ return;
+}
+
+type double;
+function F(double) returns (double);
+function G(double) returns (bool);
+
+procedure Q(omega: double where omega == F(omega),
+ psi: double where psi + 1 == 0, // error: psi doesn't have right type for +
+ pi: double where F(pi), // error: F has wrong return type
+ sigma: double where G(sigma));
+
+
+const SomeConstant: name;
+function fgh(int) returns (int);
+
+procedure Cnst(n: name where n <: SomeConstant /*this SomeConstant refers to the const*/) returns (SomeConstant: int)
+{
+ var k: int where k != SomeConstant; // fine, since SomeConstants refers to the out parameter
+ var m: name where m != SomeConstant; // error: types don't match up
+ var r: ref where (forall abc: int :: abc == SomeConstant);
+ var b: bool;
+ start:
+ b := (forall x: int :: fgh(x) < SomeConstant);
+ b := (forall l: name :: l == SomeConstant); // error: SomeConstant here refers to the out parameter
+ return;
+}
+
+type ref, name;
diff --git a/Test/test1/runtest.bat b/Test/test1/runtest.bat
new file mode 100644
index 00000000..c6881263
--- /dev/null
+++ b/Test/test1/runtest.bat
@@ -0,0 +1,19 @@
+@echo off
+setlocal
+
+set BGEXE=..\..\Binaries\Boogie.exe
+rem set BGEXE=mono ..\..\Binaries\Boogie.exe
+
+%BGEXE% %* /noVerify Frame0.bpl
+%BGEXE% %* /noVerify Frame1.bpl
+%BGEXE% %* /noVerify LogicalExprs.bpl
+%BGEXE% %* /noVerify Arrays.bpl
+%BGEXE% %* /noVerify WhereTyping.bpl
+%BGEXE% %* /noVerify Family.bpl
+%BGEXE% %* /noVerify AttributeTyping.bpl
+%BGEXE% %* /noVerify UpdateExprTyping.bpl
+%BGEXE% %* /noVerify CallForallResolve.bpl
+%BGEXE% %* /noVerify MapsTypeErrors.bpl
+%BGEXE% %* /noVerify Orderings.bpl
+%BGEXE% %* /noVerify EmptyCallArgs.bpl
+%BGEXE% %* /noVerify FunBody.bpl
diff --git a/Test/test13/Answer b/Test/test13/Answer
new file mode 100644
index 00000000..c8263ac1
--- /dev/null
+++ b/Test/test13/Answer
@@ -0,0 +1,15 @@
+
+-------------------- ErrorTraceTestLoopInvViolationBPL --------------------
+ErrorTraceTestLoopInvViolationBPL.bpl(7,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ ErrorTraceTestLoopInvViolationBPL.bpl(5,5): anon0
+ErrorTraceTestLoopInvViolationBPL.bpl(16,16): Error BP5004: This loop invariant might not hold on entry.
+Execution trace:
+ ErrorTraceTestLoopInvViolationBPL.bpl(14,5): anon0
+ErrorTraceTestLoopInvViolationBPL.bpl(27,17): Error BP5005: This loop invariant might not be maintained by the loop.
+Execution trace:
+ ErrorTraceTestLoopInvViolationBPL.bpl(25,5): anon0
+ ErrorTraceTestLoopInvViolationBPL.bpl(27,3): anon2_LoopHead
+ ErrorTraceTestLoopInvViolationBPL.bpl(28,7): anon2_LoopBody
+
+Boogie program verifier finished with 0 verified, 3 errors
diff --git a/Test/test13/ErrorTraceTestLoopInvViolationBPL.bpl b/Test/test13/ErrorTraceTestLoopInvViolationBPL.bpl
new file mode 100644
index 00000000..f1be4414
--- /dev/null
+++ b/Test/test13/ErrorTraceTestLoopInvViolationBPL.bpl
@@ -0,0 +1,30 @@
+// simple assert
+procedure asserting() {
+ var x: int;
+
+ x := 0;
+
+ assert x == 1;
+}
+
+// invariant failing initially
+procedure loopInvInitiallyViolated(y: int) {
+ var x: int;
+
+ x := y;
+
+ while (true) invariant (x == 1); {
+ x := 1;
+ }
+}
+
+// invariant failing after iteration
+procedure loopInvMaintenanceViolated() {
+ var x: int;
+
+ x := 0;
+
+ while (true) invariant x == 0; {
+ x := 1;
+ }
+}
diff --git a/Test/test13/Output b/Test/test13/Output
new file mode 100644
index 00000000..c8263ac1
--- /dev/null
+++ b/Test/test13/Output
@@ -0,0 +1,15 @@
+
+-------------------- ErrorTraceTestLoopInvViolationBPL --------------------
+ErrorTraceTestLoopInvViolationBPL.bpl(7,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ ErrorTraceTestLoopInvViolationBPL.bpl(5,5): anon0
+ErrorTraceTestLoopInvViolationBPL.bpl(16,16): Error BP5004: This loop invariant might not hold on entry.
+Execution trace:
+ ErrorTraceTestLoopInvViolationBPL.bpl(14,5): anon0
+ErrorTraceTestLoopInvViolationBPL.bpl(27,17): Error BP5005: This loop invariant might not be maintained by the loop.
+Execution trace:
+ ErrorTraceTestLoopInvViolationBPL.bpl(25,5): anon0
+ ErrorTraceTestLoopInvViolationBPL.bpl(27,3): anon2_LoopHead
+ ErrorTraceTestLoopInvViolationBPL.bpl(28,7): anon2_LoopBody
+
+Boogie program verifier finished with 0 verified, 3 errors
diff --git a/Test/test13/runtest.bat b/Test/test13/runtest.bat
new file mode 100644
index 00000000..e394fb2c
--- /dev/null
+++ b/Test/test13/runtest.bat
@@ -0,0 +1,11 @@
+@echo off
+setlocal
+
+set BOOGIEDIR=..\..\Binaries
+set BPLEXE=%BOOGIEDIR%\Boogie.exe
+
+for %%f in (ErrorTraceTestLoopInvViolationBPL) do (
+ echo.
+ echo -------------------- %%f --------------------
+ "%BPLEXE%" %* %%f.bpl
+)
diff --git a/Test/test15/Answer b/Test/test15/Answer
new file mode 100644
index 00000000..2054998f
--- /dev/null
+++ b/Test/test15/Answer
@@ -0,0 +1,177 @@
+
+-------------------- NullInModel --------------------
+Z3 error model:
+partitions:
+*0 -> true
+*1 -> false
+*2 {@true} -> 3:int
+*3 {@false} -> 4:int
+*4 {intType}
+*5 {boolType}
+*6 {refType}
+*7 {s null}
+*8 -> 0:int
+*9 -> 1:int
+*10 -> 2:int
+*11
+function interpretations:
+$pow2 -> {
+ *8 -> *9
+ else -> #unspecified
+}
+Ctor -> {
+ *4 -> *8
+ *5 -> *9
+ *6 -> *10
+ else -> #unspecified
+}
+type -> {
+ *7 -> *6
+ else -> #unspecified
+}
+END_OF_MODEL
+.
+identifierToPartition:
+@true : *2
+@false : *3
+intType : *4
+boolType : *5
+refType : *6
+s : *7
+null : *7
+valueToPartition:
+True : *0
+False : *1
+3 : *2
+4 : *3
+0 : *8
+1 : *9
+2 : *10
+End of model.
+NullInModel.bpl(2,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ NullInModel.bpl(2,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+
+-------------------- IntInModel --------------------
+Z3 error model:
+partitions:
+*0 -> true
+*1 -> false
+*2 {@true} -> 2:int
+*3 {@false} -> 3:int
+*4 {intType}
+*5 {boolType}
+*6 {i} -> 0:int
+*7 -> 1:int
+*8
+function interpretations:
+$pow2 -> {
+ *6 -> *7
+ else -> #unspecified
+}
+Ctor -> {
+ *4 -> *6
+ *5 -> *7
+ else -> #unspecified
+}
+END_OF_MODEL
+.
+identifierToPartition:
+@true : *2
+@false : *3
+intType : *4
+boolType : *5
+i : *6
+valueToPartition:
+True : *0
+False : *1
+2 : *2
+3 : *3
+0 : *6
+1 : *7
+End of model.
+IntInModel.bpl(2,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ IntInModel.bpl(2,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+
+-------------------- ModelTest --------------------
+Z3 error model:
+partitions:
+*0 -> true
+*1 -> false
+*2 {@true} -> 5:int
+*3 {@false} -> 6:int
+*4 {intType}
+*5 {boolType}
+*6 {refType}
+*7 {s}
+*8 {r}
+*9 {i@0} -> 1:int
+*10 {j@0} -> 2:int
+*11 {j@1} -> 3:int
+*12 {j@2} -> 4:int
+*13 -> 0:int
+*14
+function interpretations:
+$pow2 -> {
+ *13 -> *9
+ else -> #unspecified
+}
+Ctor -> {
+ *4 -> *13
+ *5 -> *9
+ *6 -> *10
+ else -> #unspecified
+}
+type -> {
+ *7 -> *6
+ *8 -> *6
+ else -> #unspecified
+}
+END_OF_MODEL
+.
+identifierToPartition:
+@true : *2
+@false : *3
+intType : *4
+boolType : *5
+refType : *6
+s : *7
+r : *8
+i@0 : *9
+j@0 : *10
+j@1 : *11
+j@2 : *12
+valueToPartition:
+True : *0
+False : *1
+5 : *2
+6 : *3
+1 : *9
+2 : *10
+3 : *11
+4 : *12
+0 : *13
+End of model.
+ModelTest.bpl(7,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ ModelTest.bpl(3,5): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+
+-------------------- InterpretedFunctionTests --------------------
+InterpretedFunctionTests.bpl(4,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterpretedFunctionTests.bpl(2,3): anon0
+InterpretedFunctionTests.bpl(10,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterpretedFunctionTests.bpl(8,3): anon0
+InterpretedFunctionTests.bpl(16,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterpretedFunctionTests.bpl(14,3): anon0
+
+Boogie program verifier finished with 0 verified, 3 errors
diff --git a/Test/test15/IntInModel.bpl b/Test/test15/IntInModel.bpl
new file mode 100644
index 00000000..09fc1436
--- /dev/null
+++ b/Test/test15/IntInModel.bpl
@@ -0,0 +1,3 @@
+procedure M (i: int) {
+ assert i != 0;
+}
diff --git a/Test/test15/InterpretedFunctionTests.bpl b/Test/test15/InterpretedFunctionTests.bpl
new file mode 100644
index 00000000..ec57ae8e
--- /dev/null
+++ b/Test/test15/InterpretedFunctionTests.bpl
@@ -0,0 +1,17 @@
+procedure addition(x: int, y: int) {
+ assume x == 1;
+ assume y == 2;
+ assert x + y == 4;
+}
+
+procedure subtraction(x: int, y: int) {
+ assume x == 1;
+ assume y == 2;
+ assert x - y == 4; //only shows x-y == -1 when run with /method:subtraction, WHY???
+}
+
+procedure multiplication(x: int, y: int) {
+ assume x == 1;
+ assume y == 2;
+ assert x * y == 4;
+}
diff --git a/Test/test15/ModelTest.bpl b/Test/test15/ModelTest.bpl
new file mode 100644
index 00000000..6f03d0bd
--- /dev/null
+++ b/Test/test15/ModelTest.bpl
@@ -0,0 +1,10 @@
+procedure M (s : ref, r : ref) {
+ var i : int, j : int;
+ i := 0 + 1;
+ j := i + 1;
+ j := j + 1;
+ j := j + 1;
+ assert i == j;
+ assert s == r;
+}
+type ref;
diff --git a/Test/test15/NullInModel.bpl b/Test/test15/NullInModel.bpl
new file mode 100644
index 00000000..67c34e3d
--- /dev/null
+++ b/Test/test15/NullInModel.bpl
@@ -0,0 +1,5 @@
+procedure M (s: ref) {
+ assert s != null;
+}
+type ref;
+const null: ref;
diff --git a/Test/test15/Output b/Test/test15/Output
new file mode 100644
index 00000000..2054998f
--- /dev/null
+++ b/Test/test15/Output
@@ -0,0 +1,177 @@
+
+-------------------- NullInModel --------------------
+Z3 error model:
+partitions:
+*0 -> true
+*1 -> false
+*2 {@true} -> 3:int
+*3 {@false} -> 4:int
+*4 {intType}
+*5 {boolType}
+*6 {refType}
+*7 {s null}
+*8 -> 0:int
+*9 -> 1:int
+*10 -> 2:int
+*11
+function interpretations:
+$pow2 -> {
+ *8 -> *9
+ else -> #unspecified
+}
+Ctor -> {
+ *4 -> *8
+ *5 -> *9
+ *6 -> *10
+ else -> #unspecified
+}
+type -> {
+ *7 -> *6
+ else -> #unspecified
+}
+END_OF_MODEL
+.
+identifierToPartition:
+@true : *2
+@false : *3
+intType : *4
+boolType : *5
+refType : *6
+s : *7
+null : *7
+valueToPartition:
+True : *0
+False : *1
+3 : *2
+4 : *3
+0 : *8
+1 : *9
+2 : *10
+End of model.
+NullInModel.bpl(2,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ NullInModel.bpl(2,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+
+-------------------- IntInModel --------------------
+Z3 error model:
+partitions:
+*0 -> true
+*1 -> false
+*2 {@true} -> 2:int
+*3 {@false} -> 3:int
+*4 {intType}
+*5 {boolType}
+*6 {i} -> 0:int
+*7 -> 1:int
+*8
+function interpretations:
+$pow2 -> {
+ *6 -> *7
+ else -> #unspecified
+}
+Ctor -> {
+ *4 -> *6
+ *5 -> *7
+ else -> #unspecified
+}
+END_OF_MODEL
+.
+identifierToPartition:
+@true : *2
+@false : *3
+intType : *4
+boolType : *5
+i : *6
+valueToPartition:
+True : *0
+False : *1
+2 : *2
+3 : *3
+0 : *6
+1 : *7
+End of model.
+IntInModel.bpl(2,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ IntInModel.bpl(2,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+
+-------------------- ModelTest --------------------
+Z3 error model:
+partitions:
+*0 -> true
+*1 -> false
+*2 {@true} -> 5:int
+*3 {@false} -> 6:int
+*4 {intType}
+*5 {boolType}
+*6 {refType}
+*7 {s}
+*8 {r}
+*9 {i@0} -> 1:int
+*10 {j@0} -> 2:int
+*11 {j@1} -> 3:int
+*12 {j@2} -> 4:int
+*13 -> 0:int
+*14
+function interpretations:
+$pow2 -> {
+ *13 -> *9
+ else -> #unspecified
+}
+Ctor -> {
+ *4 -> *13
+ *5 -> *9
+ *6 -> *10
+ else -> #unspecified
+}
+type -> {
+ *7 -> *6
+ *8 -> *6
+ else -> #unspecified
+}
+END_OF_MODEL
+.
+identifierToPartition:
+@true : *2
+@false : *3
+intType : *4
+boolType : *5
+refType : *6
+s : *7
+r : *8
+i@0 : *9
+j@0 : *10
+j@1 : *11
+j@2 : *12
+valueToPartition:
+True : *0
+False : *1
+5 : *2
+6 : *3
+1 : *9
+2 : *10
+3 : *11
+4 : *12
+0 : *13
+End of model.
+ModelTest.bpl(7,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ ModelTest.bpl(3,5): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+
+-------------------- InterpretedFunctionTests --------------------
+InterpretedFunctionTests.bpl(4,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterpretedFunctionTests.bpl(2,3): anon0
+InterpretedFunctionTests.bpl(10,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterpretedFunctionTests.bpl(8,3): anon0
+InterpretedFunctionTests.bpl(16,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterpretedFunctionTests.bpl(14,3): anon0
+
+Boogie program verifier finished with 0 verified, 3 errors
diff --git a/Test/test15/runtest.bat b/Test/test15/runtest.bat
new file mode 100644
index 00000000..90771065
--- /dev/null
+++ b/Test/test15/runtest.bat
@@ -0,0 +1,16 @@
+@echo off
+setlocal
+
+set BOOGIEDIR=..\..\Binaries
+set BGEXE=%BOOGIEDIR%\boogie.exe
+
+for %%f in (NullInModel IntInModel ModelTest) do (
+ echo.
+ echo -------------------- %%f --------------------
+ "%BGEXE%" %* %%f.bpl /printModel:2
+)
+for %%f in (InterpretedFunctionTests) do (
+ echo.
+ echo -------------------- %%f --------------------
+ "%BGEXE%" %* %%f.bpl
+)
diff --git a/Test/test16/Answer b/Test/test16/Answer
new file mode 100644
index 00000000..5fac425b
--- /dev/null
+++ b/Test/test16/Answer
@@ -0,0 +1,23 @@
+-------------------- LoopUnroll.bpl /loopUnroll:1 --------------------
+LoopUnroll.bpl(56,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ LoopUnroll.bpl(52,5): anon0#1
+ LoopUnroll.bpl(53,3): anon2_LoopHead#1
+ LoopUnroll.bpl(55,5): anon2_LoopBody#1
+
+Boogie program verifier finished with 2 verified, 1 error
+-------------------- LoopUnroll.bpl /loopUnroll:2 --------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+-------------------- LoopUnroll.bpl /loopUnroll:3 --------------------
+LoopUnroll.bpl(74,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ LoopUnroll.bpl(68,5): anon0#3
+ LoopUnroll.bpl(69,3): anon2_LoopHead#3
+ LoopUnroll.bpl(71,5): anon2_LoopBody#3
+ LoopUnroll.bpl(69,3): anon2_LoopHead#2
+ LoopUnroll.bpl(71,5): anon2_LoopBody#2
+ LoopUnroll.bpl(69,3): anon2_LoopHead#1
+ LoopUnroll.bpl(71,5): anon2_LoopBody#1
+
+Boogie program verifier finished with 0 verified, 1 error
diff --git a/Test/test16/LoopUnroll.bpl b/Test/test16/LoopUnroll.bpl
new file mode 100644
index 00000000..83bf2686
--- /dev/null
+++ b/Test/test16/LoopUnroll.bpl
@@ -0,0 +1,79 @@
+procedure P()
+{
+ var x: int;
+
+ A:
+ x := 0;
+ goto B, Goner, C;
+
+ B:
+ x := 1;
+ goto D;
+
+ C:
+ x := 2;
+ goto D;
+
+ Goner:
+ x := 5;
+ assume false;
+ x := 6;
+ goto B;
+
+ D:
+ x := 3;
+ goto LoopHead;
+
+ LoopHead:
+ assert x < 100;
+ goto LoopBody, LoopDone;
+
+ LoopBody:
+ x := x + 1;
+ goto LoopHead, LoopBodyMore;
+
+ LoopBodyMore:
+ x := x + 2;
+ goto LoopHead;
+
+ LoopDone:
+ x := 88;
+ return;
+}
+
+type MyValue;
+const SpecialValue: MyValue;
+
+procedure WrongRange(a: [int]MyValue, N: int)
+ requires 0 <= N;
+{
+ var i: int, v: MyValue;
+
+ i := 1; // bad idea
+ while (i <= N) // also a bad idea
+ {
+ assert 0 <= i; // lower bounds check
+ assert i < N; // error: upper bounds check
+ v := a[i];
+ i := i + 1;
+ }
+}
+
+procedure ManyIterations(a: [int]MyValue, N: int)
+ requires 0 <= N;
+ requires a[0] != SpecialValue && a[1] != SpecialValue;
+{
+ var i: int, v: MyValue;
+
+ i := 0;
+ while (i < N)
+ {
+ assert 0 <= i; // lower bounds check
+ assert i < N; // upper bounds check
+ v := a[i];
+ assert a[i] != SpecialValue; // error: after more than 2 loop unrollings
+ i := i + 1;
+ }
+}
+
+// ERROR: /printInstrumented seems to erase filename source-location information
diff --git a/Test/test16/Output b/Test/test16/Output
new file mode 100644
index 00000000..5fac425b
--- /dev/null
+++ b/Test/test16/Output
@@ -0,0 +1,23 @@
+-------------------- LoopUnroll.bpl /loopUnroll:1 --------------------
+LoopUnroll.bpl(56,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ LoopUnroll.bpl(52,5): anon0#1
+ LoopUnroll.bpl(53,3): anon2_LoopHead#1
+ LoopUnroll.bpl(55,5): anon2_LoopBody#1
+
+Boogie program verifier finished with 2 verified, 1 error
+-------------------- LoopUnroll.bpl /loopUnroll:2 --------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+-------------------- LoopUnroll.bpl /loopUnroll:3 --------------------
+LoopUnroll.bpl(74,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ LoopUnroll.bpl(68,5): anon0#3
+ LoopUnroll.bpl(69,3): anon2_LoopHead#3
+ LoopUnroll.bpl(71,5): anon2_LoopBody#3
+ LoopUnroll.bpl(69,3): anon2_LoopHead#2
+ LoopUnroll.bpl(71,5): anon2_LoopBody#2
+ LoopUnroll.bpl(69,3): anon2_LoopHead#1
+ LoopUnroll.bpl(71,5): anon2_LoopBody#1
+
+Boogie program verifier finished with 0 verified, 1 error
diff --git a/Test/test16/runtest.bat b/Test/test16/runtest.bat
new file mode 100644
index 00000000..069ecd63
--- /dev/null
+++ b/Test/test16/runtest.bat
@@ -0,0 +1,13 @@
+@echo off
+setlocal
+
+set BOOGIEDIR=..\..\Binaries
+set BPLEXE=%BOOGIEDIR%\Boogie.exe
+
+echo -------------------- LoopUnroll.bpl /loopUnroll:1 --------------------
+"%BPLEXE%" %* /loopUnroll:1 /logPrefix:-lu1 LoopUnroll.bpl
+echo -------------------- LoopUnroll.bpl /loopUnroll:2 --------------------
+"%BPLEXE%" %* LoopUnroll.bpl /logPrefix:-lu2 /proc:ManyIterations /loopUnroll:2
+echo -------------------- LoopUnroll.bpl /loopUnroll:3 --------------------
+"%BPLEXE%" %* LoopUnroll.bpl /logPrefix:-lu3 /proc:ManyIterations /loopUnroll:3
+
diff --git a/Test/test17/Answer b/Test/test17/Answer
new file mode 100644
index 00000000..8a1a816b
--- /dev/null
+++ b/Test/test17/Answer
@@ -0,0 +1,8 @@
+
+-------------------- contractinfer --------------------
+
+Boogie program verifier finished with 2 verified, 0 errors
+
+-------------------- flpydisk --------------------
+
+Boogie program verifier finished with 2 verified, 0 errors
diff --git a/Test/test17/contractinfer.bpl b/Test/test17/contractinfer.bpl
new file mode 100644
index 00000000..aeec020a
--- /dev/null
+++ b/Test/test17/contractinfer.bpl
@@ -0,0 +1,24 @@
+const {:existential true} b1:bool;
+const {:existential true} b2:bool;
+const {:existential true} b3:bool;
+const {:existential true} b4:bool;
+
+var array:[int]int;
+
+procedure foo (i:int)
+requires b2 ==> i > 0;
+ensures b3 ==> array[i] > 0;
+modifies array;
+ensures (forall x:int :: {array[x]} x == i || array[x] == old(array)[x]);
+{
+ array[i] := 2 * i;
+}
+
+procedure bar (j:int) returns (result:int)
+requires b4 ==> j > 0;
+modifies array;
+ensures (forall x:int :: {array[x]} (b1 && x == j) || array[x] == old(array)[x]);
+{
+ call foo(j);
+ result := array[j];
+} \ No newline at end of file
diff --git a/Test/test17/flpydisk.bpl b/Test/test17/flpydisk.bpl
new file mode 100644
index 00000000..4883f080
--- /dev/null
+++ b/Test/test17/flpydisk.bpl
@@ -0,0 +1,2295 @@
+type ptr;
+function Ptr(ref, int) returns (ptr);
+function Obj(ptr) returns (ref);
+function Off(ptr) returns (int);
+
+// Ptr, Obj, Off axioms
+axiom(forall x:ptr :: {Obj(x)}{Off(x)} x == Ptr(Obj(x), Off(x)));
+axiom(forall x_obj:ref, x_off:int :: {Ptr(x_obj, x_off)} x_obj == Obj(Ptr(x_obj, x_off)));
+axiom(forall x_obj:ref, x_off:int :: {Ptr(x_obj, x_off)} x_off == Off(Ptr(x_obj, x_off)));
+
+// Mutable
+var Mem:[ptr]ptr;
+var alloc:[ref]name;
+var BS:[ptr]bool;
+const field:[ptr]name;
+
+// Immutable
+function Size(ref) returns (int);
+function Type(ref) returns (int);
+function IsHeap(ref) returns (bool); //if the object was allocated by malloc or allocation due to address taken
+
+// Constants
+const unique UNALLOCATED:name;
+const unique ALLOCATED:name;
+
+function In(ptr, [ptr]bool) returns (bool);
+function Subset([ptr]bool, [ptr]bool) returns (bool);
+//function Equal([ptr]bool, [ptr]bool) returns (bool);
+function Disjoint([ptr]bool, [ptr]bool) returns (bool);
+//function UniqueDereference([ptr]bool, [ptr]ptr, ptr) returns (bool);
+
+//function Element(a:ptr) returns (bool);
+//axiom(forall a:ptr, S:[ptr]bool :: {In(a,S)} Element(a));
+
+function Empty() returns ([ptr]bool);
+function Singleton(ptr) returns ([ptr]bool);
+function Reachable([ptr,ptr]bool, ptr) returns ([ptr]bool);
+function Union([ptr]bool, [ptr]bool) returns ([ptr]bool);
+function Intersection([ptr]bool, [ptr]bool) returns ([ptr]bool);
+function Difference([ptr]bool, [ptr]bool) returns ([ptr]bool);
+function Decrement([ptr]bool, int) returns ([ptr]bool);
+function Increment([ptr]bool, int) returns ([ptr]bool);
+function Dereference([ptr]bool, [ptr]ptr) returns ([ptr]bool);
+function Array(ptr, int, ptr) returns ([ptr]bool);
+function Array1(ptr, ptr) returns ([ptr]bool);
+
+
+axiom(forall x:ptr :: !In(x, Empty()));
+
+axiom(forall x:ptr, y:ptr :: {In(x, Singleton(y))} In(x, Singleton(y)) ==> x == y);
+axiom(forall y:ptr :: {Singleton(y)} In(y, Singleton(y)));
+
+/* this formulation of Union IS more complete than the earlier one */
+/* In(e, A U B), In(d, A), A U B = Singleton(c), d != e */
+axiom(forall x:ptr, S:[ptr]bool, T:[ptr]bool :: {In(x, Union(S,T))} In(x, Union(S,T)) ==> In(x, S) || In(x,T));
+axiom(forall x:ptr, S:[ptr]bool, T:[ptr]bool :: {Union(S,T), In(x,S)} In(x, S) ==> In(x, Union(S,T)));
+axiom(forall x:ptr, S:[ptr]bool, T:[ptr]bool :: {Union(S,T), In(x,T)} In(x, T) ==> In(x, Union(S,T)));
+
+axiom(forall x:ptr, S:[ptr]bool, T:[ptr]bool :: {In(x,S), In(x,T), Intersection(S,T)} In(x,S) && In(x,T) ==> In(x, Intersection(S,T)));
+axiom(forall x:ptr, S:[ptr]bool, T:[ptr]bool :: {In(x,Intersection(S,T))} In(x, Intersection(S,T)) ==> In(x,S) && In(x,T));
+
+axiom(forall x:ptr, S:[ptr]bool, T:[ptr]bool :: {Difference(S,T), In(x,S)} In(x, S) ==> In(x, Difference(S,T)) || In(x,T));
+axiom(forall x:ptr, S:[ptr]bool, T:[ptr]bool :: {In(x,Difference(S,T))} In(x, Difference(S,T)) ==> In(x, S));
+axiom(forall x:ptr, S:[ptr]bool, T:[ptr]bool :: {In(x,Difference(S,T)), In(x,T)} !(In(x, Difference(S,T)) && In(x,T)));
+
+axiom(forall x:ptr, n:int, S:[ptr]bool :: {In(x, Decrement(S,n))} In(x, Decrement(S,n)) <==> In(Ptr(Obj(x),Off(x)+n),S));
+axiom(forall x:ptr, n:int, S:[ptr]bool :: {In(x, Increment(S,n))} In(x, Increment(S,n)) <==> In(Ptr(Obj(x),Off(x)-n),S));
+
+axiom(forall x:ptr, S:[ptr]bool, M:[ptr]ptr :: {In(x, Dereference(S,M))} In(x, Dereference(S,M)) ==> (exists y:ptr :: x == M[y] && In(y,S)));
+axiom(forall x:ptr, S:[ptr]bool, M:[ptr]ptr :: {M[x], In(x, S), Dereference(S,M)} In(x, S) ==> In(M[x], Dereference(S,M)));
+
+axiom(forall a:ptr, x:ptr, n:int, z:ptr :: {In(a,Array(x,n,z))}
+ In(a,Array(x,n,z)) ==>
+ (Obj(a) == Obj(x) && Obj(z) == null && (exists k:int :: 0 <= k && k < Off(z) && Off(a) == Off(x) + n*k)));
+
+axiom(forall a:ptr, x:ptr, n:int, z:ptr :: {In(a, Array(x,n,z))}
+ In(a, Array(x,n,z)) ==> (exists k:int :: 0 <= k && a == PLUS(x,n,Ptr(null,k))));
+axiom(forall x:ptr, n:int, z:ptr :: {Array(x,n,z)} Obj(z) == null && Off(z) > 0 ==> In(x, Array(x,n,z)));
+axiom(forall x:ptr, n:int, y:ptr, z:ptr :: {PLUS(x,n,y), Array(x,n,z)}
+ Obj(y) == null && Obj(z) == null && Off(x) <= Off(PLUS(x,n,y)) && Off(PLUS(x,n,y)) < Off(PLUS(x,n,z)) <==> In(PLUS(x,n,y), Array(x,n,z)));
+
+axiom(forall x:ptr, y:ptr, z:ptr :: {In(x,Array1(y,z))}
+ In(x,Array1(y,z)) <==>
+ (Obj(x) == Obj(y) && Off(y) <= Off(x) && Off(x) < Off(y) + Off(z)));
+
+
+/*
+axiom(forall x:ptr :: !In(x, Empty()));
+axiom(forall x:ptr, y:ptr :: {In(x, Singleton(y))} In(x, Singleton(y)) <==> x == y);
+
+axiom(forall x:ptr, S:[ptr]bool, T:[ptr]bool :: {In(x, Union(S,T))} In(x, Union(S,T)) <==> In(x, S) || In(x,T));
+axiom(forall x:ptr, S:[ptr]bool, T:[ptr]bool :: {Union(S,T), In(x,S)} In(x, S) ==> In(x, Union(S,T)));
+axiom(forall x:ptr, S:[ptr]bool, T:[ptr]bool :: {Union(S,T), In(x,T)} In(x, T) ==> In(x, Union(S,T)));
+
+axiom(forall x:ptr, S:[ptr]bool, T:[ptr]bool :: {In(x, Difference(S,T))} In(x, Difference(S,T)) <==> In(x, S) && !In(x,T));
+axiom(forall x:ptr, S:[ptr]bool, T:[ptr]bool :: {Difference(S,T), In(x,S), In(x,T)} (In(x, S) && !In(x,T)) ==> In(x, Difference(S,T)));
+
+axiom(forall x:ptr, n:int, S:[ptr]bool :: {In(x, Decrement(S,n))} In(x, Decrement(S,n)) <==> In(Ptr(Obj(x),Off(x)+n),S));
+axiom(forall x:ptr, n:int, S:[ptr]bool :: {In(x, Increment(S,n))} In(x, Increment(S,n)) <==> In(Ptr(Obj(x),Off(x)-n),S));
+axiom(forall x:ptr, S:[ptr]bool, M:[ptr]ptr :: {In(x, Dereference(S,M))} In(x, Dereference(S,M)) <==> (exists y:ptr :: x == M[y] && In(y,S)));
+axiom(forall x:ptr, S:[ptr]bool, M:[ptr]ptr :: {In(x, S), Dereference(S,M)} In(x, S) ==> In(M[x], Dereference(S,M)));
+
+axiom(forall a:ptr, x:ptr, n:int, z:ptr :: {In(a,Array(x,n,z))}
+ In(a,Array(x,n,z)) ==>
+ (Obj(a) == Obj(x) && Obj(z) == null && (exists k:int :: 0 <= k && k < Off(z) && Off(a) == Off(x) + n*k)));
+
+axiom(forall a:ptr, x:ptr, n:int, z:ptr :: {In(a, Array(x,n,z))}
+ In(a, Array(x,n,z)) ==> (exists k:int :: 0 <= k && a == PLUS(x,n,Ptr(null,k))));
+axiom(forall x:ptr, n:int, z:ptr :: {Array(x,n,z)} Obj(z) == null && Off(z) > 0 ==> In(x, Array(x,n,z)));
+axiom(forall x:ptr, n:int, y:ptr, z:ptr :: {PLUS(x,n,y), Array(x,n,z)}
+ Obj(y) == null && Obj(z) == null && Off(x) <= Off(PLUS(x,n,y)) && Off(PLUS(x,n,y)) < Off(PLUS(x,n,z)) <==> In(PLUS(x,n,y), Array(x,n,z)));
+
+axiom(forall x:ptr, y:ptr, z:ptr :: {In(x,Array1(y,z))}
+ In(x,Array1(y,z)) <==>
+ (Obj(x) == Obj(y) && Off(y) <= Off(x) && Off(x) < Off(y) + Off(z)));
+*/
+
+axiom(forall x:ptr, S:[ptr]bool, T:[ptr]bool :: {In(x,S), Subset(S,T)} In(x,S) && Subset(S,T) ==> In(x,T));
+axiom(forall S:[ptr]bool, T:[ptr]bool :: {Subset(S,T)} Subset(S,T) || (exists x:ptr :: In(x,S) && !In(x,T)));
+axiom(forall x:ptr, S:[ptr]bool, T:[ptr]bool :: {In(x,S), Disjoint(S,T), In(x,T)} !(In(x,S) && Disjoint(S,T) && In(x,T)));
+axiom(forall S:[ptr]bool, T:[ptr]bool :: {Disjoint(S,T)} Disjoint(S,T) || (exists x:ptr :: In(x,S) && In(x,T)));
+
+/*
+axiom(forall S:[ptr]bool, T:[ptr]bool :: {Subset(S,T)} Subset(S,T) <==> (forall x:ptr :: In(x,S) ==> In(x,T)));
+axiom(forall S:[ptr]bool, T:[ptr]bool :: {Equal(S,T)} Equal(S,T) <==> Subset(T,S) && Subset(S,T));
+axiom(forall S:[ptr]bool, T:[ptr]bool :: {Disjoint(S,T)} Disjoint(S,T) <==> (forall x:ptr :: !(In(x,S) && In(x,T))));
+axiom(forall S:[ptr]bool, M:[ptr]ptr, p:ptr :: {UniqueDereference(S,M,p)}
+ UniqueDereference(S,M,p) <==>
+ (forall x:ptr, y:ptr :: {M[x],M[y]} In(x,S) && In(y,S) && M[x] == M[y] ==> x == y || M[x] == p));
+*/
+
+
+function ByteCapacity__DISKETTE_EXTENSION(ptr) returns (ptr);
+function home_ByteCapacity__DISKETTE_EXTENSION(ptr) returns (ptr);
+function _S_ByteCapacity__DISKETTE_EXTENSION([ptr]bool) returns ([ptr]bool);
+function _S_home_ByteCapacity__DISKETTE_EXTENSION([ptr]bool) returns ([ptr]bool);
+
+axiom (forall x:ptr :: {ByteCapacity__DISKETTE_EXTENSION(x)} home_ByteCapacity__DISKETTE_EXTENSION(ByteCapacity__DISKETTE_EXTENSION(x)) == x);
+axiom (forall x:ptr :: {home_ByteCapacity__DISKETTE_EXTENSION(x)} ByteCapacity__DISKETTE_EXTENSION(home_ByteCapacity__DISKETTE_EXTENSION(x)) == x);
+axiom (forall x:ptr :: {ByteCapacity__DISKETTE_EXTENSION(x)} ByteCapacity__DISKETTE_EXTENSION(x) == Ptr(Obj(x), Off(x) + 152));
+axiom (forall x:ptr :: {home_ByteCapacity__DISKETTE_EXTENSION(x)} home_ByteCapacity__DISKETTE_EXTENSION(x) == Ptr(Obj(x), Off(x) - 152));
+
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S_ByteCapacity__DISKETTE_EXTENSION(S))} In(x, _S_ByteCapacity__DISKETTE_EXTENSION(S)) ==> In(home_ByteCapacity__DISKETTE_EXTENSION(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S_home_ByteCapacity__DISKETTE_EXTENSION(S))} In(x, _S_home_ByteCapacity__DISKETTE_EXTENSION(S)) ==> In(ByteCapacity__DISKETTE_EXTENSION(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S_ByteCapacity__DISKETTE_EXTENSION(S)} In(x, S) ==> In(ByteCapacity__DISKETTE_EXTENSION(x), _S_ByteCapacity__DISKETTE_EXTENSION(S)));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S_home_ByteCapacity__DISKETTE_EXTENSION(S)} In(x, S) ==> In(home_ByteCapacity__DISKETTE_EXTENSION(x), _S_home_ByteCapacity__DISKETTE_EXTENSION(S)));
+
+axiom (forall x:ptr :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,152), 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,152), 1) == home_ByteCapacity__DISKETTE_EXTENSION(x));
+axiom (forall x:ptr :: {MINUS_LEFT_PTR(x, 1, Ptr(null,152))} MINUS_LEFT_PTR(x, 1, Ptr(null,152)) == home_ByteCapacity__DISKETTE_EXTENSION(x));
+
+
+
+
+
+function ByteOffset___unnamed_16_39e6661e(ptr) returns (ptr);
+function home_ByteOffset___unnamed_16_39e6661e(ptr) returns (ptr);
+function _S_ByteOffset___unnamed_16_39e6661e([ptr]bool) returns ([ptr]bool);
+function _S_home_ByteOffset___unnamed_16_39e6661e([ptr]bool) returns ([ptr]bool);
+
+axiom (forall x:ptr :: {ByteOffset___unnamed_16_39e6661e(x)} home_ByteOffset___unnamed_16_39e6661e(ByteOffset___unnamed_16_39e6661e(x)) == x);
+axiom (forall x:ptr :: {home_ByteOffset___unnamed_16_39e6661e(x)} ByteOffset___unnamed_16_39e6661e(home_ByteOffset___unnamed_16_39e6661e(x)) == x);
+axiom (forall x:ptr :: {ByteOffset___unnamed_16_39e6661e(x)} ByteOffset___unnamed_16_39e6661e(x) == Ptr(Obj(x), Off(x) + 8));
+axiom (forall x:ptr :: {home_ByteOffset___unnamed_16_39e6661e(x)} home_ByteOffset___unnamed_16_39e6661e(x) == Ptr(Obj(x), Off(x) - 8));
+
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S_ByteOffset___unnamed_16_39e6661e(S))} In(x, _S_ByteOffset___unnamed_16_39e6661e(S)) ==> In(home_ByteOffset___unnamed_16_39e6661e(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S_home_ByteOffset___unnamed_16_39e6661e(S))} In(x, _S_home_ByteOffset___unnamed_16_39e6661e(S)) ==> In(ByteOffset___unnamed_16_39e6661e(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S_ByteOffset___unnamed_16_39e6661e(S)} In(x, S) ==> In(ByteOffset___unnamed_16_39e6661e(x), _S_ByteOffset___unnamed_16_39e6661e(S)));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S_home_ByteOffset___unnamed_16_39e6661e(S)} In(x, S) ==> In(home_ByteOffset___unnamed_16_39e6661e(x), _S_home_ByteOffset___unnamed_16_39e6661e(S)));
+
+axiom (forall x:ptr :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,8), 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,8), 1) == home_ByteOffset___unnamed_16_39e6661e(x));
+axiom (forall x:ptr :: {MINUS_LEFT_PTR(x, 1, Ptr(null,8))} MINUS_LEFT_PTR(x, 1, Ptr(null,8)) == home_ByteOffset___unnamed_16_39e6661e(x));
+
+
+
+
+
+function BytesPerSector__DISKETTE_EXTENSION(ptr) returns (ptr);
+function home_BytesPerSector__DISKETTE_EXTENSION(ptr) returns (ptr);
+function _S_BytesPerSector__DISKETTE_EXTENSION([ptr]bool) returns ([ptr]bool);
+function _S_home_BytesPerSector__DISKETTE_EXTENSION([ptr]bool) returns ([ptr]bool);
+
+axiom (forall x:ptr :: {BytesPerSector__DISKETTE_EXTENSION(x)} home_BytesPerSector__DISKETTE_EXTENSION(BytesPerSector__DISKETTE_EXTENSION(x)) == x);
+axiom (forall x:ptr :: {home_BytesPerSector__DISKETTE_EXTENSION(x)} BytesPerSector__DISKETTE_EXTENSION(home_BytesPerSector__DISKETTE_EXTENSION(x)) == x);
+axiom (forall x:ptr :: {BytesPerSector__DISKETTE_EXTENSION(x)} BytesPerSector__DISKETTE_EXTENSION(x) == Ptr(Obj(x), Off(x) + 148));
+axiom (forall x:ptr :: {home_BytesPerSector__DISKETTE_EXTENSION(x)} home_BytesPerSector__DISKETTE_EXTENSION(x) == Ptr(Obj(x), Off(x) - 148));
+
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S_BytesPerSector__DISKETTE_EXTENSION(S))} In(x, _S_BytesPerSector__DISKETTE_EXTENSION(S)) ==> In(home_BytesPerSector__DISKETTE_EXTENSION(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S_home_BytesPerSector__DISKETTE_EXTENSION(S))} In(x, _S_home_BytesPerSector__DISKETTE_EXTENSION(S)) ==> In(BytesPerSector__DISKETTE_EXTENSION(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S_BytesPerSector__DISKETTE_EXTENSION(S)} In(x, S) ==> In(BytesPerSector__DISKETTE_EXTENSION(x), _S_BytesPerSector__DISKETTE_EXTENSION(S)));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S_home_BytesPerSector__DISKETTE_EXTENSION(S)} In(x, S) ==> In(home_BytesPerSector__DISKETTE_EXTENSION(x), _S_home_BytesPerSector__DISKETTE_EXTENSION(S)));
+
+axiom (forall x:ptr :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,148), 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,148), 1) == home_BytesPerSector__DISKETTE_EXTENSION(x));
+axiom (forall x:ptr :: {MINUS_LEFT_PTR(x, 1, Ptr(null,148))} MINUS_LEFT_PTR(x, 1, Ptr(null,148)) == home_BytesPerSector__DISKETTE_EXTENSION(x));
+
+
+
+
+
+function CancelRoutine__IRP(ptr) returns (ptr);
+function home_CancelRoutine__IRP(ptr) returns (ptr);
+function _S_CancelRoutine__IRP([ptr]bool) returns ([ptr]bool);
+function _S_home_CancelRoutine__IRP([ptr]bool) returns ([ptr]bool);
+
+axiom (forall x:ptr :: {CancelRoutine__IRP(x)} home_CancelRoutine__IRP(CancelRoutine__IRP(x)) == x);
+axiom (forall x:ptr :: {home_CancelRoutine__IRP(x)} CancelRoutine__IRP(home_CancelRoutine__IRP(x)) == x);
+axiom (forall x:ptr :: {CancelRoutine__IRP(x)} CancelRoutine__IRP(x) == Ptr(Obj(x), Off(x) + 56));
+axiom (forall x:ptr :: {home_CancelRoutine__IRP(x)} home_CancelRoutine__IRP(x) == Ptr(Obj(x), Off(x) - 56));
+
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S_CancelRoutine__IRP(S))} In(x, _S_CancelRoutine__IRP(S)) ==> In(home_CancelRoutine__IRP(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S_home_CancelRoutine__IRP(S))} In(x, _S_home_CancelRoutine__IRP(S)) ==> In(CancelRoutine__IRP(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S_CancelRoutine__IRP(S)} In(x, S) ==> In(CancelRoutine__IRP(x), _S_CancelRoutine__IRP(S)));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S_home_CancelRoutine__IRP(S)} In(x, S) ==> In(home_CancelRoutine__IRP(x), _S_home_CancelRoutine__IRP(S)));
+
+axiom (forall x:ptr :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,56), 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,56), 1) == home_CancelRoutine__IRP(x));
+axiom (forall x:ptr :: {MINUS_LEFT_PTR(x, 1, Ptr(null,56))} MINUS_LEFT_PTR(x, 1, Ptr(null,56)) == home_CancelRoutine__IRP(x));
+
+
+
+
+
+function Cancel__IRP(ptr) returns (ptr);
+function home_Cancel__IRP(ptr) returns (ptr);
+function _S_Cancel__IRP([ptr]bool) returns ([ptr]bool);
+function _S_home_Cancel__IRP([ptr]bool) returns ([ptr]bool);
+
+axiom (forall x:ptr :: {Cancel__IRP(x)} home_Cancel__IRP(Cancel__IRP(x)) == x);
+axiom (forall x:ptr :: {home_Cancel__IRP(x)} Cancel__IRP(home_Cancel__IRP(x)) == x);
+axiom (forall x:ptr :: {Cancel__IRP(x)} Cancel__IRP(x) == Ptr(Obj(x), Off(x) + 36));
+axiom (forall x:ptr :: {home_Cancel__IRP(x)} home_Cancel__IRP(x) == Ptr(Obj(x), Off(x) - 36));
+
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S_Cancel__IRP(S))} In(x, _S_Cancel__IRP(S)) ==> In(home_Cancel__IRP(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S_home_Cancel__IRP(S))} In(x, _S_home_Cancel__IRP(S)) ==> In(Cancel__IRP(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S_Cancel__IRP(S)} In(x, S) ==> In(Cancel__IRP(x), _S_Cancel__IRP(S)));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S_home_Cancel__IRP(S)} In(x, S) ==> In(home_Cancel__IRP(x), _S_home_Cancel__IRP(S)));
+
+axiom (forall x:ptr :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,36), 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,36), 1) == home_Cancel__IRP(x));
+axiom (forall x:ptr :: {MINUS_LEFT_PTR(x, 1, Ptr(null,36))} MINUS_LEFT_PTR(x, 1, Ptr(null,36)) == home_Cancel__IRP(x));
+
+
+
+
+
+function Control__IO_STACK_LOCATION(ptr) returns (ptr);
+function home_Control__IO_STACK_LOCATION(ptr) returns (ptr);
+function _S_Control__IO_STACK_LOCATION([ptr]bool) returns ([ptr]bool);
+function _S_home_Control__IO_STACK_LOCATION([ptr]bool) returns ([ptr]bool);
+
+axiom (forall x:ptr :: {Control__IO_STACK_LOCATION(x)} home_Control__IO_STACK_LOCATION(Control__IO_STACK_LOCATION(x)) == x);
+axiom (forall x:ptr :: {home_Control__IO_STACK_LOCATION(x)} Control__IO_STACK_LOCATION(home_Control__IO_STACK_LOCATION(x)) == x);
+axiom (forall x:ptr :: {Control__IO_STACK_LOCATION(x)} Control__IO_STACK_LOCATION(x) == Ptr(Obj(x), Off(x) + 3));
+axiom (forall x:ptr :: {home_Control__IO_STACK_LOCATION(x)} home_Control__IO_STACK_LOCATION(x) == Ptr(Obj(x), Off(x) - 3));
+
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S_Control__IO_STACK_LOCATION(S))} In(x, _S_Control__IO_STACK_LOCATION(S)) ==> In(home_Control__IO_STACK_LOCATION(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S_home_Control__IO_STACK_LOCATION(S))} In(x, _S_home_Control__IO_STACK_LOCATION(S)) ==> In(Control__IO_STACK_LOCATION(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S_Control__IO_STACK_LOCATION(S)} In(x, S) ==> In(Control__IO_STACK_LOCATION(x), _S_Control__IO_STACK_LOCATION(S)));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S_home_Control__IO_STACK_LOCATION(S)} In(x, S) ==> In(home_Control__IO_STACK_LOCATION(x), _S_home_Control__IO_STACK_LOCATION(S)));
+
+axiom (forall x:ptr :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,3), 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,3), 1) == home_Control__IO_STACK_LOCATION(x));
+axiom (forall x:ptr :: {MINUS_LEFT_PTR(x, 1, Ptr(null,3))} MINUS_LEFT_PTR(x, 1, Ptr(null,3)) == home_Control__IO_STACK_LOCATION(x));
+
+
+
+
+
+function CurrentStackLocation___unnamed_4_f80453a0(ptr) returns (ptr);
+function home_CurrentStackLocation___unnamed_4_f80453a0(ptr) returns (ptr);
+function _S_CurrentStackLocation___unnamed_4_f80453a0([ptr]bool) returns ([ptr]bool);
+function _S_home_CurrentStackLocation___unnamed_4_f80453a0([ptr]bool) returns ([ptr]bool);
+
+axiom (forall x:ptr :: {CurrentStackLocation___unnamed_4_f80453a0(x)} home_CurrentStackLocation___unnamed_4_f80453a0(CurrentStackLocation___unnamed_4_f80453a0(x)) == x);
+axiom (forall x:ptr :: {home_CurrentStackLocation___unnamed_4_f80453a0(x)} CurrentStackLocation___unnamed_4_f80453a0(home_CurrentStackLocation___unnamed_4_f80453a0(x)) == x);
+axiom (forall x:ptr :: {CurrentStackLocation___unnamed_4_f80453a0(x)} CurrentStackLocation___unnamed_4_f80453a0(x) == Ptr(Obj(x), Off(x) + 0));
+axiom (forall x:ptr :: {home_CurrentStackLocation___unnamed_4_f80453a0(x)} home_CurrentStackLocation___unnamed_4_f80453a0(x) == Ptr(Obj(x), Off(x) - 0));
+
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S_CurrentStackLocation___unnamed_4_f80453a0(S))} In(x, _S_CurrentStackLocation___unnamed_4_f80453a0(S)) ==> In(home_CurrentStackLocation___unnamed_4_f80453a0(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S_home_CurrentStackLocation___unnamed_4_f80453a0(S))} In(x, _S_home_CurrentStackLocation___unnamed_4_f80453a0(S)) ==> In(CurrentStackLocation___unnamed_4_f80453a0(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S_CurrentStackLocation___unnamed_4_f80453a0(S)} In(x, S) ==> In(CurrentStackLocation___unnamed_4_f80453a0(x), _S_CurrentStackLocation___unnamed_4_f80453a0(S)));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S_home_CurrentStackLocation___unnamed_4_f80453a0(S)} In(x, S) ==> In(home_CurrentStackLocation___unnamed_4_f80453a0(x), _S_home_CurrentStackLocation___unnamed_4_f80453a0(S)));
+
+axiom (forall x:ptr :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,0), 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,0), 1) == home_CurrentStackLocation___unnamed_4_f80453a0(x));
+axiom (forall x:ptr :: {MINUS_LEFT_PTR(x, 1, Ptr(null,0))} MINUS_LEFT_PTR(x, 1, Ptr(null,0)) == home_CurrentStackLocation___unnamed_4_f80453a0(x));
+
+
+
+
+
+function DeviceExtension__DEVICE_OBJECT(ptr) returns (ptr);
+function home_DeviceExtension__DEVICE_OBJECT(ptr) returns (ptr);
+function _S_DeviceExtension__DEVICE_OBJECT([ptr]bool) returns ([ptr]bool);
+function _S_home_DeviceExtension__DEVICE_OBJECT([ptr]bool) returns ([ptr]bool);
+
+axiom (forall x:ptr :: {DeviceExtension__DEVICE_OBJECT(x)} home_DeviceExtension__DEVICE_OBJECT(DeviceExtension__DEVICE_OBJECT(x)) == x);
+axiom (forall x:ptr :: {home_DeviceExtension__DEVICE_OBJECT(x)} DeviceExtension__DEVICE_OBJECT(home_DeviceExtension__DEVICE_OBJECT(x)) == x);
+axiom (forall x:ptr :: {DeviceExtension__DEVICE_OBJECT(x)} DeviceExtension__DEVICE_OBJECT(x) == Ptr(Obj(x), Off(x) + 40));
+axiom (forall x:ptr :: {home_DeviceExtension__DEVICE_OBJECT(x)} home_DeviceExtension__DEVICE_OBJECT(x) == Ptr(Obj(x), Off(x) - 40));
+
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S_DeviceExtension__DEVICE_OBJECT(S))} In(x, _S_DeviceExtension__DEVICE_OBJECT(S)) ==> In(home_DeviceExtension__DEVICE_OBJECT(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S_home_DeviceExtension__DEVICE_OBJECT(S))} In(x, _S_home_DeviceExtension__DEVICE_OBJECT(S)) ==> In(DeviceExtension__DEVICE_OBJECT(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S_DeviceExtension__DEVICE_OBJECT(S)} In(x, S) ==> In(DeviceExtension__DEVICE_OBJECT(x), _S_DeviceExtension__DEVICE_OBJECT(S)));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S_home_DeviceExtension__DEVICE_OBJECT(S)} In(x, S) ==> In(home_DeviceExtension__DEVICE_OBJECT(x), _S_home_DeviceExtension__DEVICE_OBJECT(S)));
+
+axiom (forall x:ptr :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,40), 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,40), 1) == home_DeviceExtension__DEVICE_OBJECT(x));
+axiom (forall x:ptr :: {MINUS_LEFT_PTR(x, 1, Ptr(null,40))} MINUS_LEFT_PTR(x, 1, Ptr(null,40)) == home_DeviceExtension__DEVICE_OBJECT(x));
+
+
+
+
+
+function DeviceObject__DISKETTE_EXTENSION(ptr) returns (ptr);
+function home_DeviceObject__DISKETTE_EXTENSION(ptr) returns (ptr);
+function _S_DeviceObject__DISKETTE_EXTENSION([ptr]bool) returns ([ptr]bool);
+function _S_home_DeviceObject__DISKETTE_EXTENSION([ptr]bool) returns ([ptr]bool);
+
+axiom (forall x:ptr :: {DeviceObject__DISKETTE_EXTENSION(x)} home_DeviceObject__DISKETTE_EXTENSION(DeviceObject__DISKETTE_EXTENSION(x)) == x);
+axiom (forall x:ptr :: {home_DeviceObject__DISKETTE_EXTENSION(x)} DeviceObject__DISKETTE_EXTENSION(home_DeviceObject__DISKETTE_EXTENSION(x)) == x);
+axiom (forall x:ptr :: {DeviceObject__DISKETTE_EXTENSION(x)} DeviceObject__DISKETTE_EXTENSION(x) == Ptr(Obj(x), Off(x) + 28));
+axiom (forall x:ptr :: {home_DeviceObject__DISKETTE_EXTENSION(x)} home_DeviceObject__DISKETTE_EXTENSION(x) == Ptr(Obj(x), Off(x) - 28));
+
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S_DeviceObject__DISKETTE_EXTENSION(S))} In(x, _S_DeviceObject__DISKETTE_EXTENSION(S)) ==> In(home_DeviceObject__DISKETTE_EXTENSION(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S_home_DeviceObject__DISKETTE_EXTENSION(S))} In(x, _S_home_DeviceObject__DISKETTE_EXTENSION(S)) ==> In(DeviceObject__DISKETTE_EXTENSION(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S_DeviceObject__DISKETTE_EXTENSION(S)} In(x, S) ==> In(DeviceObject__DISKETTE_EXTENSION(x), _S_DeviceObject__DISKETTE_EXTENSION(S)));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S_home_DeviceObject__DISKETTE_EXTENSION(S)} In(x, S) ==> In(home_DeviceObject__DISKETTE_EXTENSION(x), _S_home_DeviceObject__DISKETTE_EXTENSION(S)));
+
+axiom (forall x:ptr :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,28), 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,28), 1) == home_DeviceObject__DISKETTE_EXTENSION(x));
+axiom (forall x:ptr :: {MINUS_LEFT_PTR(x, 1, Ptr(null,28))} MINUS_LEFT_PTR(x, 1, Ptr(null,28)) == home_DeviceObject__DISKETTE_EXTENSION(x));
+
+
+
+
+
+function FlCancelSpinLock__DISKETTE_EXTENSION(ptr) returns (ptr);
+function home_FlCancelSpinLock__DISKETTE_EXTENSION(ptr) returns (ptr);
+function _S_FlCancelSpinLock__DISKETTE_EXTENSION([ptr]bool) returns ([ptr]bool);
+function _S_home_FlCancelSpinLock__DISKETTE_EXTENSION([ptr]bool) returns ([ptr]bool);
+
+axiom (forall x:ptr :: {FlCancelSpinLock__DISKETTE_EXTENSION(x)} home_FlCancelSpinLock__DISKETTE_EXTENSION(FlCancelSpinLock__DISKETTE_EXTENSION(x)) == x);
+axiom (forall x:ptr :: {home_FlCancelSpinLock__DISKETTE_EXTENSION(x)} FlCancelSpinLock__DISKETTE_EXTENSION(home_FlCancelSpinLock__DISKETTE_EXTENSION(x)) == x);
+axiom (forall x:ptr :: {FlCancelSpinLock__DISKETTE_EXTENSION(x)} FlCancelSpinLock__DISKETTE_EXTENSION(x) == Ptr(Obj(x), Off(x) + 0));
+axiom (forall x:ptr :: {home_FlCancelSpinLock__DISKETTE_EXTENSION(x)} home_FlCancelSpinLock__DISKETTE_EXTENSION(x) == Ptr(Obj(x), Off(x) - 0));
+
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S_FlCancelSpinLock__DISKETTE_EXTENSION(S))} In(x, _S_FlCancelSpinLock__DISKETTE_EXTENSION(S)) ==> In(home_FlCancelSpinLock__DISKETTE_EXTENSION(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S_home_FlCancelSpinLock__DISKETTE_EXTENSION(S))} In(x, _S_home_FlCancelSpinLock__DISKETTE_EXTENSION(S)) ==> In(FlCancelSpinLock__DISKETTE_EXTENSION(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S_FlCancelSpinLock__DISKETTE_EXTENSION(S)} In(x, S) ==> In(FlCancelSpinLock__DISKETTE_EXTENSION(x), _S_FlCancelSpinLock__DISKETTE_EXTENSION(S)));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S_home_FlCancelSpinLock__DISKETTE_EXTENSION(S)} In(x, S) ==> In(home_FlCancelSpinLock__DISKETTE_EXTENSION(x), _S_home_FlCancelSpinLock__DISKETTE_EXTENSION(S)));
+
+axiom (forall x:ptr :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,0), 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,0), 1) == home_FlCancelSpinLock__DISKETTE_EXTENSION(x));
+axiom (forall x:ptr :: {MINUS_LEFT_PTR(x, 1, Ptr(null,0))} MINUS_LEFT_PTR(x, 1, Ptr(null,0)) == home_FlCancelSpinLock__DISKETTE_EXTENSION(x));
+
+
+
+
+
+function HoldNewReqMutex__DISKETTE_EXTENSION(ptr) returns (ptr);
+function home_HoldNewReqMutex__DISKETTE_EXTENSION(ptr) returns (ptr);
+function _S_HoldNewReqMutex__DISKETTE_EXTENSION([ptr]bool) returns ([ptr]bool);
+function _S_home_HoldNewReqMutex__DISKETTE_EXTENSION([ptr]bool) returns ([ptr]bool);
+
+axiom (forall x:ptr :: {HoldNewReqMutex__DISKETTE_EXTENSION(x)} home_HoldNewReqMutex__DISKETTE_EXTENSION(HoldNewReqMutex__DISKETTE_EXTENSION(x)) == x);
+axiom (forall x:ptr :: {home_HoldNewReqMutex__DISKETTE_EXTENSION(x)} HoldNewReqMutex__DISKETTE_EXTENSION(home_HoldNewReqMutex__DISKETTE_EXTENSION(x)) == x);
+axiom (forall x:ptr :: {HoldNewReqMutex__DISKETTE_EXTENSION(x)} HoldNewReqMutex__DISKETTE_EXTENSION(x) == Ptr(Obj(x), Off(x) + 316));
+axiom (forall x:ptr :: {home_HoldNewReqMutex__DISKETTE_EXTENSION(x)} home_HoldNewReqMutex__DISKETTE_EXTENSION(x) == Ptr(Obj(x), Off(x) - 316));
+
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S_HoldNewReqMutex__DISKETTE_EXTENSION(S))} In(x, _S_HoldNewReqMutex__DISKETTE_EXTENSION(S)) ==> In(home_HoldNewReqMutex__DISKETTE_EXTENSION(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S_home_HoldNewReqMutex__DISKETTE_EXTENSION(S))} In(x, _S_home_HoldNewReqMutex__DISKETTE_EXTENSION(S)) ==> In(HoldNewReqMutex__DISKETTE_EXTENSION(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S_HoldNewReqMutex__DISKETTE_EXTENSION(S)} In(x, S) ==> In(HoldNewReqMutex__DISKETTE_EXTENSION(x), _S_HoldNewReqMutex__DISKETTE_EXTENSION(S)));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S_home_HoldNewReqMutex__DISKETTE_EXTENSION(S)} In(x, S) ==> In(home_HoldNewReqMutex__DISKETTE_EXTENSION(x), _S_home_HoldNewReqMutex__DISKETTE_EXTENSION(S)));
+
+axiom (forall x:ptr :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,316), 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,316), 1) == home_HoldNewReqMutex__DISKETTE_EXTENSION(x));
+axiom (forall x:ptr :: {MINUS_LEFT_PTR(x, 1, Ptr(null,316))} MINUS_LEFT_PTR(x, 1, Ptr(null,316)) == home_HoldNewReqMutex__DISKETTE_EXTENSION(x));
+
+
+
+
+
+function HoldNewRequests__DISKETTE_EXTENSION(ptr) returns (ptr);
+function home_HoldNewRequests__DISKETTE_EXTENSION(ptr) returns (ptr);
+function _S_HoldNewRequests__DISKETTE_EXTENSION([ptr]bool) returns ([ptr]bool);
+function _S_home_HoldNewRequests__DISKETTE_EXTENSION([ptr]bool) returns ([ptr]bool);
+
+axiom (forall x:ptr :: {HoldNewRequests__DISKETTE_EXTENSION(x)} home_HoldNewRequests__DISKETTE_EXTENSION(HoldNewRequests__DISKETTE_EXTENSION(x)) == x);
+axiom (forall x:ptr :: {home_HoldNewRequests__DISKETTE_EXTENSION(x)} HoldNewRequests__DISKETTE_EXTENSION(home_HoldNewRequests__DISKETTE_EXTENSION(x)) == x);
+axiom (forall x:ptr :: {HoldNewRequests__DISKETTE_EXTENSION(x)} HoldNewRequests__DISKETTE_EXTENSION(x) == Ptr(Obj(x), Off(x) + 14));
+axiom (forall x:ptr :: {home_HoldNewRequests__DISKETTE_EXTENSION(x)} home_HoldNewRequests__DISKETTE_EXTENSION(x) == Ptr(Obj(x), Off(x) - 14));
+
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S_HoldNewRequests__DISKETTE_EXTENSION(S))} In(x, _S_HoldNewRequests__DISKETTE_EXTENSION(S)) ==> In(home_HoldNewRequests__DISKETTE_EXTENSION(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S_home_HoldNewRequests__DISKETTE_EXTENSION(S))} In(x, _S_home_HoldNewRequests__DISKETTE_EXTENSION(S)) ==> In(HoldNewRequests__DISKETTE_EXTENSION(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S_HoldNewRequests__DISKETTE_EXTENSION(S)} In(x, S) ==> In(HoldNewRequests__DISKETTE_EXTENSION(x), _S_HoldNewRequests__DISKETTE_EXTENSION(S)));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S_home_HoldNewRequests__DISKETTE_EXTENSION(S)} In(x, S) ==> In(home_HoldNewRequests__DISKETTE_EXTENSION(x), _S_home_HoldNewRequests__DISKETTE_EXTENSION(S)));
+
+axiom (forall x:ptr :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,14), 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,14), 1) == home_HoldNewRequests__DISKETTE_EXTENSION(x));
+axiom (forall x:ptr :: {MINUS_LEFT_PTR(x, 1, Ptr(null,14))} MINUS_LEFT_PTR(x, 1, Ptr(null,14)) == home_HoldNewRequests__DISKETTE_EXTENSION(x));
+
+
+
+
+
+function Information__IO_STATUS_BLOCK(ptr) returns (ptr);
+function home_Information__IO_STATUS_BLOCK(ptr) returns (ptr);
+function _S_Information__IO_STATUS_BLOCK([ptr]bool) returns ([ptr]bool);
+function _S_home_Information__IO_STATUS_BLOCK([ptr]bool) returns ([ptr]bool);
+
+axiom (forall x:ptr :: {Information__IO_STATUS_BLOCK(x)} home_Information__IO_STATUS_BLOCK(Information__IO_STATUS_BLOCK(x)) == x);
+axiom (forall x:ptr :: {home_Information__IO_STATUS_BLOCK(x)} Information__IO_STATUS_BLOCK(home_Information__IO_STATUS_BLOCK(x)) == x);
+axiom (forall x:ptr :: {Information__IO_STATUS_BLOCK(x)} Information__IO_STATUS_BLOCK(x) == Ptr(Obj(x), Off(x) + 4));
+axiom (forall x:ptr :: {home_Information__IO_STATUS_BLOCK(x)} home_Information__IO_STATUS_BLOCK(x) == Ptr(Obj(x), Off(x) - 4));
+
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S_Information__IO_STATUS_BLOCK(S))} In(x, _S_Information__IO_STATUS_BLOCK(S)) ==> In(home_Information__IO_STATUS_BLOCK(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S_home_Information__IO_STATUS_BLOCK(S))} In(x, _S_home_Information__IO_STATUS_BLOCK(S)) ==> In(Information__IO_STATUS_BLOCK(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S_Information__IO_STATUS_BLOCK(S)} In(x, S) ==> In(Information__IO_STATUS_BLOCK(x), _S_Information__IO_STATUS_BLOCK(S)));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S_home_Information__IO_STATUS_BLOCK(S)} In(x, S) ==> In(home_Information__IO_STATUS_BLOCK(x), _S_home_Information__IO_STATUS_BLOCK(S)));
+
+axiom (forall x:ptr :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,4), 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,4), 1) == home_Information__IO_STATUS_BLOCK(x));
+axiom (forall x:ptr :: {MINUS_LEFT_PTR(x, 1, Ptr(null,4))} MINUS_LEFT_PTR(x, 1, Ptr(null,4)) == home_Information__IO_STATUS_BLOCK(x));
+
+
+
+
+
+function IoStatus__IRP(ptr) returns (ptr);
+function home_IoStatus__IRP(ptr) returns (ptr);
+function _S_IoStatus__IRP([ptr]bool) returns ([ptr]bool);
+function _S_home_IoStatus__IRP([ptr]bool) returns ([ptr]bool);
+
+axiom (forall x:ptr :: {IoStatus__IRP(x)} home_IoStatus__IRP(IoStatus__IRP(x)) == x);
+axiom (forall x:ptr :: {home_IoStatus__IRP(x)} IoStatus__IRP(home_IoStatus__IRP(x)) == x);
+axiom (forall x:ptr :: {IoStatus__IRP(x)} IoStatus__IRP(x) == Ptr(Obj(x), Off(x) + 24));
+axiom (forall x:ptr :: {home_IoStatus__IRP(x)} home_IoStatus__IRP(x) == Ptr(Obj(x), Off(x) - 24));
+
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S_IoStatus__IRP(S))} In(x, _S_IoStatus__IRP(S)) ==> In(home_IoStatus__IRP(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S_home_IoStatus__IRP(S))} In(x, _S_home_IoStatus__IRP(S)) ==> In(IoStatus__IRP(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S_IoStatus__IRP(S)} In(x, S) ==> In(IoStatus__IRP(x), _S_IoStatus__IRP(S)));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S_home_IoStatus__IRP(S)} In(x, S) ==> In(home_IoStatus__IRP(x), _S_home_IoStatus__IRP(S)));
+
+axiom (forall x:ptr :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,24), 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,24), 1) == home_IoStatus__IRP(x));
+axiom (forall x:ptr :: {MINUS_LEFT_PTR(x, 1, Ptr(null,24))} MINUS_LEFT_PTR(x, 1, Ptr(null,24)) == home_IoStatus__IRP(x));
+
+
+
+
+
+function IsRemoved__DISKETTE_EXTENSION(ptr) returns (ptr);
+function home_IsRemoved__DISKETTE_EXTENSION(ptr) returns (ptr);
+function _S_IsRemoved__DISKETTE_EXTENSION([ptr]bool) returns ([ptr]bool);
+function _S_home_IsRemoved__DISKETTE_EXTENSION([ptr]bool) returns ([ptr]bool);
+
+axiom (forall x:ptr :: {IsRemoved__DISKETTE_EXTENSION(x)} home_IsRemoved__DISKETTE_EXTENSION(IsRemoved__DISKETTE_EXTENSION(x)) == x);
+axiom (forall x:ptr :: {home_IsRemoved__DISKETTE_EXTENSION(x)} IsRemoved__DISKETTE_EXTENSION(home_IsRemoved__DISKETTE_EXTENSION(x)) == x);
+axiom (forall x:ptr :: {IsRemoved__DISKETTE_EXTENSION(x)} IsRemoved__DISKETTE_EXTENSION(x) == Ptr(Obj(x), Off(x) + 13));
+axiom (forall x:ptr :: {home_IsRemoved__DISKETTE_EXTENSION(x)} home_IsRemoved__DISKETTE_EXTENSION(x) == Ptr(Obj(x), Off(x) - 13));
+
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S_IsRemoved__DISKETTE_EXTENSION(S))} In(x, _S_IsRemoved__DISKETTE_EXTENSION(S)) ==> In(home_IsRemoved__DISKETTE_EXTENSION(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S_home_IsRemoved__DISKETTE_EXTENSION(S))} In(x, _S_home_IsRemoved__DISKETTE_EXTENSION(S)) ==> In(IsRemoved__DISKETTE_EXTENSION(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S_IsRemoved__DISKETTE_EXTENSION(S)} In(x, S) ==> In(IsRemoved__DISKETTE_EXTENSION(x), _S_IsRemoved__DISKETTE_EXTENSION(S)));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S_home_IsRemoved__DISKETTE_EXTENSION(S)} In(x, S) ==> In(home_IsRemoved__DISKETTE_EXTENSION(x), _S_home_IsRemoved__DISKETTE_EXTENSION(S)));
+
+axiom (forall x:ptr :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,13), 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,13), 1) == home_IsRemoved__DISKETTE_EXTENSION(x));
+axiom (forall x:ptr :: {MINUS_LEFT_PTR(x, 1, Ptr(null,13))} MINUS_LEFT_PTR(x, 1, Ptr(null,13)) == home_IsRemoved__DISKETTE_EXTENSION(x));
+
+
+
+
+
+function IsStarted__DISKETTE_EXTENSION(ptr) returns (ptr);
+function home_IsStarted__DISKETTE_EXTENSION(ptr) returns (ptr);
+function _S_IsStarted__DISKETTE_EXTENSION([ptr]bool) returns ([ptr]bool);
+function _S_home_IsStarted__DISKETTE_EXTENSION([ptr]bool) returns ([ptr]bool);
+
+axiom (forall x:ptr :: {IsStarted__DISKETTE_EXTENSION(x)} home_IsStarted__DISKETTE_EXTENSION(IsStarted__DISKETTE_EXTENSION(x)) == x);
+axiom (forall x:ptr :: {home_IsStarted__DISKETTE_EXTENSION(x)} IsStarted__DISKETTE_EXTENSION(home_IsStarted__DISKETTE_EXTENSION(x)) == x);
+axiom (forall x:ptr :: {IsStarted__DISKETTE_EXTENSION(x)} IsStarted__DISKETTE_EXTENSION(x) == Ptr(Obj(x), Off(x) + 12));
+axiom (forall x:ptr :: {home_IsStarted__DISKETTE_EXTENSION(x)} home_IsStarted__DISKETTE_EXTENSION(x) == Ptr(Obj(x), Off(x) - 12));
+
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S_IsStarted__DISKETTE_EXTENSION(S))} In(x, _S_IsStarted__DISKETTE_EXTENSION(S)) ==> In(home_IsStarted__DISKETTE_EXTENSION(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S_home_IsStarted__DISKETTE_EXTENSION(S))} In(x, _S_home_IsStarted__DISKETTE_EXTENSION(S)) ==> In(IsStarted__DISKETTE_EXTENSION(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S_IsStarted__DISKETTE_EXTENSION(S)} In(x, S) ==> In(IsStarted__DISKETTE_EXTENSION(x), _S_IsStarted__DISKETTE_EXTENSION(S)));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S_home_IsStarted__DISKETTE_EXTENSION(S)} In(x, S) ==> In(home_IsStarted__DISKETTE_EXTENSION(x), _S_home_IsStarted__DISKETTE_EXTENSION(S)));
+
+axiom (forall x:ptr :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,12), 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,12), 1) == home_IsStarted__DISKETTE_EXTENSION(x));
+axiom (forall x:ptr :: {MINUS_LEFT_PTR(x, 1, Ptr(null,12))} MINUS_LEFT_PTR(x, 1, Ptr(null,12)) == home_IsStarted__DISKETTE_EXTENSION(x));
+
+
+
+
+
+function Length___unnamed_16_39e6661e(ptr) returns (ptr);
+function home_Length___unnamed_16_39e6661e(ptr) returns (ptr);
+function _S_Length___unnamed_16_39e6661e([ptr]bool) returns ([ptr]bool);
+function _S_home_Length___unnamed_16_39e6661e([ptr]bool) returns ([ptr]bool);
+
+axiom (forall x:ptr :: {Length___unnamed_16_39e6661e(x)} home_Length___unnamed_16_39e6661e(Length___unnamed_16_39e6661e(x)) == x);
+axiom (forall x:ptr :: {home_Length___unnamed_16_39e6661e(x)} Length___unnamed_16_39e6661e(home_Length___unnamed_16_39e6661e(x)) == x);
+axiom (forall x:ptr :: {Length___unnamed_16_39e6661e(x)} Length___unnamed_16_39e6661e(x) == Ptr(Obj(x), Off(x) + 0));
+axiom (forall x:ptr :: {home_Length___unnamed_16_39e6661e(x)} home_Length___unnamed_16_39e6661e(x) == Ptr(Obj(x), Off(x) - 0));
+
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S_Length___unnamed_16_39e6661e(S))} In(x, _S_Length___unnamed_16_39e6661e(S)) ==> In(home_Length___unnamed_16_39e6661e(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S_home_Length___unnamed_16_39e6661e(S))} In(x, _S_home_Length___unnamed_16_39e6661e(S)) ==> In(Length___unnamed_16_39e6661e(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S_Length___unnamed_16_39e6661e(S)} In(x, S) ==> In(Length___unnamed_16_39e6661e(x), _S_Length___unnamed_16_39e6661e(S)));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S_home_Length___unnamed_16_39e6661e(S)} In(x, S) ==> In(home_Length___unnamed_16_39e6661e(x), _S_home_Length___unnamed_16_39e6661e(S)));
+
+axiom (forall x:ptr :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,0), 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,0), 1) == home_Length___unnamed_16_39e6661e(x));
+axiom (forall x:ptr :: {MINUS_LEFT_PTR(x, 1, Ptr(null,0))} MINUS_LEFT_PTR(x, 1, Ptr(null,0)) == home_Length___unnamed_16_39e6661e(x));
+
+
+
+
+
+function ListEntry___unnamed_12_003c1454(ptr) returns (ptr);
+function home_ListEntry___unnamed_12_003c1454(ptr) returns (ptr);
+function _S_ListEntry___unnamed_12_003c1454([ptr]bool) returns ([ptr]bool);
+function _S_home_ListEntry___unnamed_12_003c1454([ptr]bool) returns ([ptr]bool);
+
+axiom (forall x:ptr :: {ListEntry___unnamed_12_003c1454(x)} home_ListEntry___unnamed_12_003c1454(ListEntry___unnamed_12_003c1454(x)) == x);
+axiom (forall x:ptr :: {home_ListEntry___unnamed_12_003c1454(x)} ListEntry___unnamed_12_003c1454(home_ListEntry___unnamed_12_003c1454(x)) == x);
+axiom (forall x:ptr :: {ListEntry___unnamed_12_003c1454(x)} ListEntry___unnamed_12_003c1454(x) == Ptr(Obj(x), Off(x) + 0));
+axiom (forall x:ptr :: {home_ListEntry___unnamed_12_003c1454(x)} home_ListEntry___unnamed_12_003c1454(x) == Ptr(Obj(x), Off(x) - 0));
+
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S_ListEntry___unnamed_12_003c1454(S))} In(x, _S_ListEntry___unnamed_12_003c1454(S)) ==> In(home_ListEntry___unnamed_12_003c1454(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S_home_ListEntry___unnamed_12_003c1454(S))} In(x, _S_home_ListEntry___unnamed_12_003c1454(S)) ==> In(ListEntry___unnamed_12_003c1454(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S_ListEntry___unnamed_12_003c1454(S)} In(x, S) ==> In(ListEntry___unnamed_12_003c1454(x), _S_ListEntry___unnamed_12_003c1454(S)));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S_home_ListEntry___unnamed_12_003c1454(S)} In(x, S) ==> In(home_ListEntry___unnamed_12_003c1454(x), _S_home_ListEntry___unnamed_12_003c1454(S)));
+
+axiom (forall x:ptr :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,0), 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,0), 1) == home_ListEntry___unnamed_12_003c1454(x));
+axiom (forall x:ptr :: {MINUS_LEFT_PTR(x, 1, Ptr(null,0))} MINUS_LEFT_PTR(x, 1, Ptr(null,0)) == home_ListEntry___unnamed_12_003c1454(x));
+
+
+
+
+
+function ListSpinLock__DISKETTE_EXTENSION(ptr) returns (ptr);
+function home_ListSpinLock__DISKETTE_EXTENSION(ptr) returns (ptr);
+function _S_ListSpinLock__DISKETTE_EXTENSION([ptr]bool) returns ([ptr]bool);
+function _S_home_ListSpinLock__DISKETTE_EXTENSION([ptr]bool) returns ([ptr]bool);
+
+axiom (forall x:ptr :: {ListSpinLock__DISKETTE_EXTENSION(x)} home_ListSpinLock__DISKETTE_EXTENSION(ListSpinLock__DISKETTE_EXTENSION(x)) == x);
+axiom (forall x:ptr :: {home_ListSpinLock__DISKETTE_EXTENSION(x)} ListSpinLock__DISKETTE_EXTENSION(home_ListSpinLock__DISKETTE_EXTENSION(x)) == x);
+axiom (forall x:ptr :: {ListSpinLock__DISKETTE_EXTENSION(x)} ListSpinLock__DISKETTE_EXTENSION(x) == Ptr(Obj(x), Off(x) + 52));
+axiom (forall x:ptr :: {home_ListSpinLock__DISKETTE_EXTENSION(x)} home_ListSpinLock__DISKETTE_EXTENSION(x) == Ptr(Obj(x), Off(x) - 52));
+
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S_ListSpinLock__DISKETTE_EXTENSION(S))} In(x, _S_ListSpinLock__DISKETTE_EXTENSION(S)) ==> In(home_ListSpinLock__DISKETTE_EXTENSION(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S_home_ListSpinLock__DISKETTE_EXTENSION(S))} In(x, _S_home_ListSpinLock__DISKETTE_EXTENSION(S)) ==> In(ListSpinLock__DISKETTE_EXTENSION(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S_ListSpinLock__DISKETTE_EXTENSION(S)} In(x, S) ==> In(ListSpinLock__DISKETTE_EXTENSION(x), _S_ListSpinLock__DISKETTE_EXTENSION(S)));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S_home_ListSpinLock__DISKETTE_EXTENSION(S)} In(x, S) ==> In(home_ListSpinLock__DISKETTE_EXTENSION(x), _S_home_ListSpinLock__DISKETTE_EXTENSION(S)));
+
+axiom (forall x:ptr :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,52), 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,52), 1) == home_ListSpinLock__DISKETTE_EXTENSION(x));
+axiom (forall x:ptr :: {MINUS_LEFT_PTR(x, 1, Ptr(null,52))} MINUS_LEFT_PTR(x, 1, Ptr(null,52)) == home_ListSpinLock__DISKETTE_EXTENSION(x));
+
+
+
+
+
+function LowPart___unnamed_8_34582070(ptr) returns (ptr);
+function home_LowPart___unnamed_8_34582070(ptr) returns (ptr);
+function _S_LowPart___unnamed_8_34582070([ptr]bool) returns ([ptr]bool);
+function _S_home_LowPart___unnamed_8_34582070([ptr]bool) returns ([ptr]bool);
+
+axiom (forall x:ptr :: {LowPart___unnamed_8_34582070(x)} home_LowPart___unnamed_8_34582070(LowPart___unnamed_8_34582070(x)) == x);
+axiom (forall x:ptr :: {home_LowPart___unnamed_8_34582070(x)} LowPart___unnamed_8_34582070(home_LowPart___unnamed_8_34582070(x)) == x);
+axiom (forall x:ptr :: {LowPart___unnamed_8_34582070(x)} LowPart___unnamed_8_34582070(x) == Ptr(Obj(x), Off(x) + 0));
+axiom (forall x:ptr :: {home_LowPart___unnamed_8_34582070(x)} home_LowPart___unnamed_8_34582070(x) == Ptr(Obj(x), Off(x) - 0));
+
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S_LowPart___unnamed_8_34582070(S))} In(x, _S_LowPart___unnamed_8_34582070(S)) ==> In(home_LowPart___unnamed_8_34582070(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S_home_LowPart___unnamed_8_34582070(S))} In(x, _S_home_LowPart___unnamed_8_34582070(S)) ==> In(LowPart___unnamed_8_34582070(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S_LowPart___unnamed_8_34582070(S)} In(x, S) ==> In(LowPart___unnamed_8_34582070(x), _S_LowPart___unnamed_8_34582070(S)));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S_home_LowPart___unnamed_8_34582070(S)} In(x, S) ==> In(home_LowPart___unnamed_8_34582070(x), _S_home_LowPart___unnamed_8_34582070(S)));
+
+axiom (forall x:ptr :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,0), 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,0), 1) == home_LowPart___unnamed_8_34582070(x));
+axiom (forall x:ptr :: {MINUS_LEFT_PTR(x, 1, Ptr(null,0))} MINUS_LEFT_PTR(x, 1, Ptr(null,0)) == home_LowPart___unnamed_8_34582070(x));
+
+
+
+
+
+function MediaType__DISKETTE_EXTENSION(ptr) returns (ptr);
+function home_MediaType__DISKETTE_EXTENSION(ptr) returns (ptr);
+function _S_MediaType__DISKETTE_EXTENSION([ptr]bool) returns ([ptr]bool);
+function _S_home_MediaType__DISKETTE_EXTENSION([ptr]bool) returns ([ptr]bool);
+
+axiom (forall x:ptr :: {MediaType__DISKETTE_EXTENSION(x)} home_MediaType__DISKETTE_EXTENSION(MediaType__DISKETTE_EXTENSION(x)) == x);
+axiom (forall x:ptr :: {home_MediaType__DISKETTE_EXTENSION(x)} MediaType__DISKETTE_EXTENSION(home_MediaType__DISKETTE_EXTENSION(x)) == x);
+axiom (forall x:ptr :: {MediaType__DISKETTE_EXTENSION(x)} MediaType__DISKETTE_EXTENSION(x) == Ptr(Obj(x), Off(x) + 156));
+axiom (forall x:ptr :: {home_MediaType__DISKETTE_EXTENSION(x)} home_MediaType__DISKETTE_EXTENSION(x) == Ptr(Obj(x), Off(x) - 156));
+
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S_MediaType__DISKETTE_EXTENSION(S))} In(x, _S_MediaType__DISKETTE_EXTENSION(S)) ==> In(home_MediaType__DISKETTE_EXTENSION(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S_home_MediaType__DISKETTE_EXTENSION(S))} In(x, _S_home_MediaType__DISKETTE_EXTENSION(S)) ==> In(MediaType__DISKETTE_EXTENSION(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S_MediaType__DISKETTE_EXTENSION(S)} In(x, S) ==> In(MediaType__DISKETTE_EXTENSION(x), _S_MediaType__DISKETTE_EXTENSION(S)));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S_home_MediaType__DISKETTE_EXTENSION(S)} In(x, S) ==> In(home_MediaType__DISKETTE_EXTENSION(x), _S_home_MediaType__DISKETTE_EXTENSION(S)));
+
+axiom (forall x:ptr :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,156), 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,156), 1) == home_MediaType__DISKETTE_EXTENSION(x));
+axiom (forall x:ptr :: {MINUS_LEFT_PTR(x, 1, Ptr(null,156))} MINUS_LEFT_PTR(x, 1, Ptr(null,156)) == home_MediaType__DISKETTE_EXTENSION(x));
+
+
+
+
+
+function NewRequestQueueSpinLock__DISKETTE_EXTENSION(ptr) returns (ptr);
+function home_NewRequestQueueSpinLock__DISKETTE_EXTENSION(ptr) returns (ptr);
+function _S_NewRequestQueueSpinLock__DISKETTE_EXTENSION([ptr]bool) returns ([ptr]bool);
+function _S_home_NewRequestQueueSpinLock__DISKETTE_EXTENSION([ptr]bool) returns ([ptr]bool);
+
+axiom (forall x:ptr :: {NewRequestQueueSpinLock__DISKETTE_EXTENSION(x)} home_NewRequestQueueSpinLock__DISKETTE_EXTENSION(NewRequestQueueSpinLock__DISKETTE_EXTENSION(x)) == x);
+axiom (forall x:ptr :: {home_NewRequestQueueSpinLock__DISKETTE_EXTENSION(x)} NewRequestQueueSpinLock__DISKETTE_EXTENSION(home_NewRequestQueueSpinLock__DISKETTE_EXTENSION(x)) == x);
+axiom (forall x:ptr :: {NewRequestQueueSpinLock__DISKETTE_EXTENSION(x)} NewRequestQueueSpinLock__DISKETTE_EXTENSION(x) == Ptr(Obj(x), Off(x) + 24));
+axiom (forall x:ptr :: {home_NewRequestQueueSpinLock__DISKETTE_EXTENSION(x)} home_NewRequestQueueSpinLock__DISKETTE_EXTENSION(x) == Ptr(Obj(x), Off(x) - 24));
+
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S_NewRequestQueueSpinLock__DISKETTE_EXTENSION(S))} In(x, _S_NewRequestQueueSpinLock__DISKETTE_EXTENSION(S)) ==> In(home_NewRequestQueueSpinLock__DISKETTE_EXTENSION(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S_home_NewRequestQueueSpinLock__DISKETTE_EXTENSION(S))} In(x, _S_home_NewRequestQueueSpinLock__DISKETTE_EXTENSION(S)) ==> In(NewRequestQueueSpinLock__DISKETTE_EXTENSION(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S_NewRequestQueueSpinLock__DISKETTE_EXTENSION(S)} In(x, S) ==> In(NewRequestQueueSpinLock__DISKETTE_EXTENSION(x), _S_NewRequestQueueSpinLock__DISKETTE_EXTENSION(S)));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S_home_NewRequestQueueSpinLock__DISKETTE_EXTENSION(S)} In(x, S) ==> In(home_NewRequestQueueSpinLock__DISKETTE_EXTENSION(x), _S_home_NewRequestQueueSpinLock__DISKETTE_EXTENSION(S)));
+
+axiom (forall x:ptr :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,24), 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,24), 1) == home_NewRequestQueueSpinLock__DISKETTE_EXTENSION(x));
+axiom (forall x:ptr :: {MINUS_LEFT_PTR(x, 1, Ptr(null,24))} MINUS_LEFT_PTR(x, 1, Ptr(null,24)) == home_NewRequestQueueSpinLock__DISKETTE_EXTENSION(x));
+
+
+
+
+
+function NewRequestQueue__DISKETTE_EXTENSION(ptr) returns (ptr);
+function home_NewRequestQueue__DISKETTE_EXTENSION(ptr) returns (ptr);
+function _S_NewRequestQueue__DISKETTE_EXTENSION([ptr]bool) returns ([ptr]bool);
+function _S_home_NewRequestQueue__DISKETTE_EXTENSION([ptr]bool) returns ([ptr]bool);
+
+axiom (forall x:ptr :: {NewRequestQueue__DISKETTE_EXTENSION(x)} home_NewRequestQueue__DISKETTE_EXTENSION(NewRequestQueue__DISKETTE_EXTENSION(x)) == x);
+axiom (forall x:ptr :: {home_NewRequestQueue__DISKETTE_EXTENSION(x)} NewRequestQueue__DISKETTE_EXTENSION(home_NewRequestQueue__DISKETTE_EXTENSION(x)) == x);
+axiom (forall x:ptr :: {NewRequestQueue__DISKETTE_EXTENSION(x)} NewRequestQueue__DISKETTE_EXTENSION(x) == Ptr(Obj(x), Off(x) + 16));
+axiom (forall x:ptr :: {home_NewRequestQueue__DISKETTE_EXTENSION(x)} home_NewRequestQueue__DISKETTE_EXTENSION(x) == Ptr(Obj(x), Off(x) - 16));
+
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S_NewRequestQueue__DISKETTE_EXTENSION(S))} In(x, _S_NewRequestQueue__DISKETTE_EXTENSION(S)) ==> In(home_NewRequestQueue__DISKETTE_EXTENSION(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S_home_NewRequestQueue__DISKETTE_EXTENSION(S))} In(x, _S_home_NewRequestQueue__DISKETTE_EXTENSION(S)) ==> In(NewRequestQueue__DISKETTE_EXTENSION(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S_NewRequestQueue__DISKETTE_EXTENSION(S)} In(x, S) ==> In(NewRequestQueue__DISKETTE_EXTENSION(x), _S_NewRequestQueue__DISKETTE_EXTENSION(S)));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S_home_NewRequestQueue__DISKETTE_EXTENSION(S)} In(x, S) ==> In(home_NewRequestQueue__DISKETTE_EXTENSION(x), _S_home_NewRequestQueue__DISKETTE_EXTENSION(S)));
+
+axiom (forall x:ptr :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,16), 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,16), 1) == home_NewRequestQueue__DISKETTE_EXTENSION(x));
+axiom (forall x:ptr :: {MINUS_LEFT_PTR(x, 1, Ptr(null,16))} MINUS_LEFT_PTR(x, 1, Ptr(null,16)) == home_NewRequestQueue__DISKETTE_EXTENSION(x));
+
+
+
+
+
+function Overlay___unnamed_48_c27ef811(ptr) returns (ptr);
+function home_Overlay___unnamed_48_c27ef811(ptr) returns (ptr);
+function _S_Overlay___unnamed_48_c27ef811([ptr]bool) returns ([ptr]bool);
+function _S_home_Overlay___unnamed_48_c27ef811([ptr]bool) returns ([ptr]bool);
+
+axiom (forall x:ptr :: {Overlay___unnamed_48_c27ef811(x)} home_Overlay___unnamed_48_c27ef811(Overlay___unnamed_48_c27ef811(x)) == x);
+axiom (forall x:ptr :: {home_Overlay___unnamed_48_c27ef811(x)} Overlay___unnamed_48_c27ef811(home_Overlay___unnamed_48_c27ef811(x)) == x);
+axiom (forall x:ptr :: {Overlay___unnamed_48_c27ef811(x)} Overlay___unnamed_48_c27ef811(x) == Ptr(Obj(x), Off(x) + 0));
+axiom (forall x:ptr :: {home_Overlay___unnamed_48_c27ef811(x)} home_Overlay___unnamed_48_c27ef811(x) == Ptr(Obj(x), Off(x) - 0));
+
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S_Overlay___unnamed_48_c27ef811(S))} In(x, _S_Overlay___unnamed_48_c27ef811(S)) ==> In(home_Overlay___unnamed_48_c27ef811(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S_home_Overlay___unnamed_48_c27ef811(S))} In(x, _S_home_Overlay___unnamed_48_c27ef811(S)) ==> In(Overlay___unnamed_48_c27ef811(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S_Overlay___unnamed_48_c27ef811(S)} In(x, S) ==> In(Overlay___unnamed_48_c27ef811(x), _S_Overlay___unnamed_48_c27ef811(S)));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S_home_Overlay___unnamed_48_c27ef811(S)} In(x, S) ==> In(home_Overlay___unnamed_48_c27ef811(x), _S_home_Overlay___unnamed_48_c27ef811(S)));
+
+axiom (forall x:ptr :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,0), 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,0), 1) == home_Overlay___unnamed_48_c27ef811(x));
+axiom (forall x:ptr :: {MINUS_LEFT_PTR(x, 1, Ptr(null,0))} MINUS_LEFT_PTR(x, 1, Ptr(null,0)) == home_Overlay___unnamed_48_c27ef811(x));
+
+
+
+
+
+function Parameters__IO_STACK_LOCATION(ptr) returns (ptr);
+function home_Parameters__IO_STACK_LOCATION(ptr) returns (ptr);
+function _S_Parameters__IO_STACK_LOCATION([ptr]bool) returns ([ptr]bool);
+function _S_home_Parameters__IO_STACK_LOCATION([ptr]bool) returns ([ptr]bool);
+
+axiom (forall x:ptr :: {Parameters__IO_STACK_LOCATION(x)} home_Parameters__IO_STACK_LOCATION(Parameters__IO_STACK_LOCATION(x)) == x);
+axiom (forall x:ptr :: {home_Parameters__IO_STACK_LOCATION(x)} Parameters__IO_STACK_LOCATION(home_Parameters__IO_STACK_LOCATION(x)) == x);
+axiom (forall x:ptr :: {Parameters__IO_STACK_LOCATION(x)} Parameters__IO_STACK_LOCATION(x) == Ptr(Obj(x), Off(x) + 4));
+axiom (forall x:ptr :: {home_Parameters__IO_STACK_LOCATION(x)} home_Parameters__IO_STACK_LOCATION(x) == Ptr(Obj(x), Off(x) - 4));
+
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S_Parameters__IO_STACK_LOCATION(S))} In(x, _S_Parameters__IO_STACK_LOCATION(S)) ==> In(home_Parameters__IO_STACK_LOCATION(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S_home_Parameters__IO_STACK_LOCATION(S))} In(x, _S_home_Parameters__IO_STACK_LOCATION(S)) ==> In(Parameters__IO_STACK_LOCATION(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S_Parameters__IO_STACK_LOCATION(S)} In(x, S) ==> In(Parameters__IO_STACK_LOCATION(x), _S_Parameters__IO_STACK_LOCATION(S)));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S_home_Parameters__IO_STACK_LOCATION(S)} In(x, S) ==> In(home_Parameters__IO_STACK_LOCATION(x), _S_home_Parameters__IO_STACK_LOCATION(S)));
+
+axiom (forall x:ptr :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,4), 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,4), 1) == home_Parameters__IO_STACK_LOCATION(x));
+axiom (forall x:ptr :: {MINUS_LEFT_PTR(x, 1, Ptr(null,4))} MINUS_LEFT_PTR(x, 1, Ptr(null,4)) == home_Parameters__IO_STACK_LOCATION(x));
+
+
+
+
+
+function Read___unnamed_16_c0f0e7de(ptr) returns (ptr);
+function home_Read___unnamed_16_c0f0e7de(ptr) returns (ptr);
+function _S_Read___unnamed_16_c0f0e7de([ptr]bool) returns ([ptr]bool);
+function _S_home_Read___unnamed_16_c0f0e7de([ptr]bool) returns ([ptr]bool);
+
+axiom (forall x:ptr :: {Read___unnamed_16_c0f0e7de(x)} home_Read___unnamed_16_c0f0e7de(Read___unnamed_16_c0f0e7de(x)) == x);
+axiom (forall x:ptr :: {home_Read___unnamed_16_c0f0e7de(x)} Read___unnamed_16_c0f0e7de(home_Read___unnamed_16_c0f0e7de(x)) == x);
+axiom (forall x:ptr :: {Read___unnamed_16_c0f0e7de(x)} Read___unnamed_16_c0f0e7de(x) == Ptr(Obj(x), Off(x) + 0));
+axiom (forall x:ptr :: {home_Read___unnamed_16_c0f0e7de(x)} home_Read___unnamed_16_c0f0e7de(x) == Ptr(Obj(x), Off(x) - 0));
+
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S_Read___unnamed_16_c0f0e7de(S))} In(x, _S_Read___unnamed_16_c0f0e7de(S)) ==> In(home_Read___unnamed_16_c0f0e7de(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S_home_Read___unnamed_16_c0f0e7de(S))} In(x, _S_home_Read___unnamed_16_c0f0e7de(S)) ==> In(Read___unnamed_16_c0f0e7de(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S_Read___unnamed_16_c0f0e7de(S)} In(x, S) ==> In(Read___unnamed_16_c0f0e7de(x), _S_Read___unnamed_16_c0f0e7de(S)));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S_home_Read___unnamed_16_c0f0e7de(S)} In(x, S) ==> In(home_Read___unnamed_16_c0f0e7de(x), _S_home_Read___unnamed_16_c0f0e7de(S)));
+
+axiom (forall x:ptr :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,0), 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,0), 1) == home_Read___unnamed_16_c0f0e7de(x));
+axiom (forall x:ptr :: {MINUS_LEFT_PTR(x, 1, Ptr(null,0))} MINUS_LEFT_PTR(x, 1, Ptr(null,0)) == home_Read___unnamed_16_c0f0e7de(x));
+
+
+
+
+
+function Status___unnamed_4_c7b3d275(ptr) returns (ptr);
+function home_Status___unnamed_4_c7b3d275(ptr) returns (ptr);
+function _S_Status___unnamed_4_c7b3d275([ptr]bool) returns ([ptr]bool);
+function _S_home_Status___unnamed_4_c7b3d275([ptr]bool) returns ([ptr]bool);
+
+axiom (forall x:ptr :: {Status___unnamed_4_c7b3d275(x)} home_Status___unnamed_4_c7b3d275(Status___unnamed_4_c7b3d275(x)) == x);
+axiom (forall x:ptr :: {home_Status___unnamed_4_c7b3d275(x)} Status___unnamed_4_c7b3d275(home_Status___unnamed_4_c7b3d275(x)) == x);
+axiom (forall x:ptr :: {Status___unnamed_4_c7b3d275(x)} Status___unnamed_4_c7b3d275(x) == Ptr(Obj(x), Off(x) + 0));
+axiom (forall x:ptr :: {home_Status___unnamed_4_c7b3d275(x)} home_Status___unnamed_4_c7b3d275(x) == Ptr(Obj(x), Off(x) - 0));
+
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S_Status___unnamed_4_c7b3d275(S))} In(x, _S_Status___unnamed_4_c7b3d275(S)) ==> In(home_Status___unnamed_4_c7b3d275(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S_home_Status___unnamed_4_c7b3d275(S))} In(x, _S_home_Status___unnamed_4_c7b3d275(S)) ==> In(Status___unnamed_4_c7b3d275(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S_Status___unnamed_4_c7b3d275(S)} In(x, S) ==> In(Status___unnamed_4_c7b3d275(x), _S_Status___unnamed_4_c7b3d275(S)));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S_home_Status___unnamed_4_c7b3d275(S)} In(x, S) ==> In(home_Status___unnamed_4_c7b3d275(x), _S_home_Status___unnamed_4_c7b3d275(S)));
+
+axiom (forall x:ptr :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,0), 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,0), 1) == home_Status___unnamed_4_c7b3d275(x));
+axiom (forall x:ptr :: {MINUS_LEFT_PTR(x, 1, Ptr(null,0))} MINUS_LEFT_PTR(x, 1, Ptr(null,0)) == home_Status___unnamed_4_c7b3d275(x));
+
+
+
+
+
+function Tail__IRP(ptr) returns (ptr);
+function home_Tail__IRP(ptr) returns (ptr);
+function _S_Tail__IRP([ptr]bool) returns ([ptr]bool);
+function _S_home_Tail__IRP([ptr]bool) returns ([ptr]bool);
+
+axiom (forall x:ptr :: {Tail__IRP(x)} home_Tail__IRP(Tail__IRP(x)) == x);
+axiom (forall x:ptr :: {home_Tail__IRP(x)} Tail__IRP(home_Tail__IRP(x)) == x);
+axiom (forall x:ptr :: {Tail__IRP(x)} Tail__IRP(x) == Ptr(Obj(x), Off(x) + 64));
+axiom (forall x:ptr :: {home_Tail__IRP(x)} home_Tail__IRP(x) == Ptr(Obj(x), Off(x) - 64));
+
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S_Tail__IRP(S))} In(x, _S_Tail__IRP(S)) ==> In(home_Tail__IRP(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S_home_Tail__IRP(S))} In(x, _S_home_Tail__IRP(S)) ==> In(Tail__IRP(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S_Tail__IRP(S)} In(x, S) ==> In(Tail__IRP(x), _S_Tail__IRP(S)));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S_home_Tail__IRP(S)} In(x, S) ==> In(home_Tail__IRP(x), _S_home_Tail__IRP(S)));
+
+axiom (forall x:ptr :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,64), 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,64), 1) == home_Tail__IRP(x));
+axiom (forall x:ptr :: {MINUS_LEFT_PTR(x, 1, Ptr(null,64))} MINUS_LEFT_PTR(x, 1, Ptr(null,64)) == home_Tail__IRP(x));
+
+
+
+
+
+function __unnamed_12_003c1454___unnamed_40_6ef75b20(ptr) returns (ptr);
+function home___unnamed_12_003c1454___unnamed_40_6ef75b20(ptr) returns (ptr);
+function _S___unnamed_12_003c1454___unnamed_40_6ef75b20([ptr]bool) returns ([ptr]bool);
+function _S_home___unnamed_12_003c1454___unnamed_40_6ef75b20([ptr]bool) returns ([ptr]bool);
+
+axiom (forall x:ptr :: {__unnamed_12_003c1454___unnamed_40_6ef75b20(x)} home___unnamed_12_003c1454___unnamed_40_6ef75b20(__unnamed_12_003c1454___unnamed_40_6ef75b20(x)) == x);
+axiom (forall x:ptr :: {home___unnamed_12_003c1454___unnamed_40_6ef75b20(x)} __unnamed_12_003c1454___unnamed_40_6ef75b20(home___unnamed_12_003c1454___unnamed_40_6ef75b20(x)) == x);
+axiom (forall x:ptr :: {__unnamed_12_003c1454___unnamed_40_6ef75b20(x)} __unnamed_12_003c1454___unnamed_40_6ef75b20(x) == Ptr(Obj(x), Off(x) + 24));
+axiom (forall x:ptr :: {home___unnamed_12_003c1454___unnamed_40_6ef75b20(x)} home___unnamed_12_003c1454___unnamed_40_6ef75b20(x) == Ptr(Obj(x), Off(x) - 24));
+
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S___unnamed_12_003c1454___unnamed_40_6ef75b20(S))} In(x, _S___unnamed_12_003c1454___unnamed_40_6ef75b20(S)) ==> In(home___unnamed_12_003c1454___unnamed_40_6ef75b20(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S_home___unnamed_12_003c1454___unnamed_40_6ef75b20(S))} In(x, _S_home___unnamed_12_003c1454___unnamed_40_6ef75b20(S)) ==> In(__unnamed_12_003c1454___unnamed_40_6ef75b20(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S___unnamed_12_003c1454___unnamed_40_6ef75b20(S)} In(x, S) ==> In(__unnamed_12_003c1454___unnamed_40_6ef75b20(x), _S___unnamed_12_003c1454___unnamed_40_6ef75b20(S)));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S_home___unnamed_12_003c1454___unnamed_40_6ef75b20(S)} In(x, S) ==> In(home___unnamed_12_003c1454___unnamed_40_6ef75b20(x), _S_home___unnamed_12_003c1454___unnamed_40_6ef75b20(S)));
+
+axiom (forall x:ptr :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,24), 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,24), 1) == home___unnamed_12_003c1454___unnamed_40_6ef75b20(x));
+axiom (forall x:ptr :: {MINUS_LEFT_PTR(x, 1, Ptr(null,24))} MINUS_LEFT_PTR(x, 1, Ptr(null,24)) == home___unnamed_12_003c1454___unnamed_40_6ef75b20(x));
+
+
+
+
+
+function __unnamed_4_c7b3d275__IO_STATUS_BLOCK(ptr) returns (ptr);
+function home___unnamed_4_c7b3d275__IO_STATUS_BLOCK(ptr) returns (ptr);
+function _S___unnamed_4_c7b3d275__IO_STATUS_BLOCK([ptr]bool) returns ([ptr]bool);
+function _S_home___unnamed_4_c7b3d275__IO_STATUS_BLOCK([ptr]bool) returns ([ptr]bool);
+
+axiom (forall x:ptr :: {__unnamed_4_c7b3d275__IO_STATUS_BLOCK(x)} home___unnamed_4_c7b3d275__IO_STATUS_BLOCK(__unnamed_4_c7b3d275__IO_STATUS_BLOCK(x)) == x);
+axiom (forall x:ptr :: {home___unnamed_4_c7b3d275__IO_STATUS_BLOCK(x)} __unnamed_4_c7b3d275__IO_STATUS_BLOCK(home___unnamed_4_c7b3d275__IO_STATUS_BLOCK(x)) == x);
+axiom (forall x:ptr :: {__unnamed_4_c7b3d275__IO_STATUS_BLOCK(x)} __unnamed_4_c7b3d275__IO_STATUS_BLOCK(x) == Ptr(Obj(x), Off(x) + 0));
+axiom (forall x:ptr :: {home___unnamed_4_c7b3d275__IO_STATUS_BLOCK(x)} home___unnamed_4_c7b3d275__IO_STATUS_BLOCK(x) == Ptr(Obj(x), Off(x) - 0));
+
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S___unnamed_4_c7b3d275__IO_STATUS_BLOCK(S))} In(x, _S___unnamed_4_c7b3d275__IO_STATUS_BLOCK(S)) ==> In(home___unnamed_4_c7b3d275__IO_STATUS_BLOCK(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S_home___unnamed_4_c7b3d275__IO_STATUS_BLOCK(S))} In(x, _S_home___unnamed_4_c7b3d275__IO_STATUS_BLOCK(S)) ==> In(__unnamed_4_c7b3d275__IO_STATUS_BLOCK(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S___unnamed_4_c7b3d275__IO_STATUS_BLOCK(S)} In(x, S) ==> In(__unnamed_4_c7b3d275__IO_STATUS_BLOCK(x), _S___unnamed_4_c7b3d275__IO_STATUS_BLOCK(S)));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S_home___unnamed_4_c7b3d275__IO_STATUS_BLOCK(S)} In(x, S) ==> In(home___unnamed_4_c7b3d275__IO_STATUS_BLOCK(x), _S_home___unnamed_4_c7b3d275__IO_STATUS_BLOCK(S)));
+
+axiom (forall x:ptr :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,0), 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,0), 1) == home___unnamed_4_c7b3d275__IO_STATUS_BLOCK(x));
+axiom (forall x:ptr :: {MINUS_LEFT_PTR(x, 1, Ptr(null,0))} MINUS_LEFT_PTR(x, 1, Ptr(null,0)) == home___unnamed_4_c7b3d275__IO_STATUS_BLOCK(x));
+
+
+
+
+
+function __unnamed_4_f80453a0___unnamed_12_003c1454(ptr) returns (ptr);
+function home___unnamed_4_f80453a0___unnamed_12_003c1454(ptr) returns (ptr);
+function _S___unnamed_4_f80453a0___unnamed_12_003c1454([ptr]bool) returns ([ptr]bool);
+function _S_home___unnamed_4_f80453a0___unnamed_12_003c1454([ptr]bool) returns ([ptr]bool);
+
+axiom (forall x:ptr :: {__unnamed_4_f80453a0___unnamed_12_003c1454(x)} home___unnamed_4_f80453a0___unnamed_12_003c1454(__unnamed_4_f80453a0___unnamed_12_003c1454(x)) == x);
+axiom (forall x:ptr :: {home___unnamed_4_f80453a0___unnamed_12_003c1454(x)} __unnamed_4_f80453a0___unnamed_12_003c1454(home___unnamed_4_f80453a0___unnamed_12_003c1454(x)) == x);
+axiom (forall x:ptr :: {__unnamed_4_f80453a0___unnamed_12_003c1454(x)} __unnamed_4_f80453a0___unnamed_12_003c1454(x) == Ptr(Obj(x), Off(x) + 8));
+axiom (forall x:ptr :: {home___unnamed_4_f80453a0___unnamed_12_003c1454(x)} home___unnamed_4_f80453a0___unnamed_12_003c1454(x) == Ptr(Obj(x), Off(x) - 8));
+
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S___unnamed_4_f80453a0___unnamed_12_003c1454(S))} In(x, _S___unnamed_4_f80453a0___unnamed_12_003c1454(S)) ==> In(home___unnamed_4_f80453a0___unnamed_12_003c1454(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S_home___unnamed_4_f80453a0___unnamed_12_003c1454(S))} In(x, _S_home___unnamed_4_f80453a0___unnamed_12_003c1454(S)) ==> In(__unnamed_4_f80453a0___unnamed_12_003c1454(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S___unnamed_4_f80453a0___unnamed_12_003c1454(S)} In(x, S) ==> In(__unnamed_4_f80453a0___unnamed_12_003c1454(x), _S___unnamed_4_f80453a0___unnamed_12_003c1454(S)));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S_home___unnamed_4_f80453a0___unnamed_12_003c1454(S)} In(x, S) ==> In(home___unnamed_4_f80453a0___unnamed_12_003c1454(x), _S_home___unnamed_4_f80453a0___unnamed_12_003c1454(S)));
+
+axiom (forall x:ptr :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,8), 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,8), 1) == home___unnamed_4_f80453a0___unnamed_12_003c1454(x));
+axiom (forall x:ptr :: {MINUS_LEFT_PTR(x, 1, Ptr(null,8))} MINUS_LEFT_PTR(x, 1, Ptr(null,8)) == home___unnamed_4_f80453a0___unnamed_12_003c1454(x));
+
+
+
+
+
+function __unnamed_8_34582070__LARGE_INTEGER(ptr) returns (ptr);
+function home___unnamed_8_34582070__LARGE_INTEGER(ptr) returns (ptr);
+function _S___unnamed_8_34582070__LARGE_INTEGER([ptr]bool) returns ([ptr]bool);
+function _S_home___unnamed_8_34582070__LARGE_INTEGER([ptr]bool) returns ([ptr]bool);
+
+axiom (forall x:ptr :: {__unnamed_8_34582070__LARGE_INTEGER(x)} home___unnamed_8_34582070__LARGE_INTEGER(__unnamed_8_34582070__LARGE_INTEGER(x)) == x);
+axiom (forall x:ptr :: {home___unnamed_8_34582070__LARGE_INTEGER(x)} __unnamed_8_34582070__LARGE_INTEGER(home___unnamed_8_34582070__LARGE_INTEGER(x)) == x);
+axiom (forall x:ptr :: {__unnamed_8_34582070__LARGE_INTEGER(x)} __unnamed_8_34582070__LARGE_INTEGER(x) == Ptr(Obj(x), Off(x) + 0));
+axiom (forall x:ptr :: {home___unnamed_8_34582070__LARGE_INTEGER(x)} home___unnamed_8_34582070__LARGE_INTEGER(x) == Ptr(Obj(x), Off(x) - 0));
+
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S___unnamed_8_34582070__LARGE_INTEGER(S))} In(x, _S___unnamed_8_34582070__LARGE_INTEGER(S)) ==> In(home___unnamed_8_34582070__LARGE_INTEGER(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, _S_home___unnamed_8_34582070__LARGE_INTEGER(S))} In(x, _S_home___unnamed_8_34582070__LARGE_INTEGER(S)) ==> In(__unnamed_8_34582070__LARGE_INTEGER(x), S));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S___unnamed_8_34582070__LARGE_INTEGER(S)} In(x, S) ==> In(__unnamed_8_34582070__LARGE_INTEGER(x), _S___unnamed_8_34582070__LARGE_INTEGER(S)));
+axiom (forall x:ptr, S:[ptr]bool :: {In(x, S), _S_home___unnamed_8_34582070__LARGE_INTEGER(S)} In(x, S) ==> In(home___unnamed_8_34582070__LARGE_INTEGER(x), _S_home___unnamed_8_34582070__LARGE_INTEGER(S)));
+
+axiom (forall x:ptr :: {MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,0), 1)} MINUS_BOTH_PTR_OR_BOTH_INT(x, Ptr(null,0), 1) == home___unnamed_8_34582070__LARGE_INTEGER(x));
+axiom (forall x:ptr :: {MINUS_LEFT_PTR(x, 1, Ptr(null,0))} MINUS_LEFT_PTR(x, 1, Ptr(null,0)) == home___unnamed_8_34582070__LARGE_INTEGER(x));
+
+
+
+// Axiom for null constraint
+//modifying to make the signature match with old BSConstraint that constrains Mem
+function BSConstraint
+(
+ BS:[ptr]bool,
+ Mem:[ptr]ptr
+) returns (bool);
+
+axiom (
+ forall
+ BS:[ptr]bool, Mem:[ptr]ptr :: {BSConstraint(BS,Mem)}
+
+ BSConstraint(BS,Mem)
+ ==>
+ (
+ (forall i:int :: {Ptr(null,i)} BS[Ptr(null,i)])
+/*
+ &&
+
+ (forall a:ptr :: {BS[a]} Element(a))
+*/
+ )
+);
+procedure __delBS(a:ptr);
+requires(BS[a]);
+modifies BS;
+ensures(forall x:ptr :: {BS[x]} x == a || (old(BS)[x] <==> BS[x]));
+ensures(!BS[a]);
+
+procedure __addBS(a:ptr);
+requires(!BS[a]);
+modifies BS;
+ensures(forall x:ptr :: {BS[x]} x == a || (old(BS)[x] <==> BS[x]));
+ensures(BS[a]);
+
+function MINUS_BOTH_PTR_OR_BOTH_INT(a:ptr, b:ptr, size:int) returns (ptr);
+axiom(forall a:ptr, b:ptr, size:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(a,b,size)}
+(Obj(a) == Obj(b) ==> Obj(MINUS_BOTH_PTR_OR_BOTH_INT(a,b,size)) == null && size * Off(MINUS_BOTH_PTR_OR_BOTH_INT(a,b,size)) == Off(a) - Off(b))
+&&
+(Obj(b) == null && size == 1 ==> Obj(MINUS_BOTH_PTR_OR_BOTH_INT(a,b,size)) == Obj(a) && Off(MINUS_BOTH_PTR_OR_BOTH_INT(a,b,size)) == Off(a) - Off(b))
+&&
+(Obj(MINUS_BOTH_PTR_OR_BOTH_INT(a,b,size)) == null || Obj(MINUS_BOTH_PTR_OR_BOTH_INT(a,b,size)) == Obj(a) || Obj(MINUS_BOTH_PTR_OR_BOTH_INT(a,b,size)) == Obj(b))
+);
+
+function MINUS_LEFT_PTR(a:ptr, a_size:int, b:ptr) returns (ptr);
+axiom(forall a:ptr, a_size:int, b:ptr :: {MINUS_LEFT_PTR(a,a_size,b)}
+(Obj(b) == null ==> Obj(MINUS_LEFT_PTR(a,a_size,b)) == Obj(a) && Off(MINUS_LEFT_PTR(a,a_size,b)) == Off(a) - a_size * Off(b))
+&&
+(Obj(a) == Obj(b) && a_size == 1 ==> Obj(MINUS_LEFT_PTR(a,a_size,b)) == null && Off(MINUS_LEFT_PTR(a,a_size,b)) == Off(a) - Off(b))
+&&
+(Obj(MINUS_LEFT_PTR(a,a_size,b)) == null || Obj(MINUS_LEFT_PTR(a,a_size,b)) == Obj(a) || Obj(MINUS_LEFT_PTR(a,a_size,b)) == Obj(b))
+);
+
+function PLUS(a:ptr, a_size:int, b:ptr) returns (ptr);
+axiom(forall a:ptr, a_size:int, b:ptr :: {PLUS(a,a_size,b)}
+(Obj(b) == null ==> Obj(PLUS(a,a_size,b)) == Obj(a) && Off(PLUS(a,a_size,b)) == Off(a) + a_size * Off(b))
+&&
+(Obj(a) == null && a_size == 1 ==> Obj(PLUS(a,a_size,b)) == Obj(b) && Off(PLUS(a,a_size,b)) == Off(a) + Off(b))
+&&
+(Obj(PLUS(a,a_size,b)) == null || Obj(PLUS(a,a_size,b)) == Obj(a) || Obj(PLUS(a,a_size,b)) == Obj(b))
+);
+
+function MULT(a:ptr, b:ptr) returns (ptr);
+axiom(forall a:ptr, b:ptr :: {MULT(a,b)} Obj(MULT(a,b)) == null);
+
+function BINARY_BOTH_INT(a:ptr, b:ptr) returns (ptr);
+axiom(forall a:ptr, b:ptr :: {BINARY_BOTH_INT(a,b)} Obj(BINARY_BOTH_INT(a,b)) == null);
+
+function POW2(a:ptr) returns (bool);
+axiom POW2(Ptr(null,1));
+axiom POW2(Ptr(null,2));
+axiom POW2(Ptr(null,4));
+axiom POW2(Ptr(null,8));
+axiom POW2(Ptr(null,16));
+axiom POW2(Ptr(null,32));
+axiom POW2(Ptr(null,64));
+axiom POW2(Ptr(null,128));
+axiom POW2(Ptr(null,256));
+axiom POW2(Ptr(null,512));
+axiom POW2(Ptr(null,1024));
+axiom POW2(Ptr(null,2048));
+axiom POW2(Ptr(null,4096));
+axiom POW2(Ptr(null,8192));
+axiom POW2(Ptr(null,16384));
+axiom POW2(Ptr(null,32768));
+axiom POW2(Ptr(null,65536));
+axiom POW2(Ptr(null,131072));
+axiom POW2(Ptr(null,262144));
+axiom POW2(Ptr(null,524288));
+axiom POW2(Ptr(null,1048576));
+axiom POW2(Ptr(null,2097152));
+axiom POW2(Ptr(null,4194304));
+axiom POW2(Ptr(null,8388608));
+axiom POW2(Ptr(null,16777216));
+axiom POW2(Ptr(null,33554432));
+
+axiom (forall n:int, m:int :: {Ptr(null,n),POW2(Ptr(null,m))} POW2(Ptr(null,m)) && m < n && n < 2*m ==> !POW2(Ptr(null,n)));
+
+function choose(a:bool, b:ptr, c:ptr) returns (x:ptr);
+axiom(forall a:bool, b:ptr, c:ptr :: {choose(a,b,c)} a ==> choose(a,b,c) == b);
+axiom(forall a:bool, b:ptr, c:ptr :: {choose(a,b,c)} !a ==> choose(a,b,c) == c);
+
+function BIT_BAND(a:ptr, b:ptr) returns (x:ptr);
+axiom(forall a:ptr, b:ptr :: {BIT_BAND(a,b)} Obj(BIT_BAND(a,b)) == null || Obj(BIT_BAND(a,b)) == Obj(a) || Obj(BIT_BAND(a,b)) == Obj(b));
+axiom(forall a:ptr, b:ptr :: {BIT_BAND(a,b)} a == b ==> BIT_BAND(a,b) == a);
+axiom(forall a:ptr, b:ptr :: {BIT_BAND(a,b)} POW2(a) && POW2(b) && a != b ==> BIT_BAND(a,b) == Ptr(null,0));
+axiom(forall a:ptr, b:ptr :: {BIT_BAND(a,b)} a == Ptr(null,0) || b == Ptr(null,0) ==> BIT_BAND(a,b) == Ptr(null,0));
+axiom(forall a:ptr, b:ptr, c:ptr :: {BIT_BAND(BIT_BAND(a,b),c)} BIT_BAND(BIT_BAND(a,b),c) == c <==> BIT_BAND(a,c) == c && BIT_BAND(b,c) == c);
+
+function BIT_BOR(a:ptr, b:ptr) returns (x:ptr);
+axiom(forall a:ptr, b:ptr :: {BIT_BOR(a,b)} Obj(BIT_BOR(a,b)) == null || Obj(BIT_BOR(a,b)) == Obj(a) || Obj(BIT_BOR(a,b)) == Obj(b));
+axiom(forall a:ptr, b:ptr, c:ptr :: {BIT_BAND(BIT_BOR(a,b),c)} BIT_BAND(a,c) != Ptr(null,0) || BIT_BAND(b,c) != Ptr(null,0) <==> BIT_BAND(BIT_BOR(a,b),c) != Ptr(null,0));
+axiom(forall n:int, m:int :: {POW2(Ptr(null,n)), POW2(Ptr(null,m))} n > 0 && POW2(Ptr(null,m)) && m < n && 2*m > n ==>
+ Ptr(null, n) == BIT_BOR(Ptr(null, m), Ptr(null, n - m)));
+
+
+function BIT_BXOR(a:ptr, b:ptr) returns (x:ptr);
+axiom(forall a:ptr, b:ptr :: {BIT_BXOR(a,b)} Obj(BIT_BXOR(a,b)) == null || Obj(BIT_BXOR(a,b)) == Obj(a) || Obj(BIT_BXOR(a,b)) == Obj(b));
+
+function BIT_BNOT(a:ptr) returns (ptr);
+axiom(forall a:ptr, b:ptr :: {BIT_BAND(a,b)} a == BIT_BNOT(b) || b == BIT_BNOT(a) ==> BIT_BAND(a,b) == Ptr(null,0));
+axiom(forall a:ptr, b:ptr :: {BIT_BNOT(BIT_BOR(a,b))} BIT_BNOT(BIT_BOR(a,b)) == BIT_BAND(BIT_BNOT(a),BIT_BNOT(b)));
+axiom(forall a:ptr, b:ptr, c:ptr :: {BIT_BAND(BIT_BAND(a,b),c)} a == BIT_BNOT(c) || b == BIT_BNOT(c) ==> BIT_BAND(BIT_BAND(a,b),c) == Ptr(null,0));
+axiom(forall a:ptr, b:ptr, c:ptr :: {BIT_BAND(BIT_BAND(BIT_BNOT(a),b),c)} POW2(c) && POW2(a) && c != a ==>
+ (BIT_BAND(b,c) != Ptr(null,0) <==> BIT_BAND(BIT_BAND(BIT_BNOT(a),b),c) != Ptr(null,0)));
+axiom(forall a:ptr, b:ptr, c:ptr :: {BIT_BAND(BIT_BAND(a,BIT_BNOT(b)),c)} POW2(c) && POW2(b) && c != b ==>
+ (BIT_BAND(a,c) != Ptr(null,0) <==> BIT_BAND(BIT_BAND(a,BIT_BNOT(b)),c) != Ptr(null,0)));
+
+
+function LIFT(a:bool) returns (ptr);
+axiom(forall a:bool :: {LIFT(a)} a <==> LIFT(a) != Ptr(null,0));
+axiom(forall a:bool :: {LIFT(a)} Obj(LIFT(a)) == null); // need to show T_char(LIFT(a))
+
+function NOT(a:ptr) returns (ptr);
+axiom(forall a:ptr :: {NOT(a)} a == Ptr(null,0) ==> NOT(a) != Ptr(null,0));
+axiom(forall a:ptr :: {NOT(a)} a != Ptr(null,0) ==> NOT(a) == Ptr(null,0));
+
+function NULL_CHECK(a:ptr) returns (ptr);
+axiom(forall a:ptr :: {NULL_CHECK(a)} a == Ptr(null,0) ==> NULL_CHECK(a) != Ptr(null,0));
+axiom(forall a:ptr :: {NULL_CHECK(a)} a != Ptr(null,0) ==> NULL_CHECK(a) == Ptr(null,0));
+
+
+function FreshObj(alloc:[ref]name, old_alloc:[ref]name, p: ptr) returns (bool);
+axiom(forall alloc:[ref]name, old_alloc:[ref]name, p: ptr :: {FreshObj(alloc, old_alloc, p)}
+ FreshObj(alloc, old_alloc, p) <==> alloc[Obj(p)] == ALLOCATED && old_alloc[Obj(p)] == UNALLOCATED
+);
+
+
+procedure nondet_choice() returns (x:ptr);
+ensures (Obj(x) == null);
+
+procedure CreateMutexA$12 (a0:ptr, a1:ptr, a2:ptr) returns (new:ptr);
+modifies alloc;
+ensures (old(alloc)[Obj(new)] == UNALLOCATED && alloc[Obj(new)] == ALLOCATED);
+ensures (Size(Obj(new)) == 1);
+ensures (Off(new) == 0);
+ensures (Obj(new) != null);
+ensures (forall i:int :: BS[Ptr(Obj(new), i)]);
+ensures (forall i:int :: Obj(Mem[Ptr(Obj(new), i)]) == null);
+ensures (forall x_obj:ref :: {alloc[x_obj]} x_obj == Obj(new) || old(alloc)[x_obj] == alloc[x_obj]);
+ensures (Mem[new] == Ptr(null,0));
+
+procedure WaitForSingleObject$8 (lock :ptr, wait:ptr) returns (status:ptr);
+modifies Mem;
+ensures (forall x:ptr :: {Mem[x]} x == lock || old(Mem)[x] == Mem[x]);
+ensures (old(Mem)[lock] == Ptr(null,0) && Mem[lock] == Ptr(null,1));
+
+procedure ReleaseMutex$4 (lock:ptr) returns (status:ptr);
+modifies Mem;
+ensures (forall x:ptr :: {Mem[x]} x == lock || old(Mem)[x] == Mem[x]);
+ensures (old(Mem)[lock] == Ptr(null,1) && Mem[lock] == Ptr(null,0));
+
+
+
+procedure havoc_assert(i:ptr);
+requires (i != Ptr(null, 0));
+
+procedure havoc_assume(i:ptr);
+ensures (i != Ptr(null, 0));
+
+
+procedure __HAVOC_free(a:ptr);
+modifies alloc;
+//requires (alloc[Obj(a)] == ALLOCATED);
+//requires (Off(a) == 0);
+ensures (alloc[Obj(a)] != UNALLOCATED);
+ensures (alloc[Obj(a)] != ALLOCATED);
+ensures (forall x_obj:ref :: {alloc[x_obj]} Obj(a) == x_obj || old(alloc)[x_obj] == alloc[x_obj]);
+
+procedure __HAVOC_malloc_heap(obj_size:ptr) returns (new:ptr);
+modifies alloc;
+ensures (old(alloc)[Obj(new)] == UNALLOCATED && alloc[Obj(new)] == ALLOCATED);
+ensures (Size(Obj(new)) == Off(obj_size));
+ensures (Off(new) == 0);
+ensures (Obj(new) != null);
+ensures (IsHeap(Obj(new)));
+ensures (forall i:int :: BS[Ptr(Obj(new), i)]);
+ensures (forall i:int :: Obj(Mem[Ptr(Obj(new), i)]) == null);
+ensures (forall x_obj:ref :: {alloc[x_obj]} x_obj == Obj(new) || old(alloc)[x_obj] == alloc[x_obj]);
+
+
+procedure __HAVOC_malloc_stack(obj_size:ptr) returns (new:ptr);
+modifies alloc;
+ensures (old(alloc)[Obj(new)] == UNALLOCATED && alloc[Obj(new)] == ALLOCATED);
+ensures (Size(Obj(new)) == Off(obj_size));
+ensures (Off(new) == 0);
+ensures (Obj(new) != null);
+ensures (!IsHeap(Obj(new)));
+ensures (forall i:int :: BS[Ptr(Obj(new), i)]);
+ensures (forall i:int :: Obj(Mem[Ptr(Obj(new), i)]) == null);
+ensures (forall x_obj:ref :: {alloc[x_obj]} x_obj == Obj(new) || old(alloc)[x_obj] == alloc[x_obj]);
+
+procedure _strdup(str:ptr) returns (new:ptr);
+modifies alloc;
+ensures (old(alloc)[Obj(new)] == UNALLOCATED && alloc[Obj(new)] == ALLOCATED);
+ensures (Off(new) == 0);
+ensures (Obj(new) != null);
+ensures (forall i:int :: BS[Ptr(Obj(new), i)]);
+ensures (forall i:int :: Obj(Mem[Ptr(Obj(new), i)]) == null);
+ensures (forall x_obj:ref :: {alloc[x_obj]} x_obj == Obj(new) || old(alloc)[x_obj] == alloc[x_obj]);
+
+procedure _xstrcasecmp(a0:ptr, a1:ptr) returns (ret:ptr);
+
+procedure _xstrcmp(a0:ptr, a1:ptr) returns (ret:ptr);
+var Mem_ByteCapacity__DISKETTE_EXTENSION:[ptr]ptr;
+var Mem_ByteOffset___unnamed_16_39e6661e:[ptr]ptr;
+var Mem_BytesPerSector__DISKETTE_EXTENSION:[ptr]ptr;
+var Mem_CHAR:[ptr]ptr;
+var Mem_CancelRoutine__IRP:[ptr]ptr;
+var Mem_Cancel__IRP:[ptr]ptr;
+var Mem_Control__IO_STACK_LOCATION:[ptr]ptr;
+var Mem_CurrentStackLocation___unnamed_4_f80453a0:[ptr]ptr;
+var Mem_DeviceExtension__DEVICE_OBJECT:[ptr]ptr;
+var Mem_DeviceObject__DISKETTE_EXTENSION:[ptr]ptr;
+var Mem_FUNCTION:[ptr]ptr;
+var Mem_FlCancelSpinLock__DISKETTE_EXTENSION:[ptr]ptr;
+var Mem_HoldNewReqMutex__DISKETTE_EXTENSION:[ptr]ptr;
+var Mem_HoldNewRequests__DISKETTE_EXTENSION:[ptr]ptr;
+var Mem_INT4:[ptr]ptr;
+var Mem_Information__IO_STATUS_BLOCK:[ptr]ptr;
+var Mem_IoStatus__IRP:[ptr]ptr;
+var Mem_IsRemoved__DISKETTE_EXTENSION:[ptr]ptr;
+var Mem_IsStarted__DISKETTE_EXTENSION:[ptr]ptr;
+var Mem_Length___unnamed_16_39e6661e:[ptr]ptr;
+var Mem_ListEntry___unnamed_12_003c1454:[ptr]ptr;
+var Mem_ListSpinLock__DISKETTE_EXTENSION:[ptr]ptr;
+var Mem_LowPart___unnamed_8_34582070:[ptr]ptr;
+var Mem_MediaType__DISKETTE_EXTENSION:[ptr]ptr;
+var Mem_NewRequestQueueSpinLock__DISKETTE_EXTENSION:[ptr]ptr;
+var Mem_NewRequestQueue__DISKETTE_EXTENSION:[ptr]ptr;
+var Mem_Overlay___unnamed_48_c27ef811:[ptr]ptr;
+var Mem_PCHAR:[ptr]ptr;
+var Mem_PFUNCTION:[ptr]ptr;
+var Mem_PPFUNCTION:[ptr]ptr;
+var Mem_PUINT4:[ptr]ptr;
+var Mem_PVOID:[ptr]ptr;
+var Mem_P_DISKETTE_EXTENSION:[ptr]ptr;
+var Mem_P_FAST_MUTEX:[ptr]ptr;
+var Mem_P_IO_STACK_LOCATION:[ptr]ptr;
+var Mem_P_LIST_ENTRY:[ptr]ptr;
+var Mem_Parameters__IO_STACK_LOCATION:[ptr]ptr;
+var Mem_Read___unnamed_16_c0f0e7de:[ptr]ptr;
+var Mem_Status___unnamed_4_c7b3d275:[ptr]ptr;
+var Mem_Tail__IRP:[ptr]ptr;
+var Mem_UCHAR:[ptr]ptr;
+var Mem_UINT4:[ptr]ptr;
+var Mem___unnamed_12_003c1454___unnamed_40_6ef75b20:[ptr]ptr;
+var Mem___unnamed_4_c7b3d275__IO_STATUS_BLOCK:[ptr]ptr;
+var Mem___unnamed_4_f80453a0___unnamed_12_003c1454:[ptr]ptr;
+var Mem___unnamed_8_34582070__LARGE_INTEGER:[ptr]ptr;
+
+var Res_IRQL:[ptr]ptr;
+var Res_SPINLOCK:[ptr]ptr;
+var Res_SPINLOCK_IRQL:[ptr]ptr;
+
+
+
+const unique DriverEntry : ptr;
+const unique DriverEntry_ref : ref;
+const unique FloppyCancelQueuedRequest : ptr;
+const unique FloppyCancelQueuedRequest_ref : ref;
+var FloppyDebugLevel : ptr;
+var PagingMutex : ptr;
+var PagingReferenceCount : ptr;
+const {:existential true} $FloppyQueueRequest$pre$0 : bool;
+const {:existential true} $FloppyQueueRequest$pre$1 : bool;
+const {:existential true} $FloppyQueueRequest$pre$2 : bool;
+const {:existential true} $FloppyQueueRequest$pre$3 : bool;
+const {:existential true} $FloppyQueueRequest$post$12 : bool;
+const {:existential true} $FloppyQueueRequest$post$13 : bool;
+const {:existential true} $FloppyQueueRequest$post$14 : bool;
+const {:existential true} $FloppyQueueRequest$post$15 : bool;
+const {:existential true} $FloppyQueueRequest$mod$16 : bool;
+const {:existential true} $FloppyQueueRequest$mod$17 : bool;
+const {:existential true} $FloppyQueueRequest$mod$18 : bool;
+const {:existential true} $FloppyQueueRequest$mod$19 : bool;
+const {:existential true} $FloppyQueueRequest$mod$20 : bool;
+const {:existential true} $FloppyQueueRequest$mod$21 : bool;
+const {:existential true} $FloppyReadWrite$pre$42 : bool;
+const {:existential true} $FloppyReadWrite$pre$43 : bool;
+const {:existential true} $FloppyReadWrite$pre$44 : bool;
+const {:existential true} $FloppyReadWrite$pre$45 : bool;
+const {:existential true} $FloppyReadWrite$pre$46 : bool;
+const {:existential true} $FloppyReadWrite$post$57 : bool;
+const {:existential true} $FloppyReadWrite$post$58 : bool;
+const {:existential true} $FloppyReadWrite$post$59 : bool;
+const {:existential true} $FloppyReadWrite$post$60 : bool;
+const {:existential true} $FloppyReadWrite$post$61 : bool;
+const {:existential true} $FloppyReadWrite$mod$62 : bool;
+const {:existential true} $FloppyReadWrite$mod$63 : bool;
+const {:existential true} $FloppyReadWrite$mod$64 : bool;
+const {:existential true} $FloppyReadWrite$mod$65 : bool;
+const {:existential true} $FloppyReadWrite$mod$66 : bool;
+const {:existential true} $FloppyReadWrite$mod$67 : bool;
+
+
+procedure ExAcquireFastMutex ( a0:ptr) ;
+
+
+procedure ExReleaseFastMutex ( a0:ptr) ;
+
+
+procedure ExfInterlockedInsertTailList ( a0:ptr, a1:ptr, a2:ptr) returns (ret:ptr);
+
+
+procedure FlQueueIrpToThread ( Irp$21:ptr, DisketteExtension$11:ptr) returns ( $result.FlQueueIrpToThread$861.0$1$:ptr) ;
+
+
+
+
+
+procedure IofCompleteRequest ( a0:ptr, a1:ptr) ;
+
+
+procedure KfAcquireSpinLock ( SpinLock1:ptr) returns ( $result.__prototypewdm_KfAcquireSpinLock$92.0$1$__prototypewdm_KfAcquireSpinLock$4:ptr) ;
+
+//TAG: requires __resource("SPINLOCK", SpinLock) == 0
+requires(Res_SPINLOCK[SpinLock1] == Ptr(null, 0));
+//TAG: ensures __resource("SPINLOCK", SpinLock) == 1
+ensures(Res_SPINLOCK[SpinLock1] == Ptr(null, 1));
+//TAG: ensures __resource("SPINLOCK_IRQL", SpinLock) == __return
+ensures(Res_SPINLOCK_IRQL[SpinLock1] == $result.__prototypewdm_KfAcquireSpinLock$92.0$1$__prototypewdm_KfAcquireSpinLock$4);
+//TAG: ensures __global_resource("IRQL") == 2
+ensures(Res_IRQL[Ptr(null,1)] == Ptr(null, 2));
+//TAG: ensures __return == __old_global_resource("IRQL")
+ensures($result.__prototypewdm_KfAcquireSpinLock$92.0$1$__prototypewdm_KfAcquireSpinLock$4 == old(Res_IRQL)[Ptr(null,1)]);
+
+modifies Res_IRQL;
+ensures(forall r:ptr :: {Res_IRQL[r]} (Ptr(null, 1) == r) || Off(old(Res_IRQL)[r]) == Off(Res_IRQL[r]));
+free requires ((forall __x:ptr :: {Res_IRQL[__x]} Obj(Res_IRQL[__x]) == null && Off(Res_IRQL[__x]) >= 0));
+free ensures ((forall __x:ptr :: {Res_IRQL[__x]} Obj(Res_IRQL[__x]) == null && Off(Res_IRQL[__x]) >= 0));
+free requires (Res_IRQL[Ptr(null,0)] == Ptr(null,0));
+free ensures (Res_IRQL[Ptr(null,0)] == Ptr(null,0));
+modifies Res_SPINLOCK;
+//TAG: net change in resource SPINLOCK only for: SpinLock
+ensures(forall r:ptr :: {Res_SPINLOCK[r]} (SpinLock1 == r) || Off(old(Res_SPINLOCK)[r]) == Off(Res_SPINLOCK[r]));
+free requires ((forall __x:ptr :: {Res_SPINLOCK[__x]} Obj(Res_SPINLOCK[__x]) == null && Off(Res_SPINLOCK[__x]) >= 0));
+free ensures ((forall __x:ptr :: {Res_SPINLOCK[__x]} Obj(Res_SPINLOCK[__x]) == null && Off(Res_SPINLOCK[__x]) >= 0));
+free requires (Res_SPINLOCK[Ptr(null,0)] == Ptr(null,0));
+free ensures (Res_SPINLOCK[Ptr(null,0)] == Ptr(null,0));
+modifies Res_SPINLOCK_IRQL;
+//TAG: net change in resource SPINLOCK_IRQL only for: SpinLock
+ensures(forall r:ptr :: {Res_SPINLOCK_IRQL[r]} (SpinLock1 == r) || Off(old(Res_SPINLOCK_IRQL)[r]) == Off(Res_SPINLOCK_IRQL[r]));
+free requires ((forall __x:ptr :: {Res_SPINLOCK_IRQL[__x]} Obj(Res_SPINLOCK_IRQL[__x]) == null && Off(Res_SPINLOCK_IRQL[__x]) >= 0));
+free ensures ((forall __x:ptr :: {Res_SPINLOCK_IRQL[__x]} Obj(Res_SPINLOCK_IRQL[__x]) == null && Off(Res_SPINLOCK_IRQL[__x]) >= 0));
+free requires (Res_SPINLOCK_IRQL[Ptr(null,0)] == Ptr(null,0));
+free ensures (Res_SPINLOCK_IRQL[Ptr(null,0)] == Ptr(null,0));
+
+
+
+procedure KfReleaseSpinLock ( SpinLock$11:ptr, NewIrql1:ptr);
+
+//TAG: requires __global_resource("IRQL") == 2
+requires(Res_IRQL[Ptr(null,1)] == Ptr(null, 2));
+//TAG: requires __resource("SPINLOCK", SpinLock) == 1
+requires(Res_SPINLOCK[SpinLock$11] == Ptr(null, 1));
+//TAG: requires __resource("SPINLOCK_IRQL", SpinLock) == NewIrql
+requires(Res_SPINLOCK_IRQL[SpinLock$11] == NewIrql1);
+//TAG: ensures __resource("SPINLOCK", SpinLock) == 0
+ensures(Res_SPINLOCK[SpinLock$11] == Ptr(null, 0));
+//TAG: ensures __global_resource("IRQL") == NewIrql
+ensures(Res_IRQL[Ptr(null,1)] == NewIrql1);
+
+modifies Res_IRQL;
+ensures(forall r:ptr :: {Res_IRQL[r]} (Ptr(null, 1) == r) || Off(old(Res_IRQL)[r]) == Off(Res_IRQL[r]));
+free requires ((forall __x:ptr :: {Res_IRQL[__x]} Obj(Res_IRQL[__x]) == null && Off(Res_IRQL[__x]) >= 0));
+free ensures ((forall __x:ptr :: {Res_IRQL[__x]} Obj(Res_IRQL[__x]) == null && Off(Res_IRQL[__x]) >= 0));
+free requires (Res_IRQL[Ptr(null,0)] == Ptr(null,0));
+free ensures (Res_IRQL[Ptr(null,0)] == Ptr(null,0));
+modifies Res_SPINLOCK;
+//TAG: net change in resource SPINLOCK only for: SpinLock
+ensures(forall r:ptr :: {Res_SPINLOCK[r]} (SpinLock$11 == r) || Off(old(Res_SPINLOCK)[r]) == Off(Res_SPINLOCK[r]));
+free requires ((forall __x:ptr :: {Res_SPINLOCK[__x]} Obj(Res_SPINLOCK[__x]) == null && Off(Res_SPINLOCK[__x]) >= 0));
+free ensures ((forall __x:ptr :: {Res_SPINLOCK[__x]} Obj(Res_SPINLOCK[__x]) == null && Off(Res_SPINLOCK[__x]) >= 0));
+free requires (Res_SPINLOCK[Ptr(null,0)] == Ptr(null,0));
+free ensures (Res_SPINLOCK[Ptr(null,0)] == Ptr(null,0));
+
+
+
+procedure MmPageEntireDriver ( a0:ptr) returns (ret:ptr);
+
+
+procedure MmResetDriverPaging ( a0:ptr) ;
+
+
+procedure FloppyQueueRequest ( DisketteExtension1:ptr, Irp1:ptr) returns ( $result.FloppyQueueRequest$5780.0$1$:ptr)
+
+//TAG: requires $FloppyQueueRequest$pre$0 || (1 ==> __resource("SPINLOCK", &((DISKETTE_EXTENSION *)DeviceExtension)->ListSpinLock) == 0)
+requires($FloppyQueueRequest$pre$0 || ((true) ==> (Res_SPINLOCK[ListSpinLock__DISKETTE_EXTENSION(DisketteExtension1)] == Ptr(null, 0))));
+//TAG: requires $FloppyQueueRequest$pre$1 || (1 ==> __resource("SPINLOCK", &((DISKETTE_EXTENSION *)DeviceExtension)->FlCancelSpinLock) == 0)
+requires($FloppyQueueRequest$pre$1 || ((true) ==> (Res_SPINLOCK[FlCancelSpinLock__DISKETTE_EXTENSION(DisketteExtension1)] == Ptr(null, 0))));
+//TAG: requires $FloppyQueueRequest$pre$2 || (1 ==> __resource("SPINLOCK", &((DISKETTE_EXTENSION *)DeviceExtension)->NewRequestQueueSpinLock) == 0)
+requires($FloppyQueueRequest$pre$2 || ((true) ==> (Res_SPINLOCK[NewRequestQueueSpinLock__DISKETTE_EXTENSION(DisketteExtension1)] == Ptr(null, 0))));
+//TAG: requires $FloppyQueueRequest$pre$3 || (1 ==> ((DISKETTE_EXTENSION *)DeviceExtension)->DeviceObject->DeviceExtension == DeviceExtension)
+requires($FloppyQueueRequest$pre$3 || ((true) ==> (Mem_DeviceExtension__DEVICE_OBJECT[DeviceExtension__DEVICE_OBJECT(Mem_DeviceObject__DISKETTE_EXTENSION[DeviceObject__DISKETTE_EXTENSION(DisketteExtension1)])] == DisketteExtension1)));
+//TAG: ensures $FloppyQueueRequest$post$12 || (1 ==> __resource("SPINLOCK", &((DISKETTE_EXTENSION *)DeviceExtension)->ListSpinLock) == 0)
+ensures($FloppyQueueRequest$post$12 || ((true) ==> (Res_SPINLOCK[ListSpinLock__DISKETTE_EXTENSION(DisketteExtension1)] == Ptr(null, 0))));
+//TAG: ensures $FloppyQueueRequest$post$13 || (1 ==> __resource("SPINLOCK", &((DISKETTE_EXTENSION *)DeviceExtension)->FlCancelSpinLock) == 0)
+ensures($FloppyQueueRequest$post$13 || ((true) ==> (Res_SPINLOCK[FlCancelSpinLock__DISKETTE_EXTENSION(DisketteExtension1)] == Ptr(null, 0))));
+//TAG: ensures $FloppyQueueRequest$post$14 || (1 ==> __resource("SPINLOCK", &((DISKETTE_EXTENSION *)DeviceExtension)->NewRequestQueueSpinLock) == 0)
+ensures($FloppyQueueRequest$post$14 || ((true) ==> (Res_SPINLOCK[NewRequestQueueSpinLock__DISKETTE_EXTENSION(DisketteExtension1)] == Ptr(null, 0))));
+//TAG: ensures $FloppyQueueRequest$post$15 || (1 ==> ((DISKETTE_EXTENSION *)DeviceExtension)->DeviceObject->DeviceExtension == DeviceExtension)
+ensures($FloppyQueueRequest$post$15 || ((true) ==> (Mem_DeviceExtension__DEVICE_OBJECT[DeviceExtension__DEVICE_OBJECT(Mem_DeviceObject__DISKETTE_EXTENSION[DeviceObject__DISKETTE_EXTENSION(DisketteExtension1)])] == DisketteExtension1)));
+modifies alloc;
+free ensures(forall f:ref :: {alloc[f]} old(alloc)[f] != UNALLOCATED ==> alloc[f] == old(alloc)[f]);
+
+modifies Res_IRQL;
+//TAG: no net change in resource IRQL
+ensures(forall r:ptr :: {Res_IRQL[r]} Off(old(Res_IRQL)[r]) == Off(Res_IRQL[r]));
+free requires ((forall __x:ptr :: {Res_IRQL[__x]} Obj(Res_IRQL[__x]) == null && Off(Res_IRQL[__x]) >= 0));
+free ensures ((forall __x:ptr :: {Res_IRQL[__x]} Obj(Res_IRQL[__x]) == null && Off(Res_IRQL[__x]) >= 0));
+free requires (Res_IRQL[Ptr(null,0)] == Ptr(null,0));
+free ensures (Res_IRQL[Ptr(null,0)] == Ptr(null,0));
+modifies Res_SPINLOCK;
+//TAG: net change in resource SPINLOCK only for: &DeviceExtension->ListSpinLock, &DeviceExtension->FlCancelSpinLock, &DeviceExtension->NewRequestQueueSpinLock
+ensures(forall r:ptr :: {Res_SPINLOCK[r]} (!$FloppyQueueRequest$mod$16 && ListSpinLock__DISKETTE_EXTENSION(DisketteExtension1) == r) || (!$FloppyQueueRequest$mod$18 && FlCancelSpinLock__DISKETTE_EXTENSION(DisketteExtension1) == r) || (!$FloppyQueueRequest$mod$20 && NewRequestQueueSpinLock__DISKETTE_EXTENSION(DisketteExtension1) == r) || Off(old(Res_SPINLOCK)[r]) == Off(Res_SPINLOCK[r]));
+free requires ((forall __x:ptr :: {Res_SPINLOCK[__x]} Obj(Res_SPINLOCK[__x]) == null && Off(Res_SPINLOCK[__x]) >= 0));
+free ensures ((forall __x:ptr :: {Res_SPINLOCK[__x]} Obj(Res_SPINLOCK[__x]) == null && Off(Res_SPINLOCK[__x]) >= 0));
+free requires (Res_SPINLOCK[Ptr(null,0)] == Ptr(null,0));
+free ensures (Res_SPINLOCK[Ptr(null,0)] == Ptr(null,0));
+modifies Res_SPINLOCK_IRQL;
+//TAG: net change in resource SPINLOCK_IRQL only for: &DeviceExtension->ListSpinLock, &DeviceExtension->FlCancelSpinLock, &DeviceExtension->NewRequestQueueSpinLock
+ensures(forall r:ptr :: {Res_SPINLOCK_IRQL[r]} (!$FloppyQueueRequest$mod$17 && ListSpinLock__DISKETTE_EXTENSION(DisketteExtension1) == r) || (!$FloppyQueueRequest$mod$19 && FlCancelSpinLock__DISKETTE_EXTENSION(DisketteExtension1) == r) || (!$FloppyQueueRequest$mod$21 && NewRequestQueueSpinLock__DISKETTE_EXTENSION(DisketteExtension1) == r) || Off(old(Res_SPINLOCK_IRQL)[r]) == Off(Res_SPINLOCK_IRQL[r]));
+free requires ((forall __x:ptr :: {Res_SPINLOCK_IRQL[__x]} Obj(Res_SPINLOCK_IRQL[__x]) == null && Off(Res_SPINLOCK_IRQL[__x]) >= 0));
+free ensures ((forall __x:ptr :: {Res_SPINLOCK_IRQL[__x]} Obj(Res_SPINLOCK_IRQL[__x]) == null && Off(Res_SPINLOCK_IRQL[__x]) >= 0));
+free requires (Res_SPINLOCK_IRQL[Ptr(null,0)] == Ptr(null,0));
+free ensures (Res_SPINLOCK_IRQL[Ptr(null,0)] == Ptr(null,0));
+modifies Mem_Control__IO_STACK_LOCATION;
+//TAG: no updated memory locations
+free ensures(forall m:ptr :: {Mem_Control__IO_STACK_LOCATION[m]} Mem_Control__IO_STACK_LOCATION[m] == old(Mem_Control__IO_STACK_LOCATION)[m]);
+free ensures(Mem_Control__IO_STACK_LOCATION[Ptr(null,0)] == old(Mem_Control__IO_STACK_LOCATION)[Ptr(null,0)]);
+modifies Mem_FUNCTION;
+//TAG: no updated memory locations
+free ensures(forall m:ptr :: {Mem_FUNCTION[m]} Mem_FUNCTION[m] == old(Mem_FUNCTION)[m]);
+free ensures(Mem_FUNCTION[Ptr(null,0)] == old(Mem_FUNCTION)[Ptr(null,0)]);
+modifies Mem_FlCancelSpinLock__DISKETTE_EXTENSION;
+//TAG: no updated memory locations
+free ensures(forall m:ptr :: {Mem_FlCancelSpinLock__DISKETTE_EXTENSION[m]} Mem_FlCancelSpinLock__DISKETTE_EXTENSION[m] == old(Mem_FlCancelSpinLock__DISKETTE_EXTENSION)[m]);
+free ensures(Mem_FlCancelSpinLock__DISKETTE_EXTENSION[Ptr(null,0)] == old(Mem_FlCancelSpinLock__DISKETTE_EXTENSION)[Ptr(null,0)]);
+modifies Mem_Information__IO_STATUS_BLOCK;
+//TAG: no updated memory locations
+free ensures(forall m:ptr :: {Mem_Information__IO_STATUS_BLOCK[m]} Mem_Information__IO_STATUS_BLOCK[m] == old(Mem_Information__IO_STATUS_BLOCK)[m]);
+free ensures(Mem_Information__IO_STATUS_BLOCK[Ptr(null,0)] == old(Mem_Information__IO_STATUS_BLOCK)[Ptr(null,0)]);
+modifies Mem_NewRequestQueueSpinLock__DISKETTE_EXTENSION;
+//TAG: no updated memory locations
+free ensures(forall m:ptr :: {Mem_NewRequestQueueSpinLock__DISKETTE_EXTENSION[m]} Mem_NewRequestQueueSpinLock__DISKETTE_EXTENSION[m] == old(Mem_NewRequestQueueSpinLock__DISKETTE_EXTENSION)[m]);
+free ensures(Mem_NewRequestQueueSpinLock__DISKETTE_EXTENSION[Ptr(null,0)] == old(Mem_NewRequestQueueSpinLock__DISKETTE_EXTENSION)[Ptr(null,0)]);
+modifies Mem_Status___unnamed_4_c7b3d275;
+//TAG: no updated memory locations
+free ensures(forall m:ptr :: {Mem_Status___unnamed_4_c7b3d275[m]} Mem_Status___unnamed_4_c7b3d275[m] == old(Mem_Status___unnamed_4_c7b3d275)[m]);
+free ensures(Mem_Status___unnamed_4_c7b3d275[Ptr(null,0)] == old(Mem_Status___unnamed_4_c7b3d275)[Ptr(null,0)]);
+modifies Mem_UINT4;
+//TAG: no updated memory locations
+free ensures(forall m:ptr :: {Mem_UINT4[m]} Mem_UINT4[m] == old(Mem_UINT4)[m]);
+free ensures(Mem_UINT4[Ptr(null,0)] == old(Mem_UINT4)[Ptr(null,0)]);
+
+{
+var havoc_stringTemp:ptr;
+var condVal:ptr;
+var DisketteExtension : ptr;
+var Irp : ptr;
+var $RtlAssert.arg.1$3$ : ptr;
+var $RtlAssert.arg.2$2$ : ptr;
+var $_InterlockedExchange.arg.1$7$ : ptr;
+var $_InterlockedExchange.arg.1$9$ : ptr;
+var $_InterlockedExchange.arg.2$6$ : ptr;
+var $ntStatus$4$5806.24$ : ptr;
+var $oldIrql$3$5805.24$ : ptr;
+var $result.ExfInterlockedInsertTailList$5854.36$11$ : ptr;
+var $result.KfAcquireSpinLock$5825.4$4$ : ptr;
+var $result.MmPageEntireDriver$5842.8$10$ : ptr;
+var $result._InterlockedExchange$5826.4$5$ : ptr;
+var $result._InterlockedExchange$5831.26$8$ : ptr;
+var tempBoogie0:ptr;
+var tempBoogie1:ptr;
+var tempBoogie2:ptr;
+var tempBoogie3:ptr;
+var tempBoogie4:ptr;
+var tempBoogie5:ptr;
+var tempBoogie6:ptr;
+var tempBoogie7:ptr;
+var tempBoogie8:ptr;
+var tempBoogie9:ptr;
+var tempBoogie10:ptr;
+var tempBoogie11:ptr;
+var tempBoogie12:ptr;
+var tempBoogie13:ptr;
+var tempBoogie14:ptr;
+var tempBoogie15:ptr;
+var tempBoogie16:ptr;
+var tempBoogie17:ptr;
+var tempBoogie18:ptr;
+var tempBoogie19:ptr;
+
+
+start:
+
+assume (alloc[Obj(DisketteExtension1)] != UNALLOCATED);
+assume (alloc[Obj(Irp1)] != UNALLOCATED);
+DisketteExtension := Ptr(null, 0);
+Irp := Ptr(null, 0);
+$RtlAssert.arg.1$3$ := Ptr(null, 0);
+$RtlAssert.arg.2$2$ := Ptr(null, 0);
+$_InterlockedExchange.arg.1$7$ := Ptr(null, 0);
+$_InterlockedExchange.arg.1$9$ := Ptr(null, 0);
+$_InterlockedExchange.arg.2$6$ := Ptr(null, 0);
+$ntStatus$4$5806.24$ := Ptr(null, 0);
+$oldIrql$3$5805.24$ := Ptr(null, 0);
+$result.ExfInterlockedInsertTailList$5854.36$11$ := Ptr(null, 0);
+$result.KfAcquireSpinLock$5825.4$4$ := Ptr(null, 0);
+$result.MmPageEntireDriver$5842.8$10$ := Ptr(null, 0);
+$result._InterlockedExchange$5826.4$5$ := Ptr(null, 0);
+$result._InterlockedExchange$5831.26$8$ := Ptr(null, 0);
+DisketteExtension := DisketteExtension1;
+Irp := Irp1;
+$result.FloppyQueueRequest$5780.0$1$ := Ptr(null,0);
+goto label_3;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(5864)
+label_1:
+assume (forall m:ptr :: {Mem_Control__IO_STACK_LOCATION[m]} alloc[Obj(m)] != ALLOCATED && old(alloc)[Obj(m)] != ALLOCATED ==> Mem_Control__IO_STACK_LOCATION[m] == old(Mem_Control__IO_STACK_LOCATION)[m]);
+assume (forall m:ptr :: {Mem_FUNCTION[m]} alloc[Obj(m)] != ALLOCATED && old(alloc)[Obj(m)] != ALLOCATED ==> Mem_FUNCTION[m] == old(Mem_FUNCTION)[m]);
+assume (forall m:ptr :: {Mem_FlCancelSpinLock__DISKETTE_EXTENSION[m]} alloc[Obj(m)] != ALLOCATED && old(alloc)[Obj(m)] != ALLOCATED ==> Mem_FlCancelSpinLock__DISKETTE_EXTENSION[m] == old(Mem_FlCancelSpinLock__DISKETTE_EXTENSION)[m]);
+assume (forall m:ptr :: {Mem_Information__IO_STATUS_BLOCK[m]} alloc[Obj(m)] != ALLOCATED && old(alloc)[Obj(m)] != ALLOCATED ==> Mem_Information__IO_STATUS_BLOCK[m] == old(Mem_Information__IO_STATUS_BLOCK)[m]);
+assume (forall m:ptr :: {Mem_NewRequestQueueSpinLock__DISKETTE_EXTENSION[m]} alloc[Obj(m)] != ALLOCATED && old(alloc)[Obj(m)] != ALLOCATED ==> Mem_NewRequestQueueSpinLock__DISKETTE_EXTENSION[m] == old(Mem_NewRequestQueueSpinLock__DISKETTE_EXTENSION)[m]);
+assume (forall m:ptr :: {Mem_Status___unnamed_4_c7b3d275[m]} alloc[Obj(m)] != ALLOCATED && old(alloc)[Obj(m)] != ALLOCATED ==> Mem_Status___unnamed_4_c7b3d275[m] == old(Mem_Status___unnamed_4_c7b3d275)[m]);
+assume (forall m:ptr :: {Mem_UINT4[m]} alloc[Obj(m)] != ALLOCATED && old(alloc)[Obj(m)] != ALLOCATED ==> Mem_UINT4[m] == old(Mem_UINT4)[m]);
+return;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(5864)
+label_2:
+assume false;
+return;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(5805)
+label_3:
+goto label_4;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(5806)
+label_4:
+goto label_5;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(5811)
+label_5:
+call ExAcquireFastMutex (Mem_P_FAST_MUTEX[PagingMutex]);
+goto label_8;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(5811)
+label_8:
+tempBoogie0 := Ptr(Obj(Mem_UINT4[PagingReferenceCount]), Off(Mem_UINT4[PagingReferenceCount]) + 1 * 1) ;
+Mem_UINT4[PagingReferenceCount] := tempBoogie0;
+goto label_8_true , label_8_false ;
+
+
+label_8_true :
+assume (Mem_UINT4[PagingReferenceCount] == Ptr(null, 1));
+goto label_12;
+
+
+label_8_false :
+assume !(Mem_UINT4[PagingReferenceCount] == Ptr(null, 1));
+goto label_9;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(5811)
+label_9:
+call ExReleaseFastMutex (Mem_P_FAST_MUTEX[PagingMutex]);
+goto label_15;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(5811)
+label_12:
+call MmResetDriverPaging (DriverEntry);
+goto label_9;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(5816)
+label_15:
+goto label_15_true , label_15_false ;
+
+
+label_15_true :
+assume (Mem_HoldNewRequests__DISKETTE_EXTENSION[HoldNewRequests__DISKETTE_EXTENSION(DisketteExtension)] != Ptr(null,0));
+goto label_17;
+
+
+label_15_false :
+assume (Mem_HoldNewRequests__DISKETTE_EXTENSION[HoldNewRequests__DISKETTE_EXTENSION(DisketteExtension)] == Ptr(null,0));
+goto label_16;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(5816)
+label_16:
+call havoc_stringTemp := __HAVOC_malloc_stack(Ptr(null,1));
+$RtlAssert.arg.2$2$ := havoc_stringTemp ;
+goto label_61;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(5825)
+label_17:
+assume (Mem_FlCancelSpinLock__DISKETTE_EXTENSION[FlCancelSpinLock__DISKETTE_EXTENSION(DisketteExtension)] == Mem_UINT4[FlCancelSpinLock__DISKETTE_EXTENSION(DisketteExtension)]);
+call $result.KfAcquireSpinLock$5825.4$4$ := KfAcquireSpinLock (FlCancelSpinLock__DISKETTE_EXTENSION(DisketteExtension));
+Mem_FlCancelSpinLock__DISKETTE_EXTENSION[FlCancelSpinLock__DISKETTE_EXTENSION(DisketteExtension)] := Mem_UINT4[FlCancelSpinLock__DISKETTE_EXTENSION(DisketteExtension)];
+goto label_20;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(5825)
+label_20:
+$oldIrql$3$5805.24$ := $result.KfAcquireSpinLock$5825.4$4$ ;
+goto label_21;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(5826)
+label_21:
+$_InterlockedExchange.arg.2$6$ := FloppyCancelQueuedRequest ;
+goto label_22;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(5826)
+label_22:
+$_InterlockedExchange.arg.1$7$ := CancelRoutine__IRP(Irp) ;
+goto label_23;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(5826)
+label_23:
+// ignoring intrinsic intrinsic._InterlockedExchange
+havoc $result._InterlockedExchange$5826.4$5$;
+goto label_26;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(5831)
+label_26:
+goto label_26_true , label_26_false ;
+
+
+label_26_true :
+assume (Mem_Cancel__IRP[Cancel__IRP(Irp)] != Ptr(null,0));
+goto label_28;
+
+
+label_26_false :
+assume (Mem_Cancel__IRP[Cancel__IRP(Irp)] == Ptr(null,0));
+goto label_27;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(5850)
+label_27:
+Mem_Status___unnamed_4_c7b3d275[Status___unnamed_4_c7b3d275(__unnamed_4_c7b3d275__IO_STATUS_BLOCK(IoStatus__IRP(Irp)))] := Ptr(null, 259) ;
+goto label_53;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(5831)
+label_28:
+$_InterlockedExchange.arg.1$9$ := CancelRoutine__IRP(Irp) ;
+goto label_29;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(5831)
+label_29:
+// ignoring intrinsic intrinsic._InterlockedExchange
+havoc $result._InterlockedExchange$5831.26$8$;
+goto label_32;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(5831)
+label_32:
+goto label_32_true , label_32_false ;
+
+
+label_32_true :
+assume ($result._InterlockedExchange$5831.26$8$ != Ptr(null,0));
+goto label_33;
+
+
+label_32_false :
+assume ($result._InterlockedExchange$5831.26$8$ == Ptr(null,0));
+goto label_27;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(5836)
+label_33:
+Mem_Status___unnamed_4_c7b3d275[Status___unnamed_4_c7b3d275(__unnamed_4_c7b3d275__IO_STATUS_BLOCK(IoStatus__IRP(Irp)))] := Ptr(null, -1073741536) ;
+goto label_34;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(5837)
+label_34:
+Mem_Information__IO_STATUS_BLOCK[Information__IO_STATUS_BLOCK(IoStatus__IRP(Irp))] := Ptr(null, 0) ;
+goto label_35;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(5839)
+label_35:
+assume (Mem_FlCancelSpinLock__DISKETTE_EXTENSION[FlCancelSpinLock__DISKETTE_EXTENSION(DisketteExtension)] == Mem_UINT4[FlCancelSpinLock__DISKETTE_EXTENSION(DisketteExtension)]);
+call KfReleaseSpinLock (FlCancelSpinLock__DISKETTE_EXTENSION(DisketteExtension), $oldIrql$3$5805.24$);
+Mem_FlCancelSpinLock__DISKETTE_EXTENSION[FlCancelSpinLock__DISKETTE_EXTENSION(DisketteExtension)] := Mem_UINT4[FlCancelSpinLock__DISKETTE_EXTENSION(DisketteExtension)];
+goto label_38;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(5840)
+label_38:
+call IofCompleteRequest (Irp, Ptr(null, 0));
+goto label_41;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(5842)
+label_41:
+call ExAcquireFastMutex (Mem_P_FAST_MUTEX[PagingMutex]);
+goto label_44;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(5842)
+label_44:
+tempBoogie0 := Ptr(Obj(Mem_UINT4[PagingReferenceCount]), Off(Mem_UINT4[PagingReferenceCount]) - 1) ;
+Mem_UINT4[PagingReferenceCount] := tempBoogie0;
+goto label_44_true , label_44_false ;
+
+
+label_44_true :
+assume (Mem_UINT4[PagingReferenceCount] != Ptr(null,0));
+goto label_48;
+
+
+label_44_false :
+assume (Mem_UINT4[PagingReferenceCount] == Ptr(null,0));
+goto label_45;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(5842)
+label_45:
+call $result.MmPageEntireDriver$5842.8$10$ := MmPageEntireDriver (DriverEntry);
+goto label_48;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(5842)
+label_48:
+call ExReleaseFastMutex (Mem_P_FAST_MUTEX[PagingMutex]);
+goto label_51;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(5844)
+label_51:
+$ntStatus$4$5806.24$ := Ptr(null, -1073741536) ;
+goto label_52;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(5863)
+label_52:
+$result.FloppyQueueRequest$5780.0$1$ := $ntStatus$4$5806.24$ ;
+goto label_1;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(5852)
+label_53:
+tempBoogie0 := BIT_BOR(Mem_Control__IO_STACK_LOCATION[Control__IO_STACK_LOCATION(Mem_CurrentStackLocation___unnamed_4_f80453a0[CurrentStackLocation___unnamed_4_f80453a0(__unnamed_4_f80453a0___unnamed_12_003c1454(__unnamed_12_003c1454___unnamed_40_6ef75b20(Overlay___unnamed_48_c27ef811(Tail__IRP(Irp)))))])], Ptr(null, 1)) ;
+Mem_Control__IO_STACK_LOCATION[Control__IO_STACK_LOCATION(Mem_CurrentStackLocation___unnamed_4_f80453a0[CurrentStackLocation___unnamed_4_f80453a0(__unnamed_4_f80453a0___unnamed_12_003c1454(__unnamed_12_003c1454___unnamed_40_6ef75b20(Overlay___unnamed_48_c27ef811(Tail__IRP(Irp)))))])] := tempBoogie0 ;
+goto label_54;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(5854)
+label_54:
+assume (Mem_NewRequestQueueSpinLock__DISKETTE_EXTENSION[NewRequestQueueSpinLock__DISKETTE_EXTENSION(DisketteExtension)] == Mem_UINT4[NewRequestQueueSpinLock__DISKETTE_EXTENSION(DisketteExtension)]);
+call $result.ExfInterlockedInsertTailList$5854.36$11$ := ExfInterlockedInsertTailList (NewRequestQueue__DISKETTE_EXTENSION(DisketteExtension), ListEntry___unnamed_12_003c1454(__unnamed_12_003c1454___unnamed_40_6ef75b20(Overlay___unnamed_48_c27ef811(Tail__IRP(Irp)))), NewRequestQueueSpinLock__DISKETTE_EXTENSION(DisketteExtension));
+Mem_NewRequestQueueSpinLock__DISKETTE_EXTENSION[NewRequestQueueSpinLock__DISKETTE_EXTENSION(DisketteExtension)] := Mem_UINT4[NewRequestQueueSpinLock__DISKETTE_EXTENSION(DisketteExtension)];
+goto label_57;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(5858)
+label_57:
+assume (Mem_FlCancelSpinLock__DISKETTE_EXTENSION[FlCancelSpinLock__DISKETTE_EXTENSION(DisketteExtension)] == Mem_UINT4[FlCancelSpinLock__DISKETTE_EXTENSION(DisketteExtension)]);
+call KfReleaseSpinLock (FlCancelSpinLock__DISKETTE_EXTENSION(DisketteExtension), $oldIrql$3$5805.24$);
+Mem_FlCancelSpinLock__DISKETTE_EXTENSION[FlCancelSpinLock__DISKETTE_EXTENSION(DisketteExtension)] := Mem_UINT4[FlCancelSpinLock__DISKETTE_EXTENSION(DisketteExtension)];
+goto label_60;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(5860)
+label_60:
+$ntStatus$4$5806.24$ := Ptr(null, 259) ;
+goto label_52;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(5816)
+label_61:
+call havoc_stringTemp := __HAVOC_malloc_stack(Ptr(null,1));
+$RtlAssert.arg.1$3$ := havoc_stringTemp ;
+goto label_62;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(5816)
+label_62:
+// skip RtlAssert
+goto label_17;
+
+}
+
+
+
+procedure FloppyReadWrite ( DeviceObject1:ptr, Irp$11:ptr) returns ( $result.FloppyReadWrite$2203.0$1$:ptr)
+
+//TAG: requires $FloppyReadWrite$pre$42 || (1 ==> __resource("SPINLOCK", &((DISKETTE_EXTENSION *)(DISKETTE_EXTENSION *)(DeviceObject->DeviceExtension))->ListSpinLock) == 0)
+requires($FloppyReadWrite$pre$42 || ((true) ==> (Res_SPINLOCK[ListSpinLock__DISKETTE_EXTENSION(Mem_DeviceExtension__DEVICE_OBJECT[DeviceExtension__DEVICE_OBJECT(DeviceObject1)])] == Ptr(null, 0))));
+//TAG: requires $FloppyReadWrite$pre$43 || (1 ==> __resource("SPINLOCK", &((DISKETTE_EXTENSION *)(DISKETTE_EXTENSION *)(DeviceObject->DeviceExtension))->FlCancelSpinLock) == 0)
+requires($FloppyReadWrite$pre$43 || ((true) ==> (Res_SPINLOCK[FlCancelSpinLock__DISKETTE_EXTENSION(Mem_DeviceExtension__DEVICE_OBJECT[DeviceExtension__DEVICE_OBJECT(DeviceObject1)])] == Ptr(null, 0))));
+//TAG: requires $FloppyReadWrite$pre$44 || (1 ==> __resource("SPINLOCK", &((DISKETTE_EXTENSION *)(DISKETTE_EXTENSION *)(DeviceObject->DeviceExtension))->NewRequestQueueSpinLock) == 0)
+requires($FloppyReadWrite$pre$44 || ((true) ==> (Res_SPINLOCK[NewRequestQueueSpinLock__DISKETTE_EXTENSION(Mem_DeviceExtension__DEVICE_OBJECT[DeviceExtension__DEVICE_OBJECT(DeviceObject1)])] == Ptr(null, 0))));
+//TAG: requires $FloppyReadWrite$pre$45 || (1 ==> ((DISKETTE_EXTENSION *)(DISKETTE_EXTENSION *)(DeviceObject->DeviceExtension))->DeviceObject->DeviceExtension == (DISKETTE_EXTENSION *)(DeviceObject->DeviceExtension))
+requires($FloppyReadWrite$pre$45 || ((true) ==> (Mem_DeviceExtension__DEVICE_OBJECT[DeviceExtension__DEVICE_OBJECT(Mem_DeviceObject__DISKETTE_EXTENSION[DeviceObject__DISKETTE_EXTENSION(Mem_DeviceExtension__DEVICE_OBJECT[DeviceExtension__DEVICE_OBJECT(DeviceObject1)])])] == Mem_DeviceExtension__DEVICE_OBJECT[DeviceExtension__DEVICE_OBJECT(DeviceObject1)])));
+//TAG: requires $FloppyReadWrite$pre$46 || (((DISKETTE_EXTENSION *)(DeviceObject->DeviceExtension))->DeviceObject == DeviceObject)
+requires($FloppyReadWrite$pre$46 || (Mem_DeviceObject__DISKETTE_EXTENSION[DeviceObject__DISKETTE_EXTENSION(Mem_DeviceExtension__DEVICE_OBJECT[DeviceExtension__DEVICE_OBJECT(DeviceObject1)])] == DeviceObject1));
+//TAG: ensures $FloppyReadWrite$post$57 || (1 ==> __resource("SPINLOCK", &((DISKETTE_EXTENSION *)(DISKETTE_EXTENSION *)(DeviceObject->DeviceExtension))->ListSpinLock) == 0)
+ensures($FloppyReadWrite$post$57 || ((true) ==> (Res_SPINLOCK[ListSpinLock__DISKETTE_EXTENSION(Mem_DeviceExtension__DEVICE_OBJECT[DeviceExtension__DEVICE_OBJECT(DeviceObject1)])] == Ptr(null, 0))));
+//TAG: ensures $FloppyReadWrite$post$58 || (1 ==> __resource("SPINLOCK", &((DISKETTE_EXTENSION *)(DISKETTE_EXTENSION *)(DeviceObject->DeviceExtension))->FlCancelSpinLock) == 0)
+ensures($FloppyReadWrite$post$58 || ((true) ==> (Res_SPINLOCK[FlCancelSpinLock__DISKETTE_EXTENSION(Mem_DeviceExtension__DEVICE_OBJECT[DeviceExtension__DEVICE_OBJECT(DeviceObject1)])] == Ptr(null, 0))));
+//TAG: ensures $FloppyReadWrite$post$59 || (1 ==> __resource("SPINLOCK", &((DISKETTE_EXTENSION *)(DISKETTE_EXTENSION *)(DeviceObject->DeviceExtension))->NewRequestQueueSpinLock) == 0)
+ensures($FloppyReadWrite$post$59 || ((true) ==> (Res_SPINLOCK[NewRequestQueueSpinLock__DISKETTE_EXTENSION(Mem_DeviceExtension__DEVICE_OBJECT[DeviceExtension__DEVICE_OBJECT(DeviceObject1)])] == Ptr(null, 0))));
+//TAG: ensures $FloppyReadWrite$post$60 || (1 ==> ((DISKETTE_EXTENSION *)(DISKETTE_EXTENSION *)(DeviceObject->DeviceExtension))->DeviceObject->DeviceExtension == (DISKETTE_EXTENSION *)(DeviceObject->DeviceExtension))
+ensures($FloppyReadWrite$post$60 || ((true) ==> (Mem_DeviceExtension__DEVICE_OBJECT[DeviceExtension__DEVICE_OBJECT(Mem_DeviceObject__DISKETTE_EXTENSION[DeviceObject__DISKETTE_EXTENSION(Mem_DeviceExtension__DEVICE_OBJECT[DeviceExtension__DEVICE_OBJECT(DeviceObject1)])])] == Mem_DeviceExtension__DEVICE_OBJECT[DeviceExtension__DEVICE_OBJECT(DeviceObject1)])));
+//TAG: ensures $FloppyReadWrite$post$61 || (((DISKETTE_EXTENSION *)(DeviceObject->DeviceExtension))->DeviceObject == DeviceObject)
+ensures($FloppyReadWrite$post$61 || (Mem_DeviceObject__DISKETTE_EXTENSION[DeviceObject__DISKETTE_EXTENSION(Mem_DeviceExtension__DEVICE_OBJECT[DeviceExtension__DEVICE_OBJECT(DeviceObject1)])] == DeviceObject1));
+modifies alloc;
+free ensures(forall f:ref :: {alloc[f]} old(alloc)[f] != UNALLOCATED ==> alloc[f] == old(alloc)[f]);
+
+modifies Res_IRQL;
+//TAG: no net change in resource IRQL
+ensures(forall r:ptr :: {Res_IRQL[r]} Off(old(Res_IRQL)[r]) == Off(Res_IRQL[r]));
+free requires ((forall __x:ptr :: {Res_IRQL[__x]} Obj(Res_IRQL[__x]) == null && Off(Res_IRQL[__x]) >= 0));
+free ensures ((forall __x:ptr :: {Res_IRQL[__x]} Obj(Res_IRQL[__x]) == null && Off(Res_IRQL[__x]) >= 0));
+free requires (Res_IRQL[Ptr(null,0)] == Ptr(null,0));
+free ensures (Res_IRQL[Ptr(null,0)] == Ptr(null,0));
+modifies Res_SPINLOCK;
+//TAG: net change in resource SPINLOCK only for: &((DISKETTE_EXTENSION *)(DeviceObject->DeviceExtension))->ListSpinLock, &((DISKETTE_EXTENSION *)(DeviceObject->DeviceExtension))->FlCancelSpinLock, &((DISKETTE_EXTENSION *)(DeviceObject->DeviceExtension))->NewRequestQueueSpinLock
+ensures(forall r:ptr :: {Res_SPINLOCK[r]} (!$FloppyReadWrite$mod$62 && ListSpinLock__DISKETTE_EXTENSION(Mem_DeviceExtension__DEVICE_OBJECT[DeviceExtension__DEVICE_OBJECT(DeviceObject1)]) == r) || (!$FloppyReadWrite$mod$64 && FlCancelSpinLock__DISKETTE_EXTENSION(Mem_DeviceExtension__DEVICE_OBJECT[DeviceExtension__DEVICE_OBJECT(DeviceObject1)]) == r) || (!$FloppyReadWrite$mod$66 && NewRequestQueueSpinLock__DISKETTE_EXTENSION(Mem_DeviceExtension__DEVICE_OBJECT[DeviceExtension__DEVICE_OBJECT(DeviceObject1)]) == r) || Off(old(Res_SPINLOCK)[r]) == Off(Res_SPINLOCK[r]));
+free requires ((forall __x:ptr :: {Res_SPINLOCK[__x]} Obj(Res_SPINLOCK[__x]) == null && Off(Res_SPINLOCK[__x]) >= 0));
+free ensures ((forall __x:ptr :: {Res_SPINLOCK[__x]} Obj(Res_SPINLOCK[__x]) == null && Off(Res_SPINLOCK[__x]) >= 0));
+free requires (Res_SPINLOCK[Ptr(null,0)] == Ptr(null,0));
+free ensures (Res_SPINLOCK[Ptr(null,0)] == Ptr(null,0));
+modifies Res_SPINLOCK_IRQL;
+//TAG: net change in resource SPINLOCK_IRQL only for: &((DISKETTE_EXTENSION *)(DeviceObject->DeviceExtension))->ListSpinLock, &((DISKETTE_EXTENSION *)(DeviceObject->DeviceExtension))->FlCancelSpinLock, &((DISKETTE_EXTENSION *)(DeviceObject->DeviceExtension))->NewRequestQueueSpinLock
+ensures(forall r:ptr :: {Res_SPINLOCK_IRQL[r]} (!$FloppyReadWrite$mod$63 && ListSpinLock__DISKETTE_EXTENSION(Mem_DeviceExtension__DEVICE_OBJECT[DeviceExtension__DEVICE_OBJECT(DeviceObject1)]) == r) || (!$FloppyReadWrite$mod$65 && FlCancelSpinLock__DISKETTE_EXTENSION(Mem_DeviceExtension__DEVICE_OBJECT[DeviceExtension__DEVICE_OBJECT(DeviceObject1)]) == r) || (!$FloppyReadWrite$mod$67 && NewRequestQueueSpinLock__DISKETTE_EXTENSION(Mem_DeviceExtension__DEVICE_OBJECT[DeviceExtension__DEVICE_OBJECT(DeviceObject1)]) == r) || Off(old(Res_SPINLOCK_IRQL)[r]) == Off(Res_SPINLOCK_IRQL[r]));
+free requires ((forall __x:ptr :: {Res_SPINLOCK_IRQL[__x]} Obj(Res_SPINLOCK_IRQL[__x]) == null && Off(Res_SPINLOCK_IRQL[__x]) >= 0));
+free ensures ((forall __x:ptr :: {Res_SPINLOCK_IRQL[__x]} Obj(Res_SPINLOCK_IRQL[__x]) == null && Off(Res_SPINLOCK_IRQL[__x]) >= 0));
+free requires (Res_SPINLOCK_IRQL[Ptr(null,0)] == Ptr(null,0));
+free ensures (Res_SPINLOCK_IRQL[Ptr(null,0)] == Ptr(null,0));
+modifies Mem_Control__IO_STACK_LOCATION;
+//TAG: no updated memory locations
+free ensures(forall m:ptr :: {Mem_Control__IO_STACK_LOCATION[m]} Mem_Control__IO_STACK_LOCATION[m] == old(Mem_Control__IO_STACK_LOCATION)[m]);
+free ensures(Mem_Control__IO_STACK_LOCATION[Ptr(null,0)] == old(Mem_Control__IO_STACK_LOCATION)[Ptr(null,0)]);
+modifies Mem_FUNCTION;
+//TAG: no updated memory locations
+free ensures(forall m:ptr :: {Mem_FUNCTION[m]} Mem_FUNCTION[m] == old(Mem_FUNCTION)[m]);
+free ensures(Mem_FUNCTION[Ptr(null,0)] == old(Mem_FUNCTION)[Ptr(null,0)]);
+modifies Mem_FlCancelSpinLock__DISKETTE_EXTENSION;
+//TAG: no updated memory locations
+free ensures(forall m:ptr :: {Mem_FlCancelSpinLock__DISKETTE_EXTENSION[m]} Mem_FlCancelSpinLock__DISKETTE_EXTENSION[m] == old(Mem_FlCancelSpinLock__DISKETTE_EXTENSION)[m]);
+free ensures(Mem_FlCancelSpinLock__DISKETTE_EXTENSION[Ptr(null,0)] == old(Mem_FlCancelSpinLock__DISKETTE_EXTENSION)[Ptr(null,0)]);
+modifies Mem_Information__IO_STATUS_BLOCK;
+//TAG: no updated memory locations
+free ensures(forall m:ptr :: {Mem_Information__IO_STATUS_BLOCK[m]} Mem_Information__IO_STATUS_BLOCK[m] == old(Mem_Information__IO_STATUS_BLOCK)[m]);
+free ensures(Mem_Information__IO_STATUS_BLOCK[Ptr(null,0)] == old(Mem_Information__IO_STATUS_BLOCK)[Ptr(null,0)]);
+modifies Mem_NewRequestQueueSpinLock__DISKETTE_EXTENSION;
+//TAG: no updated memory locations
+free ensures(forall m:ptr :: {Mem_NewRequestQueueSpinLock__DISKETTE_EXTENSION[m]} Mem_NewRequestQueueSpinLock__DISKETTE_EXTENSION[m] == old(Mem_NewRequestQueueSpinLock__DISKETTE_EXTENSION)[m]);
+free ensures(Mem_NewRequestQueueSpinLock__DISKETTE_EXTENSION[Ptr(null,0)] == old(Mem_NewRequestQueueSpinLock__DISKETTE_EXTENSION)[Ptr(null,0)]);
+modifies Mem_Status___unnamed_4_c7b3d275;
+//TAG: no updated memory locations
+free ensures(forall m:ptr :: {Mem_Status___unnamed_4_c7b3d275[m]} Mem_Status___unnamed_4_c7b3d275[m] == old(Mem_Status___unnamed_4_c7b3d275)[m]);
+free ensures(Mem_Status___unnamed_4_c7b3d275[Ptr(null,0)] == old(Mem_Status___unnamed_4_c7b3d275)[Ptr(null,0)]);
+modifies Mem_UINT4;
+//TAG: no updated memory locations
+free ensures(forall m:ptr :: {Mem_UINT4[m]} Mem_UINT4[m] == old(Mem_UINT4)[m]);
+free ensures(Mem_UINT4[Ptr(null,0)] == old(Mem_UINT4)[Ptr(null,0)]);
+
+{
+var havoc_stringTemp:ptr;
+var condVal:ptr;
+var $DbgPrint.arg.1$10$ : ptr;
+var $DbgPrint.arg.1$13$ : ptr;
+var $DbgPrint.arg.1$15$ : ptr;
+var $DbgPrint.arg.1$3$ : ptr;
+var $DbgPrint.arg.1$6$ : ptr;
+var $DbgPrint.arg.1$8$ : ptr;
+var DeviceObject : ptr;
+var Irp$1 : ptr;
+var $disketteExtension$5$2232.24$ : ptr;
+var $irpSp$3$2230.23$ : ptr;
+var $ntStatus$4$2231.13$ : ptr;
+var $result.DbgPrint$2234.4$2$ : ptr;
+var $result.DbgPrint$2278.0$5$ : ptr;
+var $result.DbgPrint$2280.0$7$ : ptr;
+var $result.DbgPrint$2305.0$9$ : ptr;
+var $result.DbgPrint$2317.0$12$ : ptr;
+var $result.DbgPrint$2327.0$14$ : ptr;
+var $result.FlQueueIrpToThread$2308.41$11$ : ptr;
+var $result.FloppyQueueRequest$2247.37$4$ : ptr;
+var tempBoogie0:ptr;
+var tempBoogie1:ptr;
+var tempBoogie2:ptr;
+var tempBoogie3:ptr;
+var tempBoogie4:ptr;
+var tempBoogie5:ptr;
+var tempBoogie6:ptr;
+var tempBoogie7:ptr;
+var tempBoogie8:ptr;
+var tempBoogie9:ptr;
+var tempBoogie10:ptr;
+var tempBoogie11:ptr;
+var tempBoogie12:ptr;
+var tempBoogie13:ptr;
+var tempBoogie14:ptr;
+var tempBoogie15:ptr;
+var tempBoogie16:ptr;
+var tempBoogie17:ptr;
+var tempBoogie18:ptr;
+var tempBoogie19:ptr;
+
+
+start:
+
+assume (alloc[Obj(DeviceObject1)] != UNALLOCATED);
+assume (alloc[Obj(Irp$11)] != UNALLOCATED);
+$DbgPrint.arg.1$10$ := Ptr(null, 0);
+$DbgPrint.arg.1$13$ := Ptr(null, 0);
+$DbgPrint.arg.1$15$ := Ptr(null, 0);
+$DbgPrint.arg.1$3$ := Ptr(null, 0);
+$DbgPrint.arg.1$6$ := Ptr(null, 0);
+$DbgPrint.arg.1$8$ := Ptr(null, 0);
+DeviceObject := Ptr(null, 0);
+Irp$1 := Ptr(null, 0);
+$disketteExtension$5$2232.24$ := Ptr(null, 0);
+$irpSp$3$2230.23$ := Ptr(null, 0);
+$ntStatus$4$2231.13$ := Ptr(null, 0);
+$result.DbgPrint$2234.4$2$ := Ptr(null, 0);
+$result.DbgPrint$2278.0$5$ := Ptr(null, 0);
+$result.DbgPrint$2280.0$7$ := Ptr(null, 0);
+$result.DbgPrint$2305.0$9$ := Ptr(null, 0);
+$result.DbgPrint$2317.0$12$ := Ptr(null, 0);
+$result.DbgPrint$2327.0$14$ := Ptr(null, 0);
+$result.FlQueueIrpToThread$2308.41$11$ := Ptr(null, 0);
+$result.FloppyQueueRequest$2247.37$4$ := Ptr(null, 0);
+DeviceObject := DeviceObject1;
+Irp$1 := Irp$11;
+$result.FloppyReadWrite$2203.0$1$ := Ptr(null,0);
+goto label_3;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(2334)
+label_1:
+assume (forall m:ptr :: {Mem_Control__IO_STACK_LOCATION[m]} alloc[Obj(m)] != ALLOCATED && old(alloc)[Obj(m)] != ALLOCATED ==> Mem_Control__IO_STACK_LOCATION[m] == old(Mem_Control__IO_STACK_LOCATION)[m]);
+assume (forall m:ptr :: {Mem_FUNCTION[m]} alloc[Obj(m)] != ALLOCATED && old(alloc)[Obj(m)] != ALLOCATED ==> Mem_FUNCTION[m] == old(Mem_FUNCTION)[m]);
+assume (forall m:ptr :: {Mem_FlCancelSpinLock__DISKETTE_EXTENSION[m]} alloc[Obj(m)] != ALLOCATED && old(alloc)[Obj(m)] != ALLOCATED ==> Mem_FlCancelSpinLock__DISKETTE_EXTENSION[m] == old(Mem_FlCancelSpinLock__DISKETTE_EXTENSION)[m]);
+assume (forall m:ptr :: {Mem_Information__IO_STATUS_BLOCK[m]} alloc[Obj(m)] != ALLOCATED && old(alloc)[Obj(m)] != ALLOCATED ==> Mem_Information__IO_STATUS_BLOCK[m] == old(Mem_Information__IO_STATUS_BLOCK)[m]);
+assume (forall m:ptr :: {Mem_NewRequestQueueSpinLock__DISKETTE_EXTENSION[m]} alloc[Obj(m)] != ALLOCATED && old(alloc)[Obj(m)] != ALLOCATED ==> Mem_NewRequestQueueSpinLock__DISKETTE_EXTENSION[m] == old(Mem_NewRequestQueueSpinLock__DISKETTE_EXTENSION)[m]);
+assume (forall m:ptr :: {Mem_Status___unnamed_4_c7b3d275[m]} alloc[Obj(m)] != ALLOCATED && old(alloc)[Obj(m)] != ALLOCATED ==> Mem_Status___unnamed_4_c7b3d275[m] == old(Mem_Status___unnamed_4_c7b3d275)[m]);
+assume (forall m:ptr :: {Mem_UINT4[m]} alloc[Obj(m)] != ALLOCATED && old(alloc)[Obj(m)] != ALLOCATED ==> Mem_UINT4[m] == old(Mem_UINT4)[m]);
+return;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(2334)
+label_2:
+assume false;
+return;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(2230)
+label_3:
+goto label_4;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(2231)
+label_4:
+goto label_5;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(2232)
+label_5:
+goto label_6;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(2234)
+label_6:
+goto label_6_true , label_6_false ;
+
+
+label_6_true :
+assume (BIT_BAND(Mem_UINT4[FloppyDebugLevel], Ptr(null, 8)) != Ptr(null,0));
+goto label_8;
+
+
+label_6_false :
+assume (BIT_BAND(Mem_UINT4[FloppyDebugLevel], Ptr(null, 8)) == Ptr(null,0));
+goto label_7;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(2236)
+label_7:
+$disketteExtension$5$2232.24$ := Mem_DeviceExtension__DEVICE_OBJECT[DeviceExtension__DEVICE_OBJECT(DeviceObject)] ;
+goto label_12;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(2234)
+label_8:
+call havoc_stringTemp := __HAVOC_malloc_stack(Ptr(null,1));
+$DbgPrint.arg.1$3$ := havoc_stringTemp ;
+goto label_9;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(2234)
+label_9:
+havoc $result.DbgPrint$2234.4$2$;
+// skip DbgPrint
+goto label_7;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(2238)
+label_12:
+$irpSp$3$2230.23$ := Mem_CurrentStackLocation___unnamed_4_f80453a0[CurrentStackLocation___unnamed_4_f80453a0(__unnamed_4_f80453a0___unnamed_12_003c1454(__unnamed_12_003c1454___unnamed_40_6ef75b20(Overlay___unnamed_48_c27ef811(Tail__IRP(Irp$1)))))] ;
+goto label_13;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(2244)
+label_13:
+call ExAcquireFastMutex (HoldNewReqMutex__DISKETTE_EXTENSION($disketteExtension$5$2232.24$));
+goto label_16;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(2245)
+label_16:
+goto label_16_true , label_16_false ;
+
+
+label_16_true :
+assume (Mem_HoldNewRequests__DISKETTE_EXTENSION[HoldNewRequests__DISKETTE_EXTENSION($disketteExtension$5$2232.24$)] != Ptr(null,0));
+goto label_18;
+
+
+label_16_false :
+assume (Mem_HoldNewRequests__DISKETTE_EXTENSION[HoldNewRequests__DISKETTE_EXTENSION($disketteExtension$5$2232.24$)] == Ptr(null,0));
+goto label_17;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(2257)
+label_17:
+goto label_17_true , label_17_false ;
+
+
+label_17_true :
+assume (Mem_IsRemoved__DISKETTE_EXTENSION[IsRemoved__DISKETTE_EXTENSION($disketteExtension$5$2232.24$)] != Ptr(null,0));
+goto label_27;
+
+
+label_17_false :
+assume (Mem_IsRemoved__DISKETTE_EXTENSION[IsRemoved__DISKETTE_EXTENSION($disketteExtension$5$2232.24$)] == Ptr(null,0));
+goto label_26;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(2247)
+label_18:
+call $result.FloppyQueueRequest$2247.37$4$ := FloppyQueueRequest ($disketteExtension$5$2232.24$, Irp$1);
+goto label_21;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(2247)
+label_21:
+$ntStatus$4$2231.13$ := $result.FloppyQueueRequest$2247.37$4$ ;
+goto label_22;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(2249)
+label_22:
+call ExReleaseFastMutex (HoldNewReqMutex__DISKETTE_EXTENSION($disketteExtension$5$2232.24$));
+goto label_25;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(2250)
+label_25:
+$result.FloppyReadWrite$2203.0$1$ := $ntStatus$4$2231.13$ ;
+goto label_1;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(2257)
+label_26:
+goto label_26_true , label_26_false ;
+
+
+label_26_true :
+assume (Mem_IsStarted__DISKETTE_EXTENSION[IsStarted__DISKETTE_EXTENSION($disketteExtension$5$2232.24$)] != Ptr(null,0));
+goto label_39;
+
+
+label_26_false :
+assume (Mem_IsStarted__DISKETTE_EXTENSION[IsStarted__DISKETTE_EXTENSION($disketteExtension$5$2232.24$)] == Ptr(null,0));
+goto label_27;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(2259)
+label_27:
+call ExReleaseFastMutex (HoldNewReqMutex__DISKETTE_EXTENSION($disketteExtension$5$2232.24$));
+goto label_30;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(2261)
+label_30:
+goto label_30_true , label_30_false ;
+
+
+label_30_true :
+assume (Mem_IsRemoved__DISKETTE_EXTENSION[IsRemoved__DISKETTE_EXTENSION($disketteExtension$5$2232.24$)] != Ptr(null,0));
+goto label_32;
+
+
+label_30_false :
+assume (Mem_IsRemoved__DISKETTE_EXTENSION[IsRemoved__DISKETTE_EXTENSION($disketteExtension$5$2232.24$)] == Ptr(null,0));
+goto label_31;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(2264)
+label_31:
+$ntStatus$4$2231.13$ := Ptr(null, -1073741823) ;
+goto label_33;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(2262)
+label_32:
+$ntStatus$4$2231.13$ := Ptr(null, -1073741738) ;
+goto label_33;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(2266)
+label_33:
+Mem_Information__IO_STATUS_BLOCK[Information__IO_STATUS_BLOCK(IoStatus__IRP(Irp$1))] := Ptr(null, 0) ;
+goto label_34;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(2267)
+label_34:
+Mem_Status___unnamed_4_c7b3d275[Status___unnamed_4_c7b3d275(__unnamed_4_c7b3d275__IO_STATUS_BLOCK(IoStatus__IRP(Irp$1)))] := $ntStatus$4$2231.13$ ;
+goto label_35;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(2268)
+label_35:
+call IofCompleteRequest (Irp$1, Ptr(null, 0));
+goto label_38;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(2269)
+label_38:
+$result.FloppyReadWrite$2203.0$1$ := $ntStatus$4$2231.13$ ;
+goto label_1;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(2272)
+label_39:
+assume (null == Obj(Mem_MediaType__DISKETTE_EXTENSION[MediaType__DISKETTE_EXTENSION($disketteExtension$5$2232.24$)]));
+goto label_39_true , label_39_false ;
+
+
+label_39_true :
+assume (0 < Off(Mem_MediaType__DISKETTE_EXTENSION[MediaType__DISKETTE_EXTENSION($disketteExtension$5$2232.24$)]));
+goto label_41;
+
+
+label_39_false :
+assume !(0 < Off(Mem_MediaType__DISKETTE_EXTENSION[MediaType__DISKETTE_EXTENSION($disketteExtension$5$2232.24$)]));
+goto label_40;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(2299)
+label_40:
+goto label_40_true , label_40_false ;
+
+
+label_40_true :
+assume (Mem_Length___unnamed_16_39e6661e[Length___unnamed_16_39e6661e(Read___unnamed_16_c0f0e7de(Parameters__IO_STACK_LOCATION($irpSp$3$2230.23$)))] != Ptr(null,0));
+goto label_69;
+
+
+label_40_false :
+assume (Mem_Length___unnamed_16_39e6661e[Length___unnamed_16_39e6661e(Read___unnamed_16_c0f0e7de(Parameters__IO_STACK_LOCATION($irpSp$3$2230.23$)))] == Ptr(null,0));
+goto label_68;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(2274)
+label_41:
+assume (Obj(Mem_ByteCapacity__DISKETTE_EXTENSION[ByteCapacity__DISKETTE_EXTENSION($disketteExtension$5$2232.24$)]) == Obj(PLUS(Mem_LowPart___unnamed_8_34582070[LowPart___unnamed_8_34582070(__unnamed_8_34582070__LARGE_INTEGER(ByteOffset___unnamed_16_39e6661e(Read___unnamed_16_c0f0e7de(Parameters__IO_STACK_LOCATION($irpSp$3$2230.23$)))))], 1, Mem_Length___unnamed_16_39e6661e[Length___unnamed_16_39e6661e(Read___unnamed_16_c0f0e7de(Parameters__IO_STACK_LOCATION($irpSp$3$2230.23$)))])));
+goto label_41_true , label_41_false ;
+
+
+label_41_true :
+assume (Off(Mem_ByteCapacity__DISKETTE_EXTENSION[ByteCapacity__DISKETTE_EXTENSION($disketteExtension$5$2232.24$)]) < Off(PLUS(Mem_LowPart___unnamed_8_34582070[LowPart___unnamed_8_34582070(__unnamed_8_34582070__LARGE_INTEGER(ByteOffset___unnamed_16_39e6661e(Read___unnamed_16_c0f0e7de(Parameters__IO_STACK_LOCATION($irpSp$3$2230.23$)))))], 1, Mem_Length___unnamed_16_39e6661e[Length___unnamed_16_39e6661e(Read___unnamed_16_c0f0e7de(Parameters__IO_STACK_LOCATION($irpSp$3$2230.23$)))])));
+goto label_43;
+
+
+label_41_false :
+assume !(Off(Mem_ByteCapacity__DISKETTE_EXTENSION[ByteCapacity__DISKETTE_EXTENSION($disketteExtension$5$2232.24$)]) < Off(PLUS(Mem_LowPart___unnamed_8_34582070[LowPart___unnamed_8_34582070(__unnamed_8_34582070__LARGE_INTEGER(ByteOffset___unnamed_16_39e6661e(Read___unnamed_16_c0f0e7de(Parameters__IO_STACK_LOCATION($irpSp$3$2230.23$)))))], 1, Mem_Length___unnamed_16_39e6661e[Length___unnamed_16_39e6661e(Read___unnamed_16_c0f0e7de(Parameters__IO_STACK_LOCATION($irpSp$3$2230.23$)))])));
+goto label_42;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(2275)
+label_42:
+goto label_42_true , label_42_false ;
+
+
+label_42_true :
+assume (BIT_BAND(Mem_Length___unnamed_16_39e6661e[Length___unnamed_16_39e6661e(Read___unnamed_16_c0f0e7de(Parameters__IO_STACK_LOCATION($irpSp$3$2230.23$)))], Ptr(Obj(Mem_BytesPerSector__DISKETTE_EXTENSION[BytesPerSector__DISKETTE_EXTENSION($disketteExtension$5$2232.24$)]), Off(Mem_BytesPerSector__DISKETTE_EXTENSION[BytesPerSector__DISKETTE_EXTENSION($disketteExtension$5$2232.24$)]) - 1)) != Ptr(null,0));
+goto label_43;
+
+
+label_42_false :
+assume (BIT_BAND(Mem_Length___unnamed_16_39e6661e[Length___unnamed_16_39e6661e(Read___unnamed_16_c0f0e7de(Parameters__IO_STACK_LOCATION($irpSp$3$2230.23$)))], Ptr(Obj(Mem_BytesPerSector__DISKETTE_EXTENSION[BytesPerSector__DISKETTE_EXTENSION($disketteExtension$5$2232.24$)]), Off(Mem_BytesPerSector__DISKETTE_EXTENSION[BytesPerSector__DISKETTE_EXTENSION($disketteExtension$5$2232.24$)]) - 1)) == Ptr(null,0));
+goto label_40;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(2278)
+label_43:
+goto label_43_true , label_43_false ;
+
+
+label_43_true :
+assume (BIT_BAND(Mem_UINT4[FloppyDebugLevel], Ptr(null, 1)) != Ptr(null,0));
+goto label_45;
+
+
+label_43_false :
+assume (BIT_BAND(Mem_UINT4[FloppyDebugLevel], Ptr(null, 1)) == Ptr(null,0));
+goto label_44;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(2280)
+label_44:
+goto label_44_true , label_44_false ;
+
+
+label_44_true :
+assume (BIT_BAND(Mem_UINT4[FloppyDebugLevel], Ptr(null, 2)) != Ptr(null,0));
+goto label_50;
+
+
+label_44_false :
+assume (BIT_BAND(Mem_UINT4[FloppyDebugLevel], Ptr(null, 2)) == Ptr(null,0));
+goto label_49;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(2278)
+label_45:
+call havoc_stringTemp := __HAVOC_malloc_stack(Ptr(null,1));
+$DbgPrint.arg.1$6$ := havoc_stringTemp ;
+goto label_46;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(2278)
+label_46:
+havoc $result.DbgPrint$2278.0$5$;
+// skip DbgPrint
+goto label_44;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(2290)
+label_49:
+$ntStatus$4$2231.13$ := Ptr(null, -1073741811) ;
+goto label_54;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(2280)
+label_50:
+call havoc_stringTemp := __HAVOC_malloc_stack(Ptr(null,1));
+$DbgPrint.arg.1$8$ := havoc_stringTemp ;
+goto label_51;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(2280)
+label_51:
+havoc $result.DbgPrint$2280.0$7$;
+// skip DbgPrint
+goto label_49;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(2323)
+label_54:
+call ExReleaseFastMutex (HoldNewReqMutex__DISKETTE_EXTENSION($disketteExtension$5$2232.24$));
+goto label_57;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(2325)
+label_57:
+goto label_57_true , label_57_false ;
+
+
+label_57_true :
+assume ($ntStatus$4$2231.13$ != Ptr(null, 259));
+goto label_59;
+
+
+label_57_false :
+assume !($ntStatus$4$2231.13$ != Ptr(null, 259));
+goto label_58;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(2333)
+label_58:
+$result.FloppyReadWrite$2203.0$1$ := $ntStatus$4$2231.13$ ;
+goto label_1;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(2326)
+label_59:
+Mem_Status___unnamed_4_c7b3d275[Status___unnamed_4_c7b3d275(__unnamed_4_c7b3d275__IO_STATUS_BLOCK(IoStatus__IRP(Irp$1)))] := $ntStatus$4$2231.13$ ;
+goto label_60;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(2327)
+label_60:
+goto label_60_true , label_60_false ;
+
+
+label_60_true :
+assume (BIT_BAND(Mem_UINT4[FloppyDebugLevel], Ptr(null, 1)) != Ptr(null,0));
+goto label_64;
+
+
+label_60_false :
+assume (BIT_BAND(Mem_UINT4[FloppyDebugLevel], Ptr(null, 1)) == Ptr(null,0));
+goto label_61;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(2330)
+label_61:
+call IofCompleteRequest (Irp$1, Ptr(null, 0));
+goto label_58;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(2327)
+label_64:
+call havoc_stringTemp := __HAVOC_malloc_stack(Ptr(null,1));
+$DbgPrint.arg.1$15$ := havoc_stringTemp ;
+goto label_65;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(2327)
+label_65:
+havoc $result.DbgPrint$2327.0$14$;
+// skip DbgPrint
+goto label_61;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(2315)
+label_68:
+Mem_Information__IO_STATUS_BLOCK[Information__IO_STATUS_BLOCK(IoStatus__IRP(Irp$1))] := Ptr(null, 0) ;
+goto label_78;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(2305)
+label_69:
+goto label_69_true , label_69_false ;
+
+
+label_69_true :
+assume (BIT_BAND(Mem_UINT4[FloppyDebugLevel], Ptr(null, 16)) != Ptr(null,0));
+goto label_73;
+
+
+label_69_false :
+assume (BIT_BAND(Mem_UINT4[FloppyDebugLevel], Ptr(null, 16)) == Ptr(null,0));
+goto label_70;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(2308)
+label_70:
+call $result.FlQueueIrpToThread$2308.41$11$ := FlQueueIrpToThread (Irp$1, $disketteExtension$5$2232.24$);
+goto label_77;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(2305)
+label_73:
+call havoc_stringTemp := __HAVOC_malloc_stack(Ptr(null,1));
+$DbgPrint.arg.1$10$ := havoc_stringTemp ;
+goto label_74;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(2305)
+label_74:
+havoc $result.DbgPrint$2305.0$9$;
+// skip DbgPrint
+goto label_70;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(2308)
+label_77:
+$ntStatus$4$2231.13$ := $result.FlQueueIrpToThread$2308.41$11$ ;
+goto label_54;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(2316)
+label_78:
+Mem_Status___unnamed_4_c7b3d275[Status___unnamed_4_c7b3d275(__unnamed_4_c7b3d275__IO_STATUS_BLOCK(IoStatus__IRP(Irp$1)))] := Ptr(null, 0) ;
+goto label_79;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(2317)
+label_79:
+goto label_79_true , label_79_false ;
+
+
+label_79_true :
+assume (BIT_BAND(Mem_UINT4[FloppyDebugLevel], Ptr(null, 1)) != Ptr(null,0));
+goto label_81;
+
+
+label_79_false :
+assume (BIT_BAND(Mem_UINT4[FloppyDebugLevel], Ptr(null, 1)) == Ptr(null,0));
+goto label_80;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(2319)
+label_80:
+$ntStatus$4$2231.13$ := Ptr(null, 0) ;
+goto label_54;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(2317)
+label_81:
+call havoc_stringTemp := __HAVOC_malloc_stack(Ptr(null,1));
+$DbgPrint.arg.1$13$ := havoc_stringTemp ;
+goto label_82;
+
+
+// c:\nt\drivers\storage\fdc\flpydisk\floppy.c(2317)
+label_82:
+havoc $result.DbgPrint$2317.0$12$;
+// skip DbgPrint
+goto label_80;
+
+}
+
diff --git a/Test/test17/runtest.bat b/Test/test17/runtest.bat
new file mode 100644
index 00000000..727d4a89
--- /dev/null
+++ b/Test/test17/runtest.bat
@@ -0,0 +1,12 @@
+@echo off
+setlocal
+
+set BOOGIEDIR=..\..\Binaries
+set BGEXE=%BOOGIEDIR%\Boogie.exe
+
+
+for %%f in (contractinfer flpydisk) do (
+ echo.
+ echo -------------------- %%f --------------------
+ %BGEXE% %* /errorLimit:1 /contractInfer /z3mam:4 /subsumption:0 %%f.bpl
+)
diff --git a/Test/test2/Answer b/Test/test2/Answer
new file mode 100644
index 00000000..7876d732
--- /dev/null
+++ b/Test/test2/Answer
@@ -0,0 +1,359 @@
+
+-------------------- FormulaTerm.bpl --------------------
+FormulaTerm.bpl(10,3): Error BP5003: A postcondition might not hold at this return statement.
+FormulaTerm.bpl(4,3): Related location: This is the postcondition that might not hold.
+Execution trace:
+ FormulaTerm.bpl(8,1): start
+
+Boogie program verifier finished with 11 verified, 1 error
+
+-------------------- FormulaTerm2.bpl --------------------
+FormulaTerm2.bpl(39,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ FormulaTerm2.bpl(36,3): start
+FormulaTerm2.bpl(47,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ FormulaTerm2.bpl(45,3): start
+
+Boogie program verifier finished with 2 verified, 2 errors
+
+-------------------- Passification.bpl --------------------
+Passification.bpl(44,3): Error BP5003: A postcondition might not hold at this return statement.
+Passification.bpl(36,3): Related location: This is the postcondition that might not hold.
+Execution trace:
+ Passification.bpl(39,1): A
+Passification.bpl(116,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Passification.bpl(106,1): L0
+ Passification.bpl(111,1): L1
+ Passification.bpl(115,1): L2
+Passification.bpl(151,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Passification.bpl(144,1): L0
+ Passification.bpl(150,1): L2
+Passification.bpl(165,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Passification.bpl(158,1): L0
+ Passification.bpl(161,1): L1
+ Passification.bpl(164,1): L2
+
+Boogie program verifier finished with 7 verified, 4 errors
+
+-------------------- B.bpl --------------------
+
+Boogie program verifier finished with 4 verified, 0 errors
+
+-------------------- Ensures.bpl --------------------
+Ensures.bpl(30,5): Error BP5003: A postcondition might not hold at this return statement.
+Ensures.bpl(19,3): Related location: This is the postcondition that might not hold.
+Execution trace:
+ Ensures.bpl(28,3): start
+Ensures.bpl(35,5): Error BP5003: A postcondition might not hold at this return statement.
+Ensures.bpl(19,3): Related location: This is the postcondition that might not hold.
+Execution trace:
+ Ensures.bpl(34,3): start
+Ensures.bpl(41,5): Error BP5003: A postcondition might not hold at this return statement.
+Ensures.bpl(19,3): Related location: This is the postcondition that might not hold.
+Execution trace:
+ Ensures.bpl(39,3): start
+Ensures.bpl(47,5): Error BP5003: A postcondition might not hold at this return statement.
+Ensures.bpl(19,3): Related location: This is the postcondition that might not hold.
+Execution trace:
+ Ensures.bpl(45,3): start
+Ensures.bpl(72,5): Error BP5003: A postcondition might not hold at this return statement.
+Ensures.bpl(19,3): Related location: This is the postcondition that might not hold.
+Execution trace:
+ Ensures.bpl(70,3): start
+
+Boogie program verifier finished with 5 verified, 5 errors
+
+-------------------- Old.bpl --------------------
+Old.bpl(29,5): Error BP5003: A postcondition might not hold at this return statement.
+Old.bpl(26,3): Related location: This is the postcondition that might not hold.
+Execution trace:
+ Old.bpl(28,3): start
+
+Boogie program verifier finished with 7 verified, 1 error
+
+-------------------- OldIllegal.bpl --------------------
+OldIllegal.bpl(7,11): Error: old expressions allowed only in two-state contexts
+OldIllegal.bpl(14,23): Error: old expressions allowed only in two-state contexts
+2 name resolution errors detected in OldIllegal.bpl
+
+-------------------- Arrays.bpl --------------------
+Arrays.bpl(46,5): Error BP5003: A postcondition might not hold at this return statement.
+Arrays.bpl(38,3): Related location: This is the postcondition that might not hold.
+Execution trace:
+ Arrays.bpl(42,3): start
+Arrays.bpl(127,5): Error BP5003: A postcondition might not hold at this return statement.
+Arrays.bpl(119,3): Related location: This is the postcondition that might not hold.
+Execution trace:
+ Arrays.bpl(123,3): start
+
+Boogie program verifier finished with 8 verified, 2 errors
+
+-------------------- Axioms.bpl --------------------
+Axioms.bpl(19,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ Axioms.bpl(18,3): start
+
+Boogie program verifier finished with 2 verified, 1 error
+
+-------------------- Quantifiers.bpl --------------------
+Quantifiers.bpl(20,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ Quantifiers.bpl(19,3): start
+Quantifiers.bpl(43,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ Quantifiers.bpl(42,3): start
+Quantifiers.bpl(65,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ Quantifiers.bpl(64,3): start
+Quantifiers.bpl(73,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ Quantifiers.bpl(71,3): start
+Quantifiers.bpl(125,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ Quantifiers.bpl(124,3): start
+Quantifiers.bpl(150,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ Quantifiers.bpl(149,3): start
+
+Boogie program verifier finished with 8 verified, 6 errors
+
+-------------------- Call.bpl --------------------
+Call.bpl(13,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ Call.bpl(9,3): entry
+Call.bpl(46,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ Call.bpl(45,3): start
+Call.bpl(55,5): Error BP5003: A postcondition might not hold at this return statement.
+Call.bpl(20,3): Related location: This is the postcondition that might not hold.
+Execution trace:
+ Call.bpl(53,3): start
+
+Boogie program verifier finished with 2 verified, 3 errors
+
+-------------------- AssumeEnsures.bpl --------------------
+AssumeEnsures.bpl(28,9): Error BP5001: This assertion might not hold.
+Execution trace:
+ AssumeEnsures.bpl(26,5): entry
+AssumeEnsures.bpl(47,9): Error BP5001: This assertion might not hold.
+Execution trace:
+ AssumeEnsures.bpl(46,5): entry
+AssumeEnsures.bpl(62,9): Error BP5001: This assertion might not hold.
+Execution trace:
+ AssumeEnsures.bpl(60,5): entry
+
+Boogie program verifier finished with 4 verified, 3 errors
+
+-------------------- CutBackEdge.bpl --------------------
+CutBackEdge.bpl(10,5): Error BP5005: This loop invariant might not be maintained by the loop.
+Execution trace:
+ CutBackEdge.bpl(5,3): entry
+ CutBackEdge.bpl(9,3): block850
+
+Boogie program verifier finished with 0 verified, 1 error
+
+-------------------- False.bpl --------------------
+
+Boogie program verifier finished with 2 verified, 0 errors
+
+-------------------- LoopInvAssume.bpl --------------------
+LoopInvAssume.bpl(18,7): Error BP5001: This assertion might not hold.
+Execution trace:
+ LoopInvAssume.bpl(8,4): entry
+ LoopInvAssume.bpl(16,4): exit
+
+Boogie program verifier finished with 0 verified, 1 error
+
+-------------------- strings-no-where.bpl --------------------
+strings-no-where.bpl(201,103): Error: invalid argument types (any and name) to binary operator ==
+strings-no-where.bpl(203,105): Error: invalid argument types (any and name) to binary operator ==
+strings-no-where.bpl(209,106): Error: invalid type for argument 1 in application of IsAllocated: struct (expected: any)
+strings-no-where.bpl(211,72): Error: invalid type for argument 1 in application of IsAllocated: ref (expected: any)
+strings-no-where.bpl(211,108): Error: invalid type for argument 1 in application of IsAllocated: elements (expected: any)
+strings-no-where.bpl(211,130): Error: invalid type for argument 1 in application of IsAllocated: ref (expected: any)
+strings-no-where.bpl(213,78): Error: invalid type for argument 1 in application of IsAllocated: ref (expected: any)
+strings-no-where.bpl(235,98): Error: invalid argument types (any and name) to binary operator ==
+strings-no-where.bpl(249,118): Error: invalid argument types (any and name) to binary operator ==
+strings-no-where.bpl(699,34): Error: invalid type for argument 1 in application of IsAllocated: int (expected: any)
+strings-no-where.bpl(728,9): Error: mismatched types in assignment command (cannot assign bool to any)
+strings-no-where.bpl(737,9): Error: mismatched types in assignment command (cannot assign bool to any)
+strings-no-where.bpl(751,9): Error: mismatched types in assignment command (cannot assign bool to any)
+strings-no-where.bpl(760,9): Error: mismatched types in assignment command (cannot assign bool to any)
+strings-no-where.bpl(926,36): Error: invalid argument types (any and name) to binary operator ==
+strings-no-where.bpl(949,36): Error: invalid argument types (any and name) to binary operator ==
+strings-no-where.bpl(975,9): Error: mismatched types in assignment command (cannot assign name to any)
+strings-no-where.bpl(990,36): Error: invalid argument types (any and name) to binary operator ==
+18 type checking errors detected in strings-no-where.bpl
+
+-------------------- strings-where.bpl --------------------
+strings-where.bpl(201,103): Error: invalid argument types (any and name) to binary operator ==
+strings-where.bpl(203,105): Error: invalid argument types (any and name) to binary operator ==
+strings-where.bpl(209,106): Error: invalid type for argument 1 in application of IsAllocated: struct (expected: any)
+strings-where.bpl(211,72): Error: invalid type for argument 1 in application of IsAllocated: ref (expected: any)
+strings-where.bpl(211,108): Error: invalid type for argument 1 in application of IsAllocated: elements (expected: any)
+strings-where.bpl(211,130): Error: invalid type for argument 1 in application of IsAllocated: ref (expected: any)
+strings-where.bpl(213,78): Error: invalid type for argument 1 in application of IsAllocated: ref (expected: any)
+strings-where.bpl(235,98): Error: invalid argument types (any and name) to binary operator ==
+strings-where.bpl(249,118): Error: invalid argument types (any and name) to binary operator ==
+strings-where.bpl(699,34): Error: invalid type for argument 1 in application of IsAllocated: int (expected: any)
+strings-where.bpl(728,9): Error: mismatched types in assignment command (cannot assign bool to any)
+strings-where.bpl(737,9): Error: mismatched types in assignment command (cannot assign bool to any)
+strings-where.bpl(751,9): Error: mismatched types in assignment command (cannot assign bool to any)
+strings-where.bpl(760,9): Error: mismatched types in assignment command (cannot assign bool to any)
+strings-where.bpl(926,36): Error: invalid argument types (any and name) to binary operator ==
+strings-where.bpl(949,36): Error: invalid argument types (any and name) to binary operator ==
+strings-where.bpl(975,9): Error: mismatched types in assignment command (cannot assign name to any)
+strings-where.bpl(990,36): Error: invalid argument types (any and name) to binary operator ==
+18 type checking errors detected in strings-where.bpl
+
+-------------------- Structured.bpl --------------------
+Structured.bpl(252,14): Error BP5003: A postcondition might not hold at this return statement.
+Structured.bpl(243,3): Related location: This is the postcondition that might not hold.
+Execution trace:
+ Structured.bpl(245,3): anon0
+ Structured.bpl(245,3): anon6_LoopHead
+ Structured.bpl(246,5): anon6_LoopBody
+ Structured.bpl(247,7): anon7_LoopBody
+ Structured.bpl(252,5): anon4
+ Structured.bpl(252,14): anon9_Then
+Structured.bpl(303,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Structured.bpl(299,5): anon0
+ Structured.bpl(300,3): anon3_Else
+ Structured.bpl(303,3): anon2
+Structured.bpl(311,7): Error BP5001: This assertion might not hold.
+Execution trace:
+ Structured.bpl(308,3): anon0
+ Structured.bpl(308,3): anon1_Then
+ Structured.bpl(309,5): A
+
+Boogie program verifier finished with 15 verified, 3 errors
+
+-------------------- Where.bpl --------------------
+Where.bpl(8,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Where.bpl(6,3): anon0
+Where.bpl(22,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Where.bpl(16,5): anon0
+Where.bpl(32,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Where.bpl(30,3): anon0
+Where.bpl(44,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Where.bpl(40,5): anon0
+Where.bpl(57,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Where.bpl(52,3): anon0
+Where.bpl(111,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Where.bpl(102,5): anon0
+ Where.bpl(104,3): anon3_LoopHead
+ Where.bpl(110,3): anon2
+Where.bpl(128,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Where.bpl(121,5): anon0
+ Where.bpl(122,3): anon3_LoopHead
+ Where.bpl(125,3): anon2
+Where.bpl(145,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Where.bpl(138,5): anon0
+ Where.bpl(139,3): anon3_LoopHead
+ Where.bpl(142,3): anon2
+Where.bpl(162,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Where.bpl(155,5): anon0
+ Where.bpl(156,3): anon3_LoopHead
+ Where.bpl(159,3): anon2
+
+Boogie program verifier finished with 2 verified, 9 errors
+
+-------------------- UpdateExpr.bpl --------------------
+UpdateExpr.bpl(14,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ UpdateExpr.bpl(14,3): anon0
+UpdateExpr.bpl(19,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ UpdateExpr.bpl(19,3): anon0
+UpdateExpr.bpl(32,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ UpdateExpr.bpl(32,3): anon0
+UpdateExpr.bpl(38,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ UpdateExpr.bpl(38,3): anon0
+UpdateExpr.bpl(52,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ UpdateExpr.bpl(51,5): anon0
+
+Boogie program verifier finished with 5 verified, 5 errors
+
+-------------------- NeverPattern.bpl --------------------
+NeverPattern.bpl(16,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ NeverPattern.bpl(15,3): anon0
+NeverPattern.bpl(22,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ NeverPattern.bpl(21,3): anon0
+NeverPattern.bpl(28,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ NeverPattern.bpl(27,3): anon0
+
+Boogie program verifier finished with 1 verified, 3 errors
+
+-------------------- NullaryMaps.bpl --------------------
+NullaryMaps.bpl(28,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ NullaryMaps.bpl(28,3): anon0
+NullaryMaps.bpl(30,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ NullaryMaps.bpl(28,3): anon0
+NullaryMaps.bpl(36,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ NullaryMaps.bpl(36,3): anon0
+
+Boogie program verifier finished with 2 verified, 3 errors
+
+-------------------- Implies.bpl --------------------
+Implies.bpl(12,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Implies.bpl(11,3): anon0
+Implies.bpl(15,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Implies.bpl(11,3): anon0
+
+Boogie program verifier finished with 0 verified, 2 errors
+-------------------- sk_hack.bpl --------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+
+-------------------- CallForall.bpl --------------------
+CallForall.bpl(17,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ CallForall.bpl(17,3): anon0
+CallForall.bpl(29,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ CallForall.bpl(28,3): anon0
+CallForall.bpl(41,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ CallForall.bpl(40,3): anon0
+CallForall.bpl(47,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ CallForall.bpl(46,3): anon0
+CallForall.bpl(75,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ CallForall.bpl(75,3): anon0
+CallForall.bpl(111,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ CallForall.bpl(109,3): anon0
+CallForall.bpl(118,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ CallForall.bpl(117,3): anon0
+CallForall.bpl(125,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ CallForall.bpl(124,3): anon0
+
+Boogie program verifier finished with 10 verified, 8 errors
diff --git a/Test/test2/Arrays.bpl b/Test/test2/Arrays.bpl
new file mode 100644
index 00000000..d0f712c9
--- /dev/null
+++ b/Test/test2/Arrays.bpl
@@ -0,0 +1,180 @@
+// -------------------- 1-dimensional arrays --------------------
+
+var A: [ref]int;
+
+procedure P0(o: ref, q: ref, y: int)
+ requires o != q;
+ modifies A;
+ ensures A[o] == old(A[o]) + y;
+ ensures (forall p: ref :: A[p] == old(A[p]) || p == o);
+{
+ var k: int;
+
+ start:
+ k := A[q];
+ A[o] := y + A[o];
+ A[q] := k;
+ return;
+}
+
+procedure P1(o: ref, q: ref, y: int)
+ // This procedure does not have the assumption that o != q.
+ modifies A;
+ // It also does not ensures anything about A[o]
+ ensures (forall p: ref :: A[p] == old(A[p]) || p == o);
+{
+ var k: int;
+
+ start:
+ k := A[q];
+ A[o] := y + A[o];
+ A[q] := k;
+ return;
+}
+
+procedure P2(o: ref, q: ref, y: int)
+ // This procedure does not have the assumption that o != q.
+ modifies A;
+ ensures A[o] == old(A[o]) + y;
+{
+ var k: int;
+
+ start:
+ k := A[q];
+ A[o] := y + A[o];
+ A[q] := k;
+ return;
+} // error: postcondition violated (if o == q)
+
+// -------------------- 2-dimensional arrays --------------------
+
+var B: [ref,name]int;
+const F: name;
+
+procedure Q0(o: ref, q: ref, y: int, G: name)
+ requires o != q && F != G;
+ modifies B;
+ ensures B[o,F] == old(B[o,F]) + y;
+ ensures (forall p: ref, f: name :: B[p,f] == old(B[p,f]) ||
+ (p == o && f == F));
+{
+ var k: int;
+
+ start:
+ k := B[q,G];
+ B[o,F] := y + B[o,F];
+ B[q,G] := k;
+ return;
+}
+
+procedure Q1(o: ref, q: ref, y: int, G: name)
+ // This procedure does not have the assumption that o != q && F != G.
+ modifies B;
+ // It also does not ensures anything about B[o,F]
+ ensures (forall p: ref, f: name :: B[p,f] == old(B[p,f]) ||
+ (p == o && f == F));
+{
+ var k: int;
+
+ start:
+ k := B[q,G];
+ B[o,F] := y + B[o,F];
+ B[q,G] := k;
+ return;
+}
+
+procedure Q2(o: ref, q: ref, y: int, G: name)
+ requires F != G;
+ // This procedure does not have the assumption that o != q.
+ modifies B;
+ ensures B[o,F] == old(B[o,F]) + y;
+{
+ var k: int;
+
+ start:
+ k := B[q,G];
+ B[o,F] := y + B[o,F];
+ B[q,G] := k;
+ return;
+}
+
+procedure Q3(o: ref, q: ref, y: int, G: name)
+ requires o != q;
+ // This procedure does not have the assumption that F != G.
+ modifies B;
+ ensures B[o,F] == old(B[o,F]) + y;
+{
+ var k: int;
+
+ start:
+ k := B[q,G];
+ B[o,F] := y + B[o,F];
+ B[q,G] := k;
+ return;
+}
+
+procedure Q4(o: ref, q: ref, y: int, G: name)
+ // This procedure does not have either of the assumptions o != q and F != G.
+ modifies B;
+ ensures B[o,F] == old(B[o,F]) + y;
+{
+ var k: int;
+
+ start:
+ k := B[q,G];
+ B[o,F] := y + B[o,F];
+ B[q,G] := k;
+ return;
+} // error: postcondition violated
+
+// -------------------- more tests --------------------
+
+procedure Skip0(o: ref, q: ref, G: name, H: name)
+ modifies A,B;
+ ensures (forall p: ref :: A[p] == old(A[p]));
+ ensures (forall p: ref, g: name :: B[p,g] == old(B[p,g]));
+{
+ start:
+ return;
+}
+
+procedure Skip1(o: ref, q: ref, G: name, H: name)
+ modifies A,B;
+ ensures (forall p: ref :: A[p] == old(A[p]));
+ ensures (forall p: ref, g: name :: B[p,g] == old(B[p,g]));
+{
+ var k: int;
+ var l: int;
+
+ start:
+ k := A[o];
+ l := A[q];
+ goto oneWay, theOtherWay;
+
+ oneWay:
+ A[o] := k;
+ A[q] := l;
+ goto next;
+
+ theOtherWay:
+ A[q] := l;
+ A[o] := k;
+ goto next;
+
+ next:
+ k := B[o,G];
+ l := B[q,H];
+ goto Lx, Ly;
+
+ Lx:
+ B[o,G] := k;
+ B[q,H] := l;
+ return;
+
+ Ly:
+ B[q,H] := l;
+ B[o,G] := k;
+ return;
+}
+
+type name, ref;
diff --git a/Test/test2/AssumeEnsures.bpl b/Test/test2/AssumeEnsures.bpl
new file mode 100644
index 00000000..901c06c8
--- /dev/null
+++ b/Test/test2/AssumeEnsures.bpl
@@ -0,0 +1,69 @@
+var g: int;
+
+procedure Foo() returns ();
+ modifies g;
+ free ensures 0 <= g;
+
+implementation Foo() returns ()
+{
+ entry:
+ g := g + 1;
+ return;
+}
+
+procedure BarGood() returns ()
+ modifies g;
+{
+ entry:
+ call Foo();
+ assert 0 <= g;
+ return;
+}
+
+procedure BarBad() returns ()
+ modifies g;
+{
+ entry:
+ call Foo();
+ assert 0 < g;
+ return;
+}
+
+// ----- Free preconditions
+
+procedure Proc() returns ();
+ free requires g == 15;
+
+implementation Proc() returns ()
+{
+ entry:
+ assert g > 10; // yes, this condition can be used here
+ return;
+}
+
+implementation Proc() returns ()
+{
+ entry:
+ assert g < 10; // error
+ return;
+}
+
+procedure Caller0() returns ()
+{
+ entry:
+ call Proc(); // yes, legal, since the precondition is not checked
+ return;
+}
+
+procedure Caller1() returns ()
+{
+ entry:
+ call Proc();
+ assert g > 10; // error, because:
+ // Free preconditions are ignored (that is, treated as "skip") for the caller.
+ // This is a BoogiePL design choice. Another alternative would be to treat free
+ // preconditions as assume commands also on the caller side, either in the order
+ // that all preconditions are given, or before or after all the checked preconditions
+ // have been checked.
+ return;
+}
diff --git a/Test/test2/Axioms.bpl b/Test/test2/Axioms.bpl
new file mode 100644
index 00000000..4fe7a8a7
--- /dev/null
+++ b/Test/test2/Axioms.bpl
@@ -0,0 +1,29 @@
+const Seven: int;
+axiom Seven == 7;
+
+function inc(int) returns (int);
+axiom (forall j: int :: inc(j) == j+1);
+
+procedure P()
+{
+ start:
+ assert 4 <= Seven;
+ assert Seven < inc(Seven);
+ assert inc(5) + inc(inc(2)) == Seven + 3;
+ return;
+}
+
+procedure Q()
+{
+ start:
+ assert inc(5) + inc(inc(2)) == Seven; // error
+ return;
+}
+
+function inc2(x:int) returns(int) { x + 2 }
+
+procedure ExpandTest()
+{
+ var q:int;
+ assert inc(inc(q)) == inc2(q);
+}
diff --git a/Test/test2/B.bpl b/Test/test2/B.bpl
new file mode 100644
index 00000000..553d5002
--- /dev/null
+++ b/Test/test2/B.bpl
@@ -0,0 +1,86 @@
+// ----------- BEGIN PRELUDE
+
+var Heap: [ref, name]int;
+const N: name;
+
+procedure Q0()
+{
+ var h: int;
+
+ entry:
+ goto Else;
+
+ Then:
+ h := 15;
+ goto end;
+
+ Else:
+ assume h == 0;
+ goto end;
+
+ end:
+ assert 0 <= h;
+ return;
+}
+
+procedure Q1()
+{
+ var h: int;
+
+ entry:
+ goto Else;
+
+ Then:
+ h := -15;
+ goto end;
+
+ Else:
+ assume h == 0;
+ goto end;
+
+ end:
+ h := -h;
+ assert 0 <= h;
+ return;
+}
+
+procedure P0(this: ref)
+ modifies Heap;
+{
+ entry:
+ goto Else;
+
+ Then:
+ Heap[this, N] := 15;
+ goto end;
+
+ Else:
+ assume Heap[this, N] == 0;
+ goto end;
+
+ end:
+ assert 0 <= Heap[this, N];
+ return;
+}
+
+procedure P1(this: ref)
+ modifies Heap;
+{
+ entry:
+ goto Else;
+
+ Then:
+ Heap[this, N] := -15;
+ goto end;
+
+ Else:
+ assume Heap[this, N] == 0;
+ goto end;
+
+ end:
+ Heap[this, N] := -Heap[this, N];
+ assert 0 <= Heap[this, N];
+ return;
+}
+
+type name, ref;
diff --git a/Test/test2/Call.bpl b/Test/test2/Call.bpl
new file mode 100644
index 00000000..c1de1e71
--- /dev/null
+++ b/Test/test2/Call.bpl
@@ -0,0 +1,60 @@
+procedure Bar() returns (barresult: ref);
+
+procedure Foo();
+
+implementation Foo()
+{
+ var x: ref;
+
+ entry:
+ call x := Bar();
+ assume x == null;
+ call x := Bar();
+ assert x == null;
+ return;
+
+}
+
+procedure DifferentFormalNames(x: int, y: int) returns (z: int);
+ requires x < y;
+ ensures z == x;
+
+implementation DifferentFormalNames(x: int, y: int) returns (z: int)
+{
+ start:
+ assert x < y;
+ z := x;
+ return;
+}
+
+implementation DifferentFormalNames(y: int, x: int) returns (w: int)
+{
+ start:
+ goto A, B;
+ A:
+ assert y < x;
+ assume false;
+ return;
+ B:
+ w := y;
+ return;
+}
+
+implementation DifferentFormalNames(y: int, x: int) returns (w: int)
+{
+ start:
+ assert x < y; // error
+ w := y;
+ return;
+}
+
+implementation DifferentFormalNames(y: int, x: int) returns (w: int)
+{
+ start:
+ w := x;
+ return; // error: postcondition violation
+}
+
+type ref;
+
+const null : ref;
diff --git a/Test/test2/CallForall.bpl b/Test/test2/CallForall.bpl
new file mode 100644
index 00000000..98a62103
--- /dev/null
+++ b/Test/test2/CallForall.bpl
@@ -0,0 +1,134 @@
+function G(int) returns (int);
+axiom (forall x: int :: { G(x) } 0 <= x ==> G(x) == x);
+
+function F(int) returns (int);
+axiom (forall x: int :: { F(G(x)) } 0 <= x ==> F(G(x)) == 5);
+
+procedure Lemma(y: int)
+ requires 0 <= y;
+ ensures F(y) == 5;
+{
+ // proof:
+ assert G(y) == y;
+}
+
+procedure Main0()
+{
+ assert F(2) == 5; // error: cannot prove this directly, because of the trigger
+}
+
+procedure Main1()
+{
+ call Lemma(2);
+ assert F(2) == 5;
+}
+
+procedure Main2()
+{
+ call Lemma(3);
+ assert F(2) == 5; // error: Lemma was instantiated the wrong way
+}
+
+procedure Main3()
+{
+ call forall Lemma(*);
+ assert F(2) == 5;
+}
+
+procedure Main4()
+{
+ call forall Lemma(*);
+ assert false; // error
+}
+
+procedure Main5(z: int)
+{
+ call forall Lemma(*);
+ assert F(z) == 5; // error: z might be negative
+}
+
+procedure Main6(z: int)
+ requires 0 <= z;
+{
+ call forall Lemma(*);
+ assert F(z) == 5;
+}
+
+// ------------ several parameters
+
+function K(int, int) returns (int);
+axiom (forall x: int, y: int :: { K(G(x), G(y)) } 0 <= x && 0 <= y ==> K(G(x), G(y)) == 25);
+
+procedure MultivarLemma(x: int, y: int)
+ requires 0 <= x;
+ requires 0 <= y;
+ ensures K(x,y) == 25;
+{
+ // proof:
+ assert G(x) == x;
+ assert G(y) == y;
+}
+
+procedure Multi0(x: int, y: int)
+ requires 0 <= x && 0 <= y;
+{
+ assert K(x,y) == 25; // error
+}
+
+procedure Multi1(x: int, y: int)
+ requires 0 <= x && 0 <= y;
+{
+ call MultivarLemma(x, y);
+ assert K(x,y) == 25;
+}
+
+procedure Multi2(x: int, y: int)
+ requires 0 <= x && 0 <= y;
+{
+ call forall MultivarLemma(x, y);
+ assert K(x,y) == 25;
+}
+
+procedure Multi3(x: int, y: int)
+ requires 0 <= x && 0 <= y;
+{
+ call forall MultivarLemma(*, y);
+ assert K(x,y) == 25;
+}
+
+procedure Multi4(x: int, y: int)
+ requires 0 <= x && 0 <= y;
+{
+ call forall MultivarLemma(x, *);
+ assert K(x,y) == 25;
+}
+
+procedure Multi5(x: int, y: int)
+ requires 0 <= x && 0 <= y;
+{
+ call forall MultivarLemma(2 + 100, *);
+ assert K(102, y) == 25;
+ assert false; // error
+}
+
+procedure Multi6(x: int, y: int)
+ requires 0 <= x && 0 <= y;
+{
+ call forall MultivarLemma(*, y);
+ assert K(x+2,y+2) == 25; // error
+}
+
+procedure Multi7(x: int, y: int)
+ requires 0 <= x && 0 <= y;
+{
+ call forall MultivarLemma(x, *);
+ assert K(x+2,y+2) == 25; // error
+}
+
+procedure Multi8(x: int, y: int)
+ requires 0 <= x && 0 <= y;
+{
+ call forall MultivarLemma(*, *);
+ assert K(x+2,y+2) == 25; // that's the ticket!
+}
+
diff --git a/Test/test2/CutBackEdge.bpl b/Test/test2/CutBackEdge.bpl
new file mode 100644
index 00000000..934974aa
--- /dev/null
+++ b/Test/test2/CutBackEdge.bpl
@@ -0,0 +1,14 @@
+procedure Test()
+{
+ var i: int;
+
+ entry:
+ i := 0;
+ goto block850;
+
+ block850:
+ assert i == 0;
+ havoc i;
+ goto block850;
+
+}
diff --git a/Test/test2/Ensures.bpl b/Test/test2/Ensures.bpl
new file mode 100644
index 00000000..4e36c108
--- /dev/null
+++ b/Test/test2/Ensures.bpl
@@ -0,0 +1,75 @@
+var H: [ref,name]int;
+var that: ref;
+
+const X: name;
+const Y: name;
+
+procedure P(this: ref);
+ modifies H;
+ ensures H[this,X] == 5;
+
+implementation P(this: ref) {
+ start:
+ H[this,X] := 5;
+ return;
+}
+
+procedure Q(this: ref);
+ modifies H;
+ ensures (forall o: ref, F: name :: o == this && F == X ==> H[o,F] == 5);
+
+implementation Q(this: ref) {
+ start:
+ H[this,X] := 5;
+ return;
+}
+
+implementation Q(this: ref) {
+ start:
+ H[this,X] := 7;
+ return; // error
+}
+
+implementation Q(this: ref) {
+ start:
+ return; // error
+}
+
+implementation Q(this: ref) {
+ start:
+ H[that,X] := 5;
+ return; // error
+}
+
+implementation Q(this: ref) {
+ start:
+ H[this,Y] := 5;
+ return; // error
+}
+
+implementation Q(this: ref) {
+ start:
+ call P(this);
+ return;
+}
+
+implementation Q(this: ref) {
+ start:
+ call Q(this);
+ return;
+}
+
+implementation Q(this: ref) {
+ start:
+ call P(this);
+ call Q(this);
+ return;
+}
+
+implementation Q(this: ref) {
+ start:
+ call P(that);
+ return; // error
+}
+
+type name, ref;
diff --git a/Test/test2/False.bpl b/Test/test2/False.bpl
new file mode 100644
index 00000000..3fe14865
--- /dev/null
+++ b/Test/test2/False.bpl
@@ -0,0 +1,16 @@
+procedure Test1()
+{
+ entry:
+ assert !true == false;
+ return;
+}
+
+procedure Test2()
+{
+ var b: bool;
+
+ entry:
+ assume b != false;
+ assert b;
+ return;
+}
diff --git a/Test/test2/FormulaTerm.bpl b/Test/test2/FormulaTerm.bpl
new file mode 100644
index 00000000..e14707cb
--- /dev/null
+++ b/Test/test2/FormulaTerm.bpl
@@ -0,0 +1,139 @@
+// Test formula-term distinction in Simplify
+
+procedure plus(x: int, y: int) returns (z: int);
+ ensures z == x + y;
+
+implementation plus(x: int, y: int) returns (z: int)
+{
+start:
+ assume z == 3;
+ return; // ERROR: postcondition possibly violated
+}
+
+implementation plus(x: int, y: int) returns (z: int)
+{
+start:
+ z := x + y;
+ return;
+}
+
+implementation plus(x: int, y: int) returns (z: int)
+{
+start:
+ z := x + y;
+ z := 0 + z;
+ return;
+}
+
+procedure plus2(x: int, y: int) returns (z: int)
+ ensures z == x + y;
+{
+start:
+ z := x + y;
+ return;
+}
+
+procedure or(x: int, y: int, a: int, b: int) returns (z: int)
+ requires a == b;
+{
+var t: bool;
+start:
+ t := (x < y || x > y || x == y || x != y) && a >= b && a <= b;
+ assert (x < y || x > y || x == y || x != y) && a >= b && a <= b;
+ assert t;
+ return;
+}
+
+procedure less(x: int, y: int) returns (z: bool);
+ requires x < y;
+ ensures z == (x < y);
+
+implementation less(x: int, y: int) returns (z: bool)
+{
+start:
+ z := x < y;
+ return;
+}
+
+implementation less(x: int, y: int) returns (z: bool)
+{
+start:
+ goto yes, no;
+yes:
+ assume x < y;
+ z := true;
+ return;
+no:
+ assume !(x < y);
+ z := false;
+ return;
+}
+
+implementation less(x: int, y: int) returns (z: bool)
+{
+start:
+ goto yes, no;
+yes:
+ assume x < y;
+ z := true;
+ return;
+no:
+ assume x >= y;
+ z := false;
+ return;
+}
+
+procedure LESS(x: int, y: int) returns (z: bool);
+ requires x < y;
+ ensures z <==> (x < y);
+
+implementation LESS(x: int, y: int) returns (z: bool)
+{
+start:
+ z := x < y;
+ return;
+}
+
+implementation LESS(x: int, y: int) returns (z: bool)
+{
+start:
+ goto yes, no;
+yes:
+ assume x < y;
+ z := true;
+ return;
+no:
+ assume !(x < y);
+ z := false;
+ return;
+}
+
+implementation LESS(x: int, y: int) returns (z: bool)
+{
+start:
+ goto yes, no;
+yes:
+ assume x < y;
+ z := true;
+ return;
+no:
+ assume x >= y;
+ z := false;
+ return;
+}
+
+procedure Assignments()
+{
+ var b: bool;
+ var c: bool;
+ var d: bool;
+ var x: bool, y: bool;
+
+ entry:
+ b := c || d;
+ b := c && d;
+ x := c <==> d;
+ y := c ==> d;
+ assert x ==> y;
+ return;
+}
diff --git a/Test/test2/FormulaTerm2.bpl b/Test/test2/FormulaTerm2.bpl
new file mode 100644
index 00000000..6c5e4bf3
--- /dev/null
+++ b/Test/test2/FormulaTerm2.bpl
@@ -0,0 +1,49 @@
+// This file has been created to test some of the formula/term issues in Zap.
+// However, the test harness does not specify any particular prover to be used,
+// since these tests should pass regardless of which prover is used.
+
+procedure P()
+{
+ var a: int, b: int, t: bool;
+
+ start:
+ assume a == b;
+ t := a == b;
+ assert t;
+ return;
+}
+
+function f(bool) returns (int);
+const A: int;
+const B: int;
+
+axiom f(A < B) == 5;
+
+procedure Q()
+{
+ start:
+ assume A < B;
+ assert f(true) == 5;
+ return;
+}
+
+// ----- and now some erroneous procedures
+
+procedure PX()
+{
+ var a: int, b: int, t: bool;
+
+ start:
+ assume a == b;
+ t := a == b;
+ assert !t; // error
+ return;
+}
+
+procedure QX()
+{
+ start:
+ assume A < B;
+ assert f(true) < 2; // error
+ return;
+}
diff --git a/Test/test2/Implies.bpl b/Test/test2/Implies.bpl
new file mode 100644
index 00000000..3034f973
--- /dev/null
+++ b/Test/test2/Implies.bpl
@@ -0,0 +1,16 @@
+
+const a:bool;
+const b:bool;
+const c:bool;
+const d:bool;
+
+function f(int) returns (bool);
+axiom (forall x:int :: f(x) <== x >= 0);
+
+procedure P() {
+ assert (a ==> (b ==> c) ==> d) == (d <== (c <== b) <== a);
+ assert (a ==> b ==> c) == (c <== (a ==> b)); // error
+
+ assert f(23);
+ assert f(-5); // error
+} \ No newline at end of file
diff --git a/Test/test2/LoopInvAssume.bpl b/Test/test2/LoopInvAssume.bpl
new file mode 100644
index 00000000..1304e668
--- /dev/null
+++ b/Test/test2/LoopInvAssume.bpl
@@ -0,0 +1,20 @@
+// Check that assumes in loop invariants are handled correctly
+
+var x : int;
+
+procedure Test()
+ modifies x;
+{
+ entry:
+ goto loophead, exit;
+
+ loophead:
+ assume x >= 0;
+ x := 0;
+ goto loophead, exit;
+
+ exit:
+ assume x < 0;
+ assert false;
+ return;
+}
diff --git a/Test/test2/NeverPattern.bpl b/Test/test2/NeverPattern.bpl
new file mode 100644
index 00000000..f0478077
--- /dev/null
+++ b/Test/test2/NeverPattern.bpl
@@ -0,0 +1,29 @@
+function {:never_pattern true} f1(x:int) returns(int);
+function {:never_pattern false} f2(x:int) returns(int);
+function f3(x:int) returns(int);
+
+
+procedure foo()
+{
+ assume (forall x : int :: f1(x) > 0 && f2(x) > 0 && f3(x) > 0);
+ assert f2(3) > 0;
+ assert f3(4) > 0;
+}
+
+procedure bar()
+{
+ assume (forall x : int :: f1(x) > 0 && f2(x) > 0 && f3(x) > 0 && f1(7) == 3);
+ assert f1(3) > 0;
+}
+
+procedure bar1()
+{
+ assume (forall x : int :: {:nopats f2(x)} f1(x) > 0 && f2(x) > 0 && f3(x) > 0 && f1(7) == 3);
+ assert f1(3) > 0;
+}
+
+procedure bar2()
+{
+ assume (forall x : int :: {:nopats f2(x)} f1(x) > 0 && f2(x) > 0 && f3(x) > 0 && f1(7) == 3);
+ assert f2(3) > 0;
+}
diff --git a/Test/test2/NullaryMaps.bpl b/Test/test2/NullaryMaps.bpl
new file mode 100644
index 00000000..1bc18c41
--- /dev/null
+++ b/Test/test2/NullaryMaps.bpl
@@ -0,0 +1,57 @@
+// aren't these cool!
+
+var m: []int;
+var p: <a>[]a;
+
+type ref;
+const null: ref;
+
+procedure P()
+ requires m[] == 5;
+ modifies m;
+ modifies p;
+ ensures m[] == 30;
+ ensures p[] == null;
+{
+ m[] := 12;
+ p[] := 12;
+ p[] := true;
+ assert p[] == m[];
+ assert p[];
+ m := m[:= 30];
+ p := p[:=null];
+}
+
+procedure Q()
+ modifies m;
+{
+ assert m[] == 5; // error
+ m[] := 30;
+ assert m[] == 5; // error
+}
+
+procedure R()
+ modifies p;
+{
+ assert p[] < 3; // error
+}
+
+// ----
+
+type Field a;
+type HeapType = <a>[ref, Field a]a;
+const F0: Field int;
+const F1: Field bool;
+const alloc: Field bool;
+var Heap: HeapType;
+procedure FrameCondition(this: ref)
+ modifies Heap;
+ ensures (forall<a> o: ref, f: Field a ::
+ Heap[o,f] == old(Heap)[o,f] ||
+ !old(Heap)[o,alloc] ||
+ (o == this && f == F0) ||
+ (o == this && f == F1)
+ );
+{
+}
+
diff --git a/Test/test2/Old.bpl b/Test/test2/Old.bpl
new file mode 100644
index 00000000..00f798bc
--- /dev/null
+++ b/Test/test2/Old.bpl
@@ -0,0 +1,132 @@
+var x: int;
+var y: int;
+
+procedure P()
+ modifies x;
+ ensures x == old(x) + 1;
+{
+ start:
+ x := 1 + x;
+ return;
+}
+
+procedure Q();
+ modifies x;
+ ensures x == old(x) + 1;
+
+implementation Q()
+{
+ start:
+ x := 1 + x;
+ return;
+}
+
+procedure R()
+ modifies x;
+ ensures x == old(x) + 1;
+{
+ start:
+ return;
+} // error: does not establish postcondition
+
+procedure Swap()
+ modifies x, y;
+ ensures x == old(y) && y == old(x);
+{
+ var t: int;
+
+ start:
+ goto A, B;
+ A:
+ t := x;
+ x := y;
+ y := t;
+ goto end;
+ B:
+ x := x - y; // x == old(x) - old(y)
+ y := y + x; // y == old(y) + (old(x) - old(y)) == old(x)
+ x := y - x; // x == old(x) - (old(x) - old(y)) == old(y)
+ goto end;
+ end:
+ return;
+}
+
+procedure OutParam0(x: int) returns (y: int)
+ ensures y == x + 1;
+{
+ start:
+ y := x + 1;
+ return;
+}
+
+// OutParam1 is like OutParam0, except that there's now a separate
+// implementation declaration, which means that the specification
+// and body use different AST nodes for the formal parameters. This
+// may make a difference in the various substitutions going on.
+// (Indeed, a previous bug caused OutParam0 to verify but not OutParam1.)
+procedure OutParam1(x: int) returns (y: int);
+ ensures y == x + 1;
+implementation OutParam1(x: int) returns (y: int)
+{
+ start:
+ y := x + 1;
+ return;
+}
+
+var a: [ref]int;
+var b: [ref]int;
+
+procedure SwapElems(o: ref) returns (p: ref)
+ modifies a, b;
+ ensures a[o] == old(b[p]) && b[o] == old(a[p]);
+{
+ var ta: int, tb: int;
+
+ start:
+ goto A, B, C;
+ A:
+ havoc p;
+ goto B, C;
+ B:
+ ta := a[p];
+ tb := b[p];
+ a[o] := tb;
+ b[o] := ta;
+ return;
+ C:
+ assume a[o] == b[o];assume false;
+
+ p := o;
+ return;
+}
+
+
+
+//-------------------------------------------------------------------------
+// Test old in Boogie PL code
+//-------------------------------------------------------------------------
+
+var Global0: int;
+
+// Good
+procedure OldInCode0()
+ requires Global0 >= 0;
+ ensures Global0 <= old(Global0) + 1;
+ modifies Global0;
+{
+ var local0: int;
+
+ start:
+ goto A,B;
+ A:
+ assert Global0 == old(Global0);
+ return;
+
+ B:
+ local0 := Global0 + 1;
+ local0 := local0 - 1;
+ Global0 := old(local0 + 1);
+ return;
+}
+
+type ref;
diff --git a/Test/test2/OldIllegal.bpl b/Test/test2/OldIllegal.bpl
new file mode 100644
index 00000000..342c5b19
--- /dev/null
+++ b/Test/test2/OldIllegal.bpl
@@ -0,0 +1,16 @@
+// Test old appearing in illegal locations
+
+var Global0: int;
+
+// Bad
+procedure OldInCode1()
+ requires old(Global0) == 0;
+{
+ start:
+ return;
+}
+
+// Bad
+axiom (forall o:ref :: old(o) == o);
+
+type ref;
diff --git a/Test/test2/Output b/Test/test2/Output
new file mode 100644
index 00000000..7876d732
--- /dev/null
+++ b/Test/test2/Output
@@ -0,0 +1,359 @@
+
+-------------------- FormulaTerm.bpl --------------------
+FormulaTerm.bpl(10,3): Error BP5003: A postcondition might not hold at this return statement.
+FormulaTerm.bpl(4,3): Related location: This is the postcondition that might not hold.
+Execution trace:
+ FormulaTerm.bpl(8,1): start
+
+Boogie program verifier finished with 11 verified, 1 error
+
+-------------------- FormulaTerm2.bpl --------------------
+FormulaTerm2.bpl(39,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ FormulaTerm2.bpl(36,3): start
+FormulaTerm2.bpl(47,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ FormulaTerm2.bpl(45,3): start
+
+Boogie program verifier finished with 2 verified, 2 errors
+
+-------------------- Passification.bpl --------------------
+Passification.bpl(44,3): Error BP5003: A postcondition might not hold at this return statement.
+Passification.bpl(36,3): Related location: This is the postcondition that might not hold.
+Execution trace:
+ Passification.bpl(39,1): A
+Passification.bpl(116,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Passification.bpl(106,1): L0
+ Passification.bpl(111,1): L1
+ Passification.bpl(115,1): L2
+Passification.bpl(151,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Passification.bpl(144,1): L0
+ Passification.bpl(150,1): L2
+Passification.bpl(165,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Passification.bpl(158,1): L0
+ Passification.bpl(161,1): L1
+ Passification.bpl(164,1): L2
+
+Boogie program verifier finished with 7 verified, 4 errors
+
+-------------------- B.bpl --------------------
+
+Boogie program verifier finished with 4 verified, 0 errors
+
+-------------------- Ensures.bpl --------------------
+Ensures.bpl(30,5): Error BP5003: A postcondition might not hold at this return statement.
+Ensures.bpl(19,3): Related location: This is the postcondition that might not hold.
+Execution trace:
+ Ensures.bpl(28,3): start
+Ensures.bpl(35,5): Error BP5003: A postcondition might not hold at this return statement.
+Ensures.bpl(19,3): Related location: This is the postcondition that might not hold.
+Execution trace:
+ Ensures.bpl(34,3): start
+Ensures.bpl(41,5): Error BP5003: A postcondition might not hold at this return statement.
+Ensures.bpl(19,3): Related location: This is the postcondition that might not hold.
+Execution trace:
+ Ensures.bpl(39,3): start
+Ensures.bpl(47,5): Error BP5003: A postcondition might not hold at this return statement.
+Ensures.bpl(19,3): Related location: This is the postcondition that might not hold.
+Execution trace:
+ Ensures.bpl(45,3): start
+Ensures.bpl(72,5): Error BP5003: A postcondition might not hold at this return statement.
+Ensures.bpl(19,3): Related location: This is the postcondition that might not hold.
+Execution trace:
+ Ensures.bpl(70,3): start
+
+Boogie program verifier finished with 5 verified, 5 errors
+
+-------------------- Old.bpl --------------------
+Old.bpl(29,5): Error BP5003: A postcondition might not hold at this return statement.
+Old.bpl(26,3): Related location: This is the postcondition that might not hold.
+Execution trace:
+ Old.bpl(28,3): start
+
+Boogie program verifier finished with 7 verified, 1 error
+
+-------------------- OldIllegal.bpl --------------------
+OldIllegal.bpl(7,11): Error: old expressions allowed only in two-state contexts
+OldIllegal.bpl(14,23): Error: old expressions allowed only in two-state contexts
+2 name resolution errors detected in OldIllegal.bpl
+
+-------------------- Arrays.bpl --------------------
+Arrays.bpl(46,5): Error BP5003: A postcondition might not hold at this return statement.
+Arrays.bpl(38,3): Related location: This is the postcondition that might not hold.
+Execution trace:
+ Arrays.bpl(42,3): start
+Arrays.bpl(127,5): Error BP5003: A postcondition might not hold at this return statement.
+Arrays.bpl(119,3): Related location: This is the postcondition that might not hold.
+Execution trace:
+ Arrays.bpl(123,3): start
+
+Boogie program verifier finished with 8 verified, 2 errors
+
+-------------------- Axioms.bpl --------------------
+Axioms.bpl(19,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ Axioms.bpl(18,3): start
+
+Boogie program verifier finished with 2 verified, 1 error
+
+-------------------- Quantifiers.bpl --------------------
+Quantifiers.bpl(20,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ Quantifiers.bpl(19,3): start
+Quantifiers.bpl(43,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ Quantifiers.bpl(42,3): start
+Quantifiers.bpl(65,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ Quantifiers.bpl(64,3): start
+Quantifiers.bpl(73,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ Quantifiers.bpl(71,3): start
+Quantifiers.bpl(125,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ Quantifiers.bpl(124,3): start
+Quantifiers.bpl(150,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ Quantifiers.bpl(149,3): start
+
+Boogie program verifier finished with 8 verified, 6 errors
+
+-------------------- Call.bpl --------------------
+Call.bpl(13,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ Call.bpl(9,3): entry
+Call.bpl(46,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ Call.bpl(45,3): start
+Call.bpl(55,5): Error BP5003: A postcondition might not hold at this return statement.
+Call.bpl(20,3): Related location: This is the postcondition that might not hold.
+Execution trace:
+ Call.bpl(53,3): start
+
+Boogie program verifier finished with 2 verified, 3 errors
+
+-------------------- AssumeEnsures.bpl --------------------
+AssumeEnsures.bpl(28,9): Error BP5001: This assertion might not hold.
+Execution trace:
+ AssumeEnsures.bpl(26,5): entry
+AssumeEnsures.bpl(47,9): Error BP5001: This assertion might not hold.
+Execution trace:
+ AssumeEnsures.bpl(46,5): entry
+AssumeEnsures.bpl(62,9): Error BP5001: This assertion might not hold.
+Execution trace:
+ AssumeEnsures.bpl(60,5): entry
+
+Boogie program verifier finished with 4 verified, 3 errors
+
+-------------------- CutBackEdge.bpl --------------------
+CutBackEdge.bpl(10,5): Error BP5005: This loop invariant might not be maintained by the loop.
+Execution trace:
+ CutBackEdge.bpl(5,3): entry
+ CutBackEdge.bpl(9,3): block850
+
+Boogie program verifier finished with 0 verified, 1 error
+
+-------------------- False.bpl --------------------
+
+Boogie program verifier finished with 2 verified, 0 errors
+
+-------------------- LoopInvAssume.bpl --------------------
+LoopInvAssume.bpl(18,7): Error BP5001: This assertion might not hold.
+Execution trace:
+ LoopInvAssume.bpl(8,4): entry
+ LoopInvAssume.bpl(16,4): exit
+
+Boogie program verifier finished with 0 verified, 1 error
+
+-------------------- strings-no-where.bpl --------------------
+strings-no-where.bpl(201,103): Error: invalid argument types (any and name) to binary operator ==
+strings-no-where.bpl(203,105): Error: invalid argument types (any and name) to binary operator ==
+strings-no-where.bpl(209,106): Error: invalid type for argument 1 in application of IsAllocated: struct (expected: any)
+strings-no-where.bpl(211,72): Error: invalid type for argument 1 in application of IsAllocated: ref (expected: any)
+strings-no-where.bpl(211,108): Error: invalid type for argument 1 in application of IsAllocated: elements (expected: any)
+strings-no-where.bpl(211,130): Error: invalid type for argument 1 in application of IsAllocated: ref (expected: any)
+strings-no-where.bpl(213,78): Error: invalid type for argument 1 in application of IsAllocated: ref (expected: any)
+strings-no-where.bpl(235,98): Error: invalid argument types (any and name) to binary operator ==
+strings-no-where.bpl(249,118): Error: invalid argument types (any and name) to binary operator ==
+strings-no-where.bpl(699,34): Error: invalid type for argument 1 in application of IsAllocated: int (expected: any)
+strings-no-where.bpl(728,9): Error: mismatched types in assignment command (cannot assign bool to any)
+strings-no-where.bpl(737,9): Error: mismatched types in assignment command (cannot assign bool to any)
+strings-no-where.bpl(751,9): Error: mismatched types in assignment command (cannot assign bool to any)
+strings-no-where.bpl(760,9): Error: mismatched types in assignment command (cannot assign bool to any)
+strings-no-where.bpl(926,36): Error: invalid argument types (any and name) to binary operator ==
+strings-no-where.bpl(949,36): Error: invalid argument types (any and name) to binary operator ==
+strings-no-where.bpl(975,9): Error: mismatched types in assignment command (cannot assign name to any)
+strings-no-where.bpl(990,36): Error: invalid argument types (any and name) to binary operator ==
+18 type checking errors detected in strings-no-where.bpl
+
+-------------------- strings-where.bpl --------------------
+strings-where.bpl(201,103): Error: invalid argument types (any and name) to binary operator ==
+strings-where.bpl(203,105): Error: invalid argument types (any and name) to binary operator ==
+strings-where.bpl(209,106): Error: invalid type for argument 1 in application of IsAllocated: struct (expected: any)
+strings-where.bpl(211,72): Error: invalid type for argument 1 in application of IsAllocated: ref (expected: any)
+strings-where.bpl(211,108): Error: invalid type for argument 1 in application of IsAllocated: elements (expected: any)
+strings-where.bpl(211,130): Error: invalid type for argument 1 in application of IsAllocated: ref (expected: any)
+strings-where.bpl(213,78): Error: invalid type for argument 1 in application of IsAllocated: ref (expected: any)
+strings-where.bpl(235,98): Error: invalid argument types (any and name) to binary operator ==
+strings-where.bpl(249,118): Error: invalid argument types (any and name) to binary operator ==
+strings-where.bpl(699,34): Error: invalid type for argument 1 in application of IsAllocated: int (expected: any)
+strings-where.bpl(728,9): Error: mismatched types in assignment command (cannot assign bool to any)
+strings-where.bpl(737,9): Error: mismatched types in assignment command (cannot assign bool to any)
+strings-where.bpl(751,9): Error: mismatched types in assignment command (cannot assign bool to any)
+strings-where.bpl(760,9): Error: mismatched types in assignment command (cannot assign bool to any)
+strings-where.bpl(926,36): Error: invalid argument types (any and name) to binary operator ==
+strings-where.bpl(949,36): Error: invalid argument types (any and name) to binary operator ==
+strings-where.bpl(975,9): Error: mismatched types in assignment command (cannot assign name to any)
+strings-where.bpl(990,36): Error: invalid argument types (any and name) to binary operator ==
+18 type checking errors detected in strings-where.bpl
+
+-------------------- Structured.bpl --------------------
+Structured.bpl(252,14): Error BP5003: A postcondition might not hold at this return statement.
+Structured.bpl(243,3): Related location: This is the postcondition that might not hold.
+Execution trace:
+ Structured.bpl(245,3): anon0
+ Structured.bpl(245,3): anon6_LoopHead
+ Structured.bpl(246,5): anon6_LoopBody
+ Structured.bpl(247,7): anon7_LoopBody
+ Structured.bpl(252,5): anon4
+ Structured.bpl(252,14): anon9_Then
+Structured.bpl(303,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Structured.bpl(299,5): anon0
+ Structured.bpl(300,3): anon3_Else
+ Structured.bpl(303,3): anon2
+Structured.bpl(311,7): Error BP5001: This assertion might not hold.
+Execution trace:
+ Structured.bpl(308,3): anon0
+ Structured.bpl(308,3): anon1_Then
+ Structured.bpl(309,5): A
+
+Boogie program verifier finished with 15 verified, 3 errors
+
+-------------------- Where.bpl --------------------
+Where.bpl(8,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Where.bpl(6,3): anon0
+Where.bpl(22,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Where.bpl(16,5): anon0
+Where.bpl(32,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Where.bpl(30,3): anon0
+Where.bpl(44,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Where.bpl(40,5): anon0
+Where.bpl(57,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Where.bpl(52,3): anon0
+Where.bpl(111,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Where.bpl(102,5): anon0
+ Where.bpl(104,3): anon3_LoopHead
+ Where.bpl(110,3): anon2
+Where.bpl(128,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Where.bpl(121,5): anon0
+ Where.bpl(122,3): anon3_LoopHead
+ Where.bpl(125,3): anon2
+Where.bpl(145,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Where.bpl(138,5): anon0
+ Where.bpl(139,3): anon3_LoopHead
+ Where.bpl(142,3): anon2
+Where.bpl(162,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Where.bpl(155,5): anon0
+ Where.bpl(156,3): anon3_LoopHead
+ Where.bpl(159,3): anon2
+
+Boogie program verifier finished with 2 verified, 9 errors
+
+-------------------- UpdateExpr.bpl --------------------
+UpdateExpr.bpl(14,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ UpdateExpr.bpl(14,3): anon0
+UpdateExpr.bpl(19,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ UpdateExpr.bpl(19,3): anon0
+UpdateExpr.bpl(32,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ UpdateExpr.bpl(32,3): anon0
+UpdateExpr.bpl(38,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ UpdateExpr.bpl(38,3): anon0
+UpdateExpr.bpl(52,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ UpdateExpr.bpl(51,5): anon0
+
+Boogie program verifier finished with 5 verified, 5 errors
+
+-------------------- NeverPattern.bpl --------------------
+NeverPattern.bpl(16,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ NeverPattern.bpl(15,3): anon0
+NeverPattern.bpl(22,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ NeverPattern.bpl(21,3): anon0
+NeverPattern.bpl(28,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ NeverPattern.bpl(27,3): anon0
+
+Boogie program verifier finished with 1 verified, 3 errors
+
+-------------------- NullaryMaps.bpl --------------------
+NullaryMaps.bpl(28,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ NullaryMaps.bpl(28,3): anon0
+NullaryMaps.bpl(30,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ NullaryMaps.bpl(28,3): anon0
+NullaryMaps.bpl(36,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ NullaryMaps.bpl(36,3): anon0
+
+Boogie program verifier finished with 2 verified, 3 errors
+
+-------------------- Implies.bpl --------------------
+Implies.bpl(12,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Implies.bpl(11,3): anon0
+Implies.bpl(15,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Implies.bpl(11,3): anon0
+
+Boogie program verifier finished with 0 verified, 2 errors
+-------------------- sk_hack.bpl --------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+
+-------------------- CallForall.bpl --------------------
+CallForall.bpl(17,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ CallForall.bpl(17,3): anon0
+CallForall.bpl(29,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ CallForall.bpl(28,3): anon0
+CallForall.bpl(41,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ CallForall.bpl(40,3): anon0
+CallForall.bpl(47,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ CallForall.bpl(46,3): anon0
+CallForall.bpl(75,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ CallForall.bpl(75,3): anon0
+CallForall.bpl(111,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ CallForall.bpl(109,3): anon0
+CallForall.bpl(118,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ CallForall.bpl(117,3): anon0
+CallForall.bpl(125,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ CallForall.bpl(124,3): anon0
+
+Boogie program verifier finished with 10 verified, 8 errors
diff --git a/Test/test2/Passification.bpl b/Test/test2/Passification.bpl
new file mode 100644
index 00000000..e13d3e49
--- /dev/null
+++ b/Test/test2/Passification.bpl
@@ -0,0 +1,169 @@
+// VC generation tests: passification
+
+procedure good0(x: int) returns (y: int, z: int)
+ ensures z == 4 || z == 4+x;
+{
+var t: int;
+A:
+ t := y;
+ z := 3;
+ goto B, C;
+B:
+ z := z + x;
+ goto D;
+C:
+ goto D;
+D:
+ z := z + 1;
+ y := t;
+ return;
+}
+
+procedure good1(x: int) returns (y: int, z: int)
+ ensures z == x + 4;
+{
+var t: int;
+A:
+ t := y;
+ z := 3;
+ z := z + x;
+ z := z + 1;
+ y := t;
+ return;
+}
+
+procedure bad0(x: int) returns (y: int, z: int)
+ ensures y == 4; // ERROR: postcondition violation
+{
+var t: int;
+A:
+ t := z;
+ z := 3;
+ z := z + 1;
+ y := t;
+ return;
+}
+
+procedure Loop()
+{
+start:
+ goto start;
+}
+
+procedure UnreachableBlock()
+{
+start:
+ return;
+notReached:
+ goto start;
+reallyNeverReached:
+ goto reallyNeverReached;
+}
+
+procedure Loop0() returns (z: int)
+ ensures 10 <= z;
+{
+var x: int;
+A:
+ goto B, C;
+B:
+ assume x < 10;
+ x := x + 1;
+ goto A;
+C:
+ assume !(x < 10);
+ z := x;
+ return;
+}
+
+const unique A0: name;
+const unique A1: name;
+const unique A2: name;
+
+procedure Array0() returns (z: int)
+ ensures z >= 5;
+{
+var a: [name,name]int;
+L0:
+ a[A0,A2] := 5;
+ a[A0,A1] := 20;
+ assert a[A0,A1] == 20;
+ goto L1,L2;
+L1:
+ a[A0,A2] := 18;
+ assert a[A0,A2] == 18;
+ goto L2;
+L2:
+ assert a[A0,A1] == 20;
+ z := a[A0,A2];
+ return;
+}
+
+procedure Array1(o0: ref, o1: ref) returns (z: int)
+ ensures z >= 5;
+{
+var a: [ref,name]int;
+L0:
+ a[o1,A0] := 5;
+ a[o0,A0] := 20;
+ assert a[o0,A0] == 20;
+ goto L1,L2;
+L1:
+ a[o1,A0] := 18;
+ assert a[o1,A0] == 18;
+ goto L2;
+L2:
+ assert a[o0,A0] == 20; // ERROR: assertion failure
+ z := a[o1,A0];
+ return;
+}
+
+procedure Array2(o0: ref, o1: ref) returns (z: int)
+ ensures z >= 5;
+{
+var a: [ref,name]int;
+L0:
+ assume o1 != o0;
+ a[o1,A0] := 5;
+ a[o0,A0] := 20;
+ assert a[o0,A0] == 20;
+ goto L1,L2;
+L1:
+ a[o1,A0] := 18;
+ assert a[o1,A0] == 18;
+ goto L2;
+L2:
+ assert a[o0,A0] == 20;
+ z := a[o1,A0];
+ return;
+}
+
+procedure P()
+{
+var t: int;
+L0:
+ t := 0;
+ goto L1, L2;
+L1:
+ t := 1;
+ goto L2;
+L2:
+ assert t == 1; // ERROR: assert failure
+ return;
+}
+
+procedure Q()
+{
+var t: int;
+L0:
+ t := 0;
+ goto L1, L2;
+L1:
+ t := 1;
+ goto L2;
+L2:
+ assert t == 0; // ERROR: assert failure
+ return;
+}
+
+type name, ref;
diff --git a/Test/test2/Quantifiers.bpl b/Test/test2/Quantifiers.bpl
new file mode 100644
index 00000000..d368fe1f
--- /dev/null
+++ b/Test/test2/Quantifiers.bpl
@@ -0,0 +1,154 @@
+// ----------------------------------------------------------------------- single trigger
+
+function f(int, int) returns (int);
+
+axiom (forall x: int, y: int :: f(x,y) < x+y);
+axiom (forall x: int :: { f(x,10) } f(x,10) == 3);
+
+procedure P(a: int, b: int)
+ requires a <= 25 && b <= 30;
+{
+ start:
+ assert f(a,b) <= 100;
+ return;
+}
+
+procedure Q(a: int, b: int)
+ requires a + 2 <= b;
+{
+ start:
+ assert f(a,b) == 3; // not provable with the trigger given above
+ return;
+}
+
+procedure R(a: int, b: int)
+ requires a + 2 <= b;
+{
+ start:
+ assume b <= 10 && 8 <= a;
+ assert f(a,b) == 3; // now, the trigger should fire
+ return;
+}
+
+// ----------------------------------------------------------------------- multi trigger
+
+function g(int, int) returns (int);
+
+axiom (forall x: int, y: int :: { g(x,10),g(x,y) } g(x,y) == 3); // multi-trigger
+
+procedure S(a: int, b: int)
+ requires a + 2 <= b;
+{
+ start:
+ assert g(a,b) == 3; // not provable with the trigger given above
+ return;
+}
+
+procedure T(a: int, b: int)
+ requires a + 2 <= b;
+{
+ start:
+ assume b <= 10 && 8 <= a;
+ assert g(a,b) == 3; // this should trigger
+ return;
+}
+
+// ----------------------------------------------------------------------- several triggers
+
+function h(int, int) returns (int);
+
+axiom (forall y: int :: { g(y,y) } { h(y,h(y,10)) } h(y, h(y,y)) == y); // several triggers
+
+procedure U0(a: int)
+{
+ start:
+ assert h(a,h(a,a)) == a; // not provable with the triggers given above
+ return;
+}
+
+procedure U1(a: int, b: int)
+{
+ start:
+ assume g(a,b) == 5;
+ assert h(a,h(a,a)) == a; // not provable with the triggers given above
+ return;
+}
+
+procedure V0(a: int, b: int)
+ requires a == b;
+{
+ start:
+ assume g(a,b) == 5;
+ assert h(a,h(a,a)) == a; // this should trigger
+ return;
+}
+
+procedure V1(a: int, b: int)
+{
+ start:
+ assume a == 10;
+ assert h(a,h(a,a)) == a; // this should trigger
+ return;
+}
+
+procedure V2(a: int, b: int)
+{
+ start:
+ assume 0 <= h(a,h(a,10));
+ assume a == 17;
+ assert h(a,h(a,a)) == a; // this should trigger
+ return;
+}
+
+// ----------------------------------------------------------------------- negated triggers
+
+function ka(ref) returns (int);
+function kb(ref) returns (int);
+function kbSynonym(ref) returns (int);
+function isA(ref, name) returns (bool);
+function isB(ref, name) returns (bool);
+const $T: name;
+
+axiom (forall o: ref ::
+ isA(o, $T) ==> ka(o) < ka(o)); // automatically inferred triggers can be both isA(o,$T) and ka(o)
+
+axiom (forall o: ref ::
+ {:nopats isB(o, $T) }
+ isB(o, $T) ==> kb(o) < kbSynonym(o)); // prevent isB(o,$T) from being used as a trigger
+
+axiom (forall o: ref :: kb(o) == kbSynonym(o));
+
+procedure W(o: ref, e: int)
+ requires isB(o, $T);
+{
+ start:
+ assert e > 20; // the isB axiom should not trigger, so this cannot be proved
+ return;
+}
+
+procedure X0(o: ref, e: int)
+ requires isA(o, $T);
+{
+ start:
+ assert e > 20; // this should trigger the isA axiom, so anything is provable
+ return;
+}
+
+procedure X1(o: ref, e: int, u: int)
+ requires isB(o, $T);
+{
+ start:
+ assume f(kb(o), kb(o)) == u;
+ assert e > 20; // this should now trigger the isB axiom, so anything is provable
+ return;
+}
+
+procedure X2(o: ref, e: int, u: int)
+ requires isB(o, $T);
+{
+ start:
+ assert e > 20; // error is report here, providing evidence that the isB axiom has not been triggered
+ return;
+}
+
+type name, ref;
diff --git a/Test/test2/Structured.bpl b/Test/test2/Structured.bpl
new file mode 100644
index 00000000..ce97b145
--- /dev/null
+++ b/Test/test2/Structured.bpl
@@ -0,0 +1,327 @@
+
+const K: int;
+
+function f(int) returns (int);
+
+axiom (exists k: int :: f(k) == K);
+
+procedure Find(a: int, b: int) returns (k: int);
+ requires a <= b && (forall j: int :: a < j && j < b ==> f(j) != K);
+ ensures f(k) == K;
+
+// nondeterministic, unstructured, recursive version
+implementation Find(a: int, b: int) returns (k: int)
+{
+ entry:
+ goto A, B, C;
+
+ A:
+ assume f(a) == K;
+ k := a;
+ return;
+
+ B:
+ assume f(b) == K;
+ k := b;
+ return;
+
+ C:
+ assume f(a) != K && f(b) != K;
+ call k := Find(a-1, b+1);
+ return;
+}
+
+// nondeterministic, recursive version
+implementation Find(a: int, b: int) returns (k: int)
+{
+ if (*) {
+ assume f(a) == K;
+ k := a;
+ } else if (*) {
+ assume f(b) == K;
+ k := b;
+ } else {
+ assume f(a) != K && f(b) != K;
+ call k := Find(a-1, b+1);
+ }
+}
+
+// deterministic, structured, recursive version
+implementation Find(a: int, b: int) returns (k: int)
+{
+ if (f(a) == K) {
+ k := a;
+ } else if (f(b) == K) {
+ k := b;
+ } else {
+ call k := Find(a-1, b+1);
+ }
+}
+
+// deterministic, structured, iterative version
+implementation Find(a: int, b: int) returns (k: int)
+{
+ var x: int, y: int;
+
+ x := a;
+ y := b;
+
+ while (f(x) != K && f(y) != K)
+ invariant x <= y && (forall j: int :: x < j && j < y ==> f(j) != K);
+ {
+ x := x-1;
+ y := y+1;
+ }
+
+ if (f(x) == K) {
+ k := x;
+ } else {
+ k := y;
+ }
+}
+
+// deterministic, structured, iterative version with breaks
+implementation Find(a: int, b: int) returns (k: int)
+{
+ var x: int, y: int;
+
+ x := a;
+ y := b;
+
+ while (true)
+ invariant x <= y && (forall j: int :: x < j && j < y ==> f(j) != K);
+ {
+ if (f(x) == K) {
+ k := x;
+ break;
+ } else if (f(y) == K) {
+ k := y;
+ break;
+ }
+ x := x-1;
+ y := y+1;
+ }
+}
+
+// deterministic, somewhat structured, iterative version
+implementation Find(a: int, b: int) returns (k: int)
+{
+ var x: int, y: int;
+
+ x := a;
+ y := b;
+
+ while (true)
+ invariant x <= y && (forall j: int :: x < j && j < y ==> f(j) != K);
+ {
+ if (f(x) == K) {
+ goto FoundX;
+ } else if (f(y) == K) {
+ goto FoundY;
+ }
+ x := x-1;
+ y := y+1;
+ }
+
+ FoundX:
+ k := x;
+ return;
+
+ FoundY:
+ k := y;
+ return;
+}
+
+// deterministic, structured, iterative version with breaks
+implementation Find(a: int, b: int) returns (k: int)
+{
+ var x: int, y: int;
+
+ x := a;
+ y := b;
+
+ outer:
+ if (true) {
+ inner:
+ while (true)
+ invariant x <= y && (forall j: int :: x < j && j < y ==> f(j) != K);
+ {
+ if (f(x) == K) {
+ break inner;
+ } else if (f(y) == K) {
+ break outer;
+ }
+ x := x-1;
+ y := y+1;
+ }
+
+ k := x;
+ return;
+ }
+ k := y;
+}
+
+// ----- free invariant -----
+
+function Teal(int) returns (bool);
+function ShadeOfGreen(int) returns (bool);
+axiom (forall w: int :: Teal(w) ==> ShadeOfGreen(w));
+
+procedure P(x: int) returns (y: int)
+ requires Teal(x);
+ ensures ShadeOfGreen(y);
+{
+ y := x;
+ while (y < 100)
+ free invariant Teal(y);
+ {
+ y := y + 5;
+ }
+}
+
+// ----- run off the end of the BigBlock -----
+
+procedure RunOffEnd0() returns (x: int)
+ ensures x == 3;
+{
+ x := 0;
+ Label0:
+ x := x + 1;
+ Label1:
+ x := x + 1;
+ Label2:
+ Label3:
+ Label4:
+ x := x + 1;
+}
+
+procedure RunOffEnd1() returns (x: int)
+ ensures x == 4;
+{
+ x := 0;
+ Label0:
+ x := x + 1;
+ Label1:
+ if (*) {
+ Label2:
+ x := x + 2;
+ } else if (*) {
+ Label3:
+ x := 2;
+ x := x + 2;
+ Label4:
+ Label5:
+ x := x - 1;
+ } else {
+ if (*) {
+ x := 0;
+ while (x < 3)
+ invariant x <= 3;
+ { x := x + 1; }
+ } else {
+ x := x + 2;
+ }
+ }
+ x := x + 1;
+}
+
+procedure RunOffEnd2() returns (x: int)
+ ensures x == 10;
+{
+ while (true) {
+ while (true) {
+ if (*) {
+ x := 10;
+ break;
+ }
+ }
+ if (*) { break; }
+ }
+}
+
+procedure RunOffEnd3() returns (x: int)
+ ensures x == 9;
+{
+ while (true) {
+ while (true) {
+ if (*) {
+ x := 10;
+ break;
+ }
+ }
+ if (*) { break; }
+ } // error: violated postcondition
+}
+
+procedure RunOffEnd4() returns (x: int)
+{
+ var y: int;
+ var bad: bool;
+
+ while (true) {
+ y := x;
+ bad := false;
+ if (*) {
+ x := x + 1;
+ bad := true;
+ }
+ if (x == y) { break; }
+ }
+ assert !bad;
+}
+
+procedure RunOffEnd5() returns (x: int)
+{
+ while (true) {
+ if (x == 5) { }
+ }
+ assert false;
+}
+
+procedure RunOffEnd6() returns (x: int)
+{
+ x := 7;
+ while (true)
+ invariant x == 7;
+ {
+ x := 5;
+ MyLabel:
+ x := 7;
+ }
+}
+
+// ----- jump optimizations -----
+
+procedure Q0()
+{
+ var x: int;
+
+ x := 0;
+ if (*) {
+ x := 1;
+ }
+ assert x == 1; // error
+}
+
+procedure Q1() returns (x: int)
+{
+ if (x == 0) {
+ A:
+ x := x + 0;
+ assert x == 0; // error
+ B:
+ x := x + 1;
+ goto A;
+ }
+}
+
+procedure Q2() returns (x: int)
+{
+ if (x == 0) {
+ while (x < 10)
+ invariant x <= 10;
+ {
+ x := x + 1;
+ }
+ }
+}
diff --git a/Test/test2/UpdateExpr.bpl b/Test/test2/UpdateExpr.bpl
new file mode 100644
index 00000000..8f950073
--- /dev/null
+++ b/Test/test2/UpdateExpr.bpl
@@ -0,0 +1,81 @@
+
+const a: [int]bool;
+
+// element 5 of a stores the value true
+axiom a == a[5 := true];
+
+procedure P()
+{
+ assert a[5];
+}
+
+procedure Q()
+{
+ assert a[4]; // error
+}
+
+procedure R()
+{
+ assert !a[5]; // error
+}
+
+procedure S(y: int, t: bool)
+ requires y <= 5;
+{
+ if (a[y := t][5] == false) {
+ assert y == 5;
+ }
+}
+
+procedure T0(aa: [int,ref]bool)
+{
+ assert aa[5,null := true] != aa[2,null := false]; // error
+}
+
+procedure T1(aa: [int,ref]bool)
+ requires aa[5,null] && !aa[2,null];
+{
+ assert aa[5,null := true] == aa[2,null := false]; // error, because we have no extensionality
+}
+
+procedure T2(aa: [int,ref]bool)
+ requires aa[5,null] && !aa[2,null];
+{
+ assert (forall x: int, y: ref :: aa[5,null := true][x,y] == aa[2,null := false][x,y]);
+}
+
+procedure U0(a: [int]int)
+{
+ var b: [int]int;
+
+ b := a[5 := 12];
+ assert a == b; // error
+}
+
+procedure U1() returns (a: [int]int)
+{
+ var b: [int]int;
+
+ b := a[5 := 12];
+ a[5] := 12;
+ assert a == b;
+}
+
+type Field a;
+const unique IntField: Field int;
+const unique RefField: Field ref;
+const unique SomeField: Field int;
+
+procedure FieldProc(H: <a>[ref,Field a]a, this: ref)
+{
+ var i: int, r: ref, y: any;
+ var K: <a>[ref,Field a]a;
+
+ K := H[this, IntField := 5][this, RefField := null][this, SomeField := 100][this, IntField := 7];
+ assert K[this, IntField] == 7;
+ assert K[this, RefField] == null;
+ assert K[this, SomeField] == 100;
+}
+
+type ref, any;
+const null : ref;
diff --git a/Test/test2/Where.bpl b/Test/test2/Where.bpl
new file mode 100644
index 00000000..96ffcf04
--- /dev/null
+++ b/Test/test2/Where.bpl
@@ -0,0 +1,163 @@
+procedure P0()
+{
+ var x: int where 0 <= x;
+ var y: int where x <= y;
+
+ assert 0 <= x;
+ assert x <= y;
+ assert y < 5; // error
+}
+
+procedure P1()
+{
+ var x: int where 0 <= x;
+ var y: int where x <= y;
+
+ x := 5;
+ havoc y;
+ assert 5 <= y;
+
+ havoc x;
+ assert 0 <= x;
+ assert x <= y; // error
+}
+
+procedure P2()
+{
+ var x: int where 0 <= x;
+ var y: int where x <= y;
+
+ havoc y; // y first
+ havoc x;
+ assert x <= y; // error
+}
+
+procedure P3()
+{
+ var x: int where 0 <= x;
+ var y: int where x <= y;
+
+ x := 5;
+ havoc x; // this time, x first
+ havoc y;
+ assert x <= y; // yeah!
+ assert 5 <= y; // error
+}
+
+procedure P4()
+{
+ var x: int where 0 <= x;
+ var y: int where x <= y;
+
+ havoc x, y; // both at the same time
+ assert 0 <= x && x <= y;
+ havoc y, x; // or in the other order
+ assert 0 <= x && x <= y;
+
+ assert x == 7; // error
+}
+
+procedure R0() returns (wProc: int where wProc == xProc,
+ xProc: int where 0 <= xProc,
+ yProc: int where xProc <= yProc);
+implementation R0() returns (w: int, x: int, y: int)
+{
+ while (*) {
+ assert w == x;
+ assert 0 <= x;
+ assert x <= y;
+ }
+ while (*) {
+ assert w == x;
+ assert 0 <= x;
+ assert x <= y;
+ // the following makes w, x, y loop targets
+ w := w + 1;
+ havoc x;
+ y := w;
+ }
+ assert w == x;
+ assert 0 <= x;
+ assert x <= y;
+}
+
+procedure R1()
+{
+ var a: int;
+ var b: int;
+ var c: int;
+
+ call a, b, c := R0();
+ assert a == b;
+ assert 0 <= b;
+ assert b <= c;
+}
+
+procedure R2()
+{
+ var w: int where w == x;
+ var x: int where 0 <= x;
+ var y: int where x <= y;
+
+ x := 5;
+ y := 10;
+ while (*) {
+ w := w + 1;
+ assert w == 6;
+ y := y + 2;
+ assert 7 <= y;
+ }
+ assert x == 5 && 0 <= y - w;
+ assert y == 10; // error
+}
+
+procedure R3()
+{
+ var w: int where w == x;
+ var x: int where 0 <= x;
+ var y: int where x <= y;
+
+ // change w and x
+ y := 10;
+ while (*) {
+ w := w; x := x;
+ }
+ assert w == x;
+ assert 0 <= x;
+ assert y == 10;
+ assert w <= 10; // error
+}
+
+procedure R4()
+{
+ var w: int where w == x;
+ var x: int where 0 <= x;
+ var y: int where x <= y;
+
+ // change x and y
+ w := 12;
+ while (*) {
+ x := x; y := y;
+ }
+ assert 0 <= x;
+ assert x <= y;
+ assert w == 12;
+ assert 8 <= y; // error
+}
+
+procedure R5(K: int)
+{
+ var w: int where w == x;
+ var x: int where 0 <= x;
+ var y: int where x <= y;
+
+ // change w and y
+ x := K;
+ while (*) {
+ w := w; y := y;
+ }
+ assert w == K;
+ assert K <= y;
+ assert x == K;
+ assert 0 <= x; // error
+}
diff --git a/Test/test2/runtest.bat b/Test/test2/runtest.bat
new file mode 100644
index 00000000..5f48a799
--- /dev/null
+++ b/Test/test2/runtest.bat
@@ -0,0 +1,26 @@
+@echo off
+setlocal
+
+set BGEXE=..\..\Binaries\Boogie.exe
+rem set BGEXE=mono ..\..\Binaries\Boogie.exe
+
+for %%f in (FormulaTerm.bpl FormulaTerm2.bpl Passification.bpl B.bpl
+ Ensures.bpl Old.bpl OldIllegal.bpl Arrays.bpl Axioms.bpl
+ Quantifiers.bpl Call.bpl AssumeEnsures.bpl
+ CutBackEdge.bpl False.bpl LoopInvAssume.bpl
+ strings-no-where.bpl strings-where.bpl
+ Structured.bpl Where.bpl UpdateExpr.bpl
+ NeverPattern.bpl NullaryMaps.bpl Implies.bpl) do (
+ echo.
+ echo -------------------- %%f --------------------
+ %BGEXE% %* /noinfer %%f
+)
+
+echo -------------------- sk_hack.bpl --------------------
+%BGEXE% %* /noinfer /bv:z sk_hack.bpl
+
+for %%f in (CallForall.bpl) do (
+ echo.
+ echo -------------------- %%f --------------------
+ %BGEXE% %* %%f
+)
diff --git a/Test/test2/sk_hack.bpl b/Test/test2/sk_hack.bpl
new file mode 100644
index 00000000..df942317
--- /dev/null
+++ b/Test/test2/sk_hack.bpl
@@ -0,0 +1,32 @@
+function in_set(int) returns(bool);
+function next(int) returns(int);
+function f(int) returns(bool);
+function g(int) returns(bool);
+
+// this function is treated specially by Z3 when used in triggers
+// sk_hack(f(x)) means to activate the e-node f(x0) when trying to prove
+// !(forall x : T :: {sk_hack(f(x))} p(x)) by proving !p(x0)
+// (i.e., after skolemization of x to x0).
+function sk_hack(bool) returns(bool);
+
+// PR: sk_hack cannot be defined as a polymorphic function
+// when using /quantifierTypePremisses:a, because then it would
+// get an additional explicit type parameter, and Z3 would
+// no longer recognise it.
+
+procedure foo()
+{
+ assume (forall x:int :: {in_set(next(x))}
+ in_set(x) ==> in_set(next(x)));
+
+ assume (forall x:int :: {in_set(x)}
+ in_set(x) ==> f(x));
+
+ assume (forall x:int :: {f(next(x))}
+ f(next(x)) ==> g(x));
+
+ assert (forall x:int ::
+ { sk_hack(in_set(next(x))) }
+ in_set(x) ==> g(x));
+ }
+
diff --git a/Test/test2/strings-no-where.bpl b/Test/test2/strings-no-where.bpl
new file mode 100644
index 00000000..ff723db2
--- /dev/null
+++ b/Test/test2/strings-no-where.bpl
@@ -0,0 +1,995 @@
+type real;
+
+type elements;
+
+type struct;
+
+var $Heap: [ref,name]any;
+function cast<S,T>(S) returns (T);
+function IsHeap(h: [ref,name]any) returns (bool);
+
+const unique $allocated: name;
+
+const unique $elements: name;
+
+const unique $inv: name;
+
+const unique $writable: name;
+
+const unique $sharingMode: name;
+
+const unique $SharingMode_Unshared: name;
+
+const unique $SharingMode_LockProtected: name;
+
+function ClassRepr(class: name) returns (ref);
+
+axiom (forall c0: name, c1: name :: c0 != c1 ==> ClassRepr(c0) != ClassRepr(c1));
+
+axiom (forall T: name :: !($typeof(ClassRepr(T)) <: System.Object));
+
+axiom (forall T: name :: ClassRepr(T) != null);
+
+axiom (forall T: name, h: [ref,name]any :: { h[ClassRepr(T), $writable] } IsHeap(h) ==> cast(h[ClassRepr(T), $writable]):bool);
+
+function IsDirectlyModifiableField(f: name) returns (bool);
+
+axiom !IsDirectlyModifiableField($allocated);
+
+axiom IsDirectlyModifiableField($elements);
+
+axiom !IsDirectlyModifiableField($inv);
+
+axiom !IsDirectlyModifiableField($writable);
+
+function IsStaticField(f: name) returns (bool);
+
+axiom !IsStaticField($allocated);
+
+axiom !IsStaticField($elements);
+
+axiom !IsStaticField($inv);
+
+axiom !IsStaticField($writable);
+
+function ValueArrayGet(elements, int) returns (any);
+
+function ValueArraySet(elements, int, any) returns (elements);
+
+function RefArrayGet(elements, int) returns (ref);
+
+function RefArraySet(elements, int, ref) returns (elements);
+
+axiom (forall A: elements, i: int, x: any :: ValueArrayGet(ValueArraySet(A, i, x), i) == x);
+
+axiom (forall A: elements, i: int, j: int, x: any :: i != j ==> ValueArrayGet(ValueArraySet(A, i, x), j) == ValueArrayGet(A, j));
+
+axiom (forall A: elements, i: int, x: ref :: RefArrayGet(RefArraySet(A, i, x), i) == x);
+
+axiom (forall A: elements, i: int, j: int, x: ref :: i != j ==> RefArrayGet(RefArraySet(A, i, x), j) == RefArrayGet(A, j));
+
+function ArrayIndex(arr: ref, dim: int, indexAtDim: int, remainingIndexContribution: int) returns (int);
+
+axiom (forall a: ref, d: int, x: int, y: int, x': int, y': int :: ArrayIndex(a, d, x, y) == ArrayIndex(a, d, x', y') ==> x == x' && y == y');
+
+axiom (forall a: ref, T: name, i: int, r: int, heap: [ref,name]any :: $typeof(a) <: RefArray(T, r) ==> $Is(RefArrayGet(cast(heap[a, $elements]):elements, i), T));
+
+function $Rank(ref) returns (int);
+
+axiom (forall a: ref :: 1 <= $Rank(a));
+
+axiom (forall a: ref, T: name, r: int :: { $Is(a, ValueArray(T, r)) } $Is(a, ValueArray(T, r)) ==> $Rank(a) == r);
+
+axiom (forall a: ref, T: name, r: int :: { $Is(a, RefArray(T, r)) } $Is(a, RefArray(T, r)) ==> $Rank(a) == r);
+
+function $Length(ref) returns (int);
+
+axiom (forall a: ref :: { $Length(a) } 0 <= $Length(a));
+
+function $DimLength(ref, int) returns (int);
+
+axiom (forall a: ref, i: int :: 0 <= $DimLength(a, i));
+
+axiom (forall a: ref :: $Rank(a) == 1 ==> $DimLength(a, 0) == $Length(a));
+
+function $LBound(ref, int) returns (int);
+
+function $UBound(ref, int) returns (int);
+
+axiom (forall a: ref, i: int :: { $LBound(a, i) } $LBound(a, i) == 0);
+
+axiom (forall a: ref, i: int :: { $UBound(a, i) } $UBound(a, i) == $DimLength(a, i) - 1);
+
+const unique System.Array: name;
+
+axiom $IsClass(System.Array);
+
+axiom System.Array <: System.Object;
+
+function $ElementType(name) returns (name);
+
+function ValueArray(elementType: name, rank: int) returns (name);
+
+axiom (forall T: name, r: int :: { ValueArray(T, r) } ValueArray(T, r) <: System.Array);
+
+function RefArray(elementType: name, rank: int) returns (name);
+
+axiom (forall T: name, r: int :: { RefArray(T, r) } RefArray(T, r) <: System.Array);
+
+axiom (forall T: name, U: name, r: int :: U <: T ==> RefArray(U, r) <: RefArray(T, r));
+
+axiom (forall A: name, r: int :: $ElementType(ValueArray(A, r)) == A);
+
+axiom (forall A: name, r: int :: $ElementType(RefArray(A, r)) == A);
+
+axiom (forall A: name, r: int, T: name :: { T <: RefArray(A, r) } T <: RefArray(A, r) ==> T == RefArray($ElementType(T), r) && $ElementType(T) <: A);
+
+axiom (forall A: name, r: int, T: name :: { T <: ValueArray(A, r) } T <: ValueArray(A, r) ==> T == ValueArray(A, r));
+
+axiom (forall A: name, r: int, T: name :: RefArray(A, r) <: T ==> System.Array <: T || (T == RefArray($ElementType(T), r) && A <: $ElementType(T)));
+
+axiom (forall A: name, r: int, T: name :: ValueArray(A, r) <: T ==> System.Array <: T || T == ValueArray(A, r));
+
+function $ArrayPtr(elementType: name) returns (name);
+
+function $StructGet(struct, name) returns (any);
+
+function $StructSet(struct, name, any) returns (struct);
+
+axiom (forall s: struct, f: name, x: any :: $StructGet($StructSet(s, f, x), f) == x);
+
+axiom (forall s: struct, f: name, f': name, x: any :: f != f' ==> $StructGet($StructSet(s, f, x), f') == $StructGet(s, f'));
+
+function ZeroInit(s: struct, typ: name) returns (bool);
+
+function $typeof(ref) returns (name);
+
+function Implements(class: name, interface: name) returns (bool);
+
+axiom (forall T: name, J: name :: { Implements(T, J) } Implements(T, J) ==> T <: J);
+
+function InterfaceExtends(subIntf: name, superIntf: name) returns (bool);
+
+axiom (forall J: name, K: name :: { InterfaceExtends(J, K) } InterfaceExtends(J, K) ==> J <: K);
+
+function $IsClass(name) returns (bool);
+
+axiom (forall C: name :: { $IsClass(C) } $IsClass(C) ==> C <: C);
+
+function AsDirectSubClass(sub: name, base: name) returns (sub': name);
+
+function OneClassDown(sub: name, base: name) returns (directSub: name);
+
+axiom (forall A: name, B: name, C: name :: { C <: AsDirectSubClass(B, A) } C <: AsDirectSubClass(B, A) ==> OneClassDown(C, A) == B);
+
+function $IsInterface(name) returns (bool);
+
+axiom (forall J: name :: { $IsInterface(J) } $IsInterface(J) ==> J <: System.Object);
+
+function $IsValueType(name) returns (bool);
+
+axiom (forall T: name :: $IsValueType(T) ==> (forall U: name :: T <: U ==> T == U) && (forall U: name :: U <: T ==> T == U));
+
+const unique System.Object: name;
+
+axiom $IsClass(System.Object);
+
+function $IsTokenForType(struct, name) returns (bool);
+
+function TypeObject(name) returns (ref);
+
+const unique System.Type: name;
+
+axiom System.Type <: System.Object;
+
+axiom (forall T: name :: { TypeObject(T) } $IsNotNull(TypeObject(T), System.Type));
+
+function $Is(ref, name) returns (bool);
+
+axiom (forall o: ref, T: name :: { $Is(o, T) } $Is(o, T) <==> o == null || $typeof(o) <: T);
+
+function $IsNotNull(ref, name) returns (bool);
+
+axiom (forall o: ref, T: name :: { $IsNotNull(o, T) } $IsNotNull(o, T) <==> o != null && $Is(o, T));
+
+function $As(ref, name) returns (ref);
+
+axiom (forall o: ref, T: name :: $Is(o, T) ==> $As(o, T) == o);
+
+axiom (forall o: ref, T: name :: !$Is(o, T) ==> $As(o, T) == null);
+
+axiom (forall heap: [ref,name]any, o: ref, A: name, r: int :: $Is(o, RefArray(A, r)) ==> heap[o, $inv] == $typeof(o));
+
+axiom (forall heap: [ref,name]any, o: ref, A: name, r: int :: $Is(o, ValueArray(A, r)) ==> heap[o, $inv] == $typeof(o));
+
+function IsAllocated(h: [ref,name]any, o: any) returns (bool);
+
+axiom (forall h: [ref,name]any, o: ref, f: name :: { IsAllocated(h, h[o, f]) } IsHeap(h) ==> IsAllocated(h, h[o, f]));
+
+axiom (forall h: [ref,name]any, s: struct, f: name :: { IsAllocated(h, $StructGet(s, f)) } IsAllocated(h, s) ==> IsAllocated(h, $StructGet(s, f)));
+
+axiom (forall h: [ref,name]any, e: elements, i: int :: { IsAllocated(h, RefArrayGet(e, i)) } IsAllocated(h, e) ==> IsAllocated(h, RefArrayGet(e, i)));
+
+axiom (forall h: [ref,name]any, o: ref :: { h[o, $allocated] } IsAllocated(h, o) ==> cast(h[o, $allocated]):bool);
+
+axiom (forall h: [ref,name]any, c: name :: { h[ClassRepr(c), $allocated] } IsHeap(h) ==> cast(h[ClassRepr(c), $allocated]):bool);
+
+function DeclType(field: name) returns (class: name);
+
+function AsNonNullRefField(field: name, T: name) returns (f: name);
+
+function AsRefField(field: name, T: name) returns (f: name);
+
+function AsRangeField(field: name, T: name) returns (f: name);
+
+axiom (forall f: name, T: name :: { AsNonNullRefField(f, T) } AsNonNullRefField(f, T) == f ==> AsRefField(f, T) == f);
+
+axiom (forall h: [ref,name]any, o: ref, f: name, T: name :: { h[o, AsRefField(f, T)] } IsHeap(h) ==> $Is(cast(h[o, AsRefField(f, T)]):ref, T));
+
+axiom (forall h: [ref,name]any, o: ref, f: name, T: name :: { h[o, AsNonNullRefField(f, T)] } IsHeap(h) ==> cast(h[o, AsNonNullRefField(f, T)]):ref != null);
+
+axiom (forall h: [ref,name]any, o: ref, f: name, T: name :: { h[o, AsRangeField(f, T)] } IsHeap(h) ==> InRange(cast(h[o, AsRangeField(f, T)]):int, T));
+
+const unique System.String: name;
+
+axiom (forall h: [ref,name]any, s: ref :: IsHeap(h) && $typeof(s) == System.String ==> h[s, $inv] == $typeof(s) && cast(h[s, $writable]):bool);
+
+function AsOwnedField(f: name) returns (name);
+
+axiom (forall h: [ref,name]any, o: ref, f: name :: { h[o, AsOwnedField(f)] } IsHeap(h) && cast(h[o, $inv]):name <: DeclType(AsOwnedField(f)) ==> cast(h[o, AsOwnedField(f)]):ref == null || $typeof(cast(h[o, AsOwnedField(f)]):ref) == System.String || !cast(h[cast(h[o, AsOwnedField(f)]):ref, $writable]):bool);
+
+axiom (forall h: [ref,name]any, o: ref :: { h[o, $writable] } IsHeap(h) && !cast(h[o, $writable]):bool ==> cast(h[o, $inv]):name == $typeof(o));
+
+function Box(any, ref) returns (ref);
+
+function Unbox(ref) returns (any);
+
+axiom (forall x: any, p: ref :: { Unbox(Box(x, p)) } Unbox(Box(x, p)) == x);
+
+axiom (forall heap: [ref,name]any, x: any, p: ref :: { heap[Box(x, p), $inv] } IsHeap(heap) ==> heap[Box(x, p), $inv] == $typeof(Box(x, p)));
+
+function UnboxedType(ref) returns (name);
+
+function BoxTester(p: ref, typ: name) returns (ref);
+
+axiom (forall p: ref, typ: name :: { BoxTester(p, typ) } UnboxedType(p) == typ <==> BoxTester(p, typ) != null);
+
+const unique System.Int16: name;
+
+axiom $IsValueType(System.Int16);
+
+const unique System.Int32: name;
+
+axiom $IsValueType(System.Int32);
+
+const unique System.Int64: name;
+
+axiom $IsValueType(System.Int64);
+
+const unique System.Byte: name;
+
+axiom $IsValueType(System.Byte);
+
+const unique System.Int16.MinValue: int;
+
+const unique System.Int16.MaxValue: int;
+
+const unique System.Int32.MinValue: int;
+
+const unique System.Int32.MaxValue: int;
+
+const unique System.Int64.MinValue: int;
+
+const unique System.Int64.MaxValue: int;
+
+axiom System.Int64.MinValue < System.Int32.MinValue;
+
+axiom System.Int32.MinValue < System.Int16.MinValue;
+
+axiom System.Int16.MinValue < System.Int16.MaxValue;
+
+axiom System.Int16.MaxValue < System.Int32.MaxValue;
+
+axiom System.Int32.MaxValue < System.Int64.MaxValue;
+
+function InRange(i: int, T: name) returns (bool);
+
+axiom (forall i: int :: InRange(i, System.Int16) <==> System.Int16.MinValue <= i && i <= System.Int16.MaxValue);
+
+axiom (forall i: int :: InRange(i, System.Int32) <==> System.Int32.MinValue <= i && i <= System.Int32.MaxValue);
+
+axiom (forall i: int :: InRange(i, System.Int64) <==> System.Int64.MinValue <= i && i <= System.Int64.MaxValue);
+
+axiom (forall i: int :: { InRange(i, System.Byte) } InRange(i, System.Byte) <==> 0 <= i && i < 256);
+
+function $RealToInt(real) returns (int);
+
+function $IntToReal(int) returns (real);
+
+function $SizeIs(name, int) returns (bool);
+
+function $IfThenElse(bool, any, any) returns (any);
+
+axiom (forall b: bool, x: any, y: any :: { $IfThenElse(b, x, y) } b ==> $IfThenElse(b, x, y) == x);
+
+axiom (forall b: bool, x: any, y: any :: { $IfThenElse(b, x, y) } !b ==> $IfThenElse(b, x, y) == y);
+
+function #neg(int) returns (int);
+
+function #rneg(real) returns (real);
+
+function #rdiv(real, real) returns (real);
+
+function #and(int, int) returns (int);
+
+function #or(int, int) returns (int);
+
+function #xor(int, int) returns (int);
+
+function #shl(int, int) returns (int);
+
+function #shr(int, int) returns (int);
+
+axiom (forall x: int, y: int :: { x % y } { x / y } x % y == x - x / y * y);
+
+axiom (forall x: int, y: int :: { x % y } 0 <= x && 0 < y ==> 0 <= x % y && x % y < y);
+
+axiom (forall x: int, y: int :: { x % y } 0 <= x && y < 0 ==> 0 <= x % y && x % y < 0 - y);
+
+axiom (forall x: int, y: int :: { x % y } x <= 0 && 0 < y ==> 0 - y < x % y && x % y <= 0);
+
+axiom (forall x: int, y: int :: { x % y } x <= 0 && y < 0 ==> y < x % y && x % y <= 0);
+
+axiom (forall x: int, y: int :: { (x + y) % y } 0 <= x && 0 <= y ==> (x + y) % y == x % y);
+
+axiom (forall x: int, y: int :: { (y + x) % y } 0 <= x && 0 <= y ==> (y + x) % y == x % y);
+
+axiom (forall x: int, y: int :: { (x - y) % y } 0 <= x - y && 0 <= y ==> (x - y) % y == x % y);
+
+axiom (forall a: int, b: int, d: int :: { a % d,b % d } 2 <= d && a % d == b % d && a < b ==> a + d <= b);
+
+axiom (forall i: int :: { #shl(i, 0) } #shl(i, 0) == i);
+
+axiom (forall i: int, j: int :: 0 <= j ==> #shl(i, j + 1) == #shl(i, j) * 2);
+
+axiom (forall i: int :: { #shr(i, 0) } #shr(i, 0) == i);
+
+axiom (forall i: int, j: int :: 0 <= j ==> #shr(i, j + 1) == #shr(i, j) / 2);
+
+const unique $UnknownRef: ref;
+
+const unique System.IComparable: name;
+
+const unique Microsoft.Singularity.Applications.ThreadTest: name;
+
+const unique System.Threading.Thread: name;
+
+const unique System.Collections.IEnumerable: name;
+
+const unique System.Threading.ThreadStart: name;
+
+const unique System.ICloneable: name;
+
+const unique System.MulticastDelegate: name;
+
+const unique System.Delegate: name;
+
+const unique $stringLiteral0: ref;
+
+axiom (forall heap: [ref,name]any :: { cast(heap[$stringLiteral0, $allocated]):bool } IsHeap(heap) ==> cast(heap[$stringLiteral0, $allocated]):bool) && $IsNotNull($stringLiteral0, System.String) && $Length($stringLiteral0) == 13;
+
+const unique $stringLiteral1: ref;
+
+axiom (forall heap: [ref,name]any :: { cast(heap[$stringLiteral1, $allocated]):bool } IsHeap(heap) ==> cast(heap[$stringLiteral1, $allocated]):bool) && $IsNotNull($stringLiteral1, System.String) && $Length($stringLiteral1) == 14;
+
+const unique $stringLiteral2: ref;
+
+axiom (forall heap: [ref,name]any :: { cast(heap[$stringLiteral2, $allocated]):bool } IsHeap(heap) ==> cast(heap[$stringLiteral2, $allocated]):bool) && $IsNotNull($stringLiteral2, System.String) && $Length($stringLiteral2) == 11;
+
+const unique $stringLiteral3: ref;
+
+axiom (forall heap: [ref,name]any :: { cast(heap[$stringLiteral3, $allocated]):bool } IsHeap(heap) ==> cast(heap[$stringLiteral3, $allocated]):bool) && $IsNotNull($stringLiteral3, System.String) && $Length($stringLiteral3) == 18;
+
+const unique $stringLiteral4: ref;
+
+axiom (forall heap: [ref,name]any :: { cast(heap[$stringLiteral4, $allocated]):bool } IsHeap(heap) ==> cast(heap[$stringLiteral4, $allocated]):bool) && $IsNotNull($stringLiteral4, System.String) && $Length($stringLiteral4) == 19;
+
+const unique $stringLiteral5: ref;
+
+axiom (forall heap: [ref,name]any :: { cast(heap[$stringLiteral5, $allocated]):bool } IsHeap(heap) ==> cast(heap[$stringLiteral5, $allocated]):bool) && $IsNotNull($stringLiteral5, System.String) && $Length($stringLiteral5) == 14;
+
+const unique $stringLiteral6: ref;
+
+axiom (forall heap: [ref,name]any :: { cast(heap[$stringLiteral6, $allocated]):bool } IsHeap(heap) ==> cast(heap[$stringLiteral6, $allocated]):bool) && $IsNotNull($stringLiteral6, System.String) && $Length($stringLiteral6) == 15;
+
+const unique $stringLiteral7: ref;
+
+axiom (forall heap: [ref,name]any :: { cast(heap[$stringLiteral7, $allocated]):bool } IsHeap(heap) ==> cast(heap[$stringLiteral7, $allocated]):bool) && $IsNotNull($stringLiteral7, System.String) && $Length($stringLiteral7) == 11;
+
+const unique $stringLiteral8: ref;
+
+axiom (forall heap: [ref,name]any :: { cast(heap[$stringLiteral8, $allocated]):bool } IsHeap(heap) ==> cast(heap[$stringLiteral8, $allocated]):bool) && $IsNotNull($stringLiteral8, System.String) && $Length($stringLiteral8) == 19;
+
+const unique $stringLiteral9: ref;
+
+axiom (forall heap: [ref,name]any :: { cast(heap[$stringLiteral9, $allocated]):bool } IsHeap(heap) ==> cast(heap[$stringLiteral9, $allocated]):bool) && $IsNotNull($stringLiteral9, System.String) && $Length($stringLiteral9) == 20;
+
+const unique $stringLiteral10: ref;
+
+axiom (forall heap: [ref,name]any :: { cast(heap[$stringLiteral10, $allocated]):bool } IsHeap(heap) ==> cast(heap[$stringLiteral10, $allocated]):bool) && $IsNotNull($stringLiteral10, System.String) && $Length($stringLiteral10) == 22;
+
+const unique $stringLiteral11: ref;
+
+axiom (forall heap: [ref,name]any :: { cast(heap[$stringLiteral11, $allocated]):bool } IsHeap(heap) ==> cast(heap[$stringLiteral11, $allocated]):bool) && $IsNotNull($stringLiteral11, System.String) && $Length($stringLiteral11) == 21;
+
+const unique $stringLiteral12: ref;
+
+axiom (forall heap: [ref,name]any :: { cast(heap[$stringLiteral12, $allocated]):bool } IsHeap(heap) ==> cast(heap[$stringLiteral12, $allocated]):bool) && $IsNotNull($stringLiteral12, System.String) && $Length($stringLiteral12) == 23;
+
+const unique $stringLiteral13: ref;
+
+axiom (forall heap: [ref,name]any :: { cast(heap[$stringLiteral13, $allocated]):bool } IsHeap(heap) ==> cast(heap[$stringLiteral13, $allocated]):bool) && $IsNotNull($stringLiteral13, System.String) && $Length($stringLiteral13) == 22;
+
+axiom $IsClass(Microsoft.Singularity.Applications.ThreadTest);
+
+axiom Microsoft.Singularity.Applications.ThreadTest <: System.Object && AsDirectSubClass(Microsoft.Singularity.Applications.ThreadTest, System.Object) == Microsoft.Singularity.Applications.ThreadTest;
+
+axiom (forall $K: name :: { Microsoft.Singularity.Applications.ThreadTest <: $K } Microsoft.Singularity.Applications.ThreadTest <: $K <==> Microsoft.Singularity.Applications.ThreadTest == $K || System.Object <: $K);
+
+function Inv_Microsoft.Singularity.Applications.ThreadTest(object: ref, heap: [ref,name]any) returns (result: bool);
+
+axiom (forall this: ref, heap: [ref,name]any :: { Inv_Microsoft.Singularity.Applications.ThreadTest(this, heap) } Inv_Microsoft.Singularity.Applications.ThreadTest(this, heap) <==> true);
+
+axiom (forall $o: ref, heap: [ref,name]any :: { cast(heap[$o, $inv]):name <: Microsoft.Singularity.Applications.ThreadTest } { Inv_Microsoft.Singularity.Applications.ThreadTest($o, heap) } IsHeap(heap) && cast(heap[$o, $inv]):name <: Microsoft.Singularity.Applications.ThreadTest ==> Inv_Microsoft.Singularity.Applications.ThreadTest($o, heap));
+
+procedure Microsoft.Singularity.Applications.ThreadTest.FirstThreadMethod();
+ modifies $Heap;
+ free ensures IsHeap($Heap);
+ free ensures (forall $o: ref, $f: name :: $f != $inv && $o != null && cast(old($Heap)[$o, $allocated]):bool == true && cast(old($Heap)[$o, $writable]):bool == true && (!IsStaticField($f) || !IsDirectlyModifiableField($f)) ==> old($Heap[$o, $f]) == $Heap[$o, $f]);
+ free ensures (forall $o: ref :: old($Heap)[$o, $inv] == $Heap[$o, $inv] || cast(old($Heap)[$o, $allocated]):bool != true);
+ free ensures (forall $o: ref :: cast(old($Heap)[$o, $allocated]):bool ==> cast($Heap[$o, $allocated]):bool);
+ free ensures (forall $o: ref :: old($Heap[$o, $sharingMode]) == $Heap[$o, $sharingMode]);
+
+
+
+implementation Microsoft.Singularity.Applications.ThreadTest.FirstThreadMethod()
+{
+ var stack0o: ref, i: int, stack0i: int, stack0b: bool, local1: int, $Heap$block1513$LoopPreheader: [ref,name]any;
+
+ entry:
+ assume IsHeap($Heap);
+ goto block1479;
+
+ block1479:
+ goto block1496;
+
+ block1496:
+ // ----- load constant First thread! ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(21,13)
+ stack0o := $stringLiteral0;
+ // ----- call ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(21,13)
+ call System.Console.WriteLine$System.String(stack0o);
+ // ----- load constant First thread! ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(22,13)
+ stack0o := $stringLiteral1;
+ // ----- call ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(22,13)
+ call Microsoft.Singularity.DebugStub.Print$System.String(stack0o);
+ // ----- load constant 0 ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(24,18)
+ i := 0;
+ goto block1513$LoopPreheader;
+
+ block1513:
+ // ----- default loop invariant: $inv field ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(24,29)
+ assert (forall $o: ref :: $Heap$block1513$LoopPreheader[$o, $inv] == $Heap[$o, $inv] || cast($Heap$block1513$LoopPreheader[$o, $allocated]):bool != true);
+ assert (forall $o: ref :: cast($Heap$block1513$LoopPreheader[$o, $allocated]):bool ==> cast($Heap[$o, $allocated]):bool);
+ // ----- load constant 10 ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(24,29)
+ stack0i := 10;
+ // ----- binary operator ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(24,29)
+ stack0b := i >= stack0i;
+ // ----- branch ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(24,29)
+ goto true1513to1547, false1513to1530;
+
+ true1513to1547:
+ assume stack0b == true;
+ goto block1547;
+
+ false1513to1530:
+ assume stack0b == false;
+ goto block1530;
+
+ block1547:
+ // ----- load constant First thread done! ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(29,13)
+ stack0o := $stringLiteral3;
+ // ----- call ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(29,13)
+ call System.Console.WriteLine$System.String(stack0o);
+ // ----- load constant First thread done! ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(30,13)
+ stack0o := $stringLiteral4;
+ // ----- call ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(30,13)
+ call Microsoft.Singularity.DebugStub.Print$System.String(stack0o);
+ // ----- return ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(31,10)
+ return;
+
+ block1530:
+ // ----- load constant [0] ... ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(25,17)
+ stack0o := $stringLiteral2;
+ // ----- call ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(25,17)
+ // Commented out, to avoid problems with the theorem prover nondeterministically choosing this error over the one 12 lines above: call System.Console.WriteLine$System.String(stack0o);
+ // ----- call ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(26,17)
+ call System.Threading.Thread.Yield();
+ // ----- copy ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(24,37)
+ local1 := i;
+ // ----- load constant 1
+ stack0i := 1;
+ // ----- binary operator
+ stack0i := local1 + stack0i;
+ // ----- copy
+ i := stack0i;
+ // ----- copy
+ stack0i := local1;
+ // ----- branch
+ goto block1513;
+
+ block1513$LoopPreheader:
+ $Heap$block1513$LoopPreheader := $Heap;
+ goto block1513;
+
+}
+
+
+
+axiom $IsClass(System.String);
+
+axiom System.String <: System.Object && AsDirectSubClass(System.String, System.Object) == System.String;
+
+axiom $IsInterface(System.IComparable);
+
+axiom (forall $K: name :: { System.IComparable <: $K } System.IComparable <: $K <==> System.IComparable == $K || System.Object == $K);
+
+axiom Implements(System.String, System.IComparable);
+
+axiom $IsInterface(System.ICloneable);
+
+axiom (forall $K: name :: { System.ICloneable <: $K } System.ICloneable <: $K <==> System.ICloneable == $K || System.Object == $K);
+
+axiom Implements(System.String, System.ICloneable);
+
+axiom $IsInterface(System.Collections.IEnumerable);
+
+axiom (forall $K: name :: { System.Collections.IEnumerable <: $K } System.Collections.IEnumerable <: $K <==> System.Collections.IEnumerable == $K || System.Object == $K);
+
+axiom Implements(System.String, System.Collections.IEnumerable);
+
+axiom (forall $K: name :: { System.String <: $K } System.String <: $K <==> System.String == $K || System.Object <: $K || System.IComparable <: $K || System.ICloneable <: $K || System.Collections.IEnumerable <: $K);
+
+axiom (forall $U: name :: { $U <: System.String } $U <: System.String ==> $U == System.String);
+
+function Inv_System.String(object: ref, heap: [ref,name]any) returns (result: bool);
+
+axiom (forall this: ref, heap: [ref,name]any :: { Inv_System.String(this, heap) } Inv_System.String(this, heap) <==> true);
+
+axiom (forall $o: ref, heap: [ref,name]any :: { cast(heap[$o, $inv]):name <: System.String } { Inv_System.String($o, heap) } IsHeap(heap) && cast(heap[$o, $inv]):name <: System.String ==> Inv_System.String($o, heap));
+
+procedure System.Console.WriteLine$System.String(value$in: ref);
+ requires value$in == null || (cast($Heap[value$in, $writable]):bool == true && cast($Heap[value$in, $inv]):name == $typeof(value$in));
+ modifies $Heap;
+ free ensures IsHeap($Heap);
+ free ensures (forall $o: ref, $f: name :: $f != $inv && $o != null && cast(old($Heap)[$o, $allocated]):bool == true && cast(old($Heap)[$o, $writable]):bool == true && (!IsStaticField($f) || !IsDirectlyModifiableField($f)) ==> old($Heap[$o, $f]) == $Heap[$o, $f]);
+ free ensures (forall $o: ref :: old($Heap)[$o, $inv] == $Heap[$o, $inv] || cast(old($Heap)[$o, $allocated]):bool != true);
+ free ensures (forall $o: ref :: cast(old($Heap)[$o, $allocated]):bool ==> cast($Heap[$o, $allocated]):bool);
+ free ensures (forall $o: ref :: old($Heap[$o, $sharingMode]) == $Heap[$o, $sharingMode]);
+
+
+
+procedure Microsoft.Singularity.DebugStub.Print$System.String(value$in: ref);
+ requires value$in == null || (cast($Heap[value$in, $writable]):bool == true && cast($Heap[value$in, $inv]):name == $typeof(value$in));
+ modifies $Heap;
+ free ensures IsHeap($Heap);
+ free ensures (forall $o: ref, $f: name :: $f != $inv && $o != null && cast(old($Heap)[$o, $allocated]):bool == true && cast(old($Heap)[$o, $writable]):bool == true && (!IsStaticField($f) || !IsDirectlyModifiableField($f)) ==> old($Heap[$o, $f]) == $Heap[$o, $f]);
+ free ensures (forall $o: ref :: old($Heap)[$o, $inv] == $Heap[$o, $inv] || cast(old($Heap)[$o, $allocated]):bool != true);
+ free ensures (forall $o: ref :: cast(old($Heap)[$o, $allocated]):bool ==> cast($Heap[$o, $allocated]):bool);
+ free ensures (forall $o: ref :: old($Heap[$o, $sharingMode]) == $Heap[$o, $sharingMode]);
+
+
+
+procedure System.Threading.Thread.Yield();
+ modifies $Heap;
+ free ensures IsHeap($Heap);
+ free ensures (forall $o: ref, $f: name :: $f != $inv && $o != null && cast(old($Heap)[$o, $allocated]):bool == true && cast(old($Heap)[$o, $writable]):bool == true && (!IsStaticField($f) || !IsDirectlyModifiableField($f)) ==> old($Heap[$o, $f]) == $Heap[$o, $f]);
+ free ensures (forall $o: ref :: old($Heap)[$o, $inv] == $Heap[$o, $inv] || cast(old($Heap)[$o, $allocated]):bool != true);
+ free ensures (forall $o: ref :: cast(old($Heap)[$o, $allocated]):bool ==> cast($Heap[$o, $allocated]):bool);
+ free ensures (forall $o: ref :: old($Heap[$o, $sharingMode]) == $Heap[$o, $sharingMode]);
+
+
+
+procedure Microsoft.Singularity.Applications.ThreadTest.SecondThreadMethod();
+ modifies $Heap;
+ free ensures IsHeap($Heap);
+ free ensures (forall $o: ref, $f: name :: $f != $inv && $o != null && cast(old($Heap)[$o, $allocated]):bool == true && cast(old($Heap)[$o, $writable]):bool == true && (!IsStaticField($f) || !IsDirectlyModifiableField($f)) ==> old($Heap[$o, $f]) == $Heap[$o, $f]);
+ free ensures (forall $o: ref :: old($Heap)[$o, $inv] == $Heap[$o, $inv] || cast(old($Heap)[$o, $allocated]):bool != true);
+ free ensures (forall $o: ref :: cast(old($Heap)[$o, $allocated]):bool ==> cast($Heap[$o, $allocated]):bool);
+ free ensures (forall $o: ref :: old($Heap[$o, $sharingMode]) == $Heap[$o, $sharingMode]);
+
+
+
+implementation Microsoft.Singularity.Applications.ThreadTest.SecondThreadMethod()
+{
+ var stack0o: ref, i: int, stack0i: int, stack0b: bool, local1: int, $Heap$block2516$LoopPreheader: [ref,name]any;
+
+ entry:
+ assume IsHeap($Heap);
+ goto block2482;
+
+ block2482:
+ goto block2499;
+
+ block2499:
+ // ----- load constant Second thread! ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(35,13)
+ stack0o := $stringLiteral5;
+ // ----- call ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(35,13)
+ call System.Console.WriteLine$System.String(stack0o);
+ // ----- load constant Second thread! ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(36,13)
+ stack0o := $stringLiteral6;
+ // ----- call ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(36,13)
+ call Microsoft.Singularity.DebugStub.Print$System.String(stack0o);
+ // ----- load constant 0 ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(38,18)
+ i := 0;
+ goto block2516$LoopPreheader;
+
+ block2516:
+ // ----- default loop invariant: $inv field ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(38,29)
+ assert (forall $o: ref :: $Heap$block2516$LoopPreheader[$o, $inv] == $Heap[$o, $inv] || cast($Heap$block2516$LoopPreheader[$o, $allocated]):bool != true);
+ assert (forall $o: ref :: cast($Heap$block2516$LoopPreheader[$o, $allocated]):bool ==> cast($Heap[$o, $allocated]):bool);
+ // ----- load constant 10 ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(38,29)
+ stack0i := 10;
+ // ----- binary operator ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(38,29)
+ stack0b := i >= stack0i;
+ // ----- branch ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(38,29)
+ goto true2516to2550, false2516to2533;
+
+ true2516to2550:
+ assume stack0b == true;
+ goto block2550;
+
+ false2516to2533:
+ assume stack0b == false;
+ goto block2533;
+
+ block2550:
+ // ----- load constant Second thread done! ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(44,13)
+ stack0o := $stringLiteral8;
+ // ----- call ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(44,13)
+ call System.Console.WriteLine$System.String(stack0o);
+ // ----- load constant Second thread done! ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(45,13)
+ stack0o := $stringLiteral9;
+ // ----- call ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(45,13)
+ call Microsoft.Singularity.DebugStub.Print$System.String(stack0o);
+ // ----- return ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(46,10)
+ return;
+
+ block2533:
+ // ----- load constant ... [1] ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(40,17)
+ stack0o := $stringLiteral7;
+ // ----- call ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(40,17)
+ // Commented out, to avoid problems with the theorem prover nondeterministically choosing this error over the one 12 lines above: call System.Console.WriteLine$System.String(stack0o);
+ // ----- call ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(41,17)
+ call System.Threading.Thread.Yield();
+ // ----- copy ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(38,37)
+ local1 := i;
+ // ----- load constant 1
+ stack0i := 1;
+ // ----- binary operator
+ stack0i := local1 + stack0i;
+ // ----- copy
+ i := stack0i;
+ // ----- copy
+ stack0i := local1;
+ // ----- branch
+ goto block2516;
+
+ block2516$LoopPreheader:
+ $Heap$block2516$LoopPreheader := $Heap;
+ goto block2516;
+
+}
+
+
+
+procedure Microsoft.Singularity.Applications.ThreadTest.Main$System.String.array(args$in: ref) returns ($result: int);
+ requires args$in == null || (cast($Heap[args$in, $writable]):bool == true && cast($Heap[args$in, $inv]):name == $typeof(args$in));
+ modifies $Heap;
+ free ensures IsHeap($Heap);
+ free ensures IsAllocated($Heap, $result);
+ free ensures (forall $o: ref, $f: name :: $f != $inv && $o != null && cast(old($Heap)[$o, $allocated]):bool == true && cast(old($Heap)[$o, $writable]):bool == true && (!IsStaticField($f) || !IsDirectlyModifiableField($f)) ==> old($Heap[$o, $f]) == $Heap[$o, $f]);
+ free ensures (forall $o: ref :: old($Heap)[$o, $inv] == $Heap[$o, $inv] || cast(old($Heap)[$o, $allocated]):bool != true);
+ free ensures (forall $o: ref :: cast(old($Heap)[$o, $allocated]):bool ==> cast($Heap[$o, $allocated]):bool);
+ free ensures (forall $o: ref :: old($Heap[$o, $sharingMode]) == $Heap[$o, $sharingMode]);
+
+
+
+implementation Microsoft.Singularity.Applications.ThreadTest.Main$System.String.array(args$in: ref) returns ($result: int)
+{
+ var args: ref, stack0o: ref, stack1o: ref, stack50000o: ref, t1: ref, t2: ref, i: int, stack0i: int, stack0b: bool, local3: int, return.value: int, SS$Display.Return.Local: int, $Heap$block3825$LoopPreheader: [ref,name]any;
+
+ entry:
+ assume IsHeap($Heap);
+ args := args$in;
+ assume $Is(args, RefArray(System.String, 1));
+ assume cast($Heap[args$in, $allocated]):bool == true;
+ goto block3791;
+
+ block3791:
+ goto block3808;
+
+ block3808:
+ stack0o := null;
+ // ----- load function ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(51,13)
+ havoc stack1o;
+ // ----- new object ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(51,13)
+ havoc stack50000o;
+ assume cast($Heap[stack50000o, $allocated]):bool == false && stack50000o != null && $typeof(stack50000o) == System.Threading.ThreadStart;
+ $Heap[stack50000o, $allocated] := true;
+ // ----- call ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(51,13)
+ assert stack50000o != null;
+ call System.Threading.ThreadStart..ctor$System.Object$System.IntPtr(stack50000o, stack0o, stack1o);
+ // ----- copy ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(51,13)
+ stack0o := stack50000o;
+ // ----- new object ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(51,13)
+ havoc stack50000o;
+ assume cast($Heap[stack50000o, $allocated]):bool == false && stack50000o != null && $typeof(stack50000o) == System.Threading.Thread;
+ $Heap[stack50000o, $allocated] := true;
+ // ----- call ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(51,13)
+ assert stack50000o != null;
+ call System.Threading.Thread..ctor$System.Threading.ThreadStart(stack50000o, stack0o);
+ // ----- copy ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(51,13)
+ stack0o := stack50000o;
+ // ----- copy ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(51,13)
+ t1 := stack0o;
+ stack0o := null;
+ // ----- load function ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(52,13)
+ havoc stack1o;
+ // ----- new object ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(52,13)
+ havoc stack50000o;
+ assume cast($Heap[stack50000o, $allocated]):bool == false && stack50000o != null && $typeof(stack50000o) == System.Threading.ThreadStart;
+ $Heap[stack50000o, $allocated] := true;
+ // ----- call ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(52,13)
+ assert stack50000o != null;
+ call System.Threading.ThreadStart..ctor$System.Object$System.IntPtr(stack50000o, stack0o, stack1o);
+ // ----- copy ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(52,13)
+ stack0o := stack50000o;
+ // ----- new object ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(52,13)
+ havoc stack50000o;
+ assume cast($Heap[stack50000o, $allocated]):bool == false && stack50000o != null && $typeof(stack50000o) == System.Threading.Thread;
+ $Heap[stack50000o, $allocated] := true;
+ // ----- call ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(52,13)
+ assert stack50000o != null;
+ call System.Threading.Thread..ctor$System.Threading.ThreadStart(stack50000o, stack0o);
+ // ----- copy ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(52,13)
+ stack0o := stack50000o;
+ // ----- copy ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(52,13)
+ t2 := stack0o;
+ // ----- load constant Starting first thread. ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(54,13)
+ stack0o := $stringLiteral10;
+ // ----- call ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(54,13)
+ call System.Console.WriteLine$System.String(stack0o);
+ // ----- call ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(55,13)
+ assert t1 != null;
+ call System.Threading.Thread.Start(t1);
+ // ----- load constant Started first thread. ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(56,13)
+ stack0o := $stringLiteral11;
+ // ----- call ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(56,13)
+ call System.Console.WriteLine$System.String(stack0o);
+ // ----- load constant Starting second thread. ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(58,13)
+ stack0o := $stringLiteral12;
+ // ----- call ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(58,13)
+ call System.Console.WriteLine$System.String(stack0o);
+ // ----- call ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(59,13)
+ assert t2 != null;
+ call System.Threading.Thread.Start(t2);
+ // ----- load constant Started second thread. ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(60,13)
+ stack0o := $stringLiteral13;
+ // ----- call ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(60,13)
+ call System.Console.WriteLine$System.String(stack0o);
+ // ----- load constant 0 ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(62,18)
+ i := 0;
+ goto block3825$LoopPreheader;
+
+ block3825:
+ // ----- default loop invariant: $inv field ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(62,29)
+ assert (forall $o: ref :: $Heap$block3825$LoopPreheader[$o, $inv] == $Heap[$o, $inv] || cast($Heap$block3825$LoopPreheader[$o, $allocated]):bool != true);
+ assert (forall $o: ref :: cast($Heap$block3825$LoopPreheader[$o, $allocated]):bool ==> cast($Heap[$o, $allocated]):bool);
+ // ----- load constant 30 ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(62,29)
+ stack0i := 30;
+ // ----- binary operator ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(62,29)
+ stack0b := i >= stack0i;
+ // ----- branch ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(62,29)
+ goto true3825to3859, false3825to3842;
+
+ true3825to3859:
+ assume stack0b == true;
+ goto block3859;
+
+ false3825to3842:
+ assume stack0b == false;
+ goto block3842;
+
+ block3859:
+ // ----- load constant 0 ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(66,13)
+ return.value := 0;
+ // ----- branch
+ goto block3876;
+
+ block3842:
+ // ----- call ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(64,17)
+ call System.Threading.Thread.Yield();
+ // ----- copy ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(62,37)
+ local3 := i;
+ // ----- load constant 1
+ stack0i := 1;
+ // ----- binary operator
+ stack0i := local3 + stack0i;
+ // ----- copy
+ i := stack0i;
+ // ----- copy
+ stack0i := local3;
+ // ----- branch
+ goto block3825;
+
+ block3876:
+ // ----- copy
+ SS$Display.Return.Local := return.value;
+ // ----- copy ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(67,10)
+ stack0i := return.value;
+ // ----- return ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(67,10)
+ $result := stack0i;
+ return;
+
+ block3825$LoopPreheader:
+ $Heap$block3825$LoopPreheader := $Heap;
+ goto block3825;
+
+}
+
+
+
+axiom $IsClass(System.Threading.ThreadStart);
+
+axiom $IsClass(System.MulticastDelegate);
+
+axiom $IsClass(System.Delegate);
+
+axiom System.Delegate <: System.Object && AsDirectSubClass(System.Delegate, System.Object) == System.Delegate;
+
+axiom Implements(System.Delegate, System.ICloneable);
+
+axiom (forall $K: name :: { System.Delegate <: $K } System.Delegate <: $K <==> System.Delegate == $K || System.Object <: $K || System.ICloneable <: $K);
+
+function Inv_System.Delegate(object: ref, heap: [ref,name]any) returns (result: bool);
+
+axiom (forall this: ref, heap: [ref,name]any :: { Inv_System.Delegate(this, heap) } Inv_System.Delegate(this, heap) <==> true);
+
+axiom (forall $o: ref, heap: [ref,name]any :: { cast(heap[$o, $inv]):name <: System.Delegate } { Inv_System.Delegate($o, heap) } IsHeap(heap) && cast(heap[$o, $inv]):name <: System.Delegate ==> Inv_System.Delegate($o, heap));
+
+axiom System.MulticastDelegate <: System.Delegate && AsDirectSubClass(System.MulticastDelegate, System.Delegate) == System.MulticastDelegate;
+
+axiom (forall $K: name :: { System.MulticastDelegate <: $K } System.MulticastDelegate <: $K <==> System.MulticastDelegate == $K || System.Delegate <: $K);
+
+function Inv_System.MulticastDelegate(object: ref, heap: [ref,name]any) returns (result: bool);
+
+axiom (forall this: ref, heap: [ref,name]any :: { Inv_System.MulticastDelegate(this, heap) } Inv_System.MulticastDelegate(this, heap) <==> true);
+
+axiom (forall $o: ref, heap: [ref,name]any :: { cast(heap[$o, $inv]):name <: System.MulticastDelegate } { Inv_System.MulticastDelegate($o, heap) } IsHeap(heap) && cast(heap[$o, $inv]):name <: System.MulticastDelegate ==> Inv_System.MulticastDelegate($o, heap));
+
+axiom System.Threading.ThreadStart <: System.MulticastDelegate && AsDirectSubClass(System.Threading.ThreadStart, System.MulticastDelegate) == System.Threading.ThreadStart;
+
+axiom (forall $K: name :: { System.Threading.ThreadStart <: $K } System.Threading.ThreadStart <: $K <==> System.Threading.ThreadStart == $K || System.MulticastDelegate <: $K);
+
+axiom (forall $U: name :: { $U <: System.Threading.ThreadStart } $U <: System.Threading.ThreadStart ==> $U == System.Threading.ThreadStart);
+
+function Inv_System.Threading.ThreadStart(object: ref, heap: [ref,name]any) returns (result: bool);
+
+axiom (forall this: ref, heap: [ref,name]any :: { Inv_System.Threading.ThreadStart(this, heap) } Inv_System.Threading.ThreadStart(this, heap) <==> true);
+
+axiom (forall $o: ref, heap: [ref,name]any :: { cast(heap[$o, $inv]):name <: System.Threading.ThreadStart } { Inv_System.Threading.ThreadStart($o, heap) } IsHeap(heap) && cast(heap[$o, $inv]):name <: System.Threading.ThreadStart ==> Inv_System.Threading.ThreadStart($o, heap));
+
+procedure System.Threading.ThreadStart..ctor$System.Object$System.IntPtr(this: ref, object$in: ref, method$in: ref);
+ modifies $Heap;
+ free ensures IsHeap($Heap);
+ free ensures (forall $o: ref, $f: name :: $f != $inv && $o != null && cast(old($Heap)[$o, $allocated]):bool == true && cast(old($Heap)[$o, $writable]):bool == true && (!IsStaticField($f) || !IsDirectlyModifiableField($f)) ==> old($Heap[$o, $f]) == $Heap[$o, $f]);
+ free ensures (forall $o: ref :: old($Heap)[$o, $inv] == $Heap[$o, $inv] || cast(old($Heap)[$o, $allocated]):bool != true);
+ free ensures (forall $o: ref :: cast(old($Heap)[$o, $allocated]):bool ==> cast($Heap[$o, $allocated]):bool);
+ free ensures (forall $o: ref :: old($Heap[$o, $sharingMode]) == $Heap[$o, $sharingMode]);
+ ensures cast($Heap[this, $writable]):bool == true && cast($Heap[this, $inv]):name == System.Threading.ThreadStart;
+
+
+
+axiom $IsClass(System.Threading.Thread);
+
+axiom System.Threading.Thread <: System.Object && AsDirectSubClass(System.Threading.Thread, System.Object) == System.Threading.Thread;
+
+axiom (forall $K: name :: { System.Threading.Thread <: $K } System.Threading.Thread <: $K <==> System.Threading.Thread == $K || System.Object <: $K);
+
+axiom (forall $U: name :: { $U <: System.Threading.Thread } $U <: System.Threading.Thread ==> $U == System.Threading.Thread);
+
+function Inv_System.Threading.Thread(object: ref, heap: [ref,name]any) returns (result: bool);
+
+axiom (forall this: ref, heap: [ref,name]any :: { Inv_System.Threading.Thread(this, heap) } Inv_System.Threading.Thread(this, heap) <==> true);
+
+axiom (forall $o: ref, heap: [ref,name]any :: { cast(heap[$o, $inv]):name <: System.Threading.Thread } { Inv_System.Threading.Thread($o, heap) } IsHeap(heap) && cast(heap[$o, $inv]):name <: System.Threading.Thread ==> Inv_System.Threading.Thread($o, heap));
+
+procedure System.Threading.Thread..ctor$System.Threading.ThreadStart(this: ref, start$in: ref);
+ requires start$in == null || (cast($Heap[start$in, $writable]):bool == true && cast($Heap[start$in, $inv]):name == $typeof(start$in));
+ modifies $Heap;
+ free ensures IsHeap($Heap);
+ free ensures (forall $o: ref, $f: name :: $f != $inv && $o != null && cast(old($Heap)[$o, $allocated]):bool == true && cast(old($Heap)[$o, $writable]):bool == true && (!IsStaticField($f) || !IsDirectlyModifiableField($f)) && ($o != this || !(System.Threading.Thread <: DeclType($f))) ==> old($Heap[$o, $f]) == $Heap[$o, $f]);
+ free ensures (forall $o: ref :: $o == this || old($Heap)[$o, $inv] == $Heap[$o, $inv] || cast(old($Heap)[$o, $allocated]):bool != true);
+ free ensures (forall $o: ref :: cast(old($Heap)[$o, $allocated]):bool ==> cast($Heap[$o, $allocated]):bool);
+ free ensures (forall $o: ref :: $o == this || old($Heap[$o, $sharingMode]) == $Heap[$o, $sharingMode]);
+ ensures cast($Heap[this, $writable]):bool == true && cast($Heap[this, $inv]):name == System.Threading.Thread;
+ ensures $Heap[this, $sharingMode] == $SharingMode_Unshared;
+
+
+
+procedure System.Threading.Thread.Start(this: ref);
+ requires cast($Heap[this, $writable]):bool == true && cast($Heap[this, $inv]):name == $typeof(this);
+ modifies $Heap;
+ free ensures IsHeap($Heap);
+ free ensures (forall $o: ref, $f: name :: $f != $inv && $o != null && cast(old($Heap)[$o, $allocated]):bool == true && cast(old($Heap)[$o, $writable]):bool == true && (!IsStaticField($f) || !IsDirectlyModifiableField($f)) ==> old($Heap[$o, $f]) == $Heap[$o, $f]);
+ free ensures (forall $o: ref :: old($Heap)[$o, $inv] == $Heap[$o, $inv] || cast(old($Heap)[$o, $allocated]):bool != true);
+ free ensures (forall $o: ref :: cast(old($Heap)[$o, $allocated]):bool ==> cast($Heap[$o, $allocated]):bool);
+ free ensures (forall $o: ref :: old($Heap[$o, $sharingMode]) == $Heap[$o, $sharingMode]);
+
+
+
+procedure Microsoft.Singularity.Applications.ThreadTest..ctor(this: ref);
+ modifies $Heap;
+ free ensures IsHeap($Heap);
+ free ensures (forall $o: ref, $f: name :: $f != $inv && $o != null && cast(old($Heap)[$o, $allocated]):bool == true && cast(old($Heap)[$o, $writable]):bool == true && (!IsStaticField($f) || !IsDirectlyModifiableField($f)) && ($o != this || !(Microsoft.Singularity.Applications.ThreadTest <: DeclType($f))) ==> old($Heap[$o, $f]) == $Heap[$o, $f]);
+ free ensures (forall $o: ref :: $o == this || old($Heap)[$o, $inv] == $Heap[$o, $inv] || cast(old($Heap)[$o, $allocated]):bool != true);
+ free ensures (forall $o: ref :: cast(old($Heap)[$o, $allocated]):bool ==> cast($Heap[$o, $allocated]):bool);
+ free ensures (forall $o: ref :: $o == this || old($Heap[$o, $sharingMode]) == $Heap[$o, $sharingMode]);
+ ensures cast($Heap[this, $writable]):bool == true && cast($Heap[this, $inv]):name == Microsoft.Singularity.Applications.ThreadTest;
+ ensures $Heap[this, $sharingMode] == $SharingMode_Unshared;
+
+
+
+implementation Microsoft.Singularity.Applications.ThreadTest..ctor(this: ref)
+{
+
+ entry:
+ assume IsHeap($Heap);
+ assume $IsNotNull(this, Microsoft.Singularity.Applications.ThreadTest);
+ assume cast($Heap[this, $allocated]):bool == true;
+ assume cast($Heap[this, $writable]):bool == true && cast($Heap[this, $inv]):name == System.Object;
+ goto block4777;
+
+ block4777:
+ goto block4794;
+
+ block4794:
+ // ----- call ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(17,18)
+ assert this != null;
+ call System.Object..ctor(this);
+ // ----- return ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(17,28)
+ assert this != null;
+ assert cast($Heap[this, $writable]):bool == true && System.Object <: cast($Heap[this, $inv]):name;
+ assert cast($Heap[this, $writable]):bool == true && cast($Heap[this, $inv]):name == System.Object;
+ assert Inv_Microsoft.Singularity.Applications.ThreadTest(this, $Heap);
+ $Heap[this, $inv] := Microsoft.Singularity.Applications.ThreadTest;
+ return;
+
+}
+
+
+
+procedure System.Object..ctor(this: ref);
+ modifies $Heap;
+ free ensures IsHeap($Heap);
+ free ensures (forall $o: ref, $f: name :: $f != $inv && $o != null && cast(old($Heap)[$o, $allocated]):bool == true && cast(old($Heap)[$o, $writable]):bool == true && (!IsStaticField($f) || !IsDirectlyModifiableField($f)) && ($o != this || !(System.Object <: DeclType($f))) ==> old($Heap[$o, $f]) == $Heap[$o, $f]);
+ free ensures (forall $o: ref :: $o == this || old($Heap)[$o, $inv] == $Heap[$o, $inv] || cast(old($Heap)[$o, $allocated]):bool != true);
+ free ensures (forall $o: ref :: cast(old($Heap)[$o, $allocated]):bool ==> cast($Heap[$o, $allocated]):bool);
+ free ensures (forall $o: ref :: $o == this || old($Heap[$o, $sharingMode]) == $Heap[$o, $sharingMode]);
+ ensures cast($Heap[this, $writable]):bool == true && cast($Heap[this, $inv]):name == System.Object;
+ ensures $Heap[this, $sharingMode] == $SharingMode_Unshared;
+
+
+
+type ref, name, any;
+const null : ref;
diff --git a/Test/test2/strings-where.bpl b/Test/test2/strings-where.bpl
new file mode 100644
index 00000000..da529b84
--- /dev/null
+++ b/Test/test2/strings-where.bpl
@@ -0,0 +1,995 @@
+type real;
+
+type elements;
+
+type struct;
+
+var $Heap: [ref,name]any where IsHeap($Heap);
+function cast<S,T>(S) returns (T);
+function IsHeap(h: [ref,name]any) returns (bool);
+
+const unique $allocated: name;
+
+const unique $elements: name;
+
+const unique $inv: name;
+
+const unique $writable: name;
+
+const unique $sharingMode: name;
+
+const unique $SharingMode_Unshared: name;
+
+const unique $SharingMode_LockProtected: name;
+
+function ClassRepr(class: name) returns (ref);
+
+axiom (forall c0: name, c1: name :: c0 != c1 ==> ClassRepr(c0) != ClassRepr(c1));
+
+axiom (forall T: name :: !($typeof(ClassRepr(T)) <: System.Object));
+
+axiom (forall T: name :: ClassRepr(T) != null);
+
+axiom (forall T: name, h: [ref,name]any :: { h[ClassRepr(T), $writable] } IsHeap(h) ==> cast(h[ClassRepr(T), $writable]):bool);
+
+function IsDirectlyModifiableField(f: name) returns (bool);
+
+axiom !IsDirectlyModifiableField($allocated);
+
+axiom IsDirectlyModifiableField($elements);
+
+axiom !IsDirectlyModifiableField($inv);
+
+axiom !IsDirectlyModifiableField($writable);
+
+function IsStaticField(f: name) returns (bool);
+
+axiom !IsStaticField($allocated);
+
+axiom !IsStaticField($elements);
+
+axiom !IsStaticField($inv);
+
+axiom !IsStaticField($writable);
+
+function ValueArrayGet(elements, int) returns (any);
+
+function ValueArraySet(elements, int, any) returns (elements);
+
+function RefArrayGet(elements, int) returns (ref);
+
+function RefArraySet(elements, int, ref) returns (elements);
+
+axiom (forall A: elements, i: int, x: any :: ValueArrayGet(ValueArraySet(A, i, x), i) == x);
+
+axiom (forall A: elements, i: int, j: int, x: any :: i != j ==> ValueArrayGet(ValueArraySet(A, i, x), j) == ValueArrayGet(A, j));
+
+axiom (forall A: elements, i: int, x: ref :: RefArrayGet(RefArraySet(A, i, x), i) == x);
+
+axiom (forall A: elements, i: int, j: int, x: ref :: i != j ==> RefArrayGet(RefArraySet(A, i, x), j) == RefArrayGet(A, j));
+
+function ArrayIndex(arr: ref, dim: int, indexAtDim: int, remainingIndexContribution: int) returns (int);
+
+axiom (forall a: ref, d: int, x: int, y: int, x': int, y': int :: ArrayIndex(a, d, x, y) == ArrayIndex(a, d, x', y') ==> x == x' && y == y');
+
+axiom (forall a: ref, T: name, i: int, r: int, heap: [ref,name]any :: $typeof(a) <: RefArray(T, r) ==> $Is(RefArrayGet(cast(heap[a, $elements]):elements, i), T));
+
+function $Rank(ref) returns (int);
+
+axiom (forall a: ref :: 1 <= $Rank(a));
+
+axiom (forall a: ref, T: name, r: int :: { $Is(a, ValueArray(T, r)) } $Is(a, ValueArray(T, r)) ==> $Rank(a) == r);
+
+axiom (forall a: ref, T: name, r: int :: { $Is(a, RefArray(T, r)) } $Is(a, RefArray(T, r)) ==> $Rank(a) == r);
+
+function $Length(ref) returns (int);
+
+axiom (forall a: ref :: { $Length(a) } 0 <= $Length(a));
+
+function $DimLength(ref, int) returns (int);
+
+axiom (forall a: ref, i: int :: 0 <= $DimLength(a, i));
+
+axiom (forall a: ref :: $Rank(a) == 1 ==> $DimLength(a, 0) == $Length(a));
+
+function $LBound(ref, int) returns (int);
+
+function $UBound(ref, int) returns (int);
+
+axiom (forall a: ref, i: int :: { $LBound(a, i) } $LBound(a, i) == 0);
+
+axiom (forall a: ref, i: int :: { $UBound(a, i) } $UBound(a, i) == $DimLength(a, i) - 1);
+
+const unique System.Array: name;
+
+axiom $IsClass(System.Array);
+
+axiom System.Array <: System.Object;
+
+function $ElementType(name) returns (name);
+
+function ValueArray(elementType: name, rank: int) returns (name);
+
+axiom (forall T: name, r: int :: { ValueArray(T, r) } ValueArray(T, r) <: System.Array);
+
+function RefArray(elementType: name, rank: int) returns (name);
+
+axiom (forall T: name, r: int :: { RefArray(T, r) } RefArray(T, r) <: System.Array);
+
+axiom (forall T: name, U: name, r: int :: U <: T ==> RefArray(U, r) <: RefArray(T, r));
+
+axiom (forall A: name, r: int :: $ElementType(ValueArray(A, r)) == A);
+
+axiom (forall A: name, r: int :: $ElementType(RefArray(A, r)) == A);
+
+axiom (forall A: name, r: int, T: name :: { T <: RefArray(A, r) } T <: RefArray(A, r) ==> T == RefArray($ElementType(T), r) && $ElementType(T) <: A);
+
+axiom (forall A: name, r: int, T: name :: { T <: ValueArray(A, r) } T <: ValueArray(A, r) ==> T == ValueArray(A, r));
+
+axiom (forall A: name, r: int, T: name :: RefArray(A, r) <: T ==> System.Array <: T || (T == RefArray($ElementType(T), r) && A <: $ElementType(T)));
+
+axiom (forall A: name, r: int, T: name :: ValueArray(A, r) <: T ==> System.Array <: T || T == ValueArray(A, r));
+
+function $ArrayPtr(elementType: name) returns (name);
+
+function $StructGet(struct, name) returns (any);
+
+function $StructSet(struct, name, any) returns (struct);
+
+axiom (forall s: struct, f: name, x: any :: $StructGet($StructSet(s, f, x), f) == x);
+
+axiom (forall s: struct, f: name, f': name, x: any :: f != f' ==> $StructGet($StructSet(s, f, x), f') == $StructGet(s, f'));
+
+function ZeroInit(s: struct, typ: name) returns (bool);
+
+function $typeof(ref) returns (name);
+
+function Implements(class: name, interface: name) returns (bool);
+
+axiom (forall T: name, J: name :: { Implements(T, J) } Implements(T, J) ==> T <: J);
+
+function InterfaceExtends(subIntf: name, superIntf: name) returns (bool);
+
+axiom (forall J: name, K: name :: { InterfaceExtends(J, K) } InterfaceExtends(J, K) ==> J <: K);
+
+function $IsClass(name) returns (bool);
+
+axiom (forall C: name :: { $IsClass(C) } $IsClass(C) ==> C <: C);
+
+function AsDirectSubClass(sub: name, base: name) returns (sub': name);
+
+function OneClassDown(sub: name, base: name) returns (directSub: name);
+
+axiom (forall A: name, B: name, C: name :: { C <: AsDirectSubClass(B, A) } C <: AsDirectSubClass(B, A) ==> OneClassDown(C, A) == B);
+
+function $IsInterface(name) returns (bool);
+
+axiom (forall J: name :: { $IsInterface(J) } $IsInterface(J) ==> J <: System.Object);
+
+function $IsValueType(name) returns (bool);
+
+axiom (forall T: name :: $IsValueType(T) ==> (forall U: name :: T <: U ==> T == U) && (forall U: name :: U <: T ==> T == U));
+
+const unique System.Object: name;
+
+axiom $IsClass(System.Object);
+
+function $IsTokenForType(struct, name) returns (bool);
+
+function TypeObject(name) returns (ref);
+
+const unique System.Type: name;
+
+axiom System.Type <: System.Object;
+
+axiom (forall T: name :: { TypeObject(T) } $IsNotNull(TypeObject(T), System.Type));
+
+function $Is(ref, name) returns (bool);
+
+axiom (forall o: ref, T: name :: { $Is(o, T) } $Is(o, T) <==> o == null || $typeof(o) <: T);
+
+function $IsNotNull(ref, name) returns (bool);
+
+axiom (forall o: ref, T: name :: { $IsNotNull(o, T) } $IsNotNull(o, T) <==> o != null && $Is(o, T));
+
+function $As(ref, name) returns (ref);
+
+axiom (forall o: ref, T: name :: $Is(o, T) ==> $As(o, T) == o);
+
+axiom (forall o: ref, T: name :: !$Is(o, T) ==> $As(o, T) == null);
+
+axiom (forall heap: [ref,name]any, o: ref, A: name, r: int :: $Is(o, RefArray(A, r)) ==> heap[o, $inv] == $typeof(o));
+
+axiom (forall heap: [ref,name]any, o: ref, A: name, r: int :: $Is(o, ValueArray(A, r)) ==> heap[o, $inv] == $typeof(o));
+
+function IsAllocated(h: [ref,name]any, o: any) returns (bool);
+
+axiom (forall h: [ref,name]any, o: ref, f: name :: { IsAllocated(h, h[o, f]) } IsHeap(h) ==> IsAllocated(h, h[o, f]));
+
+axiom (forall h: [ref,name]any, s: struct, f: name :: { IsAllocated(h, $StructGet(s, f)) } IsAllocated(h, s) ==> IsAllocated(h, $StructGet(s, f)));
+
+axiom (forall h: [ref,name]any, e: elements, i: int :: { IsAllocated(h, RefArrayGet(e, i)) } IsAllocated(h, e) ==> IsAllocated(h, RefArrayGet(e, i)));
+
+axiom (forall h: [ref,name]any, o: ref :: { h[o, $allocated] } IsAllocated(h, o) ==> cast(h[o, $allocated]):bool);
+
+axiom (forall h: [ref,name]any, c: name :: { h[ClassRepr(c), $allocated] } IsHeap(h) ==> cast(h[ClassRepr(c), $allocated]):bool);
+
+function DeclType(field: name) returns (class: name);
+
+function AsNonNullRefField(field: name, T: name) returns (f: name);
+
+function AsRefField(field: name, T: name) returns (f: name);
+
+function AsRangeField(field: name, T: name) returns (f: name);
+
+axiom (forall f: name, T: name :: { AsNonNullRefField(f, T) } AsNonNullRefField(f, T) == f ==> AsRefField(f, T) == f);
+
+axiom (forall h: [ref,name]any, o: ref, f: name, T: name :: { h[o, AsRefField(f, T)] } IsHeap(h) ==> $Is(cast(h[o, AsRefField(f, T)]):ref, T));
+
+axiom (forall h: [ref,name]any, o: ref, f: name, T: name :: { h[o, AsNonNullRefField(f, T)] } IsHeap(h) ==> cast(h[o, AsNonNullRefField(f, T)]):ref != null);
+
+axiom (forall h: [ref,name]any, o: ref, f: name, T: name :: { h[o, AsRangeField(f, T)] } IsHeap(h) ==> InRange(cast(h[o, AsRangeField(f, T)]):int, T));
+
+const unique System.String: name;
+
+axiom (forall h: [ref,name]any, s: ref :: IsHeap(h) && $typeof(s) == System.String ==> h[s, $inv] == $typeof(s) && cast(h[s, $writable]):bool);
+
+function AsOwnedField(f: name) returns (name);
+
+axiom (forall h: [ref,name]any, o: ref, f: name :: { h[o, AsOwnedField(f)] } IsHeap(h) && cast(h[o, $inv]):name <: DeclType(AsOwnedField(f)) ==> cast(h[o, AsOwnedField(f)]):ref == null || $typeof(cast(h[o, AsOwnedField(f)]):ref) == System.String || !cast(h[cast(h[o, AsOwnedField(f)]):ref, $writable]):bool);
+
+axiom (forall h: [ref,name]any, o: ref :: { h[o, $writable] } IsHeap(h) && !cast(h[o, $writable]):bool ==> cast(h[o, $inv]):name == $typeof(o));
+
+function Box(any, ref) returns (ref);
+
+function Unbox(ref) returns (any);
+
+axiom (forall x: any, p: ref :: { Unbox(Box(x, p)) } Unbox(Box(x, p)) == x);
+
+axiom (forall heap: [ref,name]any, x: any, p: ref :: { heap[Box(x, p), $inv] } IsHeap(heap) ==> heap[Box(x, p), $inv] == $typeof(Box(x, p)));
+
+function UnboxedType(ref) returns (name);
+
+function BoxTester(p: ref, typ: name) returns (ref);
+
+axiom (forall p: ref, typ: name :: { BoxTester(p, typ) } UnboxedType(p) == typ <==> BoxTester(p, typ) != null);
+
+const unique System.Int16: name;
+
+axiom $IsValueType(System.Int16);
+
+const unique System.Int32: name;
+
+axiom $IsValueType(System.Int32);
+
+const unique System.Int64: name;
+
+axiom $IsValueType(System.Int64);
+
+const unique System.Byte: name;
+
+axiom $IsValueType(System.Byte);
+
+const unique System.Int16.MinValue: int;
+
+const unique System.Int16.MaxValue: int;
+
+const unique System.Int32.MinValue: int;
+
+const unique System.Int32.MaxValue: int;
+
+const unique System.Int64.MinValue: int;
+
+const unique System.Int64.MaxValue: int;
+
+axiom System.Int64.MinValue < System.Int32.MinValue;
+
+axiom System.Int32.MinValue < System.Int16.MinValue;
+
+axiom System.Int16.MinValue < System.Int16.MaxValue;
+
+axiom System.Int16.MaxValue < System.Int32.MaxValue;
+
+axiom System.Int32.MaxValue < System.Int64.MaxValue;
+
+function InRange(i: int, T: name) returns (bool);
+
+axiom (forall i: int :: InRange(i, System.Int16) <==> System.Int16.MinValue <= i && i <= System.Int16.MaxValue);
+
+axiom (forall i: int :: InRange(i, System.Int32) <==> System.Int32.MinValue <= i && i <= System.Int32.MaxValue);
+
+axiom (forall i: int :: InRange(i, System.Int64) <==> System.Int64.MinValue <= i && i <= System.Int64.MaxValue);
+
+axiom (forall i: int :: { InRange(i, System.Byte) } InRange(i, System.Byte) <==> 0 <= i && i < 256);
+
+function $RealToInt(real) returns (int);
+
+function $IntToReal(int) returns (real);
+
+function $SizeIs(name, int) returns (bool);
+
+function $IfThenElse(bool, any, any) returns (any);
+
+axiom (forall b: bool, x: any, y: any :: { $IfThenElse(b, x, y) } b ==> $IfThenElse(b, x, y) == x);
+
+axiom (forall b: bool, x: any, y: any :: { $IfThenElse(b, x, y) } !b ==> $IfThenElse(b, x, y) == y);
+
+function #neg(int) returns (int);
+
+function #rneg(real) returns (real);
+
+function #rdiv(real, real) returns (real);
+
+function #and(int, int) returns (int);
+
+function #or(int, int) returns (int);
+
+function #xor(int, int) returns (int);
+
+function #shl(int, int) returns (int);
+
+function #shr(int, int) returns (int);
+
+axiom (forall x: int, y: int :: { x % y } { x / y } x % y == x - x / y * y);
+
+axiom (forall x: int, y: int :: { x % y } 0 <= x && 0 < y ==> 0 <= x % y && x % y < y);
+
+axiom (forall x: int, y: int :: { x % y } 0 <= x && y < 0 ==> 0 <= x % y && x % y < 0 - y);
+
+axiom (forall x: int, y: int :: { x % y } x <= 0 && 0 < y ==> 0 - y < x % y && x % y <= 0);
+
+axiom (forall x: int, y: int :: { x % y } x <= 0 && y < 0 ==> y < x % y && x % y <= 0);
+
+axiom (forall x: int, y: int :: { (x + y) % y } 0 <= x && 0 <= y ==> (x + y) % y == x % y);
+
+axiom (forall x: int, y: int :: { (y + x) % y } 0 <= x && 0 <= y ==> (y + x) % y == x % y);
+
+axiom (forall x: int, y: int :: { (x - y) % y } 0 <= x - y && 0 <= y ==> (x - y) % y == x % y);
+
+axiom (forall a: int, b: int, d: int :: { a % d,b % d } 2 <= d && a % d == b % d && a < b ==> a + d <= b);
+
+axiom (forall i: int :: { #shl(i, 0) } #shl(i, 0) == i);
+
+axiom (forall i: int, j: int :: 0 <= j ==> #shl(i, j + 1) == #shl(i, j) * 2);
+
+axiom (forall i: int :: { #shr(i, 0) } #shr(i, 0) == i);
+
+axiom (forall i: int, j: int :: 0 <= j ==> #shr(i, j + 1) == #shr(i, j) / 2);
+
+const unique $UnknownRef: ref;
+
+const unique System.IComparable: name;
+
+const unique Microsoft.Singularity.Applications.ThreadTest: name;
+
+const unique System.Threading.Thread: name;
+
+const unique System.Collections.IEnumerable: name;
+
+const unique System.Threading.ThreadStart: name;
+
+const unique System.ICloneable: name;
+
+const unique System.MulticastDelegate: name;
+
+const unique System.Delegate: name;
+
+const unique $stringLiteral0: ref;
+
+axiom (forall heap: [ref,name]any :: { cast(heap[$stringLiteral0, $allocated]):bool } IsHeap(heap) ==> cast(heap[$stringLiteral0, $allocated]):bool) && $IsNotNull($stringLiteral0, System.String) && $Length($stringLiteral0) == 13;
+
+const unique $stringLiteral1: ref;
+
+axiom (forall heap: [ref,name]any :: { cast(heap[$stringLiteral1, $allocated]):bool } IsHeap(heap) ==> cast(heap[$stringLiteral1, $allocated]):bool) && $IsNotNull($stringLiteral1, System.String) && $Length($stringLiteral1) == 14;
+
+const unique $stringLiteral2: ref;
+
+axiom (forall heap: [ref,name]any :: { cast(heap[$stringLiteral2, $allocated]):bool } IsHeap(heap) ==> cast(heap[$stringLiteral2, $allocated]):bool) && $IsNotNull($stringLiteral2, System.String) && $Length($stringLiteral2) == 11;
+
+const unique $stringLiteral3: ref;
+
+axiom (forall heap: [ref,name]any :: { cast(heap[$stringLiteral3, $allocated]):bool } IsHeap(heap) ==> cast(heap[$stringLiteral3, $allocated]):bool) && $IsNotNull($stringLiteral3, System.String) && $Length($stringLiteral3) == 18;
+
+const unique $stringLiteral4: ref;
+
+axiom (forall heap: [ref,name]any :: { cast(heap[$stringLiteral4, $allocated]):bool } IsHeap(heap) ==> cast(heap[$stringLiteral4, $allocated]):bool) && $IsNotNull($stringLiteral4, System.String) && $Length($stringLiteral4) == 19;
+
+const unique $stringLiteral5: ref;
+
+axiom (forall heap: [ref,name]any :: { cast(heap[$stringLiteral5, $allocated]):bool } IsHeap(heap) ==> cast(heap[$stringLiteral5, $allocated]):bool) && $IsNotNull($stringLiteral5, System.String) && $Length($stringLiteral5) == 14;
+
+const unique $stringLiteral6: ref;
+
+axiom (forall heap: [ref,name]any :: { cast(heap[$stringLiteral6, $allocated]):bool } IsHeap(heap) ==> cast(heap[$stringLiteral6, $allocated]):bool) && $IsNotNull($stringLiteral6, System.String) && $Length($stringLiteral6) == 15;
+
+const unique $stringLiteral7: ref;
+
+axiom (forall heap: [ref,name]any :: { cast(heap[$stringLiteral7, $allocated]):bool } IsHeap(heap) ==> cast(heap[$stringLiteral7, $allocated]):bool) && $IsNotNull($stringLiteral7, System.String) && $Length($stringLiteral7) == 11;
+
+const unique $stringLiteral8: ref;
+
+axiom (forall heap: [ref,name]any :: { cast(heap[$stringLiteral8, $allocated]):bool } IsHeap(heap) ==> cast(heap[$stringLiteral8, $allocated]):bool) && $IsNotNull($stringLiteral8, System.String) && $Length($stringLiteral8) == 19;
+
+const unique $stringLiteral9: ref;
+
+axiom (forall heap: [ref,name]any :: { cast(heap[$stringLiteral9, $allocated]):bool } IsHeap(heap) ==> cast(heap[$stringLiteral9, $allocated]):bool) && $IsNotNull($stringLiteral9, System.String) && $Length($stringLiteral9) == 20;
+
+const unique $stringLiteral10: ref;
+
+axiom (forall heap: [ref,name]any :: { cast(heap[$stringLiteral10, $allocated]):bool } IsHeap(heap) ==> cast(heap[$stringLiteral10, $allocated]):bool) && $IsNotNull($stringLiteral10, System.String) && $Length($stringLiteral10) == 22;
+
+const unique $stringLiteral11: ref;
+
+axiom (forall heap: [ref,name]any :: { cast(heap[$stringLiteral11, $allocated]):bool } IsHeap(heap) ==> cast(heap[$stringLiteral11, $allocated]):bool) && $IsNotNull($stringLiteral11, System.String) && $Length($stringLiteral11) == 21;
+
+const unique $stringLiteral12: ref;
+
+axiom (forall heap: [ref,name]any :: { cast(heap[$stringLiteral12, $allocated]):bool } IsHeap(heap) ==> cast(heap[$stringLiteral12, $allocated]):bool) && $IsNotNull($stringLiteral12, System.String) && $Length($stringLiteral12) == 23;
+
+const unique $stringLiteral13: ref;
+
+axiom (forall heap: [ref,name]any :: { cast(heap[$stringLiteral13, $allocated]):bool } IsHeap(heap) ==> cast(heap[$stringLiteral13, $allocated]):bool) && $IsNotNull($stringLiteral13, System.String) && $Length($stringLiteral13) == 22;
+
+axiom $IsClass(Microsoft.Singularity.Applications.ThreadTest);
+
+axiom Microsoft.Singularity.Applications.ThreadTest <: System.Object && AsDirectSubClass(Microsoft.Singularity.Applications.ThreadTest, System.Object) == Microsoft.Singularity.Applications.ThreadTest;
+
+axiom (forall $K: name :: { Microsoft.Singularity.Applications.ThreadTest <: $K } Microsoft.Singularity.Applications.ThreadTest <: $K <==> Microsoft.Singularity.Applications.ThreadTest == $K || System.Object <: $K);
+
+function Inv_Microsoft.Singularity.Applications.ThreadTest(object: ref, heap: [ref,name]any) returns (result: bool);
+
+axiom (forall this: ref, heap: [ref,name]any :: { Inv_Microsoft.Singularity.Applications.ThreadTest(this, heap) } Inv_Microsoft.Singularity.Applications.ThreadTest(this, heap) <==> true);
+
+axiom (forall $o: ref, heap: [ref,name]any :: { cast(heap[$o, $inv]):name <: Microsoft.Singularity.Applications.ThreadTest } { Inv_Microsoft.Singularity.Applications.ThreadTest($o, heap) } IsHeap(heap) && cast(heap[$o, $inv]):name <: Microsoft.Singularity.Applications.ThreadTest ==> Inv_Microsoft.Singularity.Applications.ThreadTest($o, heap));
+
+procedure Microsoft.Singularity.Applications.ThreadTest.FirstThreadMethod();
+ modifies $Heap;
+ free ensures IsHeap($Heap);
+ free ensures (forall $o: ref, $f: name :: $f != $inv && $o != null && cast(old($Heap)[$o, $allocated]):bool == true && cast(old($Heap)[$o, $writable]):bool == true && (!IsStaticField($f) || !IsDirectlyModifiableField($f)) ==> old($Heap[$o, $f]) == $Heap[$o, $f]);
+ free ensures (forall $o: ref :: old($Heap)[$o, $inv] == $Heap[$o, $inv] || cast(old($Heap)[$o, $allocated]):bool != true);
+ free ensures (forall $o: ref :: cast(old($Heap)[$o, $allocated]):bool ==> cast($Heap[$o, $allocated]):bool);
+ free ensures (forall $o: ref :: old($Heap[$o, $sharingMode]) == $Heap[$o, $sharingMode]);
+
+
+
+implementation Microsoft.Singularity.Applications.ThreadTest.FirstThreadMethod()
+{
+ var stack0o: ref, i: int, stack0i: int, stack0b: bool, local1: int, $Heap$block1513$LoopPreheader: [ref,name]any;
+
+ entry:
+ assume IsHeap($Heap);
+ goto block1479;
+
+ block1479:
+ goto block1496;
+
+ block1496:
+ // ----- load constant First thread! ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(21,13)
+ stack0o := $stringLiteral0;
+ // ----- call ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(21,13)
+ call System.Console.WriteLine$System.String(stack0o);
+ // ----- load constant First thread! ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(22,13)
+ stack0o := $stringLiteral1;
+ // ----- call ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(22,13)
+ call Microsoft.Singularity.DebugStub.Print$System.String(stack0o);
+ // ----- load constant 0 ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(24,18)
+ i := 0;
+ goto block1513$LoopPreheader;
+
+ block1513:
+ // ----- default loop invariant: $inv field ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(24,29)
+ assert (forall $o: ref :: $Heap$block1513$LoopPreheader[$o, $inv] == $Heap[$o, $inv] || cast($Heap$block1513$LoopPreheader[$o, $allocated]):bool != true);
+ assert (forall $o: ref :: cast($Heap$block1513$LoopPreheader[$o, $allocated]):bool ==> cast($Heap[$o, $allocated]):bool);
+ // ----- load constant 10 ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(24,29)
+ stack0i := 10;
+ // ----- binary operator ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(24,29)
+ stack0b := i >= stack0i;
+ // ----- branch ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(24,29)
+ goto true1513to1547, false1513to1530;
+
+ true1513to1547:
+ assume stack0b == true;
+ goto block1547;
+
+ false1513to1530:
+ assume stack0b == false;
+ goto block1530;
+
+ block1547:
+ // ----- load constant First thread done! ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(29,13)
+ stack0o := $stringLiteral3;
+ // ----- call ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(29,13)
+ call System.Console.WriteLine$System.String(stack0o);
+ // ----- load constant First thread done! ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(30,13)
+ stack0o := $stringLiteral4;
+ // ----- call ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(30,13)
+ call Microsoft.Singularity.DebugStub.Print$System.String(stack0o);
+ // ----- return ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(31,10)
+ return;
+
+ block1530:
+ // ----- load constant [0] ... ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(25,17)
+ stack0o := $stringLiteral2;
+ // ----- call ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(25,17)
+ call System.Console.WriteLine$System.String(stack0o);
+ // ----- call ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(26,17)
+ call System.Threading.Thread.Yield();
+ // ----- copy ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(24,37)
+ local1 := i;
+ // ----- load constant 1
+ stack0i := 1;
+ // ----- binary operator
+ stack0i := local1 + stack0i;
+ // ----- copy
+ i := stack0i;
+ // ----- copy
+ stack0i := local1;
+ // ----- branch
+ goto block1513;
+
+ block1513$LoopPreheader:
+ $Heap$block1513$LoopPreheader := $Heap;
+ goto block1513;
+
+}
+
+
+
+axiom $IsClass(System.String);
+
+axiom System.String <: System.Object && AsDirectSubClass(System.String, System.Object) == System.String;
+
+axiom $IsInterface(System.IComparable);
+
+axiom (forall $K: name :: { System.IComparable <: $K } System.IComparable <: $K <==> System.IComparable == $K || System.Object == $K);
+
+axiom Implements(System.String, System.IComparable);
+
+axiom $IsInterface(System.ICloneable);
+
+axiom (forall $K: name :: { System.ICloneable <: $K } System.ICloneable <: $K <==> System.ICloneable == $K || System.Object == $K);
+
+axiom Implements(System.String, System.ICloneable);
+
+axiom $IsInterface(System.Collections.IEnumerable);
+
+axiom (forall $K: name :: { System.Collections.IEnumerable <: $K } System.Collections.IEnumerable <: $K <==> System.Collections.IEnumerable == $K || System.Object == $K);
+
+axiom Implements(System.String, System.Collections.IEnumerable);
+
+axiom (forall $K: name :: { System.String <: $K } System.String <: $K <==> System.String == $K || System.Object <: $K || System.IComparable <: $K || System.ICloneable <: $K || System.Collections.IEnumerable <: $K);
+
+axiom (forall $U: name :: { $U <: System.String } $U <: System.String ==> $U == System.String);
+
+function Inv_System.String(object: ref, heap: [ref,name]any) returns (result: bool);
+
+axiom (forall this: ref, heap: [ref,name]any :: { Inv_System.String(this, heap) } Inv_System.String(this, heap) <==> true);
+
+axiom (forall $o: ref, heap: [ref,name]any :: { cast(heap[$o, $inv]):name <: System.String } { Inv_System.String($o, heap) } IsHeap(heap) && cast(heap[$o, $inv]):name <: System.String ==> Inv_System.String($o, heap));
+
+procedure System.Console.WriteLine$System.String(value$in: ref);
+ requires value$in == null || (cast($Heap[value$in, $writable]):bool == true && cast($Heap[value$in, $inv]):name == $typeof(value$in));
+ modifies $Heap;
+ free ensures IsHeap($Heap);
+ free ensures (forall $o: ref, $f: name :: $f != $inv && $o != null && cast(old($Heap)[$o, $allocated]):bool == true && cast(old($Heap)[$o, $writable]):bool == true && (!IsStaticField($f) || !IsDirectlyModifiableField($f)) ==> old($Heap[$o, $f]) == $Heap[$o, $f]);
+ free ensures (forall $o: ref :: old($Heap)[$o, $inv] == $Heap[$o, $inv] || cast(old($Heap)[$o, $allocated]):bool != true);
+ free ensures (forall $o: ref :: cast(old($Heap)[$o, $allocated]):bool ==> cast($Heap[$o, $allocated]):bool);
+ free ensures (forall $o: ref :: old($Heap[$o, $sharingMode]) == $Heap[$o, $sharingMode]);
+
+
+
+procedure Microsoft.Singularity.DebugStub.Print$System.String(value$in: ref);
+ requires value$in == null || (cast($Heap[value$in, $writable]):bool == true && cast($Heap[value$in, $inv]):name == $typeof(value$in));
+ modifies $Heap;
+ free ensures IsHeap($Heap);
+ free ensures (forall $o: ref, $f: name :: $f != $inv && $o != null && cast(old($Heap)[$o, $allocated]):bool == true && cast(old($Heap)[$o, $writable]):bool == true && (!IsStaticField($f) || !IsDirectlyModifiableField($f)) ==> old($Heap[$o, $f]) == $Heap[$o, $f]);
+ free ensures (forall $o: ref :: old($Heap)[$o, $inv] == $Heap[$o, $inv] || cast(old($Heap)[$o, $allocated]):bool != true);
+ free ensures (forall $o: ref :: cast(old($Heap)[$o, $allocated]):bool ==> cast($Heap[$o, $allocated]):bool);
+ free ensures (forall $o: ref :: old($Heap[$o, $sharingMode]) == $Heap[$o, $sharingMode]);
+
+
+
+procedure System.Threading.Thread.Yield();
+ modifies $Heap;
+ free ensures IsHeap($Heap);
+ free ensures (forall $o: ref, $f: name :: $f != $inv && $o != null && cast(old($Heap)[$o, $allocated]):bool == true && cast(old($Heap)[$o, $writable]):bool == true && (!IsStaticField($f) || !IsDirectlyModifiableField($f)) ==> old($Heap[$o, $f]) == $Heap[$o, $f]);
+ free ensures (forall $o: ref :: old($Heap)[$o, $inv] == $Heap[$o, $inv] || cast(old($Heap)[$o, $allocated]):bool != true);
+ free ensures (forall $o: ref :: cast(old($Heap)[$o, $allocated]):bool ==> cast($Heap[$o, $allocated]):bool);
+ free ensures (forall $o: ref :: old($Heap[$o, $sharingMode]) == $Heap[$o, $sharingMode]);
+
+
+
+procedure Microsoft.Singularity.Applications.ThreadTest.SecondThreadMethod();
+ modifies $Heap;
+ free ensures IsHeap($Heap);
+ free ensures (forall $o: ref, $f: name :: $f != $inv && $o != null && cast(old($Heap)[$o, $allocated]):bool == true && cast(old($Heap)[$o, $writable]):bool == true && (!IsStaticField($f) || !IsDirectlyModifiableField($f)) ==> old($Heap[$o, $f]) == $Heap[$o, $f]);
+ free ensures (forall $o: ref :: old($Heap)[$o, $inv] == $Heap[$o, $inv] || cast(old($Heap)[$o, $allocated]):bool != true);
+ free ensures (forall $o: ref :: cast(old($Heap)[$o, $allocated]):bool ==> cast($Heap[$o, $allocated]):bool);
+ free ensures (forall $o: ref :: old($Heap[$o, $sharingMode]) == $Heap[$o, $sharingMode]);
+
+
+
+implementation Microsoft.Singularity.Applications.ThreadTest.SecondThreadMethod()
+{
+ var stack0o: ref, i: int, stack0i: int, stack0b: bool, local1: int, $Heap$block2516$LoopPreheader: [ref,name]any;
+
+ entry:
+ assume IsHeap($Heap);
+ goto block2482;
+
+ block2482:
+ goto block2499;
+
+ block2499:
+ // ----- load constant Second thread! ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(35,13)
+ stack0o := $stringLiteral5;
+ // ----- call ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(35,13)
+ call System.Console.WriteLine$System.String(stack0o);
+ // ----- load constant Second thread! ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(36,13)
+ stack0o := $stringLiteral6;
+ // ----- call ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(36,13)
+ call Microsoft.Singularity.DebugStub.Print$System.String(stack0o);
+ // ----- load constant 0 ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(38,18)
+ i := 0;
+ goto block2516$LoopPreheader;
+
+ block2516:
+ // ----- default loop invariant: $inv field ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(38,29)
+ assert (forall $o: ref :: $Heap$block2516$LoopPreheader[$o, $inv] == $Heap[$o, $inv] || cast($Heap$block2516$LoopPreheader[$o, $allocated]):bool != true);
+ assert (forall $o: ref :: cast($Heap$block2516$LoopPreheader[$o, $allocated]):bool ==> cast($Heap[$o, $allocated]):bool);
+ // ----- load constant 10 ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(38,29)
+ stack0i := 10;
+ // ----- binary operator ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(38,29)
+ stack0b := i >= stack0i;
+ // ----- branch ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(38,29)
+ goto true2516to2550, false2516to2533;
+
+ true2516to2550:
+ assume stack0b == true;
+ goto block2550;
+
+ false2516to2533:
+ assume stack0b == false;
+ goto block2533;
+
+ block2550:
+ // ----- load constant Second thread done! ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(44,13)
+ stack0o := $stringLiteral8;
+ // ----- call ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(44,13)
+ call System.Console.WriteLine$System.String(stack0o);
+ // ----- load constant Second thread done! ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(45,13)
+ stack0o := $stringLiteral9;
+ // ----- call ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(45,13)
+ call Microsoft.Singularity.DebugStub.Print$System.String(stack0o);
+ // ----- return ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(46,10)
+ return;
+
+ block2533:
+ // ----- load constant ... [1] ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(40,17)
+ stack0o := $stringLiteral7;
+ // ----- call ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(40,17)
+ call System.Console.WriteLine$System.String(stack0o);
+ // ----- call ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(41,17)
+ call System.Threading.Thread.Yield();
+ // ----- copy ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(38,37)
+ local1 := i;
+ // ----- load constant 1
+ stack0i := 1;
+ // ----- binary operator
+ stack0i := local1 + stack0i;
+ // ----- copy
+ i := stack0i;
+ // ----- copy
+ stack0i := local1;
+ // ----- branch
+ goto block2516;
+
+ block2516$LoopPreheader:
+ $Heap$block2516$LoopPreheader := $Heap;
+ goto block2516;
+
+}
+
+
+
+procedure Microsoft.Singularity.Applications.ThreadTest.Main$System.String.array(args$in: ref) returns ($result: int);
+ requires args$in == null || (cast($Heap[args$in, $writable]):bool == true && cast($Heap[args$in, $inv]):name == $typeof(args$in));
+ modifies $Heap;
+ free ensures IsHeap($Heap);
+ free ensures IsAllocated($Heap, $result);
+ free ensures (forall $o: ref, $f: name :: $f != $inv && $o != null && cast(old($Heap)[$o, $allocated]):bool == true && cast(old($Heap)[$o, $writable]):bool == true && (!IsStaticField($f) || !IsDirectlyModifiableField($f)) ==> old($Heap[$o, $f]) == $Heap[$o, $f]);
+ free ensures (forall $o: ref :: old($Heap)[$o, $inv] == $Heap[$o, $inv] || cast(old($Heap)[$o, $allocated]):bool != true);
+ free ensures (forall $o: ref :: cast(old($Heap)[$o, $allocated]):bool ==> cast($Heap[$o, $allocated]):bool);
+ free ensures (forall $o: ref :: old($Heap[$o, $sharingMode]) == $Heap[$o, $sharingMode]);
+
+
+
+implementation Microsoft.Singularity.Applications.ThreadTest.Main$System.String.array(args$in: ref) returns ($result: int)
+{
+ var args: ref, stack0o: ref, stack1o: ref, stack50000o: ref, t1: ref, t2: ref, i: int, stack0i: int, stack0b: bool, local3: int, return.value: int, SS$Display.Return.Local: int, $Heap$block3825$LoopPreheader: [ref,name]any;
+
+ entry:
+ assume IsHeap($Heap);
+ args := args$in;
+ assume $Is(args, RefArray(System.String, 1));
+ assume cast($Heap[args$in, $allocated]):bool == true;
+ goto block3791;
+
+ block3791:
+ goto block3808;
+
+ block3808:
+ stack0o := null;
+ // ----- load function ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(51,13)
+ havoc stack1o;
+ // ----- new object ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(51,13)
+ havoc stack50000o;
+ assume cast($Heap[stack50000o, $allocated]):bool == false && stack50000o != null && $typeof(stack50000o) == System.Threading.ThreadStart;
+ $Heap[stack50000o, $allocated] := true;
+ // ----- call ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(51,13)
+ assert stack50000o != null;
+ call System.Threading.ThreadStart..ctor$System.Object$System.IntPtr(stack50000o, stack0o, stack1o);
+ // ----- copy ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(51,13)
+ stack0o := stack50000o;
+ // ----- new object ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(51,13)
+ havoc stack50000o;
+ assume cast($Heap[stack50000o, $allocated]):bool == false && stack50000o != null && $typeof(stack50000o) == System.Threading.Thread;
+ $Heap[stack50000o, $allocated] := true;
+ // ----- call ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(51,13)
+ assert stack50000o != null;
+ call System.Threading.Thread..ctor$System.Threading.ThreadStart(stack50000o, stack0o);
+ // ----- copy ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(51,13)
+ stack0o := stack50000o;
+ // ----- copy ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(51,13)
+ t1 := stack0o;
+ stack0o := null;
+ // ----- load function ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(52,13)
+ havoc stack1o;
+ // ----- new object ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(52,13)
+ havoc stack50000o;
+ assume cast($Heap[stack50000o, $allocated]):bool == false && stack50000o != null && $typeof(stack50000o) == System.Threading.ThreadStart;
+ $Heap[stack50000o, $allocated] := true;
+ // ----- call ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(52,13)
+ assert stack50000o != null;
+ call System.Threading.ThreadStart..ctor$System.Object$System.IntPtr(stack50000o, stack0o, stack1o);
+ // ----- copy ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(52,13)
+ stack0o := stack50000o;
+ // ----- new object ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(52,13)
+ havoc stack50000o;
+ assume cast($Heap[stack50000o, $allocated]):bool == false && stack50000o != null && $typeof(stack50000o) == System.Threading.Thread;
+ $Heap[stack50000o, $allocated] := true;
+ // ----- call ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(52,13)
+ assert stack50000o != null;
+ call System.Threading.Thread..ctor$System.Threading.ThreadStart(stack50000o, stack0o);
+ // ----- copy ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(52,13)
+ stack0o := stack50000o;
+ // ----- copy ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(52,13)
+ t2 := stack0o;
+ // ----- load constant Starting first thread. ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(54,13)
+ stack0o := $stringLiteral10;
+ // ----- call ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(54,13)
+ call System.Console.WriteLine$System.String(stack0o);
+ // ----- call ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(55,13)
+ assert t1 != null;
+ call System.Threading.Thread.Start(t1);
+ // ----- load constant Started first thread. ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(56,13)
+ stack0o := $stringLiteral11;
+ // ----- call ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(56,13)
+ call System.Console.WriteLine$System.String(stack0o);
+ // ----- load constant Starting second thread. ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(58,13)
+ stack0o := $stringLiteral12;
+ // ----- call ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(58,13)
+ call System.Console.WriteLine$System.String(stack0o);
+ // ----- call ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(59,13)
+ assert t2 != null;
+ call System.Threading.Thread.Start(t2);
+ // ----- load constant Started second thread. ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(60,13)
+ stack0o := $stringLiteral13;
+ // ----- call ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(60,13)
+ call System.Console.WriteLine$System.String(stack0o);
+ // ----- load constant 0 ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(62,18)
+ i := 0;
+ goto block3825$LoopPreheader;
+
+ block3825:
+ // ----- default loop invariant: $inv field ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(62,29)
+ assert (forall $o: ref :: $Heap$block3825$LoopPreheader[$o, $inv] == $Heap[$o, $inv] || cast($Heap$block3825$LoopPreheader[$o, $allocated]):bool != true);
+ assert (forall $o: ref :: cast($Heap$block3825$LoopPreheader[$o, $allocated]):bool ==> cast($Heap[$o, $allocated]):bool);
+ // ----- load constant 30 ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(62,29)
+ stack0i := 30;
+ // ----- binary operator ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(62,29)
+ stack0b := i >= stack0i;
+ // ----- branch ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(62,29)
+ goto true3825to3859, false3825to3842;
+
+ true3825to3859:
+ assume stack0b == true;
+ goto block3859;
+
+ false3825to3842:
+ assume stack0b == false;
+ goto block3842;
+
+ block3859:
+ // ----- load constant 0 ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(66,13)
+ return.value := 0;
+ // ----- branch
+ goto block3876;
+
+ block3842:
+ // ----- call ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(64,17)
+ call System.Threading.Thread.Yield();
+ // ----- copy ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(62,37)
+ local3 := i;
+ // ----- load constant 1
+ stack0i := 1;
+ // ----- binary operator
+ stack0i := local3 + stack0i;
+ // ----- copy
+ i := stack0i;
+ // ----- copy
+ stack0i := local3;
+ // ----- branch
+ goto block3825;
+
+ block3876:
+ // ----- copy
+ SS$Display.Return.Local := return.value;
+ // ----- copy ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(67,10)
+ stack0i := return.value;
+ // ----- return ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(67,10)
+ $result := stack0i;
+ return;
+
+ block3825$LoopPreheader:
+ $Heap$block3825$LoopPreheader := $Heap;
+ goto block3825;
+
+}
+
+
+
+axiom $IsClass(System.Threading.ThreadStart);
+
+axiom $IsClass(System.MulticastDelegate);
+
+axiom $IsClass(System.Delegate);
+
+axiom System.Delegate <: System.Object && AsDirectSubClass(System.Delegate, System.Object) == System.Delegate;
+
+axiom Implements(System.Delegate, System.ICloneable);
+
+axiom (forall $K: name :: { System.Delegate <: $K } System.Delegate <: $K <==> System.Delegate == $K || System.Object <: $K || System.ICloneable <: $K);
+
+function Inv_System.Delegate(object: ref, heap: [ref,name]any) returns (result: bool);
+
+axiom (forall this: ref, heap: [ref,name]any :: { Inv_System.Delegate(this, heap) } Inv_System.Delegate(this, heap) <==> true);
+
+axiom (forall $o: ref, heap: [ref,name]any :: { cast(heap[$o, $inv]):name <: System.Delegate } { Inv_System.Delegate($o, heap) } IsHeap(heap) && cast(heap[$o, $inv]):name <: System.Delegate ==> Inv_System.Delegate($o, heap));
+
+axiom System.MulticastDelegate <: System.Delegate && AsDirectSubClass(System.MulticastDelegate, System.Delegate) == System.MulticastDelegate;
+
+axiom (forall $K: name :: { System.MulticastDelegate <: $K } System.MulticastDelegate <: $K <==> System.MulticastDelegate == $K || System.Delegate <: $K);
+
+function Inv_System.MulticastDelegate(object: ref, heap: [ref,name]any) returns (result: bool);
+
+axiom (forall this: ref, heap: [ref,name]any :: { Inv_System.MulticastDelegate(this, heap) } Inv_System.MulticastDelegate(this, heap) <==> true);
+
+axiom (forall $o: ref, heap: [ref,name]any :: { cast(heap[$o, $inv]):name <: System.MulticastDelegate } { Inv_System.MulticastDelegate($o, heap) } IsHeap(heap) && cast(heap[$o, $inv]):name <: System.MulticastDelegate ==> Inv_System.MulticastDelegate($o, heap));
+
+axiom System.Threading.ThreadStart <: System.MulticastDelegate && AsDirectSubClass(System.Threading.ThreadStart, System.MulticastDelegate) == System.Threading.ThreadStart;
+
+axiom (forall $K: name :: { System.Threading.ThreadStart <: $K } System.Threading.ThreadStart <: $K <==> System.Threading.ThreadStart == $K || System.MulticastDelegate <: $K);
+
+axiom (forall $U: name :: { $U <: System.Threading.ThreadStart } $U <: System.Threading.ThreadStart ==> $U == System.Threading.ThreadStart);
+
+function Inv_System.Threading.ThreadStart(object: ref, heap: [ref,name]any) returns (result: bool);
+
+axiom (forall this: ref, heap: [ref,name]any :: { Inv_System.Threading.ThreadStart(this, heap) } Inv_System.Threading.ThreadStart(this, heap) <==> true);
+
+axiom (forall $o: ref, heap: [ref,name]any :: { cast(heap[$o, $inv]):name <: System.Threading.ThreadStart } { Inv_System.Threading.ThreadStart($o, heap) } IsHeap(heap) && cast(heap[$o, $inv]):name <: System.Threading.ThreadStart ==> Inv_System.Threading.ThreadStart($o, heap));
+
+procedure System.Threading.ThreadStart..ctor$System.Object$System.IntPtr(this: ref, object$in: ref, method$in: ref);
+ modifies $Heap;
+ free ensures IsHeap($Heap);
+ free ensures (forall $o: ref, $f: name :: $f != $inv && $o != null && cast(old($Heap)[$o, $allocated]):bool == true && cast(old($Heap)[$o, $writable]):bool == true && (!IsStaticField($f) || !IsDirectlyModifiableField($f)) ==> old($Heap[$o, $f]) == $Heap[$o, $f]);
+ free ensures (forall $o: ref :: old($Heap)[$o, $inv] == $Heap[$o, $inv] || cast(old($Heap)[$o, $allocated]):bool != true);
+ free ensures (forall $o: ref :: cast(old($Heap)[$o, $allocated]):bool ==> cast($Heap[$o, $allocated]):bool);
+ free ensures (forall $o: ref :: old($Heap[$o, $sharingMode]) == $Heap[$o, $sharingMode]);
+ ensures cast($Heap[this, $writable]):bool == true && cast($Heap[this, $inv]):name == System.Threading.ThreadStart;
+
+
+
+axiom $IsClass(System.Threading.Thread);
+
+axiom System.Threading.Thread <: System.Object && AsDirectSubClass(System.Threading.Thread, System.Object) == System.Threading.Thread;
+
+axiom (forall $K: name :: { System.Threading.Thread <: $K } System.Threading.Thread <: $K <==> System.Threading.Thread == $K || System.Object <: $K);
+
+axiom (forall $U: name :: { $U <: System.Threading.Thread } $U <: System.Threading.Thread ==> $U == System.Threading.Thread);
+
+function Inv_System.Threading.Thread(object: ref, heap: [ref,name]any) returns (result: bool);
+
+axiom (forall this: ref, heap: [ref,name]any :: { Inv_System.Threading.Thread(this, heap) } Inv_System.Threading.Thread(this, heap) <==> true);
+
+axiom (forall $o: ref, heap: [ref,name]any :: { cast(heap[$o, $inv]):name <: System.Threading.Thread } { Inv_System.Threading.Thread($o, heap) } IsHeap(heap) && cast(heap[$o, $inv]):name <: System.Threading.Thread ==> Inv_System.Threading.Thread($o, heap));
+
+procedure System.Threading.Thread..ctor$System.Threading.ThreadStart(this: ref, start$in: ref);
+ requires start$in == null || (cast($Heap[start$in, $writable]):bool == true && cast($Heap[start$in, $inv]):name == $typeof(start$in));
+ modifies $Heap;
+ free ensures IsHeap($Heap);
+ free ensures (forall $o: ref, $f: name :: $f != $inv && $o != null && cast(old($Heap)[$o, $allocated]):bool == true && cast(old($Heap)[$o, $writable]):bool == true && (!IsStaticField($f) || !IsDirectlyModifiableField($f)) && ($o != this || !(System.Threading.Thread <: DeclType($f))) ==> old($Heap[$o, $f]) == $Heap[$o, $f]);
+ free ensures (forall $o: ref :: $o == this || old($Heap)[$o, $inv] == $Heap[$o, $inv] || cast(old($Heap)[$o, $allocated]):bool != true);
+ free ensures (forall $o: ref :: cast(old($Heap)[$o, $allocated]):bool ==> cast($Heap[$o, $allocated]):bool);
+ free ensures (forall $o: ref :: $o == this || old($Heap[$o, $sharingMode]) == $Heap[$o, $sharingMode]);
+ ensures cast($Heap[this, $writable]):bool == true && cast($Heap[this, $inv]):name == System.Threading.Thread;
+ ensures $Heap[this, $sharingMode] == $SharingMode_Unshared;
+
+
+
+procedure System.Threading.Thread.Start(this: ref);
+ requires cast($Heap[this, $writable]):bool == true && cast($Heap[this, $inv]):name == $typeof(this);
+ modifies $Heap;
+ free ensures IsHeap($Heap);
+ free ensures (forall $o: ref, $f: name :: $f != $inv && $o != null && cast(old($Heap)[$o, $allocated]):bool == true && cast(old($Heap)[$o, $writable]):bool == true && (!IsStaticField($f) || !IsDirectlyModifiableField($f)) ==> old($Heap[$o, $f]) == $Heap[$o, $f]);
+ free ensures (forall $o: ref :: old($Heap)[$o, $inv] == $Heap[$o, $inv] || cast(old($Heap)[$o, $allocated]):bool != true);
+ free ensures (forall $o: ref :: cast(old($Heap)[$o, $allocated]):bool ==> cast($Heap[$o, $allocated]):bool);
+ free ensures (forall $o: ref :: old($Heap[$o, $sharingMode]) == $Heap[$o, $sharingMode]);
+
+
+
+procedure Microsoft.Singularity.Applications.ThreadTest..ctor(this: ref);
+ modifies $Heap;
+ free ensures IsHeap($Heap);
+ free ensures (forall $o: ref, $f: name :: $f != $inv && $o != null && cast(old($Heap)[$o, $allocated]):bool == true && cast(old($Heap)[$o, $writable]):bool == true && (!IsStaticField($f) || !IsDirectlyModifiableField($f)) && ($o != this || !(Microsoft.Singularity.Applications.ThreadTest <: DeclType($f))) ==> old($Heap[$o, $f]) == $Heap[$o, $f]);
+ free ensures (forall $o: ref :: $o == this || old($Heap)[$o, $inv] == $Heap[$o, $inv] || cast(old($Heap)[$o, $allocated]):bool != true);
+ free ensures (forall $o: ref :: cast(old($Heap)[$o, $allocated]):bool ==> cast($Heap[$o, $allocated]):bool);
+ free ensures (forall $o: ref :: $o == this || old($Heap[$o, $sharingMode]) == $Heap[$o, $sharingMode]);
+ ensures cast($Heap[this, $writable]):bool == true && cast($Heap[this, $inv]):name == Microsoft.Singularity.Applications.ThreadTest;
+ ensures $Heap[this, $sharingMode] == $SharingMode_Unshared;
+
+
+
+implementation Microsoft.Singularity.Applications.ThreadTest..ctor(this: ref)
+{
+
+ entry:
+ assume IsHeap($Heap);
+ assume $IsNotNull(this, Microsoft.Singularity.Applications.ThreadTest);
+ assume cast($Heap[this, $allocated]):bool == true;
+ assume cast($Heap[this, $writable]):bool == true && cast($Heap[this, $inv]):name == System.Object;
+ goto block4777;
+
+ block4777:
+ goto block4794;
+
+ block4794:
+ // ----- call ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(17,18)
+ assert this != null;
+ call System.Object..ctor(this);
+ // ----- return ----- C:\Maf\Singularity\base\Applications\Tests\ThreadTest\ThreadTest.cs(17,28)
+ assert this != null;
+ assert cast($Heap[this, $writable]):bool == true && System.Object <: cast($Heap[this, $inv]):name;
+ assert cast($Heap[this, $writable]):bool == true && cast($Heap[this, $inv]):name == System.Object;
+ assert Inv_Microsoft.Singularity.Applications.ThreadTest(this, $Heap);
+ $Heap[this, $inv] := Microsoft.Singularity.Applications.ThreadTest;
+ return;
+
+}
+
+
+
+procedure System.Object..ctor(this: ref);
+ modifies $Heap;
+ free ensures IsHeap($Heap);
+ free ensures (forall $o: ref, $f: name :: $f != $inv && $o != null && cast(old($Heap)[$o, $allocated]):bool == true && cast(old($Heap)[$o, $writable]):bool == true && (!IsStaticField($f) || !IsDirectlyModifiableField($f)) && ($o != this || !(System.Object <: DeclType($f))) ==> old($Heap[$o, $f]) == $Heap[$o, $f]);
+ free ensures (forall $o: ref :: $o == this || old($Heap)[$o, $inv] == $Heap[$o, $inv] || cast(old($Heap)[$o, $allocated]):bool != true);
+ free ensures (forall $o: ref :: cast(old($Heap)[$o, $allocated]):bool ==> cast($Heap[$o, $allocated]):bool);
+ free ensures (forall $o: ref :: $o == this || old($Heap[$o, $sharingMode]) == $Heap[$o, $sharingMode]);
+ ensures cast($Heap[this, $writable]):bool == true && cast($Heap[this, $inv]):name == System.Object;
+ ensures $Heap[this, $sharingMode] == $SharingMode_Unshared;
+
+
+
+type ref, name, any;
+const null : ref;
diff --git a/Test/test20/Answer b/Test/test20/Answer
new file mode 100644
index 00000000..a4b991f7
--- /dev/null
+++ b/Test/test20/Answer
@@ -0,0 +1,192 @@
+TypeDecls0.bpl(20,5): Error: more than one declaration of type name: C
+TypeDecls0.bpl(13,12): Error: more than one declaration of type variable: a
+TypeDecls0.bpl(14,18): Error: more than one declaration of type variable: a
+TypeDecls0.bpl(18,17): Error: type variable must occur in map arguments: b
+TypeDecls0.bpl(22,9): Error: type constructor received wrong number of arguments: C
+TypeDecls0.bpl(24,9): Error: undeclared type: A0
+TypeDecls0.bpl(25,9): Error: undeclared type: F
+TypeDecls0.bpl(28,9): Error: type constructor received wrong number of arguments: E
+TypeDecls0.bpl(30,9): Error: type constructor received wrong number of arguments: E
+TypeDecls0.bpl(32,9): Error: type constructor received wrong number of arguments: E
+TypeDecls0.bpl(38,11): Error: type constructor received wrong number of arguments: E
+TypeDecls0.bpl(38,13): Error: type constructor received wrong number of arguments: E
+12 name resolution errors detected in TypeDecls0.bpl
+TypeDecls1.bpl(7,13): Error: invalid type for argument 0 in map select: int (expected: <b>[b]a)
+TypeDecls1.bpl(13,25): Error: right-hand side in map store with wrong type: int (expected: bool)
+TypeDecls1.bpl(19,36): Error: invalid type for argument 0 in map select: <c>[c]c (expected: <b>[b]a)
+TypeDecls1.bpl(21,13): Error: invalid type for argument 0 in map select: <a>[<b>[b]a]bool (expected: <b>[b]a)
+4 type checking errors detected in TypeDecls1.bpl
+Prog0.bpl(17,10): Error: type variable must occur in map arguments: a
+Prog0.bpl(29,27): Error: more than one declaration of type variable: beta
+Prog0.bpl(32,22): Error: undeclared type: alpha
+Prog0.bpl(33,35): Error: undeclared type: alpha
+4 name resolution errors detected in Prog0.bpl
+Prog1.bpl(18,11): Error: invalid type for argument 0 in map select: int (expected: ref)
+Prog1.bpl(19,14): Error: invalid type for argument 1 in map select: int (expected: Field a)
+Prog1.bpl(20,17): Error: invalid argument types (bool and int) to binary operator >=
+3 type checking errors detected in Prog1.bpl
+Prog2.bpl(6,14): Error: trigger does not mention alpha, which does not occur in variables types either
+1 type checking errors detected in Prog2.bpl
+PolyFuns0.bpl(23,33): Error: invalid type for argument 1 in application of fieldValue: ref (expected: Field a)
+PolyFuns0.bpl(40,18): Error: invalid type for argument 1 in application of lessThan: bool (expected: a)
+PolyFuns0.bpl(41,43): Error: invalid type for argument 1 in application of lessThan: b (expected: a)
+PolyFuns0.bpl(53,55): Error: invalid argument types (<c>[Field c]a and <d>[Field d]d) to binary operator ==
+4 type checking errors detected in PolyFuns0.bpl
+PolyFuns1.bpl(10,9): Error: invalid type for argument 0 in application of F: <c>[c]c (expected: <b>[b]a)
+PolyFuns1.bpl(11,9): Error: invalid type for argument 0 in map select: <c>[c]c (expected: <b>[b]a)
+PolyFuns1.bpl(12,31): Error: invalid type for argument 0 in application of F: <c>[c]c (expected: <b>[b]a)
+PolyFuns1.bpl(13,31): Error: invalid type for argument 0 in map select: <c>[c]c (expected: <b>[b]a)
+PolyFuns1.bpl(17,55): Error: invalid argument types (<c>[Field c]a and <d>[Field d]d) to binary operator ==
+PolyFuns1.bpl(18,55): Error: invalid argument types (<c>[Field c]a and <d>[Field d]d) to binary operator ==
+PolyFuns1.bpl(28,11): Error: invalid type for argument 0 in call to Uhu: <dd>[Field dd]dd (expected: <c>[Field c]a)
+PolyFuns1.bpl(29,15): Error: invalid type for argument 1 in call to Uhu: <cc>[Field cc]T (expected: <d>[Field d]d)
+PolyFuns1.bpl(30,12): Error: invalid argument types (<cc>[Field cc]T and <dd>[Field dd]dd) to binary operator ==
+PolyFuns1.bpl(31,12): Error: invalid argument types (<dd>[Field dd]dd and <cc>[Field cc]T) to binary operator ==
+PolyFuns1.bpl(33,15): Error: invalid type for argument 1 in call to Uhu: <ee>[Field T]ee (expected: <d>[Field d]d)
+PolyFuns1.bpl(41,11): Error: invalid argument types (<a>[a,a]int and <b>[b,int]int) to binary operator ==
+PolyFuns1.bpl(42,11): Error: invalid argument types (<b>[b,int]int and <c>[int,c]int) to binary operator ==
+PolyFuns1.bpl(43,11): Error: invalid argument types (<a>[a,a]int and <c>[int,c]int) to binary operator ==
+PolyFuns1.bpl(50,11): Error: invalid argument types (<a,b>[a,a,b]int and <a,b>[a,b,b]int) to binary operator ==
+PolyFuns1.bpl(57,54): Error: invalid argument types (Field b and NagainCtor b) to binary operator ==
+16 type checking errors detected in PolyFuns1.bpl
+PolyProcs0.bpl(11,16): Error: invalid type for argument 0 in map select: Field b (expected: ref)
+PolyProcs0.bpl(11,19): Error: invalid type for argument 1 in map select: ref (expected: Field a)
+PolyProcs0.bpl(21,30): Error: invalid type for argument 1 in call to FieldAccess: Field int (expected: ref)
+PolyProcs0.bpl(21,34): Error: invalid type for argument 2 in call to FieldAccess: ref (expected: Field b)
+PolyProcs0.bpl(25,7): Error: invalid type for out-parameter 0 in call to FieldAccess: bool (expected: int)
+PolyProcs0.bpl(26,35): Error: invalid type for argument 2 in call to FieldAccess: ref (expected: Field b)
+PolyProcs0.bpl(41,35): Error: invalid type for argument 1 in call forall to injective: Field int (expected: ref)
+7 type checking errors detected in PolyProcs0.bpl
+TypeSynonyms0.bpl(9,5): Error: type synonym could not be resolved because of cycles: Cyclic0 (replacing body with "bool" to continue resolving)
+TypeSynonyms0.bpl(10,5): Error: type synonym could not be resolved because of cycles: Cyclic1 (replacing body with "bool" to continue resolving)
+TypeSynonyms0.bpl(12,5): Error: type synonym could not be resolved because of cycles: AlsoCyclic (replacing body with "bool" to continue resolving)
+TypeSynonyms0.bpl(22,10): Error: type constructor received wrong number of arguments: Field
+TypeSynonyms0.bpl(23,10): Error: type synonym received wrong number of arguments: Set
+TypeSynonyms0.bpl(26,10): Error: type variable must occur in map arguments: a
+6 name resolution errors detected in TypeSynonyms0.bpl
+TypeSynonyms1.bpl(46,8): Error: invalid type for argument 0 in application of h: <b>[b,b,<b2>[b2,b,int]int]int (expected: nested2)
+1 type checking errors detected in TypeSynonyms1.bpl
+
+Boogie program verifier finished with 1 verified, 0 errors
+
+type Set a = [a]bool;
+
+type Field _;
+
+type Heap = <a>[ref,Field a]a;
+
+type notAllParams a b = Field b;
+
+type Cyclic0 = Cyclic1;
+
+type Cyclic1 = Cyclic0;
+
+type AlsoCyclic a = <b>[AlsoCyclic b]int;
+
+type C _ _;
+
+type C2 b a = C a b;
+
+function f(C int bool) returns (int);
+
+const x: C2 bool int;
+
+const y: Field int bool;
+
+const z: Set int bool;
+
+const d: <a,b>[notAllParams a b]int;
+
+type ref;
+<console>(10,-1): Error: type synonym could not be resolved because of cycles: Cyclic0 (replacing body with "bool" to continue resolving)
+<console>(12,-1): Error: type synonym could not be resolved because of cycles: Cyclic1 (replacing body with "bool" to continue resolving)
+<console>(14,-1): Error: type synonym could not be resolved because of cycles: AlsoCyclic (replacing body with "bool" to continue resolving)
+<console>(24,8): Error: type constructor received wrong number of arguments: Field
+<console>(26,8): Error: type synonym received wrong number of arguments: Set
+<console>(28,8): Error: type variable must occur in map arguments: a
+6 name resolution errors detected in TypeSynonyms0.bpl
+
+type Set a = [a]bool;
+
+function union<a>(x: Set a, y: Set a) returns (Set a);
+
+axiom (forall<a> x: Set a, y: Set a, z: a :: (x[z] || y[z]) == union(x, y)[z]);
+
+const intSet0: Set int;
+
+axiom (forall x: int :: intSet0[x] == (x == 0 || x == 2 || x == 3));
+
+const intSet1: Set int;
+
+axiom (forall x: int :: intSet1[x] == (x == 0 - 5 || x == 3));
+
+procedure P();
+
+
+
+implementation P()
+{
+ assert (forall x: int :: union(intSet0, intSet1)[x] == (x == 0 - 5 || x == 0 || x == 2 || x == 3));
+}
+
+
+
+type Set a = [a]bool;
+
+function union<a>(x: Set a, y: Set a) returns (Set a);
+
+axiom (forall<a> x: Set a, y: Set a, z: a :: x[z] || y[z] <==> union(x, y)[z]);
+
+const intSet0: Set int;
+
+axiom (forall x: int :: intSet0[x] <==> x == 0 || x == 2 || x == 3);
+
+const intSet1: Set int;
+
+axiom (forall x: int :: intSet1[x] <==> x == 0 - 5 || x == 3);
+
+procedure P();
+
+
+
+implementation P()
+{
+ assert (forall x: int :: union(intSet0, intSet1)[x] <==> x == 0 - 5 || x == 0 || x == 2 || x == 3);
+}
+
+
+
+Boogie program verifier finished with 0 verified, 0 errors
+PolyPolyPoly.bpl(12,26): Error: invalid argument types ([]? and <a>[]C a) to binary operator ==
+PolyPolyPoly.bpl(15,23): Error: invalid argument types ([]? and <a>[]C a) to binary operator ==
+PolyPolyPoly.bpl(21,57): Error: invalid type for argument 1 in map select: b (expected: a)
+3 type checking errors detected in PolyPolyPoly.bpl
+PolyPolyPoly2.bpl(5,8): Warning: type parameter a is ambiguous, instantiating to int
+PolyPolyPoly2.bpl(7,8): Warning: type parameter a is ambiguous, instantiating to <arg0,res>[arg0]res
+PolyPolyPoly2.bpl(11,8): Warning: type parameter a is ambiguous, instantiating to bv0
+PolyPolyPoly2.bpl(11,15): Warning: type parameter a is ambiguous, instantiating to bv0
+PolyPolyPoly2.bpl(11,27): Warning: type parameter a is ambiguous, instantiating to bv17
+PolyPolyPoly2.bpl(12,8): Warning: type parameter a is ambiguous, instantiating to bv17
+PolyPolyPoly2.bpl(12,15): Warning: type parameter a is ambiguous, instantiating to bv0
+PolyPolyPoly2.bpl(22,7): Warning: type parameter a is ambiguous, instantiating to int
+PolyPolyPoly2.bpl(31,3): Warning: type parameter a is ambiguous, instantiating to int
+PolyPolyPoly2.bpl(32,3): Warning: type parameter a is ambiguous, instantiating to int
+
+Boogie program verifier finished with 0 verified, 0 errors
+ProcParamReordering.bpl(13,15): Error: mismatched type of in-parameter in implementation P: y (named b in implementation)
+ProcParamReordering.bpl(15,15): Error: mismatched number of type parameters in procedure implementation: P
+2 type checking errors detected in ProcParamReordering.bpl
+ParallelAssignment.bpl(17,2): Error: mismatched types in assignment command (cannot assign bool to int)
+ParallelAssignment.bpl(18,4): Error: invalid type for argument 0 in map assignment: bool (expected: int)
+ParallelAssignment.bpl(20,4): Error: command assigns to a global variable that is not in the enclosing method's modifies clause: z
+3 type checking errors detected in ParallelAssignment.bpl
+ParallelAssignment2.bpl(9,7): Error: number of left-hand sides does not match number of right-hand sides
+ParallelAssignment2.bpl(10,9): Error: variable a is assigned more than once in parallel assignment
+2 name resolution errors detected in ParallelAssignment2.bpl
+Coercions.bpl(11,8): Error: int cannot be coerced to E <a>[a]int
+Coercions.bpl(13,8): Error: C cannot be coerced to D
+Coercions.bpl(15,9): Error: int cannot be coerced to D
+Coercions.bpl(16,9): Error: int cannot be coerced to E int
+4 type checking errors detected in Coercions.bpl
+
+Boogie program verifier finished with 0 verified, 0 errors
diff --git a/Test/test20/Coercions.bpl b/Test/test20/Coercions.bpl
new file mode 100644
index 00000000..cab68149
--- /dev/null
+++ b/Test/test20/Coercions.bpl
@@ -0,0 +1,17 @@
+
+
+type C, D, E _;
+
+const x:int;
+const c:C;
+const d:D;
+
+axiom (x:int > 0);
+axiom (x:int < 0);
+axiom (x:E <a>[a]int < 0); // impossible coercion
+
+axiom (c:D == d); // impossible coercion
+
+axiom (15:D == d); // impossible coercion
+axiom (15:E int == d); // impossible coercion
+axiom ((18*15):int == 0);
diff --git a/Test/test20/EmptySeq.bpl b/Test/test20/EmptySeq.bpl
new file mode 100644
index 00000000..8fecfdf4
--- /dev/null
+++ b/Test/test20/EmptySeq.bpl
@@ -0,0 +1,6 @@
+type Seq T;
+
+function Seq#Length<T>(Seq T) returns (int);
+function Seq#Empty<T>() returns (Seq T);
+
+axiom (forall<T> :: Seq#Length(Seq#Empty(): Seq T) == 0);
diff --git a/Test/test20/Output b/Test/test20/Output
new file mode 100644
index 00000000..a4b991f7
--- /dev/null
+++ b/Test/test20/Output
@@ -0,0 +1,192 @@
+TypeDecls0.bpl(20,5): Error: more than one declaration of type name: C
+TypeDecls0.bpl(13,12): Error: more than one declaration of type variable: a
+TypeDecls0.bpl(14,18): Error: more than one declaration of type variable: a
+TypeDecls0.bpl(18,17): Error: type variable must occur in map arguments: b
+TypeDecls0.bpl(22,9): Error: type constructor received wrong number of arguments: C
+TypeDecls0.bpl(24,9): Error: undeclared type: A0
+TypeDecls0.bpl(25,9): Error: undeclared type: F
+TypeDecls0.bpl(28,9): Error: type constructor received wrong number of arguments: E
+TypeDecls0.bpl(30,9): Error: type constructor received wrong number of arguments: E
+TypeDecls0.bpl(32,9): Error: type constructor received wrong number of arguments: E
+TypeDecls0.bpl(38,11): Error: type constructor received wrong number of arguments: E
+TypeDecls0.bpl(38,13): Error: type constructor received wrong number of arguments: E
+12 name resolution errors detected in TypeDecls0.bpl
+TypeDecls1.bpl(7,13): Error: invalid type for argument 0 in map select: int (expected: <b>[b]a)
+TypeDecls1.bpl(13,25): Error: right-hand side in map store with wrong type: int (expected: bool)
+TypeDecls1.bpl(19,36): Error: invalid type for argument 0 in map select: <c>[c]c (expected: <b>[b]a)
+TypeDecls1.bpl(21,13): Error: invalid type for argument 0 in map select: <a>[<b>[b]a]bool (expected: <b>[b]a)
+4 type checking errors detected in TypeDecls1.bpl
+Prog0.bpl(17,10): Error: type variable must occur in map arguments: a
+Prog0.bpl(29,27): Error: more than one declaration of type variable: beta
+Prog0.bpl(32,22): Error: undeclared type: alpha
+Prog0.bpl(33,35): Error: undeclared type: alpha
+4 name resolution errors detected in Prog0.bpl
+Prog1.bpl(18,11): Error: invalid type for argument 0 in map select: int (expected: ref)
+Prog1.bpl(19,14): Error: invalid type for argument 1 in map select: int (expected: Field a)
+Prog1.bpl(20,17): Error: invalid argument types (bool and int) to binary operator >=
+3 type checking errors detected in Prog1.bpl
+Prog2.bpl(6,14): Error: trigger does not mention alpha, which does not occur in variables types either
+1 type checking errors detected in Prog2.bpl
+PolyFuns0.bpl(23,33): Error: invalid type for argument 1 in application of fieldValue: ref (expected: Field a)
+PolyFuns0.bpl(40,18): Error: invalid type for argument 1 in application of lessThan: bool (expected: a)
+PolyFuns0.bpl(41,43): Error: invalid type for argument 1 in application of lessThan: b (expected: a)
+PolyFuns0.bpl(53,55): Error: invalid argument types (<c>[Field c]a and <d>[Field d]d) to binary operator ==
+4 type checking errors detected in PolyFuns0.bpl
+PolyFuns1.bpl(10,9): Error: invalid type for argument 0 in application of F: <c>[c]c (expected: <b>[b]a)
+PolyFuns1.bpl(11,9): Error: invalid type for argument 0 in map select: <c>[c]c (expected: <b>[b]a)
+PolyFuns1.bpl(12,31): Error: invalid type for argument 0 in application of F: <c>[c]c (expected: <b>[b]a)
+PolyFuns1.bpl(13,31): Error: invalid type for argument 0 in map select: <c>[c]c (expected: <b>[b]a)
+PolyFuns1.bpl(17,55): Error: invalid argument types (<c>[Field c]a and <d>[Field d]d) to binary operator ==
+PolyFuns1.bpl(18,55): Error: invalid argument types (<c>[Field c]a and <d>[Field d]d) to binary operator ==
+PolyFuns1.bpl(28,11): Error: invalid type for argument 0 in call to Uhu: <dd>[Field dd]dd (expected: <c>[Field c]a)
+PolyFuns1.bpl(29,15): Error: invalid type for argument 1 in call to Uhu: <cc>[Field cc]T (expected: <d>[Field d]d)
+PolyFuns1.bpl(30,12): Error: invalid argument types (<cc>[Field cc]T and <dd>[Field dd]dd) to binary operator ==
+PolyFuns1.bpl(31,12): Error: invalid argument types (<dd>[Field dd]dd and <cc>[Field cc]T) to binary operator ==
+PolyFuns1.bpl(33,15): Error: invalid type for argument 1 in call to Uhu: <ee>[Field T]ee (expected: <d>[Field d]d)
+PolyFuns1.bpl(41,11): Error: invalid argument types (<a>[a,a]int and <b>[b,int]int) to binary operator ==
+PolyFuns1.bpl(42,11): Error: invalid argument types (<b>[b,int]int and <c>[int,c]int) to binary operator ==
+PolyFuns1.bpl(43,11): Error: invalid argument types (<a>[a,a]int and <c>[int,c]int) to binary operator ==
+PolyFuns1.bpl(50,11): Error: invalid argument types (<a,b>[a,a,b]int and <a,b>[a,b,b]int) to binary operator ==
+PolyFuns1.bpl(57,54): Error: invalid argument types (Field b and NagainCtor b) to binary operator ==
+16 type checking errors detected in PolyFuns1.bpl
+PolyProcs0.bpl(11,16): Error: invalid type for argument 0 in map select: Field b (expected: ref)
+PolyProcs0.bpl(11,19): Error: invalid type for argument 1 in map select: ref (expected: Field a)
+PolyProcs0.bpl(21,30): Error: invalid type for argument 1 in call to FieldAccess: Field int (expected: ref)
+PolyProcs0.bpl(21,34): Error: invalid type for argument 2 in call to FieldAccess: ref (expected: Field b)
+PolyProcs0.bpl(25,7): Error: invalid type for out-parameter 0 in call to FieldAccess: bool (expected: int)
+PolyProcs0.bpl(26,35): Error: invalid type for argument 2 in call to FieldAccess: ref (expected: Field b)
+PolyProcs0.bpl(41,35): Error: invalid type for argument 1 in call forall to injective: Field int (expected: ref)
+7 type checking errors detected in PolyProcs0.bpl
+TypeSynonyms0.bpl(9,5): Error: type synonym could not be resolved because of cycles: Cyclic0 (replacing body with "bool" to continue resolving)
+TypeSynonyms0.bpl(10,5): Error: type synonym could not be resolved because of cycles: Cyclic1 (replacing body with "bool" to continue resolving)
+TypeSynonyms0.bpl(12,5): Error: type synonym could not be resolved because of cycles: AlsoCyclic (replacing body with "bool" to continue resolving)
+TypeSynonyms0.bpl(22,10): Error: type constructor received wrong number of arguments: Field
+TypeSynonyms0.bpl(23,10): Error: type synonym received wrong number of arguments: Set
+TypeSynonyms0.bpl(26,10): Error: type variable must occur in map arguments: a
+6 name resolution errors detected in TypeSynonyms0.bpl
+TypeSynonyms1.bpl(46,8): Error: invalid type for argument 0 in application of h: <b>[b,b,<b2>[b2,b,int]int]int (expected: nested2)
+1 type checking errors detected in TypeSynonyms1.bpl
+
+Boogie program verifier finished with 1 verified, 0 errors
+
+type Set a = [a]bool;
+
+type Field _;
+
+type Heap = <a>[ref,Field a]a;
+
+type notAllParams a b = Field b;
+
+type Cyclic0 = Cyclic1;
+
+type Cyclic1 = Cyclic0;
+
+type AlsoCyclic a = <b>[AlsoCyclic b]int;
+
+type C _ _;
+
+type C2 b a = C a b;
+
+function f(C int bool) returns (int);
+
+const x: C2 bool int;
+
+const y: Field int bool;
+
+const z: Set int bool;
+
+const d: <a,b>[notAllParams a b]int;
+
+type ref;
+<console>(10,-1): Error: type synonym could not be resolved because of cycles: Cyclic0 (replacing body with "bool" to continue resolving)
+<console>(12,-1): Error: type synonym could not be resolved because of cycles: Cyclic1 (replacing body with "bool" to continue resolving)
+<console>(14,-1): Error: type synonym could not be resolved because of cycles: AlsoCyclic (replacing body with "bool" to continue resolving)
+<console>(24,8): Error: type constructor received wrong number of arguments: Field
+<console>(26,8): Error: type synonym received wrong number of arguments: Set
+<console>(28,8): Error: type variable must occur in map arguments: a
+6 name resolution errors detected in TypeSynonyms0.bpl
+
+type Set a = [a]bool;
+
+function union<a>(x: Set a, y: Set a) returns (Set a);
+
+axiom (forall<a> x: Set a, y: Set a, z: a :: (x[z] || y[z]) == union(x, y)[z]);
+
+const intSet0: Set int;
+
+axiom (forall x: int :: intSet0[x] == (x == 0 || x == 2 || x == 3));
+
+const intSet1: Set int;
+
+axiom (forall x: int :: intSet1[x] == (x == 0 - 5 || x == 3));
+
+procedure P();
+
+
+
+implementation P()
+{
+ assert (forall x: int :: union(intSet0, intSet1)[x] == (x == 0 - 5 || x == 0 || x == 2 || x == 3));
+}
+
+
+
+type Set a = [a]bool;
+
+function union<a>(x: Set a, y: Set a) returns (Set a);
+
+axiom (forall<a> x: Set a, y: Set a, z: a :: x[z] || y[z] <==> union(x, y)[z]);
+
+const intSet0: Set int;
+
+axiom (forall x: int :: intSet0[x] <==> x == 0 || x == 2 || x == 3);
+
+const intSet1: Set int;
+
+axiom (forall x: int :: intSet1[x] <==> x == 0 - 5 || x == 3);
+
+procedure P();
+
+
+
+implementation P()
+{
+ assert (forall x: int :: union(intSet0, intSet1)[x] <==> x == 0 - 5 || x == 0 || x == 2 || x == 3);
+}
+
+
+
+Boogie program verifier finished with 0 verified, 0 errors
+PolyPolyPoly.bpl(12,26): Error: invalid argument types ([]? and <a>[]C a) to binary operator ==
+PolyPolyPoly.bpl(15,23): Error: invalid argument types ([]? and <a>[]C a) to binary operator ==
+PolyPolyPoly.bpl(21,57): Error: invalid type for argument 1 in map select: b (expected: a)
+3 type checking errors detected in PolyPolyPoly.bpl
+PolyPolyPoly2.bpl(5,8): Warning: type parameter a is ambiguous, instantiating to int
+PolyPolyPoly2.bpl(7,8): Warning: type parameter a is ambiguous, instantiating to <arg0,res>[arg0]res
+PolyPolyPoly2.bpl(11,8): Warning: type parameter a is ambiguous, instantiating to bv0
+PolyPolyPoly2.bpl(11,15): Warning: type parameter a is ambiguous, instantiating to bv0
+PolyPolyPoly2.bpl(11,27): Warning: type parameter a is ambiguous, instantiating to bv17
+PolyPolyPoly2.bpl(12,8): Warning: type parameter a is ambiguous, instantiating to bv17
+PolyPolyPoly2.bpl(12,15): Warning: type parameter a is ambiguous, instantiating to bv0
+PolyPolyPoly2.bpl(22,7): Warning: type parameter a is ambiguous, instantiating to int
+PolyPolyPoly2.bpl(31,3): Warning: type parameter a is ambiguous, instantiating to int
+PolyPolyPoly2.bpl(32,3): Warning: type parameter a is ambiguous, instantiating to int
+
+Boogie program verifier finished with 0 verified, 0 errors
+ProcParamReordering.bpl(13,15): Error: mismatched type of in-parameter in implementation P: y (named b in implementation)
+ProcParamReordering.bpl(15,15): Error: mismatched number of type parameters in procedure implementation: P
+2 type checking errors detected in ProcParamReordering.bpl
+ParallelAssignment.bpl(17,2): Error: mismatched types in assignment command (cannot assign bool to int)
+ParallelAssignment.bpl(18,4): Error: invalid type for argument 0 in map assignment: bool (expected: int)
+ParallelAssignment.bpl(20,4): Error: command assigns to a global variable that is not in the enclosing method's modifies clause: z
+3 type checking errors detected in ParallelAssignment.bpl
+ParallelAssignment2.bpl(9,7): Error: number of left-hand sides does not match number of right-hand sides
+ParallelAssignment2.bpl(10,9): Error: variable a is assigned more than once in parallel assignment
+2 name resolution errors detected in ParallelAssignment2.bpl
+Coercions.bpl(11,8): Error: int cannot be coerced to E <a>[a]int
+Coercions.bpl(13,8): Error: C cannot be coerced to D
+Coercions.bpl(15,9): Error: int cannot be coerced to D
+Coercions.bpl(16,9): Error: int cannot be coerced to E int
+4 type checking errors detected in Coercions.bpl
+
+Boogie program verifier finished with 0 verified, 0 errors
diff --git a/Test/test20/ParallelAssignment.bpl b/Test/test20/ParallelAssignment.bpl
new file mode 100644
index 00000000..3ca196c8
--- /dev/null
+++ b/Test/test20/ParallelAssignment.bpl
@@ -0,0 +1,23 @@
+// Examples from the Boogie2 language report
+// (stuff where resolution succeeds, but typechecking might fail)
+
+type C, D;
+
+var x : int;
+var y : int;
+var z : int;
+var a : [int]int;
+var b : [int][C, D]int;
+
+procedure P(i:int, j:int, m:C, n:D) returns () modifies x, y, a, b; {
+ x := x+1;
+ a[i] := 12;
+ x, y := y, x;
+ x, a[i] := x+1, x;
+ x := true; // type error
+ a[true] := 5; // type error
+
+ z := 23; // assignment to non-modifiable variable
+ b[i][m, n] := 17;
+ b[i][m, n], x := a[x], y;
+} \ No newline at end of file
diff --git a/Test/test20/ParallelAssignment2.bpl b/Test/test20/ParallelAssignment2.bpl
new file mode 100644
index 00000000..7d1f0daf
--- /dev/null
+++ b/Test/test20/ParallelAssignment2.bpl
@@ -0,0 +1,11 @@
+// Examples from the Boogie2 language report
+// (examples where already resolution fails)
+
+var x : int;
+var y : int;
+var a : [int]int;
+
+procedure P(i:int, j:int) returns () modifies x, y, a; {
+ x, y := 1; // wrong number of rhss
+ a[i], a[j] := a[j], a[i]; // variable assigned more than once
+} \ No newline at end of file
diff --git a/Test/test20/PolyFuns0.bpl b/Test/test20/PolyFuns0.bpl
new file mode 100644
index 00000000..938bc197
--- /dev/null
+++ b/Test/test20/PolyFuns0.bpl
@@ -0,0 +1,55 @@
+
+
+function size<alpha>(x : alpha) returns (int);
+
+axiom (forall x:int :: size(x) == 0);
+axiom (forall<alpha> x:alpha :: size(x) >= 0);
+
+axiom (forall m:[int]int, x:int :: size(m) >= m[x]);
+axiom (forall m:<a>[a]int :: size(m) == 13);
+
+type Field a;
+
+function fieldValue<a>(ref, Field a) returns (a);
+
+const intField : Field int;
+const refField : Field ref;
+const obj : ref;
+const someInt : int;
+
+axiom someInt == fieldValue(obj, intField);
+axiom someInt == fieldValue(fieldValue(obj, refField), intField);
+
+axiom someInt == fieldValue(obj, fieldValue(obj, refField)); // error: wrong argument type
+
+axiom (forall<a> f : Field a ::
+ (exists x:a :: fieldValue(obj, f) == x));
+
+axiom (forall<beta, alpha> a:alpha, b:beta ::
+ a == b ==> (exists c:alpha :: c == b));
+axiom (forall<a> f : Field a ::
+ (exists<b> x:b :: fieldValue(obj, f) == x));
+axiom (forall<a> f : Field a ::
+ (exists x:int :: fieldValue(obj, f) == x));
+
+function lessThan<a>(x : a, y : a) returns (bool);
+
+axiom (forall x:int, y:int :: x < y ==> lessThan(x, y));
+axiom lessThan(false, true);
+
+axiom lessThan(5, true); // error: incompatible arguments
+axiom (forall<a,b> x:a, y:b :: lessThan(x, y)); // error: incompatible arguments
+
+function lessThan2<a,b>(x : a, y : b) returns (bool);
+
+axiom (forall<a> x:a, y:a :: lessThan(x,y) == lessThan2(x,y));
+axiom (forall<a> x:a :: (exists m:a :: (forall y:a :: lessThan2(m, y))));
+
+axiom (exists<a,b> x:a, y:b :: lessThan2(x, y) == lessThan2(y, x));
+
+axiom (exists<a,b> x:<c>[Field c]a, y:<d>[Field d]b :: x == y);
+axiom (exists<a> x:<c>[Field c]a, y:<d>[Field d]int :: x == y);
+axiom (exists<a> x:<c>[Field c]int, y:<d>[Field d]a :: x == y);
+axiom (exists<a> x:<c>[Field c]a, y:<d>[Field d]d :: x == y); // error: not unifiable
+
+type ref;
diff --git a/Test/test20/PolyFuns1.bpl b/Test/test20/PolyFuns1.bpl
new file mode 100644
index 00000000..eaca67bf
--- /dev/null
+++ b/Test/test20/PolyFuns1.bpl
@@ -0,0 +1,59 @@
+
+function F<a>( <b>[b]a ) returns (bool);
+const M: <a>[ <b>[b]a ] bool;
+
+procedure P()
+{
+ var f: <c>[c]c;
+ var b: bool;
+
+ b := F(f); // type error
+ b := M[f]; // type error
+ b := (forall g: <c>[c]c :: F(g)); // type error
+ b := (forall g: <c>[c]c :: M[g]); // type error
+}
+
+type Field a;
+axiom (exists<a> x:<c>[Field c]a, y:<d>[Field d]d :: x == y); // error: not unifiable
+axiom (forall<a> x:<c>[Field c]a, y:<d>[Field d]d :: x == y); // error: not unifiable
+
+procedure Uhu<a>(x: <c>[Field c]a, y: <d>[Field d]d);
+procedure Oyeah<T>(t: T)
+{
+ var xx: <cc>[Field cc]T;
+ var yy: <dd>[Field dd]dd;
+ var zz: <ee>[Field T]ee;
+
+ call Uhu(xx, yy);
+ call Uhu(yy, yy); // type error in argument 0
+ call Uhu(xx, xx); // type error in argument 1
+ assert xx == yy; // error: not unifiable
+ assert yy == xx; // error: not unifiable
+
+ call Uhu(xx, zz); // type error in argument 1
+}
+
+procedure Jitters()
+{
+ var x: <a>[a,a]int;
+ var y: <b>[b,int]int;
+ var z: <c>[int,c]int;
+ assert x == y; // error: not unifiable
+ assert y == z; // error: not unifiable
+ assert x == z; // error: not unifiable
+}
+
+procedure Nuther()
+{
+ var x: <a,b>[a,a,b]int;
+ var y: <a,b>[a,b,b]int;
+ assert x == y; // error: not unifiable
+}
+
+type NagainCtor a;
+procedure Nagain()
+ requires (forall<a,b> x: a, y: b :: x == y);
+ ensures (forall<a,b> x: a, y: Field b, z: NagainCtor b :: x == y && x == z);
+ ensures (forall<b> y: Field b, z: NagainCtor b :: y == z); // error: types not unifiable
+{
+}
diff --git a/Test/test20/PolyPolyPoly.bpl b/Test/test20/PolyPolyPoly.bpl
new file mode 100644
index 00000000..8666d1fc
--- /dev/null
+++ b/Test/test20/PolyPolyPoly.bpl
@@ -0,0 +1,22 @@
+
+type C _;
+
+const p: <a>[]a;
+const q: <a>[a, a]a;
+const r: <a>[](C a);
+
+const x: C int;
+const y: C bool;
+
+axiom (p[][:= 5][:= true] == p);
+axiom (p[][:= 5][:= true] == r); // error
+axiom (p[][:= x][:= y] == p);
+axiom (p[][:= x][:= y] == r);
+axiom (p[][:= x][:= 5] == r); // error
+axiom (p[][:= x][:= y] == p[][:= 5][:= true]);
+axiom (q[p[][:= x][:= y], p[][:= 5][:= true]] == p);
+axiom (q[p[], p[]][:= 5][:= true] == p);
+
+axiom (exists<a> x:a :: p[][:= 5][:= true] == x);
+axiom (exists<a,b> x:a, y:b :: p[][:= 5][:= true] == q[x,y]); // error
+axiom (exists<a,b> x:a, y:b :: q[x, x] == q[y, y]);
diff --git a/Test/test20/PolyPolyPoly2.bpl b/Test/test20/PolyPolyPoly2.bpl
new file mode 100644
index 00000000..b07c565a
--- /dev/null
+++ b/Test/test20/PolyPolyPoly2.bpl
@@ -0,0 +1,34 @@
+
+const p: <a>[]a;
+const q: <a,b>[a]b;
+
+axiom (p[] == p[]); // warning
+axiom (p[][13 := false] == q);
+axiom (p[][13 := false] == p[]); // warning
+
+const c: bv17;
+
+axiom (p[] ++ p[] ++ c == p[]); // warning
+axiom (p[] ++ p[] == c); // warning
+axiom (p[] == c);
+
+type List _;
+
+function emptyList<a>() returns (List a);
+function append<a>(List a, List a) returns (List a);
+
+axiom (forall<a> l:List a :: append(emptyList(), l) == l);
+axiom (forall<a> l:List a :: append(l, emptyList()) == l);
+axiom (append(emptyList(), emptyList()) == emptyList()); // warning
+axiom (forall<a> l:List a :: l==emptyList() ==> append(l, emptyList()) == emptyList());
+
+var x: <a>[]a;
+var y: <a>[a]a;
+
+procedure P() returns () modifies x, y; {
+ x[] := 15;
+ x[] := false;
+ x[] := p[]; // warning
+ x[] := q[false]; // warning
+ y[13] := q[false];
+} \ No newline at end of file
diff --git a/Test/test20/PolyProcs0.bpl b/Test/test20/PolyProcs0.bpl
new file mode 100644
index 00000000..609f1167
--- /dev/null
+++ b/Test/test20/PolyProcs0.bpl
@@ -0,0 +1,44 @@
+
+
+type Field a;
+
+function FieldAccessFun<b>(heap : <a>[ref, Field a]a, obj : ref, f : Field b)
+ returns (res:b);
+
+procedure FieldAccess<b>(heap : <a>[ref, Field a]a, obj : ref, f : Field b)
+ returns (res:b) {
+ start:
+ res := heap[f, obj]; // error: wrong argument order
+ res := heap[obj, f];
+ assert res == FieldAccessFun(heap, obj, f);
+ return;
+}
+
+procedure UseHeap(heap : <a>[ref, Field a]a) {
+ var f1 : Field int; var f2 : Field bool; var obj : ref;
+ var x : int; var y : bool;
+
+ call x := FieldAccess(heap, f1, obj); // error: wrong argument order
+ call x := FieldAccess(heap, obj, f1);
+ call y := FieldAccess(heap, obj, f2);
+
+ call y := FieldAccess(heap, obj, f1); // error: wrong result type
+ call x := FieldAccess(heap, obj, obj); // error: wrong argument type
+}
+
+procedure injective<b>(heap : <a>[ref, Field a]a, obj0 : ref, obj1 : ref, f : Field b);
+ requires obj0 != obj1;
+ ensures heap[obj0, f] != heap[obj1, f];
+
+procedure testCallForall(heap : <a>[ref, Field a]a) {
+ var f1 : Field int; var f2 : Field bool;
+
+ start:
+ call forall injective(heap, *, *, f1);
+ call forall injective(heap, *, *, f2);
+ call forall injective(heap, *, *, *);
+
+ call forall injective(heap, *, f1, *); // error: wrong argument type
+}
+
+type ref;
diff --git a/Test/test20/ProcParamReordering.bpl b/Test/test20/ProcParamReordering.bpl
new file mode 100644
index 00000000..404b41a3
--- /dev/null
+++ b/Test/test20/ProcParamReordering.bpl
@@ -0,0 +1,15 @@
+
+type C _;
+
+
+procedure P<a, b>(x : a, y : b) returns ();
+
+implementation P<a, b>(x : a, y : b) returns () {}
+
+implementation P<c, d>(a : c, b : d) returns () {}
+
+implementation P<d, c>(a : c, b : d) returns () {}
+
+implementation P<d, c>(a : c, b : C d) returns () {}
+
+implementation P<a>(x : a, y : a) returns () {} \ No newline at end of file
diff --git a/Test/test20/Prog0.bpl b/Test/test20/Prog0.bpl
new file mode 100644
index 00000000..ea71b8a8
--- /dev/null
+++ b/Test/test20/Prog0.bpl
@@ -0,0 +1,35 @@
+// Let's test some Boogie 2 features ...
+type real;
+type elements;
+
+type Field a;
+var heap : <a> [ref, Field a] a;
+
+const emptyset : <a> [a] bool;
+
+function union(<a> [a] bool, <a> [a] bool) returns (<a> [a] bool);
+
+axiom (forall x : <a> [a] bool, y : <a> [a] bool,
+ z : int ::
+ { union(x, y)[z] }
+ union(x, y)[z] == (x[z] || y[z]));
+
+var tau : <a> [ref] int; // error: type variable has to occur in arguments
+
+axiom (forall x : int :: !emptyset[x]);
+
+// the more general version of the axiom that also uses type quantifiers
+
+axiom (forall<alpha>
+ x : <a> [a] bool, y : <a> [a] bool,
+ z : alpha ::
+ { union(x, y)[z] }
+ union(x, y)[z] == (x[z] || y[z]));
+
+axiom (forall<beta, alpha, beta> a:alpha, b:beta :: // error: variable bound twice
+ a == b ==> (exists c:alpha :: c == b));
+
+axiom (forall<beta> a:alpha, b:beta :: // error: alpha is not declared
+ a == b ==> (exists c:alpha :: c == b));
+
+type ref;
diff --git a/Test/test20/Prog1.bpl b/Test/test20/Prog1.bpl
new file mode 100644
index 00000000..1d75805c
--- /dev/null
+++ b/Test/test20/Prog1.bpl
@@ -0,0 +1,26 @@
+// Let's test some Boogie 2 features ...
+type real;
+type elements;
+
+type Field a;
+var heap : <a> [ref, Field a] a;
+
+
+
+procedure p (x:int, y:ref, z:<a> [ref, Field a] a) returns (newHeap : <a> [ref, Field a] a) {
+
+ var f : Field int;
+ var g : Field bool;
+
+ var heap : <a> [ref, Field a] a;
+
+ assert z[y, f] >= 0;
+ assert z[x, f] >= 0; // error: x has wrong type
+ assert z[y, x] >= 0; // error: x has wrong type
+ assert z[y, g] >= 0; // error: result of map select has wrong type
+
+ heap[y, g] := false;
+
+}
+
+type ref;
diff --git a/Test/test20/Prog2.bpl b/Test/test20/Prog2.bpl
new file mode 100644
index 00000000..43b9b28f
--- /dev/null
+++ b/Test/test20/Prog2.bpl
@@ -0,0 +1,16 @@
+function union(<a> [a] bool, <a> [a] bool) returns (<a> [a] bool);
+
+axiom (forall<alpha> // error: alpha has to occur in dummy types
+ x : <a> [a] bool, y : <a> [a] bool,
+ z : int ::
+ { union(x, y)[z] }
+ union(x, y)[z] == (x[z] || y[z]));
+
+function poly<a>() returns (a);
+
+axiom (forall<alpha>
+ x : <a> [a] bool, y : <a> [a] bool,
+ z : int ::
+ { union(x, y)[z], poly() : alpha }
+ union(x, y)[z] == (x[z] || y[z]));
+
diff --git a/Test/test20/TypeDecls0.bpl b/Test/test20/TypeDecls0.bpl
new file mode 100644
index 00000000..898e0d1a
--- /dev/null
+++ b/Test/test20/TypeDecls0.bpl
@@ -0,0 +1,45 @@
+type C a _ b;
+type D;
+type E _;
+
+var A0 : D;
+
+var A1 : C D D D;
+
+var A2 : <a,b> [b, C a b D] C a D [D]a;
+
+var A3 : <a,b> [b, C a int D] C bool ref [bv32]a;
+
+var A4 : <a,a> [a] a; // error: a bound twice
+var A5 : <a> [a] <a> [a] int; // error: a bound twice
+
+var A6 : <a> [a] <b> [b] int;
+
+var A7 : <a> [a] <b> [int] int; // error: b does not occur as map argument
+
+type C _ _; // error: C is already declared
+
+var A8 : C int ref; // error: wrong number of arguments
+
+var A9 : A0; // error: undeclared type
+var A10: F int; // error: undeclared type
+
+var A11: E D;
+var A12: E E D; // error: wrong number of arguments
+var A13: E (E D);
+var A14: E E E D; // error: wrong number of arguments
+
+var A15: E E int; // error: wrong number of arguments
+var A16: E (E int);
+
+var A17: bv64;
+var A18: [int] bv64;
+
+var A19: C E E D; // error: wrong number of arguments
+var A20: C (E (E D)) int [int] int;
+var A21: C (<a> [a] <b> [b] int) int [int] int;
+
+var A22: (D);
+var A23: ((D));
+
+type ref;
diff --git a/Test/test20/TypeDecls1.bpl b/Test/test20/TypeDecls1.bpl
new file mode 100644
index 00000000..02c5536a
--- /dev/null
+++ b/Test/test20/TypeDecls1.bpl
@@ -0,0 +1,23 @@
+
+// set of maps from anything to a specific type a
+const mapSet : <a>[<b>[b]a]bool;
+
+const emptySet : <a>[a]bool;
+
+axiom mapSet[5]; // type error
+
+axiom mapSet[emptySet] == true;
+
+axiom mapSet[emptySet := false] != mapSet;
+
+axiom mapSet[emptySet := 5] == mapSet; // type error
+
+axiom emptySet[13 := true][13] == true;
+
+axiom (forall f : <c>[c]int, x : ref :: mapSet[f] ==> f[x] >= 0);
+
+axiom (forall f : <c>[c]c :: mapSet[f]); // type error
+
+axiom mapSet[mapSet] == true; // type error
+
+type ref;
diff --git a/Test/test20/TypeSynonyms0.bpl b/Test/test20/TypeSynonyms0.bpl
new file mode 100644
index 00000000..d161b5df
--- /dev/null
+++ b/Test/test20/TypeSynonyms0.bpl
@@ -0,0 +1,29 @@
+
+
+type Set a = [a]bool;
+
+type Field a, Heap = <a>[ref, Field a]a;
+
+type notAllParams a b = Field b;
+
+type Cyclic0 = Cyclic1;
+type Cyclic1 = Cyclic0;
+
+type AlsoCyclic a = <b>[AlsoCyclic b]int;
+
+type C a b;
+
+type C2 b a = C a b;
+
+function f(C int bool) returns (int);
+const x : C2 bool int;
+
+
+const y : Field int bool; // wrong number of arguments
+const z : Set int bool; // wrong number of arguments
+
+
+const d : <a,b>[notAllParams a b]int; // error: not all parameters are used
+
+
+type ref;
diff --git a/Test/test20/TypeSynonyms1.bpl b/Test/test20/TypeSynonyms1.bpl
new file mode 100644
index 00000000..45b7e46d
--- /dev/null
+++ b/Test/test20/TypeSynonyms1.bpl
@@ -0,0 +1,47 @@
+
+
+
+type C a b;
+type C2 b a = C a b;
+
+
+// ordering of map type parameters
+function g0(<a,b>[C2 a b]int) returns (int);
+function g1(<a,b>[C2 b a]int) returns (int);
+function g2(<a,b>[C a b]int) returns (int);
+function g3(<a,b>[C b a]int) returns (int);
+
+const c0 : <a,b>[C2 a b]int;
+const c1 : <a,b>[C2 b a]int;
+const c2 : <a,b>[C a b]int;
+const c3 : <a,b>[C b a]int;
+
+axiom g0(c0) == 0;
+axiom g1(c0) == 0;
+axiom g2(c0) == 0;
+axiom g3(c0) == 0;
+axiom g0(c1) == 0;
+axiom g1(c1) == 0;
+axiom g2(c1) == 0;
+axiom g3(c1) == 0;
+axiom g0(c2) == 0;
+axiom g1(c2) == 0;
+axiom g2(c2) == 0;
+axiom g3(c2) == 0;
+axiom g0(c3) == 0;
+axiom g1(c3) == 0;
+axiom g2(c3) == 0;
+axiom g3(c3) == 0;
+
+
+type nested a = <b>[b, b, a]int;
+type nested2 = nested (nested int);
+
+
+function h(nested2) returns (bool);
+const e : <b>[b, b, <b2>[b2, b2, int]int]int;
+axiom h(e);
+
+const e2 : <b>[b, b, <b2>[b2, b, int]int]int; // wrong binding
+axiom h(e2);
+
diff --git a/Test/test20/TypeSynonyms2.bpl b/Test/test20/TypeSynonyms2.bpl
new file mode 100644
index 00000000..f6fee1f3
--- /dev/null
+++ b/Test/test20/TypeSynonyms2.bpl
@@ -0,0 +1,20 @@
+
+
+type Set a = [a]bool;
+
+function union<a>(x : Set a, y : Set a) returns (Set a);
+axiom (forall<a> x : Set a, y : Set a, z : a :: (x[z] || y[z]) == union(x, y)[z]);
+
+
+const intSet0 : Set int;
+axiom (forall x:int :: intSet0[x] == (x == 0 || x == 2 || x == 3));
+
+const intSet1 : Set int;
+axiom (forall x:int :: intSet1[x] == (x == -5 || x == 3));
+
+
+procedure P() returns () {
+ assert (forall x:int :: union(intSet0, intSet1)[x] ==
+ (x == -5 || x == 0 || x == 2 || x == 3));
+}
+
diff --git a/Test/test20/runtest.bat b/Test/test20/runtest.bat
new file mode 100644
index 00000000..0e607a1f
--- /dev/null
+++ b/Test/test20/runtest.bat
@@ -0,0 +1,26 @@
+@echo off
+setlocal
+
+set BGEXE=..\..\Binaries\Boogie.exe
+rem set BGEXE=mono ..\..\Binaries\Boogie.exe
+
+%BGEXE% %* /noVerify TypeDecls0.bpl
+%BGEXE% %* /noVerify TypeDecls1.bpl
+%BGEXE% %* /noVerify Prog0.bpl
+%BGEXE% %* /noVerify Prog1.bpl
+%BGEXE% %* /noVerify Prog2.bpl
+%BGEXE% %* /noVerify PolyFuns0.bpl
+%BGEXE% %* /noVerify PolyFuns1.bpl
+%BGEXE% %* /noVerify PolyProcs0.bpl
+%BGEXE% %* /noVerify TypeSynonyms0.bpl
+%BGEXE% %* /noVerify TypeSynonyms1.bpl
+%BGEXE% %* TypeSynonyms2.bpl
+%BGEXE% %* /noVerify /print:- /env:0 TypeSynonyms0.bpl
+%BGEXE% %* /noVerify /print:- /env:0 /printDesugared TypeSynonyms2.bpl
+%BGEXE% %* /noVerify PolyPolyPoly.bpl
+%BGEXE% %* /noVerify PolyPolyPoly2.bpl
+%BGEXE% %* /noVerify ProcParamReordering.bpl
+%BGEXE% %* /noVerify ParallelAssignment.bpl
+%BGEXE% %* /noVerify ParallelAssignment2.bpl
+%BGEXE% %* /noVerify Coercions.bpl
+%BGEXE% %* /noVerify EmptySeq.bpl
diff --git a/Test/test21/Answer b/Test/test21/Answer
new file mode 100644
index 00000000..bda444d2
--- /dev/null
+++ b/Test/test21/Answer
@@ -0,0 +1,1677 @@
+--------------------- TypeEncoding n ----------------------------
+--------------------- File DisjointDomains.bpl ----------------------------
+
+Boogie program verifier finished with 3 verified, 0 errors
+--------------------- File DisjointDomains2.bpl ----------------------------
+DisjointDomains2.bpl(11,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains2.bpl(9,3): start
+DisjointDomains2.bpl(18,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains2.bpl(16,3): start
+
+Boogie program verifier finished with 4 verified, 2 errors
+--------------------- File FunAxioms.bpl ----------------------------
+FunAxioms.bpl(30,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ FunAxioms.bpl(18,3): anon0
+
+Boogie program verifier finished with 1 verified, 1 error
+--------------------- File FunAxioms2.bpl ----------------------------
+FunAxioms2.bpl(20,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ FunAxioms2.bpl(16,5): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File PolyList.bpl ----------------------------
+PolyList.bpl(42,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ PolyList.bpl(27,7): anon0
+PolyList.bpl(60,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ PolyList.bpl(49,7): anon0
+
+Boogie program verifier finished with 0 verified, 2 errors
+--------------------- File Maps0.bpl ----------------------------
+Maps0.bpl(23,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Maps0.bpl(14,3): anon0
+Maps0.bpl(46,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Maps0.bpl(41,9): anon0
+Maps0.bpl(49,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Maps0.bpl(41,9): anon0
+Maps0.bpl(52,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Maps0.bpl(41,9): anon0
+Maps0.bpl(53,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Maps0.bpl(41,9): anon0
+
+Boogie program verifier finished with 1 verified, 5 errors
+--------------------- File Maps1.bpl ----------------------------
+Maps1.bpl(26,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Maps1.bpl(19,3): anon0
+Maps1.bpl(31,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Maps1.bpl(19,3): anon0
+
+Boogie program verifier finished with 0 verified, 2 errors
+--------------------- File InterestingExamples0.bpl ----------------------------
+InterestingExamples0.bpl(7,1): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterestingExamples0.bpl(5,6): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File InterestingExamples1.bpl ----------------------------
+InterestingExamples1.bpl(16,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterestingExamples1.bpl(13,5): anon0
+InterestingExamples1.bpl(22,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterestingExamples1.bpl(13,5): anon0
+
+Boogie program verifier finished with 0 verified, 2 errors
+--------------------- File InterestingExamples2.bpl ----------------------------
+InterestingExamples2.bpl(9,1): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterestingExamples2.bpl(8,6): anon0
+InterestingExamples2.bpl(10,1): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterestingExamples2.bpl(8,6): anon0
+
+Boogie program verifier finished with 0 verified, 2 errors
+--------------------- File InterestingExamples3.bpl ----------------------------
+InterestingExamples3.bpl(15,2): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterestingExamples3.bpl(13,2): anon0
+
+Boogie program verifier finished with 2 verified, 1 error
+--------------------- File InterestingExamples4.bpl ----------------------------
+InterestingExamples4.bpl(36,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterestingExamples4.bpl(36,3): anon0
+InterestingExamples4.bpl(39,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterestingExamples4.bpl(36,3): anon0
+
+Boogie program verifier finished with 0 verified, 2 errors
+--------------------- File InterestingExamples5.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File Colors.bpl ----------------------------
+Colors.bpl(13,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Colors.bpl(12,3): anon0
+Colors.bpl(20,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Colors.bpl(19,3): anon0
+
+Boogie program verifier finished with 0 verified, 2 errors
+--------------------- File HeapAbstraction.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File HeapAxiom.bpl ----------------------------
+HeapAxiom.bpl(24,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ HeapAxiom.bpl(13,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Triggers0.bpl ----------------------------
+Triggers0.bpl(39,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Triggers0.bpl(39,3): anon0
+Triggers0.bpl(43,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Triggers0.bpl(39,3): anon0
+
+Boogie program verifier finished with 1 verified, 2 errors
+--------------------- File Triggers1.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File Keywords.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File Casts.bpl ----------------------------
+Casts.bpl(10,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Casts.bpl(6,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File EmptyList.bpl ----------------------------
+EmptyList.bpl(46,9): Warning: type parameter a is ambiguous, instantiating to List int
+EmptyList.bpl(28,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ EmptyList.bpl(26,5): anon0
+EmptyList.bpl(42,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ EmptyList.bpl(26,5): anon0
+EmptyList.bpl(46,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ EmptyList.bpl(46,3): anon0
+
+Boogie program verifier finished with 0 verified, 3 errors
+--------------------- File Boxing.bpl ----------------------------
+Boxing.bpl(19,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Boxing.bpl(15,6): anon0
+Boxing.bpl(20,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Boxing.bpl(15,6): anon0
+
+Boogie program verifier finished with 0 verified, 2 errors
+--------------------- File MapOutputTypeParams.bpl ----------------------------
+MapOutputTypeParams.bpl(29,3): Warning: type parameter a is ambiguous, instantiating to int
+MapOutputTypeParams.bpl(12,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MapOutputTypeParams.bpl(7,9): anon0
+MapOutputTypeParams.bpl(13,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MapOutputTypeParams.bpl(7,9): anon0
+MapOutputTypeParams.bpl(23,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MapOutputTypeParams.bpl(19,9): anon0
+MapOutputTypeParams.bpl(24,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MapOutputTypeParams.bpl(19,9): anon0
+MapOutputTypeParams.bpl(31,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MapOutputTypeParams.bpl(28,8): anon0
+MapOutputTypeParams.bpl(32,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MapOutputTypeParams.bpl(28,8): anon0
+
+Boogie program verifier finished with 0 verified, 6 errors
+--------------------- File ParallelAssignment.bpl ----------------------------
+ParallelAssignment.bpl(26,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ ParallelAssignment.bpl(15,5): anon0
+ParallelAssignment.bpl(35,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ ParallelAssignment.bpl(15,5): anon0
+ParallelAssignment.bpl(54,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ ParallelAssignment.bpl(40,11): anon0
+
+Boogie program verifier finished with 0 verified, 3 errors
+--------------------- File BooleanQuantification.bpl ----------------------------
+BooleanQuantification.bpl(10,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ BooleanQuantification.bpl(10,3): anon0
+BooleanQuantification.bpl(18,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ BooleanQuantification.bpl(18,3): anon0
+BooleanQuantification.bpl(19,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ BooleanQuantification.bpl(18,3): anon0
+BooleanQuantification.bpl(29,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ BooleanQuantification.bpl(29,3): anon0
+BooleanQuantification.bpl(31,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ BooleanQuantification.bpl(29,3): anon0
+
+Boogie program verifier finished with 1 verified, 5 errors
+--------------------- File BooleanQuantification2.bpl ----------------------------
+BooleanQuantification2.bpl(13,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ BooleanQuantification2.bpl(10,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Flattening.bpl ----------------------------
+Flattening.bpl(12,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Flattening.bpl(12,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Orderings.bpl ----------------------------
+Orderings.bpl(14,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings.bpl(9,3): anon0
+
+Boogie program verifier finished with 1 verified, 1 error
+--------------------- File Orderings2.bpl ----------------------------
+Orderings2.bpl(17,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings2.bpl(12,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Orderings3.bpl ----------------------------
+Orderings3.bpl(29,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings3.bpl(15,3): anon0
+Orderings3.bpl(34,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings3.bpl(34,3): anon0
+Orderings3.bpl(36,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings3.bpl(34,3): anon0
+
+Boogie program verifier finished with 0 verified, 3 errors
+--------------------- File Orderings4.bpl ----------------------------
+Orderings4.bpl(10,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings4.bpl(9,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File EmptySetBug.bpl ----------------------------
+EmptySetBug.bpl(27,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ EmptySetBug.bpl(25,5): anon0
+EmptySetBug.bpl(29,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ EmptySetBug.bpl(25,5): anon0
+
+Boogie program verifier finished with 0 verified, 2 errors
+--------------------- File Coercions2.bpl ----------------------------
+Coercions2.bpl(12,23): Warning: type parameter a is ambiguous, instantiating to int
+Coercions2.bpl(18,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Coercions2.bpl(18,3): anon0
+Coercions2.bpl(23,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Coercions2.bpl(18,3): anon0
+
+Boogie program verifier finished with 0 verified, 2 errors
+--------------------- File MapAxiomsConsistency.bpl ----------------------------
+MapAxiomsConsistency.bpl(94,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ MapAxiomsConsistency.bpl(79,13): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File LargeLiterals0.bpl ----------------------------
+LargeLiterals0.bpl(18,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ LargeLiterals0.bpl(7,5): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File NameClash.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File LetSorting.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File Keywords.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File LargeLiterals0.bpl ----------------------------
+LargeLiterals0.bpl(18,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ LargeLiterals0.bpl(7,5): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- TypeEncoding p ----------------------------
+--------------------- File DisjointDomains.bpl ----------------------------
+DisjointDomains.bpl(14,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains.bpl(11,3): start
+DisjointDomains.bpl(21,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains.bpl(20,3): start
+DisjointDomains.bpl(27,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains.bpl(26,3): start
+
+Boogie program verifier finished with 0 verified, 3 errors
+--------------------- File DisjointDomains2.bpl ----------------------------
+DisjointDomains2.bpl(11,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains2.bpl(9,3): start
+DisjointDomains2.bpl(18,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains2.bpl(16,3): start
+DisjointDomains2.bpl(32,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains2.bpl(30,3): start
+DisjointDomains2.bpl(39,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains2.bpl(37,3): start
+DisjointDomains2.bpl(49,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains2.bpl(45,3): start
+DisjointDomains2.bpl(63,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains2.bpl(58,3): start
+
+Boogie program verifier finished with 0 verified, 6 errors
+--------------------- File FunAxioms.bpl ----------------------------
+FunAxioms.bpl(30,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ FunAxioms.bpl(18,3): anon0
+
+Boogie program verifier finished with 1 verified, 1 error
+--------------------- File FunAxioms2.bpl ----------------------------
+FunAxioms2.bpl(20,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ FunAxioms2.bpl(16,5): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File PolyList.bpl ----------------------------
+PolyList.bpl(42,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ PolyList.bpl(27,7): anon0
+PolyList.bpl(60,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ PolyList.bpl(49,7): anon0
+
+Boogie program verifier finished with 0 verified, 2 errors
+--------------------- File Maps0.bpl ----------------------------
+Maps0.bpl(23,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Maps0.bpl(14,3): anon0
+Maps0.bpl(32,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Maps0.bpl(32,3): anon0
+Maps0.bpl(53,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Maps0.bpl(41,9): anon0
+
+Boogie program verifier finished with 0 verified, 3 errors
+--------------------- File Maps1.bpl ----------------------------
+Maps1.bpl(31,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Maps1.bpl(19,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File InterestingExamples0.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File InterestingExamples1.bpl ----------------------------
+InterestingExamples1.bpl(22,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterestingExamples1.bpl(13,5): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File InterestingExamples2.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File InterestingExamples3.bpl ----------------------------
+InterestingExamples3.bpl(15,2): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterestingExamples3.bpl(13,2): anon0
+
+Boogie program verifier finished with 2 verified, 1 error
+--------------------- File InterestingExamples4.bpl ----------------------------
+InterestingExamples4.bpl(39,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterestingExamples4.bpl(36,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File InterestingExamples5.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File Colors.bpl ----------------------------
+Colors.bpl(13,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Colors.bpl(12,3): anon0
+
+Boogie program verifier finished with 1 verified, 1 error
+--------------------- File HeapAbstraction.bpl ----------------------------
+HeapAbstraction.bpl(15,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ HeapAbstraction.bpl(14,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File HeapAxiom.bpl ----------------------------
+HeapAxiom.bpl(24,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ HeapAxiom.bpl(13,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Triggers0.bpl ----------------------------
+Triggers0.bpl(39,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Triggers0.bpl(39,3): anon0
+Triggers0.bpl(43,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Triggers0.bpl(39,3): anon0
+
+Boogie program verifier finished with 1 verified, 2 errors
+--------------------- File Triggers1.bpl ----------------------------
+Triggers1.bpl(16,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Triggers1.bpl(12,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Keywords.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File Casts.bpl ----------------------------
+Casts.bpl(10,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Casts.bpl(6,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File EmptyList.bpl ----------------------------
+EmptyList.bpl(46,9): Warning: type parameter a is ambiguous, instantiating to List int
+EmptyList.bpl(42,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ EmptyList.bpl(26,5): anon0
+
+Boogie program verifier finished with 1 verified, 1 error
+--------------------- File Boxing.bpl ----------------------------
+Boxing.bpl(20,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Boxing.bpl(15,6): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File MapOutputTypeParams.bpl ----------------------------
+MapOutputTypeParams.bpl(29,3): Warning: type parameter a is ambiguous, instantiating to int
+MapOutputTypeParams.bpl(13,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MapOutputTypeParams.bpl(7,9): anon0
+MapOutputTypeParams.bpl(24,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MapOutputTypeParams.bpl(19,9): anon0
+MapOutputTypeParams.bpl(32,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MapOutputTypeParams.bpl(28,8): anon0
+
+Boogie program verifier finished with 0 verified, 3 errors
+--------------------- File ParallelAssignment.bpl ----------------------------
+ParallelAssignment.bpl(26,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ ParallelAssignment.bpl(15,5): anon0
+ParallelAssignment.bpl(35,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ ParallelAssignment.bpl(15,5): anon0
+ParallelAssignment.bpl(54,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ ParallelAssignment.bpl(40,11): anon0
+
+Boogie program verifier finished with 0 verified, 3 errors
+--------------------- File BooleanQuantification.bpl ----------------------------
+BooleanQuantification.bpl(10,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ BooleanQuantification.bpl(10,3): anon0
+BooleanQuantification.bpl(18,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ BooleanQuantification.bpl(18,3): anon0
+BooleanQuantification.bpl(19,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ BooleanQuantification.bpl(18,3): anon0
+BooleanQuantification.bpl(29,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ BooleanQuantification.bpl(29,3): anon0
+BooleanQuantification.bpl(31,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ BooleanQuantification.bpl(29,3): anon0
+
+Boogie program verifier finished with 1 verified, 5 errors
+--------------------- File BooleanQuantification2.bpl ----------------------------
+BooleanQuantification2.bpl(13,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ BooleanQuantification2.bpl(10,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Flattening.bpl ----------------------------
+Flattening.bpl(12,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Flattening.bpl(12,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Orderings.bpl ----------------------------
+Orderings.bpl(14,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings.bpl(9,3): anon0
+
+Boogie program verifier finished with 1 verified, 1 error
+--------------------- File Orderings2.bpl ----------------------------
+Orderings2.bpl(17,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings2.bpl(12,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Orderings3.bpl ----------------------------
+Orderings3.bpl(29,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings3.bpl(15,3): anon0
+Orderings3.bpl(34,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings3.bpl(34,3): anon0
+Orderings3.bpl(36,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings3.bpl(34,3): anon0
+
+Boogie program verifier finished with 0 verified, 3 errors
+--------------------- File Orderings4.bpl ----------------------------
+Orderings4.bpl(10,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings4.bpl(9,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File EmptySetBug.bpl ----------------------------
+EmptySetBug.bpl(29,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ EmptySetBug.bpl(25,5): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Coercions2.bpl ----------------------------
+Coercions2.bpl(12,23): Warning: type parameter a is ambiguous, instantiating to int
+Coercions2.bpl(23,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Coercions2.bpl(18,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File MapAxiomsConsistency.bpl ----------------------------
+MapAxiomsConsistency.bpl(94,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ MapAxiomsConsistency.bpl(79,13): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File LargeLiterals0.bpl ----------------------------
+LargeLiterals0.bpl(18,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ LargeLiterals0.bpl(7,5): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File NameClash.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File LetSorting.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File Keywords.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File LargeLiterals0.bpl ----------------------------
+LargeLiterals0.bpl(18,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ LargeLiterals0.bpl(7,5): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- TypeEncoding a ----------------------------
+--------------------- File DisjointDomains.bpl ----------------------------
+DisjointDomains.bpl(14,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains.bpl(11,3): start
+DisjointDomains.bpl(21,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains.bpl(20,3): start
+DisjointDomains.bpl(27,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains.bpl(26,3): start
+
+Boogie program verifier finished with 0 verified, 3 errors
+--------------------- File DisjointDomains2.bpl ----------------------------
+DisjointDomains2.bpl(11,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains2.bpl(9,3): start
+DisjointDomains2.bpl(18,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains2.bpl(16,3): start
+DisjointDomains2.bpl(32,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains2.bpl(30,3): start
+DisjointDomains2.bpl(39,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains2.bpl(37,3): start
+DisjointDomains2.bpl(49,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains2.bpl(45,3): start
+DisjointDomains2.bpl(63,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains2.bpl(58,3): start
+
+Boogie program verifier finished with 0 verified, 6 errors
+--------------------- File FunAxioms.bpl ----------------------------
+FunAxioms.bpl(30,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ FunAxioms.bpl(18,3): anon0
+
+Boogie program verifier finished with 1 verified, 1 error
+--------------------- File FunAxioms2.bpl ----------------------------
+FunAxioms2.bpl(20,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ FunAxioms2.bpl(16,5): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File PolyList.bpl ----------------------------
+PolyList.bpl(42,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ PolyList.bpl(27,7): anon0
+PolyList.bpl(60,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ PolyList.bpl(49,7): anon0
+
+Boogie program verifier finished with 0 verified, 2 errors
+--------------------- File Maps0.bpl ----------------------------
+Maps0.bpl(23,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Maps0.bpl(14,3): anon0
+Maps0.bpl(32,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Maps0.bpl(32,3): anon0
+Maps0.bpl(53,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Maps0.bpl(41,9): anon0
+
+Boogie program verifier finished with 0 verified, 3 errors
+--------------------- File Maps1.bpl ----------------------------
+Maps1.bpl(31,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Maps1.bpl(19,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File InterestingExamples0.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File InterestingExamples1.bpl ----------------------------
+InterestingExamples1.bpl(22,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterestingExamples1.bpl(13,5): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File InterestingExamples2.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File InterestingExamples3.bpl ----------------------------
+InterestingExamples3.bpl(15,2): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterestingExamples3.bpl(13,2): anon0
+
+Boogie program verifier finished with 2 verified, 1 error
+--------------------- File InterestingExamples4.bpl ----------------------------
+InterestingExamples4.bpl(36,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterestingExamples4.bpl(36,3): anon0
+InterestingExamples4.bpl(39,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterestingExamples4.bpl(36,3): anon0
+
+Boogie program verifier finished with 0 verified, 2 errors
+--------------------- File InterestingExamples5.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File Colors.bpl ----------------------------
+Colors.bpl(13,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Colors.bpl(12,3): anon0
+Colors.bpl(20,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Colors.bpl(19,3): anon0
+
+Boogie program verifier finished with 0 verified, 2 errors
+--------------------- File HeapAbstraction.bpl ----------------------------
+HeapAbstraction.bpl(15,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ HeapAbstraction.bpl(14,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File HeapAxiom.bpl ----------------------------
+HeapAxiom.bpl(24,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ HeapAxiom.bpl(13,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Triggers0.bpl ----------------------------
+Triggers0.bpl(39,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Triggers0.bpl(39,3): anon0
+Triggers0.bpl(43,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Triggers0.bpl(39,3): anon0
+
+Boogie program verifier finished with 1 verified, 2 errors
+--------------------- File Triggers1.bpl ----------------------------
+Triggers1.bpl(16,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Triggers1.bpl(12,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Keywords.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File Casts.bpl ----------------------------
+Casts.bpl(10,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Casts.bpl(6,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File EmptyList.bpl ----------------------------
+EmptyList.bpl(46,9): Warning: type parameter a is ambiguous, instantiating to List int
+EmptyList.bpl(42,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ EmptyList.bpl(26,5): anon0
+
+Boogie program verifier finished with 1 verified, 1 error
+--------------------- File Boxing.bpl ----------------------------
+Boxing.bpl(20,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Boxing.bpl(15,6): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File MapOutputTypeParams.bpl ----------------------------
+MapOutputTypeParams.bpl(29,3): Warning: type parameter a is ambiguous, instantiating to int
+MapOutputTypeParams.bpl(13,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MapOutputTypeParams.bpl(7,9): anon0
+MapOutputTypeParams.bpl(24,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MapOutputTypeParams.bpl(19,9): anon0
+MapOutputTypeParams.bpl(32,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MapOutputTypeParams.bpl(28,8): anon0
+
+Boogie program verifier finished with 0 verified, 3 errors
+--------------------- File ParallelAssignment.bpl ----------------------------
+ParallelAssignment.bpl(26,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ ParallelAssignment.bpl(15,5): anon0
+ParallelAssignment.bpl(35,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ ParallelAssignment.bpl(15,5): anon0
+ParallelAssignment.bpl(54,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ ParallelAssignment.bpl(40,11): anon0
+
+Boogie program verifier finished with 0 verified, 3 errors
+--------------------- File BooleanQuantification.bpl ----------------------------
+BooleanQuantification.bpl(10,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ BooleanQuantification.bpl(10,3): anon0
+BooleanQuantification.bpl(18,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ BooleanQuantification.bpl(18,3): anon0
+BooleanQuantification.bpl(19,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ BooleanQuantification.bpl(18,3): anon0
+BooleanQuantification.bpl(29,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ BooleanQuantification.bpl(29,3): anon0
+BooleanQuantification.bpl(31,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ BooleanQuantification.bpl(29,3): anon0
+
+Boogie program verifier finished with 1 verified, 5 errors
+--------------------- File BooleanQuantification2.bpl ----------------------------
+BooleanQuantification2.bpl(13,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ BooleanQuantification2.bpl(10,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Flattening.bpl ----------------------------
+Flattening.bpl(12,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Flattening.bpl(12,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Orderings.bpl ----------------------------
+Orderings.bpl(14,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings.bpl(9,3): anon0
+
+Boogie program verifier finished with 1 verified, 1 error
+--------------------- File Orderings2.bpl ----------------------------
+Orderings2.bpl(17,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings2.bpl(12,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Orderings3.bpl ----------------------------
+Orderings3.bpl(29,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings3.bpl(15,3): anon0
+Orderings3.bpl(34,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings3.bpl(34,3): anon0
+Orderings3.bpl(36,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings3.bpl(34,3): anon0
+
+Boogie program verifier finished with 0 verified, 3 errors
+--------------------- File Orderings4.bpl ----------------------------
+Orderings4.bpl(10,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings4.bpl(9,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File EmptySetBug.bpl ----------------------------
+EmptySetBug.bpl(29,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ EmptySetBug.bpl(25,5): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Coercions2.bpl ----------------------------
+Coercions2.bpl(12,23): Warning: type parameter a is ambiguous, instantiating to int
+Coercions2.bpl(23,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Coercions2.bpl(18,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File MapAxiomsConsistency.bpl ----------------------------
+MapAxiomsConsistency.bpl(94,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ MapAxiomsConsistency.bpl(79,13): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File LargeLiterals0.bpl ----------------------------
+LargeLiterals0.bpl(18,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ LargeLiterals0.bpl(7,5): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File NameClash.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File LetSorting.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File Keywords.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File LargeLiterals0.bpl ----------------------------
+LargeLiterals0.bpl(18,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ LargeLiterals0.bpl(7,5): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- TypeEncoding n z3types ----------------------------
+--------------------- File DisjointDomains.bpl ----------------------------
+
+Boogie program verifier finished with 3 verified, 0 errors
+--------------------- File DisjointDomains2.bpl ----------------------------
+DisjointDomains2.bpl(11,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains2.bpl(9,3): start
+DisjointDomains2.bpl(18,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains2.bpl(16,3): start
+
+Boogie program verifier finished with 4 verified, 2 errors
+--------------------- File FunAxioms.bpl ----------------------------
+FunAxioms.bpl(30,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ FunAxioms.bpl(18,3): anon0
+
+Boogie program verifier finished with 1 verified, 1 error
+--------------------- File FunAxioms2.bpl ----------------------------
+FunAxioms2.bpl(20,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ FunAxioms2.bpl(16,5): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File PolyList.bpl ----------------------------
+PolyList.bpl(42,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ PolyList.bpl(27,7): anon0
+PolyList.bpl(60,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ PolyList.bpl(49,7): anon0
+
+Boogie program verifier finished with 0 verified, 2 errors
+--------------------- File Maps0.bpl ----------------------------
+Maps0.bpl(23,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Maps0.bpl(14,3): anon0
+Maps0.bpl(46,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Maps0.bpl(41,9): anon0
+Maps0.bpl(49,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Maps0.bpl(41,9): anon0
+Maps0.bpl(52,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Maps0.bpl(41,9): anon0
+Maps0.bpl(53,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Maps0.bpl(41,9): anon0
+
+Boogie program verifier finished with 1 verified, 5 errors
+--------------------- File Maps1.bpl ----------------------------
+Maps1.bpl(26,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Maps1.bpl(19,3): anon0
+Maps1.bpl(31,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Maps1.bpl(19,3): anon0
+
+Boogie program verifier finished with 0 verified, 2 errors
+--------------------- File InterestingExamples0.bpl ----------------------------
+InterestingExamples0.bpl(7,1): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterestingExamples0.bpl(5,6): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File InterestingExamples1.bpl ----------------------------
+InterestingExamples1.bpl(16,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterestingExamples1.bpl(13,5): anon0
+InterestingExamples1.bpl(22,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterestingExamples1.bpl(13,5): anon0
+
+Boogie program verifier finished with 0 verified, 2 errors
+--------------------- File InterestingExamples2.bpl ----------------------------
+InterestingExamples2.bpl(9,1): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterestingExamples2.bpl(8,6): anon0
+InterestingExamples2.bpl(10,1): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterestingExamples2.bpl(8,6): anon0
+
+Boogie program verifier finished with 0 verified, 2 errors
+--------------------- File InterestingExamples3.bpl ----------------------------
+InterestingExamples3.bpl(15,2): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterestingExamples3.bpl(13,2): anon0
+
+Boogie program verifier finished with 2 verified, 1 error
+--------------------- File InterestingExamples4.bpl ----------------------------
+InterestingExamples4.bpl(36,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterestingExamples4.bpl(36,3): anon0
+InterestingExamples4.bpl(39,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterestingExamples4.bpl(36,3): anon0
+
+Boogie program verifier finished with 0 verified, 2 errors
+--------------------- File InterestingExamples5.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File Colors.bpl ----------------------------
+Colors.bpl(13,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Colors.bpl(12,3): anon0
+Colors.bpl(20,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Colors.bpl(19,3): anon0
+
+Boogie program verifier finished with 0 verified, 2 errors
+--------------------- File HeapAbstraction.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File HeapAxiom.bpl ----------------------------
+HeapAxiom.bpl(24,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ HeapAxiom.bpl(13,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Triggers0.bpl ----------------------------
+Triggers0.bpl(39,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Triggers0.bpl(39,3): anon0
+Triggers0.bpl(43,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Triggers0.bpl(39,3): anon0
+
+Boogie program verifier finished with 1 verified, 2 errors
+--------------------- File Triggers1.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File Keywords.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File Casts.bpl ----------------------------
+Casts.bpl(10,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Casts.bpl(6,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File BooleanQuantification.bpl ----------------------------
+BooleanQuantification.bpl(19,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ BooleanQuantification.bpl(18,3): anon0
+BooleanQuantification.bpl(31,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ BooleanQuantification.bpl(29,3): anon0
+
+Boogie program verifier finished with 2 verified, 2 errors
+--------------------- File EmptyList.bpl ----------------------------
+EmptyList.bpl(46,9): Warning: type parameter a is ambiguous, instantiating to List int
+EmptyList.bpl(28,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ EmptyList.bpl(26,5): anon0
+EmptyList.bpl(42,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ EmptyList.bpl(26,5): anon0
+EmptyList.bpl(46,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ EmptyList.bpl(46,3): anon0
+
+Boogie program verifier finished with 0 verified, 3 errors
+--------------------- File Boxing.bpl ----------------------------
+Boxing.bpl(19,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Boxing.bpl(15,6): anon0
+Boxing.bpl(20,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Boxing.bpl(15,6): anon0
+
+Boogie program verifier finished with 0 verified, 2 errors
+--------------------- File MapOutputTypeParams.bpl ----------------------------
+MapOutputTypeParams.bpl(29,3): Warning: type parameter a is ambiguous, instantiating to int
+MapOutputTypeParams.bpl(12,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MapOutputTypeParams.bpl(7,9): anon0
+MapOutputTypeParams.bpl(13,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MapOutputTypeParams.bpl(7,9): anon0
+MapOutputTypeParams.bpl(23,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MapOutputTypeParams.bpl(19,9): anon0
+MapOutputTypeParams.bpl(24,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MapOutputTypeParams.bpl(19,9): anon0
+MapOutputTypeParams.bpl(31,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MapOutputTypeParams.bpl(28,8): anon0
+MapOutputTypeParams.bpl(32,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MapOutputTypeParams.bpl(28,8): anon0
+
+Boogie program verifier finished with 0 verified, 6 errors
+--------------------- File ParallelAssignment.bpl ----------------------------
+ParallelAssignment.bpl(26,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ ParallelAssignment.bpl(15,5): anon0
+ParallelAssignment.bpl(35,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ ParallelAssignment.bpl(15,5): anon0
+ParallelAssignment.bpl(54,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ ParallelAssignment.bpl(40,11): anon0
+
+Boogie program verifier finished with 0 verified, 3 errors
+--------------------- File BooleanQuantification2.bpl ----------------------------
+BooleanQuantification2.bpl(13,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ BooleanQuantification2.bpl(10,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Flattening.bpl ----------------------------
+Flattening.bpl(12,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Flattening.bpl(12,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Orderings.bpl ----------------------------
+Orderings.bpl(14,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings.bpl(9,3): anon0
+
+Boogie program verifier finished with 1 verified, 1 error
+--------------------- File Orderings2.bpl ----------------------------
+Orderings2.bpl(17,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings2.bpl(12,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Orderings3.bpl ----------------------------
+Orderings3.bpl(29,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings3.bpl(15,3): anon0
+Orderings3.bpl(34,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings3.bpl(34,3): anon0
+Orderings3.bpl(36,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings3.bpl(34,3): anon0
+
+Boogie program verifier finished with 0 verified, 3 errors
+--------------------- File Orderings4.bpl ----------------------------
+Orderings4.bpl(10,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings4.bpl(9,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File EmptySetBug.bpl ----------------------------
+EmptySetBug.bpl(27,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ EmptySetBug.bpl(25,5): anon0
+EmptySetBug.bpl(29,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ EmptySetBug.bpl(25,5): anon0
+
+Boogie program verifier finished with 0 verified, 2 errors
+--------------------- File Coercions2.bpl ----------------------------
+Coercions2.bpl(12,23): Warning: type parameter a is ambiguous, instantiating to int
+Coercions2.bpl(18,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Coercions2.bpl(18,3): anon0
+Coercions2.bpl(23,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Coercions2.bpl(18,3): anon0
+
+Boogie program verifier finished with 0 verified, 2 errors
+--------------------- File MapAxiomsConsistency.bpl ----------------------------
+MapAxiomsConsistency.bpl(94,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ MapAxiomsConsistency.bpl(79,13): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File LargeLiterals0.bpl ----------------------------
+LargeLiterals0.bpl(18,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ LargeLiterals0.bpl(7,5): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File LetSorting.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- TypeEncoding p z3types ----------------------------
+--------------------- File DisjointDomains.bpl ----------------------------
+DisjointDomains.bpl(14,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains.bpl(11,3): start
+DisjointDomains.bpl(21,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains.bpl(20,3): start
+DisjointDomains.bpl(27,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains.bpl(26,3): start
+
+Boogie program verifier finished with 0 verified, 3 errors
+--------------------- File DisjointDomains2.bpl ----------------------------
+DisjointDomains2.bpl(11,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains2.bpl(9,3): start
+DisjointDomains2.bpl(18,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains2.bpl(16,3): start
+DisjointDomains2.bpl(32,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains2.bpl(30,3): start
+DisjointDomains2.bpl(39,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains2.bpl(37,3): start
+DisjointDomains2.bpl(49,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains2.bpl(45,3): start
+DisjointDomains2.bpl(63,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains2.bpl(58,3): start
+
+Boogie program verifier finished with 0 verified, 6 errors
+--------------------- File FunAxioms.bpl ----------------------------
+FunAxioms.bpl(30,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ FunAxioms.bpl(18,3): anon0
+
+Boogie program verifier finished with 1 verified, 1 error
+--------------------- File FunAxioms2.bpl ----------------------------
+FunAxioms2.bpl(20,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ FunAxioms2.bpl(16,5): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File PolyList.bpl ----------------------------
+PolyList.bpl(42,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ PolyList.bpl(27,7): anon0
+PolyList.bpl(60,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ PolyList.bpl(49,7): anon0
+
+Boogie program verifier finished with 0 verified, 2 errors
+--------------------- File Maps0.bpl ----------------------------
+Maps0.bpl(23,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Maps0.bpl(14,3): anon0
+Maps0.bpl(32,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Maps0.bpl(32,3): anon0
+Maps0.bpl(53,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Maps0.bpl(41,9): anon0
+
+Boogie program verifier finished with 0 verified, 3 errors
+--------------------- File Maps1.bpl ----------------------------
+Maps1.bpl(31,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Maps1.bpl(19,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File InterestingExamples0.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File InterestingExamples1.bpl ----------------------------
+InterestingExamples1.bpl(22,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterestingExamples1.bpl(13,5): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File InterestingExamples2.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File InterestingExamples3.bpl ----------------------------
+InterestingExamples3.bpl(15,2): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterestingExamples3.bpl(13,2): anon0
+
+Boogie program verifier finished with 2 verified, 1 error
+--------------------- File InterestingExamples4.bpl ----------------------------
+InterestingExamples4.bpl(39,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterestingExamples4.bpl(36,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File InterestingExamples5.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File Colors.bpl ----------------------------
+Colors.bpl(13,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Colors.bpl(12,3): anon0
+
+Boogie program verifier finished with 1 verified, 1 error
+--------------------- File HeapAbstraction.bpl ----------------------------
+HeapAbstraction.bpl(15,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ HeapAbstraction.bpl(14,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File HeapAxiom.bpl ----------------------------
+HeapAxiom.bpl(24,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ HeapAxiom.bpl(13,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Triggers0.bpl ----------------------------
+Triggers0.bpl(39,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Triggers0.bpl(39,3): anon0
+Triggers0.bpl(43,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Triggers0.bpl(39,3): anon0
+
+Boogie program verifier finished with 1 verified, 2 errors
+--------------------- File Triggers1.bpl ----------------------------
+Triggers1.bpl(16,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Triggers1.bpl(12,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Keywords.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File Casts.bpl ----------------------------
+Casts.bpl(10,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Casts.bpl(6,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File BooleanQuantification.bpl ----------------------------
+BooleanQuantification.bpl(19,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ BooleanQuantification.bpl(18,3): anon0
+BooleanQuantification.bpl(31,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ BooleanQuantification.bpl(29,3): anon0
+
+Boogie program verifier finished with 2 verified, 2 errors
+--------------------- File EmptyList.bpl ----------------------------
+EmptyList.bpl(46,9): Warning: type parameter a is ambiguous, instantiating to List int
+EmptyList.bpl(42,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ EmptyList.bpl(26,5): anon0
+
+Boogie program verifier finished with 1 verified, 1 error
+--------------------- File Boxing.bpl ----------------------------
+Boxing.bpl(20,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Boxing.bpl(15,6): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File MapOutputTypeParams.bpl ----------------------------
+MapOutputTypeParams.bpl(29,3): Warning: type parameter a is ambiguous, instantiating to int
+MapOutputTypeParams.bpl(13,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MapOutputTypeParams.bpl(7,9): anon0
+MapOutputTypeParams.bpl(24,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MapOutputTypeParams.bpl(19,9): anon0
+MapOutputTypeParams.bpl(32,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MapOutputTypeParams.bpl(28,8): anon0
+
+Boogie program verifier finished with 0 verified, 3 errors
+--------------------- File ParallelAssignment.bpl ----------------------------
+ParallelAssignment.bpl(26,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ ParallelAssignment.bpl(15,5): anon0
+ParallelAssignment.bpl(35,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ ParallelAssignment.bpl(15,5): anon0
+ParallelAssignment.bpl(54,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ ParallelAssignment.bpl(40,11): anon0
+
+Boogie program verifier finished with 0 verified, 3 errors
+--------------------- File BooleanQuantification2.bpl ----------------------------
+BooleanQuantification2.bpl(13,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ BooleanQuantification2.bpl(10,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Flattening.bpl ----------------------------
+Flattening.bpl(12,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Flattening.bpl(12,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Orderings.bpl ----------------------------
+Orderings.bpl(14,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings.bpl(9,3): anon0
+
+Boogie program verifier finished with 1 verified, 1 error
+--------------------- File Orderings2.bpl ----------------------------
+Orderings2.bpl(17,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings2.bpl(12,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Orderings3.bpl ----------------------------
+Orderings3.bpl(29,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings3.bpl(15,3): anon0
+Orderings3.bpl(34,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings3.bpl(34,3): anon0
+Orderings3.bpl(36,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings3.bpl(34,3): anon0
+
+Boogie program verifier finished with 0 verified, 3 errors
+--------------------- File Orderings4.bpl ----------------------------
+Orderings4.bpl(10,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings4.bpl(9,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File EmptySetBug.bpl ----------------------------
+EmptySetBug.bpl(29,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ EmptySetBug.bpl(25,5): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Coercions2.bpl ----------------------------
+Coercions2.bpl(12,23): Warning: type parameter a is ambiguous, instantiating to int
+Coercions2.bpl(23,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Coercions2.bpl(18,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File MapAxiomsConsistency.bpl ----------------------------
+MapAxiomsConsistency.bpl(94,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ MapAxiomsConsistency.bpl(79,13): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File LargeLiterals0.bpl ----------------------------
+LargeLiterals0.bpl(18,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ LargeLiterals0.bpl(7,5): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File LetSorting.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- TypeEncoding a z3types ----------------------------
+--------------------- File DisjointDomains.bpl ----------------------------
+DisjointDomains.bpl(14,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains.bpl(11,3): start
+DisjointDomains.bpl(21,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains.bpl(20,3): start
+DisjointDomains.bpl(27,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains.bpl(26,3): start
+
+Boogie program verifier finished with 0 verified, 3 errors
+--------------------- File DisjointDomains2.bpl ----------------------------
+DisjointDomains2.bpl(11,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains2.bpl(9,3): start
+DisjointDomains2.bpl(18,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains2.bpl(16,3): start
+DisjointDomains2.bpl(32,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains2.bpl(30,3): start
+DisjointDomains2.bpl(39,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains2.bpl(37,3): start
+DisjointDomains2.bpl(49,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains2.bpl(45,3): start
+DisjointDomains2.bpl(63,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains2.bpl(58,3): start
+
+Boogie program verifier finished with 0 verified, 6 errors
+--------------------- File FunAxioms.bpl ----------------------------
+FunAxioms.bpl(30,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ FunAxioms.bpl(18,3): anon0
+
+Boogie program verifier finished with 1 verified, 1 error
+--------------------- File FunAxioms2.bpl ----------------------------
+FunAxioms2.bpl(20,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ FunAxioms2.bpl(16,5): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File PolyList.bpl ----------------------------
+PolyList.bpl(42,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ PolyList.bpl(27,7): anon0
+PolyList.bpl(60,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ PolyList.bpl(49,7): anon0
+
+Boogie program verifier finished with 0 verified, 2 errors
+--------------------- File Maps0.bpl ----------------------------
+Maps0.bpl(23,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Maps0.bpl(14,3): anon0
+Maps0.bpl(32,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Maps0.bpl(32,3): anon0
+Maps0.bpl(53,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Maps0.bpl(41,9): anon0
+
+Boogie program verifier finished with 0 verified, 3 errors
+--------------------- File Maps1.bpl ----------------------------
+Maps1.bpl(31,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Maps1.bpl(19,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File InterestingExamples0.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File InterestingExamples1.bpl ----------------------------
+InterestingExamples1.bpl(22,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterestingExamples1.bpl(13,5): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File InterestingExamples2.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File InterestingExamples3.bpl ----------------------------
+InterestingExamples3.bpl(15,2): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterestingExamples3.bpl(13,2): anon0
+
+Boogie program verifier finished with 2 verified, 1 error
+--------------------- File InterestingExamples4.bpl ----------------------------
+InterestingExamples4.bpl(36,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterestingExamples4.bpl(36,3): anon0
+InterestingExamples4.bpl(39,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterestingExamples4.bpl(36,3): anon0
+
+Boogie program verifier finished with 0 verified, 2 errors
+--------------------- File InterestingExamples5.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File Colors.bpl ----------------------------
+Colors.bpl(13,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Colors.bpl(12,3): anon0
+Colors.bpl(20,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Colors.bpl(19,3): anon0
+
+Boogie program verifier finished with 0 verified, 2 errors
+--------------------- File HeapAbstraction.bpl ----------------------------
+HeapAbstraction.bpl(15,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ HeapAbstraction.bpl(14,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File HeapAxiom.bpl ----------------------------
+HeapAxiom.bpl(24,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ HeapAxiom.bpl(13,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Triggers0.bpl ----------------------------
+Triggers0.bpl(39,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Triggers0.bpl(39,3): anon0
+Triggers0.bpl(43,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Triggers0.bpl(39,3): anon0
+
+Boogie program verifier finished with 1 verified, 2 errors
+--------------------- File Triggers1.bpl ----------------------------
+Triggers1.bpl(16,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Triggers1.bpl(12,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Keywords.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File Casts.bpl ----------------------------
+Casts.bpl(10,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Casts.bpl(6,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File BooleanQuantification.bpl ----------------------------
+BooleanQuantification.bpl(19,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ BooleanQuantification.bpl(18,3): anon0
+BooleanQuantification.bpl(31,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ BooleanQuantification.bpl(29,3): anon0
+
+Boogie program verifier finished with 2 verified, 2 errors
+--------------------- File EmptyList.bpl ----------------------------
+EmptyList.bpl(46,9): Warning: type parameter a is ambiguous, instantiating to List int
+EmptyList.bpl(42,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ EmptyList.bpl(26,5): anon0
+
+Boogie program verifier finished with 1 verified, 1 error
+--------------------- File Boxing.bpl ----------------------------
+Boxing.bpl(20,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Boxing.bpl(15,6): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File MapOutputTypeParams.bpl ----------------------------
+MapOutputTypeParams.bpl(29,3): Warning: type parameter a is ambiguous, instantiating to int
+MapOutputTypeParams.bpl(13,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MapOutputTypeParams.bpl(7,9): anon0
+MapOutputTypeParams.bpl(24,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MapOutputTypeParams.bpl(19,9): anon0
+MapOutputTypeParams.bpl(32,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MapOutputTypeParams.bpl(28,8): anon0
+
+Boogie program verifier finished with 0 verified, 3 errors
+--------------------- File ParallelAssignment.bpl ----------------------------
+ParallelAssignment.bpl(26,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ ParallelAssignment.bpl(15,5): anon0
+ParallelAssignment.bpl(35,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ ParallelAssignment.bpl(15,5): anon0
+ParallelAssignment.bpl(54,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ ParallelAssignment.bpl(40,11): anon0
+
+Boogie program verifier finished with 0 verified, 3 errors
+--------------------- File BooleanQuantification2.bpl ----------------------------
+BooleanQuantification2.bpl(13,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ BooleanQuantification2.bpl(10,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Flattening.bpl ----------------------------
+Flattening.bpl(12,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Flattening.bpl(12,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Orderings.bpl ----------------------------
+Orderings.bpl(14,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings.bpl(9,3): anon0
+
+Boogie program verifier finished with 1 verified, 1 error
+--------------------- File Orderings2.bpl ----------------------------
+Orderings2.bpl(17,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings2.bpl(12,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Orderings3.bpl ----------------------------
+Orderings3.bpl(29,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings3.bpl(15,3): anon0
+Orderings3.bpl(34,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings3.bpl(34,3): anon0
+Orderings3.bpl(36,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings3.bpl(34,3): anon0
+
+Boogie program verifier finished with 0 verified, 3 errors
+--------------------- File Orderings4.bpl ----------------------------
+Orderings4.bpl(10,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings4.bpl(9,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File EmptySetBug.bpl ----------------------------
+EmptySetBug.bpl(29,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ EmptySetBug.bpl(25,5): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Coercions2.bpl ----------------------------
+Coercions2.bpl(12,23): Warning: type parameter a is ambiguous, instantiating to int
+Coercions2.bpl(23,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Coercions2.bpl(18,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File MapAxiomsConsistency.bpl ----------------------------
+MapAxiomsConsistency.bpl(94,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ MapAxiomsConsistency.bpl(79,13): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File LargeLiterals0.bpl ----------------------------
+LargeLiterals0.bpl(18,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ LargeLiterals0.bpl(7,5): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File LetSorting.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
diff --git a/Test/test21/BooleanQuantification.bpl b/Test/test21/BooleanQuantification.bpl
new file mode 100644
index 00000000..52416e9d
--- /dev/null
+++ b/Test/test21/BooleanQuantification.bpl
@@ -0,0 +1,32 @@
+
+
+
+function f(bool) returns (int);
+
+axiom f(true) == 17;
+axiom f(false) == 19;
+
+procedure P() returns () {
+ assert (forall x:bool :: f(x) >= 0);
+}
+
+procedure Q() returns () {
+ assert (forall x:int :: (x==7 || x==9) ==> x >= 0);
+}
+
+procedure R() returns () {
+ assert f((forall x:bool :: f(x) >= 10)) < 19;
+ assert (exists x:bool :: f(x) > 20); // should not be provable
+}
+
+
+function g<a>(a) returns (int);
+
+axiom g(true) == 17;
+axiom g(false) == 21;
+
+procedure S() returns () {
+ assert (forall x:bool :: g(x) >= 0);
+ assert g((forall x:bool :: g(x) >= 0)) >= 17;
+ assert (forall x:bool :: f(x) == g(x)); // should not be provable
+} \ No newline at end of file
diff --git a/Test/test21/BooleanQuantification2.bpl b/Test/test21/BooleanQuantification2.bpl
new file mode 100644
index 00000000..af6e1f4f
--- /dev/null
+++ b/Test/test21/BooleanQuantification2.bpl
@@ -0,0 +1,14 @@
+
+
+axiom (forall x:bool :: x || !x);
+axiom (forall x:bool :: x == true || x == false);
+
+procedure P() returns () {
+ var i : int;
+ var j : bool;
+
+ assert i != 3 || i != 4;
+ assert j || !j;
+
+ assert false;
+} \ No newline at end of file
diff --git a/Test/test21/Boxing.bpl b/Test/test21/Boxing.bpl
new file mode 100644
index 00000000..08967891
--- /dev/null
+++ b/Test/test21/Boxing.bpl
@@ -0,0 +1,21 @@
+
+type Box;
+
+function box<a>(a) returns (Box);
+function unbox<a>(Box) returns (a);
+
+axiom (forall<a> x:a :: unbox(box(x)) == x);
+
+var b1: Box;
+var b2: Box;
+var b3: Box;
+
+procedure P() returns ()
+ modifies b1, b2, b3; {
+ b1 := box(13);
+ b2 := box(true);
+ b3 := box(b1);
+
+ assert unbox(b1) == 13 && unbox(b2) == true && unbox(unbox(b3)) == 13;
+ assert unbox(b1) == true; // error
+} \ No newline at end of file
diff --git a/Test/test21/Casts.bpl b/Test/test21/Casts.bpl
new file mode 100644
index 00000000..5173021e
--- /dev/null
+++ b/Test/test21/Casts.bpl
@@ -0,0 +1,11 @@
+
+
+procedure P() returns () {
+ var m : [int]int, n : [int]int, x : int;
+
+ assume m[x] == x;
+ assume n[x] == 1;
+
+ assert n[m[x]] == 1;
+ assert m[n[x]] == 1; // should not be provable
+} \ No newline at end of file
diff --git a/Test/test21/Coercions2.bpl b/Test/test21/Coercions2.bpl
new file mode 100644
index 00000000..c5abb724
--- /dev/null
+++ b/Test/test21/Coercions2.bpl
@@ -0,0 +1,24 @@
+
+
+type Box, C;
+
+function box<a>(a) returns (Box);
+function unbox<a>(Box) returns (a);
+
+axiom (forall<a> x:a :: unbox(box(x)) == x);
+
+axiom (forall<a> x:Box :: {unbox(x):a} box(unbox(x):a) == x);
+
+axiom (forall x:Box :: box(unbox(x)) == x); // warning
+
+procedure P() {
+ var b : Box;
+ var i : C;
+
+ assert unbox(box(13)) == 13;
+
+ i := unbox(b);
+ assert b == box(i);
+
+ assert false;
+} \ No newline at end of file
diff --git a/Test/test21/Colors.bpl b/Test/test21/Colors.bpl
new file mode 100644
index 00000000..be25cc15
--- /dev/null
+++ b/Test/test21/Colors.bpl
@@ -0,0 +1,21 @@
+
+
+type Color;
+
+const Blue, Red, Green : Color;
+
+axiom (forall x : Color :: x == Blue || x == Red || x == Green);
+
+procedure P() returns () {
+ var x : Color;
+
+ assume x != Blue;
+ assert x == Red; // should not be provable
+}
+
+procedure Q() returns () {
+ var x : Color;
+
+ assume x != Blue && x != Green;
+ assert x == Red;
+} \ No newline at end of file
diff --git a/Test/test21/DisjointDomains.bpl b/Test/test21/DisjointDomains.bpl
new file mode 100644
index 00000000..88647e6b
--- /dev/null
+++ b/Test/test21/DisjointDomains.bpl
@@ -0,0 +1,30 @@
+type C _;
+
+function f<a>(C a) returns (int);
+
+axiom (forall x : C int :: f(x) == 3);
+axiom (forall x : C bool :: f(x) == 7);
+
+procedure P() returns () {
+ var a : C int, b : C bool, c : C ref;
+
+ start:
+ assert f(a) == 3;
+ assert f(b) == 7;
+ assert f(b) == 8; // should not be provable
+}
+
+procedure Q() returns () {
+ var c : C ref;
+
+ start:
+ assert f(c) == 7; // should not be provable
+}
+
+procedure R<a>(c : C a) returns () {
+
+ start:
+ assert f(c) == 7; // should not be provable
+}
+
+type ref;
diff --git a/Test/test21/DisjointDomains2.bpl b/Test/test21/DisjointDomains2.bpl
new file mode 100644
index 00000000..3cac88ca
--- /dev/null
+++ b/Test/test21/DisjointDomains2.bpl
@@ -0,0 +1,64 @@
+type C _;
+
+function f<a>(C a) returns (int);
+
+axiom (forall<a> x : C a :: f(x) == 42);
+
+procedure P(a : C int) returns () {
+
+ start:
+ assert f(a) == 42;
+ assert f(a) == 43; // should not be provable
+}
+
+procedure Q<a>(c : C a) returns () {
+
+ start:
+ assert f(c) == 42;
+ assert f(c) == 43; // should not be provable
+}
+
+function g<a,b>(a, b) returns (int);
+
+
+axiom (forall x : int, y : bool :: g(x,y) == 13);
+axiom (forall<a> x : int, y : C a :: g(x,y) == 42);
+axiom (forall<a,z> x : C z, y : C a :: g(x,y) == 43);
+
+procedure R() returns () {
+
+ start:
+ assert g(7, true) == 13;
+ assert g(7, false) == 15; // should not be provable
+}
+
+procedure S<b>(y : C b) returns () {
+
+ start:
+ assert g(3, y) == f(y);
+ assert g(y, false) == 15; // should not be provable
+}
+
+procedure T<a,b>(y : C b, param : a) returns () {
+ var x : C a; var z : C b;
+
+ start:
+ assert g(y, x) == g(x, y);
+ assert g(y, x) == 43;
+ assert g(f(x), y) == 42;
+ assert g(y, z) == 15; // should not be provable
+}
+
+
+type D _ _;
+
+procedure U() returns () {
+ var u : D int bool, v : D bool int;
+
+ start:
+ assume (forall<a,b> x:D a b, y:b :: g(x, y) == -3);
+
+ assert g(v, 32) == -3;
+ assert g(v, 716371398712982312321) == -3;
+ assert g(u, 1) == -3; // should not be provable
+}
diff --git a/Test/test21/EmptyList.bpl b/Test/test21/EmptyList.bpl
new file mode 100644
index 00000000..a6b90638
--- /dev/null
+++ b/Test/test21/EmptyList.bpl
@@ -0,0 +1,47 @@
+
+
+type List _;
+
+function NIL<a>() returns (List a);
+function Cons<a>(a, List a) returns (List a);
+
+function car<a>(List a) returns (a);
+function cdr<a>(List a) returns (List a);
+
+axiom (forall<a> x:a, l:List a :: car(Cons(x, l)) == x);
+axiom (forall<a> x:a, l:List a :: cdr(Cons(x, l)) == l);
+
+axiom (forall<a> x:a, l:List a :: Cons(x, l) != NIL());
+
+var l:List bool;
+
+var m:List int;
+var mar:[int](List int);
+
+procedure P() returns ()
+ requires m != NIL();
+ requires mar[0] == m && (forall i:int :: i > 0 ==> mar[i] == cdr(mar[i-1]));
+ modifies l, m, mar; {
+
+ l := Cons(true, NIL());
+
+ assert l != NIL();
+ l := cdr(l);
+
+ assert l == NIL();
+ l := Cons(true, l);
+ l := Cons(false, l);
+
+ assert car(mar[1]) == car(cdr(m));
+ mar[0] := NIL();
+ assert mar[0] != m;
+
+ assert !car(l) && car(cdr(l));
+ l := cdr(cdr(l));
+
+ assert (forall i:int :: i > 0 ==> mar[i] == cdr(mar[i-1])); // error
+}
+
+procedure Q() returns () {
+ assert Cons(NIL(), NIL()) != NIL(); // warning, but provable
+} \ No newline at end of file
diff --git a/Test/test21/EmptySetBug.bpl b/Test/test21/EmptySetBug.bpl
new file mode 100644
index 00000000..424d998c
--- /dev/null
+++ b/Test/test21/EmptySetBug.bpl
@@ -0,0 +1,30 @@
+type ref;
+
+const null: ref;
+
+type Set T = [T]bool;
+
+function Set#Empty<T>() returns (Set T);
+
+axiom (forall<T> o: T :: { Set#Empty()[o] } !Set#Empty()[o]);
+
+function Set#Singleton<T>(T) returns (Set T);
+
+axiom (forall<T> r: T :: { Set#Singleton(r) } Set#Singleton(r)[r]);
+
+axiom (forall<T> r: T, o: T :: { Set#Singleton(r)[o] } Set#Singleton(r)[o] <==> r == o);
+
+function Set#UnionOne<T>(Set T, T) returns (Set T);
+
+axiom (forall<T> a: Set T, x: T, o: T :: { Set#UnionOne(a, x)[o] } Set#UnionOne(a, x)[o] <==> o == x || a[o]);
+
+procedure Test(this: ref)
+{
+ var s: Set ref;
+
+ s := Set#UnionOne(Set#Empty(), this);
+ assert s[this];
+ assert !Set#Empty()[this];
+
+ assert Set#Singleton(this)[null]; // should not be provable
+}
diff --git a/Test/test21/Flattening.bpl b/Test/test21/Flattening.bpl
new file mode 100644
index 00000000..10899931
--- /dev/null
+++ b/Test/test21/Flattening.bpl
@@ -0,0 +1,13 @@
+
+
+function g(int) returns (int);
+function f(bool) returns (int);
+
+
+axiom (f((exists x:int :: g(x) >= 12)) == 3);
+axiom (f((exists x:int :: g(f((forall y:int :: g(x+y) >= 0))) >= 12)) == 3);
+
+
+procedure P() returns () {
+ assert false;
+} \ No newline at end of file
diff --git a/Test/test21/FunAxioms.bpl b/Test/test21/FunAxioms.bpl
new file mode 100644
index 00000000..850f4d08
--- /dev/null
+++ b/Test/test21/FunAxioms.bpl
@@ -0,0 +1,40 @@
+
+
+type Pair a b;
+
+function MP<a,b>(x:a, y:b) returns (Pair a b);
+function Left<a,b>(Pair a b) returns (a);
+function Right<a,b>(Pair a b) returns (b);
+
+axiom (forall<a,b> x:a, y:b :: Left(MP(x,y)) == x);
+axiom (forall<a,b> x:a, y:b :: Right(MP(x,y)) == y);
+
+type A, B;
+
+procedure P() returns () {
+
+ var x:A, y:B, z:A, p : Pair A B;
+
+ assert Left(MP(x,y)) == x;
+ assert Right(MP(x,y)) == y;
+ assert Right(MP(x,MP(x,y))) == MP(x,y);
+ assert Left(MP(x,MP(x,y))) == x;
+ assert Right(Right(MP(x,MP(x,y)))) == y;
+
+ p := MP(x, y);
+
+ p := MP(Left(p), y);
+
+ assert Left(p) == x && Right(p) == y;
+
+ assert Left(p) == z; // should not be provable
+
+}
+
+procedure Q() returns () {
+
+ assert Left(MP(1,3)) == 1;
+ assert Right(MP(1,3)) == 3;
+ assert Right(MP(1,true)) == true;
+
+} \ No newline at end of file
diff --git a/Test/test21/FunAxioms2.bpl b/Test/test21/FunAxioms2.bpl
new file mode 100644
index 00000000..f487dcab
--- /dev/null
+++ b/Test/test21/FunAxioms2.bpl
@@ -0,0 +1,21 @@
+
+type T;
+
+function f() returns (int); // functions without arguments
+function g() returns (T);
+
+
+const c : T;
+
+axiom (f() >= 13);
+axiom (g() != c);
+
+procedure P() returns () {
+ var x : int;
+
+ x := f();
+
+ assert x >= 0 && f() >= 7;
+ assert g() != c;
+ assert f() >= 20; // should not be provable
+} \ No newline at end of file
diff --git a/Test/test21/HeapAbstraction.bpl b/Test/test21/HeapAbstraction.bpl
new file mode 100644
index 00000000..1d2a7f99
--- /dev/null
+++ b/Test/test21/HeapAbstraction.bpl
@@ -0,0 +1,19 @@
+
+
+type Field a, Heap = <a>[ref, Field a]a;
+
+function f<b>(<a>[b, Field a]a) returns (int);
+
+axiom (forall x:<a>[int, Field a]a :: f(x) == 17);
+
+axiom (forall x:<a>[ref, Field a]a :: f(x) == 42);
+
+procedure P() returns () {
+ var h : Heap, g : <a>[bool, Field a]a;
+
+ assert f(h) == 42;
+ assert f(g) >= 0; // should not be provable
+}
+
+type ref;
+const null : ref;
diff --git a/Test/test21/HeapAxiom.bpl b/Test/test21/HeapAxiom.bpl
new file mode 100644
index 00000000..8972c6af
--- /dev/null
+++ b/Test/test21/HeapAxiom.bpl
@@ -0,0 +1,27 @@
+
+
+type Field a, Heap = <a>[ref, Field a]a;
+
+function IsHeap(Heap) returns (bool);
+const alloc : Field bool;
+
+axiom (forall H:Heap, o:ref, f:Field ref ::
+ IsHeap(H) && H[o,alloc] ==> H[H[o,f], alloc]);
+
+procedure P() returns () {
+ var h : Heap, o : ref, g : Field ref, i : Field ref, o2 : ref;
+ assume IsHeap(h) && h[o, alloc];
+
+ o2 := h[o, g];
+ assert h[o2, alloc];
+
+ o2 := h[o2, g];
+ assert h[o2, alloc];
+
+ h[o2, alloc] := false;
+
+ o2 := h[o2, g];
+ assert h[o2, alloc]; // should not be provable
+}
+
+type ref;
diff --git a/Test/test21/InterestingExamples0.bpl b/Test/test21/InterestingExamples0.bpl
new file mode 100644
index 00000000..d1b90d10
--- /dev/null
+++ b/Test/test21/InterestingExamples0.bpl
@@ -0,0 +1,8 @@
+
+procedure P() returns () {
+var a : <t>[t]int;
+
+a[5] := 0;
+a[true] := 1;
+assert a[5] == 0;
+} \ No newline at end of file
diff --git a/Test/test21/InterestingExamples1.bpl b/Test/test21/InterestingExamples1.bpl
new file mode 100644
index 00000000..3ec7449e
--- /dev/null
+++ b/Test/test21/InterestingExamples1.bpl
@@ -0,0 +1,27 @@
+
+type Set = <a> [a] bool;
+type Field a;
+type Heap = <b> [ref, Field b] b;
+
+
+const emptySet : Set;
+axiom (forall<t> x:t :: !emptySet[x]);
+
+procedure P() returns () {
+ var x : Set, f : Field Set, g : Field int, heap : Heap, o : ref;
+
+ x := emptySet;
+ heap[o, f] := x;
+ heap[o, g] := 13;
+ assert heap[o, f] == emptySet && heap[o, g] == 13;
+
+ heap[o, f] := heap[o, f][17 := true];
+ heap[o, f] := heap[o, f][g := true];
+
+ assert (forall<t> y:t :: heap[o, f][y] == (y == 17 || y == g));
+ assert (forall<t> y:t :: heap[o, f][y] == (y == 16 || y == g)); // should not hold
+
+}
+
+type ref;
+
diff --git a/Test/test21/InterestingExamples2.bpl b/Test/test21/InterestingExamples2.bpl
new file mode 100644
index 00000000..62374cb6
--- /dev/null
+++ b/Test/test21/InterestingExamples2.bpl
@@ -0,0 +1,14 @@
+
+
+procedure P() returns () {
+var m : <a>[a]ref;
+var n : <b>[b]b;
+var o : ref;
+
+m[5] := null;
+assert m[true := o][5] == null;
+assert m[n[true] := o][5] == null;
+}
+
+type ref;
+const null : ref;
diff --git a/Test/test21/InterestingExamples3.bpl b/Test/test21/InterestingExamples3.bpl
new file mode 100644
index 00000000..8eef3dff
--- /dev/null
+++ b/Test/test21/InterestingExamples3.bpl
@@ -0,0 +1,27 @@
+
+procedure P() returns () {
+
+ assume (forall<t> m : [t]bool :: // uses "infinitely many" map types
+ (forall x : t :: m[x] == false));
+
+}
+
+
+procedure Q() returns () {
+ var h : [int] bool;
+
+ assume (forall<t> m : [t]bool, x : t :: m[x] == false);
+ assert !h[42];
+ assert false; // should really be provable
+}
+
+
+
+procedure R() returns () {
+ var h : [int] bool;
+
+ assume (forall<t> m : [t]bool, x : t :: m[x] == false);
+ assert !h[42];
+ assert !h[42 := true][42];
+ assert false; // wow
+}
diff --git a/Test/test21/InterestingExamples4.bpl b/Test/test21/InterestingExamples4.bpl
new file mode 100644
index 00000000..371724f5
--- /dev/null
+++ b/Test/test21/InterestingExamples4.bpl
@@ -0,0 +1,42 @@
+// a property that should hold according to the Boogie semantics
+// (but no automatic theorem prover will be able to prove it)
+
+
+type C a;
+
+function sameType<a,b>(x:a, y:b) returns (bool);
+
+axiom (forall<a,b> x:a, y:b :: sameType(x,y) == (exists z:a :: y==z));
+
+// Will be defined to hold whenever the type of y (i.e., b)
+// can be reached from the type of x (a) by applying the type
+// constructor C a finite number of times. In order words,
+// b = C^n(a)
+function rel<a,b>(x:a, y:b) returns (bool);
+
+function relHelp<a,b>(x:a, y:b, int) returns (bool);
+
+axiom (forall<a, b> x:a, y:b :: relHelp(x, y, 0) == sameType(x, y));
+axiom (forall<a, b> n:int, x:a, y:b ::
+ (n >= 0 ==>
+ relHelp(x, y, n+1) ==
+ (exists<c> z:c, y' : C c :: relHelp(x, z, n) && y==y')));
+
+axiom (forall<a, b> x:a, y:b ::
+ rel(x, y) == (exists n:int :: n >= 0 && relHelp(x, y, n)));
+
+// Assert that from every type we can reach a type that is
+// minimal, i.e., that cannot be reached by applying C to some
+// other type. This will only hold in well-founded type
+// hierarchies
+
+procedure P() returns () {
+ var v : C int;
+
+ assert relHelp(7, 13, 0);
+ assert rel(7, 13);
+
+ assert (forall<b> y:b :: (exists<a> x:a :: // too hard for a theorem prover
+ rel(x, y) &&
+ (forall<c> z:c :: (rel(z, x) ==> sameType(z, x)))));
+}
diff --git a/Test/test21/InterestingExamples5.bpl b/Test/test21/InterestingExamples5.bpl
new file mode 100644
index 00000000..b6c48b63
--- /dev/null
+++ b/Test/test21/InterestingExamples5.bpl
@@ -0,0 +1,16 @@
+
+
+type C a;
+
+function f<a>(C a) returns (int);
+
+//axiom (forall<a> x:C a :: {f(x)} (exists y:C a :: f(y) == 42));
+
+function g<a>(C a) returns (C a);
+axiom (forall<a> x:C a :: f(g(x)) == 42);
+
+procedure P() returns () {
+ var z : C int;
+ assume g(z) == z;
+ assert (exists x : C int :: f(x) == 42);
+} \ No newline at end of file
diff --git a/Test/test21/Keywords.bpl b/Test/test21/Keywords.bpl
new file mode 100644
index 00000000..daf38b45
--- /dev/null
+++ b/Test/test21/Keywords.bpl
@@ -0,0 +1,9 @@
+
+
+function NOT(x:int) returns(int);
+
+axiom (forall x:int :: NOT(x) == 1 - x);
+
+procedure P() returns () {
+ assert NOT(5) == -4;
+} \ No newline at end of file
diff --git a/Test/test21/LargeLiterals0.bpl b/Test/test21/LargeLiterals0.bpl
new file mode 100644
index 00000000..a77ffadd
--- /dev/null
+++ b/Test/test21/LargeLiterals0.bpl
@@ -0,0 +1,20 @@
+
+
+var x : int;
+
+procedure P() modifies x; {
+
+ x := 1000000;
+ assert x > 0 && x < 2000000;
+
+ x := x + 256;
+ assert x == 1000256;
+
+ x := 1000000000000;
+ x := x + 100100;
+ x := x - 100;
+ assert x == 1000000100000;
+
+ assert x < -123456789; // error
+
+} \ No newline at end of file
diff --git a/Test/test21/LetSorting.bpl b/Test/test21/LetSorting.bpl
new file mode 100644
index 00000000..3dc59fde
--- /dev/null
+++ b/Test/test21/LetSorting.bpl
@@ -0,0 +1,15 @@
+
+
+procedure Array0() returns (z: int)
+ ensures z >= 5;
+{
+L0:
+ goto L1, L2;
+L1:
+ z := 10;
+L2:
+ z := 20;
+ return;
+}
+
+
diff --git a/Test/test21/MapAxiomsConsistency.bpl b/Test/test21/MapAxiomsConsistency.bpl
new file mode 100644
index 00000000..d5344449
--- /dev/null
+++ b/Test/test21/MapAxiomsConsistency.bpl
@@ -0,0 +1,97 @@
+// Dafny program verifier version 0.92, Copyright (c) 2003-2008, Microsoft.
+// Command Line Options: /trace /typeEncoding:arguments /print:test.bpl test.dfy
+
+type ref;
+
+const null: ref;
+
+type Set T = [T]bool;
+function Set#Empty<T>() returns (Set T);
+function Set#Singleton<T>(T) returns (Set T);
+function Set#UnionOne<T>(Set T, T) returns (Set T);
+function Set#Union<T>(Set T, Set T) returns (Set T);
+function Set#Intersection<T>(Set T, Set T) returns (Set T);
+function Set#Difference<T>(Set T, Set T) returns (Set T);
+function Set#Subset<T>(Set T, Set T) returns (bool);
+function Set#Equal<T>(Set T, Set T) returns (bool);
+function Set#Disjoint<T>(Set T, Set T) returns (bool);
+
+type Seq _;
+function Seq#Length<T>(Seq T) returns (int);
+function Seq#Empty<T>() returns (Seq T);
+function Seq#Singleton<T>(T) returns (Seq T);
+function Seq#Build<T>(s: Seq T, index: int, val: T, newLength: int) returns (Seq T);
+function Seq#Append<T>(Seq T, Seq T) returns (Seq T);
+function Seq#Index<T>(Seq T, int) returns (T);
+function Seq#Contains<T>(Seq T, T) returns (bool);
+function Seq#Equal<T>(Seq T, Seq T) returns (bool);
+function Seq#SameUntil<T>(Seq T, Seq T, int) returns (bool);
+function Seq#Take<T>(Seq T, howMany: int) returns (Seq T);
+function Seq#Drop<T>(Seq T, howMany: int) returns (Seq T);
+
+type Field _;
+type HeapType = <alpha>[ref,Field alpha]alpha;
+function $IsGoodHeap(HeapType) returns (bool);
+var $Heap: HeapType where $IsGoodHeap($Heap);
+const alloc: Field bool;
+function $HeapSucc(HeapType, HeapType) returns (bool);
+
+const unique Node.list: Field (Seq ref);
+const unique Node.footprint: Field [ref]bool;
+const unique Node.data: Field ref;
+const unique Node.next: Field ref;
+function Node.Valid($heap: HeapType, this: ref) returns (bool);
+
+
+
+
+axiom (forall<T> r: T, o: T :: { Set#Singleton(r)[o] } Set#Singleton(r)[o] <==> r == o);
+
+axiom (forall $Heap: HeapType, this: ref :: { Node.Valid($Heap, this) } this != null && $IsGoodHeap($Heap) ==> Node.Valid($Heap, this) == ($Heap[this, Node.footprint][this] && !$Heap[this, Node.footprint][null] && (forall n: ref :: $Heap[this, Node.footprint][n] ==> $Heap[n, Node.footprint][n] && !$Heap[n, Node.footprint][null] && Set#Subset($Heap[n, Node.footprint], $Heap[this, Node.footprint]) && ($Heap[n, Node.next] == null ==> Seq#Equal($Heap[n, Node.list], Seq#Build(Seq#Empty(), 0, $Heap[n, Node.data], 1))) && ($Heap[n, Node.next] != null ==> $Heap[n, Node.footprint][$Heap[n, Node.next]] && Set#Subset($Heap[$Heap[n, Node.next], Node.footprint], $Heap[n, Node.footprint]) && !$Heap[$Heap[n, Node.next], Node.footprint][n] && Seq#Equal($Heap[n, Node.list], Seq#Append(Seq#Build(Seq#Empty(), 0, $Heap[n, Node.data], 1), $Heap[$Heap[n, Node.next], Node.list])))) && ($Heap[this, Node.next] != null ==> Node.Valid($Heap, $Heap[this, Node.next]))));
+
+
+
+
+procedure Node.ReverseInPlace(this: ref where this != null && $Heap[this, alloc]) returns (reverse: ref where reverse == null || $Heap[reverse, alloc]);
+ // user-defined preconditions
+ free requires Node.Valid($Heap, this);
+ requires $Heap[this, Node.footprint][this];
+ requires !$Heap[this, Node.footprint][null];
+ requires $Heap[this, Node.next] != null ==> Node.Valid($Heap, $Heap[this, Node.next]);
+ modifies $Heap;
+ // frame condition
+ // boilerplate
+ free ensures $HeapSucc(old($Heap), $Heap);
+
+
+
+procedure CheckWellformed$$Node.Valid(this: ref where this != null && $Heap[this, alloc]);
+
+
+
+
+
+implementation Node.ReverseInPlace(this: ref) returns (reverse: ref)
+{
+ var current: ref where current == null || $Heap[current, alloc], $PreLoopHeap0: HeapType, nx: ref where nx == null || $Heap[nx, alloc];
+
+ // ----- var-declaration statement ----- test.dfy(28,9)
+ current := $Heap[this, Node.next];
+
+
+ // ----- assignment statement ----- test.dfy(29,13)
+ reverse := this;
+ // ----- assignment statement ----- test.dfy(30,18)
+ $Heap[reverse, Node.next] := null;
+ assume $IsGoodHeap($Heap);
+
+
+
+ // ----- assignment statement ----- test.dfy(31,23)
+ $Heap[reverse, Node.footprint] := // Set#UnionOne(Set#Empty(), reverse);
+ Set#Singleton(reverse);
+
+ assert current == null;
+}
+
+
diff --git a/Test/test21/MapOutputTypeParams.bpl b/Test/test21/MapOutputTypeParams.bpl
new file mode 100644
index 00000000..f0ca307f
--- /dev/null
+++ b/Test/test21/MapOutputTypeParams.bpl
@@ -0,0 +1,33 @@
+
+
+
+var p : <a>[int]a;
+
+procedure P() returns () modifies p; {
+ p[13] := 5;
+ p[17] := true;
+ p[13] := false;
+ p[17] := 8;
+
+ assert p[13] == 5 && !p[13] && p[17] == 8 && p[17];
+ assert p == p[28 := p]; // error
+}
+
+var q : <a, b>[int][a]b;
+
+procedure Q() returns () modifies q; {
+ q[17] := q[17][true := 13];
+ q[17] := q[17][true := false];
+ q[16] := q[17][true := 14];
+
+ assert q[17][true] == 13 && !q[17][true];
+ assert q[17][true] == 14; // error
+}
+
+procedure R() returns () modifies p; {
+ p[7] := 28;
+ p[5] := p[7];
+
+ assert p[7] == 28;
+ assert p[6] == 28; // error
+} \ No newline at end of file
diff --git a/Test/test21/Maps0.bpl b/Test/test21/Maps0.bpl
new file mode 100644
index 00000000..6c382a96
--- /dev/null
+++ b/Test/test21/Maps0.bpl
@@ -0,0 +1,56 @@
+
+
+const a : [int] bool;
+const b : [int, bool] int;
+
+function f<a>(a) returns (int);
+
+axiom (forall x : [int] bool :: f(x) == 7);
+axiom (forall y : [int, bool] int :: f(y) == 7);
+
+procedure P() returns () {
+ var x : [int] bool;
+
+ assert f(a) > 0;
+ assert f(b) > 0;
+
+ x := a;
+ x[17] := false;
+ x[16] := true;
+
+ assert x[15] == a[15] && !x[17];
+ assert f(x) == 7;
+ assert f(x) == 8; // should not be provable
+}
+
+
+type Field a;
+
+const heap : <a>[ref, Field a] a;
+
+procedure Q() returns () {
+ assert f(heap) > 0; // should not be provable
+}
+
+
+procedure R() returns () {
+ var o : ref;
+ var e : Field int, g : Field bool, h : Field (Field int), i : Field int;
+ var heap2 : <a>[ref, Field a] a;
+
+ heap2 := heap;
+ heap2[o, e] := 17;
+ assert heap2 == heap[o, e := 17];
+
+ heap2[o, g] := true;
+ assert heap2[o, e] == 17 && heap2[o, g];
+
+ heap2[o, h] := e;
+ assert heap2[o, heap2[o, h]] == 17;
+
+ heap2[o, i] := 16;
+ assert heap2[o, g];
+ assert heap2[o, heap2[o, h]] == 17; // should no longer be provable
+}
+
+type ref;
diff --git a/Test/test21/Maps1.bpl b/Test/test21/Maps1.bpl
new file mode 100644
index 00000000..94d29e32
--- /dev/null
+++ b/Test/test21/Maps1.bpl
@@ -0,0 +1,36 @@
+
+
+// different map type classes with the same arity
+
+const c : [int] bool;
+const d : [ref] bool;
+const e : <a> [a] bool;
+const f : <a> [a] a;
+
+axiom (c[17] ==> c[19]);
+axiom (forall<t> x:t :: e[x]);
+axiom (!d[null]);
+axiom (forall<t> x:t :: f[x] == x);
+
+procedure P() returns () {
+
+ var x : <a> [a] bool;
+
+ assume !c[19];
+ assert !c[17];
+
+ x := e;
+ x[true] := false;
+ x[17] := true;
+
+ assert !x[true];
+ assert !(forall<t> y:t :: x[y]);
+ assert x != e;
+
+ assert f[x] == x;
+ assert f[17] > 17; // should not be provable
+
+}
+
+type ref;
+const null : ref;
diff --git a/Test/test21/Maps2.bpl b/Test/test21/Maps2.bpl
new file mode 100644
index 00000000..3f055c1d
--- /dev/null
+++ b/Test/test21/Maps2.bpl
@@ -0,0 +1,24 @@
+
+type T;
+
+function f(x : [T][int]int) returns (int);
+
+axiom (forall x:[T][int]int :: {f(x)}
+ (exists t:T :: x[t][13] == 42) ==> f(x) == 5);
+
+procedure P() returns () {
+ var x : [T][int]int, t : T;
+
+ x[t] := x[t][13 := 42];
+
+ assert f(x) == 5;
+}
+
+
+type name;
+
+function Field(int) returns (name);
+function Unified([name][int]int) returns ([int]int);
+
+axiom(forall M:[name][int]int, x:int, y:int :: {Unified(M[Field(x) := M[Field(x)][x := y]])}
+ Unified(M[Field(x) := M[Field(x)][x := y]]) == Unified(M)[x := y]);
diff --git a/Test/test21/NameClash.bpl b/Test/test21/NameClash.bpl
new file mode 100644
index 00000000..6e1ade48
--- /dev/null
+++ b/Test/test21/NameClash.bpl
@@ -0,0 +1,8 @@
+
+
+function f(int) returns (int);
+axiom f(13) == 0;
+
+procedure P() returns () {
+ assert (exists f:int :: 0 == f(f));
+} \ No newline at end of file
diff --git a/Test/test21/Orderings.bpl b/Test/test21/Orderings.bpl
new file mode 100644
index 00000000..78439bc1
--- /dev/null
+++ b/Test/test21/Orderings.bpl
@@ -0,0 +1,20 @@
+
+
+const a, b:int;
+const c:int extends a, b;
+
+procedure P() returns () {
+ var x:int;
+
+ assert c <: a;
+
+ assume c <: x && x <: a;
+ assert x == c || a == x;
+
+ assert x == b; // should not be provable
+}
+
+procedure Q() returns () {
+ assume b <: a;
+ assert b == a;
+} \ No newline at end of file
diff --git a/Test/test21/Orderings2.bpl b/Test/test21/Orderings2.bpl
new file mode 100644
index 00000000..75becb2a
--- /dev/null
+++ b/Test/test21/Orderings2.bpl
@@ -0,0 +1,18 @@
+
+
+const b:int;
+const a:int extends b complete;
+
+const c:int extends a;
+const d:int extends a;
+
+procedure P() returns () {
+ var x:int;
+
+ assert c <: b && d <: a;
+
+ assume x <: a && !(x <: c) && x != a;
+ assert x <: d;
+
+ assert b <: x; // should not be provable
+} \ No newline at end of file
diff --git a/Test/test21/Orderings3.bpl b/Test/test21/Orderings3.bpl
new file mode 100644
index 00000000..c94d298c
--- /dev/null
+++ b/Test/test21/Orderings3.bpl
@@ -0,0 +1,38 @@
+// Example from the Boogie 2 language report
+
+
+type Wicket;
+
+
+const unique a: Wicket extends complete;
+const unique b: Wicket;
+const unique c: Wicket extends a, b complete;
+const unique d: Wicket extends c;
+const unique e: Wicket;
+
+procedure P() returns () {
+
+ assert !(exists x:Wicket :: a <: x && a != x);
+ assert (forall x:Wicket :: x <: a ==> x == a || x <: c);
+
+ assert c <: b && !(exists x:Wicket :: c <: x && x <: b && x != c && x != b);
+
+ assert !(b <: a) && !(b <: c);
+
+ assert c <: a && c <: b && d <: c;
+ assert (forall x:Wicket :: c <: x ==> c==x || a <: x || b <: x);
+ assert (forall x:Wicket :: x <: c ==> c==x || x <: d);
+
+ assert d <: c;
+ assert !(a <: d) && !(b <: d) && !(c <: d);
+
+ assert false; // unprovable
+}
+
+procedure Q() returns () {
+
+ assert (forall x:Wicket :: x <: b && x != b ==> x <: c); // unprovable
+
+ assert !(exists x:Wicket :: b <: x && b != x); // unprovable
+
+} \ No newline at end of file
diff --git a/Test/test21/Orderings4.bpl b/Test/test21/Orderings4.bpl
new file mode 100644
index 00000000..3058287f
--- /dev/null
+++ b/Test/test21/Orderings4.bpl
@@ -0,0 +1,11 @@
+
+
+type Wicket;
+
+const unique r: Wicket;
+const unique s, t: Wicket extends unique r;
+
+procedure P() returns () {
+ assert (forall x:Wicket, y:Wicket :: x <: s && y <: t ==> x != y);
+ assert false; // unprovable
+} \ No newline at end of file
diff --git a/Test/test21/Output b/Test/test21/Output
new file mode 100644
index 00000000..bda444d2
--- /dev/null
+++ b/Test/test21/Output
@@ -0,0 +1,1677 @@
+--------------------- TypeEncoding n ----------------------------
+--------------------- File DisjointDomains.bpl ----------------------------
+
+Boogie program verifier finished with 3 verified, 0 errors
+--------------------- File DisjointDomains2.bpl ----------------------------
+DisjointDomains2.bpl(11,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains2.bpl(9,3): start
+DisjointDomains2.bpl(18,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains2.bpl(16,3): start
+
+Boogie program verifier finished with 4 verified, 2 errors
+--------------------- File FunAxioms.bpl ----------------------------
+FunAxioms.bpl(30,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ FunAxioms.bpl(18,3): anon0
+
+Boogie program verifier finished with 1 verified, 1 error
+--------------------- File FunAxioms2.bpl ----------------------------
+FunAxioms2.bpl(20,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ FunAxioms2.bpl(16,5): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File PolyList.bpl ----------------------------
+PolyList.bpl(42,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ PolyList.bpl(27,7): anon0
+PolyList.bpl(60,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ PolyList.bpl(49,7): anon0
+
+Boogie program verifier finished with 0 verified, 2 errors
+--------------------- File Maps0.bpl ----------------------------
+Maps0.bpl(23,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Maps0.bpl(14,3): anon0
+Maps0.bpl(46,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Maps0.bpl(41,9): anon0
+Maps0.bpl(49,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Maps0.bpl(41,9): anon0
+Maps0.bpl(52,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Maps0.bpl(41,9): anon0
+Maps0.bpl(53,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Maps0.bpl(41,9): anon0
+
+Boogie program verifier finished with 1 verified, 5 errors
+--------------------- File Maps1.bpl ----------------------------
+Maps1.bpl(26,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Maps1.bpl(19,3): anon0
+Maps1.bpl(31,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Maps1.bpl(19,3): anon0
+
+Boogie program verifier finished with 0 verified, 2 errors
+--------------------- File InterestingExamples0.bpl ----------------------------
+InterestingExamples0.bpl(7,1): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterestingExamples0.bpl(5,6): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File InterestingExamples1.bpl ----------------------------
+InterestingExamples1.bpl(16,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterestingExamples1.bpl(13,5): anon0
+InterestingExamples1.bpl(22,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterestingExamples1.bpl(13,5): anon0
+
+Boogie program verifier finished with 0 verified, 2 errors
+--------------------- File InterestingExamples2.bpl ----------------------------
+InterestingExamples2.bpl(9,1): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterestingExamples2.bpl(8,6): anon0
+InterestingExamples2.bpl(10,1): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterestingExamples2.bpl(8,6): anon0
+
+Boogie program verifier finished with 0 verified, 2 errors
+--------------------- File InterestingExamples3.bpl ----------------------------
+InterestingExamples3.bpl(15,2): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterestingExamples3.bpl(13,2): anon0
+
+Boogie program verifier finished with 2 verified, 1 error
+--------------------- File InterestingExamples4.bpl ----------------------------
+InterestingExamples4.bpl(36,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterestingExamples4.bpl(36,3): anon0
+InterestingExamples4.bpl(39,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterestingExamples4.bpl(36,3): anon0
+
+Boogie program verifier finished with 0 verified, 2 errors
+--------------------- File InterestingExamples5.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File Colors.bpl ----------------------------
+Colors.bpl(13,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Colors.bpl(12,3): anon0
+Colors.bpl(20,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Colors.bpl(19,3): anon0
+
+Boogie program verifier finished with 0 verified, 2 errors
+--------------------- File HeapAbstraction.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File HeapAxiom.bpl ----------------------------
+HeapAxiom.bpl(24,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ HeapAxiom.bpl(13,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Triggers0.bpl ----------------------------
+Triggers0.bpl(39,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Triggers0.bpl(39,3): anon0
+Triggers0.bpl(43,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Triggers0.bpl(39,3): anon0
+
+Boogie program verifier finished with 1 verified, 2 errors
+--------------------- File Triggers1.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File Keywords.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File Casts.bpl ----------------------------
+Casts.bpl(10,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Casts.bpl(6,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File EmptyList.bpl ----------------------------
+EmptyList.bpl(46,9): Warning: type parameter a is ambiguous, instantiating to List int
+EmptyList.bpl(28,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ EmptyList.bpl(26,5): anon0
+EmptyList.bpl(42,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ EmptyList.bpl(26,5): anon0
+EmptyList.bpl(46,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ EmptyList.bpl(46,3): anon0
+
+Boogie program verifier finished with 0 verified, 3 errors
+--------------------- File Boxing.bpl ----------------------------
+Boxing.bpl(19,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Boxing.bpl(15,6): anon0
+Boxing.bpl(20,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Boxing.bpl(15,6): anon0
+
+Boogie program verifier finished with 0 verified, 2 errors
+--------------------- File MapOutputTypeParams.bpl ----------------------------
+MapOutputTypeParams.bpl(29,3): Warning: type parameter a is ambiguous, instantiating to int
+MapOutputTypeParams.bpl(12,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MapOutputTypeParams.bpl(7,9): anon0
+MapOutputTypeParams.bpl(13,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MapOutputTypeParams.bpl(7,9): anon0
+MapOutputTypeParams.bpl(23,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MapOutputTypeParams.bpl(19,9): anon0
+MapOutputTypeParams.bpl(24,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MapOutputTypeParams.bpl(19,9): anon0
+MapOutputTypeParams.bpl(31,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MapOutputTypeParams.bpl(28,8): anon0
+MapOutputTypeParams.bpl(32,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MapOutputTypeParams.bpl(28,8): anon0
+
+Boogie program verifier finished with 0 verified, 6 errors
+--------------------- File ParallelAssignment.bpl ----------------------------
+ParallelAssignment.bpl(26,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ ParallelAssignment.bpl(15,5): anon0
+ParallelAssignment.bpl(35,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ ParallelAssignment.bpl(15,5): anon0
+ParallelAssignment.bpl(54,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ ParallelAssignment.bpl(40,11): anon0
+
+Boogie program verifier finished with 0 verified, 3 errors
+--------------------- File BooleanQuantification.bpl ----------------------------
+BooleanQuantification.bpl(10,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ BooleanQuantification.bpl(10,3): anon0
+BooleanQuantification.bpl(18,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ BooleanQuantification.bpl(18,3): anon0
+BooleanQuantification.bpl(19,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ BooleanQuantification.bpl(18,3): anon0
+BooleanQuantification.bpl(29,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ BooleanQuantification.bpl(29,3): anon0
+BooleanQuantification.bpl(31,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ BooleanQuantification.bpl(29,3): anon0
+
+Boogie program verifier finished with 1 verified, 5 errors
+--------------------- File BooleanQuantification2.bpl ----------------------------
+BooleanQuantification2.bpl(13,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ BooleanQuantification2.bpl(10,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Flattening.bpl ----------------------------
+Flattening.bpl(12,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Flattening.bpl(12,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Orderings.bpl ----------------------------
+Orderings.bpl(14,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings.bpl(9,3): anon0
+
+Boogie program verifier finished with 1 verified, 1 error
+--------------------- File Orderings2.bpl ----------------------------
+Orderings2.bpl(17,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings2.bpl(12,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Orderings3.bpl ----------------------------
+Orderings3.bpl(29,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings3.bpl(15,3): anon0
+Orderings3.bpl(34,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings3.bpl(34,3): anon0
+Orderings3.bpl(36,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings3.bpl(34,3): anon0
+
+Boogie program verifier finished with 0 verified, 3 errors
+--------------------- File Orderings4.bpl ----------------------------
+Orderings4.bpl(10,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings4.bpl(9,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File EmptySetBug.bpl ----------------------------
+EmptySetBug.bpl(27,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ EmptySetBug.bpl(25,5): anon0
+EmptySetBug.bpl(29,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ EmptySetBug.bpl(25,5): anon0
+
+Boogie program verifier finished with 0 verified, 2 errors
+--------------------- File Coercions2.bpl ----------------------------
+Coercions2.bpl(12,23): Warning: type parameter a is ambiguous, instantiating to int
+Coercions2.bpl(18,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Coercions2.bpl(18,3): anon0
+Coercions2.bpl(23,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Coercions2.bpl(18,3): anon0
+
+Boogie program verifier finished with 0 verified, 2 errors
+--------------------- File MapAxiomsConsistency.bpl ----------------------------
+MapAxiomsConsistency.bpl(94,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ MapAxiomsConsistency.bpl(79,13): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File LargeLiterals0.bpl ----------------------------
+LargeLiterals0.bpl(18,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ LargeLiterals0.bpl(7,5): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File NameClash.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File LetSorting.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File Keywords.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File LargeLiterals0.bpl ----------------------------
+LargeLiterals0.bpl(18,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ LargeLiterals0.bpl(7,5): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- TypeEncoding p ----------------------------
+--------------------- File DisjointDomains.bpl ----------------------------
+DisjointDomains.bpl(14,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains.bpl(11,3): start
+DisjointDomains.bpl(21,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains.bpl(20,3): start
+DisjointDomains.bpl(27,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains.bpl(26,3): start
+
+Boogie program verifier finished with 0 verified, 3 errors
+--------------------- File DisjointDomains2.bpl ----------------------------
+DisjointDomains2.bpl(11,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains2.bpl(9,3): start
+DisjointDomains2.bpl(18,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains2.bpl(16,3): start
+DisjointDomains2.bpl(32,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains2.bpl(30,3): start
+DisjointDomains2.bpl(39,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains2.bpl(37,3): start
+DisjointDomains2.bpl(49,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains2.bpl(45,3): start
+DisjointDomains2.bpl(63,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains2.bpl(58,3): start
+
+Boogie program verifier finished with 0 verified, 6 errors
+--------------------- File FunAxioms.bpl ----------------------------
+FunAxioms.bpl(30,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ FunAxioms.bpl(18,3): anon0
+
+Boogie program verifier finished with 1 verified, 1 error
+--------------------- File FunAxioms2.bpl ----------------------------
+FunAxioms2.bpl(20,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ FunAxioms2.bpl(16,5): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File PolyList.bpl ----------------------------
+PolyList.bpl(42,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ PolyList.bpl(27,7): anon0
+PolyList.bpl(60,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ PolyList.bpl(49,7): anon0
+
+Boogie program verifier finished with 0 verified, 2 errors
+--------------------- File Maps0.bpl ----------------------------
+Maps0.bpl(23,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Maps0.bpl(14,3): anon0
+Maps0.bpl(32,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Maps0.bpl(32,3): anon0
+Maps0.bpl(53,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Maps0.bpl(41,9): anon0
+
+Boogie program verifier finished with 0 verified, 3 errors
+--------------------- File Maps1.bpl ----------------------------
+Maps1.bpl(31,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Maps1.bpl(19,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File InterestingExamples0.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File InterestingExamples1.bpl ----------------------------
+InterestingExamples1.bpl(22,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterestingExamples1.bpl(13,5): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File InterestingExamples2.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File InterestingExamples3.bpl ----------------------------
+InterestingExamples3.bpl(15,2): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterestingExamples3.bpl(13,2): anon0
+
+Boogie program verifier finished with 2 verified, 1 error
+--------------------- File InterestingExamples4.bpl ----------------------------
+InterestingExamples4.bpl(39,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterestingExamples4.bpl(36,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File InterestingExamples5.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File Colors.bpl ----------------------------
+Colors.bpl(13,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Colors.bpl(12,3): anon0
+
+Boogie program verifier finished with 1 verified, 1 error
+--------------------- File HeapAbstraction.bpl ----------------------------
+HeapAbstraction.bpl(15,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ HeapAbstraction.bpl(14,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File HeapAxiom.bpl ----------------------------
+HeapAxiom.bpl(24,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ HeapAxiom.bpl(13,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Triggers0.bpl ----------------------------
+Triggers0.bpl(39,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Triggers0.bpl(39,3): anon0
+Triggers0.bpl(43,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Triggers0.bpl(39,3): anon0
+
+Boogie program verifier finished with 1 verified, 2 errors
+--------------------- File Triggers1.bpl ----------------------------
+Triggers1.bpl(16,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Triggers1.bpl(12,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Keywords.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File Casts.bpl ----------------------------
+Casts.bpl(10,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Casts.bpl(6,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File EmptyList.bpl ----------------------------
+EmptyList.bpl(46,9): Warning: type parameter a is ambiguous, instantiating to List int
+EmptyList.bpl(42,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ EmptyList.bpl(26,5): anon0
+
+Boogie program verifier finished with 1 verified, 1 error
+--------------------- File Boxing.bpl ----------------------------
+Boxing.bpl(20,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Boxing.bpl(15,6): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File MapOutputTypeParams.bpl ----------------------------
+MapOutputTypeParams.bpl(29,3): Warning: type parameter a is ambiguous, instantiating to int
+MapOutputTypeParams.bpl(13,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MapOutputTypeParams.bpl(7,9): anon0
+MapOutputTypeParams.bpl(24,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MapOutputTypeParams.bpl(19,9): anon0
+MapOutputTypeParams.bpl(32,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MapOutputTypeParams.bpl(28,8): anon0
+
+Boogie program verifier finished with 0 verified, 3 errors
+--------------------- File ParallelAssignment.bpl ----------------------------
+ParallelAssignment.bpl(26,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ ParallelAssignment.bpl(15,5): anon0
+ParallelAssignment.bpl(35,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ ParallelAssignment.bpl(15,5): anon0
+ParallelAssignment.bpl(54,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ ParallelAssignment.bpl(40,11): anon0
+
+Boogie program verifier finished with 0 verified, 3 errors
+--------------------- File BooleanQuantification.bpl ----------------------------
+BooleanQuantification.bpl(10,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ BooleanQuantification.bpl(10,3): anon0
+BooleanQuantification.bpl(18,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ BooleanQuantification.bpl(18,3): anon0
+BooleanQuantification.bpl(19,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ BooleanQuantification.bpl(18,3): anon0
+BooleanQuantification.bpl(29,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ BooleanQuantification.bpl(29,3): anon0
+BooleanQuantification.bpl(31,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ BooleanQuantification.bpl(29,3): anon0
+
+Boogie program verifier finished with 1 verified, 5 errors
+--------------------- File BooleanQuantification2.bpl ----------------------------
+BooleanQuantification2.bpl(13,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ BooleanQuantification2.bpl(10,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Flattening.bpl ----------------------------
+Flattening.bpl(12,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Flattening.bpl(12,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Orderings.bpl ----------------------------
+Orderings.bpl(14,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings.bpl(9,3): anon0
+
+Boogie program verifier finished with 1 verified, 1 error
+--------------------- File Orderings2.bpl ----------------------------
+Orderings2.bpl(17,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings2.bpl(12,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Orderings3.bpl ----------------------------
+Orderings3.bpl(29,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings3.bpl(15,3): anon0
+Orderings3.bpl(34,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings3.bpl(34,3): anon0
+Orderings3.bpl(36,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings3.bpl(34,3): anon0
+
+Boogie program verifier finished with 0 verified, 3 errors
+--------------------- File Orderings4.bpl ----------------------------
+Orderings4.bpl(10,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings4.bpl(9,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File EmptySetBug.bpl ----------------------------
+EmptySetBug.bpl(29,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ EmptySetBug.bpl(25,5): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Coercions2.bpl ----------------------------
+Coercions2.bpl(12,23): Warning: type parameter a is ambiguous, instantiating to int
+Coercions2.bpl(23,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Coercions2.bpl(18,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File MapAxiomsConsistency.bpl ----------------------------
+MapAxiomsConsistency.bpl(94,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ MapAxiomsConsistency.bpl(79,13): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File LargeLiterals0.bpl ----------------------------
+LargeLiterals0.bpl(18,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ LargeLiterals0.bpl(7,5): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File NameClash.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File LetSorting.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File Keywords.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File LargeLiterals0.bpl ----------------------------
+LargeLiterals0.bpl(18,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ LargeLiterals0.bpl(7,5): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- TypeEncoding a ----------------------------
+--------------------- File DisjointDomains.bpl ----------------------------
+DisjointDomains.bpl(14,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains.bpl(11,3): start
+DisjointDomains.bpl(21,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains.bpl(20,3): start
+DisjointDomains.bpl(27,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains.bpl(26,3): start
+
+Boogie program verifier finished with 0 verified, 3 errors
+--------------------- File DisjointDomains2.bpl ----------------------------
+DisjointDomains2.bpl(11,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains2.bpl(9,3): start
+DisjointDomains2.bpl(18,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains2.bpl(16,3): start
+DisjointDomains2.bpl(32,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains2.bpl(30,3): start
+DisjointDomains2.bpl(39,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains2.bpl(37,3): start
+DisjointDomains2.bpl(49,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains2.bpl(45,3): start
+DisjointDomains2.bpl(63,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains2.bpl(58,3): start
+
+Boogie program verifier finished with 0 verified, 6 errors
+--------------------- File FunAxioms.bpl ----------------------------
+FunAxioms.bpl(30,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ FunAxioms.bpl(18,3): anon0
+
+Boogie program verifier finished with 1 verified, 1 error
+--------------------- File FunAxioms2.bpl ----------------------------
+FunAxioms2.bpl(20,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ FunAxioms2.bpl(16,5): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File PolyList.bpl ----------------------------
+PolyList.bpl(42,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ PolyList.bpl(27,7): anon0
+PolyList.bpl(60,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ PolyList.bpl(49,7): anon0
+
+Boogie program verifier finished with 0 verified, 2 errors
+--------------------- File Maps0.bpl ----------------------------
+Maps0.bpl(23,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Maps0.bpl(14,3): anon0
+Maps0.bpl(32,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Maps0.bpl(32,3): anon0
+Maps0.bpl(53,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Maps0.bpl(41,9): anon0
+
+Boogie program verifier finished with 0 verified, 3 errors
+--------------------- File Maps1.bpl ----------------------------
+Maps1.bpl(31,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Maps1.bpl(19,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File InterestingExamples0.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File InterestingExamples1.bpl ----------------------------
+InterestingExamples1.bpl(22,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterestingExamples1.bpl(13,5): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File InterestingExamples2.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File InterestingExamples3.bpl ----------------------------
+InterestingExamples3.bpl(15,2): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterestingExamples3.bpl(13,2): anon0
+
+Boogie program verifier finished with 2 verified, 1 error
+--------------------- File InterestingExamples4.bpl ----------------------------
+InterestingExamples4.bpl(36,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterestingExamples4.bpl(36,3): anon0
+InterestingExamples4.bpl(39,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterestingExamples4.bpl(36,3): anon0
+
+Boogie program verifier finished with 0 verified, 2 errors
+--------------------- File InterestingExamples5.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File Colors.bpl ----------------------------
+Colors.bpl(13,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Colors.bpl(12,3): anon0
+Colors.bpl(20,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Colors.bpl(19,3): anon0
+
+Boogie program verifier finished with 0 verified, 2 errors
+--------------------- File HeapAbstraction.bpl ----------------------------
+HeapAbstraction.bpl(15,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ HeapAbstraction.bpl(14,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File HeapAxiom.bpl ----------------------------
+HeapAxiom.bpl(24,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ HeapAxiom.bpl(13,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Triggers0.bpl ----------------------------
+Triggers0.bpl(39,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Triggers0.bpl(39,3): anon0
+Triggers0.bpl(43,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Triggers0.bpl(39,3): anon0
+
+Boogie program verifier finished with 1 verified, 2 errors
+--------------------- File Triggers1.bpl ----------------------------
+Triggers1.bpl(16,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Triggers1.bpl(12,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Keywords.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File Casts.bpl ----------------------------
+Casts.bpl(10,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Casts.bpl(6,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File EmptyList.bpl ----------------------------
+EmptyList.bpl(46,9): Warning: type parameter a is ambiguous, instantiating to List int
+EmptyList.bpl(42,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ EmptyList.bpl(26,5): anon0
+
+Boogie program verifier finished with 1 verified, 1 error
+--------------------- File Boxing.bpl ----------------------------
+Boxing.bpl(20,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Boxing.bpl(15,6): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File MapOutputTypeParams.bpl ----------------------------
+MapOutputTypeParams.bpl(29,3): Warning: type parameter a is ambiguous, instantiating to int
+MapOutputTypeParams.bpl(13,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MapOutputTypeParams.bpl(7,9): anon0
+MapOutputTypeParams.bpl(24,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MapOutputTypeParams.bpl(19,9): anon0
+MapOutputTypeParams.bpl(32,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MapOutputTypeParams.bpl(28,8): anon0
+
+Boogie program verifier finished with 0 verified, 3 errors
+--------------------- File ParallelAssignment.bpl ----------------------------
+ParallelAssignment.bpl(26,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ ParallelAssignment.bpl(15,5): anon0
+ParallelAssignment.bpl(35,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ ParallelAssignment.bpl(15,5): anon0
+ParallelAssignment.bpl(54,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ ParallelAssignment.bpl(40,11): anon0
+
+Boogie program verifier finished with 0 verified, 3 errors
+--------------------- File BooleanQuantification.bpl ----------------------------
+BooleanQuantification.bpl(10,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ BooleanQuantification.bpl(10,3): anon0
+BooleanQuantification.bpl(18,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ BooleanQuantification.bpl(18,3): anon0
+BooleanQuantification.bpl(19,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ BooleanQuantification.bpl(18,3): anon0
+BooleanQuantification.bpl(29,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ BooleanQuantification.bpl(29,3): anon0
+BooleanQuantification.bpl(31,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ BooleanQuantification.bpl(29,3): anon0
+
+Boogie program verifier finished with 1 verified, 5 errors
+--------------------- File BooleanQuantification2.bpl ----------------------------
+BooleanQuantification2.bpl(13,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ BooleanQuantification2.bpl(10,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Flattening.bpl ----------------------------
+Flattening.bpl(12,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Flattening.bpl(12,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Orderings.bpl ----------------------------
+Orderings.bpl(14,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings.bpl(9,3): anon0
+
+Boogie program verifier finished with 1 verified, 1 error
+--------------------- File Orderings2.bpl ----------------------------
+Orderings2.bpl(17,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings2.bpl(12,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Orderings3.bpl ----------------------------
+Orderings3.bpl(29,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings3.bpl(15,3): anon0
+Orderings3.bpl(34,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings3.bpl(34,3): anon0
+Orderings3.bpl(36,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings3.bpl(34,3): anon0
+
+Boogie program verifier finished with 0 verified, 3 errors
+--------------------- File Orderings4.bpl ----------------------------
+Orderings4.bpl(10,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings4.bpl(9,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File EmptySetBug.bpl ----------------------------
+EmptySetBug.bpl(29,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ EmptySetBug.bpl(25,5): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Coercions2.bpl ----------------------------
+Coercions2.bpl(12,23): Warning: type parameter a is ambiguous, instantiating to int
+Coercions2.bpl(23,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Coercions2.bpl(18,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File MapAxiomsConsistency.bpl ----------------------------
+MapAxiomsConsistency.bpl(94,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ MapAxiomsConsistency.bpl(79,13): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File LargeLiterals0.bpl ----------------------------
+LargeLiterals0.bpl(18,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ LargeLiterals0.bpl(7,5): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File NameClash.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File LetSorting.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File Keywords.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File LargeLiterals0.bpl ----------------------------
+LargeLiterals0.bpl(18,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ LargeLiterals0.bpl(7,5): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- TypeEncoding n z3types ----------------------------
+--------------------- File DisjointDomains.bpl ----------------------------
+
+Boogie program verifier finished with 3 verified, 0 errors
+--------------------- File DisjointDomains2.bpl ----------------------------
+DisjointDomains2.bpl(11,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains2.bpl(9,3): start
+DisjointDomains2.bpl(18,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains2.bpl(16,3): start
+
+Boogie program verifier finished with 4 verified, 2 errors
+--------------------- File FunAxioms.bpl ----------------------------
+FunAxioms.bpl(30,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ FunAxioms.bpl(18,3): anon0
+
+Boogie program verifier finished with 1 verified, 1 error
+--------------------- File FunAxioms2.bpl ----------------------------
+FunAxioms2.bpl(20,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ FunAxioms2.bpl(16,5): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File PolyList.bpl ----------------------------
+PolyList.bpl(42,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ PolyList.bpl(27,7): anon0
+PolyList.bpl(60,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ PolyList.bpl(49,7): anon0
+
+Boogie program verifier finished with 0 verified, 2 errors
+--------------------- File Maps0.bpl ----------------------------
+Maps0.bpl(23,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Maps0.bpl(14,3): anon0
+Maps0.bpl(46,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Maps0.bpl(41,9): anon0
+Maps0.bpl(49,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Maps0.bpl(41,9): anon0
+Maps0.bpl(52,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Maps0.bpl(41,9): anon0
+Maps0.bpl(53,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Maps0.bpl(41,9): anon0
+
+Boogie program verifier finished with 1 verified, 5 errors
+--------------------- File Maps1.bpl ----------------------------
+Maps1.bpl(26,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Maps1.bpl(19,3): anon0
+Maps1.bpl(31,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Maps1.bpl(19,3): anon0
+
+Boogie program verifier finished with 0 verified, 2 errors
+--------------------- File InterestingExamples0.bpl ----------------------------
+InterestingExamples0.bpl(7,1): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterestingExamples0.bpl(5,6): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File InterestingExamples1.bpl ----------------------------
+InterestingExamples1.bpl(16,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterestingExamples1.bpl(13,5): anon0
+InterestingExamples1.bpl(22,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterestingExamples1.bpl(13,5): anon0
+
+Boogie program verifier finished with 0 verified, 2 errors
+--------------------- File InterestingExamples2.bpl ----------------------------
+InterestingExamples2.bpl(9,1): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterestingExamples2.bpl(8,6): anon0
+InterestingExamples2.bpl(10,1): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterestingExamples2.bpl(8,6): anon0
+
+Boogie program verifier finished with 0 verified, 2 errors
+--------------------- File InterestingExamples3.bpl ----------------------------
+InterestingExamples3.bpl(15,2): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterestingExamples3.bpl(13,2): anon0
+
+Boogie program verifier finished with 2 verified, 1 error
+--------------------- File InterestingExamples4.bpl ----------------------------
+InterestingExamples4.bpl(36,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterestingExamples4.bpl(36,3): anon0
+InterestingExamples4.bpl(39,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterestingExamples4.bpl(36,3): anon0
+
+Boogie program verifier finished with 0 verified, 2 errors
+--------------------- File InterestingExamples5.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File Colors.bpl ----------------------------
+Colors.bpl(13,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Colors.bpl(12,3): anon0
+Colors.bpl(20,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Colors.bpl(19,3): anon0
+
+Boogie program verifier finished with 0 verified, 2 errors
+--------------------- File HeapAbstraction.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File HeapAxiom.bpl ----------------------------
+HeapAxiom.bpl(24,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ HeapAxiom.bpl(13,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Triggers0.bpl ----------------------------
+Triggers0.bpl(39,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Triggers0.bpl(39,3): anon0
+Triggers0.bpl(43,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Triggers0.bpl(39,3): anon0
+
+Boogie program verifier finished with 1 verified, 2 errors
+--------------------- File Triggers1.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File Keywords.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File Casts.bpl ----------------------------
+Casts.bpl(10,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Casts.bpl(6,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File BooleanQuantification.bpl ----------------------------
+BooleanQuantification.bpl(19,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ BooleanQuantification.bpl(18,3): anon0
+BooleanQuantification.bpl(31,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ BooleanQuantification.bpl(29,3): anon0
+
+Boogie program verifier finished with 2 verified, 2 errors
+--------------------- File EmptyList.bpl ----------------------------
+EmptyList.bpl(46,9): Warning: type parameter a is ambiguous, instantiating to List int
+EmptyList.bpl(28,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ EmptyList.bpl(26,5): anon0
+EmptyList.bpl(42,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ EmptyList.bpl(26,5): anon0
+EmptyList.bpl(46,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ EmptyList.bpl(46,3): anon0
+
+Boogie program verifier finished with 0 verified, 3 errors
+--------------------- File Boxing.bpl ----------------------------
+Boxing.bpl(19,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Boxing.bpl(15,6): anon0
+Boxing.bpl(20,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Boxing.bpl(15,6): anon0
+
+Boogie program verifier finished with 0 verified, 2 errors
+--------------------- File MapOutputTypeParams.bpl ----------------------------
+MapOutputTypeParams.bpl(29,3): Warning: type parameter a is ambiguous, instantiating to int
+MapOutputTypeParams.bpl(12,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MapOutputTypeParams.bpl(7,9): anon0
+MapOutputTypeParams.bpl(13,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MapOutputTypeParams.bpl(7,9): anon0
+MapOutputTypeParams.bpl(23,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MapOutputTypeParams.bpl(19,9): anon0
+MapOutputTypeParams.bpl(24,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MapOutputTypeParams.bpl(19,9): anon0
+MapOutputTypeParams.bpl(31,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MapOutputTypeParams.bpl(28,8): anon0
+MapOutputTypeParams.bpl(32,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MapOutputTypeParams.bpl(28,8): anon0
+
+Boogie program verifier finished with 0 verified, 6 errors
+--------------------- File ParallelAssignment.bpl ----------------------------
+ParallelAssignment.bpl(26,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ ParallelAssignment.bpl(15,5): anon0
+ParallelAssignment.bpl(35,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ ParallelAssignment.bpl(15,5): anon0
+ParallelAssignment.bpl(54,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ ParallelAssignment.bpl(40,11): anon0
+
+Boogie program verifier finished with 0 verified, 3 errors
+--------------------- File BooleanQuantification2.bpl ----------------------------
+BooleanQuantification2.bpl(13,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ BooleanQuantification2.bpl(10,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Flattening.bpl ----------------------------
+Flattening.bpl(12,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Flattening.bpl(12,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Orderings.bpl ----------------------------
+Orderings.bpl(14,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings.bpl(9,3): anon0
+
+Boogie program verifier finished with 1 verified, 1 error
+--------------------- File Orderings2.bpl ----------------------------
+Orderings2.bpl(17,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings2.bpl(12,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Orderings3.bpl ----------------------------
+Orderings3.bpl(29,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings3.bpl(15,3): anon0
+Orderings3.bpl(34,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings3.bpl(34,3): anon0
+Orderings3.bpl(36,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings3.bpl(34,3): anon0
+
+Boogie program verifier finished with 0 verified, 3 errors
+--------------------- File Orderings4.bpl ----------------------------
+Orderings4.bpl(10,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings4.bpl(9,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File EmptySetBug.bpl ----------------------------
+EmptySetBug.bpl(27,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ EmptySetBug.bpl(25,5): anon0
+EmptySetBug.bpl(29,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ EmptySetBug.bpl(25,5): anon0
+
+Boogie program verifier finished with 0 verified, 2 errors
+--------------------- File Coercions2.bpl ----------------------------
+Coercions2.bpl(12,23): Warning: type parameter a is ambiguous, instantiating to int
+Coercions2.bpl(18,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Coercions2.bpl(18,3): anon0
+Coercions2.bpl(23,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Coercions2.bpl(18,3): anon0
+
+Boogie program verifier finished with 0 verified, 2 errors
+--------------------- File MapAxiomsConsistency.bpl ----------------------------
+MapAxiomsConsistency.bpl(94,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ MapAxiomsConsistency.bpl(79,13): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File LargeLiterals0.bpl ----------------------------
+LargeLiterals0.bpl(18,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ LargeLiterals0.bpl(7,5): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File LetSorting.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- TypeEncoding p z3types ----------------------------
+--------------------- File DisjointDomains.bpl ----------------------------
+DisjointDomains.bpl(14,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains.bpl(11,3): start
+DisjointDomains.bpl(21,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains.bpl(20,3): start
+DisjointDomains.bpl(27,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains.bpl(26,3): start
+
+Boogie program verifier finished with 0 verified, 3 errors
+--------------------- File DisjointDomains2.bpl ----------------------------
+DisjointDomains2.bpl(11,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains2.bpl(9,3): start
+DisjointDomains2.bpl(18,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains2.bpl(16,3): start
+DisjointDomains2.bpl(32,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains2.bpl(30,3): start
+DisjointDomains2.bpl(39,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains2.bpl(37,3): start
+DisjointDomains2.bpl(49,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains2.bpl(45,3): start
+DisjointDomains2.bpl(63,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains2.bpl(58,3): start
+
+Boogie program verifier finished with 0 verified, 6 errors
+--------------------- File FunAxioms.bpl ----------------------------
+FunAxioms.bpl(30,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ FunAxioms.bpl(18,3): anon0
+
+Boogie program verifier finished with 1 verified, 1 error
+--------------------- File FunAxioms2.bpl ----------------------------
+FunAxioms2.bpl(20,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ FunAxioms2.bpl(16,5): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File PolyList.bpl ----------------------------
+PolyList.bpl(42,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ PolyList.bpl(27,7): anon0
+PolyList.bpl(60,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ PolyList.bpl(49,7): anon0
+
+Boogie program verifier finished with 0 verified, 2 errors
+--------------------- File Maps0.bpl ----------------------------
+Maps0.bpl(23,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Maps0.bpl(14,3): anon0
+Maps0.bpl(32,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Maps0.bpl(32,3): anon0
+Maps0.bpl(53,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Maps0.bpl(41,9): anon0
+
+Boogie program verifier finished with 0 verified, 3 errors
+--------------------- File Maps1.bpl ----------------------------
+Maps1.bpl(31,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Maps1.bpl(19,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File InterestingExamples0.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File InterestingExamples1.bpl ----------------------------
+InterestingExamples1.bpl(22,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterestingExamples1.bpl(13,5): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File InterestingExamples2.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File InterestingExamples3.bpl ----------------------------
+InterestingExamples3.bpl(15,2): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterestingExamples3.bpl(13,2): anon0
+
+Boogie program verifier finished with 2 verified, 1 error
+--------------------- File InterestingExamples4.bpl ----------------------------
+InterestingExamples4.bpl(39,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterestingExamples4.bpl(36,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File InterestingExamples5.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File Colors.bpl ----------------------------
+Colors.bpl(13,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Colors.bpl(12,3): anon0
+
+Boogie program verifier finished with 1 verified, 1 error
+--------------------- File HeapAbstraction.bpl ----------------------------
+HeapAbstraction.bpl(15,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ HeapAbstraction.bpl(14,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File HeapAxiom.bpl ----------------------------
+HeapAxiom.bpl(24,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ HeapAxiom.bpl(13,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Triggers0.bpl ----------------------------
+Triggers0.bpl(39,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Triggers0.bpl(39,3): anon0
+Triggers0.bpl(43,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Triggers0.bpl(39,3): anon0
+
+Boogie program verifier finished with 1 verified, 2 errors
+--------------------- File Triggers1.bpl ----------------------------
+Triggers1.bpl(16,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Triggers1.bpl(12,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Keywords.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File Casts.bpl ----------------------------
+Casts.bpl(10,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Casts.bpl(6,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File BooleanQuantification.bpl ----------------------------
+BooleanQuantification.bpl(19,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ BooleanQuantification.bpl(18,3): anon0
+BooleanQuantification.bpl(31,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ BooleanQuantification.bpl(29,3): anon0
+
+Boogie program verifier finished with 2 verified, 2 errors
+--------------------- File EmptyList.bpl ----------------------------
+EmptyList.bpl(46,9): Warning: type parameter a is ambiguous, instantiating to List int
+EmptyList.bpl(42,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ EmptyList.bpl(26,5): anon0
+
+Boogie program verifier finished with 1 verified, 1 error
+--------------------- File Boxing.bpl ----------------------------
+Boxing.bpl(20,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Boxing.bpl(15,6): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File MapOutputTypeParams.bpl ----------------------------
+MapOutputTypeParams.bpl(29,3): Warning: type parameter a is ambiguous, instantiating to int
+MapOutputTypeParams.bpl(13,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MapOutputTypeParams.bpl(7,9): anon0
+MapOutputTypeParams.bpl(24,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MapOutputTypeParams.bpl(19,9): anon0
+MapOutputTypeParams.bpl(32,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MapOutputTypeParams.bpl(28,8): anon0
+
+Boogie program verifier finished with 0 verified, 3 errors
+--------------------- File ParallelAssignment.bpl ----------------------------
+ParallelAssignment.bpl(26,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ ParallelAssignment.bpl(15,5): anon0
+ParallelAssignment.bpl(35,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ ParallelAssignment.bpl(15,5): anon0
+ParallelAssignment.bpl(54,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ ParallelAssignment.bpl(40,11): anon0
+
+Boogie program verifier finished with 0 verified, 3 errors
+--------------------- File BooleanQuantification2.bpl ----------------------------
+BooleanQuantification2.bpl(13,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ BooleanQuantification2.bpl(10,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Flattening.bpl ----------------------------
+Flattening.bpl(12,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Flattening.bpl(12,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Orderings.bpl ----------------------------
+Orderings.bpl(14,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings.bpl(9,3): anon0
+
+Boogie program verifier finished with 1 verified, 1 error
+--------------------- File Orderings2.bpl ----------------------------
+Orderings2.bpl(17,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings2.bpl(12,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Orderings3.bpl ----------------------------
+Orderings3.bpl(29,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings3.bpl(15,3): anon0
+Orderings3.bpl(34,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings3.bpl(34,3): anon0
+Orderings3.bpl(36,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings3.bpl(34,3): anon0
+
+Boogie program verifier finished with 0 verified, 3 errors
+--------------------- File Orderings4.bpl ----------------------------
+Orderings4.bpl(10,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings4.bpl(9,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File EmptySetBug.bpl ----------------------------
+EmptySetBug.bpl(29,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ EmptySetBug.bpl(25,5): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Coercions2.bpl ----------------------------
+Coercions2.bpl(12,23): Warning: type parameter a is ambiguous, instantiating to int
+Coercions2.bpl(23,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Coercions2.bpl(18,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File MapAxiomsConsistency.bpl ----------------------------
+MapAxiomsConsistency.bpl(94,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ MapAxiomsConsistency.bpl(79,13): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File LargeLiterals0.bpl ----------------------------
+LargeLiterals0.bpl(18,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ LargeLiterals0.bpl(7,5): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File LetSorting.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- TypeEncoding a z3types ----------------------------
+--------------------- File DisjointDomains.bpl ----------------------------
+DisjointDomains.bpl(14,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains.bpl(11,3): start
+DisjointDomains.bpl(21,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains.bpl(20,3): start
+DisjointDomains.bpl(27,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains.bpl(26,3): start
+
+Boogie program verifier finished with 0 verified, 3 errors
+--------------------- File DisjointDomains2.bpl ----------------------------
+DisjointDomains2.bpl(11,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains2.bpl(9,3): start
+DisjointDomains2.bpl(18,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains2.bpl(16,3): start
+DisjointDomains2.bpl(32,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains2.bpl(30,3): start
+DisjointDomains2.bpl(39,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains2.bpl(37,3): start
+DisjointDomains2.bpl(49,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains2.bpl(45,3): start
+DisjointDomains2.bpl(63,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ DisjointDomains2.bpl(58,3): start
+
+Boogie program verifier finished with 0 verified, 6 errors
+--------------------- File FunAxioms.bpl ----------------------------
+FunAxioms.bpl(30,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ FunAxioms.bpl(18,3): anon0
+
+Boogie program verifier finished with 1 verified, 1 error
+--------------------- File FunAxioms2.bpl ----------------------------
+FunAxioms2.bpl(20,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ FunAxioms2.bpl(16,5): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File PolyList.bpl ----------------------------
+PolyList.bpl(42,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ PolyList.bpl(27,7): anon0
+PolyList.bpl(60,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ PolyList.bpl(49,7): anon0
+
+Boogie program verifier finished with 0 verified, 2 errors
+--------------------- File Maps0.bpl ----------------------------
+Maps0.bpl(23,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Maps0.bpl(14,3): anon0
+Maps0.bpl(32,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Maps0.bpl(32,3): anon0
+Maps0.bpl(53,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Maps0.bpl(41,9): anon0
+
+Boogie program verifier finished with 0 verified, 3 errors
+--------------------- File Maps1.bpl ----------------------------
+Maps1.bpl(31,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Maps1.bpl(19,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File InterestingExamples0.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File InterestingExamples1.bpl ----------------------------
+InterestingExamples1.bpl(22,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterestingExamples1.bpl(13,5): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File InterestingExamples2.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File InterestingExamples3.bpl ----------------------------
+InterestingExamples3.bpl(15,2): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterestingExamples3.bpl(13,2): anon0
+
+Boogie program verifier finished with 2 verified, 1 error
+--------------------- File InterestingExamples4.bpl ----------------------------
+InterestingExamples4.bpl(36,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterestingExamples4.bpl(36,3): anon0
+InterestingExamples4.bpl(39,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ InterestingExamples4.bpl(36,3): anon0
+
+Boogie program verifier finished with 0 verified, 2 errors
+--------------------- File InterestingExamples5.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File Colors.bpl ----------------------------
+Colors.bpl(13,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Colors.bpl(12,3): anon0
+Colors.bpl(20,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Colors.bpl(19,3): anon0
+
+Boogie program verifier finished with 0 verified, 2 errors
+--------------------- File HeapAbstraction.bpl ----------------------------
+HeapAbstraction.bpl(15,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ HeapAbstraction.bpl(14,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File HeapAxiom.bpl ----------------------------
+HeapAxiom.bpl(24,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ HeapAxiom.bpl(13,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Triggers0.bpl ----------------------------
+Triggers0.bpl(39,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Triggers0.bpl(39,3): anon0
+Triggers0.bpl(43,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Triggers0.bpl(39,3): anon0
+
+Boogie program verifier finished with 1 verified, 2 errors
+--------------------- File Triggers1.bpl ----------------------------
+Triggers1.bpl(16,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Triggers1.bpl(12,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Keywords.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+--------------------- File Casts.bpl ----------------------------
+Casts.bpl(10,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Casts.bpl(6,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File BooleanQuantification.bpl ----------------------------
+BooleanQuantification.bpl(19,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ BooleanQuantification.bpl(18,3): anon0
+BooleanQuantification.bpl(31,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ BooleanQuantification.bpl(29,3): anon0
+
+Boogie program verifier finished with 2 verified, 2 errors
+--------------------- File EmptyList.bpl ----------------------------
+EmptyList.bpl(46,9): Warning: type parameter a is ambiguous, instantiating to List int
+EmptyList.bpl(42,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ EmptyList.bpl(26,5): anon0
+
+Boogie program verifier finished with 1 verified, 1 error
+--------------------- File Boxing.bpl ----------------------------
+Boxing.bpl(20,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Boxing.bpl(15,6): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File MapOutputTypeParams.bpl ----------------------------
+MapOutputTypeParams.bpl(29,3): Warning: type parameter a is ambiguous, instantiating to int
+MapOutputTypeParams.bpl(13,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MapOutputTypeParams.bpl(7,9): anon0
+MapOutputTypeParams.bpl(24,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MapOutputTypeParams.bpl(19,9): anon0
+MapOutputTypeParams.bpl(32,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MapOutputTypeParams.bpl(28,8): anon0
+
+Boogie program verifier finished with 0 verified, 3 errors
+--------------------- File ParallelAssignment.bpl ----------------------------
+ParallelAssignment.bpl(26,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ ParallelAssignment.bpl(15,5): anon0
+ParallelAssignment.bpl(35,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ ParallelAssignment.bpl(15,5): anon0
+ParallelAssignment.bpl(54,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ ParallelAssignment.bpl(40,11): anon0
+
+Boogie program verifier finished with 0 verified, 3 errors
+--------------------- File BooleanQuantification2.bpl ----------------------------
+BooleanQuantification2.bpl(13,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ BooleanQuantification2.bpl(10,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Flattening.bpl ----------------------------
+Flattening.bpl(12,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Flattening.bpl(12,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Orderings.bpl ----------------------------
+Orderings.bpl(14,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings.bpl(9,3): anon0
+
+Boogie program verifier finished with 1 verified, 1 error
+--------------------- File Orderings2.bpl ----------------------------
+Orderings2.bpl(17,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings2.bpl(12,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Orderings3.bpl ----------------------------
+Orderings3.bpl(29,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings3.bpl(15,3): anon0
+Orderings3.bpl(34,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings3.bpl(34,3): anon0
+Orderings3.bpl(36,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings3.bpl(34,3): anon0
+
+Boogie program verifier finished with 0 verified, 3 errors
+--------------------- File Orderings4.bpl ----------------------------
+Orderings4.bpl(10,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Orderings4.bpl(9,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File EmptySetBug.bpl ----------------------------
+EmptySetBug.bpl(29,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ EmptySetBug.bpl(25,5): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File Coercions2.bpl ----------------------------
+Coercions2.bpl(12,23): Warning: type parameter a is ambiguous, instantiating to int
+Coercions2.bpl(23,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ Coercions2.bpl(18,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File MapAxiomsConsistency.bpl ----------------------------
+MapAxiomsConsistency.bpl(94,5): Error BP5001: This assertion might not hold.
+Execution trace:
+ MapAxiomsConsistency.bpl(79,13): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File LargeLiterals0.bpl ----------------------------
+LargeLiterals0.bpl(18,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ LargeLiterals0.bpl(7,5): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+--------------------- File LetSorting.bpl ----------------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
diff --git a/Test/test21/ParallelAssignment.bpl b/Test/test21/ParallelAssignment.bpl
new file mode 100644
index 00000000..05791b8e
--- /dev/null
+++ b/Test/test21/ParallelAssignment.bpl
@@ -0,0 +1,56 @@
+// Examples from the Boogie2 language report
+
+type C, D;
+
+var x : int;
+var y : int;
+var z : int;
+var a : [int]int;
+var b : [int][C, D]int;
+
+procedure P(i:int, j:int, m:C, n:D) returns () modifies x, y, a, b; {
+ var x1 : int;
+ var y1 : int;
+
+ x := x+1;
+ a[i] := 12;
+
+ assert a[i] == 12;
+
+ x1 := x;
+ y1 := y;
+
+ x, y := y, x;
+
+ assert x == y1 && y == x1;
+ assert x == x1; // error
+
+ x, a[i] := x+1, x;
+ assert x == y1+1 && a[i] == y1;
+
+ b[i][m, n] := 17;
+ b[i][m, n], x := a[x], y;
+
+ assert b[i][m, n] == a[y1+1];
+ assert false; // error
+}
+
+procedure Q() returns () modifies x, y, z; {
+
+ x, y, z := 1, 2, 3;
+
+ x, y, z := y, z, x;
+ x, y, z := y, z, x;
+ x, y, z := y, z, x;
+
+ assert x == 1 && y == 2 && z == 3;
+
+ x, y, z := y+1, z+1, x+1;
+ x, y, z := y+1, z+1, x+1;
+ x, y, z := y+1, z+1, x+1;
+
+ assert x == 4 && y == 5 && z == 6;
+
+ assert a[x] == a[y]; // error
+
+} \ No newline at end of file
diff --git a/Test/test21/PolyList.bpl b/Test/test21/PolyList.bpl
new file mode 100644
index 00000000..49d515f9
--- /dev/null
+++ b/Test/test21/PolyList.bpl
@@ -0,0 +1,62 @@
+
+
+
+type List a;
+
+function Cons<a>(x:a, y:List a) returns (List a);
+
+// we need some argument ... ugly
+function Nil<a>(a) returns (List a);
+
+function Car<a>(List a) returns (a);
+function Cdr<a>(List a) returns (List a);
+
+axiom (forall<a> x:a, y:List a :: Car(Cons(x, y)) == x);
+axiom (forall<a> x:a, y:List a :: Cdr(Cons(x, y)) == y);
+
+function Len<a>(List a) returns (int);
+
+axiom (forall <a> x:a :: Len(Nil(x)) == 0);
+axiom (forall <a> x:a, y:List a :: Len(Cons(x, y)) == 1 + Len(y));
+
+
+
+procedure P<a>(param : a) returns () {
+ var x:a, NIL : List a, l : List a;
+
+ NIL := Nil(x);
+
+ assert Len(NIL) == 0;
+ assert Len(Cons(x,Cons(x,NIL))) == 2;
+
+ l := Cons(x,Cons(x,NIL));
+ assert Len(l) == 2;
+
+ l := Cons(x, l);
+ assert Len(l) == 3 && Car(l) == x && Len(Cdr(l)) < Len(l);
+ assert (forall m : List a, y : a :: Len(Cons(y, m)) > Len(m));
+
+ l := Cdr(l);
+ assert Len(l) == 2 && Car(l) == x;
+
+ assert Len(Cons(x,Cons(x,Cons(x,NIL)))) == 2; // should not be provable
+
+}
+
+procedure Q() returns () {
+ var NIL : List int, l : List int;
+
+ NIL := Nil(0);
+
+ assert Len(NIL) == 0;
+ assert Len(Cons(1,Cons(2,NIL))) == 2;
+
+ l := NIL;
+ l := Cons(42, l);
+ l := Cons(Car(l) + 17, Cdr(l));
+
+ assert Len(l) == 1 && Car(l) == 59;
+
+ assert Len(Cons(1,Cons(2,Cons(3,NIL)))) == 2; // should not be provable
+
+} \ No newline at end of file
diff --git a/Test/test21/Triggers0.bpl b/Test/test21/Triggers0.bpl
new file mode 100644
index 00000000..4f7a8d11
--- /dev/null
+++ b/Test/test21/Triggers0.bpl
@@ -0,0 +1,44 @@
+
+
+const ar : [int]bool;
+axiom (forall x:int :: {ar[x]} !ar[x]);
+
+type S, T, C a b;
+
+function m(T,S) returns (bool);
+function n(T,T) returns (bool);
+function f<a>(C a T, a) returns (int);
+function f2<a>(C a T, a) returns (int);
+function g(T) returns (T);
+function h<a>(a) returns (a);
+function k<a>(C a a) returns (bool);
+function l<a>(a) returns (bool);
+function o<a>(a) returns (bool);
+
+const con : T;
+const someConst : int;
+
+axiom (forall <b> x:C b b :: k(x));
+axiom (forall x:C S T, y : S :: f(x,y) == f2(x,y));
+axiom (forall x:S, y:T :: l(x) && n(y, con) == m(y,x));
+axiom (forall x:T :: {g(h(x))} {g(x)} x == x);
+axiom (forall <b> x:b :: {h(x)} x == x);
+axiom (forall <b> x:b, y:b :: {o(x), o(y)} o(x) ==> someConst == 42);
+axiom (forall <b> x:C b b :: {k(x)} k(x));
+
+procedure P() returns () {
+ var v0 : C S S, v1 : C S T, v2 : S, v3 : T;
+
+ assert ar[27] == false;
+ assert k(v0);
+ assert f(v1, v2) == f2(v1, v2);
+ assert n(v3, con) == m(v3, v2);
+}
+
+procedure Q<a>(x : a) returns () {
+ assert someConst == 42; // should not be provable
+
+ assume o(x) == o(x);
+ assert someConst == 42;
+ assert someConst == 43; // should not be provable
+} \ No newline at end of file
diff --git a/Test/test21/Triggers1.bpl b/Test/test21/Triggers1.bpl
new file mode 100644
index 00000000..3633e704
--- /dev/null
+++ b/Test/test21/Triggers1.bpl
@@ -0,0 +1,17 @@
+
+
+
+function f<a>(a) returns (bool);
+function g(int) returns (bool);
+
+axiom (forall x:int :: f(x));
+axiom (forall x:int :: g(x));
+
+procedure P() returns () {
+ var x : int, m : [int]int;
+ assert f(x);
+ assert f(m[x]);
+ assert g(x);
+ assert g(m[x]);
+ assert f(true); // should not be provable
+} \ No newline at end of file
diff --git a/Test/test21/runtest.bat b/Test/test21/runtest.bat
new file mode 100644
index 00000000..223f278b
--- /dev/null
+++ b/Test/test21/runtest.bat
@@ -0,0 +1,53 @@
+@echo off
+setlocal
+
+set BGEXE=..\..\Binaries\Boogie.exe
+rem set BGEXE=mono ..\..\Binaries\Boogie.exe
+
+for %%m in (
+ n p a
+ ) do (
+echo --------------------- TypeEncoding %%m ----------------------------
+for %%f in (DisjointDomains.bpl DisjointDomains2.bpl FunAxioms.bpl
+ FunAxioms2.bpl PolyList.bpl Maps0.bpl Maps1.bpl
+ InterestingExamples0.bpl InterestingExamples1.bpl InterestingExamples2.bpl
+ InterestingExamples3.bpl InterestingExamples4.bpl InterestingExamples5.bpl
+ Colors.bpl HeapAbstraction.bpl HeapAxiom.bpl Triggers0.bpl Triggers1.bpl
+ Keywords.bpl Casts.bpl EmptyList.bpl Boxing.bpl MapOutputTypeParams.bpl
+ ParallelAssignment.bpl BooleanQuantification.bpl BooleanQuantification2.bpl
+ Flattening.bpl Orderings.bpl Orderings2.bpl Orderings3.bpl Orderings4.bpl
+ EmptySetBug.bpl Coercions2.bpl MapAxiomsConsistency.bpl LargeLiterals0.bpl) do (
+ echo --------------------- File %%f ----------------------------
+ %BGEXE% %* /typeEncoding:%%m /logPrefix:0%%m /bv:n %%f
+)
+
+echo --------------------- File NameClash.bpl ----------------------------
+%BGEXE% %* /typeEncoding:%%m /logPrefix:0%%m /logPrefix:S NameClash.bpl
+echo --------------------- File LetSorting.bpl ----------------------------
+%BGEXE% %* /typeEncoding:%%m /logPrefix:0%%m /logPrefix:S /vc:n LetSorting.bpl
+echo --------------------- File Keywords.bpl ----------------------------
+%BGEXE% %* /typeEncoding:%%m /logPrefix:0%%m /logPrefix:S Keywords.bpl
+echo --------------------- File LargeLiterals0.bpl ----------------------------
+%BGEXE% %* /typeEncoding:%%m /logPrefix:0%%m /logPrefix:S LargeLiterals0.bpl
+)
+
+for %%m in (
+ n p a
+ ) do (
+echo --------------------- TypeEncoding %%m z3types ----------------------------
+for %%f in (DisjointDomains.bpl DisjointDomains2.bpl FunAxioms.bpl
+ FunAxioms2.bpl PolyList.bpl Maps0.bpl Maps1.bpl
+ InterestingExamples0.bpl InterestingExamples1.bpl InterestingExamples2.bpl
+ InterestingExamples3.bpl InterestingExamples4.bpl InterestingExamples5.bpl
+ Colors.bpl HeapAbstraction.bpl HeapAxiom.bpl Triggers0.bpl Triggers1.bpl
+ Keywords.bpl Casts.bpl BooleanQuantification.bpl EmptyList.bpl Boxing.bpl
+ MapOutputTypeParams.bpl ParallelAssignment.bpl BooleanQuantification2.bpl
+ Flattening.bpl Orderings.bpl Orderings2.bpl Orderings3.bpl Orderings4.bpl
+ EmptySetBug.bpl Coercions2.bpl MapAxiomsConsistency.bpl LargeLiterals0.bpl) do (
+ echo --------------------- File %%f ----------------------------
+ %BGEXE% %* /typeEncoding:%%m /logPrefix:1%%m %%f
+)
+
+echo --------------------- File LetSorting.bpl ----------------------------
+%BGEXE% %* /typeEncoding:%%m /logPrefix:1%%m /logPrefix:z3t /z3types /vc:n LetSorting.bpl
+)
diff --git a/Test/test21/test3_AddMethod_conv.bpl b/Test/test21/test3_AddMethod_conv.bpl
new file mode 100644
index 00000000..1382fdeb
--- /dev/null
+++ b/Test/test21/test3_AddMethod_conv.bpl
@@ -0,0 +1,1820 @@
+// Spec# program verifier version 0.90, Copyright (c) 2003-2008, Microsoft.
+// Command Line Options: /print:debug.txt AddMethod.dll
+
+type real;
+
+type elements;
+
+type struct;
+
+type name;
+type any;
+
+type exposeVersionType;
+
+type Field a;
+type Heap = <x>[ref,Field x]x;
+
+var $Heap: Heap where IsHeap($Heap);
+
+type ActivityType;
+
+var $ActivityIndicator: ActivityType;
+
+function IsHeap(h: Heap) returns (bool);
+
+const unique $allocated: Field bool;
+
+const unique $elements: Field elements;
+
+function DeclType222<a>(Field a) returns (name);
+
+axiom DeclType222($elements) == System.Object;
+
+const unique $inv: Field name;
+
+const unique $localinv: Field name;
+
+const unique $exposeVersion: Field exposeVersionType;
+
+axiom DeclType222($exposeVersion) == System.Object;
+
+const unique $sharingMode: Field any;
+
+const unique $SharingMode_Unshared: any;
+
+const unique $SharingMode_LockProtected: any;
+
+const unique $ownerRef: Field ref;
+
+const unique $ownerFrame: Field name;
+
+const unique $PeerGroupPlaceholder: name;
+
+function ClassRepr(class: name) returns (ref);
+
+function ClassReprInv(ref) returns (name);
+
+axiom (forall c: name :: { ClassRepr(c) } ClassReprInv(ClassRepr(c)) == c);
+
+axiom (forall T: name :: !($typeof(ClassRepr(T)) <: System.Object));
+
+axiom (forall T: name :: ClassRepr(T) != null);
+
+axiom (forall T: name, h: Heap :: { h[ClassRepr(T), $ownerFrame] } IsHeap(h) ==> h[ClassRepr(T), $ownerFrame] == $PeerGroupPlaceholder);
+
+function IncludeInMainFrameCondition<a>(f: Field a) returns (bool);
+
+axiom IncludeInMainFrameCondition($allocated);
+
+axiom IncludeInMainFrameCondition($elements);
+
+axiom !IncludeInMainFrameCondition($inv);
+
+axiom !IncludeInMainFrameCondition($localinv);
+
+axiom IncludeInMainFrameCondition($ownerRef);
+
+axiom IncludeInMainFrameCondition($ownerFrame);
+
+axiom IncludeInMainFrameCondition($exposeVersion);
+
+axiom !IncludeInMainFrameCondition($FirstConsistentOwner);
+
+function IsStaticField<a>(f: Field a) returns (bool);
+
+axiom !IsStaticField($allocated);
+
+axiom !IsStaticField($elements);
+
+axiom !IsStaticField($inv);
+
+axiom !IsStaticField($localinv);
+
+axiom !IsStaticField($exposeVersion);
+
+function $IncludedInModifiesStar<a>(f: Field a) returns (bool);
+
+axiom !$IncludedInModifiesStar($ownerRef);
+
+axiom !$IncludedInModifiesStar($ownerFrame);
+
+axiom $IncludedInModifiesStar($exposeVersion);
+
+axiom $IncludedInModifiesStar($elements);
+
+function ValueArrayGet(elements, int) returns (any);
+
+function ValueArraySet(elements, int, any) returns (elements);
+
+function IntArrayGet(elements, int) returns (int);
+
+function IntArraySet(elements, int, int) returns (elements);
+
+function RefArrayGet(elements, int) returns (ref);
+
+function RefArraySet(elements, int, ref) returns (elements);
+
+axiom (forall A: elements, i: int, x: any :: ValueArrayGet(ValueArraySet(A, i, x), i) == x);
+
+axiom (forall A: elements, i: int, j: int, x: any :: i != j ==> ValueArrayGet(ValueArraySet(A, i, x), j) == ValueArrayGet(A, j));
+
+axiom (forall A: elements, i: int, x: int :: IntArrayGet(IntArraySet(A, i, x), i) == x);
+
+axiom (forall A: elements, i: int, j: int, x: int :: i != j ==> IntArrayGet(IntArraySet(A, i, x), j) == IntArrayGet(A, j));
+
+axiom (forall A: elements, i: int, x: ref :: RefArrayGet(RefArraySet(A, i, x), i) == x);
+
+axiom (forall A: elements, i: int, j: int, x: ref :: i != j ==> RefArrayGet(RefArraySet(A, i, x), j) == RefArrayGet(A, j));
+
+function ArrayIndex(arr: ref, dim: int, indexAtDim: int, remainingIndexContribution: int) returns (int);
+
+function ArrayIndexInvX(arrayIndex: int) returns (indexAtDim: int);
+
+function ArrayIndexInvY(arrayIndex: int) returns (remainingIndexContribution: int);
+
+axiom (forall a: ref, d: int, x: int, y: int :: { ArrayIndex(a, d, x, y) } ArrayIndexInvX(ArrayIndex(a, d, x, y)) == x);
+
+axiom (forall a: ref, d: int, x: int, y: int :: { ArrayIndex(a, d, x, y) } ArrayIndexInvY(ArrayIndex(a, d, x, y)) == y);
+
+axiom (forall a: ref, i: int, heap: Heap :: { IntArrayGet(heap[a, $elements], i) } IsHeap(heap) ==> InRange(IntArrayGet(heap[a, $elements], i), $ElementType($typeof(a))));
+
+axiom (forall a: ref, i: int, heap: Heap :: { $typeof(RefArrayGet(heap[a, $elements], i)) } IsHeap(heap) && RefArrayGet(heap[a, $elements], i) != null ==> $typeof(RefArrayGet(heap[a, $elements], i)) <: $ElementType($typeof(a)));
+
+axiom (forall a: ref, T: name, i: int, r: int, heap: Heap :: { $typeof(a) <: NonNullRefArray(T, r), RefArrayGet(heap[a, $elements], i) } IsHeap(heap) && $typeof(a) <: NonNullRefArray(T, r) ==> RefArrayGet(heap[a, $elements], i) != null);
+
+function $Rank(ref) returns (int);
+
+axiom (forall a: ref :: 1 <= $Rank(a));
+
+axiom (forall a: ref, T: name, r: int :: { $typeof(a) <: RefArray(T, r) } a != null && $typeof(a) <: RefArray(T, r) ==> $Rank(a) == r);
+
+axiom (forall a: ref, T: name, r: int :: { $typeof(a) <: NonNullRefArray(T, r) } a != null && $typeof(a) <: NonNullRefArray(T, r) ==> $Rank(a) == r);
+
+axiom (forall a: ref, T: name, r: int :: { $typeof(a) <: ValueArray(T, r) } a != null && $typeof(a) <: ValueArray(T, r) ==> $Rank(a) == r);
+
+axiom (forall a: ref, T: name, r: int :: { $typeof(a) <: IntArray(T, r) } a != null && $typeof(a) <: IntArray(T, r) ==> $Rank(a) == r);
+
+function $Length(ref) returns (int);
+
+axiom (forall a: ref :: { $Length(a) } 0 <= $Length(a) && $Length(a) <= int#2147483647);
+
+function $DimLength(ref, int) returns (int);
+
+axiom (forall a: ref, i: int :: 0 <= $DimLength(a, i));
+
+axiom (forall a: ref :: { $DimLength(a, 0) } $Rank(a) == 1 ==> $DimLength(a, 0) == $Length(a));
+
+function $LBound(ref, int) returns (int);
+
+function $UBound(ref, int) returns (int);
+
+axiom (forall a: ref, i: int :: { $LBound(a, i) } $LBound(a, i) == 0);
+
+axiom (forall a: ref, i: int :: { $UBound(a, i) } $UBound(a, i) == $DimLength(a, i) - 1);
+
+const unique $ArrayCategoryValue: name;
+
+const unique $ArrayCategoryInt: name;
+
+const unique $ArrayCategoryRef: name;
+
+const unique $ArrayCategoryNonNullRef: name;
+
+function $ArrayCategory(arrayType: name) returns (arrayCategory: name);
+
+axiom (forall T: name, ET: name, r: int :: { T <: ValueArray(ET, r) } T <: ValueArray(ET, r) ==> $ArrayCategory(T) == $ArrayCategoryValue);
+
+axiom (forall T: name, ET: name, r: int :: { T <: IntArray(ET, r) } T <: IntArray(ET, r) ==> $ArrayCategory(T) == $ArrayCategoryInt);
+
+axiom (forall T: name, ET: name, r: int :: { T <: RefArray(ET, r) } T <: RefArray(ET, r) ==> $ArrayCategory(T) == $ArrayCategoryRef);
+
+axiom (forall T: name, ET: name, r: int :: { T <: NonNullRefArray(ET, r) } T <: NonNullRefArray(ET, r) ==> $ArrayCategory(T) == $ArrayCategoryNonNullRef);
+
+const unique System.Array: name;
+
+axiom System.Array <: System.Object;
+
+function $ElementType(name) returns (name);
+
+function ValueArray(elementType: name, rank: int) returns (name);
+
+axiom (forall T: name, r: int :: { ValueArray(T, r) } ValueArray(T, r) <: ValueArray(T, r) && ValueArray(T, r) <: System.Array);
+
+function IntArray(elementType: name, rank: int) returns (name);
+
+axiom (forall T: name, r: int :: { IntArray(T, r) } IntArray(T, r) <: IntArray(T, r) && IntArray(T, r) <: System.Array);
+
+function RefArray(elementType: name, rank: int) returns (name);
+
+axiom (forall T: name, r: int :: { RefArray(T, r) } RefArray(T, r) <: RefArray(T, r) && RefArray(T, r) <: System.Array);
+
+function NonNullRefArray(elementType: name, rank: int) returns (name);
+
+axiom (forall T: name, r: int :: { NonNullRefArray(T, r) } NonNullRefArray(T, r) <: NonNullRefArray(T, r) && NonNullRefArray(T, r) <: System.Array);
+
+function NonNullRefArrayRaw(array: ref, elementType: name, rank: int) returns (bool);
+
+axiom (forall array: ref, elementType: name, rank: int :: { NonNullRefArrayRaw(array, elementType, rank) } NonNullRefArrayRaw(array, elementType, rank) ==> $typeof(array) <: System.Array && $Rank(array) == rank && elementType <: $ElementType($typeof(array)));
+
+axiom (forall T: name, U: name, r: int :: U <: T ==> RefArray(U, r) <: RefArray(T, r));
+
+axiom (forall T: name, U: name, r: int :: U <: T ==> NonNullRefArray(U, r) <: NonNullRefArray(T, r));
+
+axiom (forall A: name, r: int :: $ElementType(ValueArray(A, r)) == A);
+
+axiom (forall A: name, r: int :: $ElementType(IntArray(A, r)) == A);
+
+axiom (forall A: name, r: int :: $ElementType(RefArray(A, r)) == A);
+
+axiom (forall A: name, r: int :: $ElementType(NonNullRefArray(A, r)) == A);
+
+axiom (forall A: name, r: int, T: name :: { T <: RefArray(A, r) } T <: RefArray(A, r) ==> T != A && T == RefArray($ElementType(T), r) && $ElementType(T) <: A);
+
+axiom (forall A: name, r: int, T: name :: { T <: NonNullRefArray(A, r) } T <: NonNullRefArray(A, r) ==> T != A && T == NonNullRefArray($ElementType(T), r) && $ElementType(T) <: A);
+
+axiom (forall A: name, r: int, T: name :: { T <: ValueArray(A, r) } T <: ValueArray(A, r) ==> T == ValueArray(A, r));
+
+axiom (forall A: name, r: int, T: name :: { T <: IntArray(A, r) } T <: IntArray(A, r) ==> T == IntArray(A, r));
+
+axiom (forall A: name, r: int, T: name :: { RefArray(A, r) <: T } RefArray(A, r) <: T ==> System.Array <: T || (T == RefArray($ElementType(T), r) && A <: $ElementType(T)));
+
+axiom (forall A: name, r: int, T: name :: { NonNullRefArray(A, r) <: T } NonNullRefArray(A, r) <: T ==> System.Array <: T || (T == NonNullRefArray($ElementType(T), r) && A <: $ElementType(T)));
+
+axiom (forall A: name, r: int, T: name :: { ValueArray(A, r) <: T } ValueArray(A, r) <: T ==> System.Array <: T || T == ValueArray(A, r));
+
+axiom (forall A: name, r: int, T: name :: { IntArray(A, r) <: T } IntArray(A, r) <: T ==> System.Array <: T || T == IntArray(A, r));
+
+function $ArrayPtr(elementType: name) returns (name);
+
+function $ElementProxy(ref, int) returns (ref);
+
+function $ElementProxyStruct(struct, int) returns (ref);
+
+axiom (forall a: ref, i: int, heap: Heap :: { heap[RefArrayGet(heap[a, $elements], i), $ownerRef] } { heap[RefArrayGet(heap[a, $elements], i), $ownerFrame] } IsHeap(heap) && $typeof(a) <: System.Array ==> RefArrayGet(heap[a, $elements], i) == null || $IsImmutable($typeof(RefArrayGet(heap[a, $elements], i))) || (heap[RefArrayGet(heap[a, $elements], i), $ownerRef] == heap[$ElementProxy(a, 0 - 1), $ownerRef] && heap[RefArrayGet(heap[a, $elements], i), $ownerFrame] == heap[$ElementProxy(a, 0 - 1), $ownerFrame]));
+
+axiom (forall a: ref, heap: Heap :: { IsAllocated(heap, a) } IsHeap(heap) && IsAllocated(heap, a) && $typeof(a) <: System.Array ==> IsAllocated(heap, $ElementProxy(a, 0 - 1)));
+
+axiom (forall o: ref, pos: int :: { $typeof($ElementProxy(o, pos)) } $typeof($ElementProxy(o, pos)) == System.Object);
+
+axiom (forall o: struct, pos: int :: { $typeof($ElementProxyStruct(o, pos)) } $typeof($ElementProxyStruct(o, pos)) == System.Object);
+
+function $StructGet(struct, name) returns (any);
+
+function $StructSet(struct, name, any) returns (struct);
+
+axiom (forall s: struct, f: name, x: any :: $StructGet($StructSet(s, f, x), f) == x);
+
+axiom (forall s: struct, f: name, f': name, x: any :: f != f' ==> $StructGet($StructSet(s, f, x), f') == $StructGet(s, f'));
+
+function ZeroInit(s: struct, typ: name) returns (bool);
+
+function $typeof(ref) returns (name);
+
+function $BaseClass(sub: name) returns (base: name);
+
+axiom (forall T: name :: { $BaseClass(T) } T <: $BaseClass(T) && (T != System.Object ==> T != $BaseClass(T)));
+
+function AsDirectSubClass(sub: name, base: name) returns (sub': name);
+
+function OneClassDown(sub: name, base: name) returns (directSub: name);
+
+axiom (forall A: name, B: name, C: name :: { C <: AsDirectSubClass(B, A) } C <: AsDirectSubClass(B, A) ==> OneClassDown(C, A) == B);
+
+function $IsValueType(name) returns (bool);
+
+axiom (forall T: name :: $IsValueType(T) ==> (forall U: name :: T <: U ==> T == U) && (forall U: name :: U <: T ==> T == U));
+
+const unique System.Boolean: name;
+
+axiom $IsValueType(System.Boolean);
+
+const unique System.Object: name;
+
+function $IsTokenForType(struct, name) returns (bool);
+
+function TypeObject(name) returns (ref);
+
+const unique System.Type: name;
+
+axiom System.Type <: System.Object;
+
+axiom (forall T: name :: { TypeObject(T) } $IsNotNull(TypeObject(T), System.Type));
+
+function TypeName(ref) returns (name);
+
+axiom (forall T: name :: { TypeObject(T) } TypeName(TypeObject(T)) == T);
+
+function $Is(ref, name) returns (bool);
+
+axiom (forall o: ref, T: name :: { $Is(o, T) } $Is(o, T) <==> o == null || $typeof(o) <: T);
+
+function $IsNotNull(ref, name) returns (bool);
+
+axiom (forall o: ref, T: name :: { $IsNotNull(o, T) } $IsNotNull(o, T) <==> o != null && $Is(o, T));
+
+function $As(ref, name) returns (ref);
+
+axiom (forall o: ref, T: name :: $Is(o, T) ==> $As(o, T) == o);
+
+axiom (forall o: ref, T: name :: !$Is(o, T) ==> $As(o, T) == null);
+
+axiom (forall h: Heap, o: ref :: { $typeof(o) <: System.Array, h[o, $inv] } IsHeap(h) && o != null && $typeof(o) <: System.Array ==> h[o, $inv] == $typeof(o) && h[o, $localinv] == $typeof(o));
+
+function IsAllocated<a>(h: Heap, o: a) returns (bool);
+
+axiom (forall<a> h: Heap, o: ref, f: Field a :: { IsAllocated(h, h[o, f]) } IsHeap(h) && h[o, $allocated] ==> IsAllocated(h, h[o, f]));
+
+axiom (forall h: Heap, o: ref, f: Field ref :: { h[h[o, f], $allocated] } IsHeap(h) && h[o, $allocated] ==> h[h[o, f], $allocated]);
+
+axiom (forall h: Heap, s: struct, f: name :: { IsAllocated(h, $StructGet(s, f)) } IsAllocated(h, s) ==> IsAllocated(h, $StructGet(s, f)));
+
+axiom (forall h: Heap, e: elements, i: int :: { IsAllocated(h, RefArrayGet(e, i)) } IsAllocated(h, e) ==> IsAllocated(h, RefArrayGet(e, i)));
+
+axiom (forall h: Heap, e: elements, i: int :: { IsAllocated(h, ValueArrayGet(e, i)) } IsAllocated(h, e) ==> IsAllocated(h, ValueArrayGet(e, i)));
+
+axiom (forall h: Heap, o: ref :: { h[o, $allocated] } IsAllocated(h, o) ==> h[o, $allocated]);
+
+axiom (forall h: Heap, c: name :: { h[ClassRepr(c), $allocated] } IsHeap(h) ==> h[ClassRepr(c), $allocated]);
+
+const $BeingConstructed: ref;
+
+const unique $NonNullFieldsAreInitialized: Field bool;
+
+const $PurityAxiomsCanBeAssumed: bool;
+
+axiom DeclType222($NonNullFieldsAreInitialized) == System.Object;
+
+
+
+function AsNonNullRefField(field: Field ref, T: name) returns (f: Field ref);
+
+function AsRefField(field: Field ref, T: name) returns (f: Field ref);
+
+function AsRangeField(field: Field int, T: name) returns (f: Field int);
+
+axiom (forall f: Field ref, T: name :: { AsNonNullRefField(f, T) } AsNonNullRefField(f, T) == f ==> AsRefField(f, T) == f);
+
+axiom (forall h: Heap, o: ref, f: Field ref, T: name :: { h[o, AsRefField(f, T)] } IsHeap(h) ==> $Is(h[o, AsRefField(f, T)], T));
+
+axiom (forall h: Heap, o: ref, f: Field ref, T: name :: { h[o, AsNonNullRefField(f, T)] } IsHeap(h) && o != null && (o != $BeingConstructed || h[$BeingConstructed, $NonNullFieldsAreInitialized] == true) ==> h[o, AsNonNullRefField(f, T)] != null);
+
+axiom (forall h: Heap, o: ref, f: Field int, T: name :: { h[o, AsRangeField(f, T)] } IsHeap(h) ==> InRange(h[o, AsRangeField(f, T)], T));
+
+function $IsMemberlessType(name) returns (bool);
+
+axiom (forall o: ref :: { $IsMemberlessType($typeof(o)) } !$IsMemberlessType($typeof(o)));
+
+function $AsInterface(name) returns (name);
+
+axiom (forall $J: name, s: any, b: ref :: { UnboxedType(Box(s, b)) <: $AsInterface($J) } $AsInterface($J) == $J && Box(s, b) == b && UnboxedType(Box(s, b)) <: $AsInterface($J) ==> $typeof(b) <: $J);
+
+function $HeapSucc(oldHeap: Heap, newHeap: Heap) returns (bool);
+
+function $IsImmutable(T: name) returns (bool);
+
+axiom !$IsImmutable(System.Object);
+
+function $AsImmutable(T: name) returns (theType: name);
+
+function $AsMutable(T: name) returns (theType: name);
+
+axiom (forall T: name, U: name :: { U <: $AsImmutable(T) } U <: $AsImmutable(T) ==> $IsImmutable(U) && $AsImmutable(U) == U);
+
+axiom (forall T: name, U: name :: { U <: $AsMutable(T) } U <: $AsMutable(T) ==> !$IsImmutable(U) && $AsMutable(U) == U);
+
+function AsOwner(string: ref, owner: ref) returns (theString: ref);
+
+axiom (forall o: ref, T: name :: { $typeof(o) <: $AsImmutable(T) } o != null && o != $BeingConstructed && $typeof(o) <: $AsImmutable(T) ==> (forall h: Heap :: { IsHeap(h) } IsHeap(h) ==> h[o, $inv] == $typeof(o) && h[o, $localinv] == $typeof(o) && h[o, $ownerFrame] == $PeerGroupPlaceholder && AsOwner(o, h[o, $ownerRef]) == o && (forall t: ref :: { AsOwner(o, h[t, $ownerRef]) } AsOwner(o, h[t, $ownerRef]) == o ==> t == o || h[t, $ownerFrame] != $PeerGroupPlaceholder)));
+
+const unique System.String: name;
+
+function $StringLength(ref) returns (int);
+
+axiom (forall s: ref :: { $StringLength(s) } 0 <= $StringLength(s));
+
+function AsRepField(f: Field ref, declaringType: name) returns (theField: Field ref);
+
+axiom (forall h: Heap, o: ref, f: Field ref, T: name :: { h[o, AsRepField(f, T)] } IsHeap(h) && h[o, AsRepField(f, T)] != null ==> h[h[o, AsRepField(f, T)], $ownerRef] == o && h[h[o, AsRepField(f, T)], $ownerFrame] == T);
+
+function AsPeerField(f: Field ref) returns (theField: Field ref);
+
+axiom (forall h: Heap, o: ref, f: Field ref :: { h[o, AsPeerField(f)] } IsHeap(h) && h[o, AsPeerField(f)] != null ==> h[h[o, AsPeerField(f)], $ownerRef] == h[o, $ownerRef] && h[h[o, AsPeerField(f)], $ownerFrame] == h[o, $ownerFrame]);
+
+function AsElementsRepField(f: Field ref, declaringType: name, position: int) returns (theField: Field ref);
+
+axiom (forall h: Heap, o: ref, f: Field ref, T: name, i: int :: { h[o, AsElementsRepField(f, T, i)] } IsHeap(h) && h[o, AsElementsRepField(f, T, i)] != null ==> h[$ElementProxy(h[o, AsElementsRepField(f, T, i)], i), $ownerRef] == o && h[$ElementProxy(h[o, AsElementsRepField(f, T, i)], i), $ownerFrame] == T);
+
+function AsElementsPeerField(f: Field ref, position: int) returns (theField: Field ref);
+
+axiom (forall h: Heap, o: ref, f: Field ref, i: int :: { h[o, AsElementsPeerField(f, i)] } IsHeap(h) && h[o, AsElementsPeerField(f, i)] != null ==> h[$ElementProxy(h[o, AsElementsPeerField(f, i)], i), $ownerRef] == h[o, $ownerRef] && h[$ElementProxy(h[o, AsElementsPeerField(f, i)], i), $ownerFrame] == h[o, $ownerFrame]);
+
+axiom (forall h: Heap, o: ref :: { h[h[o, $ownerRef], $inv] <: h[o, $ownerFrame] } IsHeap(h) && h[o, $ownerFrame] != $PeerGroupPlaceholder && h[h[o, $ownerRef], $inv] <: h[o, $ownerFrame] && h[h[o, $ownerRef], $localinv] != $BaseClass(h[o, $ownerFrame]) ==> h[o, $inv] == $typeof(o) && h[o, $localinv] == $typeof(o));
+
+procedure $SetOwner(o: ref, ow: ref, fr: name);
+ modifies $Heap;
+ ensures (forall<a> p: ref, F: Field a :: { $Heap[p, F] } (F != $ownerRef && F != $ownerFrame) || old($Heap[p, $ownerRef] != $Heap[o, $ownerRef]) || old($Heap[p, $ownerFrame] != $Heap[o, $ownerFrame]) ==> old($Heap[p, F]) == $Heap[p, F]);
+ ensures (forall p: ref :: { $Heap[p, $ownerRef] } { $Heap[p, $ownerFrame] } old($Heap[p, $ownerRef] == $Heap[o, $ownerRef]) && old($Heap[p, $ownerFrame] == $Heap[o, $ownerFrame]) ==> $Heap[p, $ownerRef] == ow && $Heap[p, $ownerFrame] == fr);
+ free ensures $HeapSucc(old($Heap), $Heap);
+
+
+
+procedure $UpdateOwnersForRep(o: ref, T: name, e: ref);
+ modifies $Heap;
+ ensures (forall<a> p: ref, F: Field a :: { $Heap[p, F] } (F != $ownerRef && F != $ownerFrame) || old($Heap[p, $ownerRef] != $Heap[e, $ownerRef]) || old($Heap[p, $ownerFrame] != $Heap[e, $ownerFrame]) ==> old($Heap[p, F]) == $Heap[p, F]);
+ ensures e == null ==> $Heap == old($Heap);
+ ensures e != null ==> (forall p: ref :: { $Heap[p, $ownerRef] } { $Heap[p, $ownerFrame] } old($Heap[p, $ownerRef] == $Heap[e, $ownerRef]) && old($Heap[p, $ownerFrame] == $Heap[e, $ownerFrame]) ==> $Heap[p, $ownerRef] == o && $Heap[p, $ownerFrame] == T);
+ free ensures $HeapSucc(old($Heap), $Heap);
+
+
+
+procedure $UpdateOwnersForPeer(c: ref, d: ref);
+ modifies $Heap;
+ ensures (forall<a> p: ref, F: Field a :: { $Heap[p, F] } (F != $ownerRef && F != $ownerFrame) || old($Heap[p, $ownerRef] != $Heap[d, $ownerRef] || $Heap[p, $ownerFrame] != $Heap[d, $ownerFrame]) ==> old($Heap[p, F]) == $Heap[p, F]);
+ ensures d == null ==> $Heap == old($Heap);
+ ensures d != null ==> (forall p: ref :: { $Heap[p, $ownerRef] } { $Heap[p, $ownerFrame] } old($Heap[p, $ownerRef] == $Heap[d, $ownerRef] && $Heap[p, $ownerFrame] == $Heap[d, $ownerFrame]) ==> $Heap[p, $ownerRef] == old($Heap)[c, $ownerRef] && $Heap[p, $ownerFrame] == old($Heap)[c, $ownerFrame]);
+ free ensures $HeapSucc(old($Heap), $Heap);
+
+
+
+const unique $FirstConsistentOwner: Field ref;
+
+function $AsPureObject(ref) returns (ref);
+
+function ##FieldDependsOnFCO<a>(o: ref, f: Field a, ev: exposeVersionType) returns (value: any);
+
+axiom (forall<a> o: ref, f: Field a, h: Heap :: { h[$AsPureObject(o), f] } IsHeap(h) && o != null && h[o, $allocated] == true && $AsPureObject(o) == o && h[o, $ownerFrame] != $PeerGroupPlaceholder && h[h[o, $ownerRef], $inv] <: h[o, $ownerFrame] && h[h[o, $ownerRef], $localinv] != $BaseClass(h[o, $ownerFrame]) ==> h[o, f] == ##FieldDependsOnFCO(o, f, h[h[o, $FirstConsistentOwner], $exposeVersion]));
+
+axiom (forall o: ref, h: Heap :: { h[o, $FirstConsistentOwner] } IsHeap(h) && o != null && h[o, $allocated] == true && h[o, $ownerFrame] != $PeerGroupPlaceholder && h[h[o, $ownerRef], $inv] <: h[o, $ownerFrame] && h[h[o, $ownerRef], $localinv] != $BaseClass(h[o, $ownerFrame]) ==> h[o, $FirstConsistentOwner] != null && h[h[o, $FirstConsistentOwner], $allocated] == true && (h[h[o, $FirstConsistentOwner], $ownerFrame] == $PeerGroupPlaceholder || !(h[h[h[o, $FirstConsistentOwner], $ownerRef], $inv] <: h[h[o, $FirstConsistentOwner], $ownerFrame]) || h[h[h[o, $FirstConsistentOwner], $ownerRef], $localinv] == $BaseClass(h[h[o, $FirstConsistentOwner], $ownerFrame])));
+
+function Box<a>(a, ref) returns (ref);
+
+function Unbox(ref) returns (any);
+
+type NondetType;
+
+function MeldNondets(NondetType, any) returns (NondetType);
+
+function BoxFunc<a>(value: a, typ: name) returns (boxedValue: ref);
+
+function AllocFunc(typ: name) returns (newValue: ref);
+
+function NewInstance(object: ref, occurrence: NondetType, activity: ActivityType) returns (newInstance: ref);
+
+axiom (forall value: any, typ: name, occurrence: NondetType, activity: ActivityType :: { NewInstance(BoxFunc(value, typ), occurrence, activity) } Box(value, NewInstance(BoxFunc(value, typ), occurrence, activity)) == NewInstance(BoxFunc(value, typ), occurrence, activity) && UnboxedType(NewInstance(BoxFunc(value, typ), occurrence, activity)) == typ);
+
+axiom (forall x: ref, typ: name, occurrence: NondetType, activity: ActivityType :: !$IsValueType(UnboxedType(x)) ==> NewInstance(BoxFunc(x, typ), occurrence, activity) == x);
+
+axiom (forall x: any, p: ref :: { Unbox(Box(x, p)) } Unbox(Box(x, p)) == x);
+
+function UnboxedType(ref) returns (name);
+
+axiom (forall p: ref :: { $IsValueType(UnboxedType(p)) } $IsValueType(UnboxedType(p)) ==> (forall heap: Heap, x: any :: { heap[Box(x, p), $inv] } IsHeap(heap) ==> heap[Box(x, p), $inv] == $typeof(Box(x, p)) && heap[Box(x, p), $localinv] == $typeof(Box(x, p))));
+
+axiom (forall<a> x: a, p: ref :: { UnboxedType(Box(x, p)) <: System.Object } UnboxedType(Box(x, p)) <: System.Object && Box(x, p) == p ==> x == p);
+
+function BoxTester(p: ref, typ: name) returns (ref);
+
+axiom (forall p: ref, typ: name :: { BoxTester(p, typ) } UnboxedType(p) == typ <==> BoxTester(p, typ) != null);
+
+axiom (forall p: ref, typ: name :: { BoxTester(p, typ) } BoxTester(p, typ) != null ==> Box(Unbox(p), p) == p);
+
+axiom (forall typ: name, occurrence: NondetType, activity: ActivityType :: { NewInstance(AllocFunc(typ), occurrence, activity) } $typeof(NewInstance(AllocFunc(typ), occurrence, activity)) == typ && NewInstance(AllocFunc(typ), occurrence, activity) != null);
+
+axiom (forall typ: name, occurrence: NondetType, activity: ActivityType, heap: Heap :: { heap[NewInstance(AllocFunc(typ), occurrence, activity), $allocated] } IsHeap(heap) ==> heap[NewInstance(AllocFunc(typ), occurrence, activity), $allocated]);
+
+const unique System.SByte: name;
+
+axiom $IsValueType(System.SByte);
+
+const unique System.Byte: name;
+
+axiom $IsValueType(System.Byte);
+
+const unique System.Int16: name;
+
+axiom $IsValueType(System.Int16);
+
+const unique System.UInt16: name;
+
+axiom $IsValueType(System.UInt16);
+
+const unique System.Int32: name;
+
+axiom $IsValueType(System.Int32);
+
+const unique System.UInt32: name;
+
+axiom $IsValueType(System.UInt32);
+
+const unique System.Int64: name;
+
+axiom $IsValueType(System.Int64);
+
+const unique System.UInt64: name;
+
+axiom $IsValueType(System.UInt64);
+
+const unique System.Char: name;
+
+axiom $IsValueType(System.Char);
+
+const unique System.UIntPtr: name;
+
+axiom $IsValueType(System.UIntPtr);
+
+const unique System.IntPtr: name;
+
+axiom $IsValueType(System.IntPtr);
+
+const int#m2147483648: int;
+
+const int#2147483647: int;
+
+const int#4294967295: int;
+
+const int#m9223372036854775808: int;
+
+const int#9223372036854775807: int;
+
+const int#18446744073709551615: int;
+
+axiom int#m9223372036854775808 < int#m2147483648;
+
+axiom int#m2147483648 < 0 - 100000;
+
+axiom 100000 < int#2147483647;
+
+axiom int#2147483647 < int#4294967295;
+
+axiom int#4294967295 < int#9223372036854775807;
+
+axiom int#9223372036854775807 < int#18446744073709551615;
+
+axiom int#m9223372036854775808 + 1 == 0 - int#9223372036854775807;
+
+axiom int#m2147483648 + 1 == 0 - int#2147483647;
+
+function InRange(i: int, T: name) returns (bool);
+
+axiom (forall i: int :: InRange(i, System.SByte) <==> 0 - 128 <= i && i < 128);
+
+axiom (forall i: int :: InRange(i, System.Byte) <==> 0 <= i && i < 256);
+
+axiom (forall i: int :: InRange(i, System.Int16) <==> 0 - 32768 <= i && i < 32768);
+
+axiom (forall i: int :: InRange(i, System.UInt16) <==> 0 <= i && i < 65536);
+
+axiom (forall i: int :: InRange(i, System.Int32) <==> int#m2147483648 <= i && i <= int#2147483647);
+
+axiom (forall i: int :: InRange(i, System.UInt32) <==> 0 <= i && i <= int#4294967295);
+
+axiom (forall i: int :: InRange(i, System.Int64) <==> int#m9223372036854775808 <= i && i <= int#9223372036854775807);
+
+axiom (forall i: int :: InRange(i, System.UInt64) <==> 0 <= i && i <= int#18446744073709551615);
+
+axiom (forall i: int :: InRange(i, System.Char) <==> 0 <= i && i < 65536);
+
+function $IntToInt(val: int, fromType: name, toType: name) returns (int);
+
+function $IntToReal(int, fromType: name, toType: name) returns (real);
+
+function $RealToInt(real, fromType: name, toType: name) returns (int);
+
+function $RealToReal(val: real, fromType: name, toType: name) returns (real);
+
+axiom (forall z: int, B: name, C: name :: InRange(z, C) ==> $IntToInt(z, B, C) == z);
+
+function $SizeIs(name, int) returns (bool);
+
+function $IfThenElse(bool, any, any) returns (any);
+
+axiom (forall b: bool, x: any, y: any :: { $IfThenElse(b, x, y) } b ==> $IfThenElse(b, x, y) == x);
+
+axiom (forall b: bool, x: any, y: any :: { $IfThenElse(b, x, y) } !b ==> $IfThenElse(b, x, y) == y);
+
+function #neg(int) returns (int);
+
+function #and(int, int) returns (int);
+
+function #or(int, int) returns (int);
+
+function #xor(int, int) returns (int);
+
+function #shl(int, int) returns (int);
+
+function #shr(int, int) returns (int);
+
+function #rneg(real) returns (real);
+
+function #radd(real, real) returns (real);
+
+function #rsub(real, real) returns (real);
+
+function #rmul(real, real) returns (real);
+
+function #rdiv(real, real) returns (real);
+
+function #rmod(real, real) returns (real);
+
+function #rLess(real, real) returns (bool);
+
+function #rAtmost(real, real) returns (bool);
+
+function #rEq(real, real) returns (bool);
+
+function #rNeq(real, real) returns (bool);
+
+function #rAtleast(real, real) returns (bool);
+
+function #rGreater(real, real) returns (bool);
+
+axiom (forall x: int, y: int :: { x % y } { x / y } x % y == x - x / y * y);
+
+axiom (forall x: int, y: int :: { x % y } 0 <= x && 0 < y ==> 0 <= x % y && x % y < y);
+
+axiom (forall x: int, y: int :: { x % y } 0 <= x && y < 0 ==> 0 <= x % y && x % y < 0 - y);
+
+axiom (forall x: int, y: int :: { x % y } x <= 0 && 0 < y ==> 0 - y < x % y && x % y <= 0);
+
+axiom (forall x: int, y: int :: { x % y } x <= 0 && y < 0 ==> y < x % y && x % y <= 0);
+
+axiom (forall x: int, y: int :: { (x + y) % y } 0 <= x && 0 <= y ==> (x + y) % y == x % y);
+
+axiom (forall x: int, y: int :: { (y + x) % y } 0 <= x && 0 <= y ==> (y + x) % y == x % y);
+
+axiom (forall x: int, y: int :: { (x - y) % y } 0 <= x - y && 0 <= y ==> (x - y) % y == x % y);
+
+axiom (forall a: int, b: int, d: int :: { a % d, b % d } 2 <= d && a % d == b % d && a < b ==> a + d <= b);
+
+axiom (forall x: int, y: int :: { #and(x, y) } 0 <= x || 0 <= y ==> 0 <= #and(x, y));
+
+axiom (forall x: int, y: int :: { #or(x, y) } 0 <= x && 0 <= y ==> 0 <= #or(x, y) && #or(x, y) <= x + y);
+
+axiom (forall i: int :: { #shl(i, 0) } #shl(i, 0) == i);
+
+axiom (forall i: int, j: int :: { #shl(i, j) } 1 <= j ==> #shl(i, j) == #shl(i, j - 1) * 2);
+
+axiom (forall i: int, j: int :: { #shl(i, j) } 0 <= i && i < 32768 && 0 <= j && j <= 16 ==> 0 <= #shl(i, j) && #shl(i, j) <= int#2147483647);
+
+axiom (forall i: int :: { #shr(i, 0) } #shr(i, 0) == i);
+
+axiom (forall i: int, j: int :: { #shr(i, j) } 1 <= j ==> #shr(i, j) == #shr(i, j - 1) / 2);
+
+function #min(int, int) returns (int);
+
+function #max(int, int) returns (int);
+
+axiom (forall x: int, y: int :: { #min(x, y) } (#min(x, y) == x || #min(x, y) == y) && #min(x, y) <= x && #min(x, y) <= y);
+
+axiom (forall x: int, y: int :: { #max(x, y) } (#max(x, y) == x || #max(x, y) == y) && x <= #max(x, y) && y <= #max(x, y));
+
+function #System.String.IsInterned$System.String$notnull(Heap, ref) returns (ref);
+
+function #System.String.Equals$System.String(Heap, ref, ref) returns (bool);
+
+function #System.String.Equals$System.String$System.String(Heap, ref, ref) returns (bool);
+
+function ##StringEquals(ref, ref) returns (bool);
+
+axiom (forall h: Heap, a: ref, b: ref :: { #System.String.Equals$System.String(h, a, b) } #System.String.Equals$System.String(h, a, b) == #System.String.Equals$System.String$System.String(h, a, b));
+
+axiom (forall h: Heap, a: ref, b: ref :: { #System.String.Equals$System.String$System.String(h, a, b) } #System.String.Equals$System.String$System.String(h, a, b) == ##StringEquals(a, b) && #System.String.Equals$System.String$System.String(h, a, b) == ##StringEquals(b, a) && (a == b ==> ##StringEquals(a, b)));
+
+axiom (forall a: ref, b: ref, c: ref :: ##StringEquals(a, b) && ##StringEquals(b, c) ==> ##StringEquals(a, c));
+
+axiom (forall h: Heap, a: ref, b: ref :: { #System.String.Equals$System.String$System.String(h, a, b) } a != null && b != null && #System.String.Equals$System.String$System.String(h, a, b) ==> #System.String.IsInterned$System.String$notnull(h, a) == #System.String.IsInterned$System.String$notnull(h, b));
+
+const $UnknownRef: ref;
+
+const unique Bag.a: Field ref;
+
+const unique Bag.n: Field int;
+
+const unique Microsoft.Contracts.GuardException: name;
+
+const unique System.ICloneable: name;
+
+const unique Microsoft.Contracts.ObjectInvariantException: name;
+
+const unique System.Exception: name;
+
+const unique System.Collections.IEnumerable: name;
+
+const unique System.Collections.IList: name;
+
+const unique Microsoft.Contracts.ICheckedException: name;
+
+const unique System.Reflection.MemberInfo: name;
+
+const unique Bag: name;
+
+const unique System.Reflection.IReflect: name;
+
+const unique System.Runtime.InteropServices._MemberInfo: name;
+
+const unique System.Runtime.InteropServices._Type: name;
+
+const unique System.Collections.ICollection: name;
+
+const unique System.Runtime.InteropServices._Exception: name;
+
+const unique System.Runtime.Serialization.ISerializable: name;
+
+const unique System.Reflection.ICustomAttributeProvider: name;
+
+axiom !IsStaticField(Bag.n);
+
+axiom IncludeInMainFrameCondition(Bag.n);
+
+axiom $IncludedInModifiesStar(Bag.n);
+
+axiom DeclType222(Bag.n) == Bag;
+
+axiom AsRangeField(Bag.n, System.Int32) == Bag.n;
+
+axiom !IsStaticField(Bag.a);
+
+axiom IncludeInMainFrameCondition(Bag.a);
+
+axiom $IncludedInModifiesStar(Bag.a);
+
+axiom AsRepField(Bag.a, Bag) == Bag.a;
+
+axiom DeclType222(Bag.a) == Bag;
+
+axiom AsNonNullRefField(Bag.a, IntArray(System.Int32, 1)) == Bag.a;
+
+axiom Bag <: Bag;
+
+axiom $BaseClass(Bag) == System.Object && AsDirectSubClass(Bag, $BaseClass(Bag)) == Bag;
+
+axiom !$IsImmutable(Bag) && $AsMutable(Bag) == Bag;
+
+axiom System.Array <: System.Array;
+
+axiom $BaseClass(System.Array) == System.Object && AsDirectSubClass(System.Array, $BaseClass(System.Array)) == System.Array;
+
+axiom !$IsImmutable(System.Array) && $AsMutable(System.Array) == System.Array;
+
+axiom System.ICloneable <: System.ICloneable;
+
+axiom System.ICloneable <: System.Object;
+
+axiom $IsMemberlessType(System.ICloneable);
+
+axiom $AsInterface(System.ICloneable) == System.ICloneable;
+
+axiom System.Array <: System.ICloneable;
+
+axiom System.Collections.IList <: System.Collections.IList;
+
+axiom System.Collections.IList <: System.Object;
+
+axiom System.Collections.ICollection <: System.Collections.ICollection;
+
+axiom System.Collections.ICollection <: System.Object;
+
+axiom System.Collections.IEnumerable <: System.Collections.IEnumerable;
+
+axiom System.Collections.IEnumerable <: System.Object;
+
+axiom $IsMemberlessType(System.Collections.IEnumerable);
+
+axiom $AsInterface(System.Collections.IEnumerable) == System.Collections.IEnumerable;
+
+axiom System.Collections.ICollection <: System.Collections.IEnumerable;
+
+axiom $IsMemberlessType(System.Collections.ICollection);
+
+axiom $AsInterface(System.Collections.ICollection) == System.Collections.ICollection;
+
+axiom System.Collections.IList <: System.Collections.ICollection;
+
+axiom System.Collections.IList <: System.Collections.IEnumerable;
+
+axiom $IsMemberlessType(System.Collections.IList);
+
+axiom $AsInterface(System.Collections.IList) == System.Collections.IList;
+
+axiom System.Array <: System.Collections.IList;
+
+axiom System.Array <: System.Collections.ICollection;
+
+axiom System.Array <: System.Collections.IEnumerable;
+
+axiom $IsMemberlessType(System.Array);
+
+// System.Array object invariant
+axiom (forall $oi: ref, $h: Heap :: { $h[$oi, $inv] <: System.Array } IsHeap($h) && $h[$oi, $inv] <: System.Array && $h[$oi, $localinv] != $BaseClass(System.Array) ==> true);
+
+// Bag object invariant
+axiom (forall $oi: ref, $h: Heap :: { $h[$oi, $inv] <: Bag } IsHeap($h) && $h[$oi, $inv] <: Bag && $h[$oi, $localinv] != $BaseClass(Bag) ==> 0 <= $h[$oi, Bag.n] && $h[$oi, Bag.n] <= $Length($h[$oi, Bag.a]));
+
+procedure Bag.SpecSharp.CheckInvariant$System.Boolean(this: ref where $IsNotNull(this, Bag) && $Heap[this, $allocated], throwException$in: bool where true) returns ($result: bool where true);
+ // user-declared preconditions
+ requires ($Heap[this, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[this, $ownerRef], $inv] <: $Heap[this, $ownerFrame]) || $Heap[$Heap[this, $ownerRef], $localinv] == $BaseClass($Heap[this, $ownerFrame])) && $Heap[this, $inv] == System.Object && $Heap[this, $localinv] == $typeof(this) && (forall $p: ref :: $p != null && $Heap[$p, $allocated] && $Heap[$p, $ownerRef] == this && $Heap[$p, $ownerFrame] == Bag ==> $Heap[$p, $inv] == $typeof($p) && $Heap[$p, $localinv] == $typeof($p));
+ free requires $BeingConstructed == null;
+ free requires $PurityAxiomsCanBeAssumed;
+ modifies $Heap, $ActivityIndicator;
+ // newly allocated objects are fully valid
+ free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } $o != null && !old($Heap)[$o, $allocated] && $Heap[$o, $allocated] ==> $Heap[$o, $inv] == $typeof($o) && $Heap[$o, $localinv] == $typeof($o));
+ // first consistent owner unchanged if its exposeVersion is
+ free ensures (forall $o: ref :: { $Heap[$o, $FirstConsistentOwner] } old($Heap)[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] == $Heap[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] ==> old($Heap)[$o, $FirstConsistentOwner] == $Heap[$o, $FirstConsistentOwner]);
+ // frame condition
+ ensures (forall<a> $o: ref, $f: Field a :: { $Heap[$o, $f] } IncludeInMainFrameCondition($f) && $o != null && old($Heap)[$o, $allocated] && (old($Heap)[$o, $ownerFrame] == $PeerGroupPlaceholder || !(old($Heap)[old($Heap)[$o, $ownerRef], $inv] <: old($Heap)[$o, $ownerFrame]) || old($Heap)[old($Heap)[$o, $ownerRef], $localinv] == $BaseClass(old($Heap)[$o, $ownerFrame])) && old($o != this || !($typeof(this) <: DeclType222($f)) || !$IncludedInModifiesStar($f)) && old(true) ==> old($Heap)[$o, $f] == $Heap[$o, $f]);
+ free ensures $HeapSucc(old($Heap), $Heap);
+ // inv/localinv change only in blocks
+ free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } old($Heap)[$o, $allocated] ==> old($Heap)[$o, $inv] == $Heap[$o, $inv] && old($Heap)[$o, $localinv] == $Heap[$o, $localinv]);
+ free ensures (forall $o: ref :: { $Heap[$o, $allocated] } old($Heap)[$o, $allocated] ==> $Heap[$o, $allocated]) && (forall $ot: ref :: { $Heap[$ot, $ownerFrame] } { $Heap[$ot, $ownerRef] } old($Heap)[$ot, $allocated] && old($Heap)[$ot, $ownerFrame] != $PeerGroupPlaceholder ==> $Heap[$ot, $ownerRef] == old($Heap)[$ot, $ownerRef] && $Heap[$ot, $ownerFrame] == old($Heap)[$ot, $ownerFrame]) && old($Heap)[$BeingConstructed, $NonNullFieldsAreInitialized] == $Heap[$BeingConstructed, $NonNullFieldsAreInitialized];
+ free ensures (forall $o: ref :: { $Heap[$o, $sharingMode] } old($Heap[$o, $sharingMode]) == $Heap[$o, $sharingMode]);
+
+
+
+implementation Bag.SpecSharp.CheckInvariant$System.Boolean(this: ref, throwException$in: bool) returns ($result: bool)
+{
+ var throwException: bool where true, stack0i: int, stack1i: int, stack0b: bool, stack1o: ref, return.value: bool where true, stack50000o: ref, stack0o: ref, SS$Display.Return.Local: bool where true;
+
+ entry:
+ throwException := throwException$in;
+ goto block2380;
+
+ block2380:
+ goto block2482;
+
+ block2482:
+ // ----- nop
+ // ----- load constant 0
+ stack0i := 0;
+ // ----- load field
+ assert this != null;
+ stack1i := $Heap[this, Bag.n];
+ // ----- binary operator
+ // ----- branch
+ goto true2482to2550, false2482to2414;
+
+ true2482to2550:
+ assume stack0i > stack1i;
+ goto block2550;
+
+ false2482to2414:
+ assume stack0i <= stack1i;
+ goto block2414;
+
+ block2550:
+ // ----- copy
+ stack0b := throwException;
+ // ----- unary operator
+ // ----- branch
+ goto true2550to2584, false2550to2601;
+
+ block2414:
+ // ----- load field
+ assert this != null;
+ stack0i := $Heap[this, Bag.n];
+ // ----- load field
+ assert this != null;
+ stack1o := $Heap[this, Bag.a];
+ // ----- unary operator
+ assert stack1o != null;
+ stack1i := $Length(stack1o);
+ // ----- unary operator
+ stack1i := $IntToInt(stack1i, System.UIntPtr, System.Int32);
+ // ----- binary operator
+ // ----- branch
+ goto true2414to2550, false2414to2465;
+
+ true2414to2550:
+ assume stack0i > stack1i;
+ goto block2550;
+
+ false2414to2465:
+ assume stack0i <= stack1i;
+ goto block2465;
+
+ block2465:
+ // ----- branch
+ goto block2448;
+
+ true2550to2584:
+ assume !stack0b;
+ goto block2584;
+
+ false2550to2601:
+ assume stack0b;
+ goto block2601;
+
+ block2584:
+ // ----- load constant 0
+ return.value := false;
+ // ----- branch
+ goto block2567;
+
+ block2601:
+ assume false;
+ // ----- new object
+ havoc stack50000o;
+ assume $Heap[stack50000o, $allocated] == false && stack50000o != null && $typeof(stack50000o) == Microsoft.Contracts.ObjectInvariantException;
+ assume $Heap[stack50000o, $ownerRef] == stack50000o && $Heap[stack50000o, $ownerFrame] == $PeerGroupPlaceholder;
+ // ----- call
+ assert stack50000o != null;
+ call Microsoft.Contracts.ObjectInvariantException..ctor(stack50000o);
+ // ----- copy
+ stack0o := stack50000o;
+ // ----- throw
+ assert stack0o != null;
+ assume false;
+ return;
+
+ block2448:
+ // ----- load constant 1
+ return.value := true;
+ // ----- branch
+ goto block2567;
+
+ block2567:
+ // ----- copy
+ SS$Display.Return.Local := return.value;
+ // ----- copy
+ stack0b := return.value;
+ // ----- return
+ $result := stack0b;
+ return;
+}
+
+
+
+axiom Microsoft.Contracts.ObjectInvariantException <: Microsoft.Contracts.ObjectInvariantException;
+
+axiom Microsoft.Contracts.GuardException <: Microsoft.Contracts.GuardException;
+
+axiom System.Exception <: System.Exception;
+
+axiom $BaseClass(System.Exception) == System.Object && AsDirectSubClass(System.Exception, $BaseClass(System.Exception)) == System.Exception;
+
+axiom !$IsImmutable(System.Exception) && $AsMutable(System.Exception) == System.Exception;
+
+axiom System.Runtime.Serialization.ISerializable <: System.Runtime.Serialization.ISerializable;
+
+axiom System.Runtime.Serialization.ISerializable <: System.Object;
+
+axiom $IsMemberlessType(System.Runtime.Serialization.ISerializable);
+
+axiom $AsInterface(System.Runtime.Serialization.ISerializable) == System.Runtime.Serialization.ISerializable;
+
+axiom System.Exception <: System.Runtime.Serialization.ISerializable;
+
+axiom System.Runtime.InteropServices._Exception <: System.Runtime.InteropServices._Exception;
+
+axiom System.Runtime.InteropServices._Exception <: System.Object;
+
+axiom $IsMemberlessType(System.Runtime.InteropServices._Exception);
+
+axiom $AsInterface(System.Runtime.InteropServices._Exception) == System.Runtime.InteropServices._Exception;
+
+axiom System.Exception <: System.Runtime.InteropServices._Exception;
+
+// System.Exception object invariant
+axiom (forall $oi: ref, $h: Heap :: { $h[$oi, $inv] <: System.Exception } IsHeap($h) && $h[$oi, $inv] <: System.Exception && $h[$oi, $localinv] != $BaseClass(System.Exception) ==> true);
+
+axiom $BaseClass(Microsoft.Contracts.GuardException) == System.Exception && AsDirectSubClass(Microsoft.Contracts.GuardException, $BaseClass(Microsoft.Contracts.GuardException)) == Microsoft.Contracts.GuardException;
+
+axiom !$IsImmutable(Microsoft.Contracts.GuardException) && $AsMutable(Microsoft.Contracts.GuardException) == Microsoft.Contracts.GuardException;
+
+// Microsoft.Contracts.GuardException object invariant
+axiom (forall $oi: ref, $h: Heap :: { $h[$oi, $inv] <: Microsoft.Contracts.GuardException } IsHeap($h) && $h[$oi, $inv] <: Microsoft.Contracts.GuardException && $h[$oi, $localinv] != $BaseClass(Microsoft.Contracts.GuardException) ==> true);
+
+axiom $BaseClass(Microsoft.Contracts.ObjectInvariantException) == Microsoft.Contracts.GuardException && AsDirectSubClass(Microsoft.Contracts.ObjectInvariantException, $BaseClass(Microsoft.Contracts.ObjectInvariantException)) == Microsoft.Contracts.ObjectInvariantException;
+
+axiom !$IsImmutable(Microsoft.Contracts.ObjectInvariantException) && $AsMutable(Microsoft.Contracts.ObjectInvariantException) == Microsoft.Contracts.ObjectInvariantException;
+
+// Microsoft.Contracts.ObjectInvariantException object invariant
+axiom (forall $oi: ref, $h: Heap :: { $h[$oi, $inv] <: Microsoft.Contracts.ObjectInvariantException } IsHeap($h) && $h[$oi, $inv] <: Microsoft.Contracts.ObjectInvariantException && $h[$oi, $localinv] != $BaseClass(Microsoft.Contracts.ObjectInvariantException) ==> true);
+
+procedure Microsoft.Contracts.ObjectInvariantException..ctor(this: ref where $IsNotNull(this, Microsoft.Contracts.ObjectInvariantException) && $Heap[this, $allocated]);
+ // object is fully unpacked: this.inv == Object
+ free requires ($Heap[this, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[this, $ownerRef], $inv] <: $Heap[this, $ownerFrame]) || $Heap[$Heap[this, $ownerRef], $localinv] == $BaseClass($Heap[this, $ownerFrame])) && $Heap[this, $inv] == System.Object && $Heap[this, $localinv] == $typeof(this);
+ // nothing is owned by [this,*] and 'this' is alone in its own peer group
+ free requires (forall $o: ref :: $o != this ==> $Heap[$o, $ownerRef] != this) && $Heap[this, $ownerRef] == this && $Heap[this, $ownerFrame] == $PeerGroupPlaceholder;
+ free requires $BeingConstructed == this;
+ free requires $PurityAxiomsCanBeAssumed;
+ modifies $Heap, $ActivityIndicator;
+ // target object is allocated upon return
+ free ensures $Heap[this, $allocated];
+ // target object is additively exposable for Microsoft.Contracts.ObjectInvariantException
+ ensures ($Heap[this, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[this, $ownerRef], $inv] <: $Heap[this, $ownerFrame]) || $Heap[$Heap[this, $ownerRef], $localinv] == $BaseClass($Heap[this, $ownerFrame])) && $Heap[this, $inv] == Microsoft.Contracts.ObjectInvariantException && $Heap[this, $localinv] == $typeof(this);
+ ensures $Heap[this, $ownerRef] == old($Heap)[this, $ownerRef] && $Heap[this, $ownerFrame] == old($Heap)[this, $ownerFrame];
+ ensures $Heap[this, $sharingMode] == $SharingMode_Unshared;
+ // newly allocated objects are fully valid
+ free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } $o != null && !old($Heap)[$o, $allocated] && $Heap[$o, $allocated] ==> $Heap[$o, $inv] == $typeof($o) && $Heap[$o, $localinv] == $typeof($o));
+ // first consistent owner unchanged if its exposeVersion is
+ free ensures (forall $o: ref :: { $Heap[$o, $FirstConsistentOwner] } old($Heap)[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] == $Heap[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] ==> old($Heap)[$o, $FirstConsistentOwner] == $Heap[$o, $FirstConsistentOwner]);
+ // frame condition
+ ensures (forall<a> $o: ref, $f: Field a :: { $Heap[$o, $f] } IncludeInMainFrameCondition($f) && $o != null && old($Heap)[$o, $allocated] && (old($Heap)[$o, $ownerFrame] == $PeerGroupPlaceholder || !(old($Heap)[old($Heap)[$o, $ownerRef], $inv] <: old($Heap)[$o, $ownerFrame]) || old($Heap)[old($Heap)[$o, $ownerRef], $localinv] == $BaseClass(old($Heap)[$o, $ownerFrame])) && ($o != this || !(Microsoft.Contracts.ObjectInvariantException <: DeclType222($f))) && old(true) && old(true) ==> old($Heap)[$o, $f] == $Heap[$o, $f]);
+ free ensures $HeapSucc(old($Heap), $Heap);
+ // inv/localinv change only in blocks
+ free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } old($Heap)[$o, $allocated] && $o != this ==> old($Heap)[$o, $inv] == $Heap[$o, $inv] && old($Heap)[$o, $localinv] == $Heap[$o, $localinv]);
+ free ensures (forall $o: ref :: { $Heap[$o, $allocated] } old($Heap)[$o, $allocated] ==> $Heap[$o, $allocated]) && (forall $ot: ref :: { $Heap[$ot, $ownerFrame] } { $Heap[$ot, $ownerRef] } old($Heap)[$ot, $allocated] && old($Heap)[$ot, $ownerFrame] != $PeerGroupPlaceholder ==> $Heap[$ot, $ownerRef] == old($Heap)[$ot, $ownerRef] && $Heap[$ot, $ownerFrame] == old($Heap)[$ot, $ownerFrame]) && old($Heap)[$BeingConstructed, $NonNullFieldsAreInitialized] == $Heap[$BeingConstructed, $NonNullFieldsAreInitialized];
+ free ensures (forall $o: ref :: { $Heap[$o, $sharingMode] } $o == this || old($Heap[$o, $sharingMode]) == $Heap[$o, $sharingMode]);
+
+
+
+procedure Bag..ctor$System.Int32.array$notnull(this: ref where $IsNotNull(this, Bag) && $Heap[this, $allocated], initialElements$in: ref where $IsNotNull(initialElements$in, IntArray(System.Int32, 1)) && $Heap[initialElements$in, $allocated]);
+ // object is fully unpacked: this.inv == Object
+ free requires ($Heap[this, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[this, $ownerRef], $inv] <: $Heap[this, $ownerFrame]) || $Heap[$Heap[this, $ownerRef], $localinv] == $BaseClass($Heap[this, $ownerFrame])) && $Heap[this, $inv] == System.Object && $Heap[this, $localinv] == $typeof(this);
+ // initialElements is peer consistent
+ requires (forall $pc: ref :: { $typeof($pc) } { $Heap[$pc, $localinv] } { $Heap[$pc, $inv] } { $Heap[$pc, $ownerFrame] } { $Heap[$pc, $ownerRef] } $pc != null && $Heap[$pc, $allocated] && $Heap[$pc, $ownerRef] == $Heap[initialElements$in, $ownerRef] && $Heap[$pc, $ownerFrame] == $Heap[initialElements$in, $ownerFrame] ==> $Heap[$pc, $inv] == $typeof($pc) && $Heap[$pc, $localinv] == $typeof($pc));
+ // initialElements is peer consistent (owner must not be valid)
+ requires $Heap[initialElements$in, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[initialElements$in, $ownerRef], $inv] <: $Heap[initialElements$in, $ownerFrame]) || $Heap[$Heap[initialElements$in, $ownerRef], $localinv] == $BaseClass($Heap[initialElements$in, $ownerFrame]);
+ // nothing is owned by [this,*] and 'this' is alone in its own peer group
+ free requires (forall $o: ref :: $o != this ==> $Heap[$o, $ownerRef] != this) && $Heap[this, $ownerRef] == this && $Heap[this, $ownerFrame] == $PeerGroupPlaceholder;
+ free requires $BeingConstructed == this;
+ free requires $PurityAxiomsCanBeAssumed;
+ modifies $Heap, $ActivityIndicator;
+ // target object is allocated upon return
+ free ensures $Heap[this, $allocated];
+ // target object is additively exposable for Bag
+ ensures ($Heap[this, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[this, $ownerRef], $inv] <: $Heap[this, $ownerFrame]) || $Heap[$Heap[this, $ownerRef], $localinv] == $BaseClass($Heap[this, $ownerFrame])) && $Heap[this, $inv] == Bag && $Heap[this, $localinv] == $typeof(this);
+ ensures $Heap[this, $ownerRef] == old($Heap)[this, $ownerRef] && $Heap[this, $ownerFrame] == old($Heap)[this, $ownerFrame];
+ ensures $Heap[this, $sharingMode] == $SharingMode_Unshared;
+ // newly allocated objects are fully valid
+ free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } $o != null && !old($Heap)[$o, $allocated] && $Heap[$o, $allocated] ==> $Heap[$o, $inv] == $typeof($o) && $Heap[$o, $localinv] == $typeof($o));
+ // first consistent owner unchanged if its exposeVersion is
+ free ensures (forall $o: ref :: { $Heap[$o, $FirstConsistentOwner] } old($Heap)[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] == $Heap[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] ==> old($Heap)[$o, $FirstConsistentOwner] == $Heap[$o, $FirstConsistentOwner]);
+ // frame condition
+ ensures (forall<a> $o: ref, $f: Field a :: { $Heap[$o, $f] } IncludeInMainFrameCondition($f) && $o != null && old($Heap)[$o, $allocated] && (old($Heap)[$o, $ownerFrame] == $PeerGroupPlaceholder || !(old($Heap)[old($Heap)[$o, $ownerRef], $inv] <: old($Heap)[$o, $ownerFrame]) || old($Heap)[old($Heap)[$o, $ownerRef], $localinv] == $BaseClass(old($Heap)[$o, $ownerFrame])) && ($o != this || !(Bag <: DeclType222($f))) && old(true) && old(true) ==> old($Heap)[$o, $f] == $Heap[$o, $f]);
+ free ensures $HeapSucc(old($Heap), $Heap);
+ // inv/localinv change only in blocks
+ free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } old($Heap)[$o, $allocated] && $o != this ==> old($Heap)[$o, $inv] == $Heap[$o, $inv] && old($Heap)[$o, $localinv] == $Heap[$o, $localinv]);
+ free ensures (forall $o: ref :: { $Heap[$o, $allocated] } old($Heap)[$o, $allocated] ==> $Heap[$o, $allocated]) && (forall $ot: ref :: { $Heap[$ot, $ownerFrame] } { $Heap[$ot, $ownerRef] } old($Heap)[$ot, $allocated] && old($Heap)[$ot, $ownerFrame] != $PeerGroupPlaceholder ==> $Heap[$ot, $ownerRef] == old($Heap)[$ot, $ownerRef] && $Heap[$ot, $ownerFrame] == old($Heap)[$ot, $ownerFrame]) && old($Heap)[$BeingConstructed, $NonNullFieldsAreInitialized] == $Heap[$BeingConstructed, $NonNullFieldsAreInitialized];
+ free ensures (forall $o: ref :: { $Heap[$o, $sharingMode] } $o == this || old($Heap[$o, $sharingMode]) == $Heap[$o, $sharingMode]);
+
+
+
+implementation Bag..ctor$System.Int32.array$notnull(this: ref, initialElements$in: ref)
+{
+ var initialElements: ref where $IsNotNull(initialElements, IntArray(System.Int32, 1)) && $Heap[initialElements, $allocated], stack0o: ref, stack0i: int, temp0: exposeVersionType, temp1: ref, temp2: exposeVersionType, stack1i: int, temp3: ref;
+
+ entry:
+ initialElements := initialElements$in;
+ assume $Heap[this, Bag.n] == 0;
+ goto block3332;
+
+ block3332:
+ goto block3468;
+
+ block3468:
+ // ----- nop
+ // ----- copy ----- AddMethod.ssc(13,5)
+ stack0o := initialElements;
+ // ----- unary operator ----- AddMethod.ssc(13,5)
+ assert stack0o != null;
+ stack0i := $Length(stack0o);
+ // ----- unary operator ----- AddMethod.ssc(13,5)
+ stack0i := $IntToInt(stack0i, System.UIntPtr, System.Int32);
+ // ----- store field ----- AddMethod.ssc(13,5)
+ assert this != null;
+ assert $Heap[this, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[this, $ownerRef], $inv] <: $Heap[this, $ownerFrame]) || $Heap[$Heap[this, $ownerRef], $localinv] == $BaseClass($Heap[this, $ownerFrame]);
+ havoc temp0;
+ $Heap[this, $exposeVersion] := temp0;
+ $Heap[this, Bag.n] := stack0i;
+ assert !($Heap[this, $inv] <: Bag && $Heap[this, $localinv] != $BaseClass(Bag)) || 0 <= $Heap[this, Bag.n];
+ assert !($Heap[this, $inv] <: Bag && $Heap[this, $localinv] != $BaseClass(Bag)) || $Heap[this, Bag.n] <= $Length($Heap[this, Bag.a]);
+ assume IsHeap($Heap);
+ // ----- copy ----- AddMethod.ssc(14,5)
+ stack0o := initialElements;
+ // ----- unary operator ----- AddMethod.ssc(14,5)
+ assert stack0o != null;
+ stack0i := $Length(stack0o);
+ // ----- unary operator ----- AddMethod.ssc(14,5)
+ stack0i := $IntToInt(stack0i, System.UIntPtr, System.Int32);
+ // ----- new array ----- AddMethod.ssc(14,5)
+ assert 0 <= stack0i;
+ havoc temp1;
+ assume $Heap[temp1, $allocated] == false && $Length(temp1) == stack0i;
+ assume $Heap[$ElementProxy(temp1, -1), $allocated] == false && $ElementProxy(temp1, -1) != temp1 && $ElementProxy(temp1, -1) != null;
+ assume temp1 != null;
+ assume $typeof(temp1) == IntArray(System.Int32, 1);
+ assume $Heap[temp1, $ownerRef] == temp1 && $Heap[temp1, $ownerFrame] == $PeerGroupPlaceholder;
+ assume $Heap[$ElementProxy(temp1, -1), $ownerRef] == $ElementProxy(temp1, -1) && $Heap[$ElementProxy(temp1, -1), $ownerFrame] == $PeerGroupPlaceholder;
+ assume $Heap[temp1, $inv] == $typeof(temp1) && $Heap[temp1, $localinv] == $typeof(temp1);
+ assume (forall $i: int :: IntArrayGet($Heap[temp1, $elements], $i) == 0);
+ $Heap[temp1, $allocated] := true;
+ call System.Object..ctor($ElementProxy(temp1, -1));
+ stack0o := temp1;
+ assume IsHeap($Heap);
+ // ----- store field ----- AddMethod.ssc(14,5)
+ assert this != null;
+ assert $Heap[this, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[this, $ownerRef], $inv] <: $Heap[this, $ownerFrame]) || $Heap[$Heap[this, $ownerRef], $localinv] == $BaseClass($Heap[this, $ownerFrame]);
+ assert ($Heap[stack0o, $ownerRef] == this && $Heap[stack0o, $ownerFrame] == Bag) || $Heap[stack0o, $ownerFrame] == $PeerGroupPlaceholder;
+ assert $Heap[stack0o, $ownerFrame] == $PeerGroupPlaceholder && $Heap[this, $inv] <: Bag && $Heap[this, $localinv] != $BaseClass(Bag) ==> (forall $pc: ref :: { $typeof($pc) } { $Heap[$pc, $localinv] } { $Heap[$pc, $inv] } { $Heap[$pc, $ownerFrame] } { $Heap[$pc, $ownerRef] } $pc != null && $Heap[$pc, $allocated] && $Heap[$pc, $ownerRef] == $Heap[stack0o, $ownerRef] && $Heap[$pc, $ownerFrame] == $Heap[stack0o, $ownerFrame] ==> $Heap[$pc, $inv] == $typeof($pc) && $Heap[$pc, $localinv] == $typeof($pc));
+ assert $Heap[stack0o, $ownerFrame] == $PeerGroupPlaceholder && $Heap[this, $inv] <: Bag && $Heap[this, $localinv] != $BaseClass(Bag) ==> $Heap[this, $ownerRef] != $Heap[stack0o, $ownerRef] || $Heap[this, $ownerFrame] != $Heap[stack0o, $ownerFrame];
+ call $UpdateOwnersForRep(this, Bag, stack0o);
+ havoc temp2;
+ $Heap[this, $exposeVersion] := temp2;
+ $Heap[this, Bag.a] := stack0o;
+ assert !($Heap[this, $inv] <: Bag && $Heap[this, $localinv] != $BaseClass(Bag)) || 0 <= $Heap[this, Bag.n];
+ assert !($Heap[this, $inv] <: Bag && $Heap[this, $localinv] != $BaseClass(Bag)) || $Heap[this, Bag.n] <= $Length($Heap[this, Bag.a]);
+ assume IsHeap($Heap);
+ // ----- call ----- AddMethod.ssc(15,5)
+ assert this != null;
+ call System.Object..ctor(this);
+ $Heap[this, $NonNullFieldsAreInitialized] := true;
+ assume IsHeap($Heap);
+ goto block3417;
+
+ block3417:
+ // ----- load field ----- AddMethod.ssc(16,5)
+ assert this != null;
+ stack0o := $Heap[this, Bag.a];
+ // ----- load constant 0 ----- AddMethod.ssc(16,5)
+ stack1i := 0;
+ // ----- call ----- AddMethod.ssc(16,5)
+ assert initialElements != null;
+ call System.Array.CopyTo$System.Array$notnull$System.Int32$.Virtual.$(initialElements, stack0o, stack1i);
+ // ----- FrameGuard processing ----- AddMethod.ssc(17,3)
+ temp3 := this;
+ // ----- classic pack ----- AddMethod.ssc(17,3)
+ assert temp3 != null;
+ assert $Heap[temp3, $inv] == System.Object && $Heap[temp3, $localinv] == $typeof(temp3);
+ assert 0 <= $Heap[temp3, Bag.n];
+ assert $Heap[temp3, Bag.n] <= $Length($Heap[temp3, Bag.a]);
+ assert (forall $p: ref :: $p != null && $Heap[$p, $allocated] && $Heap[$p, $ownerRef] == temp3 && $Heap[$p, $ownerFrame] == Bag ==> $Heap[$p, $inv] == $typeof($p) && $Heap[$p, $localinv] == $typeof($p));
+ $Heap[temp3, $inv] := Bag;
+ assume IsHeap($Heap);
+ // ----- return
+ return;
+}
+
+
+
+procedure System.Object..ctor(this: ref where $IsNotNull(this, System.Object) && $Heap[this, $allocated]);
+ // object is fully unpacked: this.inv == Object
+ free requires ($Heap[this, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[this, $ownerRef], $inv] <: $Heap[this, $ownerFrame]) || $Heap[$Heap[this, $ownerRef], $localinv] == $BaseClass($Heap[this, $ownerFrame])) && $Heap[this, $inv] == System.Object && $Heap[this, $localinv] == $typeof(this);
+ // nothing is owned by [this,*] and 'this' is alone in its own peer group
+ free requires (forall $o: ref :: $o != this ==> $Heap[$o, $ownerRef] != this) && $Heap[this, $ownerRef] == this && $Heap[this, $ownerFrame] == $PeerGroupPlaceholder;
+ free requires $BeingConstructed == this;
+ free requires $PurityAxiomsCanBeAssumed;
+ modifies $Heap, $ActivityIndicator;
+ // target object is allocated upon return
+ free ensures $Heap[this, $allocated];
+ // target object is additively exposable for System.Object
+ ensures ($Heap[this, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[this, $ownerRef], $inv] <: $Heap[this, $ownerFrame]) || $Heap[$Heap[this, $ownerRef], $localinv] == $BaseClass($Heap[this, $ownerFrame])) && $Heap[this, $inv] == System.Object && $Heap[this, $localinv] == $typeof(this);
+ ensures $Heap[this, $ownerRef] == old($Heap)[this, $ownerRef] && $Heap[this, $ownerFrame] == old($Heap)[this, $ownerFrame];
+ ensures $Heap[this, $sharingMode] == $SharingMode_Unshared;
+ // newly allocated objects are fully valid
+ free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } $o != null && !old($Heap)[$o, $allocated] && $Heap[$o, $allocated] ==> $Heap[$o, $inv] == $typeof($o) && $Heap[$o, $localinv] == $typeof($o));
+ // first consistent owner unchanged if its exposeVersion is
+ free ensures (forall $o: ref :: { $Heap[$o, $FirstConsistentOwner] } old($Heap)[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] == $Heap[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] ==> old($Heap)[$o, $FirstConsistentOwner] == $Heap[$o, $FirstConsistentOwner]);
+ // frame condition
+ ensures (forall<a> $o: ref, $f: Field a :: { $Heap[$o, $f] } IncludeInMainFrameCondition($f) && $o != null && old($Heap)[$o, $allocated] && (old($Heap)[$o, $ownerFrame] == $PeerGroupPlaceholder || !(old($Heap)[old($Heap)[$o, $ownerRef], $inv] <: old($Heap)[$o, $ownerFrame]) || old($Heap)[old($Heap)[$o, $ownerRef], $localinv] == $BaseClass(old($Heap)[$o, $ownerFrame])) && ($o != this || !(System.Object <: DeclType222($f))) && old(true) && old(true) ==> old($Heap)[$o, $f] == $Heap[$o, $f]);
+ free ensures $HeapSucc(old($Heap), $Heap);
+ // inv/localinv change only in blocks
+ free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } old($Heap)[$o, $allocated] && $o != this ==> old($Heap)[$o, $inv] == $Heap[$o, $inv] && old($Heap)[$o, $localinv] == $Heap[$o, $localinv]);
+ free ensures (forall $o: ref :: { $Heap[$o, $allocated] } old($Heap)[$o, $allocated] ==> $Heap[$o, $allocated]) && (forall $ot: ref :: { $Heap[$ot, $ownerFrame] } { $Heap[$ot, $ownerRef] } old($Heap)[$ot, $allocated] && old($Heap)[$ot, $ownerFrame] != $PeerGroupPlaceholder ==> $Heap[$ot, $ownerRef] == old($Heap)[$ot, $ownerRef] && $Heap[$ot, $ownerFrame] == old($Heap)[$ot, $ownerFrame]) && old($Heap)[$BeingConstructed, $NonNullFieldsAreInitialized] == $Heap[$BeingConstructed, $NonNullFieldsAreInitialized];
+ free ensures (forall $o: ref :: { $Heap[$o, $sharingMode] } $o == this || old($Heap[$o, $sharingMode]) == $Heap[$o, $sharingMode]);
+
+
+
+procedure System.Array.CopyTo$System.Array$notnull$System.Int32$.Virtual.$(this: ref where $IsNotNull(this, System.Array) && $Heap[this, $allocated], array$in: ref where $IsNotNull(array$in, System.Array) && $Heap[array$in, $allocated], index$in: int where InRange(index$in, System.Int32));
+ // user-declared preconditions
+ requires array$in != null;
+ requires $LBound(array$in, 0) <= index$in;
+ requires $Rank(this) == 1;
+ requires $Rank(array$in) == 1;
+ requires $Length(this) <= $UBound(array$in, 0) + 1 - index$in;
+ // target object is peer consistent
+ requires (forall $pc: ref :: { $typeof($pc) } { $Heap[$pc, $localinv] } { $Heap[$pc, $inv] } { $Heap[$pc, $ownerFrame] } { $Heap[$pc, $ownerRef] } $pc != null && $Heap[$pc, $allocated] && $Heap[$pc, $ownerRef] == $Heap[this, $ownerRef] && $Heap[$pc, $ownerFrame] == $Heap[this, $ownerFrame] ==> $Heap[$pc, $inv] == $typeof($pc) && $Heap[$pc, $localinv] == $typeof($pc));
+ // target object is peer consistent (owner must not be valid)
+ requires $Heap[this, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[this, $ownerRef], $inv] <: $Heap[this, $ownerFrame]) || $Heap[$Heap[this, $ownerRef], $localinv] == $BaseClass($Heap[this, $ownerFrame]);
+ // array is peer consistent
+ requires (forall $pc: ref :: { $typeof($pc) } { $Heap[$pc, $localinv] } { $Heap[$pc, $inv] } { $Heap[$pc, $ownerFrame] } { $Heap[$pc, $ownerRef] } $pc != null && $Heap[$pc, $allocated] && $Heap[$pc, $ownerRef] == $Heap[array$in, $ownerRef] && $Heap[$pc, $ownerFrame] == $Heap[array$in, $ownerFrame] ==> $Heap[$pc, $inv] == $typeof($pc) && $Heap[$pc, $localinv] == $typeof($pc));
+ // array is peer consistent (owner must not be valid)
+ requires $Heap[array$in, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[array$in, $ownerRef], $inv] <: $Heap[array$in, $ownerFrame]) || $Heap[$Heap[array$in, $ownerRef], $localinv] == $BaseClass($Heap[array$in, $ownerFrame]);
+ free requires $BeingConstructed == null;
+ free requires $PurityAxiomsCanBeAssumed;
+ modifies $Heap, $ActivityIndicator;
+ // hard-coded postcondition
+ ensures (forall $k: int :: { ValueArrayGet($Heap[array$in, $elements], $k) } (index$in <= $k && $k < index$in + $Length(this) ==> old(ValueArrayGet($Heap[this, $elements], $k + 0 - index$in)) == ValueArrayGet($Heap[array$in, $elements], $k)) && (!(index$in <= $k && $k < index$in + $Length(this)) ==> old(ValueArrayGet($Heap[array$in, $elements], $k)) == ValueArrayGet($Heap[array$in, $elements], $k)));
+ ensures (forall $k: int :: { IntArrayGet($Heap[array$in, $elements], $k) } (index$in <= $k && $k < index$in + $Length(this) ==> old(IntArrayGet($Heap[this, $elements], $k + 0 - index$in)) == IntArrayGet($Heap[array$in, $elements], $k)) && (!(index$in <= $k && $k < index$in + $Length(this)) ==> old(IntArrayGet($Heap[array$in, $elements], $k)) == IntArrayGet($Heap[array$in, $elements], $k)));
+ ensures (forall $k: int :: { RefArrayGet($Heap[array$in, $elements], $k) } (index$in <= $k && $k < index$in + $Length(this) ==> old(RefArrayGet($Heap[this, $elements], $k + 0 - index$in)) == RefArrayGet($Heap[array$in, $elements], $k)) && (!(index$in <= $k && $k < index$in + $Length(this)) ==> old(RefArrayGet($Heap[array$in, $elements], $k)) == RefArrayGet($Heap[array$in, $elements], $k)));
+ // newly allocated objects are fully valid
+ free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } $o != null && !old($Heap)[$o, $allocated] && $Heap[$o, $allocated] ==> $Heap[$o, $inv] == $typeof($o) && $Heap[$o, $localinv] == $typeof($o));
+ // first consistent owner unchanged if its exposeVersion is
+ free ensures (forall $o: ref :: { $Heap[$o, $FirstConsistentOwner] } old($Heap)[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] == $Heap[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] ==> old($Heap)[$o, $FirstConsistentOwner] == $Heap[$o, $FirstConsistentOwner]);
+ // frame condition
+ ensures (forall<a> $o: ref, $f: Field a :: { $Heap[$o, $f] } IncludeInMainFrameCondition($f) && $o != null && old($Heap)[$o, $allocated] && (old($Heap)[$o, $ownerFrame] == $PeerGroupPlaceholder || !(old($Heap)[old($Heap)[$o, $ownerRef], $inv] <: old($Heap)[$o, $ownerFrame]) || old($Heap)[old($Heap)[$o, $ownerRef], $localinv] == $BaseClass(old($Heap)[$o, $ownerFrame])) && old($o != array$in || !($typeof(array$in) <: DeclType222($f)) || !$IncludedInModifiesStar($f)) && old($o != array$in || $f != $exposeVersion) ==> old($Heap)[$o, $f] == $Heap[$o, $f]);
+ free ensures $HeapSucc(old($Heap), $Heap);
+ // inv/localinv change only in blocks
+ free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } old($Heap)[$o, $allocated] ==> old($Heap)[$o, $inv] == $Heap[$o, $inv] && old($Heap)[$o, $localinv] == $Heap[$o, $localinv]);
+ free ensures (forall $o: ref :: { $Heap[$o, $allocated] } old($Heap)[$o, $allocated] ==> $Heap[$o, $allocated]) && (forall $ot: ref :: { $Heap[$ot, $ownerFrame] } { $Heap[$ot, $ownerRef] } old($Heap)[$ot, $allocated] && old($Heap)[$ot, $ownerFrame] != $PeerGroupPlaceholder ==> $Heap[$ot, $ownerRef] == old($Heap)[$ot, $ownerRef] && $Heap[$ot, $ownerFrame] == old($Heap)[$ot, $ownerFrame]) && old($Heap)[$BeingConstructed, $NonNullFieldsAreInitialized] == $Heap[$BeingConstructed, $NonNullFieldsAreInitialized];
+ free ensures (forall $o: ref :: { $Heap[$o, $sharingMode] } old($Heap[$o, $sharingMode]) == $Heap[$o, $sharingMode]);
+
+
+
+procedure Bag.Add$System.Int32(this: ref where $IsNotNull(this, Bag) && $Heap[this, $allocated], x$in: int where InRange(x$in, System.Int32));
+ // target object is peer consistent
+ requires (forall $pc: ref :: { $typeof($pc) } { $Heap[$pc, $localinv] } { $Heap[$pc, $inv] } { $Heap[$pc, $ownerFrame] } { $Heap[$pc, $ownerRef] } $pc != null && $Heap[$pc, $allocated] && $Heap[$pc, $ownerRef] == $Heap[this, $ownerRef] && $Heap[$pc, $ownerFrame] == $Heap[this, $ownerFrame] ==> $Heap[$pc, $inv] == $typeof($pc) && $Heap[$pc, $localinv] == $typeof($pc));
+ // target object is peer consistent (owner must not be valid)
+ requires $Heap[this, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[this, $ownerRef], $inv] <: $Heap[this, $ownerFrame]) || $Heap[$Heap[this, $ownerRef], $localinv] == $BaseClass($Heap[this, $ownerFrame]);
+ free requires $BeingConstructed == null;
+ free requires $PurityAxiomsCanBeAssumed;
+ modifies $Heap, $ActivityIndicator;
+ // newly allocated objects are fully valid
+ free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } $o != null && !old($Heap)[$o, $allocated] && $Heap[$o, $allocated] ==> $Heap[$o, $inv] == $typeof($o) && $Heap[$o, $localinv] == $typeof($o));
+ // first consistent owner unchanged if its exposeVersion is
+ free ensures (forall $o: ref :: { $Heap[$o, $FirstConsistentOwner] } old($Heap)[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] == $Heap[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] ==> old($Heap)[$o, $FirstConsistentOwner] == $Heap[$o, $FirstConsistentOwner]);
+ // frame condition
+ ensures (forall<a> $o: ref, $f: Field a :: { $Heap[$o, $f] } IncludeInMainFrameCondition($f) && $o != null && old($Heap)[$o, $allocated] && (old($Heap)[$o, $ownerFrame] == $PeerGroupPlaceholder || !(old($Heap)[old($Heap)[$o, $ownerRef], $inv] <: old($Heap)[$o, $ownerFrame]) || old($Heap)[old($Heap)[$o, $ownerRef], $localinv] == $BaseClass(old($Heap)[$o, $ownerFrame])) && old($o != this || !($typeof(this) <: DeclType222($f)) || !$IncludedInModifiesStar($f)) && old($o != this || $f != $exposeVersion) ==> old($Heap)[$o, $f] == $Heap[$o, $f]);
+ free ensures $HeapSucc(old($Heap), $Heap);
+ // inv/localinv change only in blocks
+ free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } old($Heap)[$o, $allocated] ==> old($Heap)[$o, $inv] == $Heap[$o, $inv] && old($Heap)[$o, $localinv] == $Heap[$o, $localinv]);
+ free ensures (forall $o: ref :: { $Heap[$o, $allocated] } old($Heap)[$o, $allocated] ==> $Heap[$o, $allocated]) && (forall $ot: ref :: { $Heap[$ot, $ownerFrame] } { $Heap[$ot, $ownerRef] } old($Heap)[$ot, $allocated] && old($Heap)[$ot, $ownerFrame] != $PeerGroupPlaceholder ==> $Heap[$ot, $ownerRef] == old($Heap)[$ot, $ownerRef] && $Heap[$ot, $ownerFrame] == old($Heap)[$ot, $ownerFrame]) && old($Heap)[$BeingConstructed, $NonNullFieldsAreInitialized] == $Heap[$BeingConstructed, $NonNullFieldsAreInitialized];
+ free ensures (forall $o: ref :: { $Heap[$o, $sharingMode] } old($Heap[$o, $sharingMode]) == $Heap[$o, $sharingMode]);
+
+
+
+implementation Bag.Add$System.Int32(this: ref, x$in: int)
+{
+ var x: int where InRange(x, System.Int32), temp0: ref, stack1s: struct, stack1o: ref, temp1: exposeVersionType, local2: ref where $Is(local2, System.Exception) && $Heap[local2, $allocated], stack0i: int, stack1i: int, stack0b: bool, b: ref where $Is(b, IntArray(System.Int32, 1)) && $Heap[b, $allocated], temp2: ref, stack0o: ref, stack2o: ref, stack3i: int, stack4o: ref, stack4i: int, temp3: exposeVersionType, local4: int where InRange(local4, System.Int32), temp4: exposeVersionType, stack0s: struct;
+
+ entry:
+ x := x$in;
+ goto block4335;
+
+ block4335:
+ goto block4488;
+
+ block4488:
+ // ----- nop
+ // ----- FrameGuard processing ----- AddMethod.ssc(22,13)
+ temp0 := this;
+ // ----- load token ----- AddMethod.ssc(22,13)
+ havoc stack1s;
+ assume $IsTokenForType(stack1s, Bag);
+ // ----- statically resolved GetTypeFromHandle call ----- AddMethod.ssc(22,13)
+ stack1o := TypeObject(Bag);
+ // ----- local unpack ----- AddMethod.ssc(22,13)
+ assert temp0 != null;
+ assert ($Heap[temp0, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[temp0, $ownerRef], $inv] <: $Heap[temp0, $ownerFrame]) || $Heap[$Heap[temp0, $ownerRef], $localinv] == $BaseClass($Heap[temp0, $ownerFrame])) && $Heap[temp0, $inv] <: Bag && $Heap[temp0, $localinv] == $typeof(temp0);
+ $Heap[temp0, $localinv] := System.Object;
+ havoc temp1;
+ $Heap[temp0, $exposeVersion] := temp1;
+ assume IsHeap($Heap);
+ local2 := null;
+ goto block4505;
+
+ block4505:
+ // ----- load field ----- AddMethod.ssc(24,7)
+ assert this != null;
+ stack0i := $Heap[this, Bag.n];
+ // ----- load field ----- AddMethod.ssc(24,7)
+ assert this != null;
+ stack1o := $Heap[this, Bag.a];
+ // ----- unary operator ----- AddMethod.ssc(24,7)
+ assert stack1o != null;
+ stack1i := $Length(stack1o);
+ // ----- unary operator ----- AddMethod.ssc(24,7)
+ stack1i := $IntToInt(stack1i, System.UIntPtr, System.Int32);
+ // ----- binary operator ----- AddMethod.ssc(24,7)
+ // ----- branch ----- AddMethod.ssc(24,7)
+ goto true4505to4539, false4505to4522;
+
+ true4505to4539:
+ assume stack0i != stack1i;
+ goto block4539;
+
+ false4505to4522:
+ assume stack0i == stack1i;
+ goto block4522;
+
+ block4539:
+ // ----- load field ----- AddMethod.ssc(30,7)
+ assert this != null;
+ stack0o := $Heap[this, Bag.a];
+ // ----- load field ----- AddMethod.ssc(30,7)
+ assert this != null;
+ stack1i := $Heap[this, Bag.n];
+ // ----- store element ----- AddMethod.ssc(30,7)
+ assert stack0o != null;
+ assert 0 <= stack1i;
+ assert stack1i < $Length(stack0o);
+ assert $Heap[stack0o, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[stack0o, $ownerRef], $inv] <: $Heap[stack0o, $ownerFrame]) || $Heap[$Heap[stack0o, $ownerRef], $localinv] == $BaseClass($Heap[stack0o, $ownerFrame]);
+ $Heap[stack0o, $elements] := IntArraySet($Heap[stack0o, $elements], stack1i, x);
+ assume IsHeap($Heap);
+ // ----- load field ----- AddMethod.ssc(31,7)
+ assert this != null;
+ local4 := $Heap[this, Bag.n];
+ // ----- load constant 1 ----- AddMethod.ssc(31,7)
+ stack0i := 1;
+ // ----- binary operator ----- AddMethod.ssc(31,7)
+ stack0i := local4 + stack0i;
+ // ----- store field ----- AddMethod.ssc(31,7)
+ assert this != null;
+ assert $Heap[this, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[this, $ownerRef], $inv] <: $Heap[this, $ownerFrame]) || $Heap[$Heap[this, $ownerRef], $localinv] == $BaseClass($Heap[this, $ownerFrame]);
+ havoc temp4;
+ $Heap[this, $exposeVersion] := temp4;
+ $Heap[this, Bag.n] := stack0i;
+ assert !($Heap[this, $inv] <: Bag && $Heap[this, $localinv] != $BaseClass(Bag)) || 0 <= $Heap[this, Bag.n];
+ assert !($Heap[this, $inv] <: Bag && $Heap[this, $localinv] != $BaseClass(Bag)) || $Heap[this, Bag.n] <= $Length($Heap[this, Bag.a]);
+ assume IsHeap($Heap);
+ // ----- copy
+ stack0i := local4;
+ // ----- branch
+ goto block4658;
+
+ block4522:
+ // ----- load constant 2 ----- AddMethod.ssc(26,15)
+ stack0i := 2;
+ // ----- load field ----- AddMethod.ssc(26,15)
+ assert this != null;
+ stack1o := $Heap[this, Bag.a];
+ // ----- unary operator ----- AddMethod.ssc(26,15)
+ assert stack1o != null;
+ stack1i := $Length(stack1o);
+ // ----- unary operator ----- AddMethod.ssc(26,15)
+ stack1i := $IntToInt(stack1i, System.UIntPtr, System.Int32);
+ // ----- binary operator ----- AddMethod.ssc(26,15)
+ stack0i := stack0i * stack1i;
+ // ----- load constant 1 ----- AddMethod.ssc(26,15)
+ stack1i := 1;
+ // ----- binary operator ----- AddMethod.ssc(26,15)
+ stack0i := stack0i + stack1i;
+ // ----- new array ----- AddMethod.ssc(26,15)
+ assert 0 <= stack0i;
+ havoc temp2;
+ assume $Heap[temp2, $allocated] == false && $Length(temp2) == stack0i;
+ assume $Heap[$ElementProxy(temp2, -1), $allocated] == false && $ElementProxy(temp2, -1) != temp2 && $ElementProxy(temp2, -1) != null;
+ assume temp2 != null;
+ assume $typeof(temp2) == IntArray(System.Int32, 1);
+ assume $Heap[temp2, $ownerRef] == temp2 && $Heap[temp2, $ownerFrame] == $PeerGroupPlaceholder;
+ assume $Heap[$ElementProxy(temp2, -1), $ownerRef] == $ElementProxy(temp2, -1) && $Heap[$ElementProxy(temp2, -1), $ownerFrame] == $PeerGroupPlaceholder;
+ assume $Heap[temp2, $inv] == $typeof(temp2) && $Heap[temp2, $localinv] == $typeof(temp2);
+ assume (forall $i: int :: IntArrayGet($Heap[temp2, $elements], $i) == 0);
+ $Heap[temp2, $allocated] := true;
+ call System.Object..ctor($ElementProxy(temp2, -1));
+ b := temp2;
+ assume IsHeap($Heap);
+ // ----- load field ----- AddMethod.ssc(27,9)
+ assert this != null;
+ stack0o := $Heap[this, Bag.a];
+ // ----- load constant 0 ----- AddMethod.ssc(27,9)
+ stack1i := 0;
+ // ----- copy ----- AddMethod.ssc(27,9)
+ stack2o := b;
+ // ----- load constant 0 ----- AddMethod.ssc(27,9)
+ stack3i := 0;
+ // ----- load field ----- AddMethod.ssc(27,9)
+ assert this != null;
+ stack4o := $Heap[this, Bag.a];
+ // ----- unary operator ----- AddMethod.ssc(27,9)
+ assert stack4o != null;
+ stack4i := $Length(stack4o);
+ // ----- unary operator ----- AddMethod.ssc(27,9)
+ stack4i := $IntToInt(stack4i, System.UIntPtr, System.Int32);
+ // ----- call ----- AddMethod.ssc(27,9)
+ call System.Array.Copy$System.Array$notnull$System.Int32$System.Array$notnull$System.Int32$System.Int32(stack0o, stack1i, stack2o, stack3i, stack4i);
+ // ----- store field ----- AddMethod.ssc(28,9)
+ assert this != null;
+ assert $Heap[this, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[this, $ownerRef], $inv] <: $Heap[this, $ownerFrame]) || $Heap[$Heap[this, $ownerRef], $localinv] == $BaseClass($Heap[this, $ownerFrame]);
+ assert ($Heap[b, $ownerRef] == this && $Heap[b, $ownerFrame] == Bag) || $Heap[b, $ownerFrame] == $PeerGroupPlaceholder;
+ assert $Heap[b, $ownerFrame] == $PeerGroupPlaceholder && $Heap[this, $inv] <: Bag && $Heap[this, $localinv] != $BaseClass(Bag) ==> (forall $pc: ref :: { $typeof($pc) } { $Heap[$pc, $localinv] } { $Heap[$pc, $inv] } { $Heap[$pc, $ownerFrame] } { $Heap[$pc, $ownerRef] } $pc != null && $Heap[$pc, $allocated] && $Heap[$pc, $ownerRef] == $Heap[b, $ownerRef] && $Heap[$pc, $ownerFrame] == $Heap[b, $ownerFrame] ==> $Heap[$pc, $inv] == $typeof($pc) && $Heap[$pc, $localinv] == $typeof($pc));
+ assert $Heap[b, $ownerFrame] == $PeerGroupPlaceholder && $Heap[this, $inv] <: Bag && $Heap[this, $localinv] != $BaseClass(Bag) ==> $Heap[this, $ownerRef] != $Heap[b, $ownerRef] || $Heap[this, $ownerFrame] != $Heap[b, $ownerFrame];
+ call $UpdateOwnersForRep(this, Bag, b);
+ havoc temp3;
+ $Heap[this, $exposeVersion] := temp3;
+ $Heap[this, Bag.a] := b;
+ assert !($Heap[this, $inv] <: Bag && $Heap[this, $localinv] != $BaseClass(Bag)) || 0 <= $Heap[this, Bag.n];
+ assert !($Heap[this, $inv] <: Bag && $Heap[this, $localinv] != $BaseClass(Bag)) || $Heap[this, Bag.n] <= $Length($Heap[this, Bag.a]);
+ assume IsHeap($Heap);
+ goto block4539;
+
+ block4658:
+ stack0o := null;
+ // ----- binary operator
+ // ----- branch
+ goto true4658to4624, false4658to4641;
+
+ true4658to4624:
+ assume local2 == stack0o;
+ goto block4624;
+
+ false4658to4641:
+ assume local2 != stack0o;
+ goto block4641;
+
+ block4624:
+ // ----- load token ----- AddMethod.ssc(32,5)
+ havoc stack0s;
+ assume $IsTokenForType(stack0s, Bag);
+ // ----- statically resolved GetTypeFromHandle call ----- AddMethod.ssc(32,5)
+ stack0o := TypeObject(Bag);
+ // ----- local pack ----- AddMethod.ssc(32,5)
+ assert temp0 != null;
+ assert $Heap[temp0, $localinv] == System.Object;
+ assert 0 <= $Heap[temp0, Bag.n];
+ assert $Heap[temp0, Bag.n] <= $Length($Heap[temp0, Bag.a]);
+ assert (forall $p: ref :: $p != null && $Heap[$p, $allocated] && $Heap[$p, $ownerRef] == temp0 && $Heap[$p, $ownerFrame] == Bag ==> $Heap[$p, $inv] == $typeof($p) && $Heap[$p, $localinv] == $typeof($p));
+ $Heap[temp0, $localinv] := $typeof(temp0);
+ assume IsHeap($Heap);
+ goto block4726;
+
+ block4641:
+ // ----- is instance
+ // ----- branch
+ goto true4641to4624, false4641to4692;
+
+ true4641to4624:
+ assume $As(local2, Microsoft.Contracts.ICheckedException) != null;
+ goto block4624;
+
+ false4641to4692:
+ assume $As(local2, Microsoft.Contracts.ICheckedException) == null;
+ goto block4692;
+
+ block4692:
+ // ----- branch
+ goto block4726;
+
+ block4726:
+ // ----- nop
+ // ----- branch
+ goto block4590;
+
+ block4590:
+ // ----- return
+ return;
+}
+
+
+
+axiom System.Type <: System.Type;
+
+axiom System.Reflection.MemberInfo <: System.Reflection.MemberInfo;
+
+axiom $BaseClass(System.Reflection.MemberInfo) == System.Object && AsDirectSubClass(System.Reflection.MemberInfo, $BaseClass(System.Reflection.MemberInfo)) == System.Reflection.MemberInfo;
+
+axiom $IsImmutable(System.Reflection.MemberInfo) && $AsImmutable(System.Reflection.MemberInfo) == System.Reflection.MemberInfo;
+
+axiom System.Reflection.ICustomAttributeProvider <: System.Reflection.ICustomAttributeProvider;
+
+axiom System.Reflection.ICustomAttributeProvider <: System.Object;
+
+axiom $IsMemberlessType(System.Reflection.ICustomAttributeProvider);
+
+axiom $AsInterface(System.Reflection.ICustomAttributeProvider) == System.Reflection.ICustomAttributeProvider;
+
+axiom System.Reflection.MemberInfo <: System.Reflection.ICustomAttributeProvider;
+
+axiom System.Runtime.InteropServices._MemberInfo <: System.Runtime.InteropServices._MemberInfo;
+
+axiom System.Runtime.InteropServices._MemberInfo <: System.Object;
+
+axiom $IsMemberlessType(System.Runtime.InteropServices._MemberInfo);
+
+axiom $AsInterface(System.Runtime.InteropServices._MemberInfo) == System.Runtime.InteropServices._MemberInfo;
+
+axiom System.Reflection.MemberInfo <: System.Runtime.InteropServices._MemberInfo;
+
+axiom $IsMemberlessType(System.Reflection.MemberInfo);
+
+// System.Reflection.MemberInfo object invariant
+axiom (forall $oi: ref, $h: Heap :: { $h[$oi, $inv] <: System.Reflection.MemberInfo } IsHeap($h) && $h[$oi, $inv] <: System.Reflection.MemberInfo && $h[$oi, $localinv] != $BaseClass(System.Reflection.MemberInfo) ==> true);
+
+axiom $BaseClass(System.Type) == System.Reflection.MemberInfo && AsDirectSubClass(System.Type, $BaseClass(System.Type)) == System.Type;
+
+axiom $IsImmutable(System.Type) && $AsImmutable(System.Type) == System.Type;
+
+axiom System.Runtime.InteropServices._Type <: System.Runtime.InteropServices._Type;
+
+axiom System.Runtime.InteropServices._Type <: System.Object;
+
+axiom $IsMemberlessType(System.Runtime.InteropServices._Type);
+
+axiom $AsInterface(System.Runtime.InteropServices._Type) == System.Runtime.InteropServices._Type;
+
+axiom System.Type <: System.Runtime.InteropServices._Type;
+
+axiom System.Reflection.IReflect <: System.Reflection.IReflect;
+
+axiom System.Reflection.IReflect <: System.Object;
+
+axiom $IsMemberlessType(System.Reflection.IReflect);
+
+axiom $AsInterface(System.Reflection.IReflect) == System.Reflection.IReflect;
+
+axiom System.Type <: System.Reflection.IReflect;
+
+axiom $IsMemberlessType(System.Type);
+
+// System.Type object invariant
+axiom (forall $oi: ref, $h: Heap :: { $h[$oi, $inv] <: System.Type } IsHeap($h) && $h[$oi, $inv] <: System.Type && $h[$oi, $localinv] != $BaseClass(System.Type) ==> true);
+
+procedure System.Array.Copy$System.Array$notnull$System.Int32$System.Array$notnull$System.Int32$System.Int32(sourceArray$in: ref where $IsNotNull(sourceArray$in, System.Array) && $Heap[sourceArray$in, $allocated], sourceIndex$in: int where InRange(sourceIndex$in, System.Int32), destinationArray$in: ref where $IsNotNull(destinationArray$in, System.Array) && $Heap[destinationArray$in, $allocated], destinationIndex$in: int where InRange(destinationIndex$in, System.Int32), length$in: int where InRange(length$in, System.Int32));
+ // user-declared preconditions
+ requires sourceArray$in != null;
+ requires destinationArray$in != null;
+ requires $Rank(sourceArray$in) == $Rank(destinationArray$in);
+ requires sourceIndex$in >= $LBound(sourceArray$in, 0);
+ requires destinationIndex$in >= $LBound(destinationArray$in, 0);
+ requires length$in >= 0;
+ requires sourceIndex$in + length$in <= $LBound(sourceArray$in, 0) + $Length(sourceArray$in);
+ requires destinationIndex$in + length$in <= $LBound(destinationArray$in, 0) + $Length(destinationArray$in);
+ // sourceArray is peer consistent
+ requires (forall $pc: ref :: { $typeof($pc) } { $Heap[$pc, $localinv] } { $Heap[$pc, $inv] } { $Heap[$pc, $ownerFrame] } { $Heap[$pc, $ownerRef] } $pc != null && $Heap[$pc, $allocated] && $Heap[$pc, $ownerRef] == $Heap[sourceArray$in, $ownerRef] && $Heap[$pc, $ownerFrame] == $Heap[sourceArray$in, $ownerFrame] ==> $Heap[$pc, $inv] == $typeof($pc) && $Heap[$pc, $localinv] == $typeof($pc));
+ // sourceArray is peer consistent (owner must not be valid)
+ requires $Heap[sourceArray$in, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[sourceArray$in, $ownerRef], $inv] <: $Heap[sourceArray$in, $ownerFrame]) || $Heap[$Heap[sourceArray$in, $ownerRef], $localinv] == $BaseClass($Heap[sourceArray$in, $ownerFrame]);
+ // destinationArray is peer consistent
+ requires (forall $pc: ref :: { $typeof($pc) } { $Heap[$pc, $localinv] } { $Heap[$pc, $inv] } { $Heap[$pc, $ownerFrame] } { $Heap[$pc, $ownerRef] } $pc != null && $Heap[$pc, $allocated] && $Heap[$pc, $ownerRef] == $Heap[destinationArray$in, $ownerRef] && $Heap[$pc, $ownerFrame] == $Heap[destinationArray$in, $ownerFrame] ==> $Heap[$pc, $inv] == $typeof($pc) && $Heap[$pc, $localinv] == $typeof($pc));
+ // destinationArray is peer consistent (owner must not be valid)
+ requires $Heap[destinationArray$in, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[destinationArray$in, $ownerRef], $inv] <: $Heap[destinationArray$in, $ownerFrame]) || $Heap[$Heap[destinationArray$in, $ownerRef], $localinv] == $BaseClass($Heap[destinationArray$in, $ownerFrame]);
+ free requires $BeingConstructed == null;
+ free requires $PurityAxiomsCanBeAssumed;
+ modifies $Heap, $ActivityIndicator;
+ // hard-coded postcondition
+ ensures (forall $k: int :: { ValueArrayGet($Heap[destinationArray$in, $elements], $k) } (destinationIndex$in <= $k && $k < destinationIndex$in + length$in ==> old(ValueArrayGet($Heap[sourceArray$in, $elements], $k + sourceIndex$in - destinationIndex$in)) == ValueArrayGet($Heap[destinationArray$in, $elements], $k)) && (!(destinationIndex$in <= $k && $k < destinationIndex$in + length$in) ==> old(ValueArrayGet($Heap[destinationArray$in, $elements], $k)) == ValueArrayGet($Heap[destinationArray$in, $elements], $k)));
+ ensures (forall $k: int :: { IntArrayGet($Heap[destinationArray$in, $elements], $k) } (destinationIndex$in <= $k && $k < destinationIndex$in + length$in ==> old(IntArrayGet($Heap[sourceArray$in, $elements], $k + sourceIndex$in - destinationIndex$in)) == IntArrayGet($Heap[destinationArray$in, $elements], $k)) && (!(destinationIndex$in <= $k && $k < destinationIndex$in + length$in) ==> old(IntArrayGet($Heap[destinationArray$in, $elements], $k)) == IntArrayGet($Heap[destinationArray$in, $elements], $k)));
+ ensures (forall $k: int :: { RefArrayGet($Heap[destinationArray$in, $elements], $k) } (destinationIndex$in <= $k && $k < destinationIndex$in + length$in ==> old(RefArrayGet($Heap[sourceArray$in, $elements], $k + sourceIndex$in - destinationIndex$in)) == RefArrayGet($Heap[destinationArray$in, $elements], $k)) && (!(destinationIndex$in <= $k && $k < destinationIndex$in + length$in) ==> old(RefArrayGet($Heap[destinationArray$in, $elements], $k)) == RefArrayGet($Heap[destinationArray$in, $elements], $k)));
+ // newly allocated objects are fully valid
+ free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } $o != null && !old($Heap)[$o, $allocated] && $Heap[$o, $allocated] ==> $Heap[$o, $inv] == $typeof($o) && $Heap[$o, $localinv] == $typeof($o));
+ // first consistent owner unchanged if its exposeVersion is
+ free ensures (forall $o: ref :: { $Heap[$o, $FirstConsistentOwner] } old($Heap)[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] == $Heap[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] ==> old($Heap)[$o, $FirstConsistentOwner] == $Heap[$o, $FirstConsistentOwner]);
+ // frame condition
+ ensures (forall<a> $o: ref, $f: Field a :: { $Heap[$o, $f] } IncludeInMainFrameCondition($f) && $o != null && old($Heap)[$o, $allocated] && (old($Heap)[$o, $ownerFrame] == $PeerGroupPlaceholder || !(old($Heap)[old($Heap)[$o, $ownerRef], $inv] <: old($Heap)[$o, $ownerFrame]) || old($Heap)[old($Heap)[$o, $ownerRef], $localinv] == $BaseClass(old($Heap)[$o, $ownerFrame])) && old($o != destinationArray$in || !($typeof(destinationArray$in) <: DeclType222($f)) || !$IncludedInModifiesStar($f)) && old($o != destinationArray$in || $f != $exposeVersion) ==> old($Heap)[$o, $f] == $Heap[$o, $f]);
+ free ensures $HeapSucc(old($Heap), $Heap);
+ // inv/localinv change only in blocks
+ free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } old($Heap)[$o, $allocated] ==> old($Heap)[$o, $inv] == $Heap[$o, $inv] && old($Heap)[$o, $localinv] == $Heap[$o, $localinv]);
+ free ensures (forall $o: ref :: { $Heap[$o, $allocated] } old($Heap)[$o, $allocated] ==> $Heap[$o, $allocated]) && (forall $ot: ref :: { $Heap[$ot, $ownerFrame] } { $Heap[$ot, $ownerRef] } old($Heap)[$ot, $allocated] && old($Heap)[$ot, $ownerFrame] != $PeerGroupPlaceholder ==> $Heap[$ot, $ownerRef] == old($Heap)[$ot, $ownerRef] && $Heap[$ot, $ownerFrame] == old($Heap)[$ot, $ownerFrame]) && old($Heap)[$BeingConstructed, $NonNullFieldsAreInitialized] == $Heap[$BeingConstructed, $NonNullFieldsAreInitialized];
+ free ensures (forall $o: ref :: { $Heap[$o, $sharingMode] } old($Heap[$o, $sharingMode]) == $Heap[$o, $sharingMode]);
+
+
+
+axiom Microsoft.Contracts.ICheckedException <: Microsoft.Contracts.ICheckedException;
+
+axiom Microsoft.Contracts.ICheckedException <: System.Object;
+
+axiom $IsMemberlessType(Microsoft.Contracts.ICheckedException);
+
+axiom $AsInterface(Microsoft.Contracts.ICheckedException) == Microsoft.Contracts.ICheckedException;
+
+procedure Bag.AddAgain$System.Int32(this: ref where $IsNotNull(this, Bag) && $Heap[this, $allocated], x$in: int where InRange(x$in, System.Int32));
+ // target object is peer consistent
+ requires (forall $pc: ref :: { $typeof($pc) } { $Heap[$pc, $localinv] } { $Heap[$pc, $inv] } { $Heap[$pc, $ownerFrame] } { $Heap[$pc, $ownerRef] } $pc != null && $Heap[$pc, $allocated] && $Heap[$pc, $ownerRef] == $Heap[this, $ownerRef] && $Heap[$pc, $ownerFrame] == $Heap[this, $ownerFrame] ==> $Heap[$pc, $inv] == $typeof($pc) && $Heap[$pc, $localinv] == $typeof($pc));
+ // target object is peer consistent (owner must not be valid)
+ requires $Heap[this, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[this, $ownerRef], $inv] <: $Heap[this, $ownerFrame]) || $Heap[$Heap[this, $ownerRef], $localinv] == $BaseClass($Heap[this, $ownerFrame]);
+ free requires $BeingConstructed == null;
+ free requires $PurityAxiomsCanBeAssumed;
+ modifies $Heap, $ActivityIndicator;
+ // newly allocated objects are fully valid
+ free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } $o != null && !old($Heap)[$o, $allocated] && $Heap[$o, $allocated] ==> $Heap[$o, $inv] == $typeof($o) && $Heap[$o, $localinv] == $typeof($o));
+ // first consistent owner unchanged if its exposeVersion is
+ free ensures (forall $o: ref :: { $Heap[$o, $FirstConsistentOwner] } old($Heap)[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] == $Heap[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] ==> old($Heap)[$o, $FirstConsistentOwner] == $Heap[$o, $FirstConsistentOwner]);
+ // frame condition
+ ensures (forall<a> $o: ref, $f: Field a :: { $Heap[$o, $f] } IncludeInMainFrameCondition($f) && $o != null && old($Heap)[$o, $allocated] && (old($Heap)[$o, $ownerFrame] == $PeerGroupPlaceholder || !(old($Heap)[old($Heap)[$o, $ownerRef], $inv] <: old($Heap)[$o, $ownerFrame]) || old($Heap)[old($Heap)[$o, $ownerRef], $localinv] == $BaseClass(old($Heap)[$o, $ownerFrame])) && old($o != this || !($typeof(this) <: DeclType222($f)) || !$IncludedInModifiesStar($f)) && old($o != this || $f != $exposeVersion) ==> old($Heap)[$o, $f] == $Heap[$o, $f]);
+ free ensures $HeapSucc(old($Heap), $Heap);
+ // inv/localinv change only in blocks
+ free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } old($Heap)[$o, $allocated] ==> old($Heap)[$o, $inv] == $Heap[$o, $inv] && old($Heap)[$o, $localinv] == $Heap[$o, $localinv]);
+ free ensures (forall $o: ref :: { $Heap[$o, $allocated] } old($Heap)[$o, $allocated] ==> $Heap[$o, $allocated]) && (forall $ot: ref :: { $Heap[$ot, $ownerFrame] } { $Heap[$ot, $ownerRef] } old($Heap)[$ot, $allocated] && old($Heap)[$ot, $ownerFrame] != $PeerGroupPlaceholder ==> $Heap[$ot, $ownerRef] == old($Heap)[$ot, $ownerRef] && $Heap[$ot, $ownerFrame] == old($Heap)[$ot, $ownerFrame]) && old($Heap)[$BeingConstructed, $NonNullFieldsAreInitialized] == $Heap[$BeingConstructed, $NonNullFieldsAreInitialized];
+ free ensures (forall $o: ref :: { $Heap[$o, $sharingMode] } old($Heap[$o, $sharingMode]) == $Heap[$o, $sharingMode]);
+
+
+
+implementation Bag.AddAgain$System.Int32(this: ref, x$in: int)
+{
+ var x: int where InRange(x, System.Int32), temp0: ref, stack1s: struct, stack1o: ref, temp1: exposeVersionType, local2: ref where $Is(local2, System.Exception) && $Heap[local2, $allocated], stack0i: int, stack1i: int, stack0b: bool, stack0o: ref, local4: int where InRange(local4, System.Int32), temp2: exposeVersionType, b: ref where $Is(b, IntArray(System.Int32, 1)) && $Heap[b, $allocated], temp3: ref, stack2i: int, temp4: exposeVersionType, stack0s: struct;
+
+ entry:
+ x := x$in;
+ goto block6188;
+
+ block6188:
+ goto block6341;
+
+ block6341:
+ // ----- nop
+ // ----- FrameGuard processing ----- AddMethod.ssc(38,13)
+ temp0 := this;
+ // ----- load token ----- AddMethod.ssc(38,13)
+ havoc stack1s;
+ assume $IsTokenForType(stack1s, Bag);
+ // ----- statically resolved GetTypeFromHandle call ----- AddMethod.ssc(38,13)
+ stack1o := TypeObject(Bag);
+ // ----- local unpack ----- AddMethod.ssc(38,13)
+ assert temp0 != null;
+ assert ($Heap[temp0, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[temp0, $ownerRef], $inv] <: $Heap[temp0, $ownerFrame]) || $Heap[$Heap[temp0, $ownerRef], $localinv] == $BaseClass($Heap[temp0, $ownerFrame])) && $Heap[temp0, $inv] <: Bag && $Heap[temp0, $localinv] == $typeof(temp0);
+ $Heap[temp0, $localinv] := System.Object;
+ havoc temp1;
+ $Heap[temp0, $exposeVersion] := temp1;
+ assume IsHeap($Heap);
+ local2 := null;
+ goto block6358;
+
+ block6358:
+ // ----- load field ----- AddMethod.ssc(40,7)
+ assert this != null;
+ stack0i := $Heap[this, Bag.n];
+ // ----- load field ----- AddMethod.ssc(40,7)
+ assert this != null;
+ stack1o := $Heap[this, Bag.a];
+ // ----- unary operator ----- AddMethod.ssc(40,7)
+ assert stack1o != null;
+ stack1i := $Length(stack1o);
+ // ----- unary operator ----- AddMethod.ssc(40,7)
+ stack1i := $IntToInt(stack1i, System.UIntPtr, System.Int32);
+ // ----- binary operator ----- AddMethod.ssc(40,7)
+ // ----- branch ----- AddMethod.ssc(40,7)
+ goto true6358to6392, false6358to6375;
+
+ true6358to6392:
+ assume stack0i != stack1i;
+ goto block6392;
+
+ false6358to6375:
+ assume stack0i == stack1i;
+ goto block6375;
+
+ block6392:
+ // ----- load field ----- AddMethod.ssc(46,7)
+ assert this != null;
+ stack0o := $Heap[this, Bag.a];
+ // ----- load field ----- AddMethod.ssc(46,7)
+ assert this != null;
+ stack1i := $Heap[this, Bag.n];
+ // ----- store element ----- AddMethod.ssc(46,7)
+ assert stack0o != null;
+ assert 0 <= stack1i;
+ assert stack1i < $Length(stack0o);
+ assert $Heap[stack0o, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[stack0o, $ownerRef], $inv] <: $Heap[stack0o, $ownerFrame]) || $Heap[$Heap[stack0o, $ownerRef], $localinv] == $BaseClass($Heap[stack0o, $ownerFrame]);
+ $Heap[stack0o, $elements] := IntArraySet($Heap[stack0o, $elements], stack1i, x);
+ assume IsHeap($Heap);
+ // ----- load field ----- AddMethod.ssc(47,7)
+ assert this != null;
+ local4 := $Heap[this, Bag.n];
+ // ----- load constant 1 ----- AddMethod.ssc(47,7)
+ stack0i := 1;
+ // ----- binary operator ----- AddMethod.ssc(47,7)
+ stack0i := local4 + stack0i;
+ // ----- store field ----- AddMethod.ssc(47,7)
+ assert this != null;
+ assert $Heap[this, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[this, $ownerRef], $inv] <: $Heap[this, $ownerFrame]) || $Heap[$Heap[this, $ownerRef], $localinv] == $BaseClass($Heap[this, $ownerFrame]);
+ havoc temp2;
+ $Heap[this, $exposeVersion] := temp2;
+ $Heap[this, Bag.n] := stack0i;
+ assert !($Heap[this, $inv] <: Bag && $Heap[this, $localinv] != $BaseClass(Bag)) || 0 <= $Heap[this, Bag.n];
+ assert !($Heap[this, $inv] <: Bag && $Heap[this, $localinv] != $BaseClass(Bag)) || $Heap[this, Bag.n] <= $Length($Heap[this, Bag.a]);
+ assume IsHeap($Heap);
+ // ----- copy
+ stack0i := local4;
+ // ----- branch
+ goto block6562;
+
+ block6375:
+ // ----- load constant 2 ----- AddMethod.ssc(42,15)
+ stack0i := 2;
+ // ----- load field ----- AddMethod.ssc(42,15)
+ assert this != null;
+ stack1o := $Heap[this, Bag.a];
+ // ----- unary operator ----- AddMethod.ssc(42,15)
+ assert stack1o != null;
+ stack1i := $Length(stack1o);
+ // ----- unary operator ----- AddMethod.ssc(42,15)
+ stack1i := $IntToInt(stack1i, System.UIntPtr, System.Int32);
+ // ----- binary operator ----- AddMethod.ssc(42,15)
+ stack0i := stack0i * stack1i;
+ // ----- load constant 1 ----- AddMethod.ssc(42,15)
+ stack1i := 1;
+ // ----- binary operator ----- AddMethod.ssc(42,15)
+ stack0i := stack0i + stack1i;
+ // ----- new array ----- AddMethod.ssc(42,15)
+ assert 0 <= stack0i;
+ havoc temp3;
+ assume $Heap[temp3, $allocated] == false && $Length(temp3) == stack0i;
+ assume $Heap[$ElementProxy(temp3, -1), $allocated] == false && $ElementProxy(temp3, -1) != temp3 && $ElementProxy(temp3, -1) != null;
+ assume temp3 != null;
+ assume $typeof(temp3) == IntArray(System.Int32, 1);
+ assume $Heap[temp3, $ownerRef] == temp3 && $Heap[temp3, $ownerFrame] == $PeerGroupPlaceholder;
+ assume $Heap[$ElementProxy(temp3, -1), $ownerRef] == $ElementProxy(temp3, -1) && $Heap[$ElementProxy(temp3, -1), $ownerFrame] == $PeerGroupPlaceholder;
+ assume $Heap[temp3, $inv] == $typeof(temp3) && $Heap[temp3, $localinv] == $typeof(temp3);
+ assume (forall $i: int :: IntArrayGet($Heap[temp3, $elements], $i) == 0);
+ $Heap[temp3, $allocated] := true;
+ call System.Object..ctor($ElementProxy(temp3, -1));
+ b := temp3;
+ assume IsHeap($Heap);
+ // ----- load field ----- AddMethod.ssc(43,9)
+ assert this != null;
+ stack0o := $Heap[this, Bag.a];
+ // ----- copy ----- AddMethod.ssc(43,9)
+ stack1o := b;
+ // ----- load constant 0 ----- AddMethod.ssc(43,9)
+ stack2i := 0;
+ // ----- call ----- AddMethod.ssc(43,9)
+ assert stack0o != null;
+ call System.Array.CopyTo$System.Array$notnull$System.Int32$.Virtual.$(stack0o, stack1o, stack2i);
+ // ----- store field ----- AddMethod.ssc(44,9)
+ assert this != null;
+ assert $Heap[this, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[this, $ownerRef], $inv] <: $Heap[this, $ownerFrame]) || $Heap[$Heap[this, $ownerRef], $localinv] == $BaseClass($Heap[this, $ownerFrame]);
+ assert ($Heap[b, $ownerRef] == this && $Heap[b, $ownerFrame] == Bag) || $Heap[b, $ownerFrame] == $PeerGroupPlaceholder;
+ assert $Heap[b, $ownerFrame] == $PeerGroupPlaceholder && $Heap[this, $inv] <: Bag && $Heap[this, $localinv] != $BaseClass(Bag) ==> (forall $pc: ref :: { $typeof($pc) } { $Heap[$pc, $localinv] } { $Heap[$pc, $inv] } { $Heap[$pc, $ownerFrame] } { $Heap[$pc, $ownerRef] } $pc != null && $Heap[$pc, $allocated] && $Heap[$pc, $ownerRef] == $Heap[b, $ownerRef] && $Heap[$pc, $ownerFrame] == $Heap[b, $ownerFrame] ==> $Heap[$pc, $inv] == $typeof($pc) && $Heap[$pc, $localinv] == $typeof($pc));
+ assert $Heap[b, $ownerFrame] == $PeerGroupPlaceholder && $Heap[this, $inv] <: Bag && $Heap[this, $localinv] != $BaseClass(Bag) ==> $Heap[this, $ownerRef] != $Heap[b, $ownerRef] || $Heap[this, $ownerFrame] != $Heap[b, $ownerFrame];
+ call $UpdateOwnersForRep(this, Bag, b);
+ havoc temp4;
+ $Heap[this, $exposeVersion] := temp4;
+ $Heap[this, Bag.a] := b;
+ assert !($Heap[this, $inv] <: Bag && $Heap[this, $localinv] != $BaseClass(Bag)) || 0 <= $Heap[this, Bag.n];
+ assert !($Heap[this, $inv] <: Bag && $Heap[this, $localinv] != $BaseClass(Bag)) || $Heap[this, Bag.n] <= $Length($Heap[this, Bag.a]);
+ assume IsHeap($Heap);
+ goto block6392;
+
+ block6562:
+ stack0o := null;
+ // ----- binary operator
+ // ----- branch
+ goto true6562to6477, false6562to6579;
+
+ true6562to6477:
+ assume local2 == stack0o;
+ goto block6477;
+
+ false6562to6579:
+ assume local2 != stack0o;
+ goto block6579;
+
+ block6477:
+ // ----- load token ----- AddMethod.ssc(48,5)
+ havoc stack0s;
+ assume $IsTokenForType(stack0s, Bag);
+ // ----- statically resolved GetTypeFromHandle call ----- AddMethod.ssc(48,5)
+ stack0o := TypeObject(Bag);
+ // ----- local pack ----- AddMethod.ssc(48,5)
+ assert temp0 != null;
+ assert $Heap[temp0, $localinv] == System.Object;
+ assert 0 <= $Heap[temp0, Bag.n];
+ assert $Heap[temp0, Bag.n] <= $Length($Heap[temp0, Bag.a]);
+ assert (forall $p: ref :: $p != null && $Heap[$p, $allocated] && $Heap[$p, $ownerRef] == temp0 && $Heap[$p, $ownerFrame] == Bag ==> $Heap[$p, $inv] == $typeof($p) && $Heap[$p, $localinv] == $typeof($p));
+ $Heap[temp0, $localinv] := $typeof(temp0);
+ assume IsHeap($Heap);
+ goto block6545;
+
+ block6579:
+ // ----- is instance
+ // ----- branch
+ goto true6579to6477, false6579to6528;
+
+ true6579to6477:
+ assume $As(local2, Microsoft.Contracts.ICheckedException) != null;
+ goto block6477;
+
+ false6579to6528:
+ assume $As(local2, Microsoft.Contracts.ICheckedException) == null;
+ goto block6528;
+
+ block6528:
+ // ----- branch
+ goto block6545;
+
+ block6545:
+ // ----- nop
+ // ----- branch
+ goto block6443;
+
+ block6443:
+ // ----- return
+ return;
+}
+
+
+
+procedure Bag..cctor();
+ free requires $BeingConstructed == null;
+ free requires $PurityAxiomsCanBeAssumed;
+ modifies $Heap, $ActivityIndicator;
+ // newly allocated objects are fully valid
+ free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } $o != null && !old($Heap)[$o, $allocated] && $Heap[$o, $allocated] ==> $Heap[$o, $inv] == $typeof($o) && $Heap[$o, $localinv] == $typeof($o));
+ // first consistent owner unchanged if its exposeVersion is
+ free ensures (forall $o: ref :: { $Heap[$o, $FirstConsistentOwner] } old($Heap)[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] == $Heap[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] ==> old($Heap)[$o, $FirstConsistentOwner] == $Heap[$o, $FirstConsistentOwner]);
+ // frame condition
+ ensures (forall<a> $o: ref, $f: Field a :: { $Heap[$o, $f] } IncludeInMainFrameCondition($f) && $o != null && old($Heap)[$o, $allocated] && (old($Heap)[$o, $ownerFrame] == $PeerGroupPlaceholder || !(old($Heap)[old($Heap)[$o, $ownerRef], $inv] <: old($Heap)[$o, $ownerFrame]) || old($Heap)[old($Heap)[$o, $ownerRef], $localinv] == $BaseClass(old($Heap)[$o, $ownerFrame])) && old(true) && old(true) ==> old($Heap)[$o, $f] == $Heap[$o, $f]);
+ free ensures $HeapSucc(old($Heap), $Heap);
+ // inv/localinv change only in blocks
+ free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } old($Heap)[$o, $allocated] ==> old($Heap)[$o, $inv] == $Heap[$o, $inv] && old($Heap)[$o, $localinv] == $Heap[$o, $localinv]);
+ free ensures (forall $o: ref :: { $Heap[$o, $allocated] } old($Heap)[$o, $allocated] ==> $Heap[$o, $allocated]) && (forall $ot: ref :: { $Heap[$ot, $ownerFrame] } { $Heap[$ot, $ownerRef] } old($Heap)[$ot, $allocated] && old($Heap)[$ot, $ownerFrame] != $PeerGroupPlaceholder ==> $Heap[$ot, $ownerRef] == old($Heap)[$ot, $ownerRef] && $Heap[$ot, $ownerFrame] == old($Heap)[$ot, $ownerFrame]) && old($Heap)[$BeingConstructed, $NonNullFieldsAreInitialized] == $Heap[$BeingConstructed, $NonNullFieldsAreInitialized];
+ free ensures (forall $o: ref :: { $Heap[$o, $sharingMode] } old($Heap[$o, $sharingMode]) == $Heap[$o, $sharingMode]);
+
+
+
+implementation Bag..cctor()
+{
+
+ entry:
+ goto block7650;
+
+ block7650:
+ goto block7701;
+
+ block7701:
+ // ----- nop
+ // ----- return
+ return;
+}
+
+
diff --git a/Test/test7/Answer b/Test/test7/Answer
new file mode 100644
index 00000000..82c84446
--- /dev/null
+++ b/Test/test7/Answer
@@ -0,0 +1,64 @@
+------------------------------ NestedVC.bpl ---------------------
+NestedVC.bpl(15,4): Error BP5001: This assertion might not hold.
+Execution trace:
+ NestedVC.bpl(14,1): A
+ NestedVC.bpl(15,1): B
+
+Boogie program verifier finished with 1 verified, 1 error
+------------------------------ UnreachableBlocks.bpl ---------------------
+
+Boogie program verifier finished with 4 verified, 0 errors
+------------------------------ MultipleErrors.bpl ---------------------
+
+----- /vc:block
+MultipleErrors.bpl(7,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MultipleErrors.bpl(3,1): start
+ MultipleErrors.bpl(6,1): A
+
+Boogie program verifier finished with 0 verified, 1 error
+
+----- /vc:local
+MultipleErrors.bpl(11,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MultipleErrors.bpl(10,1): B
+
+Boogie program verifier finished with 0 verified, 1 error
+
+----- /vc:dag
+MultipleErrors.bpl(7,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MultipleErrors.bpl(3,1): start
+ MultipleErrors.bpl(6,1): A
+
+Boogie program verifier finished with 0 verified, 1 error
+
+----- /errorLimit:10 /vc:local
+MultipleErrors.bpl(7,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MultipleErrors.bpl(6,1): A
+MultipleErrors.bpl(11,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MultipleErrors.bpl(10,1): B
+MultipleErrors.bpl(15,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MultipleErrors.bpl(14,1): C
+
+Boogie program verifier finished with 0 verified, 3 errors
+
+----- /errorLimit:10 /vc:dag
+MultipleErrors.bpl(7,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MultipleErrors.bpl(3,1): start
+ MultipleErrors.bpl(6,1): A
+MultipleErrors.bpl(11,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MultipleErrors.bpl(3,1): start
+ MultipleErrors.bpl(10,1): B
+MultipleErrors.bpl(15,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MultipleErrors.bpl(3,1): start
+ MultipleErrors.bpl(6,1): A
+ MultipleErrors.bpl(14,1): C
+
+Boogie program verifier finished with 0 verified, 3 errors
diff --git a/Test/test7/MultipleErrors.bpl b/Test/test7/MultipleErrors.bpl
new file mode 100644
index 00000000..5a2024d4
--- /dev/null
+++ b/Test/test7/MultipleErrors.bpl
@@ -0,0 +1,17 @@
+procedure P(x: int)
+{
+start:
+ goto A, B;
+
+A:
+ assert 0 <= x;
+ goto C;
+
+B:
+ assert x < 100;
+ goto C;
+
+C:
+ assert x == 87;
+ return;
+}
diff --git a/Test/test7/NestedVC.bpl b/Test/test7/NestedVC.bpl
new file mode 100644
index 00000000..d88eefea
--- /dev/null
+++ b/Test/test7/NestedVC.bpl
@@ -0,0 +1,21 @@
+procedure P()
+{
+A: goto B, C;
+B: goto G;
+C: goto D, E;
+D: goto F;
+E: goto F;
+F: goto G;
+G: return;
+}
+
+procedure Q(x: bool)
+{
+A: goto B, C;
+B: assert x; goto G;
+C: goto D, E;
+D: goto F;
+E: goto F;
+F: goto G;
+G: return;
+}
diff --git a/Test/test7/Output b/Test/test7/Output
new file mode 100644
index 00000000..82c84446
--- /dev/null
+++ b/Test/test7/Output
@@ -0,0 +1,64 @@
+------------------------------ NestedVC.bpl ---------------------
+NestedVC.bpl(15,4): Error BP5001: This assertion might not hold.
+Execution trace:
+ NestedVC.bpl(14,1): A
+ NestedVC.bpl(15,1): B
+
+Boogie program verifier finished with 1 verified, 1 error
+------------------------------ UnreachableBlocks.bpl ---------------------
+
+Boogie program verifier finished with 4 verified, 0 errors
+------------------------------ MultipleErrors.bpl ---------------------
+
+----- /vc:block
+MultipleErrors.bpl(7,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MultipleErrors.bpl(3,1): start
+ MultipleErrors.bpl(6,1): A
+
+Boogie program verifier finished with 0 verified, 1 error
+
+----- /vc:local
+MultipleErrors.bpl(11,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MultipleErrors.bpl(10,1): B
+
+Boogie program verifier finished with 0 verified, 1 error
+
+----- /vc:dag
+MultipleErrors.bpl(7,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MultipleErrors.bpl(3,1): start
+ MultipleErrors.bpl(6,1): A
+
+Boogie program verifier finished with 0 verified, 1 error
+
+----- /errorLimit:10 /vc:local
+MultipleErrors.bpl(7,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MultipleErrors.bpl(6,1): A
+MultipleErrors.bpl(11,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MultipleErrors.bpl(10,1): B
+MultipleErrors.bpl(15,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MultipleErrors.bpl(14,1): C
+
+Boogie program verifier finished with 0 verified, 3 errors
+
+----- /errorLimit:10 /vc:dag
+MultipleErrors.bpl(7,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MultipleErrors.bpl(3,1): start
+ MultipleErrors.bpl(6,1): A
+MultipleErrors.bpl(11,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MultipleErrors.bpl(3,1): start
+ MultipleErrors.bpl(10,1): B
+MultipleErrors.bpl(15,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ MultipleErrors.bpl(3,1): start
+ MultipleErrors.bpl(6,1): A
+ MultipleErrors.bpl(14,1): C
+
+Boogie program verifier finished with 0 verified, 3 errors
diff --git a/Test/test7/UnreachableBlocks.bpl b/Test/test7/UnreachableBlocks.bpl
new file mode 100644
index 00000000..6ed287a3
--- /dev/null
+++ b/Test/test7/UnreachableBlocks.bpl
@@ -0,0 +1,40 @@
+// In the following program, block "A" has no dominator, which would cause Boogie
+// to crash if Boogie didn't first remove unreachable blocks. That is essentially
+// what this test tests
+procedure P()
+{
+entry:
+ goto A;
+A:
+ return;
+B:
+ goto A;
+}
+
+procedure Q()
+{
+entry:
+ goto entry, A;
+A:
+ return;
+}
+
+procedure R()
+{
+entry:
+ return;
+A:
+ goto A;
+}
+
+procedure S()
+{
+entry:
+ return;
+A:
+ goto C;
+B:
+ goto C;
+C: // C has no dominator
+ return;
+}
diff --git a/Test/test7/runtest.bat b/Test/test7/runtest.bat
new file mode 100644
index 00000000..8da87233
--- /dev/null
+++ b/Test/test7/runtest.bat
@@ -0,0 +1,34 @@
+@echo off
+setlocal
+
+set BOOGIEDIR=..\..\Binaries
+set BGEXE=%BOOGIEDIR%\Boogie.exe
+
+echo ------------------------------ NestedVC.bpl ---------------------
+%BGEXE% %* /vc:nested NestedVC.bpl
+
+echo ------------------------------ UnreachableBlocks.bpl ---------------------
+%BGEXE% %* /vc:nested UnreachableBlocks.bpl
+
+echo ------------------------------ MultipleErrors.bpl ---------------------
+rem The following tests are rather fickle at the moment--different errors
+rem may be reported during different runs. Moreover, it is conceivable that
+rem the error trace would be reported in different orders, since we do not
+rem attempt to sort the trace labels at this time.
+rem An interesting thing is that /vc:local can with Simplify report more than one
+rem error for this file, even with /errorLimit:1. Other than that, only
+rem local and dag produce VCs to which Simplify actually produces different
+rem counterexamples.
+
+setlocal
+for %%f in (block local dag) do (
+ echo.
+ echo ----- /vc:%%f
+ %BGEXE% %* /errorLimit:1 /errorTrace:1 /vc:%%f /logPrefix:-1%%f MultipleErrors.bpl
+)
+for %%f in (local dag) do (
+ echo.
+ echo ----- /errorLimit:10 /vc:%%f
+ %BGEXE% %* /errorLimit:10 /errorTrace:1 /vc:%%f /logPrefix:-10%%f MultipleErrors.bpl
+)
+endlocal
diff --git a/Test/textbook/Answer b/Test/textbook/Answer
new file mode 100644
index 00000000..9e2227dc
--- /dev/null
+++ b/Test/textbook/Answer
@@ -0,0 +1,12 @@
+
+------------------------------ Find.bpl ---------------------
+
+Boogie program verifier finished with 2 verified, 0 errors
+
+------------------------------ DutchFlag.bpl ---------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+
+------------------------------ Bubble.bpl ---------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
diff --git a/Test/textbook/Bubble.bpl b/Test/textbook/Bubble.bpl
new file mode 100644
index 00000000..51a8cefa
--- /dev/null
+++ b/Test/textbook/Bubble.bpl
@@ -0,0 +1,66 @@
+// Bubble sort, where specification says the output is a permutation of its input
+// Rustan Leino, 30 April 2009
+
+const N: int;
+axiom 0 <= N;
+
+var a: [int]int;
+
+procedure BubbleSort() returns (perm: [int]int)
+ modifies a;
+ // array is sorted
+ ensures (forall i, j: int :: 0 <= i && i <= j && j < N ==> a[i] <= a[j]);
+ // perm is a permutation
+ ensures (forall i: int :: 0 <= i && i < N ==> 0 <= perm[i] && perm[i] < N);
+ ensures (forall i, j: int :: 0 <= i && i < j && j < N ==> perm[i] != perm[j]);
+ // the final array is that permutation of the input array
+ ensures (forall i: int :: 0 <= i && i < N ==> a[i] == old(a)[perm[i]]);
+{
+ var n, p, tmp: int;
+
+ n := 0;
+ while (n < N)
+ invariant n <= N;
+ invariant (forall i: int :: 0 <= i && i < n ==> perm[i] == i);
+ {
+ perm[n] := n;
+ n := n + 1;
+ }
+
+ while (true)
+ invariant 0 <= n && n <= N;
+ // array is sorted from n onwards
+ invariant (forall i, k: int :: n <= i && i < N && 0 <= k && k < i ==> a[k] <= a[i]);
+ // perm is a permutation
+ invariant (forall i: int :: 0 <= i && i < N ==> 0 <= perm[i] && perm[i] < N);
+ invariant (forall i, j: int :: 0 <= i && i < j && j < N ==> perm[i] != perm[j]);
+ // the current array is that permutation of the input array
+ invariant (forall i: int :: 0 <= i && i < N ==> a[i] == old(a)[perm[i]]);
+ {
+ n := n - 1;
+ if (n < 0) {
+ break;
+ }
+
+ p := 0;
+ while (p < n)
+ invariant p <= n;
+ // array is sorted from n+1 onwards
+ invariant (forall i, k: int :: n+1 <= i && i < N && 0 <= k && k < i ==> a[k] <= a[i]);
+ // perm is a permutation
+ invariant (forall i: int :: 0 <= i && i < N ==> 0 <= perm[i] && perm[i] < N);
+ invariant (forall i, j: int :: 0 <= i && i < j && j < N ==> perm[i] != perm[j]);
+ // the current array is that permutation of the input array
+ invariant (forall i: int :: 0 <= i && i < N ==> a[i] == old(a)[perm[i]]);
+ // a[p] is at least as large as any of the first p elements
+ invariant (forall k: int :: 0 <= k && k < p ==> a[k] <= a[p]);
+ {
+ if (a[p+1] < a[p]) {
+ tmp := a[p]; a[p] := a[p+1]; a[p+1] := tmp;
+ tmp := perm[p]; perm[p] := perm[p+1]; perm[p+1] := tmp;
+ }
+
+ p := p + 1;
+ }
+ }
+}
diff --git a/Test/textbook/DutchFlag.bpl b/Test/textbook/DutchFlag.bpl
new file mode 100644
index 00000000..34065b7d
--- /dev/null
+++ b/Test/textbook/DutchFlag.bpl
@@ -0,0 +1,62 @@
+
+var A: [int]int;
+const N: int;
+
+procedure Partition(l: int, r: int) returns (result: int)
+ requires 0 <= l && l+2 <= r && r <= N;
+ modifies A;
+ ensures l <= result && result < r;
+ ensures (forall k: int, j: int :: l <= k && k < result && result <= j && j < r ==> A[k] <= A[j]);
+ ensures (forall k: int :: l <= k && k < result ==> A[k] <= old(A)[l]);
+ ensures (forall k: int :: result <= k && k < r ==> old(A)[l] <= A[k]);
+{
+ var pv: int;
+ var i: int;
+ var j: int;
+ var tmp: int;
+
+ start:
+ pv := A[l];
+ i := l;
+ j := r-1;
+ // swap A[l] and A[j]
+ tmp := A[l];
+ A[l] := A[j];
+ A[j] := tmp;
+ goto LoopHead;
+
+ LoopHead:
+ assert (forall k: int :: l <= k && k < i ==> A[k] <= pv);
+ assert (forall k: int :: j <= k && k < r ==> pv <= A[k]);
+ assert l <= i && i <= j && j < r;
+ goto A, B, C, exit;
+
+ A:
+ assume i < j;
+ assume A[i] <= pv;
+ i := i + 1;
+ goto LoopHead;
+
+ B:
+ assume i < j;
+ assume pv <= A[j-1];
+ j := j - 1;
+ goto LoopHead;
+
+ C:
+ assume i < j;
+ assume A[j-1] < pv && pv < A[i];
+ // swap A[j-1] and A[i]
+ tmp := A[i];
+ A[i] := A[j-1];
+ A[j-1] := tmp;
+ assert A[i] < pv && pv < A[j-1];
+ i := i + 1;
+ j := j - 1;
+ goto LoopHead;
+
+ exit:
+ assume i == j;
+ result := i;
+ return;
+}
diff --git a/Test/textbook/Find.bpl b/Test/textbook/Find.bpl
new file mode 100644
index 00000000..d84209e1
--- /dev/null
+++ b/Test/textbook/Find.bpl
@@ -0,0 +1,39 @@
+// This program is featured in KRML 168, the Marktoberdorf lecture notes
+// "A verifying compiler for a multi-threaded object-oriented language" by
+// Leino and Schulte.
+
+const K: int;
+function f(int) returns (int);
+axiom (exists k: int :: f(k) == K);
+
+procedure Find(a: int, b: int) returns (k: int);
+ requires a <= b;
+ requires (forall j: int :: a < j && j < b ==> f(j) != K);
+ ensures f(k) == K;
+
+implementation Find(a: int, b: int) returns (k: int)
+{
+ entry:
+ goto A, B, C;
+
+ A:
+ assume f(a) == K; k := a;
+ return;
+
+ B:
+ assume f(b) == K; k := b;
+ return;
+
+ C:
+ assume f(a) != K && f(b) != K;
+ call k := Find(a-1, b+1);
+ return;
+}
+
+procedure Main() returns (k: int)
+ ensures f(k) == K;
+{
+ entry:
+ call k := Find(0, 0);
+ return;
+}
diff --git a/Test/textbook/Output b/Test/textbook/Output
new file mode 100644
index 00000000..9e2227dc
--- /dev/null
+++ b/Test/textbook/Output
@@ -0,0 +1,12 @@
+
+------------------------------ Find.bpl ---------------------
+
+Boogie program verifier finished with 2 verified, 0 errors
+
+------------------------------ DutchFlag.bpl ---------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+
+------------------------------ Bubble.bpl ---------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
diff --git a/Test/textbook/runtest.bat b/Test/textbook/runtest.bat
new file mode 100644
index 00000000..6e39e589
--- /dev/null
+++ b/Test/textbook/runtest.bat
@@ -0,0 +1,13 @@
+@echo off
+
+set BOOGIEDIR=..\..\Binaries
+set BPLEXE=%BOOGIEDIR%\Boogie.exe
+
+REM ======================
+REM ====================== Examples written in Boogie
+REM ======================
+for %%f in (Find.bpl DutchFlag.bpl Bubble.bpl) do (
+ echo.
+ echo ------------------------------ %%f ---------------------
+ %BPLEXE% %* %%f
+)
diff --git a/Test/z3api/Answer b/Test/z3api/Answer
new file mode 100644
index 00000000..782aa852
--- /dev/null
+++ b/Test/z3api/Answer
@@ -0,0 +1,187 @@
+
+-------------------- boog0.bpl --------------------
+boog0.bpl(51,1): Error BP5003: A postcondition might not hold at this return statement.
+boog0.bpl(45,3): Related location: This is the postcondition that might not hold.
+Execution trace:
+ boog0.bpl(48,7): anon0
+
+Boogie program verifier finished with 1 verified, 1 error
+
+-------------------- boog1.bpl --------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+
+-------------------- boog2.bpl --------------------
+boog2.bpl(23,1): Error BP5003: A postcondition might not hold at this return statement.
+boog2.bpl(19,3): Related location: This is the postcondition that might not hold.
+Execution trace:
+ boog2.bpl(22,8): anon0
+
+Boogie program verifier finished with 1 verified, 1 error
+
+-------------------- boog3.bpl --------------------
+boog3.bpl(6,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ boog3.bpl(6,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+
+-------------------- boog4.bpl --------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+
+-------------------- boog5.bpl --------------------
+boog5.bpl(36,3): Error BP5003: A postcondition might not hold at this return statement.
+boog5.bpl(29,3): Related location: This is the postcondition that might not hold.
+Execution trace:
+ boog5.bpl(32,3): anon0
+ boog5.bpl(35,13): anon3_Else
+
+Boogie program verifier finished with 0 verified, 1 error
+
+-------------------- boog6.bpl --------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+
+-------------------- boog7.bpl --------------------
+boog7.bpl(17,1): Error BP5003: A postcondition might not hold at this return statement.
+boog7.bpl(13,3): Related location: This is the postcondition that might not hold.
+Execution trace:
+ boog7.bpl(16,11): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+
+-------------------- boog8.bpl --------------------
+boog8.bpl(7,12): Error: no bitvector handling specified, please use /bv:i or /bv:z flag
+boog8.bpl(7,18): Error: no bitvector handling specified, please use /bv:i or /bv:z flag
+2 type checking errors detected in boog8.bpl
+
+-------------------- boog9.bpl --------------------
+boog9.bpl(19,1): Error BP5003: A postcondition might not hold at this return statement.
+boog9.bpl(15,3): Related location: This is the postcondition that might not hold.
+Execution trace:
+ boog9.bpl(18,11): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+
+-------------------- boog10.bpl --------------------
+boog10.bpl(18,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ boog10.bpl(18,3): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+
+-------------------- boog11.bpl --------------------
+boog11.bpl(14,1): Error BP5003: A postcondition might not hold at this return statement.
+boog11.bpl(10,3): Related location: This is the postcondition that might not hold.
+Execution trace:
+ boog11.bpl(13,8): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+
+-------------------- boog12.bpl --------------------
+boog12.bpl(18,1): Error BP5003: A postcondition might not hold at this return statement.
+boog12.bpl(13,3): Related location: This is the postcondition that might not hold.
+Execution trace:
+ boog12.bpl(16,16): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+
+-------------------- boog13.bpl --------------------
+boog13.bpl(9,11): Error: more than one declaration of variable name: v
+1 name resolution errors detected in boog13.bpl
+
+-------------------- boog14.bpl --------------------
+boog14.bpl(11,1): Error BP5003: A postcondition might not hold at this return statement.
+boog14.bpl(8,1): Related location: This is the postcondition that might not hold.
+Execution trace:
+ boog14.bpl(10,8): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+
+-------------------- boog15.bpl --------------------
+boog15.bpl(10,1): Error BP5003: A postcondition might not hold at this return statement.
+boog15.bpl(7,1): Related location: This is the postcondition that might not hold.
+Execution trace:
+ boog15.bpl(9,8): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+
+-------------------- boog16.bpl --------------------
+boog16.bpl(11,1): Error BP5003: A postcondition might not hold at this return statement.
+boog16.bpl(8,1): Related location: This is the postcondition that might not hold.
+Execution trace:
+ boog16.bpl(10,8): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+
+-------------------- boog17.bpl --------------------
+boog17.bpl(24,3): Error BP5001: This assertion might not hold.
+Execution trace:
+ boog17.bpl(15,1): start
+ boog17.bpl(19,1): label_3
+ boog17.bpl(22,1): label_4
+
+Boogie program verifier finished with 0 verified, 1 error
+
+-------------------- boog18.bpl --------------------
+boog18.bpl(15,1): Error BP5003: A postcondition might not hold at this return statement.
+boog18.bpl(12,1): Related location: This is the postcondition that might not hold.
+Execution trace:
+ boog18.bpl(14,4): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+
+-------------------- boog19.bpl --------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+
+-------------------- boog20.bpl --------------------
+boog20.bpl(15,1): Error BP5001: This assertion might not hold.
+Execution trace:
+ boog20.bpl(15,1): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+
+-------------------- boog21.bpl --------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+
+-------------------- boog22.bpl --------------------
+boog22.bpl(4,9): Error: more than one declaration of function/procedure name: f1
+1 name resolution errors detected in boog22.bpl
+
+-------------------- boog23.bpl --------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+
+-------------------- boog24.bpl --------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+
+-------------------- boog25.bpl --------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+
+-------------------- boog28.bpl --------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+
+-------------------- boog29.bpl --------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+
+-------------------- boog30.bpl --------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
+
+-------------------- boog31.bpl --------------------
+boog31.bpl(12,1): Error BP5001: This assertion might not hold.
+Execution trace:
+ boog31.bpl(12,1): anon0
+
+Boogie program verifier finished with 0 verified, 1 error
+
+-------------------- boog34.bpl --------------------
+
+Boogie program verifier finished with 1 verified, 0 errors
diff --git a/Test/z3api/Boog24.bpl b/Test/z3api/Boog24.bpl
new file mode 100644
index 00000000..c5e2eea6
--- /dev/null
+++ b/Test/z3api/Boog24.bpl
@@ -0,0 +1,16 @@
+
+function LIFT(a:bool) returns (int);
+axiom(forall a:bool :: {LIFT(a)} a <==> LIFT(a) != 0);
+
+procedure main ( )
+
+{
+var a : int;
+var b : int;
+var c : int;
+
+c := LIFT (b < a) ;
+assert (c != 0 <==> b < a);
+
+}
+
diff --git a/Test/z3api/boog0.bpl b/Test/z3api/boog0.bpl
new file mode 100644
index 00000000..1b9bee36
--- /dev/null
+++ b/Test/z3api/boog0.bpl
@@ -0,0 +1,48 @@
+type Wicket;
+const w: Wicket;
+var favorite: Wicket;
+function age(Wicket) returns (int);
+
+axiom age(w)==7;
+
+procedure NewFavorite(p: Wicket);
+ modifies favorite ;
+
+ ensures favorite==p;
+
+implementation NewFavorite(l: Wicket) {
+ favorite:=l;
+}
+
+const myBool: bool;
+const myRef: ref;
+const v: Wicket;
+
+axiom 7 < 8;
+axiom 7 <= 8;
+axiom 8 > 7;
+axiom 8 >= 7;
+axiom 6 != 7;
+
+axiom 7+1==8;
+axiom 8-1==7;
+axiom 7/1==7;
+axiom 7%2==1;
+axiom 4*2==8;
+
+axiom ((7==7) || (8==8));
+axiom ((7==7) ==> (7<8));
+axiom ((7==7) <==> (10==10));
+axiom ((7==7) && (8==8));
+
+var favorite2: Wicket;
+procedure SwapFavorites()
+ modifies favorite,favorite2 ;
+
+ ensures (favorite==old(favorite2)) && (favorite2==old(favorite));
+{
+ var temp: Wicket;
+ temp:=favorite;
+ favorite:=favorite2;
+ // favorite2:=temp; // commenting this line seeds a bug
+}
diff --git a/Test/z3api/boog1.bpl b/Test/z3api/boog1.bpl
new file mode 100644
index 00000000..6b6cce75
--- /dev/null
+++ b/Test/z3api/boog1.bpl
@@ -0,0 +1,16 @@
+type Wicket;
+const w: Wicket;
+var favorite: Wicket;
+
+function age(Wicket) returns (int);
+
+axiom age(w)==7;
+
+procedure NewFavorite(p: Wicket);
+ modifies favorite ;
+
+ ensures favorite==p;
+
+implementation NewFavorite(l: Wicket) {
+ favorite:=l;
+} \ No newline at end of file
diff --git a/Test/z3api/boog10.bpl b/Test/z3api/boog10.bpl
new file mode 100644
index 00000000..5ac43287
--- /dev/null
+++ b/Test/z3api/boog10.bpl
@@ -0,0 +1,22 @@
+// types
+type Color;
+const unique red: Color;
+const unique blue: Color;
+const unique green: Color;
+
+axiom (forall ce:Color :: ce==red || ce==blue || ce==green);
+var myColor: Color;
+
+// procedure
+procedure SetTo(c: Color);
+ modifies myColor ;
+
+ ensures myColor==c;
+
+implementation SetTo(c: Color) {
+ assert (blue==green);
+ myColor:=blue;
+}
+
+
+
diff --git a/Test/z3api/boog11.bpl b/Test/z3api/boog11.bpl
new file mode 100644
index 00000000..e66802ea
--- /dev/null
+++ b/Test/z3api/boog11.bpl
@@ -0,0 +1,16 @@
+// types
+const top: ref;
+var myRef: ref;
+
+// procedure
+procedure SetTo(r: ref);
+ modifies myRef ;
+
+ ensures myRef==r;
+
+implementation SetTo(c: ref) {
+ myRef:=top;
+}
+
+
+
diff --git a/Test/z3api/boog12.bpl b/Test/z3api/boog12.bpl
new file mode 100644
index 00000000..d20a8f35
--- /dev/null
+++ b/Test/z3api/boog12.bpl
@@ -0,0 +1,20 @@
+// types
+type Color;
+const blue: Color;
+
+var myArray:[int] Color;
+var myMatrix:[int,int] Color;
+
+// procedure
+procedure SetTo(c: Color);
+ modifies myArray, myMatrix ;
+
+ ensures myArray[0]==c;
+
+implementation SetTo(c: Color) {
+ myMatrix[0,1]:=c;
+ myArray[0]:=blue;
+}
+
+
+
diff --git a/Test/z3api/boog13.bpl b/Test/z3api/boog13.bpl
new file mode 100644
index 00000000..a4f854f5
--- /dev/null
+++ b/Test/z3api/boog13.bpl
@@ -0,0 +1,25 @@
+// types
+type Wicket;
+var favorite: Wicket;
+var v: Wicket;
+
+function age(w:Wicket) returns (int);
+
+axiom (exists v:Wicket :: age(v)<8 &&
+ (forall v:Wicket :: age(v)==7)
+
+ );
+
+
+// procedure
+procedure SetToSeven(p: Wicket);
+ modifies favorite ;
+
+ ensures favorite==p;
+
+implementation SetToSeven(l: Wicket) {
+ favorite:=favorite;
+}
+
+
+
diff --git a/Test/z3api/boog14.bpl b/Test/z3api/boog14.bpl
new file mode 100644
index 00000000..c163ed18
--- /dev/null
+++ b/Test/z3api/boog14.bpl
@@ -0,0 +1,11 @@
+function choose(a:bool, b:int, c:int) returns (x:int);
+axiom(forall a:bool, b:int, c:int :: {choose(a,b,c)} a ==> choose(a,b,c) == b);
+
+
+var myInt:int;
+procedure main()
+modifies myInt;
+ensures myInt==5;
+{
+ myInt:=4;
+} \ No newline at end of file
diff --git a/Test/z3api/boog15.bpl b/Test/z3api/boog15.bpl
new file mode 100644
index 00000000..ef792b2b
--- /dev/null
+++ b/Test/z3api/boog15.bpl
@@ -0,0 +1,10 @@
+function AtLeast(int, int) returns ([int]bool);
+axiom(forall n:int, x:int :: {AtLeast(n,x)} AtLeast(n,x)[x]);
+
+var myInt:int;
+procedure main()
+modifies myInt;
+ensures myInt==5;
+{
+ myInt:=4;
+} \ No newline at end of file
diff --git a/Test/z3api/boog16.bpl b/Test/z3api/boog16.bpl
new file mode 100644
index 00000000..48afd41d
--- /dev/null
+++ b/Test/z3api/boog16.bpl
@@ -0,0 +1,11 @@
+function choose(a:bool, b:int, c:int) returns (x:int);
+axiom(forall a:bool, b:int, c:int ::
+ {choose(a,b,c)} !a ==> choose(a,b,c) == c);
+
+var myInt:int;
+procedure main()
+modifies myInt;
+ensures myInt==5;
+{
+ myInt:=4;
+} \ No newline at end of file
diff --git a/Test/z3api/boog17.bpl b/Test/z3api/boog17.bpl
new file mode 100644
index 00000000..6f886f49
--- /dev/null
+++ b/Test/z3api/boog17.bpl
@@ -0,0 +1,25 @@
+const unique g : int;
+axiom(g != 0);
+
+const unique PINT4_name:name;
+
+function PLUS(a:int, a_size:int, b:int) returns (int);
+axiom(forall a:int, a_size:int, b:int :: {PLUS(a,a_size,b)} PLUS(a,a_size,b) == a + a_size * b);
+
+function HasType(v:int, t:name) returns (bool);
+
+
+procedure main ( ) returns ($result.main$11.5$1$:int) {
+ var p : int;
+
+start:
+ assume(HasType(p, PINT4_name));
+ goto label_3;
+
+label_3:
+ goto label_4;
+
+label_4:
+ p := PLUS(g, 4, 55) ;
+ assert(HasType(p, PINT4_name));
+} \ No newline at end of file
diff --git a/Test/z3api/boog18.bpl b/Test/z3api/boog18.bpl
new file mode 100644
index 00000000..fe0cbc10
--- /dev/null
+++ b/Test/z3api/boog18.bpl
@@ -0,0 +1,15 @@
+const A100INT4_name:int;
+
+function Match(a:int, t:int) returns (int);
+function Array(int, int, int) returns (bool);
+
+axiom(forall a:int :: {Match(a, A100INT4_name)} Array(a, 4, 100));
+
+const myNull: int;
+var p: int;
+procedure main()
+modifies p;
+ensures p!=myNull;
+{
+ p:=myNull;
+} \ No newline at end of file
diff --git a/Test/z3api/boog19.bpl b/Test/z3api/boog19.bpl
new file mode 100644
index 00000000..17b199dd
--- /dev/null
+++ b/Test/z3api/boog19.bpl
@@ -0,0 +1,228 @@
+var alloc:[int]name;
+
+
+function Field(int) returns (name);
+function Base(int) returns (int);
+
+// Constants
+const unique UNALLOCATED:name;
+const unique ALLOCATED: name;
+const unique FREED:name;
+
+const unique BYTE:name;
+
+function Equal([int]bool, [int]bool) returns (bool);
+function Subset([int]bool, [int]bool) returns (bool);
+function Disjoint([int]bool, [int]bool) returns (bool);
+
+function Empty() returns ([int]bool);
+function Singleton(int) returns ([int]bool);
+function Reachable([int,int]bool, int) returns ([int]bool);
+function Union([int]bool, [int]bool) returns ([int]bool);
+function Intersection([int]bool, [int]bool) returns ([int]bool);
+function Difference([int]bool, [int]bool) returns ([int]bool);
+function Dereference([int]bool, [int]int) returns ([int]bool);
+function Inverse(f:[int]int, x:int) returns ([int]bool);
+
+function AtLeast(int, int) returns ([int]bool);
+function Rep(int, int) returns (int);
+axiom(forall n:int, x:int, y:int :: {AtLeast(n,x)[y]} AtLeast(n,x)[y] ==> x <= y && Rep(n,x) == Rep(n,y));
+axiom(forall n:int, x:int, y:int :: {AtLeast(n,x),Rep(n,x),Rep(n,y)} x <= y && Rep(n,x) == Rep(n,y) ==> AtLeast(n,x)[y]);
+axiom(forall n:int, x:int :: {AtLeast(n,x)} AtLeast(n,x)[x]);
+axiom(forall n:int, x:int, z:int :: {PLUS(x,n,z)} Rep(n,x) == Rep(n,PLUS(x,n,z)));
+axiom(forall n:int, x:int :: {Rep(n,x)} (exists k:int :: Rep(n,x) - x == n*k));
+
+
+function Array(int, int, int) returns ([int]bool);
+axiom(forall x:int, n:int, z:int :: {Array(x,n,z)} z <= 0 ==> Equal(Array(x,n,z), Empty()));
+axiom(forall x:int, n:int, z:int :: {Array(x,n,z)} z > 0 ==> Equal(Array(x,n,z), Difference(AtLeast(n,x),AtLeast(n,PLUS(x,n,z)))));
+
+
+axiom(forall x:int :: !Empty()[x]);
+
+axiom(forall x:int, y:int :: {Singleton(y)[x]} Singleton(y)[x] <==> x == y);
+axiom(forall y:int :: {Singleton(y)} Singleton(y)[y]);
+
+/* this formulation of Union IS more complete than the earlier one */
+/* (A U B)[e], A[d], A U B = Singleton(c), d != e */
+axiom(forall x:int, S:[int]bool, T:[int]bool :: {Union(S,T)[x]} Union(S,T)[x] <==> S[x] || T[x]);
+axiom(forall x:int, S:[int]bool, T:[int]bool :: {Union(S,T), S[x]} S[x] ==> Union(S,T)[x]);
+axiom(forall x:int, S:[int]bool, T:[int]bool :: {Union(S,T), T[x]} T[x] ==> Union(S,T)[x]);
+
+axiom(forall x:int, S:[int]bool, T:[int]bool :: {Intersection(S,T)[x]} Intersection(S,T)[x] <==> S[x] && T[x]);
+axiom(forall x:int, S:[int]bool, T:[int]bool :: {Intersection(S,T), S[x]} S[x] && T[x] ==> Intersection(S,T)[x]);
+axiom(forall x:int, S:[int]bool, T:[int]bool :: {Intersection(S,T), T[x]} S[x] && T[x] ==> Intersection(S,T)[x]);
+
+axiom(forall x:int, S:[int]bool, T:[int]bool :: {Difference(S,T)[x]} Difference(S,T)[x] <==> S[x] && !T[x]);
+axiom(forall x:int, S:[int]bool, T:[int]bool :: {Difference(S,T), S[x]} S[x] ==> Difference(S,T)[x] || T[x]);
+
+axiom(forall x:int, S:[int]bool, M:[int]int :: {Dereference(S,M)[x]} Dereference(S,M)[x] ==> (exists y:int :: x == M[y] && S[y]));
+axiom(forall x:int, S:[int]bool, M:[int]int :: {M[x], S[x], Dereference(S,M)} S[x] ==> Dereference(S,M)[M[x]]);
+axiom(forall x:int, y:int, S:[int]bool, M:[int]int :: {Dereference(S,M[x := y])} !S[x] ==> Equal(Dereference(S,M[x := y]), Dereference(S,M)));
+axiom(forall x:int, y:int, S:[int]bool, M:[int]int :: {Dereference(S,M[x := y])}
+ S[x] && Equal(Intersection(Inverse(M,M[x]), S), Singleton(x)) ==> Equal(Dereference(S,M[x := y]), Union(Difference(Dereference(S,M), Singleton(M[x])), Singleton(y))));
+axiom(forall x:int, y:int, S:[int]bool, M:[int]int :: {Dereference(S,M[x := y])}
+ S[x] && !Equal(Intersection(Inverse(M,M[x]), S), Singleton(x)) ==> Equal(Dereference(S,M[x := y]), Union(Dereference(S,M), Singleton(y))));
+
+axiom(forall f:[int]int, x:int :: {Inverse(f,f[x])} Inverse(f,f[x])[x]);
+axiom(forall f:[int]int, x:int, y:int :: {Inverse(f[x := y],y)} Equal(Inverse(f[x := y],y), Union(Inverse(f,y), Singleton(x))));
+axiom(forall f:[int]int, x:int, y:int, z:int :: {Inverse(f[x := y],z)} y == z || Equal(Inverse(f[x := y],z), Difference(Inverse(f,z), Singleton(x))));
+
+axiom(forall S:[int]bool, T:[int]bool :: {Equal(S,T)} Equal(S,T) <==> Subset(S,T) && Subset(T,S));
+axiom(forall x:int, S:[int]bool, T:[int]bool :: {S[x], Subset(S,T)} S[x] && Subset(S,T) ==> T[x]);
+axiom(forall S:[int]bool, T:[int]bool :: {Subset(S,T)} Subset(S,T) || (exists x:int :: S[x] && !T[x]));
+axiom(forall x:int, S:[int]bool, T:[int]bool :: {S[x], Disjoint(S,T), T[x]} !(S[x] && Disjoint(S,T) && T[x]));
+axiom(forall S:[int]bool, T:[int]bool :: {Disjoint(S,T)} Disjoint(S,T) || (exists x:int :: S[x] && T[x]));
+
+function Unified([name][int]int) returns ([int]int);
+axiom(forall M:[name][int]int, x:int :: {Unified(M)[x]} Unified(M)[x] == M[Field(x)][x]);
+axiom(forall M:[name][int]int, x:int, y:int :: {Unified(M[Field(x) := M[Field(x)][x := y]])} Unified(M[Field(x) := M[Field(x)][x := y]]) == Unified(M)[x := y]);
+// Memory model
+
+var Mem: [name][int]int;
+
+function Match(a:int, t:name) returns (bool);
+function HasType(v:int, t:name) returns (bool);
+function Values(t:name) returns ([int]bool);
+
+axiom(forall v:int, t:name :: {Values(t)[v]} Values(t)[v] ==> HasType(v, t));
+axiom(forall v:int, t:name :: {HasType(v, t), Values(t)} HasType(v, t) ==> Values(t)[v]);
+
+// Field declarations
+
+
+// Type declarations
+
+const unique A100INT4_name:name;
+const unique INT4_name:name;
+const unique PA100INT4_name:name;
+const unique PINT4_name:name;
+const unique PPINT4_name:name;
+
+// Field definitions
+
+// Type definitions
+
+axiom(forall a:int :: {Match(a, A100INT4_name)} Subset(Empty(), Array(a, 4, 100)));
+axiom(forall a:int, e:int :: {Match(a, A100INT4_name), Array(a, 4, 100)[e]}
+ Match(a, A100INT4_name) && Array(a, 4, 100)[e] ==> Match(e, INT4_name));
+
+axiom(forall a:int :: {Match(a, INT4_name)}
+ Match(a, INT4_name) <==> Field(a) == INT4_name);
+axiom(forall v:int :: HasType(v, INT4_name));
+
+axiom(forall a:int :: {Match(a, PA100INT4_name)}
+ Match(a, PA100INT4_name) <==> Field(a) == PA100INT4_name);
+axiom(forall v:int :: {HasType(v, PA100INT4_name)} {Match(v, A100INT4_name)}
+ HasType(v, PA100INT4_name) <==> (v == 0 || (v > 0 && Match(v, A100INT4_name))));
+
+axiom(forall a:int :: {Match(a, PINT4_name)}
+ Match(a, PINT4_name) <==> Field(a) == PINT4_name);
+axiom(forall v:int :: {HasType(v, PINT4_name)} {Match(v, INT4_name)}
+ HasType(v, PINT4_name) <==> (v == 0 || (v > 0 && Match(v, INT4_name))));
+
+axiom(forall a:int :: {Match(a, PPINT4_name)}
+ Match(a, PPINT4_name) <==> Field(a) == PPINT4_name);
+axiom(forall v:int :: {HasType(v, PPINT4_name)} {Match(v, PINT4_name)}
+ HasType(v, PPINT4_name) <==> (v == 0 || (v > 0 && Match(v, PINT4_name))));
+
+function MINUS_BOTH_PTR_OR_BOTH_INT(a:int, b:int, size:int) returns (int);
+axiom(forall a:int, b:int, size:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(a,b,size)}
+size * MINUS_BOTH_PTR_OR_BOTH_INT(a,b,size) <= a - b && a - b < size * (MINUS_BOTH_PTR_OR_BOTH_INT(a,b,size) + 1));
+
+function MINUS_LEFT_PTR(a:int, a_size:int, b:int) returns (int);
+axiom(forall a:int, a_size:int, b:int :: {MINUS_LEFT_PTR(a,a_size,b)} MINUS_LEFT_PTR(a,a_size,b) == a - a_size * b);
+
+function PLUS(a:int, a_size:int, b:int) returns (int);
+axiom(forall a:int, a_size:int, b:int :: {PLUS(a,a_size,b)} PLUS(a,a_size,b) == a + a_size * b);
+
+function MULT(a:int, b:int) returns (int); // a*b
+axiom(forall a:int, b:int :: {MULT(a,b)} MULT(a,b) == a * b);
+
+function DIV(a:int, b:int) returns (int); // a/b
+
+axiom(forall a:int, b:int :: {DIV(a,b)}
+a >= 0 && b > 0 ==> b * DIV(a,b) <= a && a < b * (DIV(a,b) + 1)
+);
+
+axiom(forall a:int, b:int :: {DIV(a,b)}
+a >= 0 && b < 0 ==> b * DIV(a,b) <= a && a < b * (DIV(a,b) - 1)
+);
+
+axiom(forall a:int, b:int :: {DIV(a,b)}
+a < 0 && b > 0 ==> b * DIV(a,b) >= a && a > b * (DIV(a,b) - 1)
+);
+
+axiom(forall a:int, b:int :: {DIV(a,b)}
+a < 0 && b < 0 ==> b * DIV(a,b) >= a && a > b * (DIV(a,b) + 1)
+);
+
+function BINARY_BOTH_INT(a:int, b:int) returns (int);
+/*
+function POW2(a:int) returns (bool);
+axiom POW2(1);
+axiom POW2(2);
+axiom POW2(4);
+axiom POW2(8);
+axiom POW2(16);
+axiom POW2(32);
+axiom POW2(64);
+axiom POW2(128);
+axiom POW2(256);
+axiom POW2(512);
+axiom POW2(1024);
+axiom POW2(2048);
+axiom POW2(4096);
+axiom POW2(8192);
+axiom POW2(16384);
+axiom POW2(32768);
+axiom POW2(65536);
+axiom POW2(131072);
+axiom POW2(262144);
+axiom POW2(524288);
+axiom POW2(1048576);
+axiom POW2(2097152);
+axiom POW2(4194304);
+axiom POW2(8388608);
+axiom POW2(16777216);
+axiom POW2(33554432);
+*/
+function LIFT(a:bool) returns (int);
+axiom(forall a:bool :: {LIFT(a)} a <==> LIFT(a) != 0);
+
+function NOT(a:int) returns (int);
+axiom(forall a:int :: {NOT(a)} a == 0 ==> NOT(a) != 0);
+axiom(forall a:int :: {NOT(a)} a != 0 ==> NOT(a) == 0);
+
+function NULL_CHECK(a:int) returns (int);
+axiom(forall a:int :: {NULL_CHECK(a)} a == 0 ==> NULL_CHECK(a) != 0);
+axiom(forall a:int :: {NULL_CHECK(a)} a != 0 ==> NULL_CHECK(a) == 0);
+
+const unique g : int;
+axiom(g != 0);
+
+
+procedure main ( ) returns ($result.main$11.5$1$:int)
+
+//TAG: requires __objectOf(g) != 0
+requires(Base(g) != 0);
+
+//TAG: requires __allocated(g)
+requires(alloc[Base(g)] == ALLOCATED);
+
+//TAG: requires __allocated(g + 55)
+requires(alloc[Base(PLUS(g, 4, 55))] == ALLOCATED);
+
+//TAG: Type Safety Precondition
+requires(forall a:int :: {Mem[Field(a)][a]} HasType(Mem[Field(a)][a], Field(a)));
+requires(HasType(g, PA100INT4_name));
+
+{
+var p : int;
+
+assume(HasType(p, PINT4_name));
+p := PLUS(g, 4, 55) ;
+assert(HasType(p, PINT4_name));
+
+}
+
diff --git a/Test/z3api/boog2.bpl b/Test/z3api/boog2.bpl
new file mode 100644
index 00000000..74c05a28
--- /dev/null
+++ b/Test/z3api/boog2.bpl
@@ -0,0 +1,22 @@
+type Wicket;
+
+var favorite: Wicket;
+var hate: Wicket;
+
+procedure NewFavorite(p: Wicket);
+ modifies favorite ;
+
+ ensures favorite==p;
+
+implementation NewFavorite(l: Wicket) {
+ favorite:=l;
+}
+
+
+procedure Swap();
+ modifies favorite,hate;
+ ensures favorite==old(hate);
+
+implementation Swap() {
+ hate := favorite;
+} \ No newline at end of file
diff --git a/Test/z3api/boog20.bpl b/Test/z3api/boog20.bpl
new file mode 100644
index 00000000..fa714972
--- /dev/null
+++ b/Test/z3api/boog20.bpl
@@ -0,0 +1,17 @@
+
+function PLUS(int, int, int) returns (int);
+function Rep(int, int) returns (int);
+
+//PLUS(a,b,z)
+// ERROR
+
+axiom(forall a:int, b:int, z:int :: Rep(a,b) == Rep(a,0));
+axiom(forall n:int, x:int :: {Rep(n,x)} (exists k:int :: Rep(n,x) == x));
+// END ERROR
+
+
+procedure main ( )
+{
+assert (PLUS(0, 4, 55)!=0);
+}
+
diff --git a/Test/z3api/boog21.bpl b/Test/z3api/boog21.bpl
new file mode 100644
index 00000000..1f4fa6dc
--- /dev/null
+++ b/Test/z3api/boog21.bpl
@@ -0,0 +1,17 @@
+
+function PLUS(int, int, int) returns (int);
+function Rep(int,int) returns (int);
+
+
+// ERROR
+
+axiom(forall a:int, b:int, z:int :: Rep(a,b) == PLUS(a,b,z ));
+axiom(forall n:int, x:int :: {Rep(n,x)} (exists k:int :: Rep(n,x) == x));
+// END ERROR
+
+
+procedure main ( )
+{
+assert (PLUS(0, 4, 55)!=0);
+}
+
diff --git a/Test/z3api/boog22.bpl b/Test/z3api/boog22.bpl
new file mode 100644
index 00000000..95e45849
--- /dev/null
+++ b/Test/z3api/boog22.bpl
@@ -0,0 +1,10 @@
+type W;
+
+function f1(W,int) returns (int);
+function f1(W,int,int) returns (int);
+
+procedure main()
+{
+ var w: W;
+ assert(f1(w,0)==f1(w,0,0));
+} \ No newline at end of file
diff --git a/Test/z3api/boog23.bpl b/Test/z3api/boog23.bpl
new file mode 100644
index 00000000..41c68790
--- /dev/null
+++ b/Test/z3api/boog23.bpl
@@ -0,0 +1,410 @@
+type byte;
+function OneByteToInt(byte) returns (int);
+function TwoBytesToInt(byte, byte) returns (int);
+function FourBytesToInt(byte, byte, byte, byte) returns (int);
+axiom(forall b0:byte, c0:byte :: {OneByteToInt(b0), OneByteToInt(c0)} OneByteToInt(b0) == OneByteToInt(c0) ==> b0 == c0);
+axiom(forall b0:byte, b1: byte, c0:byte, c1:byte :: {TwoBytesToInt(b0, b1), TwoBytesToInt(c0, c1)} TwoBytesToInt(b0, b1) == TwoBytesToInt(c0, c1) ==> b0 == c0 && b1 == c1);
+axiom(forall b0:byte, b1: byte, b2:byte, b3:byte, c0:byte, c1:byte, c2:byte, c3:byte :: {FourBytesToInt(b0, b1, b2, b3), FourBytesToInt(c0, c1, c2, c3)} FourBytesToInt(b0, b1, b2, b3) == FourBytesToInt(c0, c1, c2, c3) ==> b0 == c0 && b1 == c1 && b2 == c2 && b3 == c3);
+
+// Mutable
+var Mem_BYTE:[int]byte;
+var alloc:[int]name;
+
+
+function Field(int) returns (name);
+function Base(int) returns (int);
+
+// Constants
+const unique UNALLOCATED:name;
+const unique ALLOCATED: name;
+const unique FREED:name;
+
+const unique BYTE:name;
+
+function Equal([int]bool, [int]bool) returns (bool);
+function Subset([int]bool, [int]bool) returns (bool);
+function Disjoint([int]bool, [int]bool) returns (bool);
+
+function Empty() returns ([int]bool);
+function Singleton(int) returns ([int]bool);
+function Reachable([int,int]bool, int) returns ([int]bool);
+function Union([int]bool, [int]bool) returns ([int]bool);
+function Intersection([int]bool, [int]bool) returns ([int]bool);
+function Difference([int]bool, [int]bool) returns ([int]bool);
+function Dereference([int]bool, [int]int) returns ([int]bool);
+function Inverse(f:[int]int, x:int) returns ([int]bool);
+
+function AtLeast(int, int) returns ([int]bool);
+function Rep(int, int) returns (int);
+axiom(forall n:int, x:int, y:int :: {AtLeast(n,x)[y]} AtLeast(n,x)[y] ==> x <= y && Rep(n,x) == Rep(n,y));
+axiom(forall n:int, x:int, y:int :: {AtLeast(n,x),Rep(n,x),Rep(n,y)} x <= y && Rep(n,x) == Rep(n,y) ==> AtLeast(n,x)[y]);
+axiom(forall n:int, x:int :: {AtLeast(n,x)} AtLeast(n,x)[x]);
+axiom(forall n:int, x:int, z:int :: {PLUS(x,n,z)} Rep(n,x) == Rep(n,PLUS(x,n,z)));
+axiom(forall n:int, x:int :: {Rep(n,x)} (exists k:int :: Rep(n,x) - x == n*k));
+
+function Array(int, int, int) returns ([int]bool);
+axiom(forall x:int, n:int, z:int :: {Array(x,n,z)} z <= 0 ==> Equal(Array(x,n,z), Empty()));
+axiom(forall x:int, n:int, z:int :: {Array(x,n,z)} z > 0 ==> Equal(Array(x,n,z), Difference(AtLeast(n,x),AtLeast(n,PLUS(x,n,z)))));
+
+
+axiom(forall x:int :: !Empty()[x]);
+
+axiom(forall x:int, y:int :: {Singleton(y)[x]} Singleton(y)[x] <==> x == y);
+axiom(forall y:int :: {Singleton(y)} Singleton(y)[y]);
+
+/* this formulation of Union IS more complete than the earlier one */
+/* (A U B)[e], A[d], A U B = Singleton(c), d != e */
+axiom(forall x:int, S:[int]bool, T:[int]bool :: {Union(S,T)[x]} Union(S,T)[x] <==> S[x] || T[x]);
+axiom(forall x:int, S:[int]bool, T:[int]bool :: {Union(S,T), S[x]} S[x] ==> Union(S,T)[x]);
+axiom(forall x:int, S:[int]bool, T:[int]bool :: {Union(S,T), T[x]} T[x] ==> Union(S,T)[x]);
+
+axiom(forall x:int, S:[int]bool, T:[int]bool :: {Intersection(S,T)[x]} Intersection(S,T)[x] <==> S[x] && T[x]);
+axiom(forall x:int, S:[int]bool, T:[int]bool :: {Intersection(S,T), S[x]} S[x] && T[x] ==> Intersection(S,T)[x]);
+axiom(forall x:int, S:[int]bool, T:[int]bool :: {Intersection(S,T), T[x]} S[x] && T[x] ==> Intersection(S,T)[x]);
+
+axiom(forall x:int, S:[int]bool, T:[int]bool :: {Difference(S,T)[x]} Difference(S,T)[x] <==> S[x] && !T[x]);
+axiom(forall x:int, S:[int]bool, T:[int]bool :: {Difference(S,T), S[x]} S[x] ==> Difference(S,T)[x] || T[x]);
+
+axiom(forall x:int, S:[int]bool, M:[int]int :: {Dereference(S,M)[x]} Dereference(S,M)[x] ==> (exists y:int :: x == M[y] && S[y]));
+axiom(forall x:int, S:[int]bool, M:[int]int :: {M[x], S[x], Dereference(S,M)} S[x] ==> Dereference(S,M)[M[x]]);
+axiom(forall x:int, y:int, S:[int]bool, M:[int]int :: {Dereference(S,M[x := y])} !S[x] ==> Equal(Dereference(S,M[x := y]), Dereference(S,M)));
+axiom(forall x:int, y:int, S:[int]bool, M:[int]int :: {Dereference(S,M[x := y])}
+ S[x] && Equal(Intersection(Inverse(M,M[x]), S), Singleton(x)) ==> Equal(Dereference(S,M[x := y]), Union(Difference(Dereference(S,M), Singleton(M[x])), Singleton(y))));
+axiom(forall x:int, y:int, S:[int]bool, M:[int]int :: {Dereference(S,M[x := y])}
+ S[x] && !Equal(Intersection(Inverse(M,M[x]), S), Singleton(x)) ==> Equal(Dereference(S,M[x := y]), Union(Dereference(S,M), Singleton(y))));
+
+axiom(forall f:[int]int, x:int :: {Inverse(f,f[x])} Inverse(f,f[x])[x]);
+axiom(forall f:[int]int, x:int, y:int :: {Inverse(f[x := y],y)} Equal(Inverse(f[x := y],y), Union(Inverse(f,y), Singleton(x))));
+axiom(forall f:[int]int, x:int, y:int, z:int :: {Inverse(f[x := y],z)} y == z || Equal(Inverse(f[x := y],z), Difference(Inverse(f,z), Singleton(x))));
+
+axiom(forall S:[int]bool, T:[int]bool :: {Equal(S,T)} Equal(S,T) <==> Subset(S,T) && Subset(T,S));
+axiom(forall x:int, S:[int]bool, T:[int]bool :: {S[x], Subset(S,T)} S[x] && Subset(S,T) ==> T[x]);
+axiom(forall S:[int]bool, T:[int]bool :: {Subset(S,T)} Subset(S,T) || (exists x:int :: S[x] && !T[x]));
+axiom(forall x:int, S:[int]bool, T:[int]bool :: {S[x], Disjoint(S,T), T[x]} !(S[x] && Disjoint(S,T) && T[x]));
+axiom(forall S:[int]bool, T:[int]bool :: {Disjoint(S,T)} Disjoint(S,T) || (exists x:int :: S[x] && T[x]));
+
+function Unified([name][int]int) returns ([int]int);
+axiom(forall M:[name][int]int, x:int :: {Unified(M)[x]} Unified(M)[x] == M[Field(x)][x]);
+axiom(forall M:[name][int]int, x:int, y:int :: {Unified(M[Field(x) := M[Field(x)][x := y]])} Unified(M[Field(x) := M[Field(x)][x := y]]) == Unified(M)[x := y]);
+// Memory model
+
+var Mem: [name][int]int;
+
+function Match(a:int, t:name) returns (bool);
+function HasType(v:int, t:name) returns (bool);
+function Values(t:name) returns ([int]bool);
+
+axiom(forall v:int, t:name :: {Values(t)[v]} Values(t)[v] ==> HasType(v, t));
+axiom(forall v:int, t:name :: {HasType(v, t), Values(t)} HasType(v, t) ==> Values(t)[v]);
+
+// Field declarations
+
+
+// Type declarations
+
+const unique INT4_name:name;
+const unique PINT4_name:name;
+
+// Field definitions
+
+// Type definitions
+
+axiom(forall a:int :: {Match(a, INT4_name)}
+ Match(a, INT4_name) <==> Field(a) == INT4_name);
+axiom(forall v:int :: HasType(v, INT4_name));
+
+axiom(forall a:int :: {Match(a, PINT4_name)}
+ Match(a, PINT4_name) <==> Field(a) == PINT4_name);
+axiom(forall v:int :: {HasType(v, PINT4_name)} {Match(v, INT4_name)}
+ HasType(v, PINT4_name) <==> (v == 0 || (v > 0 && Match(v, INT4_name))));
+
+function MINUS_BOTH_PTR_OR_BOTH_INT(a:int, b:int, size:int) returns (int);
+axiom(forall a:int, b:int, size:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(a,b,size)}
+size * MINUS_BOTH_PTR_OR_BOTH_INT(a,b,size) <= a - b && a - b < size * (MINUS_BOTH_PTR_OR_BOTH_INT(a,b,size) + 1));
+
+function MINUS_LEFT_PTR(a:int, a_size:int, b:int) returns (int);
+axiom(forall a:int, a_size:int, b:int :: {MINUS_LEFT_PTR(a,a_size,b)} MINUS_LEFT_PTR(a,a_size,b) == a - a_size * b);
+
+function PLUS(a:int, a_size:int, b:int) returns (int);
+axiom(forall a:int, a_size:int, b:int :: {PLUS(a,a_size,b)} PLUS(a,a_size,b) == a + a_size * b);
+
+function MULT(a:int, b:int) returns (int); // a*b
+axiom(forall a:int, b:int :: {MULT(a,b)} MULT(a,b) == a * b);
+
+function DIV(a:int, b:int) returns (int); // a/b
+
+axiom(forall a:int, b:int :: {DIV(a,b)}
+a >= 0 && b > 0 ==> b * DIV(a,b) <= a && a < b * (DIV(a,b) + 1)
+);
+
+axiom(forall a:int, b:int :: {DIV(a,b)}
+a >= 0 && b < 0 ==> b * DIV(a,b) <= a && a < b * (DIV(a,b) - 1)
+);
+
+axiom(forall a:int, b:int :: {DIV(a,b)}
+a < 0 && b > 0 ==> b * DIV(a,b) >= a && a > b * (DIV(a,b) - 1)
+);
+
+axiom(forall a:int, b:int :: {DIV(a,b)}
+a < 0 && b < 0 ==> b * DIV(a,b) >= a && a > b * (DIV(a,b) + 1)
+);
+
+function BINARY_BOTH_INT(a:int, b:int) returns (int);
+
+function POW2(a:int) returns (bool);
+axiom POW2(1);
+axiom POW2(2);
+axiom POW2(4);
+axiom POW2(8);
+axiom POW2(16);
+axiom POW2(32);
+axiom POW2(64);
+axiom POW2(128);
+axiom POW2(256);
+axiom POW2(512);
+axiom POW2(1024);
+axiom POW2(2048);
+axiom POW2(4096);
+axiom POW2(8192);
+axiom POW2(16384);
+axiom POW2(32768);
+axiom POW2(65536);
+axiom POW2(131072);
+axiom POW2(262144);
+axiom POW2(524288);
+axiom POW2(1048576);
+axiom POW2(2097152);
+axiom POW2(4194304);
+axiom POW2(8388608);
+axiom POW2(16777216);
+axiom POW2(33554432);
+
+function choose(a:bool, b:int, c:int) returns (x:int);
+axiom(forall a:bool, b:int, c:int :: {choose(a,b,c)} a ==> choose(a,b,c) == b);
+axiom(forall a:bool, b:int, c:int :: {choose(a,b,c)} !a ==> choose(a,b,c) == c);
+
+function BIT_BAND(a:int, b:int) returns (x:int);
+axiom(forall a:int, b:int :: {BIT_BAND(a,b)} a == b ==> BIT_BAND(a,b) == a);
+axiom(forall a:int, b:int :: {BIT_BAND(a,b)} POW2(a) && POW2(b) && a != b ==> BIT_BAND(a,b) == 0);
+axiom(forall a:int, b:int :: {BIT_BAND(a,b)} a == 0 || b == 0 ==> BIT_BAND(a,b) == 0);
+
+function BIT_BOR(a:int, b:int) returns (x:int);
+
+function BIT_BXOR(a:int, b:int) returns (x:int);
+
+function BIT_BNOT(a:int) returns (int);
+
+function LIFT(a:bool) returns (int);
+axiom(forall a:bool :: {LIFT(a)} a <==> LIFT(a) != 0);
+
+function NOT(a:int) returns (int);
+axiom(forall a:int :: {NOT(a)} a == 0 ==> NOT(a) != 0);
+axiom(forall a:int :: {NOT(a)} a != 0 ==> NOT(a) == 0);
+
+function NULL_CHECK(a:int) returns (int);
+axiom(forall a:int :: {NULL_CHECK(a)} a == 0 ==> NULL_CHECK(a) != 0);
+axiom(forall a:int :: {NULL_CHECK(a)} a != 0 ==> NULL_CHECK(a) == 0);
+
+procedure nondet_choice() returns (x:int);
+
+
+procedure havoc_assert(i:int);
+requires (i != 0);
+
+procedure havoc_assume(i:int);
+ensures (i != 0);
+
+procedure __HAVOC_free(a:int);
+modifies alloc;
+ensures (forall x:int :: {alloc[x]} x == a || old(alloc)[x] == alloc[x]);
+ensures (alloc[a] == FREED);
+// Additional checks guarded by tranlator flags
+// requires alloc[a] == ALLOCATED;
+// requires Base(a) == a;
+
+procedure __HAVOC_malloc(obj_size:int) returns (new:int);
+requires obj_size >= 0;
+modifies alloc;
+ensures (new > 0);
+ensures (forall x:int :: {Base(x)} new <= x && x < new+obj_size ==> Base(x) == new);
+ensures (forall x:int :: {alloc[x]} x == new || old(alloc)[x] == alloc[x]);
+ensures old(alloc)[new] == UNALLOCATED && alloc[new] == ALLOCATED;
+
+procedure _strdup(str:int) returns (new:int);
+
+procedure _xstrcasecmp(a0:int, a1:int) returns (ret:int);
+
+procedure _xstrcmp(a0:int, a1:int) returns (ret:int);
+
+
+
+
+
+procedure main ( ) returns ($result.main$3.5$1$:int)
+
+modifies alloc;
+//TAG: no freed locations
+ensures(forall f:int :: {alloc[Base(f)]} old(alloc)[Base(f)] == UNALLOCATED || old(alloc)[Base(f)] == alloc[Base(f)]);
+
+modifies Mem;
+//TAG: no updated memory locations
+ensures(forall f: name, m:int :: {Mem[f][m]} Mem[f][m] == old(Mem[f])[m]);
+free ensures(Mem[Field(0)][0] == old(Mem[Field(0)])[0]);
+
+//TAG: Type Safety Precondition
+requires(forall a:int :: {Mem[Field(a)][a]} HasType(Mem[Field(a)][a], Field(a)));
+//TAG: Type Safety Postcondition
+ensures(forall a:int :: {Mem[Field(a)][a]} HasType(Mem[Field(a)][a], Field(a)));
+ensures(HasType($result.main$3.5$1$, INT4_name));
+{
+var havoc_stringTemp:int;
+var condVal:int;
+var $a$1$4.6$main : int;
+var b : int;
+var c : int;
+var flag : int;
+var tempBoogie0:int;
+var tempBoogie1:int;
+var tempBoogie2:int;
+var tempBoogie3:int;
+var tempBoogie4:int;
+var tempBoogie5:int;
+var tempBoogie6:int;
+var tempBoogie7:int;
+var tempBoogie8:int;
+var tempBoogie9:int;
+var tempBoogie10:int;
+var tempBoogie11:int;
+var tempBoogie12:int;
+var tempBoogie13:int;
+var tempBoogie14:int;
+var tempBoogie15:int;
+var tempBoogie16:int;
+var tempBoogie17:int;
+var tempBoogie18:int;
+var tempBoogie19:int;
+
+
+start:
+
+assume(HasType($a$1$4.6$main, INT4_name));
+assume(HasType(b, INT4_name));
+assume(HasType(c, INT4_name));
+assume(HasType(flag, INT4_name));
+assume(HasType($result.main$3.5$1$, INT4_name));
+goto label_3;
+
+
+// c:\espmain1\esp\tests\hvregr\split_memory\014\bool_vals_gt.c(20)
+label_1:
+assume (forall m:int :: {Mem[Field(m)][m]} alloc[Base(m)] != ALLOCATED && old(alloc)[Base(m)] != ALLOCATED ==> Mem[Field(m)][m] == old(Mem[Field(m)])[m]);
+return;
+
+
+// c:\espmain1\esp\tests\hvregr\split_memory\014\bool_vals_gt.c(20)
+label_2:
+assume false;
+return;
+
+
+// c:\espmain1\esp\tests\hvregr\split_memory\014\bool_vals_gt.c(4)
+label_3:
+goto label_4;
+
+
+// c:\espmain1\esp\tests\hvregr\split_memory\014\bool_vals_gt.c(4)
+label_4:
+goto label_5;
+
+
+// c:\espmain1\esp\tests\hvregr\split_memory\014\bool_vals_gt.c(4)
+label_5:
+goto label_6;
+
+
+// c:\espmain1\esp\tests\hvregr\split_memory\014\bool_vals_gt.c(5)
+label_6:
+goto label_7;
+
+
+// c:\espmain1\esp\tests\hvregr\split_memory\014\bool_vals_gt.c(7)
+label_7:
+c := LIFT(b < $a$1$4.6$main) ;
+//TAG: Type Safety Assertion
+assert(forall a:int :: {Mem[Field(a)][a]} HasType(Mem[Field(a)][a], Field(a)));
+assert(HasType($a$1$4.6$main, INT4_name));
+assert(HasType(b, INT4_name));
+assert(HasType(c, INT4_name));
+assert(HasType(flag, INT4_name));
+goto label_8;
+
+
+// c:\espmain1\esp\tests\hvregr\split_memory\014\bool_vals_gt.c(9)
+label_8:
+goto label_8_true , label_8_false ;
+
+
+label_8_true :
+assume (c != 0);
+goto label_10;
+
+
+label_8_false :
+assume (c == 0);
+goto label_9;
+
+
+// c:\espmain1\esp\tests\hvregr\split_memory\014\bool_vals_gt.c(12)
+label_9:
+flag := 0 ;
+//TAG: Type Safety Assertion
+assert(forall a:int :: {Mem[Field(a)][a]} HasType(Mem[Field(a)][a], Field(a)));
+assert(HasType($a$1$4.6$main, INT4_name));
+assert(HasType(b, INT4_name));
+assert(HasType(c, INT4_name));
+assert(HasType(flag, INT4_name));
+goto label_11;
+
+
+// c:\espmain1\esp\tests\hvregr\split_memory\014\bool_vals_gt.c(10)
+label_10:
+flag := 1 ;
+//TAG: Type Safety Assertion
+assert(forall a:int :: {Mem[Field(a)][a]} HasType(Mem[Field(a)][a], Field(a)));
+assert(HasType($a$1$4.6$main, INT4_name));
+assert(HasType(b, INT4_name));
+assert(HasType(c, INT4_name));
+assert(HasType(flag, INT4_name));
+goto label_11;
+
+
+// c:\espmain1\esp\tests\hvregr\split_memory\014\bool_vals_gt.c(15)
+label_11:
+goto label_11_true , label_11_false ;
+
+
+label_11_true :
+assume (b < $a$1$4.6$main);
+goto label_13;
+
+
+label_11_false :
+assume !(b < $a$1$4.6$main);
+goto label_12;
+
+
+// c:\espmain1\esp\tests\hvregr\split_memory\014\bool_vals_gt.c(18)
+label_12:
+//TAG: flag == 0
+assert (flag == 0);
+goto label_1;
+
+
+// c:\espmain1\esp\tests\hvregr\split_memory\014\bool_vals_gt.c(16)
+label_13:
+//TAG: flag == 1
+assert (flag == 1);
+goto label_1;
+
+}
+
diff --git a/Test/z3api/boog25.bpl b/Test/z3api/boog25.bpl
new file mode 100644
index 00000000..0a8b5e92
--- /dev/null
+++ b/Test/z3api/boog25.bpl
@@ -0,0 +1,282 @@
+type byte;
+function OneByteToInt(byte) returns (int);
+function TwoBytesToInt(byte, byte) returns (int);
+function FourBytesToInt(byte, byte, byte, byte) returns (int);
+axiom(forall b0:byte, c0:byte :: {OneByteToInt(b0), OneByteToInt(c0)} OneByteToInt(b0) == OneByteToInt(c0) ==> b0 == c0);
+axiom(forall b0:byte, b1: byte, c0:byte, c1:byte :: {TwoBytesToInt(b0, b1), TwoBytesToInt(c0, c1)} TwoBytesToInt(b0, b1) == TwoBytesToInt(c0, c1) ==> b0 == c0 && b1 == c1);
+axiom(forall b0:byte, b1: byte, b2:byte, b3:byte, c0:byte, c1:byte, c2:byte, c3:byte :: {FourBytesToInt(b0, b1, b2, b3), FourBytesToInt(c0, c1, c2, c3)} FourBytesToInt(b0, b1, b2, b3) == FourBytesToInt(c0, c1, c2, c3) ==> b0 == c0 && b1 == c1 && b2 == c2 && b3 == c3);
+
+// Mutable
+var Mem_BYTE:[int]byte;
+var alloc:[int]name;
+
+
+function Field(int) returns (name);
+function Base(int) returns (int);
+
+// Constants
+const unique UNALLOCATED:name;
+const unique ALLOCATED: name;
+const unique FREED:name;
+
+const unique BYTE:name;
+
+function Equal([int]bool, [int]bool) returns (bool);
+function Subset([int]bool, [int]bool) returns (bool);
+function Disjoint([int]bool, [int]bool) returns (bool);
+
+function Empty() returns ([int]bool);
+function Singleton(int) returns ([int]bool);
+function Reachable([int,int]bool, int) returns ([int]bool);
+function Union([int]bool, [int]bool) returns ([int]bool);
+function Intersection([int]bool, [int]bool) returns ([int]bool);
+function Difference([int]bool, [int]bool) returns ([int]bool);
+function Dereference([int]bool, [int]int) returns ([int]bool);
+function Inverse(f:[int]int, x:int) returns ([int]bool);
+
+function AtLeast(int, int) returns ([int]bool);
+function Rep(int, int) returns (int);
+axiom(forall n:int, x:int, y:int :: {AtLeast(n,x)[y]} AtLeast(n,x)[y] ==> x <= y && Rep(n,x) == Rep(n,y));
+axiom(forall n:int, x:int, y:int :: {AtLeast(n,x),Rep(n,x),Rep(n,y)} x <= y && Rep(n,x) == Rep(n,y) ==> AtLeast(n,x)[y]);
+axiom(forall n:int, x:int :: {AtLeast(n,x)} AtLeast(n,x)[x]);
+axiom(forall n:int, x:int, z:int :: {PLUS(x,n,z)} Rep(n,x) == Rep(n,PLUS(x,n,z)));
+axiom(forall n:int, x:int :: {Rep(n,x)} (exists k:int :: Rep(n,x) - x == n*k));
+
+/*
+function AtLeast(int, int) returns ([int]bool);
+function ModEqual(int, int, int) returns (bool);
+axiom(forall n:int, x:int :: ModEqual(n,x,x));
+axiom(forall n:int, x:int, y:int :: {ModEqual(n,x,y)} ModEqual(n,x,y) ==> ModEqual(n,y,x));
+axiom(forall n:int, x:int, y:int, z:int :: {ModEqual(n,x,y), ModEqual(n,y,z)} ModEqual(n,x,y) && ModEqual(n,y,z) ==> ModEqual(n,x,z));
+axiom(forall n:int, x:int, z:int :: {PLUS(x,n,z)} ModEqual(n,x,PLUS(x,n,z)));
+axiom(forall n:int, x:int, y:int :: {ModEqual(n,x,y)} ModEqual(n,x,y) ==> (exists k:int :: x - y == n*k));
+axiom(forall x:int, n:int, y:int :: {AtLeast(n,x)[y]}{ModEqual(n,x,y)} AtLeast(n,x)[y] <==> x <= y && ModEqual(n,x,y));
+axiom(forall x:int, n:int :: {AtLeast(n,x)} AtLeast(n,x)[x]);
+*/
+
+function Array(int, int, int) returns ([int]bool);
+axiom(forall x:int, n:int, z:int :: {Array(x,n,z)} z <= 0 ==> Equal(Array(x,n,z), Empty()));
+axiom(forall x:int, n:int, z:int :: {Array(x,n,z)} z > 0 ==> Equal(Array(x,n,z), Difference(AtLeast(n,x),AtLeast(n,PLUS(x,n,z)))));
+
+
+axiom(forall x:int :: !Empty()[x]);
+
+axiom(forall x:int, y:int :: {Singleton(y)[x]} Singleton(y)[x] <==> x == y);
+axiom(forall y:int :: {Singleton(y)} Singleton(y)[y]);
+
+/* this formulation of Union IS more complete than the earlier one */
+/* (A U B)[e], A[d], A U B = Singleton(c), d != e */
+axiom(forall x:int, S:[int]bool, T:[int]bool :: {Union(S,T)[x]} Union(S,T)[x] <==> S[x] || T[x]);
+axiom(forall x:int, S:[int]bool, T:[int]bool :: {Union(S,T), S[x]} S[x] ==> Union(S,T)[x]);
+axiom(forall x:int, S:[int]bool, T:[int]bool :: {Union(S,T), T[x]} T[x] ==> Union(S,T)[x]);
+
+axiom(forall x:int, S:[int]bool, T:[int]bool :: {Intersection(S,T)[x]} Intersection(S,T)[x] <==> S[x] && T[x]);
+axiom(forall x:int, S:[int]bool, T:[int]bool :: {Intersection(S,T), S[x]} S[x] && T[x] ==> Intersection(S,T)[x]);
+axiom(forall x:int, S:[int]bool, T:[int]bool :: {Intersection(S,T), T[x]} S[x] && T[x] ==> Intersection(S,T)[x]);
+
+axiom(forall x:int, S:[int]bool, T:[int]bool :: {Difference(S,T)[x]} Difference(S,T)[x] <==> S[x] && !T[x]);
+axiom(forall x:int, S:[int]bool, T:[int]bool :: {Difference(S,T), S[x]} S[x] ==> Difference(S,T)[x] || T[x]);
+
+axiom(forall x:int, S:[int]bool, M:[int]int :: {Dereference(S,M)[x]} Dereference(S,M)[x] ==> (exists y:int :: x == M[y] && S[y]));
+axiom(forall x:int, S:[int]bool, M:[int]int :: {M[x], S[x], Dereference(S,M)} S[x] ==> Dereference(S,M)[M[x]]);
+axiom(forall x:int, y:int, S:[int]bool, M:[int]int :: {Dereference(S,M[x := y])} !S[x] ==> Equal(Dereference(S,M[x := y]), Dereference(S,M)));
+axiom(forall x:int, y:int, S:[int]bool, M:[int]int :: {Dereference(S,M[x := y])}
+ S[x] && Equal(Intersection(Inverse(M,M[x]), S), Singleton(x)) ==> Equal(Dereference(S,M[x := y]), Union(Difference(Dereference(S,M), Singleton(M[x])), Singleton(y))));
+axiom(forall x:int, y:int, S:[int]bool, M:[int]int :: {Dereference(S,M[x := y])}
+ S[x] && !Equal(Intersection(Inverse(M,M[x]), S), Singleton(x)) ==> Equal(Dereference(S,M[x := y]), Union(Dereference(S,M), Singleton(y))));
+
+axiom(forall f:[int]int, x:int :: {Inverse(f,f[x])} Inverse(f,f[x])[x]);
+axiom(forall f:[int]int, x:int, y:int :: {Inverse(f[x := y],y)} Equal(Inverse(f[x := y],y), Union(Inverse(f,y), Singleton(x))));
+axiom(forall f:[int]int, x:int, y:int, z:int :: {Inverse(f[x := y],z)} y == z || Equal(Inverse(f[x := y],z), Difference(Inverse(f,z), Singleton(x))));
+
+axiom(forall S:[int]bool, T:[int]bool :: {Equal(S,T)} Equal(S,T) <==> Subset(S,T) && Subset(T,S));
+axiom(forall x:int, S:[int]bool, T:[int]bool :: {S[x], Subset(S,T)} S[x] && Subset(S,T) ==> T[x]);
+axiom(forall S:[int]bool, T:[int]bool :: {Subset(S,T)} Subset(S,T) || (exists x:int :: S[x] && !T[x]));
+axiom(forall x:int, S:[int]bool, T:[int]bool :: {S[x], Disjoint(S,T), T[x]} !(S[x] && Disjoint(S,T) && T[x]));
+axiom(forall S:[int]bool, T:[int]bool :: {Disjoint(S,T)} Disjoint(S,T) || (exists x:int :: S[x] && T[x]));
+
+function Unified([name][int]int) returns ([int]int);
+axiom(forall M:[name][int]int, x:int :: {Unified(M)[x]} Unified(M)[x] == M[Field(x)][x]);
+axiom(forall M:[name][int]int, x:int, y:int :: {Unified(M[Field(x) := M[Field(x)][x := y]])} Unified(M[Field(x) := M[Field(x)][x := y]]) == Unified(M)[x := y]);
+// Memory model
+
+var Mem: [name][int]int;
+
+function Match(a:int, t:name) returns (bool);
+function HasType(v:int, t:name) returns (bool);
+function Values(t:name) returns ([int]bool);
+
+axiom(forall v:int, t:name :: {Values(t)[v]} Values(t)[v] ==> HasType(v, t));
+axiom(forall v:int, t:name :: {HasType(v, t), Values(t)} HasType(v, t) ==> Values(t)[v]);
+
+// Field declarations
+
+
+// Type declarations
+
+const unique INT4_name:name;
+const unique PINT4_name:name;
+
+// Field definitions
+
+// Type definitions
+
+axiom(forall a:int :: {Match(a, INT4_name)}
+ Match(a, INT4_name) <==> Field(a) == INT4_name);
+axiom(forall v:int :: HasType(v, INT4_name));
+
+axiom(forall a:int :: {Match(a, PINT4_name)}
+ Match(a, PINT4_name) <==> Field(a) == PINT4_name);
+axiom(forall v:int :: {HasType(v, PINT4_name)} {Match(v, INT4_name)}
+ HasType(v, PINT4_name) <==> (v == 0 || (v > 0 && Match(v, INT4_name))));
+
+function MINUS_BOTH_PTR_OR_BOTH_INT(a:int, b:int, size:int) returns (int);
+axiom(forall a:int, b:int, size:int :: {MINUS_BOTH_PTR_OR_BOTH_INT(a,b,size)}
+size * MINUS_BOTH_PTR_OR_BOTH_INT(a,b,size) <= a - b && a - b < size * (MINUS_BOTH_PTR_OR_BOTH_INT(a,b,size) + 1));
+
+function MINUS_LEFT_PTR(a:int, a_size:int, b:int) returns (int);
+axiom(forall a:int, a_size:int, b:int :: {MINUS_LEFT_PTR(a,a_size,b)} MINUS_LEFT_PTR(a,a_size,b) == a - a_size * b);
+
+function PLUS(a:int, a_size:int, b:int) returns (int);
+axiom(forall a:int, a_size:int, b:int :: {PLUS(a,a_size,b)} PLUS(a,a_size,b) == a + a_size * b);
+
+function MULT(a:int, b:int) returns (int); // a*b
+axiom(forall a:int, b:int :: {MULT(a,b)} MULT(a,b) == a * b);
+
+function DIV(a:int, b:int) returns (int); // a/b
+
+axiom(forall a:int, b:int :: {DIV(a,b)}
+a >= 0 && b > 0 ==> b * DIV(a,b) <= a && a < b * (DIV(a,b) + 1)
+);
+
+axiom(forall a:int, b:int :: {DIV(a,b)}
+a >= 0 && b < 0 ==> b * DIV(a,b) <= a && a < b * (DIV(a,b) - 1)
+);
+
+axiom(forall a:int, b:int :: {DIV(a,b)}
+a < 0 && b > 0 ==> b * DIV(a,b) >= a && a > b * (DIV(a,b) - 1)
+);
+
+axiom(forall a:int, b:int :: {DIV(a,b)}
+a < 0 && b < 0 ==> b * DIV(a,b) >= a && a > b * (DIV(a,b) + 1)
+);
+
+function BINARY_BOTH_INT(a:int, b:int) returns (int);
+
+function POW2(a:int) returns (bool);
+axiom POW2(1);
+axiom POW2(2);
+axiom POW2(4);
+axiom POW2(8);
+axiom POW2(16);
+axiom POW2(32);
+axiom POW2(64);
+axiom POW2(128);
+axiom POW2(256);
+axiom POW2(512);
+axiom POW2(1024);
+axiom POW2(2048);
+axiom POW2(4096);
+axiom POW2(8192);
+axiom POW2(16384);
+axiom POW2(32768);
+axiom POW2(65536);
+axiom POW2(131072);
+axiom POW2(262144);
+axiom POW2(524288);
+axiom POW2(1048576);
+axiom POW2(2097152);
+axiom POW2(4194304);
+axiom POW2(8388608);
+axiom POW2(16777216);
+axiom POW2(33554432);
+
+function choose(a:bool, b:int, c:int) returns (x:int);
+axiom(forall a:bool, b:int, c:int :: {choose(a,b,c)} a ==> choose(a,b,c) == b);
+axiom(forall a:bool, b:int, c:int :: {choose(a,b,c)} !a ==> choose(a,b,c) == c);
+
+function BIT_BAND(a:int, b:int) returns (x:int);
+axiom(forall a:int, b:int :: {BIT_BAND(a,b)} a == b ==> BIT_BAND(a,b) == a);
+axiom(forall a:int, b:int :: {BIT_BAND(a,b)} POW2(a) && POW2(b) && a != b ==> BIT_BAND(a,b) == 0);
+axiom(forall a:int, b:int :: {BIT_BAND(a,b)} a == 0 || b == 0 ==> BIT_BAND(a,b) == 0);
+
+function BIT_BOR(a:int, b:int) returns (x:int);
+
+function BIT_BXOR(a:int, b:int) returns (x:int);
+
+function BIT_BNOT(a:int) returns (int);
+
+function LIFT(a:bool) returns (int);
+axiom(forall a:bool :: {LIFT(a)} a <==> LIFT(a) != 0);
+
+function NOT(a:int) returns (int);
+axiom(forall a:int :: {NOT(a)} a == 0 ==> NOT(a) != 0);
+axiom(forall a:int :: {NOT(a)} a != 0 ==> NOT(a) == 0);
+
+function NULL_CHECK(a:int) returns (int);
+axiom(forall a:int :: {NULL_CHECK(a)} a == 0 ==> NULL_CHECK(a) != 0);
+axiom(forall a:int :: {NULL_CHECK(a)} a != 0 ==> NULL_CHECK(a) == 0);
+
+procedure nondet_choice() returns (x:int);
+
+
+procedure havoc_assert(i:int);
+requires (i != 0);
+
+procedure havoc_assume(i:int);
+ensures (i != 0);
+
+procedure __HAVOC_free(a:int);
+modifies alloc;
+ensures (forall x:int :: {alloc[x]} x == a || old(alloc)[x] == alloc[x]);
+ensures (alloc[a] == FREED);
+// Additional checks guarded by tranlator flags
+// requires alloc[a] == ALLOCATED;
+// requires Base(a) == a;
+
+procedure __HAVOC_malloc(obj_size:int) returns (new:int);
+requires obj_size >= 0;
+modifies alloc;
+ensures (new > 0);
+ensures (forall x:int :: {Base(x)} new <= x && x < new+obj_size ==> Base(x) == new);
+ensures (forall x:int :: {alloc[x]} x == new || old(alloc)[x] == alloc[x]);
+ensures old(alloc)[new] == UNALLOCATED && alloc[new] == ALLOCATED;
+
+procedure _strdup(str:int) returns (new:int);
+
+procedure _xstrcasecmp(a0:int, a1:int) returns (ret:int);
+
+procedure _xstrcmp(a0:int, a1:int) returns (ret:int);
+
+
+
+
+
+procedure main ( ) returns ($result.main$3.5$1$:int)
+
+modifies alloc;
+//TAG: no freed locations
+ensures(forall f:int :: {alloc[Base(f)]} old(alloc)[Base(f)] == UNALLOCATED || old(alloc)[Base(f)] == alloc[Base(f)]);
+
+modifies Mem;
+//TAG: no updated memory locations
+ensures(forall f: name, m:int :: {Mem[f][m]} Mem[f][m] == old(Mem[f])[m]);
+free ensures(Mem[Field(0)][0] == old(Mem[Field(0)])[0]);
+
+//TAG: Type Safety Precondition
+requires(forall a:int :: {Mem[Field(a)][a]} HasType(Mem[Field(a)][a], Field(a)));
+//TAG: Type Safety Postcondition
+ensures(forall a:int :: {Mem[Field(a)][a]} HasType(Mem[Field(a)][a], Field(a)));
+ensures(HasType($result.main$3.5$1$, INT4_name));
+{
+
+var a : int;
+var b : int;
+var c : int;
+
+c := LIFT (b < a) ;
+assert (c != 0 <==> b < a);
+
+
+}
+
diff --git a/Test/z3api/boog28.bpl b/Test/z3api/boog28.bpl
new file mode 100644
index 00000000..989dbf75
--- /dev/null
+++ b/Test/z3api/boog28.bpl
@@ -0,0 +1,16 @@
+
+function LIFT(x:bool) returns (int);
+axiom(forall x:bool :: {LIFT(x)} x <==> LIFT(x) != 0);
+
+procedure main ( )
+
+{
+var a : int;
+var b : int;
+var c : int;
+
+c := LIFT (b == a) ;
+assert (c != 0 <==> b == a);
+
+}
+
diff --git a/Test/z3api/boog29.bpl b/Test/z3api/boog29.bpl
new file mode 100644
index 00000000..8a97944d
--- /dev/null
+++ b/Test/z3api/boog29.bpl
@@ -0,0 +1,19 @@
+
+function LIFT(x:bool) returns (int);
+axiom(forall x:bool :: {LIFT(x)} x <==> LIFT(x) != 0);
+
+procedure main ( )
+
+{
+var c: int;
+c := LIFT(false);
+assert (c==0);
+
+c := LIFT(true);
+assert (c!=0);
+/*
+c := LIFT(1==5);
+assert (c==0);
+*/
+}
+
diff --git a/Test/z3api/boog3.bpl b/Test/z3api/boog3.bpl
new file mode 100644
index 00000000..9e04ac5b
--- /dev/null
+++ b/Test/z3api/boog3.bpl
@@ -0,0 +1,7 @@
+type Wicket;
+
+procedure Dummy();
+implementation Dummy() {
+ var x: Wicket;
+ assert (x!=x);
+} \ No newline at end of file
diff --git a/Test/z3api/boog30.bpl b/Test/z3api/boog30.bpl
new file mode 100644
index 00000000..ae682156
--- /dev/null
+++ b/Test/z3api/boog30.bpl
@@ -0,0 +1,13 @@
+
+function LIFT(x:bool) returns (int);
+axiom(forall x:bool :: {LIFT(x)} x <==> LIFT(x) != 0);
+
+procedure main ( )
+
+{
+var c: int;
+
+c := LIFT(1==5);
+assert (c==0);
+}
+
diff --git a/Test/z3api/boog31.bpl b/Test/z3api/boog31.bpl
new file mode 100644
index 00000000..219effce
--- /dev/null
+++ b/Test/z3api/boog31.bpl
@@ -0,0 +1,14 @@
+
+const b1:bool;
+const b2:bool;
+const b3:bool;
+
+axiom (b1==true && b2==false && b3==true);
+
+procedure main ( )
+
+{
+var c: int;
+assert (c==0);
+}
+
diff --git a/Test/z3api/boog34.bpl b/Test/z3api/boog34.bpl
new file mode 100644
index 00000000..62e7e82b
--- /dev/null
+++ b/Test/z3api/boog34.bpl
@@ -0,0 +1,10 @@
+
+function Rep(int, int) returns (int);
+axiom(forall n:int, x:int :: {Rep(n,x)}
+ (exists k:int :: Rep(n,x) - x == n*k));
+
+procedure main(x:int)
+{
+assert((Rep(0,x)==x));
+return;
+} \ No newline at end of file
diff --git a/Test/z3api/boog4.bpl b/Test/z3api/boog4.bpl
new file mode 100644
index 00000000..46eda549
--- /dev/null
+++ b/Test/z3api/boog4.bpl
@@ -0,0 +1,40 @@
+type Wicket;
+
+const w: Wicket;
+const myBool: bool;
+const v: Wicket;
+
+var favorite: Wicket;
+
+function age(Wicket) returns (int);
+
+axiom age(w)==7;
+axiom 7 < 8;
+axiom 7 <= 8;
+axiom 8 > 7;
+axiom 8 >= 7;
+axiom 6 != 7;
+axiom 7+1==8;
+axiom 8-1==7;
+axiom 7/1==7;
+axiom 7%2==1;
+axiom 4*2==8;
+axiom ((7==7) || (8==8));
+axiom ((7==7) ==> (7<8));
+axiom ((7==7) <==> (10==10));
+axiom ((7==7) && (8==8));
+
+axiom 7!=7;
+
+
+procedure NewFavorite(p: Wicket);
+ modifies favorite ;
+
+ ensures favorite==p;
+
+implementation NewFavorite(l: Wicket) {
+ favorite:=l;
+}
+
+
+
diff --git a/Test/z3api/boog5.bpl b/Test/z3api/boog5.bpl
new file mode 100644
index 00000000..0db94bba
--- /dev/null
+++ b/Test/z3api/boog5.bpl
@@ -0,0 +1,40 @@
+// types
+type Wicket;
+
+// consts
+const w: Wicket;
+const myBool: bool;
+const v: Wicket;
+const u: Wicket;
+const x: Wicket;
+
+
+// vars
+var favorite: Wicket;
+
+// functions
+function age(Wicket) returns (int);
+
+// axioms
+axiom age(w)==6;
+axiom age(u)==5;
+axiom age(x)==4;
+
+
+// procedure
+procedure SetToSeven(p: Wicket);
+ modifies favorite ;
+
+ ensures favorite==p;
+
+implementation SetToSeven(l: Wicket) {
+ if (age(w)==7) {
+ favorite:=l;
+ } else {
+ favorite:=v;
+ }
+
+}
+
+
+
diff --git a/Test/z3api/boog6.bpl b/Test/z3api/boog6.bpl
new file mode 100644
index 00000000..55c1dc7e
--- /dev/null
+++ b/Test/z3api/boog6.bpl
@@ -0,0 +1,22 @@
+// types
+type Wicket;
+
+// consts
+var favorite: Wicket;
+
+// axioms
+const b: bool;
+axiom b==true;
+
+// procedure
+procedure SetToSeven(p: Wicket);
+ modifies favorite ;
+
+ ensures favorite==p;
+
+implementation SetToSeven(l: Wicket) {
+ favorite:=l;
+}
+
+
+
diff --git a/Test/z3api/boog7.bpl b/Test/z3api/boog7.bpl
new file mode 100644
index 00000000..36f952d1
--- /dev/null
+++ b/Test/z3api/boog7.bpl
@@ -0,0 +1,19 @@
+// consts
+const w: int;
+
+
+// vars
+var favorite: int;
+
+// procedure
+procedure SetToSeven(p: int);
+ modifies favorite ;
+
+ ensures favorite==p;
+
+implementation SetToSeven(l: int) {
+ favorite:=w;
+}
+
+
+
diff --git a/Test/z3api/boog8.bpl b/Test/z3api/boog8.bpl
new file mode 100644
index 00000000..0ac4f163
--- /dev/null
+++ b/Test/z3api/boog8.bpl
@@ -0,0 +1,24 @@
+// types
+type Wicket;
+var favorite: Wicket;
+
+
+const myBv: bv5;
+axiom myBv==1bv2++2bv3;
+
+const myBool: bool;
+axiom myBool==true;
+
+
+// procedure
+procedure SetToSeven(p: Wicket);
+ modifies favorite ;
+
+ ensures favorite==p;
+
+implementation SetToSeven(l: Wicket) {
+ favorite:=favorite;
+}
+
+
+
diff --git a/Test/z3api/boog9.bpl b/Test/z3api/boog9.bpl
new file mode 100644
index 00000000..55897a1d
--- /dev/null
+++ b/Test/z3api/boog9.bpl
@@ -0,0 +1,21 @@
+// types
+type Wicket;
+var favorite: Wicket;
+
+function age(w:Wicket) returns (int);
+axiom (forall v:Wicket :: age(v)==7);
+axiom (exists v:Wicket :: age(v)<8);
+
+
+// procedure
+procedure SetToSeven(p: Wicket);
+ modifies favorite ;
+
+ ensures favorite==p;
+
+implementation SetToSeven(l: Wicket) {
+ favorite:=favorite;
+}
+
+
+
diff --git a/Test/z3api/runtest.bat b/Test/z3api/runtest.bat
new file mode 100644
index 00000000..5daa36c0
--- /dev/null
+++ b/Test/z3api/runtest.bat
@@ -0,0 +1,10 @@
+@echo off
+setlocal
+
+set BGEXE=..\..\Binaries\Boogie.exe
+
+for %%f in (boog0.bpl boog1.bpl boog2.bpl boog3.bpl boog4.bpl boog5.bpl boog6.bpl boog7.bpl boog8.bpl boog9.bpl boog10.bpl boog11.bpl boog12.bpl boog13.bpl boog14.bpl boog15.bpl boog16.bpl boog17.bpl boog18.bpl boog19.bpl boog20.bpl boog21.bpl boog22.bpl boog23.bpl boog24.bpl boog25.bpl boog28.bpl boog29.bpl boog30.bpl boog31.bpl boog34.bpl) do (
+ echo.
+ echo -------------------- %%f --------------------
+ %BGEXE% %* /nologo /prover:z3api %%f
+)