(get-info :version) ; (:version "4.8.7") ; Started: 2022-09-01 14:37:53 ; Silicon.version: 1.1-SNAPSHOT (09888100+@(detached)) ; Input file: /home/bobe/PhD/students/Andrej Pistek (2022-06)/Ford-FulkersonAlgorithm/1.0-Lukas-tinker-2-minimized-array.vpr ; Verifier id: 00 ; ------------------------------------------------------------ ; Begin preamble ; ////////// Static preamble ; ; ; /z3config.smt2 (set-option :print-success true) ; Boogie: false (set-option :global-decls true) ; Boogie: default (set-option :auto_config false) ; Usually a good idea (set-option :smt.restart_strategy 0) (set-option :smt.restart_factor |1.5|) (set-option :smt.case_split 3) (set-option :smt.delay_units true) (set-option :smt.delay_units_threshold 16) (set-option :nnf.sk_hack true) (set-option :type_check true) (set-option :smt.bv.reflect true) (set-option :smt.mbqi false) (set-option :smt.qi.eager_threshold 100) (set-option :smt.qi.cost "(+ weight generation)") (set-option :smt.qi.max_multi_patterns 1000) (set-option :smt.phase_selection 0) ; default: 3, Boogie: 0 (set-option :sat.phase caching) (set-option :sat.random_seed 0) (set-option :nlsat.randomize true) (set-option :nlsat.seed 0) (set-option :nlsat.shuffle_vars false) (set-option :fp.spacer.order_children 0) ; Not available with Z3 4.5 (set-option :fp.spacer.random_seed 0) ; Not available with Z3 4.5 (set-option :smt.arith.random_initial_value true) ; Boogie: true (set-option :smt.random_seed 0) (set-option :sls.random_offset true) (set-option :sls.random_seed 0) (set-option :sls.restart_init false) (set-option :sls.walksat_ucb true) (set-option :model.v2 true) ; ; ; /preamble.smt2 (declare-datatypes (($Snap 0)) (( ($Snap.unit) ($Snap.combine ($Snap.first $Snap) ($Snap.second $Snap))))) (declare-sort $Ref 0) (declare-const $Ref.null $Ref) (declare-sort $FPM 0) (declare-sort $PPM 0) (define-sort $Perm () Real) (define-const $Perm.Write $Perm 1.0) (define-const $Perm.No $Perm 0.0) (define-fun $Perm.isValidVar ((p $Perm)) Bool (<= $Perm.No p)) (define-fun $Perm.isReadVar ((p $Perm)) Bool (and ($Perm.isValidVar p) (not (= p $Perm.No)))) (define-fun $Perm.min ((p1 $Perm) (p2 $Perm)) Real (ite (<= p1 p2) p1 p2)) (define-fun $Math.min ((a Int) (b Int)) Int (ite (<= a b) a b)) (define-fun $Math.clip ((a Int)) Int (ite (< a 0) 0 a)) ; ////////// Sorts (declare-sort Seq> 0) (declare-sort Seq 0) (declare-sort Set 0) (declare-sort Set 0) (declare-sort Set<$Ref> 0) (declare-sort Set<$Snap> 0) (declare-sort array 0) (declare-sort $FVF 0) (declare-sort $FVF<$Ref> 0) ; ////////// Sort wrappers ; Declaring additional sort wrappers (declare-fun $SortWrappers.IntTo$Snap (Int) $Snap) (declare-fun $SortWrappers.$SnapToInt ($Snap) Int) (assert (forall ((x Int)) (! (= x ($SortWrappers.$SnapToInt($SortWrappers.IntTo$Snap x))) :pattern (($SortWrappers.IntTo$Snap x)) :qid |$Snap.$SnapToIntTo$Snap| ))) (assert (forall ((x $Snap)) (! (= x ($SortWrappers.IntTo$Snap($SortWrappers.$SnapToInt x))) :pattern (($SortWrappers.$SnapToInt x)) :qid |$Snap.IntTo$SnapToInt| ))) (declare-fun $SortWrappers.BoolTo$Snap (Bool) $Snap) (declare-fun $SortWrappers.$SnapToBool ($Snap) Bool) (assert (forall ((x Bool)) (! (= x ($SortWrappers.$SnapToBool($SortWrappers.BoolTo$Snap x))) :pattern (($SortWrappers.BoolTo$Snap x)) :qid |$Snap.$SnapToBoolTo$Snap| ))) (assert (forall ((x $Snap)) (! (= x ($SortWrappers.BoolTo$Snap($SortWrappers.$SnapToBool x))) :pattern (($SortWrappers.$SnapToBool x)) :qid |$Snap.BoolTo$SnapToBool| ))) (declare-fun $SortWrappers.$RefTo$Snap ($Ref) $Snap) (declare-fun $SortWrappers.$SnapTo$Ref ($Snap) $Ref) (assert (forall ((x $Ref)) (! (= x ($SortWrappers.$SnapTo$Ref($SortWrappers.$RefTo$Snap x))) :pattern (($SortWrappers.$RefTo$Snap x)) :qid |$Snap.$SnapTo$RefTo$Snap| ))) (assert (forall ((x $Snap)) (! (= x ($SortWrappers.$RefTo$Snap($SortWrappers.$SnapTo$Ref x))) :pattern (($SortWrappers.$SnapTo$Ref x)) :qid |$Snap.$RefTo$SnapTo$Ref| ))) (declare-fun $SortWrappers.$PermTo$Snap ($Perm) $Snap) (declare-fun $SortWrappers.$SnapTo$Perm ($Snap) $Perm) (assert (forall ((x $Perm)) (! (= x ($SortWrappers.$SnapTo$Perm($SortWrappers.$PermTo$Snap x))) :pattern (($SortWrappers.$PermTo$Snap x)) :qid |$Snap.$SnapTo$PermTo$Snap| ))) (assert (forall ((x $Snap)) (! (= x ($SortWrappers.$PermTo$Snap($SortWrappers.$SnapTo$Perm x))) :pattern (($SortWrappers.$SnapTo$Perm x)) :qid |$Snap.$PermTo$SnapTo$Perm| ))) ; Declaring additional sort wrappers (declare-fun $SortWrappers.Seq>To$Snap (Seq>) $Snap) (declare-fun $SortWrappers.$SnapToSeq> ($Snap) Seq>) (assert (forall ((x Seq>)) (! (= x ($SortWrappers.$SnapToSeq>($SortWrappers.Seq>To$Snap x))) :pattern (($SortWrappers.Seq>To$Snap x)) :qid |$Snap.$SnapToSeq>To$Snap| ))) (assert (forall ((x $Snap)) (! (= x ($SortWrappers.Seq>To$Snap($SortWrappers.$SnapToSeq> x))) :pattern (($SortWrappers.$SnapToSeq> x)) :qid |$Snap.Seq>To$SnapToSeq>| ))) (declare-fun $SortWrappers.SeqTo$Snap (Seq) $Snap) (declare-fun $SortWrappers.$SnapToSeq ($Snap) Seq) (assert (forall ((x Seq)) (! (= x ($SortWrappers.$SnapToSeq($SortWrappers.SeqTo$Snap x))) :pattern (($SortWrappers.SeqTo$Snap x)) :qid |$Snap.$SnapToSeqTo$Snap| ))) (assert (forall ((x $Snap)) (! (= x ($SortWrappers.SeqTo$Snap($SortWrappers.$SnapToSeq x))) :pattern (($SortWrappers.$SnapToSeq x)) :qid |$Snap.SeqTo$SnapToSeq| ))) ; Declaring additional sort wrappers (declare-fun $SortWrappers.SetTo$Snap (Set) $Snap) (declare-fun $SortWrappers.$SnapToSet ($Snap) Set) (assert (forall ((x Set)) (! (= x ($SortWrappers.$SnapToSet($SortWrappers.SetTo$Snap x))) :pattern (($SortWrappers.SetTo$Snap x)) :qid |$Snap.$SnapToSetTo$Snap| ))) (assert (forall ((x $Snap)) (! (= x ($SortWrappers.SetTo$Snap($SortWrappers.$SnapToSet x))) :pattern (($SortWrappers.$SnapToSet x)) :qid |$Snap.SetTo$SnapToSet| ))) (declare-fun $SortWrappers.SetTo$Snap (Set) $Snap) (declare-fun $SortWrappers.$SnapToSet ($Snap) Set) (assert (forall ((x Set)) (! (= x ($SortWrappers.$SnapToSet($SortWrappers.SetTo$Snap x))) :pattern (($SortWrappers.SetTo$Snap x)) :qid |$Snap.$SnapToSetTo$Snap| ))) (assert (forall ((x $Snap)) (! (= x ($SortWrappers.SetTo$Snap($SortWrappers.$SnapToSet x))) :pattern (($SortWrappers.$SnapToSet x)) :qid |$Snap.SetTo$SnapToSet| ))) (declare-fun $SortWrappers.Set<$Ref>To$Snap (Set<$Ref>) $Snap) (declare-fun $SortWrappers.$SnapToSet<$Ref> ($Snap) Set<$Ref>) (assert (forall ((x Set<$Ref>)) (! (= x ($SortWrappers.$SnapToSet<$Ref>($SortWrappers.Set<$Ref>To$Snap x))) :pattern (($SortWrappers.Set<$Ref>To$Snap x)) :qid |$Snap.$SnapToSet<$Ref>To$Snap| ))) (assert (forall ((x $Snap)) (! (= x ($SortWrappers.Set<$Ref>To$Snap($SortWrappers.$SnapToSet<$Ref> x))) :pattern (($SortWrappers.$SnapToSet<$Ref> x)) :qid |$Snap.Set<$Ref>To$SnapToSet<$Ref>| ))) (declare-fun $SortWrappers.Set<$Snap>To$Snap (Set<$Snap>) $Snap) (declare-fun $SortWrappers.$SnapToSet<$Snap> ($Snap) Set<$Snap>) (assert (forall ((x Set<$Snap>)) (! (= x ($SortWrappers.$SnapToSet<$Snap>($SortWrappers.Set<$Snap>To$Snap x))) :pattern (($SortWrappers.Set<$Snap>To$Snap x)) :qid |$Snap.$SnapToSet<$Snap>To$Snap| ))) (assert (forall ((x $Snap)) (! (= x ($SortWrappers.Set<$Snap>To$Snap($SortWrappers.$SnapToSet<$Snap> x))) :pattern (($SortWrappers.$SnapToSet<$Snap> x)) :qid |$Snap.Set<$Snap>To$SnapToSet<$Snap>| ))) ; Declaring additional sort wrappers (declare-fun $SortWrappers.arrayTo$Snap (array) $Snap) (declare-fun $SortWrappers.$SnapToarray ($Snap) array) (assert (forall ((x array)) (! (= x ($SortWrappers.$SnapToarray($SortWrappers.arrayTo$Snap x))) :pattern (($SortWrappers.arrayTo$Snap x)) :qid |$Snap.$SnapToarrayTo$Snap| ))) (assert (forall ((x $Snap)) (! (= x ($SortWrappers.arrayTo$Snap($SortWrappers.$SnapToarray x))) :pattern (($SortWrappers.$SnapToarray x)) :qid |$Snap.arrayTo$SnapToarray| ))) ; Declaring additional sort wrappers (declare-fun $SortWrappers.$FVFTo$Snap ($FVF) $Snap) (declare-fun $SortWrappers.$SnapTo$FVF ($Snap) $FVF) (assert (forall ((x $FVF)) (! (= x ($SortWrappers.$SnapTo$FVF($SortWrappers.$FVFTo$Snap x))) :pattern (($SortWrappers.$FVFTo$Snap x)) :qid |$Snap.$SnapTo$FVFTo$Snap| ))) (assert (forall ((x $Snap)) (! (= x ($SortWrappers.$FVFTo$Snap($SortWrappers.$SnapTo$FVF x))) :pattern (($SortWrappers.$SnapTo$FVF x)) :qid |$Snap.$FVFTo$SnapTo$FVF| ))) (declare-fun $SortWrappers.$FVF<$Ref>To$Snap ($FVF<$Ref>) $Snap) (declare-fun $SortWrappers.$SnapTo$FVF<$Ref> ($Snap) $FVF<$Ref>) (assert (forall ((x $FVF<$Ref>)) (! (= x ($SortWrappers.$SnapTo$FVF<$Ref>($SortWrappers.$FVF<$Ref>To$Snap x))) :pattern (($SortWrappers.$FVF<$Ref>To$Snap x)) :qid |$Snap.$SnapTo$FVF<$Ref>To$Snap| ))) (assert (forall ((x $Snap)) (! (= x ($SortWrappers.$FVF<$Ref>To$Snap($SortWrappers.$SnapTo$FVF<$Ref> x))) :pattern (($SortWrappers.$SnapTo$FVF<$Ref> x)) :qid |$Snap.$FVF<$Ref>To$SnapTo$FVF<$Ref>| ))) ; ////////// Symbols (declare-fun Set_in (array Set) Bool) (declare-fun Set_card (Set) Int) (declare-const Set_empty Set) (declare-fun Set_singleton (array) Set) (declare-fun Set_unionone (Set array) Set) (declare-fun Set_union (Set Set) Set) (declare-fun Set_disjoint (Set Set) Bool) (declare-fun Set_difference (Set Set) Set) (declare-fun Set_intersection (Set Set) Set) (declare-fun Set_subset (Set Set) Bool) (declare-fun Set_equal (Set Set) Bool) (declare-fun Set_in (Int Set) Bool) (declare-fun Set_card (Set) Int) (declare-const Set_empty Set) (declare-fun Set_singleton (Int) Set) (declare-fun Set_unionone (Set Int) Set) (declare-fun Set_union (Set Set) Set) (declare-fun Set_disjoint (Set Set) Bool) (declare-fun Set_difference (Set Set) Set) (declare-fun Set_intersection (Set Set) Set) (declare-fun Set_subset (Set Set) Bool) (declare-fun Set_equal (Set Set) Bool) (declare-fun Set_in ($Ref Set<$Ref>) Bool) (declare-fun Set_card (Set<$Ref>) Int) (declare-const Set_empty Set<$Ref>) (declare-fun Set_singleton ($Ref) Set<$Ref>) (declare-fun Set_unionone (Set<$Ref> $Ref) Set<$Ref>) (declare-fun Set_union (Set<$Ref> Set<$Ref>) Set<$Ref>) (declare-fun Set_disjoint (Set<$Ref> Set<$Ref>) Bool) (declare-fun Set_difference (Set<$Ref> Set<$Ref>) Set<$Ref>) (declare-fun Set_intersection (Set<$Ref> Set<$Ref>) Set<$Ref>) (declare-fun Set_subset (Set<$Ref> Set<$Ref>) Bool) (declare-fun Set_equal (Set<$Ref> Set<$Ref>) Bool) (declare-fun Set_in ($Snap Set<$Snap>) Bool) (declare-fun Set_card (Set<$Snap>) Int) (declare-const Set_empty Set<$Snap>) (declare-fun Set_singleton ($Snap) Set<$Snap>) (declare-fun Set_unionone (Set<$Snap> $Snap) Set<$Snap>) (declare-fun Set_union (Set<$Snap> Set<$Snap>) Set<$Snap>) (declare-fun Set_disjoint (Set<$Snap> Set<$Snap>) Bool) (declare-fun Set_difference (Set<$Snap> Set<$Snap>) Set<$Snap>) (declare-fun Set_intersection (Set<$Snap> Set<$Snap>) Set<$Snap>) (declare-fun Set_subset (Set<$Snap> Set<$Snap>) Bool) (declare-fun Set_equal (Set<$Snap> Set<$Snap>) Bool) (declare-fun Seq_length (Seq>) Int) (declare-const Seq_empty Seq>) (declare-fun Seq_singleton (Seq) Seq>) (declare-fun Seq_build (Seq> Seq) Seq>) (declare-fun Seq_index (Seq> Int) Seq) (declare-fun Seq_append (Seq> Seq>) Seq>) (declare-fun Seq_update (Seq> Int Seq) Seq>) (declare-fun Seq_contains (Seq> Seq) Bool) (declare-fun Seq_take (Seq> Int) Seq>) (declare-fun Seq_drop (Seq> Int) Seq>) (declare-fun Seq_equal (Seq> Seq>) Bool) (declare-fun Seq_sameuntil (Seq> Seq> Int) Bool) (declare-fun Seq_length (Seq) Int) (declare-const Seq_empty Seq) (declare-fun Seq_singleton (Int) Seq) (declare-fun Seq_build (Seq Int) Seq) (declare-fun Seq_index (Seq Int) Int) (declare-fun Seq_append (Seq Seq) Seq) (declare-fun Seq_update (Seq Int Int) Seq) (declare-fun Seq_contains (Seq Int) Bool) (declare-fun Seq_take (Seq Int) Seq) (declare-fun Seq_drop (Seq Int) Seq) (declare-fun Seq_equal (Seq Seq) Bool) (declare-fun Seq_sameuntil (Seq Seq Int) Bool) (declare-fun Seq_range (Int Int) Seq) (declare-fun array_loc (array Int) $Ref) (declare-fun alen (array) Int) (declare-fun loc_inv_1 ($Ref) array) (declare-fun loc_inv_2 ($Ref) Int) ; /field_value_functions_declarations.smt2 [oa: array] (declare-fun $FVF.domain_oa ($FVF) Set<$Ref>) (declare-fun $FVF.lookup_oa ($FVF $Ref) array) (declare-fun $FVF.after_oa ($FVF $FVF) Bool) (declare-fun $FVF.loc_oa (array $Ref) Bool) (declare-fun $FVF.perm_oa ($FPM $Ref) $Perm) (declare-const $fvfTOP_oa $FVF) ; Declaring symbols related to program functions (from program analysis) (declare-fun SquareIntMatrix ($Snap Seq> Int) Bool) (declare-fun SquareIntMatrix%limited ($Snap Seq> Int) Bool) (declare-fun SquareIntMatrix%stateless (Seq> Int) Bool) (declare-fun aloc ($Snap array Int) $Ref) (declare-fun aloc%limited ($Snap array Int) $Ref) (declare-fun aloc%stateless (array Int) Bool) (declare-fun NonNegativeCapacities ($Snap Seq> Int) Bool) (declare-fun NonNegativeCapacities%limited ($Snap Seq> Int) Bool) (declare-fun NonNegativeCapacities%stateless (Seq> Int) Bool) (declare-fun matrixValues ($Snap array Int) Seq>) (declare-fun matrixValues%limited ($Snap array Int) Seq>) (declare-fun matrixValues%stateless (array Int) Bool) (declare-fun SumIncomingFlow ($Snap Seq> Int) Int) (declare-fun SumIncomingFlow%limited ($Snap Seq> Int) Int) (declare-fun SumIncomingFlow%stateless (Seq> Int) Bool) ; Snapshot variable to be used during function verification (declare-fun s@$ () $Snap) ; Declaring predicate trigger functions ; ////////// Uniqueness assumptions from domains ; ////////// Axioms (assert (forall ((s Seq>)) (! (<= 0 (Seq_length s)) :pattern ((Seq_length s)) :qid |$Seq[Seq[Int]]_prog.seq_length_non_negative|))) (assert (= (Seq_length (as Seq_empty Seq>)) 0)) (assert (forall ((s Seq>)) (! (=> (= (Seq_length s) 0) (= s (as Seq_empty Seq>))) :pattern ((Seq_length s)) :qid |$Seq[Seq[Int]]_prog.only_empty_seq_length_zero|))) (assert (forall ((e Seq)) (! (= (Seq_length (Seq_singleton e)) 1) :pattern ((Seq_length (Seq_singleton e))) :qid |$Seq[Seq[Int]]_prog.length_singleton_seq|))) (assert (forall ((s Seq>) (e Seq)) (! (= (Seq_length (Seq_build s e)) (+ 1 (Seq_length s))) :pattern ((Seq_length (Seq_build s e))) :qid |$Seq[Seq[Int]]_prog.length_seq_build_inc_by_one|))) (assert (forall ((s Seq>) (i Int) (e Seq)) (! (ite (= i (Seq_length s)) (= (Seq_index (Seq_build s e) i) e) (= (Seq_index (Seq_build s e) i) (Seq_index s i))) :pattern ((Seq_index (Seq_build s e) i)) :qid |$Seq[Seq[Int]]_prog.seq_index_over_build|))) (assert (forall ((s1 Seq>) (s2 Seq>)) (! (=> (and (not (= s1 (as Seq_empty Seq>))) (not (= s2 (as Seq_empty Seq>)))) (= (Seq_length (Seq_append s1 s2)) (+ (Seq_length s1) (Seq_length s2)))) :pattern ((Seq_length (Seq_append s1 s2))) :qid |$Seq[Seq[Int]]_prog.seq_length_over_append|))) (assert (forall ((e Seq)) (! (= (Seq_index (Seq_singleton e) 0) e) :pattern ((Seq_singleton e)) :qid |$Seq[Seq[Int]]_prog.seq_index_over_singleton|))) (assert (forall ((e1 Seq) (e2 Seq)) (! (= (Seq_contains (Seq_singleton e1) e2) (= e1 e2)) :pattern ((Seq_contains (Seq_singleton e1) e2)) :qid |$Seq[Seq[Int]]_prog.seq_contains_over_singleton|))) (assert (forall ((s Seq>)) (! (= (Seq_append (as Seq_empty Seq>) s) s) :pattern ((Seq_append (as Seq_empty Seq>) s)) :qid |$Seq[Seq[Int]]_prog.seq_append_empty_left|))) (assert (forall ((s Seq>)) (! (= (Seq_append s (as Seq_empty Seq>)) s) :pattern ((Seq_append s (as Seq_empty Seq>))) :qid |$Seq[Seq[Int]]_prog.seq_append_empty_right|))) (assert (forall ((s1 Seq>) (s2 Seq>) (i Int)) (! (=> (and (not (= s1 (as Seq_empty Seq>))) (not (= s2 (as Seq_empty Seq>)))) (ite (< i (Seq_length s1)) (= (Seq_index (Seq_append s1 s2) i) (Seq_index s1 i)) (= (Seq_index (Seq_append s1 s2) i) (Seq_index s2 (- i (Seq_length s1)))))) :pattern ((Seq_index (Seq_append s1 s2) i)) :pattern ((Seq_index s1 i) (Seq_append s1 s2)) :qid |$Seq[Seq[Int]]_prog.seq_index_over_append|))) (assert (forall ((s Seq>) (i Int) (e Seq)) (! (=> (and (<= 0 i) (< i (Seq_length s))) (= (Seq_length (Seq_update s i e)) (Seq_length s))) :pattern ((Seq_length (Seq_update s i e))) :qid |$Seq[Seq[Int]]_prog.seq_length_invariant_over_update|))) (assert (forall ((s Seq>) (i Int) (e Seq) (j Int)) (! (ite (=> (and (<= 0 i) (< i (Seq_length s))) (= i j)) (= (Seq_index (Seq_update s i e) j) e) (= (Seq_index (Seq_update s i e) j) (Seq_index s j))) :pattern ((Seq_index (Seq_update s i e) j)) :qid |$Seq[Seq[Int]]_prog.seq_index_over_update|))) (assert (forall ((s Seq>) (e Seq)) (! (= (Seq_contains s e) (exists ((i Int)) (! (and (<= 0 i) (and (< i (Seq_length s)) (= (Seq_index s i) e))) :pattern ((Seq_index s i)) ))) :pattern ((Seq_contains s e)) :qid |$Seq[Seq[Int]]_prog.seq_element_contains_index_exists|))) (assert (forall ((e Seq)) (! (not (Seq_contains (as Seq_empty Seq>) e)) :pattern ((Seq_contains (as Seq_empty Seq>) e)) :qid |$Seq[Seq[Int]]_prog.empty_seq_contains_nothing|))) (assert (forall ((s1 Seq>) (s2 Seq>) (e Seq)) (! (= (Seq_contains (Seq_append s1 s2) e) (or (Seq_contains s1 e) (Seq_contains s2 e))) :pattern ((Seq_contains (Seq_append s1 s2) e)) :qid |$Seq[Seq[Int]]_prog.seq_contains_over_append|))) (assert (forall ((s Seq>) (e1 Seq) (e2 Seq)) (! (= (Seq_contains (Seq_build s e1) e2) (or (= e1 e2) (Seq_contains s e2))) :pattern ((Seq_contains (Seq_build s e1) e2)) :qid |$Seq[Seq[Int]]_prog.seq_contains_over_build|))) (assert (forall ((s Seq>) (n Int)) (! (=> (<= n 0) (= (Seq_take s n) (as Seq_empty Seq>))) :pattern ((Seq_take s n)) :qid |$Seq[Seq[Int]]_prog.seq_take_negative_length|))) (assert (forall ((s Seq>) (n Int) (e Seq)) (! (= (Seq_contains (Seq_take s n) e) (exists ((i Int)) (! (and (<= 0 i) (and (< i n) (and (< i (Seq_length s)) (= (Seq_index s i) e)))) :pattern ((Seq_index s i)) ))) :pattern ((Seq_contains (Seq_take s n) e)) :qid |$Seq[Seq[Int]]_prog.seq_contains_over_take_index_exists|))) (assert (forall ((s Seq>) (n Int)) (! (=> (<= n 0) (= (Seq_drop s n) s)) :pattern ((Seq_drop s n)) :qid |$Seq[Seq[Int]]_prog.seq_drop_negative_length|))) (assert (forall ((s Seq>) (n Int) (e Seq)) (! (= (Seq_contains (Seq_drop s n) e) (exists ((i Int)) (! (and (<= 0 i) (and (<= n i) (and (< i (Seq_length s)) (= (Seq_index s i) e)))) :pattern ((Seq_index s i)) ))) :pattern ((Seq_contains (Seq_drop s n) e)) :qid |$Seq[Seq[Int]]_prog.seq_contains_over_drop_index_exists|))) (assert (forall ((s1 Seq>) (s2 Seq>)) (! (= (Seq_equal s1 s2) (and (= (Seq_length s1) (Seq_length s2)) (forall ((i Int)) (! (=> (and (<= 0 i) (< i (Seq_length s1))) (= (Seq_index s1 i) (Seq_index s2 i))) :pattern ((Seq_index s1 i)) :pattern ((Seq_index s2 i)) )))) :pattern ((Seq_equal s1 s2)) :qid |$Seq[Seq[Int]]_prog.extensional_seq_equality|))) (assert (forall ((s1 Seq>) (s2 Seq>)) (! (=> (Seq_equal s1 s2) (= s1 s2)) :pattern ((Seq_equal s1 s2)) :qid |$Seq[Seq[Int]]_prog.seq_equality_identity|))) (assert (forall ((s1 Seq>) (s2 Seq>) (n Int)) (! (= (Seq_sameuntil s1 s2 n) (forall ((i Int)) (! (=> (and (<= 0 i) (< i n)) (= (Seq_index s1 i) (Seq_index s2 i))) :pattern ((Seq_index s1 i)) :pattern ((Seq_index s2 i)) ))) :pattern ((Seq_sameuntil s1 s2 n)) :qid |$Seq[Seq[Int]]_prog.extensional_seq_equality_prefix|))) (assert (forall ((s Seq>) (n Int)) (! (=> (<= 0 n) (ite (<= n (Seq_length s)) (= (Seq_length (Seq_take s n)) n) (= (Seq_length (Seq_take s n)) (Seq_length s)))) :pattern ((Seq_length (Seq_take s n))) :qid |$Seq[Seq[Int]]_prog.seq_length_over_take|))) (assert (forall ((s Seq>) (n Int) (i Int)) (! (=> (and (<= 0 i) (and (< i n) (< i (Seq_length s)))) (= (Seq_index (Seq_take s n) i) (Seq_index s i))) :pattern ((Seq_index (Seq_take s n) i)) :pattern ((Seq_index s i) (Seq_take s n)) :qid |$Seq[Seq[Int]]_prog.seq_index_over_take|))) (assert (forall ((s Seq>) (n Int)) (! (=> (<= 0 n) (ite (<= n (Seq_length s)) (= (Seq_length (Seq_drop s n)) (- (Seq_length s) n)) (= (Seq_length (Seq_drop s n)) 0))) :pattern ((Seq_length (Seq_drop s n))) :qid |$Seq[Seq[Int]]_prog.seq_length_over_drop|))) (assert (forall ((s Seq>) (n Int) (i Int)) (! (=> (and (<= 0 n) (and (<= 0 i) (< i (- (Seq_length s) n)))) (= (Seq_index (Seq_drop s n) i) (Seq_index s (+ i n)))) :pattern ((Seq_index (Seq_drop s n) i)) :qid |$Seq[Seq[Int]]_prog.seq_index_over_drop_1|))) (assert (forall ((s Seq>) (n Int) (i Int)) (! (=> (and (<= 0 n) (and (<= n i) (< i (Seq_length s)))) (= (Seq_index (Seq_drop s n) (- i n)) (Seq_index s i))) :pattern ((Seq_index s i) (Seq_drop s n)) :qid |$Seq[Seq[Int]]_prog.seq_index_over_drop_2|))) (assert (forall ((s Seq>) (i Int) (e Seq) (n Int)) (! (=> (and (<= 0 i) (and (< i n) (< n (Seq_length s)))) (= (Seq_take (Seq_update s i e) n) (Seq_update (Seq_take s n) i e))) :pattern ((Seq_take (Seq_update s i e) n)) :qid |$Seq[Seq[Int]]_prog.seq_take_over_update_1|))) (assert (forall ((s Seq>) (i Int) (e Seq) (n Int)) (! (=> (and (<= n i) (< i (Seq_length s))) (= (Seq_take (Seq_update s i e) n) (Seq_take s n))) :pattern ((Seq_take (Seq_update s i e) n)) :qid |$Seq[Seq[Int]]_prog.seq_take_over_update_2|))) (assert (forall ((s Seq>) (i Int) (e Seq) (n Int)) (! (=> (and (<= 0 n) (and (<= n i) (< i (Seq_length s)))) (= (Seq_drop (Seq_update s i e) n) (Seq_update (Seq_drop s n) (- i n) e))) :pattern ((Seq_drop (Seq_update s i e) n)) :qid |$Seq[Seq[Int]]_prog.seq_drop_over_update_1|))) (assert (forall ((s Seq>) (i Int) (e Seq) (n Int)) (! (=> (and (<= 0 i) (and (< i n) (< n (Seq_length s)))) (= (Seq_drop (Seq_update s i e) n) (Seq_drop s n))) :pattern ((Seq_drop (Seq_update s i e) n)) :qid |$Seq[Seq[Int]]_prog.seq_drop_over_update_2|))) (assert (forall ((s Seq>) (e Seq) (n Int)) (! (=> (and (<= 0 n) (<= n (Seq_length s))) (= (Seq_drop (Seq_build s e) n) (Seq_build (Seq_drop s n) e))) :pattern ((Seq_drop (Seq_build s e) n)) :qid |$Seq[Seq[Int]]_prog.seq_drop_over_build|))) (assert (forall ((s Seq)) (! (<= 0 (Seq_length s)) :pattern ((Seq_length s)) :qid |$Seq[Int]_prog.seq_length_non_negative|))) (assert (= (Seq_length (as Seq_empty Seq)) 0)) (assert (forall ((s Seq)) (! (=> (= (Seq_length s) 0) (= s (as Seq_empty Seq))) :pattern ((Seq_length s)) :qid |$Seq[Int]_prog.only_empty_seq_length_zero|))) (assert (forall ((e Int)) (! (= (Seq_length (Seq_singleton e)) 1) :pattern ((Seq_length (Seq_singleton e))) :qid |$Seq[Int]_prog.length_singleton_seq|))) (assert (forall ((s Seq) (e Int)) (! (= (Seq_length (Seq_build s e)) (+ 1 (Seq_length s))) :pattern ((Seq_length (Seq_build s e))) :qid |$Seq[Int]_prog.length_seq_build_inc_by_one|))) (assert (forall ((s Seq) (i Int) (e Int)) (! (ite (= i (Seq_length s)) (= (Seq_index (Seq_build s e) i) e) (= (Seq_index (Seq_build s e) i) (Seq_index s i))) :pattern ((Seq_index (Seq_build s e) i)) :qid |$Seq[Int]_prog.seq_index_over_build|))) (assert (forall ((s1 Seq) (s2 Seq)) (! (=> (and (not (= s1 (as Seq_empty Seq))) (not (= s2 (as Seq_empty Seq)))) (= (Seq_length (Seq_append s1 s2)) (+ (Seq_length s1) (Seq_length s2)))) :pattern ((Seq_length (Seq_append s1 s2))) :qid |$Seq[Int]_prog.seq_length_over_append|))) (assert (forall ((e Int)) (! (= (Seq_index (Seq_singleton e) 0) e) :pattern ((Seq_singleton e)) :qid |$Seq[Int]_prog.seq_index_over_singleton|))) (assert (forall ((e1 Int) (e2 Int)) (! (= (Seq_contains (Seq_singleton e1) e2) (= e1 e2)) :pattern ((Seq_contains (Seq_singleton e1) e2)) :qid |$Seq[Int]_prog.seq_contains_over_singleton|))) (assert (forall ((s Seq)) (! (= (Seq_append (as Seq_empty Seq) s) s) :pattern ((Seq_append (as Seq_empty Seq) s)) :qid |$Seq[Int]_prog.seq_append_empty_left|))) (assert (forall ((s Seq)) (! (= (Seq_append s (as Seq_empty Seq)) s) :pattern ((Seq_append s (as Seq_empty Seq))) :qid |$Seq[Int]_prog.seq_append_empty_right|))) (assert (forall ((s1 Seq) (s2 Seq) (i Int)) (! (=> (and (not (= s1 (as Seq_empty Seq))) (not (= s2 (as Seq_empty Seq)))) (ite (< i (Seq_length s1)) (= (Seq_index (Seq_append s1 s2) i) (Seq_index s1 i)) (= (Seq_index (Seq_append s1 s2) i) (Seq_index s2 (- i (Seq_length s1)))))) :pattern ((Seq_index (Seq_append s1 s2) i)) :pattern ((Seq_index s1 i) (Seq_append s1 s2)) :qid |$Seq[Int]_prog.seq_index_over_append|))) (assert (forall ((s Seq) (i Int) (e Int)) (! (=> (and (<= 0 i) (< i (Seq_length s))) (= (Seq_length (Seq_update s i e)) (Seq_length s))) :pattern ((Seq_length (Seq_update s i e))) :qid |$Seq[Int]_prog.seq_length_invariant_over_update|))) (assert (forall ((s Seq) (i Int) (e Int) (j Int)) (! (ite (=> (and (<= 0 i) (< i (Seq_length s))) (= i j)) (= (Seq_index (Seq_update s i e) j) e) (= (Seq_index (Seq_update s i e) j) (Seq_index s j))) :pattern ((Seq_index (Seq_update s i e) j)) :qid |$Seq[Int]_prog.seq_index_over_update|))) (assert (forall ((s Seq) (e Int)) (! (= (Seq_contains s e) (exists ((i Int)) (! (and (<= 0 i) (and (< i (Seq_length s)) (= (Seq_index s i) e))) :pattern ((Seq_index s i)) ))) :pattern ((Seq_contains s e)) :qid |$Seq[Int]_prog.seq_element_contains_index_exists|))) (assert (forall ((e Int)) (! (not (Seq_contains (as Seq_empty Seq) e)) :pattern ((Seq_contains (as Seq_empty Seq) e)) :qid |$Seq[Int]_prog.empty_seq_contains_nothing|))) (assert (forall ((s1 Seq) (s2 Seq) (e Int)) (! (= (Seq_contains (Seq_append s1 s2) e) (or (Seq_contains s1 e) (Seq_contains s2 e))) :pattern ((Seq_contains (Seq_append s1 s2) e)) :qid |$Seq[Int]_prog.seq_contains_over_append|))) (assert (forall ((s Seq) (e1 Int) (e2 Int)) (! (= (Seq_contains (Seq_build s e1) e2) (or (= e1 e2) (Seq_contains s e2))) :pattern ((Seq_contains (Seq_build s e1) e2)) :qid |$Seq[Int]_prog.seq_contains_over_build|))) (assert (forall ((s Seq) (n Int)) (! (=> (<= n 0) (= (Seq_take s n) (as Seq_empty Seq))) :pattern ((Seq_take s n)) :qid |$Seq[Int]_prog.seq_take_negative_length|))) (assert (forall ((s Seq) (n Int) (e Int)) (! (= (Seq_contains (Seq_take s n) e) (exists ((i Int)) (! (and (<= 0 i) (and (< i n) (and (< i (Seq_length s)) (= (Seq_index s i) e)))) :pattern ((Seq_index s i)) ))) :pattern ((Seq_contains (Seq_take s n) e)) :qid |$Seq[Int]_prog.seq_contains_over_take_index_exists|))) (assert (forall ((s Seq) (n Int)) (! (=> (<= n 0) (= (Seq_drop s n) s)) :pattern ((Seq_drop s n)) :qid |$Seq[Int]_prog.seq_drop_negative_length|))) (assert (forall ((s Seq) (n Int) (e Int)) (! (= (Seq_contains (Seq_drop s n) e) (exists ((i Int)) (! (and (<= 0 i) (and (<= n i) (and (< i (Seq_length s)) (= (Seq_index s i) e)))) :pattern ((Seq_index s i)) ))) :pattern ((Seq_contains (Seq_drop s n) e)) :qid |$Seq[Int]_prog.seq_contains_over_drop_index_exists|))) (assert (forall ((s1 Seq) (s2 Seq)) (! (= (Seq_equal s1 s2) (and (= (Seq_length s1) (Seq_length s2)) (forall ((i Int)) (! (=> (and (<= 0 i) (< i (Seq_length s1))) (= (Seq_index s1 i) (Seq_index s2 i))) :pattern ((Seq_index s1 i)) :pattern ((Seq_index s2 i)) )))) :pattern ((Seq_equal s1 s2)) :qid |$Seq[Int]_prog.extensional_seq_equality|))) (assert (forall ((s1 Seq) (s2 Seq)) (! (=> (Seq_equal s1 s2) (= s1 s2)) :pattern ((Seq_equal s1 s2)) :qid |$Seq[Int]_prog.seq_equality_identity|))) (assert (forall ((s1 Seq) (s2 Seq) (n Int)) (! (= (Seq_sameuntil s1 s2 n) (forall ((i Int)) (! (=> (and (<= 0 i) (< i n)) (= (Seq_index s1 i) (Seq_index s2 i))) :pattern ((Seq_index s1 i)) :pattern ((Seq_index s2 i)) ))) :pattern ((Seq_sameuntil s1 s2 n)) :qid |$Seq[Int]_prog.extensional_seq_equality_prefix|))) (assert (forall ((s Seq) (n Int)) (! (=> (<= 0 n) (ite (<= n (Seq_length s)) (= (Seq_length (Seq_take s n)) n) (= (Seq_length (Seq_take s n)) (Seq_length s)))) :pattern ((Seq_length (Seq_take s n))) :qid |$Seq[Int]_prog.seq_length_over_take|))) (assert (forall ((s Seq) (n Int) (i Int)) (! (=> (and (<= 0 i) (and (< i n) (< i (Seq_length s)))) (= (Seq_index (Seq_take s n) i) (Seq_index s i))) :pattern ((Seq_index (Seq_take s n) i)) :pattern ((Seq_index s i) (Seq_take s n)) :qid |$Seq[Int]_prog.seq_index_over_take|))) (assert (forall ((s Seq) (n Int)) (! (=> (<= 0 n) (ite (<= n (Seq_length s)) (= (Seq_length (Seq_drop s n)) (- (Seq_length s) n)) (= (Seq_length (Seq_drop s n)) 0))) :pattern ((Seq_length (Seq_drop s n))) :qid |$Seq[Int]_prog.seq_length_over_drop|))) (assert (forall ((s Seq) (n Int) (i Int)) (! (=> (and (<= 0 n) (and (<= 0 i) (< i (- (Seq_length s) n)))) (= (Seq_index (Seq_drop s n) i) (Seq_index s (+ i n)))) :pattern ((Seq_index (Seq_drop s n) i)) :qid |$Seq[Int]_prog.seq_index_over_drop_1|))) (assert (forall ((s Seq) (n Int) (i Int)) (! (=> (and (<= 0 n) (and (<= n i) (< i (Seq_length s)))) (= (Seq_index (Seq_drop s n) (- i n)) (Seq_index s i))) :pattern ((Seq_index s i) (Seq_drop s n)) :qid |$Seq[Int]_prog.seq_index_over_drop_2|))) (assert (forall ((s Seq) (i Int) (e Int) (n Int)) (! (=> (and (<= 0 i) (and (< i n) (< n (Seq_length s)))) (= (Seq_take (Seq_update s i e) n) (Seq_update (Seq_take s n) i e))) :pattern ((Seq_take (Seq_update s i e) n)) :qid |$Seq[Int]_prog.seq_take_over_update_1|))) (assert (forall ((s Seq) (i Int) (e Int) (n Int)) (! (=> (and (<= n i) (< i (Seq_length s))) (= (Seq_take (Seq_update s i e) n) (Seq_take s n))) :pattern ((Seq_take (Seq_update s i e) n)) :qid |$Seq[Int]_prog.seq_take_over_update_2|))) (assert (forall ((s Seq) (i Int) (e Int) (n Int)) (! (=> (and (<= 0 n) (and (<= n i) (< i (Seq_length s)))) (= (Seq_drop (Seq_update s i e) n) (Seq_update (Seq_drop s n) (- i n) e))) :pattern ((Seq_drop (Seq_update s i e) n)) :qid |$Seq[Int]_prog.seq_drop_over_update_1|))) (assert (forall ((s Seq) (i Int) (e Int) (n Int)) (! (=> (and (<= 0 i) (and (< i n) (< n (Seq_length s)))) (= (Seq_drop (Seq_update s i e) n) (Seq_drop s n))) :pattern ((Seq_drop (Seq_update s i e) n)) :qid |$Seq[Int]_prog.seq_drop_over_update_2|))) (assert (forall ((s Seq) (e Int) (n Int)) (! (=> (and (<= 0 n) (<= n (Seq_length s))) (= (Seq_drop (Seq_build s e) n) (Seq_build (Seq_drop s n) e))) :pattern ((Seq_drop (Seq_build s e) n)) :qid |$Seq[Int]_prog.seq_drop_over_build|))) (assert (forall ((min_ Int) (max Int)) (! (ite (< min_ max) (= (Seq_length (Seq_range min_ max)) (- max min_)) (= (Seq_length (Seq_range min_ max)) 0)) :pattern ((Seq_length (Seq_range min_ max))) :qid |$Seq[Int]_prog.ranged_seq_length|))) (assert (forall ((min_ Int) (max Int) (i Int)) (! (=> (and (<= 0 i) (< i (- max min_))) (= (Seq_index (Seq_range min_ max) i) (+ min_ i))) :pattern ((Seq_index (Seq_range min_ max) i)) :qid |$Seq[Int]_prog.ranged_seq_index|))) (assert (forall ((min_ Int) (max Int) (e Int)) (! (= (Seq_contains (Seq_range min_ max) e) (and (<= min_ e) (< e max))) :pattern ((Seq_contains (Seq_range min_ max) e)) :qid |$Seq[Int]_prog.ranged_seq_contains|))) (assert (forall ((s Set)) (! (<= 0 (Set_card s)) :pattern ((Set_card s)) :qid |$Set[array]_prog.card_non_negative|))) (assert (forall ((e array)) (! (not (Set_in e (as Set_empty Set))) :pattern ((Set_in e (as Set_empty Set))) :qid |$Set[array]_prog.in_empty_set|))) (assert (forall ((s Set)) (! (and (= (= (Set_card s) 0) (= s (as Set_empty Set))) (=> (not (= (Set_card s) 0)) (exists ((e array)) (! (Set_in e s) :pattern ((Set_in e s)) )))) :pattern ((Set_card s)) :qid |$Set[array]_prog.empty_set_cardinality|))) (assert (forall ((e array)) (! (Set_in e (Set_singleton e)) :pattern ((Set_singleton e)) :qid |$Set[array]_prog.in_singleton_set|))) (assert (forall ((e1 array) (e2 array)) (! (= (Set_in e1 (Set_singleton e2)) (= e1 e2)) :pattern ((Set_in e1 (Set_singleton e2))) :qid |$Set[array]_prog.in_singleton_set_equality|))) (assert (forall ((e array)) (! (= (Set_card (Set_singleton e)) 1) :pattern ((Set_card (Set_singleton e))) :qid |$Set[array]_prog.singleton_set_cardinality|))) (assert (forall ((s Set) (e array)) (! (Set_in e (Set_unionone s e)) :pattern ((Set_unionone s e)) :qid |$Set[array]_prog.in_unionone_same|))) (assert (forall ((s Set) (e1 array) (e2 array)) (! (= (Set_in e1 (Set_unionone s e2)) (or (= e1 e2) (Set_in e1 s))) :pattern ((Set_in e1 (Set_unionone s e2))) :qid |$Set[array]_prog.in_unionone_other|))) (assert (forall ((s Set) (e1 array) (e2 array)) (! (=> (Set_in e1 s) (Set_in e1 (Set_unionone s e2))) :pattern ((Set_in e1 s) (Set_unionone s e2)) :qid |$Set[array]_prog.invariance_in_unionone|))) (assert (forall ((s Set) (e array)) (! (=> (Set_in e s) (= (Set_card (Set_unionone s e)) (Set_card s))) :pattern ((Set_card (Set_unionone s e))) :qid |$Set[array]_prog.unionone_cardinality_invariant|))) (assert (forall ((s Set) (e array)) (! (=> (not (Set_in e s)) (= (Set_card (Set_unionone s e)) (+ (Set_card s) 1))) :pattern ((Set_card (Set_unionone s e))) :qid |$Set[array]_prog.unionone_cardinality_changed|))) (assert (forall ((s1 Set) (s2 Set) (e array)) (! (= (Set_in e (Set_union s1 s2)) (or (Set_in e s1) (Set_in e s2))) :pattern ((Set_in e (Set_union s1 s2))) :qid |$Set[array]_prog.in_union_in_one|))) (assert (forall ((s1 Set) (s2 Set) (e array)) (! (=> (Set_in e s1) (Set_in e (Set_union s1 s2))) :pattern ((Set_in e s1) (Set_union s1 s2)) :qid |$Set[array]_prog.in_left_in_union|))) (assert (forall ((s1 Set) (s2 Set) (e array)) (! (=> (Set_in e s2) (Set_in e (Set_union s1 s2))) :pattern ((Set_in e s2) (Set_union s1 s2)) :qid |$Set[array]_prog.in_right_in_union|))) (assert (forall ((s1 Set) (s2 Set) (e array)) (! (= (Set_in e (Set_intersection s1 s2)) (and (Set_in e s1) (Set_in e s2))) :pattern ((Set_in e (Set_intersection s1 s2))) :pattern ((Set_intersection s1 s2) (Set_in e s1)) :pattern ((Set_intersection s1 s2) (Set_in e s2)) :qid |$Set[array]_prog.in_intersection_in_both|))) (assert (forall ((s1 Set) (s2 Set)) (! (= (Set_union s1 (Set_union s1 s2)) (Set_union s1 s2)) :pattern ((Set_union s1 (Set_union s1 s2))) :qid |$Set[array]_prog.union_left_idempotency|))) (assert (forall ((s1 Set) (s2 Set)) (! (= (Set_union (Set_union s1 s2) s2) (Set_union s1 s2)) :pattern ((Set_union (Set_union s1 s2) s2)) :qid |$Set[array]_prog.union_right_idempotency|))) (assert (forall ((s1 Set) (s2 Set)) (! (= (Set_intersection s1 (Set_intersection s1 s2)) (Set_intersection s1 s2)) :pattern ((Set_intersection s1 (Set_intersection s1 s2))) :qid |$Set[array]_prog.intersection_left_idempotency|))) (assert (forall ((s1 Set) (s2 Set)) (! (= (Set_intersection (Set_intersection s1 s2) s2) (Set_intersection s1 s2)) :pattern ((Set_intersection (Set_intersection s1 s2) s2)) :qid |$Set[array]_prog.intersection_right_idempotency|))) (assert (forall ((s1 Set) (s2 Set)) (! (= (+ (Set_card (Set_union s1 s2)) (Set_card (Set_intersection s1 s2))) (+ (Set_card s1) (Set_card s2))) :pattern ((Set_card (Set_union s1 s2))) :pattern ((Set_card (Set_intersection s1 s2))) :qid |$Set[array]_prog.cardinality_sums|))) (assert (forall ((s1 Set) (s2 Set) (e array)) (! (= (Set_in e (Set_difference s1 s2)) (and (Set_in e s1) (not (Set_in e s2)))) :pattern ((Set_in e (Set_difference s1 s2))) :qid |$Set[array]_prog.in_difference|))) (assert (forall ((s1 Set) (s2 Set) (e array)) (! (=> (Set_in e s2) (not (Set_in e (Set_difference s1 s2)))) :pattern ((Set_difference s1 s2) (Set_in e s2)) :qid |$Set[array]_prog.not_in_difference|))) (assert (forall ((s1 Set) (s2 Set)) (! (= (Set_subset s1 s2) (forall ((e array)) (! (=> (Set_in e s1) (Set_in e s2)) :pattern ((Set_in e s1)) :pattern ((Set_in e s2)) ))) :pattern ((Set_subset s1 s2)) :qid |$Set[array]_prog.subset_definition|))) (assert (forall ((s1 Set) (s2 Set)) (! (= (Set_equal s1 s2) (forall ((e array)) (! (= (Set_in e s1) (Set_in e s2)) :pattern ((Set_in e s1)) :pattern ((Set_in e s2)) ))) :pattern ((Set_equal s1 s2)) :qid |$Set[array]_prog.equality_definition|))) (assert (forall ((s1 Set) (s2 Set)) (! (=> (Set_equal s1 s2) (= s1 s2)) :pattern ((Set_equal s1 s2)) :qid |$Set[array]_prog.native_equality|))) (assert (forall ((s1 Set) (s2 Set)) (! (= (Set_disjoint s1 s2) (forall ((e array)) (! (or (not (Set_in e s1)) (not (Set_in e s2))) :pattern ((Set_in e s1)) :pattern ((Set_in e s2)) ))) :pattern ((Set_disjoint s1 s2)) :qid |$Set[array]_prog.disjointness_definition|))) (assert (forall ((s1 Set) (s2 Set)) (! (and (= (+ (+ (Set_card (Set_difference s1 s2)) (Set_card (Set_difference s2 s1))) (Set_card (Set_intersection s1 s2))) (Set_card (Set_union s1 s2))) (= (Set_card (Set_difference s1 s2)) (- (Set_card s1) (Set_card (Set_intersection s1 s2))))) :pattern ((Set_card (Set_difference s1 s2))) :qid |$Set[array]_prog.cardinality_difference|))) (assert (forall ((s Set)) (! (<= 0 (Set_card s)) :pattern ((Set_card s)) :qid |$Set[Int]_prog.card_non_negative|))) (assert (forall ((e Int)) (! (not (Set_in e (as Set_empty Set))) :pattern ((Set_in e (as Set_empty Set))) :qid |$Set[Int]_prog.in_empty_set|))) (assert (forall ((s Set)) (! (and (= (= (Set_card s) 0) (= s (as Set_empty Set))) (=> (not (= (Set_card s) 0)) (exists ((e Int)) (! (Set_in e s) :pattern ((Set_in e s)) )))) :pattern ((Set_card s)) :qid |$Set[Int]_prog.empty_set_cardinality|))) (assert (forall ((e Int)) (! (Set_in e (Set_singleton e)) :pattern ((Set_singleton e)) :qid |$Set[Int]_prog.in_singleton_set|))) (assert (forall ((e1 Int) (e2 Int)) (! (= (Set_in e1 (Set_singleton e2)) (= e1 e2)) :pattern ((Set_in e1 (Set_singleton e2))) :qid |$Set[Int]_prog.in_singleton_set_equality|))) (assert (forall ((e Int)) (! (= (Set_card (Set_singleton e)) 1) :pattern ((Set_card (Set_singleton e))) :qid |$Set[Int]_prog.singleton_set_cardinality|))) (assert (forall ((s Set) (e Int)) (! (Set_in e (Set_unionone s e)) :pattern ((Set_unionone s e)) :qid |$Set[Int]_prog.in_unionone_same|))) (assert (forall ((s Set) (e1 Int) (e2 Int)) (! (= (Set_in e1 (Set_unionone s e2)) (or (= e1 e2) (Set_in e1 s))) :pattern ((Set_in e1 (Set_unionone s e2))) :qid |$Set[Int]_prog.in_unionone_other|))) (assert (forall ((s Set) (e1 Int) (e2 Int)) (! (=> (Set_in e1 s) (Set_in e1 (Set_unionone s e2))) :pattern ((Set_in e1 s) (Set_unionone s e2)) :qid |$Set[Int]_prog.invariance_in_unionone|))) (assert (forall ((s Set) (e Int)) (! (=> (Set_in e s) (= (Set_card (Set_unionone s e)) (Set_card s))) :pattern ((Set_card (Set_unionone s e))) :qid |$Set[Int]_prog.unionone_cardinality_invariant|))) (assert (forall ((s Set) (e Int)) (! (=> (not (Set_in e s)) (= (Set_card (Set_unionone s e)) (+ (Set_card s) 1))) :pattern ((Set_card (Set_unionone s e))) :qid |$Set[Int]_prog.unionone_cardinality_changed|))) (assert (forall ((s1 Set) (s2 Set) (e Int)) (! (= (Set_in e (Set_union s1 s2)) (or (Set_in e s1) (Set_in e s2))) :pattern ((Set_in e (Set_union s1 s2))) :qid |$Set[Int]_prog.in_union_in_one|))) (assert (forall ((s1 Set) (s2 Set) (e Int)) (! (=> (Set_in e s1) (Set_in e (Set_union s1 s2))) :pattern ((Set_in e s1) (Set_union s1 s2)) :qid |$Set[Int]_prog.in_left_in_union|))) (assert (forall ((s1 Set) (s2 Set) (e Int)) (! (=> (Set_in e s2) (Set_in e (Set_union s1 s2))) :pattern ((Set_in e s2) (Set_union s1 s2)) :qid |$Set[Int]_prog.in_right_in_union|))) (assert (forall ((s1 Set) (s2 Set) (e Int)) (! (= (Set_in e (Set_intersection s1 s2)) (and (Set_in e s1) (Set_in e s2))) :pattern ((Set_in e (Set_intersection s1 s2))) :pattern ((Set_intersection s1 s2) (Set_in e s1)) :pattern ((Set_intersection s1 s2) (Set_in e s2)) :qid |$Set[Int]_prog.in_intersection_in_both|))) (assert (forall ((s1 Set) (s2 Set)) (! (= (Set_union s1 (Set_union s1 s2)) (Set_union s1 s2)) :pattern ((Set_union s1 (Set_union s1 s2))) :qid |$Set[Int]_prog.union_left_idempotency|))) (assert (forall ((s1 Set) (s2 Set)) (! (= (Set_union (Set_union s1 s2) s2) (Set_union s1 s2)) :pattern ((Set_union (Set_union s1 s2) s2)) :qid |$Set[Int]_prog.union_right_idempotency|))) (assert (forall ((s1 Set) (s2 Set)) (! (= (Set_intersection s1 (Set_intersection s1 s2)) (Set_intersection s1 s2)) :pattern ((Set_intersection s1 (Set_intersection s1 s2))) :qid |$Set[Int]_prog.intersection_left_idempotency|))) (assert (forall ((s1 Set) (s2 Set)) (! (= (Set_intersection (Set_intersection s1 s2) s2) (Set_intersection s1 s2)) :pattern ((Set_intersection (Set_intersection s1 s2) s2)) :qid |$Set[Int]_prog.intersection_right_idempotency|))) (assert (forall ((s1 Set) (s2 Set)) (! (= (+ (Set_card (Set_union s1 s2)) (Set_card (Set_intersection s1 s2))) (+ (Set_card s1) (Set_card s2))) :pattern ((Set_card (Set_union s1 s2))) :pattern ((Set_card (Set_intersection s1 s2))) :qid |$Set[Int]_prog.cardinality_sums|))) (assert (forall ((s1 Set) (s2 Set) (e Int)) (! (= (Set_in e (Set_difference s1 s2)) (and (Set_in e s1) (not (Set_in e s2)))) :pattern ((Set_in e (Set_difference s1 s2))) :qid |$Set[Int]_prog.in_difference|))) (assert (forall ((s1 Set) (s2 Set) (e Int)) (! (=> (Set_in e s2) (not (Set_in e (Set_difference s1 s2)))) :pattern ((Set_difference s1 s2) (Set_in e s2)) :qid |$Set[Int]_prog.not_in_difference|))) (assert (forall ((s1 Set) (s2 Set)) (! (= (Set_subset s1 s2) (forall ((e Int)) (! (=> (Set_in e s1) (Set_in e s2)) :pattern ((Set_in e s1)) :pattern ((Set_in e s2)) ))) :pattern ((Set_subset s1 s2)) :qid |$Set[Int]_prog.subset_definition|))) (assert (forall ((s1 Set) (s2 Set)) (! (= (Set_equal s1 s2) (forall ((e Int)) (! (= (Set_in e s1) (Set_in e s2)) :pattern ((Set_in e s1)) :pattern ((Set_in e s2)) ))) :pattern ((Set_equal s1 s2)) :qid |$Set[Int]_prog.equality_definition|))) (assert (forall ((s1 Set) (s2 Set)) (! (=> (Set_equal s1 s2) (= s1 s2)) :pattern ((Set_equal s1 s2)) :qid |$Set[Int]_prog.native_equality|))) (assert (forall ((s1 Set) (s2 Set)) (! (= (Set_disjoint s1 s2) (forall ((e Int)) (! (or (not (Set_in e s1)) (not (Set_in e s2))) :pattern ((Set_in e s1)) :pattern ((Set_in e s2)) ))) :pattern ((Set_disjoint s1 s2)) :qid |$Set[Int]_prog.disjointness_definition|))) (assert (forall ((s1 Set) (s2 Set)) (! (and (= (+ (+ (Set_card (Set_difference s1 s2)) (Set_card (Set_difference s2 s1))) (Set_card (Set_intersection s1 s2))) (Set_card (Set_union s1 s2))) (= (Set_card (Set_difference s1 s2)) (- (Set_card s1) (Set_card (Set_intersection s1 s2))))) :pattern ((Set_card (Set_difference s1 s2))) :qid |$Set[Int]_prog.cardinality_difference|))) (assert (forall ((s Set<$Ref>)) (! (<= 0 (Set_card s)) :pattern ((Set_card s)) :qid |$Set[Ref]_prog.card_non_negative|))) (assert (forall ((e $Ref)) (! (not (Set_in e (as Set_empty Set<$Ref>))) :pattern ((Set_in e (as Set_empty Set<$Ref>))) :qid |$Set[Ref]_prog.in_empty_set|))) (assert (forall ((s Set<$Ref>)) (! (and (= (= (Set_card s) 0) (= s (as Set_empty Set<$Ref>))) (=> (not (= (Set_card s) 0)) (exists ((e $Ref)) (! (Set_in e s) :pattern ((Set_in e s)) )))) :pattern ((Set_card s)) :qid |$Set[Ref]_prog.empty_set_cardinality|))) (assert (forall ((e $Ref)) (! (Set_in e (Set_singleton e)) :pattern ((Set_singleton e)) :qid |$Set[Ref]_prog.in_singleton_set|))) (assert (forall ((e1 $Ref) (e2 $Ref)) (! (= (Set_in e1 (Set_singleton e2)) (= e1 e2)) :pattern ((Set_in e1 (Set_singleton e2))) :qid |$Set[Ref]_prog.in_singleton_set_equality|))) (assert (forall ((e $Ref)) (! (= (Set_card (Set_singleton e)) 1) :pattern ((Set_card (Set_singleton e))) :qid |$Set[Ref]_prog.singleton_set_cardinality|))) (assert (forall ((s Set<$Ref>) (e $Ref)) (! (Set_in e (Set_unionone s e)) :pattern ((Set_unionone s e)) :qid |$Set[Ref]_prog.in_unionone_same|))) (assert (forall ((s Set<$Ref>) (e1 $Ref) (e2 $Ref)) (! (= (Set_in e1 (Set_unionone s e2)) (or (= e1 e2) (Set_in e1 s))) :pattern ((Set_in e1 (Set_unionone s e2))) :qid |$Set[Ref]_prog.in_unionone_other|))) (assert (forall ((s Set<$Ref>) (e1 $Ref) (e2 $Ref)) (! (=> (Set_in e1 s) (Set_in e1 (Set_unionone s e2))) :pattern ((Set_in e1 s) (Set_unionone s e2)) :qid |$Set[Ref]_prog.invariance_in_unionone|))) (assert (forall ((s Set<$Ref>) (e $Ref)) (! (=> (Set_in e s) (= (Set_card (Set_unionone s e)) (Set_card s))) :pattern ((Set_card (Set_unionone s e))) :qid |$Set[Ref]_prog.unionone_cardinality_invariant|))) (assert (forall ((s Set<$Ref>) (e $Ref)) (! (=> (not (Set_in e s)) (= (Set_card (Set_unionone s e)) (+ (Set_card s) 1))) :pattern ((Set_card (Set_unionone s e))) :qid |$Set[Ref]_prog.unionone_cardinality_changed|))) (assert (forall ((s1 Set<$Ref>) (s2 Set<$Ref>) (e $Ref)) (! (= (Set_in e (Set_union s1 s2)) (or (Set_in e s1) (Set_in e s2))) :pattern ((Set_in e (Set_union s1 s2))) :qid |$Set[Ref]_prog.in_union_in_one|))) (assert (forall ((s1 Set<$Ref>) (s2 Set<$Ref>) (e $Ref)) (! (=> (Set_in e s1) (Set_in e (Set_union s1 s2))) :pattern ((Set_in e s1) (Set_union s1 s2)) :qid |$Set[Ref]_prog.in_left_in_union|))) (assert (forall ((s1 Set<$Ref>) (s2 Set<$Ref>) (e $Ref)) (! (=> (Set_in e s2) (Set_in e (Set_union s1 s2))) :pattern ((Set_in e s2) (Set_union s1 s2)) :qid |$Set[Ref]_prog.in_right_in_union|))) (assert (forall ((s1 Set<$Ref>) (s2 Set<$Ref>) (e $Ref)) (! (= (Set_in e (Set_intersection s1 s2)) (and (Set_in e s1) (Set_in e s2))) :pattern ((Set_in e (Set_intersection s1 s2))) :pattern ((Set_intersection s1 s2) (Set_in e s1)) :pattern ((Set_intersection s1 s2) (Set_in e s2)) :qid |$Set[Ref]_prog.in_intersection_in_both|))) (assert (forall ((s1 Set<$Ref>) (s2 Set<$Ref>)) (! (= (Set_union s1 (Set_union s1 s2)) (Set_union s1 s2)) :pattern ((Set_union s1 (Set_union s1 s2))) :qid |$Set[Ref]_prog.union_left_idempotency|))) (assert (forall ((s1 Set<$Ref>) (s2 Set<$Ref>)) (! (= (Set_union (Set_union s1 s2) s2) (Set_union s1 s2)) :pattern ((Set_union (Set_union s1 s2) s2)) :qid |$Set[Ref]_prog.union_right_idempotency|))) (assert (forall ((s1 Set<$Ref>) (s2 Set<$Ref>)) (! (= (Set_intersection s1 (Set_intersection s1 s2)) (Set_intersection s1 s2)) :pattern ((Set_intersection s1 (Set_intersection s1 s2))) :qid |$Set[Ref]_prog.intersection_left_idempotency|))) (assert (forall ((s1 Set<$Ref>) (s2 Set<$Ref>)) (! (= (Set_intersection (Set_intersection s1 s2) s2) (Set_intersection s1 s2)) :pattern ((Set_intersection (Set_intersection s1 s2) s2)) :qid |$Set[Ref]_prog.intersection_right_idempotency|))) (assert (forall ((s1 Set<$Ref>) (s2 Set<$Ref>)) (! (= (+ (Set_card (Set_union s1 s2)) (Set_card (Set_intersection s1 s2))) (+ (Set_card s1) (Set_card s2))) :pattern ((Set_card (Set_union s1 s2))) :pattern ((Set_card (Set_intersection s1 s2))) :qid |$Set[Ref]_prog.cardinality_sums|))) (assert (forall ((s1 Set<$Ref>) (s2 Set<$Ref>) (e $Ref)) (! (= (Set_in e (Set_difference s1 s2)) (and (Set_in e s1) (not (Set_in e s2)))) :pattern ((Set_in e (Set_difference s1 s2))) :qid |$Set[Ref]_prog.in_difference|))) (assert (forall ((s1 Set<$Ref>) (s2 Set<$Ref>) (e $Ref)) (! (=> (Set_in e s2) (not (Set_in e (Set_difference s1 s2)))) :pattern ((Set_difference s1 s2) (Set_in e s2)) :qid |$Set[Ref]_prog.not_in_difference|))) (assert (forall ((s1 Set<$Ref>) (s2 Set<$Ref>)) (! (= (Set_subset s1 s2) (forall ((e $Ref)) (! (=> (Set_in e s1) (Set_in e s2)) :pattern ((Set_in e s1)) :pattern ((Set_in e s2)) ))) :pattern ((Set_subset s1 s2)) :qid |$Set[Ref]_prog.subset_definition|))) (assert (forall ((s1 Set<$Ref>) (s2 Set<$Ref>)) (! (= (Set_equal s1 s2) (forall ((e $Ref)) (! (= (Set_in e s1) (Set_in e s2)) :pattern ((Set_in e s1)) :pattern ((Set_in e s2)) ))) :pattern ((Set_equal s1 s2)) :qid |$Set[Ref]_prog.equality_definition|))) (assert (forall ((s1 Set<$Ref>) (s2 Set<$Ref>)) (! (=> (Set_equal s1 s2) (= s1 s2)) :pattern ((Set_equal s1 s2)) :qid |$Set[Ref]_prog.native_equality|))) (assert (forall ((s1 Set<$Ref>) (s2 Set<$Ref>)) (! (= (Set_disjoint s1 s2) (forall ((e $Ref)) (! (or (not (Set_in e s1)) (not (Set_in e s2))) :pattern ((Set_in e s1)) :pattern ((Set_in e s2)) ))) :pattern ((Set_disjoint s1 s2)) :qid |$Set[Ref]_prog.disjointness_definition|))) (assert (forall ((s1 Set<$Ref>) (s2 Set<$Ref>)) (! (and (= (+ (+ (Set_card (Set_difference s1 s2)) (Set_card (Set_difference s2 s1))) (Set_card (Set_intersection s1 s2))) (Set_card (Set_union s1 s2))) (= (Set_card (Set_difference s1 s2)) (- (Set_card s1) (Set_card (Set_intersection s1 s2))))) :pattern ((Set_card (Set_difference s1 s2))) :qid |$Set[Ref]_prog.cardinality_difference|))) (assert (forall ((s Set<$Snap>)) (! (<= 0 (Set_card s)) :pattern ((Set_card s)) :qid |$Set[Snap]_prog.card_non_negative|))) (assert (forall ((e $Snap)) (! (not (Set_in e (as Set_empty Set<$Snap>))) :pattern ((Set_in e (as Set_empty Set<$Snap>))) :qid |$Set[Snap]_prog.in_empty_set|))) (assert (forall ((s Set<$Snap>)) (! (and (= (= (Set_card s) 0) (= s (as Set_empty Set<$Snap>))) (=> (not (= (Set_card s) 0)) (exists ((e $Snap)) (! (Set_in e s) :pattern ((Set_in e s)) )))) :pattern ((Set_card s)) :qid |$Set[Snap]_prog.empty_set_cardinality|))) (assert (forall ((e $Snap)) (! (Set_in e (Set_singleton e)) :pattern ((Set_singleton e)) :qid |$Set[Snap]_prog.in_singleton_set|))) (assert (forall ((e1 $Snap) (e2 $Snap)) (! (= (Set_in e1 (Set_singleton e2)) (= e1 e2)) :pattern ((Set_in e1 (Set_singleton e2))) :qid |$Set[Snap]_prog.in_singleton_set_equality|))) (assert (forall ((e $Snap)) (! (= (Set_card (Set_singleton e)) 1) :pattern ((Set_card (Set_singleton e))) :qid |$Set[Snap]_prog.singleton_set_cardinality|))) (assert (forall ((s Set<$Snap>) (e $Snap)) (! (Set_in e (Set_unionone s e)) :pattern ((Set_unionone s e)) :qid |$Set[Snap]_prog.in_unionone_same|))) (assert (forall ((s Set<$Snap>) (e1 $Snap) (e2 $Snap)) (! (= (Set_in e1 (Set_unionone s e2)) (or (= e1 e2) (Set_in e1 s))) :pattern ((Set_in e1 (Set_unionone s e2))) :qid |$Set[Snap]_prog.in_unionone_other|))) (assert (forall ((s Set<$Snap>) (e1 $Snap) (e2 $Snap)) (! (=> (Set_in e1 s) (Set_in e1 (Set_unionone s e2))) :pattern ((Set_in e1 s) (Set_unionone s e2)) :qid |$Set[Snap]_prog.invariance_in_unionone|))) (assert (forall ((s Set<$Snap>) (e $Snap)) (! (=> (Set_in e s) (= (Set_card (Set_unionone s e)) (Set_card s))) :pattern ((Set_card (Set_unionone s e))) :qid |$Set[Snap]_prog.unionone_cardinality_invariant|))) (assert (forall ((s Set<$Snap>) (e $Snap)) (! (=> (not (Set_in e s)) (= (Set_card (Set_unionone s e)) (+ (Set_card s) 1))) :pattern ((Set_card (Set_unionone s e))) :qid |$Set[Snap]_prog.unionone_cardinality_changed|))) (assert (forall ((s1 Set<$Snap>) (s2 Set<$Snap>) (e $Snap)) (! (= (Set_in e (Set_union s1 s2)) (or (Set_in e s1) (Set_in e s2))) :pattern ((Set_in e (Set_union s1 s2))) :qid |$Set[Snap]_prog.in_union_in_one|))) (assert (forall ((s1 Set<$Snap>) (s2 Set<$Snap>) (e $Snap)) (! (=> (Set_in e s1) (Set_in e (Set_union s1 s2))) :pattern ((Set_in e s1) (Set_union s1 s2)) :qid |$Set[Snap]_prog.in_left_in_union|))) (assert (forall ((s1 Set<$Snap>) (s2 Set<$Snap>) (e $Snap)) (! (=> (Set_in e s2) (Set_in e (Set_union s1 s2))) :pattern ((Set_in e s2) (Set_union s1 s2)) :qid |$Set[Snap]_prog.in_right_in_union|))) (assert (forall ((s1 Set<$Snap>) (s2 Set<$Snap>) (e $Snap)) (! (= (Set_in e (Set_intersection s1 s2)) (and (Set_in e s1) (Set_in e s2))) :pattern ((Set_in e (Set_intersection s1 s2))) :pattern ((Set_intersection s1 s2) (Set_in e s1)) :pattern ((Set_intersection s1 s2) (Set_in e s2)) :qid |$Set[Snap]_prog.in_intersection_in_both|))) (assert (forall ((s1 Set<$Snap>) (s2 Set<$Snap>)) (! (= (Set_union s1 (Set_union s1 s2)) (Set_union s1 s2)) :pattern ((Set_union s1 (Set_union s1 s2))) :qid |$Set[Snap]_prog.union_left_idempotency|))) (assert (forall ((s1 Set<$Snap>) (s2 Set<$Snap>)) (! (= (Set_union (Set_union s1 s2) s2) (Set_union s1 s2)) :pattern ((Set_union (Set_union s1 s2) s2)) :qid |$Set[Snap]_prog.union_right_idempotency|))) (assert (forall ((s1 Set<$Snap>) (s2 Set<$Snap>)) (! (= (Set_intersection s1 (Set_intersection s1 s2)) (Set_intersection s1 s2)) :pattern ((Set_intersection s1 (Set_intersection s1 s2))) :qid |$Set[Snap]_prog.intersection_left_idempotency|))) (assert (forall ((s1 Set<$Snap>) (s2 Set<$Snap>)) (! (= (Set_intersection (Set_intersection s1 s2) s2) (Set_intersection s1 s2)) :pattern ((Set_intersection (Set_intersection s1 s2) s2)) :qid |$Set[Snap]_prog.intersection_right_idempotency|))) (assert (forall ((s1 Set<$Snap>) (s2 Set<$Snap>)) (! (= (+ (Set_card (Set_union s1 s2)) (Set_card (Set_intersection s1 s2))) (+ (Set_card s1) (Set_card s2))) :pattern ((Set_card (Set_union s1 s2))) :pattern ((Set_card (Set_intersection s1 s2))) :qid |$Set[Snap]_prog.cardinality_sums|))) (assert (forall ((s1 Set<$Snap>) (s2 Set<$Snap>) (e $Snap)) (! (= (Set_in e (Set_difference s1 s2)) (and (Set_in e s1) (not (Set_in e s2)))) :pattern ((Set_in e (Set_difference s1 s2))) :qid |$Set[Snap]_prog.in_difference|))) (assert (forall ((s1 Set<$Snap>) (s2 Set<$Snap>) (e $Snap)) (! (=> (Set_in e s2) (not (Set_in e (Set_difference s1 s2)))) :pattern ((Set_difference s1 s2) (Set_in e s2)) :qid |$Set[Snap]_prog.not_in_difference|))) (assert (forall ((s1 Set<$Snap>) (s2 Set<$Snap>)) (! (= (Set_subset s1 s2) (forall ((e $Snap)) (! (=> (Set_in e s1) (Set_in e s2)) :pattern ((Set_in e s1)) :pattern ((Set_in e s2)) ))) :pattern ((Set_subset s1 s2)) :qid |$Set[Snap]_prog.subset_definition|))) (assert (forall ((s1 Set<$Snap>) (s2 Set<$Snap>)) (! (= (Set_equal s1 s2) (forall ((e $Snap)) (! (= (Set_in e s1) (Set_in e s2)) :pattern ((Set_in e s1)) :pattern ((Set_in e s2)) ))) :pattern ((Set_equal s1 s2)) :qid |$Set[Snap]_prog.equality_definition|))) (assert (forall ((s1 Set<$Snap>) (s2 Set<$Snap>)) (! (=> (Set_equal s1 s2) (= s1 s2)) :pattern ((Set_equal s1 s2)) :qid |$Set[Snap]_prog.native_equality|))) (assert (forall ((s1 Set<$Snap>) (s2 Set<$Snap>)) (! (= (Set_disjoint s1 s2) (forall ((e $Snap)) (! (or (not (Set_in e s1)) (not (Set_in e s2))) :pattern ((Set_in e s1)) :pattern ((Set_in e s2)) ))) :pattern ((Set_disjoint s1 s2)) :qid |$Set[Snap]_prog.disjointness_definition|))) (assert (forall ((s1 Set<$Snap>) (s2 Set<$Snap>)) (! (and (= (+ (+ (Set_card (Set_difference s1 s2)) (Set_card (Set_difference s2 s1))) (Set_card (Set_intersection s1 s2))) (Set_card (Set_union s1 s2))) (= (Set_card (Set_difference s1 s2)) (- (Set_card s1) (Set_card (Set_intersection s1 s2))))) :pattern ((Set_card (Set_difference s1 s2))) :qid |$Set[Snap]_prog.cardinality_difference|))) (assert (forall ((a2 array)) (forall ((i1 Int)) (! (and (= (loc_inv_1 (array_loc a2 i1)) a2) (= (loc_inv_2 (array_loc a2 i1)) i1)) :pattern ((array_loc a2 i1)) )))) (assert (forall ((a2 array)) (! (>= (alen a2) 0) :pattern ((alen a2)) ))) ; /field_value_functions_axioms.smt2 [oa: array] (assert (forall ((vs $FVF) (ws $FVF)) (! (=> (and (Set_equal ($FVF.domain_oa vs) ($FVF.domain_oa ws)) (forall ((x $Ref)) (! (=> (Set_in x ($FVF.domain_oa vs)) (= ($FVF.lookup_oa vs x) ($FVF.lookup_oa ws x))) :pattern (($FVF.lookup_oa vs x) ($FVF.lookup_oa ws x)) :qid |qp.$FVF-eq-inner| ))) (= vs ws)) :pattern (($SortWrappers.$FVFTo$Snap vs) ($SortWrappers.$FVFTo$Snap ws) ) :qid |qp.$FVF-eq-outer| ))) (assert (forall ((r $Ref) (pm $FPM)) (! ($Perm.isValidVar ($FVF.perm_oa pm r)) :pattern (($FVF.perm_oa pm r))))) (assert (forall ((r $Ref) (f array)) (! (= ($FVF.loc_oa f r) true) :pattern (($FVF.loc_oa f r))))) ; End preamble ; ------------------------------------------------------------ ; State saturation: after preamble (set-option :timeout 100) (check-sat) ; unknown ; ------------------------------------------------------------ ; Begin function- and predicate-related preamble ; Declaring symbols related to program functions (from verification) (declare-fun $k@17@00 () $Perm) (declare-fun inv@18@00 ($Snap array Int $Ref) Int) (assert (forall ((s@$ $Snap) (G@0@00 Seq>) (V@1@00 Int)) (! (= (SquareIntMatrix%limited s@$ G@0@00 V@1@00) (SquareIntMatrix s@$ G@0@00 V@1@00)) :pattern ((SquareIntMatrix s@$ G@0@00 V@1@00)) ))) (assert (forall ((s@$ $Snap) (G@0@00 Seq>) (V@1@00 Int)) (! (SquareIntMatrix%stateless G@0@00 V@1@00) :pattern ((SquareIntMatrix%limited s@$ G@0@00 V@1@00)) ))) (assert (forall ((s@$ $Snap) (G@0@00 Seq>) (V@1@00 Int)) (! (= (SquareIntMatrix s@$ G@0@00 V@1@00) (= (Seq_length G@0@00) V@1@00)) :pattern ((SquareIntMatrix s@$ G@0@00 V@1@00)) ))) (assert (forall ((s@$ $Snap) (a2@3@00 array) (i1@4@00 Int)) (! (= (aloc%limited s@$ a2@3@00 i1@4@00) (aloc s@$ a2@3@00 i1@4@00)) :pattern ((aloc s@$ a2@3@00 i1@4@00)) ))) (assert (forall ((s@$ $Snap) (a2@3@00 array) (i1@4@00 Int)) (! (aloc%stateless a2@3@00 i1@4@00) :pattern ((aloc%limited s@$ a2@3@00 i1@4@00)) ))) (assert (forall ((s@$ $Snap) (a2@3@00 array) (i1@4@00 Int)) (! (let ((result@5@00 (aloc%limited s@$ a2@3@00 i1@4@00))) (=> (and (<= 0 i1@4@00) (< i1@4@00 (alen a2@3@00))) (and (= (loc_inv_1 result@5@00) a2@3@00) (= (loc_inv_2 result@5@00) i1@4@00)))) :pattern ((aloc%limited s@$ a2@3@00 i1@4@00)) ))) (assert (forall ((s@$ $Snap) (a2@3@00 array) (i1@4@00 Int)) (! (=> (and (<= 0 i1@4@00) (< i1@4@00 (alen a2@3@00))) (= (aloc s@$ a2@3@00 i1@4@00) (array_loc a2@3@00 i1@4@00))) :pattern ((aloc s@$ a2@3@00 i1@4@00)) ))) (assert (forall ((s@$ $Snap) (G@6@00 Seq>) (V@7@00 Int)) (! (= (NonNegativeCapacities%limited s@$ G@6@00 V@7@00) (NonNegativeCapacities s@$ G@6@00 V@7@00)) :pattern ((NonNegativeCapacities s@$ G@6@00 V@7@00)) ))) (assert (forall ((s@$ $Snap) (G@6@00 Seq>) (V@7@00 Int)) (! (NonNegativeCapacities%stateless G@6@00 V@7@00) :pattern ((NonNegativeCapacities%limited s@$ G@6@00 V@7@00)) ))) (assert (forall ((s@$ $Snap) (a2@9@00 array) (V@10@00 Int)) (! (Seq_equal (matrixValues%limited s@$ a2@9@00 V@10@00) (matrixValues s@$ a2@9@00 V@10@00)) :pattern ((matrixValues s@$ a2@9@00 V@10@00)) ))) (assert (forall ((s@$ $Snap) (a2@9@00 array) (V@10@00 Int)) (! (matrixValues%stateless a2@9@00 V@10@00) :pattern ((matrixValues%limited s@$ a2@9@00 V@10@00)) ))) (assert (forall ((s@$ $Snap) (a2@9@00 array) (V@10@00 Int)) (! (let ((result@11@00 (matrixValues%limited s@$ a2@9@00 V@10@00))) (and (forall ((i1@16@00 Int)) (! (=> (and (and (< i1@16@00 V@10@00) (<= 0 i1@16@00)) (< $Perm.No $k@17@00)) (= (inv@18@00 s@$ a2@9@00 V@10@00 (aloc ($Snap.combine $Snap.unit $Snap.unit) a2@9@00 i1@16@00)) i1@16@00)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) a2@9@00 i1@16@00)) )) (forall ((r $Ref)) (! (=> (and (and (< (inv@18@00 s@$ a2@9@00 V@10@00 r) V@10@00) (<= 0 (inv@18@00 s@$ a2@9@00 V@10@00 r))) (< $Perm.No $k@17@00)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) a2@9@00 (inv@18@00 s@$ a2@9@00 V@10@00 r)) r)) :pattern ((inv@18@00 s@$ a2@9@00 V@10@00 r)) :qid |oa-fctOfInv|)) ($Perm.isReadVar $k@17@00) (=> (= (alen a2@9@00) V@10@00) (SquareIntMatrix $Snap.unit result@11@00 V@10@00)))) :pattern ((matrixValues%limited s@$ a2@9@00 V@10@00)) ))) (assert (forall ((s@$ $Snap) (G@12@00 Seq>) (V@13@00 Int)) (! (= (SumIncomingFlow%limited s@$ G@12@00 V@13@00) (SumIncomingFlow s@$ G@12@00 V@13@00)) :pattern ((SumIncomingFlow s@$ G@12@00 V@13@00)) ))) (assert (forall ((s@$ $Snap) (G@12@00 Seq>) (V@13@00 Int)) (! (SumIncomingFlow%stateless G@12@00 V@13@00) :pattern ((SumIncomingFlow%limited s@$ G@12@00 V@13@00)) ))) ; End function- and predicate-related preamble ; ------------------------------------------------------------ ; ---------- maxFlow ---------- (declare-const tid@0@01 Int) (declare-const G@1@01 array) (declare-const V@2@01 Int) (declare-const exc@3@01 $Ref) (declare-const res@4@01 Int) (declare-const tid@5@01 Int) (declare-const G@6@01 array) (declare-const V@7@01 Int) (declare-const exc@8@01 $Ref) (declare-const res@9@01 Int) (push) ; 1 (declare-const $t@10@01 $Snap) (assert (= $t@10@01 ($Snap.combine ($Snap.first $t@10@01) ($Snap.second $t@10@01)))) (assert (= ($Snap.first $t@10@01) $Snap.unit)) ; [eval] alen(G) == V ; [eval] alen(G) (assert (= (alen G@6@01) V@7@01)) (assert (= ($Snap.second $t@10@01) ($Snap.combine ($Snap.first ($Snap.second $t@10@01)) ($Snap.second ($Snap.second $t@10@01))))) (declare-const i1@11@01 Int) (push) ; 2 ; [eval] 0 <= i1 && i1 < V ; [eval] 0 <= i1 (push) ; 3 ; [then-branch: 0 | 0 <= i1@11@01 | live] ; [else-branch: 0 | !(0 <= i1@11@01) | live] (push) ; 4 ; [then-branch: 0 | 0 <= i1@11@01] (assert (<= 0 i1@11@01)) ; [eval] i1 < V (pop) ; 4 (push) ; 4 ; [else-branch: 0 | !(0 <= i1@11@01)] (assert (not (<= 0 i1@11@01))) (pop) ; 4 (pop) ; 3 ; Joined path conditions ; Joined path conditions (assert (and (< i1@11@01 V@7@01) (<= 0 i1@11@01))) ; [eval] aloc(G, i1) (push) ; 3 ; [eval] 0 <= i1 ; [eval] i1 < alen(a2) ; [eval] alen(a2) (set-option :timeout 0) (push) ; 4 (assert (not (< i1@11@01 (alen G@6@01)))) (check-sat) ; unsat (pop) ; 4 ; 0.00s ; (get-info :all-statistics) (assert (< i1@11@01 (alen G@6@01))) (pop) ; 3 ; Joined path conditions (assert (< i1@11@01 (alen G@6@01))) (declare-const $k@12@01 $Perm) (assert ($Perm.isReadVar $k@12@01)) (pop) ; 2 (declare-fun inv@13@01 ($Ref) Int) ; Nested auxiliary terms: globals (assert ($Perm.isReadVar $k@12@01)) ; Nested auxiliary terms: non-globals (assert (forall ((i1@11@01 Int)) (! (< i1@11@01 (alen G@6@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@11@01)) :qid |oa-aux|))) (push) ; 2 (assert (not (forall ((i1@11@01 Int)) (=> (and (< i1@11@01 V@7@01) (<= 0 i1@11@01)) (or (= $k@12@01 $Perm.No) (< $Perm.No $k@12@01)))))) (check-sat) ; unsat (pop) ; 2 ; 0.00s ; (get-info :all-statistics) ; Check receiver injectivity (push) ; 2 (assert (not (forall ((i11@11@01 Int) (i12@11@01 Int)) (! (=> (and (and (and (< i11@11@01 V@7@01) (<= 0 i11@11@01)) (< $Perm.No $k@12@01)) (and (and (< i12@11@01 V@7@01) (<= 0 i12@11@01)) (< $Perm.No $k@12@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@11@01) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@11@01))) (= i11@11@01 i12@11@01)) :qid |oa-rcvrInj|)))) (check-sat) ; unsat (pop) ; 2 ; 0.00s ; (get-info :all-statistics) ; Definitional axioms for inverse functions (assert (forall ((i1@11@01 Int)) (! (=> (and (and (< i1@11@01 V@7@01) (<= 0 i1@11@01)) (< $Perm.No $k@12@01)) (= (inv@13@01 (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@11@01)) i1@11@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@11@01)) ))) (assert (forall ((r $Ref)) (! (=> (and (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 (inv@13@01 r)) r)) :pattern ((inv@13@01 r)) :qid |oa-fctOfInv|))) ; Permissions are non-negative (assert (forall ((i1@11@01 Int)) (! (<= $Perm.No $k@12@01) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@11@01)) :qid |oa-permAtLeastZero|))) ; Field permissions are at most one (assert (forall ((i1@11@01 Int)) (! (<= $k@12@01 $Perm.Write) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@11@01)) :qid |oa-permAtMostOne|))) ; Permission implies non-null receiver (assert (forall ((i1@11@01 Int)) (! (=> (and (and (< i1@11@01 V@7@01) (<= 0 i1@11@01)) (< $Perm.No $k@12@01)) (not (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@11@01) $Ref.null))) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@11@01)) :qid |oa-permImpliesNonNull|))) (declare-const sm@14@01 $FVF) ; Definitional axioms for snapshot map values (assert (forall ((r $Ref)) (! (=> (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false) (= ($FVF.lookup_oa (as sm@14@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@14@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef0|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@14@01 $FVF) r)) :qid |qp.fvfResTrgDef1|))) (assert (forall ((r $Ref)) (! (=> (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) ($FVF.loc_oa ($FVF.lookup_oa (as sm@14@01 $FVF) r) r)) :pattern ((inv@13@01 r)) ))) (assert (= ($Snap.second ($Snap.second $t@10@01)) ($Snap.combine ($Snap.first ($Snap.second ($Snap.second $t@10@01))) ($Snap.second ($Snap.second ($Snap.second $t@10@01)))))) (assert (= ($Snap.first ($Snap.second ($Snap.second $t@10@01))) $Snap.unit)) ; [eval] NonNegativeCapacities(matrixValues(G, V), V) ; [eval] matrixValues(G, V) (push) ; 2 ; [eval] alen(a2) == V ; [eval] alen(a2) (declare-const i1@15@01 Int) (push) ; 3 ; [eval] 0 <= i1 && i1 < V ; [eval] 0 <= i1 (push) ; 4 ; [then-branch: 1 | 0 <= i1@15@01 | live] ; [else-branch: 1 | !(0 <= i1@15@01) | live] (push) ; 5 ; [then-branch: 1 | 0 <= i1@15@01] (assert (<= 0 i1@15@01)) ; [eval] i1 < V (pop) ; 5 (push) ; 5 ; [else-branch: 1 | !(0 <= i1@15@01)] (assert (not (<= 0 i1@15@01))) (pop) ; 5 (pop) ; 4 ; Joined path conditions ; Joined path conditions (assert (and (< i1@15@01 V@7@01) (<= 0 i1@15@01))) (declare-const $k@16@01 $Perm) (assert ($Perm.isReadVar $k@16@01)) ; [eval] aloc(a2, i1) (push) ; 4 ; [eval] 0 <= i1 ; [eval] i1 < alen(a2) ; [eval] alen(a2) (push) ; 5 (assert (not (< i1@15@01 (alen G@6@01)))) (check-sat) ; unsat (pop) ; 5 ; 0.00s ; (get-info :all-statistics) (assert (< i1@15@01 (alen G@6@01))) (pop) ; 4 ; Joined path conditions (assert (< i1@15@01 (alen G@6@01))) (pop) ; 3 (declare-fun inv@17@01 ($Ref) Int) ; Nested auxiliary terms: globals (assert ($Perm.isReadVar $k@16@01)) ; Nested auxiliary terms: non-globals (assert (forall ((i1@15@01 Int)) (! (< i1@15@01 (alen G@6@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@15@01)) :qid |oa-aux|))) (push) ; 3 (assert (not (forall ((i1@15@01 Int)) (=> (and (< i1@15@01 V@7@01) (<= 0 i1@15@01)) (or (= $k@16@01 $Perm.No) (< $Perm.No $k@16@01)))))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) ; Definitional axioms for snapshot map domain ; Definitional axioms for snapshot map values ; Check receiver injectivity (push) ; 3 (assert (not (forall ((i11@15@01 Int) (i12@15@01 Int)) (! (=> (and (and (and (and (< i11@15@01 V@7@01) (<= 0 i11@15@01)) ($FVF.loc_oa ($FVF.lookup_oa (as sm@14@01 $FVF) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@15@01)) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@15@01))) (< $Perm.No $k@16@01)) (and (and (and (< i12@15@01 V@7@01) (<= 0 i12@15@01)) ($FVF.loc_oa ($FVF.lookup_oa (as sm@14@01 $FVF) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@15@01)) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@15@01))) (< $Perm.No $k@16@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@15@01) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@15@01))) (= i11@15@01 i12@15@01)) :qid |oa-rcvrInj|)))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) ; Definitional axioms for inverse functions (assert (forall ((i1@15@01 Int)) (! (=> (and (and (< i1@15@01 V@7@01) (<= 0 i1@15@01)) (< $Perm.No $k@16@01)) (= (inv@17@01 (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@15@01)) i1@15@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@15@01)) :qid |oa-invOfFct|))) (assert (forall ((r $Ref)) (! (=> (and (and (< (inv@17@01 r) V@7@01) (<= 0 (inv@17@01 r))) (< $Perm.No $k@16@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 (inv@17@01 r)) r)) :pattern ((inv@17@01 r)) :qid |oa-fctOfInv|))) (assert (forall ((r $Ref)) (! (=> (and (< (inv@17@01 r) V@7@01) (<= 0 (inv@17@01 r))) ($FVF.loc_oa ($FVF.lookup_oa (as sm@14@01 $FVF) r) r)) :pattern ((inv@17@01 r)) ))) ; Precomputing data for removing quantified permissions (define-fun pTaken@18@01 ((r $Ref)) $Perm (ite (and (< (inv@17@01 r) V@7@01) (<= 0 (inv@17@01 r))) ($Perm.min (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $k@16@01) $Perm.No)) ; Done precomputing, updating quantified chunks ; State saturation: before repetition (set-option :timeout 10) (check-sat) ; unknown ; Constrain original permissions $k@16@01 (assert (forall ((r $Ref)) (! (=> (not (= (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $Perm.No)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< (ite (and (< (inv@17@01 r) V@7@01) (<= 0 (inv@17@01 r))) $k@16@01 $Perm.No) $k@12@01) (< (ite (and (< (inv@17@01 r) V@7@01) (<= 0 (inv@17@01 r))) $k@16@01 $Perm.No) $Perm.No))) :pattern ((inv@13@01 r)) :pattern ((inv@17@01 r)) :qid |qp.srp2|))) ; Intermediate check if already taken enough permissions (set-option :timeout 500) (push) ; 3 (assert (not (forall ((r $Ref)) (=> (and (< (inv@17@01 r) V@7@01) (<= 0 (inv@17@01 r))) (= (- $k@16@01 (pTaken@18@01 r)) $Perm.No))))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) ; Final check if taken enough permissions ; Done removing quantified permissions (declare-const sm@19@01 $FVF) ; Definitional axioms for snapshot map domain (assert (forall ((r $Ref)) (! (and (=> (Set_in r ($FVF.domain_oa (as sm@19@01 $FVF))) (and (and (< (inv@17@01 r) V@7@01) (<= 0 (inv@17@01 r))) (< $Perm.No $k@16@01))) (=> (and (and (< (inv@17@01 r) V@7@01) (<= 0 (inv@17@01 r))) (< $Perm.No $k@16@01)) (Set_in r ($FVF.domain_oa (as sm@19@01 $FVF))))) :pattern ((Set_in r ($FVF.domain_oa (as sm@19@01 $FVF)))) :qid |qp.fvfDomDef5|))) ; Definitional axioms for snapshot map values (assert (forall ((r $Ref)) (! (=> (and (and (and (< (inv@17@01 r) V@7@01) (<= 0 (inv@17@01 r))) (< $Perm.No $k@16@01)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false)) (= ($FVF.lookup_oa (as sm@19@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@19@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef3|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@19@01 $FVF) r)) :qid |qp.fvfResTrgDef4|))) (pop) ; 2 ; Joined path conditions (assert ($Perm.isReadVar $k@16@01)) (assert (forall ((i1@15@01 Int)) (! (=> (and (and (< i1@15@01 V@7@01) (<= 0 i1@15@01)) (< $Perm.No $k@16@01)) (= (inv@17@01 (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@15@01)) i1@15@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@15@01)) :qid |oa-invOfFct|))) (assert (forall ((r $Ref)) (! (=> (and (and (< (inv@17@01 r) V@7@01) (<= 0 (inv@17@01 r))) (< $Perm.No $k@16@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 (inv@17@01 r)) r)) :pattern ((inv@17@01 r)) :qid |oa-fctOfInv|))) (assert (forall ((r $Ref)) (! (and (=> (Set_in r ($FVF.domain_oa (as sm@19@01 $FVF))) (and (and (< (inv@17@01 r) V@7@01) (<= 0 (inv@17@01 r))) (< $Perm.No $k@16@01))) (=> (and (and (< (inv@17@01 r) V@7@01) (<= 0 (inv@17@01 r))) (< $Perm.No $k@16@01)) (Set_in r ($FVF.domain_oa (as sm@19@01 $FVF))))) :pattern ((Set_in r ($FVF.domain_oa (as sm@19@01 $FVF)))) :qid |qp.fvfDomDef5|))) (assert (forall ((r $Ref)) (! (=> (and (and (and (< (inv@17@01 r) V@7@01) (<= 0 (inv@17@01 r))) (< $Perm.No $k@16@01)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false)) (= ($FVF.lookup_oa (as sm@19@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@19@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef3|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@19@01 $FVF) r)) :qid |qp.fvfResTrgDef4|))) (assert (and (forall ((i1@15@01 Int)) (! (< i1@15@01 (alen G@6@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@15@01)) :qid |oa-aux|)) (forall ((r $Ref)) (! (=> (and (< (inv@17@01 r) V@7@01) (<= 0 (inv@17@01 r))) ($FVF.loc_oa ($FVF.lookup_oa (as sm@14@01 $FVF) r) r)) :pattern ((inv@17@01 r)) )) (forall ((r $Ref)) (! (=> (not (= (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $Perm.No)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< (ite (and (< (inv@17@01 r) V@7@01) (<= 0 (inv@17@01 r))) $k@16@01 $Perm.No) $k@12@01) (< (ite (and (< (inv@17@01 r) V@7@01) (<= 0 (inv@17@01 r))) $k@16@01 $Perm.No) $Perm.No))) :pattern ((inv@13@01 r)) :pattern ((inv@17@01 r)) :qid |qp.srp2|)))) (push) ; 2 ; [eval] SquareIntMatrix(G, V) (push) ; 3 (pop) ; 3 ; Joined path conditions (set-option :timeout 0) (push) ; 3 (assert (not (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@19@01 $FVF))) G@6@01 V@7@01) V@7@01))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) (assert (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@19@01 $FVF))) G@6@01 V@7@01) V@7@01)) (pop) ; 2 ; Joined path conditions (assert (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@19@01 $FVF))) G@6@01 V@7@01) V@7@01)) (assert (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@19@01 $FVF))) G@6@01 V@7@01) V@7@01)) (assert (= ($Snap.second ($Snap.second ($Snap.second $t@10@01))) ($Snap.combine ($Snap.first ($Snap.second ($Snap.second ($Snap.second $t@10@01)))) ($Snap.second ($Snap.second ($Snap.second ($Snap.second $t@10@01))))))) (assert (= ($Snap.first ($Snap.second ($Snap.second ($Snap.second $t@10@01)))) $Snap.unit)) ; [eval] SumIncomingFlow(matrixValues(G, V), V) <= SumIncomingFlow(matrixValues(G, V), V) ; [eval] SumIncomingFlow(matrixValues(G, V), V) ; [eval] matrixValues(G, V) (push) ; 2 ; [eval] alen(a2) == V ; [eval] alen(a2) (declare-const i1@20@01 Int) (push) ; 3 ; [eval] 0 <= i1 && i1 < V ; [eval] 0 <= i1 (push) ; 4 ; [then-branch: 2 | 0 <= i1@20@01 | live] ; [else-branch: 2 | !(0 <= i1@20@01) | live] (push) ; 5 ; [then-branch: 2 | 0 <= i1@20@01] (assert (<= 0 i1@20@01)) ; [eval] i1 < V (pop) ; 5 (push) ; 5 ; [else-branch: 2 | !(0 <= i1@20@01)] (assert (not (<= 0 i1@20@01))) (pop) ; 5 (pop) ; 4 ; Joined path conditions ; Joined path conditions (assert (and (< i1@20@01 V@7@01) (<= 0 i1@20@01))) (declare-const $k@21@01 $Perm) (assert ($Perm.isReadVar $k@21@01)) ; [eval] aloc(a2, i1) (push) ; 4 ; [eval] 0 <= i1 ; [eval] i1 < alen(a2) ; [eval] alen(a2) (push) ; 5 (assert (not (< i1@20@01 (alen G@6@01)))) (check-sat) ; unsat (pop) ; 5 ; 0.00s ; (get-info :all-statistics) (assert (< i1@20@01 (alen G@6@01))) (pop) ; 4 ; Joined path conditions (assert (< i1@20@01 (alen G@6@01))) (pop) ; 3 (declare-fun inv@22@01 ($Ref) Int) ; Nested auxiliary terms: globals (assert ($Perm.isReadVar $k@21@01)) ; Nested auxiliary terms: non-globals (assert (forall ((i1@20@01 Int)) (! (< i1@20@01 (alen G@6@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@20@01)) :qid |oa-aux|))) (push) ; 3 (assert (not (forall ((i1@20@01 Int)) (=> (and (< i1@20@01 V@7@01) (<= 0 i1@20@01)) (or (= $k@21@01 $Perm.No) (< $Perm.No $k@21@01)))))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) (declare-const sm@23@01 $FVF) ; Definitional axioms for snapshot map domain ; Definitional axioms for snapshot map values (assert (forall ((r $Ref)) (! (=> (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false) (= ($FVF.lookup_oa (as sm@23@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@23@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef6|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@23@01 $FVF) r)) :qid |qp.fvfResTrgDef7|))) ; Check receiver injectivity (push) ; 3 (assert (not (forall ((i11@20@01 Int) (i12@20@01 Int)) (! (=> (and (and (and (and (< i11@20@01 V@7@01) (<= 0 i11@20@01)) ($FVF.loc_oa ($FVF.lookup_oa (as sm@23@01 $FVF) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@20@01)) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@20@01))) (< $Perm.No $k@21@01)) (and (and (and (< i12@20@01 V@7@01) (<= 0 i12@20@01)) ($FVF.loc_oa ($FVF.lookup_oa (as sm@23@01 $FVF) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@20@01)) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@20@01))) (< $Perm.No $k@21@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@20@01) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@20@01))) (= i11@20@01 i12@20@01)) :qid |oa-rcvrInj|)))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) ; Definitional axioms for inverse functions (assert (forall ((i1@20@01 Int)) (! (=> (and (and (< i1@20@01 V@7@01) (<= 0 i1@20@01)) (< $Perm.No $k@21@01)) (= (inv@22@01 (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@20@01)) i1@20@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@20@01)) :qid |oa-invOfFct|))) (assert (forall ((r $Ref)) (! (=> (and (and (< (inv@22@01 r) V@7@01) (<= 0 (inv@22@01 r))) (< $Perm.No $k@21@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 (inv@22@01 r)) r)) :pattern ((inv@22@01 r)) :qid |oa-fctOfInv|))) (assert (forall ((r $Ref)) (! (=> (and (< (inv@22@01 r) V@7@01) (<= 0 (inv@22@01 r))) ($FVF.loc_oa ($FVF.lookup_oa (as sm@23@01 $FVF) r) r)) :pattern ((inv@22@01 r)) ))) ; Precomputing data for removing quantified permissions (define-fun pTaken@24@01 ((r $Ref)) $Perm (ite (and (< (inv@22@01 r) V@7@01) (<= 0 (inv@22@01 r))) ($Perm.min (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $k@21@01) $Perm.No)) ; Done precomputing, updating quantified chunks ; State saturation: before repetition (set-option :timeout 10) (check-sat) ; unknown ; Constrain original permissions $k@21@01 (assert (forall ((r $Ref)) (! (=> (not (= (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $Perm.No)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< (ite (and (< (inv@22@01 r) V@7@01) (<= 0 (inv@22@01 r))) $k@21@01 $Perm.No) $k@12@01) (< (ite (and (< (inv@22@01 r) V@7@01) (<= 0 (inv@22@01 r))) $k@21@01 $Perm.No) $Perm.No))) :pattern ((inv@13@01 r)) :pattern ((inv@22@01 r)) :qid |qp.srp8|))) ; Intermediate check if already taken enough permissions (set-option :timeout 500) (push) ; 3 (assert (not (forall ((r $Ref)) (=> (and (< (inv@22@01 r) V@7@01) (<= 0 (inv@22@01 r))) (= (- $k@21@01 (pTaken@24@01 r)) $Perm.No))))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) ; Final check if taken enough permissions ; Done removing quantified permissions (declare-const sm@25@01 $FVF) ; Definitional axioms for snapshot map domain (assert (forall ((r $Ref)) (! (and (=> (Set_in r ($FVF.domain_oa (as sm@25@01 $FVF))) (and (and (< (inv@22@01 r) V@7@01) (<= 0 (inv@22@01 r))) (< $Perm.No $k@21@01))) (=> (and (and (< (inv@22@01 r) V@7@01) (<= 0 (inv@22@01 r))) (< $Perm.No $k@21@01)) (Set_in r ($FVF.domain_oa (as sm@25@01 $FVF))))) :pattern ((Set_in r ($FVF.domain_oa (as sm@25@01 $FVF)))) :qid |qp.fvfDomDef11|))) ; Definitional axioms for snapshot map values (assert (forall ((r $Ref)) (! (=> (and (and (and (< (inv@22@01 r) V@7@01) (<= 0 (inv@22@01 r))) (< $Perm.No $k@21@01)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false)) (= ($FVF.lookup_oa (as sm@25@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@25@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef9|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@25@01 $FVF) r)) :qid |qp.fvfResTrgDef10|))) (pop) ; 2 ; Joined path conditions (assert ($Perm.isReadVar $k@21@01)) (assert (forall ((r $Ref)) (! (=> (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false) (= ($FVF.lookup_oa (as sm@23@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@23@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef6|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@23@01 $FVF) r)) :qid |qp.fvfResTrgDef7|))) (assert (forall ((i1@20@01 Int)) (! (=> (and (and (< i1@20@01 V@7@01) (<= 0 i1@20@01)) (< $Perm.No $k@21@01)) (= (inv@22@01 (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@20@01)) i1@20@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@20@01)) :qid |oa-invOfFct|))) (assert (forall ((r $Ref)) (! (=> (and (and (< (inv@22@01 r) V@7@01) (<= 0 (inv@22@01 r))) (< $Perm.No $k@21@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 (inv@22@01 r)) r)) :pattern ((inv@22@01 r)) :qid |oa-fctOfInv|))) (assert (forall ((r $Ref)) (! (and (=> (Set_in r ($FVF.domain_oa (as sm@25@01 $FVF))) (and (and (< (inv@22@01 r) V@7@01) (<= 0 (inv@22@01 r))) (< $Perm.No $k@21@01))) (=> (and (and (< (inv@22@01 r) V@7@01) (<= 0 (inv@22@01 r))) (< $Perm.No $k@21@01)) (Set_in r ($FVF.domain_oa (as sm@25@01 $FVF))))) :pattern ((Set_in r ($FVF.domain_oa (as sm@25@01 $FVF)))) :qid |qp.fvfDomDef11|))) (assert (forall ((r $Ref)) (! (=> (and (and (and (< (inv@22@01 r) V@7@01) (<= 0 (inv@22@01 r))) (< $Perm.No $k@21@01)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false)) (= ($FVF.lookup_oa (as sm@25@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@25@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef9|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@25@01 $FVF) r)) :qid |qp.fvfResTrgDef10|))) (assert (and (forall ((i1@20@01 Int)) (! (< i1@20@01 (alen G@6@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@20@01)) :qid |oa-aux|)) (forall ((r $Ref)) (! (=> (and (< (inv@22@01 r) V@7@01) (<= 0 (inv@22@01 r))) ($FVF.loc_oa ($FVF.lookup_oa (as sm@23@01 $FVF) r) r)) :pattern ((inv@22@01 r)) )) (forall ((r $Ref)) (! (=> (not (= (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $Perm.No)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< (ite (and (< (inv@22@01 r) V@7@01) (<= 0 (inv@22@01 r))) $k@21@01 $Perm.No) $k@12@01) (< (ite (and (< (inv@22@01 r) V@7@01) (<= 0 (inv@22@01 r))) $k@21@01 $Perm.No) $Perm.No))) :pattern ((inv@13@01 r)) :pattern ((inv@22@01 r)) :qid |qp.srp8|)))) (push) ; 2 ; [eval] SquareIntMatrix(G, V) (push) ; 3 (pop) ; 3 ; Joined path conditions (set-option :timeout 0) (push) ; 3 (assert (not (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@25@01 $FVF))) G@6@01 V@7@01) V@7@01))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) (assert (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@25@01 $FVF))) G@6@01 V@7@01) V@7@01)) ; [eval] NonNegativeCapacities(G, V) (push) ; 3 ; [eval] SquareIntMatrix(G, V) (push) ; 4 (pop) ; 4 ; Joined path conditions (pop) ; 3 ; Joined path conditions (push) ; 3 (assert (not (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@25@01 $FVF))) G@6@01 V@7@01) V@7@01))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) (assert (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@25@01 $FVF))) G@6@01 V@7@01) V@7@01)) (pop) ; 2 ; Joined path conditions (assert (and (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@25@01 $FVF))) G@6@01 V@7@01) V@7@01) (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@25@01 $FVF))) G@6@01 V@7@01) V@7@01))) ; [eval] SumIncomingFlow(matrixValues(G, V), V) ; [eval] matrixValues(G, V) (push) ; 2 ; [eval] alen(a2) == V ; [eval] alen(a2) (declare-const i1@26@01 Int) (push) ; 3 ; [eval] 0 <= i1 && i1 < V ; [eval] 0 <= i1 (push) ; 4 ; [then-branch: 3 | 0 <= i1@26@01 | live] ; [else-branch: 3 | !(0 <= i1@26@01) | live] (push) ; 5 ; [then-branch: 3 | 0 <= i1@26@01] (assert (<= 0 i1@26@01)) ; [eval] i1 < V (pop) ; 5 (push) ; 5 ; [else-branch: 3 | !(0 <= i1@26@01)] (assert (not (<= 0 i1@26@01))) (pop) ; 5 (pop) ; 4 ; Joined path conditions ; Joined path conditions (assert (and (< i1@26@01 V@7@01) (<= 0 i1@26@01))) (declare-const $k@27@01 $Perm) (assert ($Perm.isReadVar $k@27@01)) ; [eval] aloc(a2, i1) (push) ; 4 ; [eval] 0 <= i1 ; [eval] i1 < alen(a2) ; [eval] alen(a2) (push) ; 5 (assert (not (< i1@26@01 (alen G@6@01)))) (check-sat) ; unsat (pop) ; 5 ; 0.00s ; (get-info :all-statistics) (assert (< i1@26@01 (alen G@6@01))) (pop) ; 4 ; Joined path conditions (assert (< i1@26@01 (alen G@6@01))) (pop) ; 3 (declare-fun inv@28@01 ($Ref) Int) ; Nested auxiliary terms: globals (assert ($Perm.isReadVar $k@27@01)) ; Nested auxiliary terms: non-globals (assert (forall ((i1@26@01 Int)) (! (< i1@26@01 (alen G@6@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@26@01)) :qid |oa-aux|))) (push) ; 3 (assert (not (forall ((i1@26@01 Int)) (=> (and (< i1@26@01 V@7@01) (<= 0 i1@26@01)) (or (= $k@27@01 $Perm.No) (< $Perm.No $k@27@01)))))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) (declare-const sm@29@01 $FVF) ; Definitional axioms for snapshot map domain ; Definitional axioms for snapshot map values (assert (forall ((r $Ref)) (! (=> (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false) (= ($FVF.lookup_oa (as sm@29@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@29@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef12|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@29@01 $FVF) r)) :qid |qp.fvfResTrgDef13|))) ; Check receiver injectivity (push) ; 3 (assert (not (forall ((i11@26@01 Int) (i12@26@01 Int)) (! (=> (and (and (and (and (< i11@26@01 V@7@01) (<= 0 i11@26@01)) ($FVF.loc_oa ($FVF.lookup_oa (as sm@29@01 $FVF) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@26@01)) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@26@01))) (< $Perm.No $k@27@01)) (and (and (and (< i12@26@01 V@7@01) (<= 0 i12@26@01)) ($FVF.loc_oa ($FVF.lookup_oa (as sm@29@01 $FVF) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@26@01)) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@26@01))) (< $Perm.No $k@27@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@26@01) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@26@01))) (= i11@26@01 i12@26@01)) :qid |oa-rcvrInj|)))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) ; Definitional axioms for inverse functions (assert (forall ((i1@26@01 Int)) (! (=> (and (and (< i1@26@01 V@7@01) (<= 0 i1@26@01)) (< $Perm.No $k@27@01)) (= (inv@28@01 (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@26@01)) i1@26@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@26@01)) :qid |oa-invOfFct|))) (assert (forall ((r $Ref)) (! (=> (and (and (< (inv@28@01 r) V@7@01) (<= 0 (inv@28@01 r))) (< $Perm.No $k@27@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 (inv@28@01 r)) r)) :pattern ((inv@28@01 r)) :qid |oa-fctOfInv|))) (assert (forall ((r $Ref)) (! (=> (and (< (inv@28@01 r) V@7@01) (<= 0 (inv@28@01 r))) ($FVF.loc_oa ($FVF.lookup_oa (as sm@29@01 $FVF) r) r)) :pattern ((inv@28@01 r)) ))) ; Precomputing data for removing quantified permissions (define-fun pTaken@30@01 ((r $Ref)) $Perm (ite (and (< (inv@28@01 r) V@7@01) (<= 0 (inv@28@01 r))) ($Perm.min (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $k@27@01) $Perm.No)) ; Done precomputing, updating quantified chunks ; State saturation: before repetition (set-option :timeout 10) (check-sat) ; unknown ; Constrain original permissions $k@27@01 (assert (forall ((r $Ref)) (! (=> (not (= (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $Perm.No)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< (ite (and (< (inv@28@01 r) V@7@01) (<= 0 (inv@28@01 r))) $k@27@01 $Perm.No) $k@12@01) (< (ite (and (< (inv@28@01 r) V@7@01) (<= 0 (inv@28@01 r))) $k@27@01 $Perm.No) $Perm.No))) :pattern ((inv@13@01 r)) :pattern ((inv@28@01 r)) :qid |qp.srp14|))) ; Intermediate check if already taken enough permissions (set-option :timeout 500) (push) ; 3 (assert (not (forall ((r $Ref)) (=> (and (< (inv@28@01 r) V@7@01) (<= 0 (inv@28@01 r))) (= (- $k@27@01 (pTaken@30@01 r)) $Perm.No))))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) ; Final check if taken enough permissions ; Done removing quantified permissions (declare-const sm@31@01 $FVF) ; Definitional axioms for snapshot map domain (assert (forall ((r $Ref)) (! (and (=> (Set_in r ($FVF.domain_oa (as sm@31@01 $FVF))) (and (and (< (inv@28@01 r) V@7@01) (<= 0 (inv@28@01 r))) (< $Perm.No $k@27@01))) (=> (and (and (< (inv@28@01 r) V@7@01) (<= 0 (inv@28@01 r))) (< $Perm.No $k@27@01)) (Set_in r ($FVF.domain_oa (as sm@31@01 $FVF))))) :pattern ((Set_in r ($FVF.domain_oa (as sm@31@01 $FVF)))) :qid |qp.fvfDomDef17|))) ; Definitional axioms for snapshot map values (assert (forall ((r $Ref)) (! (=> (and (and (and (< (inv@28@01 r) V@7@01) (<= 0 (inv@28@01 r))) (< $Perm.No $k@27@01)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false)) (= ($FVF.lookup_oa (as sm@31@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@31@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef15|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@31@01 $FVF) r)) :qid |qp.fvfResTrgDef16|))) (pop) ; 2 ; Joined path conditions (assert ($Perm.isReadVar $k@27@01)) (assert (forall ((r $Ref)) (! (=> (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false) (= ($FVF.lookup_oa (as sm@29@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@29@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef12|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@29@01 $FVF) r)) :qid |qp.fvfResTrgDef13|))) (assert (forall ((i1@26@01 Int)) (! (=> (and (and (< i1@26@01 V@7@01) (<= 0 i1@26@01)) (< $Perm.No $k@27@01)) (= (inv@28@01 (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@26@01)) i1@26@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@26@01)) :qid |oa-invOfFct|))) (assert (forall ((r $Ref)) (! (=> (and (and (< (inv@28@01 r) V@7@01) (<= 0 (inv@28@01 r))) (< $Perm.No $k@27@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 (inv@28@01 r)) r)) :pattern ((inv@28@01 r)) :qid |oa-fctOfInv|))) (assert (forall ((r $Ref)) (! (and (=> (Set_in r ($FVF.domain_oa (as sm@31@01 $FVF))) (and (and (< (inv@28@01 r) V@7@01) (<= 0 (inv@28@01 r))) (< $Perm.No $k@27@01))) (=> (and (and (< (inv@28@01 r) V@7@01) (<= 0 (inv@28@01 r))) (< $Perm.No $k@27@01)) (Set_in r ($FVF.domain_oa (as sm@31@01 $FVF))))) :pattern ((Set_in r ($FVF.domain_oa (as sm@31@01 $FVF)))) :qid |qp.fvfDomDef17|))) (assert (forall ((r $Ref)) (! (=> (and (and (and (< (inv@28@01 r) V@7@01) (<= 0 (inv@28@01 r))) (< $Perm.No $k@27@01)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false)) (= ($FVF.lookup_oa (as sm@31@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@31@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef15|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@31@01 $FVF) r)) :qid |qp.fvfResTrgDef16|))) (assert (and (forall ((i1@26@01 Int)) (! (< i1@26@01 (alen G@6@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@26@01)) :qid |oa-aux|)) (forall ((r $Ref)) (! (=> (and (< (inv@28@01 r) V@7@01) (<= 0 (inv@28@01 r))) ($FVF.loc_oa ($FVF.lookup_oa (as sm@29@01 $FVF) r) r)) :pattern ((inv@28@01 r)) )) (forall ((r $Ref)) (! (=> (not (= (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $Perm.No)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< (ite (and (< (inv@28@01 r) V@7@01) (<= 0 (inv@28@01 r))) $k@27@01 $Perm.No) $k@12@01) (< (ite (and (< (inv@28@01 r) V@7@01) (<= 0 (inv@28@01 r))) $k@27@01 $Perm.No) $Perm.No))) :pattern ((inv@13@01 r)) :pattern ((inv@28@01 r)) :qid |qp.srp14|)))) (push) ; 2 ; [eval] SquareIntMatrix(G, V) (push) ; 3 (pop) ; 3 ; Joined path conditions (set-option :timeout 0) (push) ; 3 (assert (not (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@31@01 $FVF))) G@6@01 V@7@01) V@7@01))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) (assert (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@31@01 $FVF))) G@6@01 V@7@01) V@7@01)) ; [eval] NonNegativeCapacities(G, V) (push) ; 3 ; [eval] SquareIntMatrix(G, V) (push) ; 4 (pop) ; 4 ; Joined path conditions (pop) ; 3 ; Joined path conditions (push) ; 3 (assert (not (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@31@01 $FVF))) G@6@01 V@7@01) V@7@01))) (check-sat) ; unsat (pop) ; 3 ; 0.01s ; (get-info :all-statistics) (assert (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@31@01 $FVF))) G@6@01 V@7@01) V@7@01)) (pop) ; 2 ; Joined path conditions (assert (and (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@31@01 $FVF))) G@6@01 V@7@01) V@7@01) (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@31@01 $FVF))) G@6@01 V@7@01) V@7@01))) (assert (<= (SumIncomingFlow ($Snap.combine $Snap.unit $Snap.unit) (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@25@01 $FVF))) G@6@01 V@7@01) V@7@01) (SumIncomingFlow ($Snap.combine $Snap.unit $Snap.unit) (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@31@01 $FVF))) G@6@01 V@7@01) V@7@01))) (assert (= ($Snap.second ($Snap.second ($Snap.second ($Snap.second $t@10@01)))) ($Snap.combine ($Snap.first ($Snap.second ($Snap.second ($Snap.second ($Snap.second $t@10@01))))) ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second $t@10@01)))))))) (assert (= ($Snap.first ($Snap.second ($Snap.second ($Snap.second ($Snap.second $t@10@01))))) $Snap.unit)) ; [eval] SumIncomingFlow(matrixValues(G, V), V) <= SumIncomingFlow(matrixValues(G, V), V) ; [eval] SumIncomingFlow(matrixValues(G, V), V) ; [eval] matrixValues(G, V) (push) ; 2 ; [eval] alen(a2) == V ; [eval] alen(a2) (declare-const i1@32@01 Int) (push) ; 3 ; [eval] 0 <= i1 && i1 < V ; [eval] 0 <= i1 (push) ; 4 ; [then-branch: 4 | 0 <= i1@32@01 | live] ; [else-branch: 4 | !(0 <= i1@32@01) | live] (push) ; 5 ; [then-branch: 4 | 0 <= i1@32@01] (assert (<= 0 i1@32@01)) ; [eval] i1 < V (pop) ; 5 (push) ; 5 ; [else-branch: 4 | !(0 <= i1@32@01)] (assert (not (<= 0 i1@32@01))) (pop) ; 5 (pop) ; 4 ; Joined path conditions ; Joined path conditions (assert (and (< i1@32@01 V@7@01) (<= 0 i1@32@01))) (declare-const $k@33@01 $Perm) (assert ($Perm.isReadVar $k@33@01)) ; [eval] aloc(a2, i1) (push) ; 4 ; [eval] 0 <= i1 ; [eval] i1 < alen(a2) ; [eval] alen(a2) (push) ; 5 (assert (not (< i1@32@01 (alen G@6@01)))) (check-sat) ; unsat (pop) ; 5 ; 0.00s ; (get-info :all-statistics) (assert (< i1@32@01 (alen G@6@01))) (pop) ; 4 ; Joined path conditions (assert (< i1@32@01 (alen G@6@01))) (pop) ; 3 (declare-fun inv@34@01 ($Ref) Int) ; Nested auxiliary terms: globals (assert ($Perm.isReadVar $k@33@01)) ; Nested auxiliary terms: non-globals (assert (forall ((i1@32@01 Int)) (! (< i1@32@01 (alen G@6@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@32@01)) :qid |oa-aux|))) (push) ; 3 (assert (not (forall ((i1@32@01 Int)) (=> (and (< i1@32@01 V@7@01) (<= 0 i1@32@01)) (or (= $k@33@01 $Perm.No) (< $Perm.No $k@33@01)))))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) (declare-const sm@35@01 $FVF) ; Definitional axioms for snapshot map domain ; Definitional axioms for snapshot map values (assert (forall ((r $Ref)) (! (=> (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false) (= ($FVF.lookup_oa (as sm@35@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@35@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef18|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@35@01 $FVF) r)) :qid |qp.fvfResTrgDef19|))) ; Check receiver injectivity (push) ; 3 (assert (not (forall ((i11@32@01 Int) (i12@32@01 Int)) (! (=> (and (and (and (and (< i11@32@01 V@7@01) (<= 0 i11@32@01)) ($FVF.loc_oa ($FVF.lookup_oa (as sm@35@01 $FVF) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@32@01)) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@32@01))) (< $Perm.No $k@33@01)) (and (and (and (< i12@32@01 V@7@01) (<= 0 i12@32@01)) ($FVF.loc_oa ($FVF.lookup_oa (as sm@35@01 $FVF) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@32@01)) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@32@01))) (< $Perm.No $k@33@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@32@01) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@32@01))) (= i11@32@01 i12@32@01)) :qid |oa-rcvrInj|)))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) ; Definitional axioms for inverse functions (assert (forall ((i1@32@01 Int)) (! (=> (and (and (< i1@32@01 V@7@01) (<= 0 i1@32@01)) (< $Perm.No $k@33@01)) (= (inv@34@01 (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@32@01)) i1@32@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@32@01)) :qid |oa-invOfFct|))) (assert (forall ((r $Ref)) (! (=> (and (and (< (inv@34@01 r) V@7@01) (<= 0 (inv@34@01 r))) (< $Perm.No $k@33@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 (inv@34@01 r)) r)) :pattern ((inv@34@01 r)) :qid |oa-fctOfInv|))) (assert (forall ((r $Ref)) (! (=> (and (< (inv@34@01 r) V@7@01) (<= 0 (inv@34@01 r))) ($FVF.loc_oa ($FVF.lookup_oa (as sm@35@01 $FVF) r) r)) :pattern ((inv@34@01 r)) ))) ; Precomputing data for removing quantified permissions (define-fun pTaken@36@01 ((r $Ref)) $Perm (ite (and (< (inv@34@01 r) V@7@01) (<= 0 (inv@34@01 r))) ($Perm.min (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $k@33@01) $Perm.No)) ; Done precomputing, updating quantified chunks ; State saturation: before repetition (set-option :timeout 10) (check-sat) ; unknown ; Constrain original permissions $k@33@01 (assert (forall ((r $Ref)) (! (=> (not (= (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $Perm.No)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< (ite (and (< (inv@34@01 r) V@7@01) (<= 0 (inv@34@01 r))) $k@33@01 $Perm.No) $k@12@01) (< (ite (and (< (inv@34@01 r) V@7@01) (<= 0 (inv@34@01 r))) $k@33@01 $Perm.No) $Perm.No))) :pattern ((inv@13@01 r)) :pattern ((inv@34@01 r)) :qid |qp.srp20|))) ; Intermediate check if already taken enough permissions (set-option :timeout 500) (push) ; 3 (assert (not (forall ((r $Ref)) (=> (and (< (inv@34@01 r) V@7@01) (<= 0 (inv@34@01 r))) (= (- $k@33@01 (pTaken@36@01 r)) $Perm.No))))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) ; Final check if taken enough permissions ; Done removing quantified permissions (declare-const sm@37@01 $FVF) ; Definitional axioms for snapshot map domain (assert (forall ((r $Ref)) (! (and (=> (Set_in r ($FVF.domain_oa (as sm@37@01 $FVF))) (and (and (< (inv@34@01 r) V@7@01) (<= 0 (inv@34@01 r))) (< $Perm.No $k@33@01))) (=> (and (and (< (inv@34@01 r) V@7@01) (<= 0 (inv@34@01 r))) (< $Perm.No $k@33@01)) (Set_in r ($FVF.domain_oa (as sm@37@01 $FVF))))) :pattern ((Set_in r ($FVF.domain_oa (as sm@37@01 $FVF)))) :qid |qp.fvfDomDef23|))) ; Definitional axioms for snapshot map values (assert (forall ((r $Ref)) (! (=> (and (and (and (< (inv@34@01 r) V@7@01) (<= 0 (inv@34@01 r))) (< $Perm.No $k@33@01)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false)) (= ($FVF.lookup_oa (as sm@37@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@37@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef21|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@37@01 $FVF) r)) :qid |qp.fvfResTrgDef22|))) (pop) ; 2 ; Joined path conditions (assert ($Perm.isReadVar $k@33@01)) (assert (forall ((r $Ref)) (! (=> (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false) (= ($FVF.lookup_oa (as sm@35@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@35@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef18|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@35@01 $FVF) r)) :qid |qp.fvfResTrgDef19|))) (assert (forall ((i1@32@01 Int)) (! (=> (and (and (< i1@32@01 V@7@01) (<= 0 i1@32@01)) (< $Perm.No $k@33@01)) (= (inv@34@01 (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@32@01)) i1@32@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@32@01)) :qid |oa-invOfFct|))) (assert (forall ((r $Ref)) (! (=> (and (and (< (inv@34@01 r) V@7@01) (<= 0 (inv@34@01 r))) (< $Perm.No $k@33@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 (inv@34@01 r)) r)) :pattern ((inv@34@01 r)) :qid |oa-fctOfInv|))) (assert (forall ((r $Ref)) (! (and (=> (Set_in r ($FVF.domain_oa (as sm@37@01 $FVF))) (and (and (< (inv@34@01 r) V@7@01) (<= 0 (inv@34@01 r))) (< $Perm.No $k@33@01))) (=> (and (and (< (inv@34@01 r) V@7@01) (<= 0 (inv@34@01 r))) (< $Perm.No $k@33@01)) (Set_in r ($FVF.domain_oa (as sm@37@01 $FVF))))) :pattern ((Set_in r ($FVF.domain_oa (as sm@37@01 $FVF)))) :qid |qp.fvfDomDef23|))) (assert (forall ((r $Ref)) (! (=> (and (and (and (< (inv@34@01 r) V@7@01) (<= 0 (inv@34@01 r))) (< $Perm.No $k@33@01)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false)) (= ($FVF.lookup_oa (as sm@37@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@37@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef21|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@37@01 $FVF) r)) :qid |qp.fvfResTrgDef22|))) (assert (and (forall ((i1@32@01 Int)) (! (< i1@32@01 (alen G@6@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@32@01)) :qid |oa-aux|)) (forall ((r $Ref)) (! (=> (and (< (inv@34@01 r) V@7@01) (<= 0 (inv@34@01 r))) ($FVF.loc_oa ($FVF.lookup_oa (as sm@35@01 $FVF) r) r)) :pattern ((inv@34@01 r)) )) (forall ((r $Ref)) (! (=> (not (= (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $Perm.No)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< (ite (and (< (inv@34@01 r) V@7@01) (<= 0 (inv@34@01 r))) $k@33@01 $Perm.No) $k@12@01) (< (ite (and (< (inv@34@01 r) V@7@01) (<= 0 (inv@34@01 r))) $k@33@01 $Perm.No) $Perm.No))) :pattern ((inv@13@01 r)) :pattern ((inv@34@01 r)) :qid |qp.srp20|)))) (push) ; 2 ; [eval] SquareIntMatrix(G, V) (push) ; 3 (pop) ; 3 ; Joined path conditions (set-option :timeout 0) (push) ; 3 (assert (not (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@37@01 $FVF))) G@6@01 V@7@01) V@7@01))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) (assert (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@37@01 $FVF))) G@6@01 V@7@01) V@7@01)) ; [eval] NonNegativeCapacities(G, V) (push) ; 3 ; [eval] SquareIntMatrix(G, V) (push) ; 4 (pop) ; 4 ; Joined path conditions (pop) ; 3 ; Joined path conditions (push) ; 3 (assert (not (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@37@01 $FVF))) G@6@01 V@7@01) V@7@01))) (check-sat) ; unsat (pop) ; 3 ; 0.01s ; (get-info :all-statistics) (assert (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@37@01 $FVF))) G@6@01 V@7@01) V@7@01)) (pop) ; 2 ; Joined path conditions (assert (and (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@37@01 $FVF))) G@6@01 V@7@01) V@7@01) (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@37@01 $FVF))) G@6@01 V@7@01) V@7@01))) ; [eval] SumIncomingFlow(matrixValues(G, V), V) ; [eval] matrixValues(G, V) (push) ; 2 ; [eval] alen(a2) == V ; [eval] alen(a2) (declare-const i1@38@01 Int) (push) ; 3 ; [eval] 0 <= i1 && i1 < V ; [eval] 0 <= i1 (push) ; 4 ; [then-branch: 5 | 0 <= i1@38@01 | live] ; [else-branch: 5 | !(0 <= i1@38@01) | live] (push) ; 5 ; [then-branch: 5 | 0 <= i1@38@01] (assert (<= 0 i1@38@01)) ; [eval] i1 < V (pop) ; 5 (push) ; 5 ; [else-branch: 5 | !(0 <= i1@38@01)] (assert (not (<= 0 i1@38@01))) (pop) ; 5 (pop) ; 4 ; Joined path conditions ; Joined path conditions (assert (and (< i1@38@01 V@7@01) (<= 0 i1@38@01))) (declare-const $k@39@01 $Perm) (assert ($Perm.isReadVar $k@39@01)) ; [eval] aloc(a2, i1) (push) ; 4 ; [eval] 0 <= i1 ; [eval] i1 < alen(a2) ; [eval] alen(a2) (push) ; 5 (assert (not (< i1@38@01 (alen G@6@01)))) (check-sat) ; unsat (pop) ; 5 ; 0.00s ; (get-info :all-statistics) (assert (< i1@38@01 (alen G@6@01))) (pop) ; 4 ; Joined path conditions (assert (< i1@38@01 (alen G@6@01))) (pop) ; 3 (declare-fun inv@40@01 ($Ref) Int) ; Nested auxiliary terms: globals (assert ($Perm.isReadVar $k@39@01)) ; Nested auxiliary terms: non-globals (assert (forall ((i1@38@01 Int)) (! (< i1@38@01 (alen G@6@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@38@01)) :qid |oa-aux|))) (push) ; 3 (assert (not (forall ((i1@38@01 Int)) (=> (and (< i1@38@01 V@7@01) (<= 0 i1@38@01)) (or (= $k@39@01 $Perm.No) (< $Perm.No $k@39@01)))))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) (declare-const sm@41@01 $FVF) ; Definitional axioms for snapshot map domain ; Definitional axioms for snapshot map values (assert (forall ((r $Ref)) (! (=> (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false) (= ($FVF.lookup_oa (as sm@41@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@41@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef24|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@41@01 $FVF) r)) :qid |qp.fvfResTrgDef25|))) ; Check receiver injectivity (push) ; 3 (assert (not (forall ((i11@38@01 Int) (i12@38@01 Int)) (! (=> (and (and (and (and (< i11@38@01 V@7@01) (<= 0 i11@38@01)) ($FVF.loc_oa ($FVF.lookup_oa (as sm@41@01 $FVF) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@38@01)) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@38@01))) (< $Perm.No $k@39@01)) (and (and (and (< i12@38@01 V@7@01) (<= 0 i12@38@01)) ($FVF.loc_oa ($FVF.lookup_oa (as sm@41@01 $FVF) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@38@01)) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@38@01))) (< $Perm.No $k@39@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@38@01) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@38@01))) (= i11@38@01 i12@38@01)) :qid |oa-rcvrInj|)))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) ; Definitional axioms for inverse functions (assert (forall ((i1@38@01 Int)) (! (=> (and (and (< i1@38@01 V@7@01) (<= 0 i1@38@01)) (< $Perm.No $k@39@01)) (= (inv@40@01 (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@38@01)) i1@38@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@38@01)) :qid |oa-invOfFct|))) (assert (forall ((r $Ref)) (! (=> (and (and (< (inv@40@01 r) V@7@01) (<= 0 (inv@40@01 r))) (< $Perm.No $k@39@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 (inv@40@01 r)) r)) :pattern ((inv@40@01 r)) :qid |oa-fctOfInv|))) (assert (forall ((r $Ref)) (! (=> (and (< (inv@40@01 r) V@7@01) (<= 0 (inv@40@01 r))) ($FVF.loc_oa ($FVF.lookup_oa (as sm@41@01 $FVF) r) r)) :pattern ((inv@40@01 r)) ))) ; Precomputing data for removing quantified permissions (define-fun pTaken@42@01 ((r $Ref)) $Perm (ite (and (< (inv@40@01 r) V@7@01) (<= 0 (inv@40@01 r))) ($Perm.min (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $k@39@01) $Perm.No)) ; Done precomputing, updating quantified chunks ; State saturation: before repetition (set-option :timeout 10) (check-sat) ; unknown ; Constrain original permissions $k@39@01 (assert (forall ((r $Ref)) (! (=> (not (= (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $Perm.No)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< (ite (and (< (inv@40@01 r) V@7@01) (<= 0 (inv@40@01 r))) $k@39@01 $Perm.No) $k@12@01) (< (ite (and (< (inv@40@01 r) V@7@01) (<= 0 (inv@40@01 r))) $k@39@01 $Perm.No) $Perm.No))) :pattern ((inv@13@01 r)) :pattern ((inv@40@01 r)) :qid |qp.srp26|))) ; Intermediate check if already taken enough permissions (set-option :timeout 500) (push) ; 3 (assert (not (forall ((r $Ref)) (=> (and (< (inv@40@01 r) V@7@01) (<= 0 (inv@40@01 r))) (= (- $k@39@01 (pTaken@42@01 r)) $Perm.No))))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) ; Final check if taken enough permissions ; Done removing quantified permissions (declare-const sm@43@01 $FVF) ; Definitional axioms for snapshot map domain (assert (forall ((r $Ref)) (! (and (=> (Set_in r ($FVF.domain_oa (as sm@43@01 $FVF))) (and (and (< (inv@40@01 r) V@7@01) (<= 0 (inv@40@01 r))) (< $Perm.No $k@39@01))) (=> (and (and (< (inv@40@01 r) V@7@01) (<= 0 (inv@40@01 r))) (< $Perm.No $k@39@01)) (Set_in r ($FVF.domain_oa (as sm@43@01 $FVF))))) :pattern ((Set_in r ($FVF.domain_oa (as sm@43@01 $FVF)))) :qid |qp.fvfDomDef29|))) ; Definitional axioms for snapshot map values (assert (forall ((r $Ref)) (! (=> (and (and (and (< (inv@40@01 r) V@7@01) (<= 0 (inv@40@01 r))) (< $Perm.No $k@39@01)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false)) (= ($FVF.lookup_oa (as sm@43@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@43@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef27|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@43@01 $FVF) r)) :qid |qp.fvfResTrgDef28|))) (pop) ; 2 ; Joined path conditions (assert ($Perm.isReadVar $k@39@01)) (assert (forall ((r $Ref)) (! (=> (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false) (= ($FVF.lookup_oa (as sm@41@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@41@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef24|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@41@01 $FVF) r)) :qid |qp.fvfResTrgDef25|))) (assert (forall ((i1@38@01 Int)) (! (=> (and (and (< i1@38@01 V@7@01) (<= 0 i1@38@01)) (< $Perm.No $k@39@01)) (= (inv@40@01 (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@38@01)) i1@38@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@38@01)) :qid |oa-invOfFct|))) (assert (forall ((r $Ref)) (! (=> (and (and (< (inv@40@01 r) V@7@01) (<= 0 (inv@40@01 r))) (< $Perm.No $k@39@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 (inv@40@01 r)) r)) :pattern ((inv@40@01 r)) :qid |oa-fctOfInv|))) (assert (forall ((r $Ref)) (! (and (=> (Set_in r ($FVF.domain_oa (as sm@43@01 $FVF))) (and (and (< (inv@40@01 r) V@7@01) (<= 0 (inv@40@01 r))) (< $Perm.No $k@39@01))) (=> (and (and (< (inv@40@01 r) V@7@01) (<= 0 (inv@40@01 r))) (< $Perm.No $k@39@01)) (Set_in r ($FVF.domain_oa (as sm@43@01 $FVF))))) :pattern ((Set_in r ($FVF.domain_oa (as sm@43@01 $FVF)))) :qid |qp.fvfDomDef29|))) (assert (forall ((r $Ref)) (! (=> (and (and (and (< (inv@40@01 r) V@7@01) (<= 0 (inv@40@01 r))) (< $Perm.No $k@39@01)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false)) (= ($FVF.lookup_oa (as sm@43@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@43@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef27|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@43@01 $FVF) r)) :qid |qp.fvfResTrgDef28|))) (assert (and (forall ((i1@38@01 Int)) (! (< i1@38@01 (alen G@6@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@38@01)) :qid |oa-aux|)) (forall ((r $Ref)) (! (=> (and (< (inv@40@01 r) V@7@01) (<= 0 (inv@40@01 r))) ($FVF.loc_oa ($FVF.lookup_oa (as sm@41@01 $FVF) r) r)) :pattern ((inv@40@01 r)) )) (forall ((r $Ref)) (! (=> (not (= (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $Perm.No)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< (ite (and (< (inv@40@01 r) V@7@01) (<= 0 (inv@40@01 r))) $k@39@01 $Perm.No) $k@12@01) (< (ite (and (< (inv@40@01 r) V@7@01) (<= 0 (inv@40@01 r))) $k@39@01 $Perm.No) $Perm.No))) :pattern ((inv@13@01 r)) :pattern ((inv@40@01 r)) :qid |qp.srp26|)))) (push) ; 2 ; [eval] SquareIntMatrix(G, V) (push) ; 3 (pop) ; 3 ; Joined path conditions (set-option :timeout 0) (push) ; 3 (assert (not (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@43@01 $FVF))) G@6@01 V@7@01) V@7@01))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) (assert (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@43@01 $FVF))) G@6@01 V@7@01) V@7@01)) ; [eval] NonNegativeCapacities(G, V) (push) ; 3 ; [eval] SquareIntMatrix(G, V) (push) ; 4 (pop) ; 4 ; Joined path conditions (pop) ; 3 ; Joined path conditions (push) ; 3 (assert (not (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@43@01 $FVF))) G@6@01 V@7@01) V@7@01))) (check-sat) ; unsat (pop) ; 3 ; 0.02s ; (get-info :all-statistics) (assert (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@43@01 $FVF))) G@6@01 V@7@01) V@7@01)) (pop) ; 2 ; Joined path conditions (assert (and (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@43@01 $FVF))) G@6@01 V@7@01) V@7@01) (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@43@01 $FVF))) G@6@01 V@7@01) V@7@01))) (assert (<= (SumIncomingFlow ($Snap.combine $Snap.unit $Snap.unit) (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@37@01 $FVF))) G@6@01 V@7@01) V@7@01) (SumIncomingFlow ($Snap.combine $Snap.unit $Snap.unit) (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@43@01 $FVF))) G@6@01 V@7@01) V@7@01))) (assert (= ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second $t@10@01))))) ($Snap.combine ($Snap.first ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second $t@10@01)))))) ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second $t@10@01))))))))) (assert (= ($Snap.first ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second $t@10@01)))))) $Snap.unit)) ; [eval] SumIncomingFlow(matrixValues(G, V), V) <= SumIncomingFlow(matrixValues(G, V), V) ; [eval] SumIncomingFlow(matrixValues(G, V), V) ; [eval] matrixValues(G, V) (push) ; 2 ; [eval] alen(a2) == V ; [eval] alen(a2) (declare-const i1@44@01 Int) (push) ; 3 ; [eval] 0 <= i1 && i1 < V ; [eval] 0 <= i1 (push) ; 4 ; [then-branch: 6 | 0 <= i1@44@01 | live] ; [else-branch: 6 | !(0 <= i1@44@01) | live] (push) ; 5 ; [then-branch: 6 | 0 <= i1@44@01] (assert (<= 0 i1@44@01)) ; [eval] i1 < V (pop) ; 5 (push) ; 5 ; [else-branch: 6 | !(0 <= i1@44@01)] (assert (not (<= 0 i1@44@01))) (pop) ; 5 (pop) ; 4 ; Joined path conditions ; Joined path conditions (assert (and (< i1@44@01 V@7@01) (<= 0 i1@44@01))) (declare-const $k@45@01 $Perm) (assert ($Perm.isReadVar $k@45@01)) ; [eval] aloc(a2, i1) (push) ; 4 ; [eval] 0 <= i1 ; [eval] i1 < alen(a2) ; [eval] alen(a2) (push) ; 5 (assert (not (< i1@44@01 (alen G@6@01)))) (check-sat) ; unsat (pop) ; 5 ; 0.00s ; (get-info :all-statistics) (assert (< i1@44@01 (alen G@6@01))) (pop) ; 4 ; Joined path conditions (assert (< i1@44@01 (alen G@6@01))) (pop) ; 3 (declare-fun inv@46@01 ($Ref) Int) ; Nested auxiliary terms: globals (assert ($Perm.isReadVar $k@45@01)) ; Nested auxiliary terms: non-globals (assert (forall ((i1@44@01 Int)) (! (< i1@44@01 (alen G@6@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@44@01)) :qid |oa-aux|))) (push) ; 3 (assert (not (forall ((i1@44@01 Int)) (=> (and (< i1@44@01 V@7@01) (<= 0 i1@44@01)) (or (= $k@45@01 $Perm.No) (< $Perm.No $k@45@01)))))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) (declare-const sm@47@01 $FVF) ; Definitional axioms for snapshot map domain ; Definitional axioms for snapshot map values (assert (forall ((r $Ref)) (! (=> (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false) (= ($FVF.lookup_oa (as sm@47@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@47@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef30|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@47@01 $FVF) r)) :qid |qp.fvfResTrgDef31|))) ; Check receiver injectivity (push) ; 3 (assert (not (forall ((i11@44@01 Int) (i12@44@01 Int)) (! (=> (and (and (and (and (< i11@44@01 V@7@01) (<= 0 i11@44@01)) ($FVF.loc_oa ($FVF.lookup_oa (as sm@47@01 $FVF) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@44@01)) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@44@01))) (< $Perm.No $k@45@01)) (and (and (and (< i12@44@01 V@7@01) (<= 0 i12@44@01)) ($FVF.loc_oa ($FVF.lookup_oa (as sm@47@01 $FVF) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@44@01)) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@44@01))) (< $Perm.No $k@45@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@44@01) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@44@01))) (= i11@44@01 i12@44@01)) :qid |oa-rcvrInj|)))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) ; Definitional axioms for inverse functions (assert (forall ((i1@44@01 Int)) (! (=> (and (and (< i1@44@01 V@7@01) (<= 0 i1@44@01)) (< $Perm.No $k@45@01)) (= (inv@46@01 (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@44@01)) i1@44@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@44@01)) :qid |oa-invOfFct|))) (assert (forall ((r $Ref)) (! (=> (and (and (< (inv@46@01 r) V@7@01) (<= 0 (inv@46@01 r))) (< $Perm.No $k@45@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 (inv@46@01 r)) r)) :pattern ((inv@46@01 r)) :qid |oa-fctOfInv|))) (assert (forall ((r $Ref)) (! (=> (and (< (inv@46@01 r) V@7@01) (<= 0 (inv@46@01 r))) ($FVF.loc_oa ($FVF.lookup_oa (as sm@47@01 $FVF) r) r)) :pattern ((inv@46@01 r)) ))) ; Precomputing data for removing quantified permissions (define-fun pTaken@48@01 ((r $Ref)) $Perm (ite (and (< (inv@46@01 r) V@7@01) (<= 0 (inv@46@01 r))) ($Perm.min (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $k@45@01) $Perm.No)) ; Done precomputing, updating quantified chunks ; State saturation: before repetition (set-option :timeout 10) (check-sat) ; unknown ; Constrain original permissions $k@45@01 (assert (forall ((r $Ref)) (! (=> (not (= (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $Perm.No)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< (ite (and (< (inv@46@01 r) V@7@01) (<= 0 (inv@46@01 r))) $k@45@01 $Perm.No) $k@12@01) (< (ite (and (< (inv@46@01 r) V@7@01) (<= 0 (inv@46@01 r))) $k@45@01 $Perm.No) $Perm.No))) :pattern ((inv@13@01 r)) :pattern ((inv@46@01 r)) :qid |qp.srp32|))) ; Intermediate check if already taken enough permissions (set-option :timeout 500) (push) ; 3 (assert (not (forall ((r $Ref)) (=> (and (< (inv@46@01 r) V@7@01) (<= 0 (inv@46@01 r))) (= (- $k@45@01 (pTaken@48@01 r)) $Perm.No))))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) ; Final check if taken enough permissions ; Done removing quantified permissions (declare-const sm@49@01 $FVF) ; Definitional axioms for snapshot map domain (assert (forall ((r $Ref)) (! (and (=> (Set_in r ($FVF.domain_oa (as sm@49@01 $FVF))) (and (and (< (inv@46@01 r) V@7@01) (<= 0 (inv@46@01 r))) (< $Perm.No $k@45@01))) (=> (and (and (< (inv@46@01 r) V@7@01) (<= 0 (inv@46@01 r))) (< $Perm.No $k@45@01)) (Set_in r ($FVF.domain_oa (as sm@49@01 $FVF))))) :pattern ((Set_in r ($FVF.domain_oa (as sm@49@01 $FVF)))) :qid |qp.fvfDomDef35|))) ; Definitional axioms for snapshot map values (assert (forall ((r $Ref)) (! (=> (and (and (and (< (inv@46@01 r) V@7@01) (<= 0 (inv@46@01 r))) (< $Perm.No $k@45@01)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false)) (= ($FVF.lookup_oa (as sm@49@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@49@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef33|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@49@01 $FVF) r)) :qid |qp.fvfResTrgDef34|))) (pop) ; 2 ; Joined path conditions (assert ($Perm.isReadVar $k@45@01)) (assert (forall ((r $Ref)) (! (=> (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false) (= ($FVF.lookup_oa (as sm@47@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@47@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef30|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@47@01 $FVF) r)) :qid |qp.fvfResTrgDef31|))) (assert (forall ((i1@44@01 Int)) (! (=> (and (and (< i1@44@01 V@7@01) (<= 0 i1@44@01)) (< $Perm.No $k@45@01)) (= (inv@46@01 (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@44@01)) i1@44@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@44@01)) :qid |oa-invOfFct|))) (assert (forall ((r $Ref)) (! (=> (and (and (< (inv@46@01 r) V@7@01) (<= 0 (inv@46@01 r))) (< $Perm.No $k@45@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 (inv@46@01 r)) r)) :pattern ((inv@46@01 r)) :qid |oa-fctOfInv|))) (assert (forall ((r $Ref)) (! (and (=> (Set_in r ($FVF.domain_oa (as sm@49@01 $FVF))) (and (and (< (inv@46@01 r) V@7@01) (<= 0 (inv@46@01 r))) (< $Perm.No $k@45@01))) (=> (and (and (< (inv@46@01 r) V@7@01) (<= 0 (inv@46@01 r))) (< $Perm.No $k@45@01)) (Set_in r ($FVF.domain_oa (as sm@49@01 $FVF))))) :pattern ((Set_in r ($FVF.domain_oa (as sm@49@01 $FVF)))) :qid |qp.fvfDomDef35|))) (assert (forall ((r $Ref)) (! (=> (and (and (and (< (inv@46@01 r) V@7@01) (<= 0 (inv@46@01 r))) (< $Perm.No $k@45@01)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false)) (= ($FVF.lookup_oa (as sm@49@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@49@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef33|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@49@01 $FVF) r)) :qid |qp.fvfResTrgDef34|))) (assert (and (forall ((i1@44@01 Int)) (! (< i1@44@01 (alen G@6@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@44@01)) :qid |oa-aux|)) (forall ((r $Ref)) (! (=> (and (< (inv@46@01 r) V@7@01) (<= 0 (inv@46@01 r))) ($FVF.loc_oa ($FVF.lookup_oa (as sm@47@01 $FVF) r) r)) :pattern ((inv@46@01 r)) )) (forall ((r $Ref)) (! (=> (not (= (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $Perm.No)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< (ite (and (< (inv@46@01 r) V@7@01) (<= 0 (inv@46@01 r))) $k@45@01 $Perm.No) $k@12@01) (< (ite (and (< (inv@46@01 r) V@7@01) (<= 0 (inv@46@01 r))) $k@45@01 $Perm.No) $Perm.No))) :pattern ((inv@13@01 r)) :pattern ((inv@46@01 r)) :qid |qp.srp32|)))) (push) ; 2 ; [eval] SquareIntMatrix(G, V) (push) ; 3 (pop) ; 3 ; Joined path conditions (set-option :timeout 0) (push) ; 3 (assert (not (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@49@01 $FVF))) G@6@01 V@7@01) V@7@01))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) (assert (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@49@01 $FVF))) G@6@01 V@7@01) V@7@01)) ; [eval] NonNegativeCapacities(G, V) (push) ; 3 ; [eval] SquareIntMatrix(G, V) (push) ; 4 (pop) ; 4 ; Joined path conditions (pop) ; 3 ; Joined path conditions (push) ; 3 (assert (not (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@49@01 $FVF))) G@6@01 V@7@01) V@7@01))) (check-sat) ; unsat (pop) ; 3 ; 0.03s ; (get-info :all-statistics) (assert (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@49@01 $FVF))) G@6@01 V@7@01) V@7@01)) (pop) ; 2 ; Joined path conditions (assert (and (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@49@01 $FVF))) G@6@01 V@7@01) V@7@01) (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@49@01 $FVF))) G@6@01 V@7@01) V@7@01))) ; [eval] SumIncomingFlow(matrixValues(G, V), V) ; [eval] matrixValues(G, V) (push) ; 2 ; [eval] alen(a2) == V ; [eval] alen(a2) (declare-const i1@50@01 Int) (push) ; 3 ; [eval] 0 <= i1 && i1 < V ; [eval] 0 <= i1 (push) ; 4 ; [then-branch: 7 | 0 <= i1@50@01 | live] ; [else-branch: 7 | !(0 <= i1@50@01) | live] (push) ; 5 ; [then-branch: 7 | 0 <= i1@50@01] (assert (<= 0 i1@50@01)) ; [eval] i1 < V (pop) ; 5 (push) ; 5 ; [else-branch: 7 | !(0 <= i1@50@01)] (assert (not (<= 0 i1@50@01))) (pop) ; 5 (pop) ; 4 ; Joined path conditions ; Joined path conditions (assert (and (< i1@50@01 V@7@01) (<= 0 i1@50@01))) (declare-const $k@51@01 $Perm) (assert ($Perm.isReadVar $k@51@01)) ; [eval] aloc(a2, i1) (push) ; 4 ; [eval] 0 <= i1 ; [eval] i1 < alen(a2) ; [eval] alen(a2) (push) ; 5 (assert (not (< i1@50@01 (alen G@6@01)))) (check-sat) ; unsat (pop) ; 5 ; 0.00s ; (get-info :all-statistics) (assert (< i1@50@01 (alen G@6@01))) (pop) ; 4 ; Joined path conditions (assert (< i1@50@01 (alen G@6@01))) (pop) ; 3 (declare-fun inv@52@01 ($Ref) Int) ; Nested auxiliary terms: globals (assert ($Perm.isReadVar $k@51@01)) ; Nested auxiliary terms: non-globals (assert (forall ((i1@50@01 Int)) (! (< i1@50@01 (alen G@6@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@50@01)) :qid |oa-aux|))) (push) ; 3 (assert (not (forall ((i1@50@01 Int)) (=> (and (< i1@50@01 V@7@01) (<= 0 i1@50@01)) (or (= $k@51@01 $Perm.No) (< $Perm.No $k@51@01)))))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) (declare-const sm@53@01 $FVF) ; Definitional axioms for snapshot map domain ; Definitional axioms for snapshot map values (assert (forall ((r $Ref)) (! (=> (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false) (= ($FVF.lookup_oa (as sm@53@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@53@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef36|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@53@01 $FVF) r)) :qid |qp.fvfResTrgDef37|))) ; Check receiver injectivity (push) ; 3 (assert (not (forall ((i11@50@01 Int) (i12@50@01 Int)) (! (=> (and (and (and (and (< i11@50@01 V@7@01) (<= 0 i11@50@01)) ($FVF.loc_oa ($FVF.lookup_oa (as sm@53@01 $FVF) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@50@01)) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@50@01))) (< $Perm.No $k@51@01)) (and (and (and (< i12@50@01 V@7@01) (<= 0 i12@50@01)) ($FVF.loc_oa ($FVF.lookup_oa (as sm@53@01 $FVF) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@50@01)) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@50@01))) (< $Perm.No $k@51@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@50@01) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@50@01))) (= i11@50@01 i12@50@01)) :qid |oa-rcvrInj|)))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) ; Definitional axioms for inverse functions (assert (forall ((i1@50@01 Int)) (! (=> (and (and (< i1@50@01 V@7@01) (<= 0 i1@50@01)) (< $Perm.No $k@51@01)) (= (inv@52@01 (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@50@01)) i1@50@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@50@01)) :qid |oa-invOfFct|))) (assert (forall ((r $Ref)) (! (=> (and (and (< (inv@52@01 r) V@7@01) (<= 0 (inv@52@01 r))) (< $Perm.No $k@51@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 (inv@52@01 r)) r)) :pattern ((inv@52@01 r)) :qid |oa-fctOfInv|))) (assert (forall ((r $Ref)) (! (=> (and (< (inv@52@01 r) V@7@01) (<= 0 (inv@52@01 r))) ($FVF.loc_oa ($FVF.lookup_oa (as sm@53@01 $FVF) r) r)) :pattern ((inv@52@01 r)) ))) ; Precomputing data for removing quantified permissions (define-fun pTaken@54@01 ((r $Ref)) $Perm (ite (and (< (inv@52@01 r) V@7@01) (<= 0 (inv@52@01 r))) ($Perm.min (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $k@51@01) $Perm.No)) ; Done precomputing, updating quantified chunks ; State saturation: before repetition (set-option :timeout 10) (check-sat) ; unknown ; Constrain original permissions $k@51@01 (assert (forall ((r $Ref)) (! (=> (not (= (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $Perm.No)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< (ite (and (< (inv@52@01 r) V@7@01) (<= 0 (inv@52@01 r))) $k@51@01 $Perm.No) $k@12@01) (< (ite (and (< (inv@52@01 r) V@7@01) (<= 0 (inv@52@01 r))) $k@51@01 $Perm.No) $Perm.No))) :pattern ((inv@13@01 r)) :pattern ((inv@52@01 r)) :qid |qp.srp38|))) ; Intermediate check if already taken enough permissions (set-option :timeout 500) (push) ; 3 (assert (not (forall ((r $Ref)) (=> (and (< (inv@52@01 r) V@7@01) (<= 0 (inv@52@01 r))) (= (- $k@51@01 (pTaken@54@01 r)) $Perm.No))))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) ; Final check if taken enough permissions ; Done removing quantified permissions (declare-const sm@55@01 $FVF) ; Definitional axioms for snapshot map domain (assert (forall ((r $Ref)) (! (and (=> (Set_in r ($FVF.domain_oa (as sm@55@01 $FVF))) (and (and (< (inv@52@01 r) V@7@01) (<= 0 (inv@52@01 r))) (< $Perm.No $k@51@01))) (=> (and (and (< (inv@52@01 r) V@7@01) (<= 0 (inv@52@01 r))) (< $Perm.No $k@51@01)) (Set_in r ($FVF.domain_oa (as sm@55@01 $FVF))))) :pattern ((Set_in r ($FVF.domain_oa (as sm@55@01 $FVF)))) :qid |qp.fvfDomDef41|))) ; Definitional axioms for snapshot map values (assert (forall ((r $Ref)) (! (=> (and (and (and (< (inv@52@01 r) V@7@01) (<= 0 (inv@52@01 r))) (< $Perm.No $k@51@01)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false)) (= ($FVF.lookup_oa (as sm@55@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@55@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef39|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@55@01 $FVF) r)) :qid |qp.fvfResTrgDef40|))) (pop) ; 2 ; Joined path conditions (assert ($Perm.isReadVar $k@51@01)) (assert (forall ((r $Ref)) (! (=> (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false) (= ($FVF.lookup_oa (as sm@53@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@53@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef36|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@53@01 $FVF) r)) :qid |qp.fvfResTrgDef37|))) (assert (forall ((i1@50@01 Int)) (! (=> (and (and (< i1@50@01 V@7@01) (<= 0 i1@50@01)) (< $Perm.No $k@51@01)) (= (inv@52@01 (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@50@01)) i1@50@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@50@01)) :qid |oa-invOfFct|))) (assert (forall ((r $Ref)) (! (=> (and (and (< (inv@52@01 r) V@7@01) (<= 0 (inv@52@01 r))) (< $Perm.No $k@51@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 (inv@52@01 r)) r)) :pattern ((inv@52@01 r)) :qid |oa-fctOfInv|))) (assert (forall ((r $Ref)) (! (and (=> (Set_in r ($FVF.domain_oa (as sm@55@01 $FVF))) (and (and (< (inv@52@01 r) V@7@01) (<= 0 (inv@52@01 r))) (< $Perm.No $k@51@01))) (=> (and (and (< (inv@52@01 r) V@7@01) (<= 0 (inv@52@01 r))) (< $Perm.No $k@51@01)) (Set_in r ($FVF.domain_oa (as sm@55@01 $FVF))))) :pattern ((Set_in r ($FVF.domain_oa (as sm@55@01 $FVF)))) :qid |qp.fvfDomDef41|))) (assert (forall ((r $Ref)) (! (=> (and (and (and (< (inv@52@01 r) V@7@01) (<= 0 (inv@52@01 r))) (< $Perm.No $k@51@01)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false)) (= ($FVF.lookup_oa (as sm@55@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@55@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef39|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@55@01 $FVF) r)) :qid |qp.fvfResTrgDef40|))) (assert (and (forall ((i1@50@01 Int)) (! (< i1@50@01 (alen G@6@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@50@01)) :qid |oa-aux|)) (forall ((r $Ref)) (! (=> (and (< (inv@52@01 r) V@7@01) (<= 0 (inv@52@01 r))) ($FVF.loc_oa ($FVF.lookup_oa (as sm@53@01 $FVF) r) r)) :pattern ((inv@52@01 r)) )) (forall ((r $Ref)) (! (=> (not (= (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $Perm.No)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< (ite (and (< (inv@52@01 r) V@7@01) (<= 0 (inv@52@01 r))) $k@51@01 $Perm.No) $k@12@01) (< (ite (and (< (inv@52@01 r) V@7@01) (<= 0 (inv@52@01 r))) $k@51@01 $Perm.No) $Perm.No))) :pattern ((inv@13@01 r)) :pattern ((inv@52@01 r)) :qid |qp.srp38|)))) (push) ; 2 ; [eval] SquareIntMatrix(G, V) (push) ; 3 (pop) ; 3 ; Joined path conditions (set-option :timeout 0) (push) ; 3 (assert (not (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@55@01 $FVF))) G@6@01 V@7@01) V@7@01))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) (assert (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@55@01 $FVF))) G@6@01 V@7@01) V@7@01)) ; [eval] NonNegativeCapacities(G, V) (push) ; 3 ; [eval] SquareIntMatrix(G, V) (push) ; 4 (pop) ; 4 ; Joined path conditions (pop) ; 3 ; Joined path conditions (push) ; 3 (assert (not (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@55@01 $FVF))) G@6@01 V@7@01) V@7@01))) (check-sat) ; unsat (pop) ; 3 ; 0.04s ; (get-info :all-statistics) (assert (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@55@01 $FVF))) G@6@01 V@7@01) V@7@01)) (pop) ; 2 ; Joined path conditions (assert (and (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@55@01 $FVF))) G@6@01 V@7@01) V@7@01) (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@55@01 $FVF))) G@6@01 V@7@01) V@7@01))) (assert (<= (SumIncomingFlow ($Snap.combine $Snap.unit $Snap.unit) (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@49@01 $FVF))) G@6@01 V@7@01) V@7@01) (SumIncomingFlow ($Snap.combine $Snap.unit $Snap.unit) (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@55@01 $FVF))) G@6@01 V@7@01) V@7@01))) (assert (= ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second $t@10@01)))))) ($Snap.combine ($Snap.first ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second $t@10@01))))))) ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second $t@10@01)))))))))) (assert (= ($Snap.first ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second $t@10@01))))))) $Snap.unit)) ; [eval] SumIncomingFlow(matrixValues(G, V), V) <= SumIncomingFlow(matrixValues(G, V), V) ; [eval] SumIncomingFlow(matrixValues(G, V), V) ; [eval] matrixValues(G, V) (push) ; 2 ; [eval] alen(a2) == V ; [eval] alen(a2) (declare-const i1@56@01 Int) (push) ; 3 ; [eval] 0 <= i1 && i1 < V ; [eval] 0 <= i1 (push) ; 4 ; [then-branch: 8 | 0 <= i1@56@01 | live] ; [else-branch: 8 | !(0 <= i1@56@01) | live] (push) ; 5 ; [then-branch: 8 | 0 <= i1@56@01] (assert (<= 0 i1@56@01)) ; [eval] i1 < V (pop) ; 5 (push) ; 5 ; [else-branch: 8 | !(0 <= i1@56@01)] (assert (not (<= 0 i1@56@01))) (pop) ; 5 (pop) ; 4 ; Joined path conditions ; Joined path conditions (assert (and (< i1@56@01 V@7@01) (<= 0 i1@56@01))) (declare-const $k@57@01 $Perm) (assert ($Perm.isReadVar $k@57@01)) ; [eval] aloc(a2, i1) (push) ; 4 ; [eval] 0 <= i1 ; [eval] i1 < alen(a2) ; [eval] alen(a2) (push) ; 5 (assert (not (< i1@56@01 (alen G@6@01)))) (check-sat) ; unsat (pop) ; 5 ; 0.00s ; (get-info :all-statistics) (assert (< i1@56@01 (alen G@6@01))) (pop) ; 4 ; Joined path conditions (assert (< i1@56@01 (alen G@6@01))) (pop) ; 3 (declare-fun inv@58@01 ($Ref) Int) ; Nested auxiliary terms: globals (assert ($Perm.isReadVar $k@57@01)) ; Nested auxiliary terms: non-globals (assert (forall ((i1@56@01 Int)) (! (< i1@56@01 (alen G@6@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@56@01)) :qid |oa-aux|))) (push) ; 3 (assert (not (forall ((i1@56@01 Int)) (=> (and (< i1@56@01 V@7@01) (<= 0 i1@56@01)) (or (= $k@57@01 $Perm.No) (< $Perm.No $k@57@01)))))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) (declare-const sm@59@01 $FVF) ; Definitional axioms for snapshot map domain ; Definitional axioms for snapshot map values (assert (forall ((r $Ref)) (! (=> (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false) (= ($FVF.lookup_oa (as sm@59@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@59@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef42|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@59@01 $FVF) r)) :qid |qp.fvfResTrgDef43|))) ; Check receiver injectivity (push) ; 3 (assert (not (forall ((i11@56@01 Int) (i12@56@01 Int)) (! (=> (and (and (and (and (< i11@56@01 V@7@01) (<= 0 i11@56@01)) ($FVF.loc_oa ($FVF.lookup_oa (as sm@59@01 $FVF) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@56@01)) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@56@01))) (< $Perm.No $k@57@01)) (and (and (and (< i12@56@01 V@7@01) (<= 0 i12@56@01)) ($FVF.loc_oa ($FVF.lookup_oa (as sm@59@01 $FVF) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@56@01)) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@56@01))) (< $Perm.No $k@57@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@56@01) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@56@01))) (= i11@56@01 i12@56@01)) :qid |oa-rcvrInj|)))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) ; Definitional axioms for inverse functions (assert (forall ((i1@56@01 Int)) (! (=> (and (and (< i1@56@01 V@7@01) (<= 0 i1@56@01)) (< $Perm.No $k@57@01)) (= (inv@58@01 (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@56@01)) i1@56@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@56@01)) :qid |oa-invOfFct|))) (assert (forall ((r $Ref)) (! (=> (and (and (< (inv@58@01 r) V@7@01) (<= 0 (inv@58@01 r))) (< $Perm.No $k@57@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 (inv@58@01 r)) r)) :pattern ((inv@58@01 r)) :qid |oa-fctOfInv|))) (assert (forall ((r $Ref)) (! (=> (and (< (inv@58@01 r) V@7@01) (<= 0 (inv@58@01 r))) ($FVF.loc_oa ($FVF.lookup_oa (as sm@59@01 $FVF) r) r)) :pattern ((inv@58@01 r)) ))) ; Precomputing data for removing quantified permissions (define-fun pTaken@60@01 ((r $Ref)) $Perm (ite (and (< (inv@58@01 r) V@7@01) (<= 0 (inv@58@01 r))) ($Perm.min (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $k@57@01) $Perm.No)) ; Done precomputing, updating quantified chunks ; State saturation: before repetition (set-option :timeout 10) (check-sat) ; unknown ; Constrain original permissions $k@57@01 (assert (forall ((r $Ref)) (! (=> (not (= (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $Perm.No)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< (ite (and (< (inv@58@01 r) V@7@01) (<= 0 (inv@58@01 r))) $k@57@01 $Perm.No) $k@12@01) (< (ite (and (< (inv@58@01 r) V@7@01) (<= 0 (inv@58@01 r))) $k@57@01 $Perm.No) $Perm.No))) :pattern ((inv@13@01 r)) :pattern ((inv@58@01 r)) :qid |qp.srp44|))) ; Intermediate check if already taken enough permissions (set-option :timeout 500) (push) ; 3 (assert (not (forall ((r $Ref)) (=> (and (< (inv@58@01 r) V@7@01) (<= 0 (inv@58@01 r))) (= (- $k@57@01 (pTaken@60@01 r)) $Perm.No))))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) ; Final check if taken enough permissions ; Done removing quantified permissions (declare-const sm@61@01 $FVF) ; Definitional axioms for snapshot map domain (assert (forall ((r $Ref)) (! (and (=> (Set_in r ($FVF.domain_oa (as sm@61@01 $FVF))) (and (and (< (inv@58@01 r) V@7@01) (<= 0 (inv@58@01 r))) (< $Perm.No $k@57@01))) (=> (and (and (< (inv@58@01 r) V@7@01) (<= 0 (inv@58@01 r))) (< $Perm.No $k@57@01)) (Set_in r ($FVF.domain_oa (as sm@61@01 $FVF))))) :pattern ((Set_in r ($FVF.domain_oa (as sm@61@01 $FVF)))) :qid |qp.fvfDomDef47|))) ; Definitional axioms for snapshot map values (assert (forall ((r $Ref)) (! (=> (and (and (and (< (inv@58@01 r) V@7@01) (<= 0 (inv@58@01 r))) (< $Perm.No $k@57@01)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false)) (= ($FVF.lookup_oa (as sm@61@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@61@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef45|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@61@01 $FVF) r)) :qid |qp.fvfResTrgDef46|))) (pop) ; 2 ; Joined path conditions (assert ($Perm.isReadVar $k@57@01)) (assert (forall ((r $Ref)) (! (=> (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false) (= ($FVF.lookup_oa (as sm@59@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@59@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef42|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@59@01 $FVF) r)) :qid |qp.fvfResTrgDef43|))) (assert (forall ((i1@56@01 Int)) (! (=> (and (and (< i1@56@01 V@7@01) (<= 0 i1@56@01)) (< $Perm.No $k@57@01)) (= (inv@58@01 (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@56@01)) i1@56@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@56@01)) :qid |oa-invOfFct|))) (assert (forall ((r $Ref)) (! (=> (and (and (< (inv@58@01 r) V@7@01) (<= 0 (inv@58@01 r))) (< $Perm.No $k@57@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 (inv@58@01 r)) r)) :pattern ((inv@58@01 r)) :qid |oa-fctOfInv|))) (assert (forall ((r $Ref)) (! (and (=> (Set_in r ($FVF.domain_oa (as sm@61@01 $FVF))) (and (and (< (inv@58@01 r) V@7@01) (<= 0 (inv@58@01 r))) (< $Perm.No $k@57@01))) (=> (and (and (< (inv@58@01 r) V@7@01) (<= 0 (inv@58@01 r))) (< $Perm.No $k@57@01)) (Set_in r ($FVF.domain_oa (as sm@61@01 $FVF))))) :pattern ((Set_in r ($FVF.domain_oa (as sm@61@01 $FVF)))) :qid |qp.fvfDomDef47|))) (assert (forall ((r $Ref)) (! (=> (and (and (and (< (inv@58@01 r) V@7@01) (<= 0 (inv@58@01 r))) (< $Perm.No $k@57@01)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false)) (= ($FVF.lookup_oa (as sm@61@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@61@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef45|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@61@01 $FVF) r)) :qid |qp.fvfResTrgDef46|))) (assert (and (forall ((i1@56@01 Int)) (! (< i1@56@01 (alen G@6@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@56@01)) :qid |oa-aux|)) (forall ((r $Ref)) (! (=> (and (< (inv@58@01 r) V@7@01) (<= 0 (inv@58@01 r))) ($FVF.loc_oa ($FVF.lookup_oa (as sm@59@01 $FVF) r) r)) :pattern ((inv@58@01 r)) )) (forall ((r $Ref)) (! (=> (not (= (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $Perm.No)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< (ite (and (< (inv@58@01 r) V@7@01) (<= 0 (inv@58@01 r))) $k@57@01 $Perm.No) $k@12@01) (< (ite (and (< (inv@58@01 r) V@7@01) (<= 0 (inv@58@01 r))) $k@57@01 $Perm.No) $Perm.No))) :pattern ((inv@13@01 r)) :pattern ((inv@58@01 r)) :qid |qp.srp44|)))) (push) ; 2 ; [eval] SquareIntMatrix(G, V) (push) ; 3 (pop) ; 3 ; Joined path conditions (set-option :timeout 0) (push) ; 3 (assert (not (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@61@01 $FVF))) G@6@01 V@7@01) V@7@01))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) (assert (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@61@01 $FVF))) G@6@01 V@7@01) V@7@01)) ; [eval] NonNegativeCapacities(G, V) (push) ; 3 ; [eval] SquareIntMatrix(G, V) (push) ; 4 (pop) ; 4 ; Joined path conditions (pop) ; 3 ; Joined path conditions (push) ; 3 (assert (not (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@61@01 $FVF))) G@6@01 V@7@01) V@7@01))) (check-sat) ; unsat (pop) ; 3 ; 0.06s ; (get-info :all-statistics) (assert (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@61@01 $FVF))) G@6@01 V@7@01) V@7@01)) (pop) ; 2 ; Joined path conditions (assert (and (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@61@01 $FVF))) G@6@01 V@7@01) V@7@01) (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@61@01 $FVF))) G@6@01 V@7@01) V@7@01))) ; [eval] SumIncomingFlow(matrixValues(G, V), V) ; [eval] matrixValues(G, V) (push) ; 2 ; [eval] alen(a2) == V ; [eval] alen(a2) (declare-const i1@62@01 Int) (push) ; 3 ; [eval] 0 <= i1 && i1 < V ; [eval] 0 <= i1 (push) ; 4 ; [then-branch: 9 | 0 <= i1@62@01 | live] ; [else-branch: 9 | !(0 <= i1@62@01) | live] (push) ; 5 ; [then-branch: 9 | 0 <= i1@62@01] (assert (<= 0 i1@62@01)) ; [eval] i1 < V (pop) ; 5 (push) ; 5 ; [else-branch: 9 | !(0 <= i1@62@01)] (assert (not (<= 0 i1@62@01))) (pop) ; 5 (pop) ; 4 ; Joined path conditions ; Joined path conditions (assert (and (< i1@62@01 V@7@01) (<= 0 i1@62@01))) (declare-const $k@63@01 $Perm) (assert ($Perm.isReadVar $k@63@01)) ; [eval] aloc(a2, i1) (push) ; 4 ; [eval] 0 <= i1 ; [eval] i1 < alen(a2) ; [eval] alen(a2) (push) ; 5 (assert (not (< i1@62@01 (alen G@6@01)))) (check-sat) ; unsat (pop) ; 5 ; 0.00s ; (get-info :all-statistics) (assert (< i1@62@01 (alen G@6@01))) (pop) ; 4 ; Joined path conditions (assert (< i1@62@01 (alen G@6@01))) (pop) ; 3 (declare-fun inv@64@01 ($Ref) Int) ; Nested auxiliary terms: globals (assert ($Perm.isReadVar $k@63@01)) ; Nested auxiliary terms: non-globals (assert (forall ((i1@62@01 Int)) (! (< i1@62@01 (alen G@6@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@62@01)) :qid |oa-aux|))) (push) ; 3 (assert (not (forall ((i1@62@01 Int)) (=> (and (< i1@62@01 V@7@01) (<= 0 i1@62@01)) (or (= $k@63@01 $Perm.No) (< $Perm.No $k@63@01)))))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) (declare-const sm@65@01 $FVF) ; Definitional axioms for snapshot map domain ; Definitional axioms for snapshot map values (assert (forall ((r $Ref)) (! (=> (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false) (= ($FVF.lookup_oa (as sm@65@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@65@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef48|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@65@01 $FVF) r)) :qid |qp.fvfResTrgDef49|))) ; Check receiver injectivity (push) ; 3 (assert (not (forall ((i11@62@01 Int) (i12@62@01 Int)) (! (=> (and (and (and (and (< i11@62@01 V@7@01) (<= 0 i11@62@01)) ($FVF.loc_oa ($FVF.lookup_oa (as sm@65@01 $FVF) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@62@01)) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@62@01))) (< $Perm.No $k@63@01)) (and (and (and (< i12@62@01 V@7@01) (<= 0 i12@62@01)) ($FVF.loc_oa ($FVF.lookup_oa (as sm@65@01 $FVF) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@62@01)) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@62@01))) (< $Perm.No $k@63@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@62@01) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@62@01))) (= i11@62@01 i12@62@01)) :qid |oa-rcvrInj|)))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) ; Definitional axioms for inverse functions (assert (forall ((i1@62@01 Int)) (! (=> (and (and (< i1@62@01 V@7@01) (<= 0 i1@62@01)) (< $Perm.No $k@63@01)) (= (inv@64@01 (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@62@01)) i1@62@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@62@01)) :qid |oa-invOfFct|))) (assert (forall ((r $Ref)) (! (=> (and (and (< (inv@64@01 r) V@7@01) (<= 0 (inv@64@01 r))) (< $Perm.No $k@63@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 (inv@64@01 r)) r)) :pattern ((inv@64@01 r)) :qid |oa-fctOfInv|))) (assert (forall ((r $Ref)) (! (=> (and (< (inv@64@01 r) V@7@01) (<= 0 (inv@64@01 r))) ($FVF.loc_oa ($FVF.lookup_oa (as sm@65@01 $FVF) r) r)) :pattern ((inv@64@01 r)) ))) ; Precomputing data for removing quantified permissions (define-fun pTaken@66@01 ((r $Ref)) $Perm (ite (and (< (inv@64@01 r) V@7@01) (<= 0 (inv@64@01 r))) ($Perm.min (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $k@63@01) $Perm.No)) ; Done precomputing, updating quantified chunks ; State saturation: before repetition (set-option :timeout 10) (check-sat) ; unknown ; Constrain original permissions $k@63@01 (assert (forall ((r $Ref)) (! (=> (not (= (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $Perm.No)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< (ite (and (< (inv@64@01 r) V@7@01) (<= 0 (inv@64@01 r))) $k@63@01 $Perm.No) $k@12@01) (< (ite (and (< (inv@64@01 r) V@7@01) (<= 0 (inv@64@01 r))) $k@63@01 $Perm.No) $Perm.No))) :pattern ((inv@13@01 r)) :pattern ((inv@64@01 r)) :qid |qp.srp50|))) ; Intermediate check if already taken enough permissions (set-option :timeout 500) (push) ; 3 (assert (not (forall ((r $Ref)) (=> (and (< (inv@64@01 r) V@7@01) (<= 0 (inv@64@01 r))) (= (- $k@63@01 (pTaken@66@01 r)) $Perm.No))))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) ; Final check if taken enough permissions ; Done removing quantified permissions (declare-const sm@67@01 $FVF) ; Definitional axioms for snapshot map domain (assert (forall ((r $Ref)) (! (and (=> (Set_in r ($FVF.domain_oa (as sm@67@01 $FVF))) (and (and (< (inv@64@01 r) V@7@01) (<= 0 (inv@64@01 r))) (< $Perm.No $k@63@01))) (=> (and (and (< (inv@64@01 r) V@7@01) (<= 0 (inv@64@01 r))) (< $Perm.No $k@63@01)) (Set_in r ($FVF.domain_oa (as sm@67@01 $FVF))))) :pattern ((Set_in r ($FVF.domain_oa (as sm@67@01 $FVF)))) :qid |qp.fvfDomDef53|))) ; Definitional axioms for snapshot map values (assert (forall ((r $Ref)) (! (=> (and (and (and (< (inv@64@01 r) V@7@01) (<= 0 (inv@64@01 r))) (< $Perm.No $k@63@01)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false)) (= ($FVF.lookup_oa (as sm@67@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@67@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef51|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@67@01 $FVF) r)) :qid |qp.fvfResTrgDef52|))) (pop) ; 2 ; Joined path conditions (assert ($Perm.isReadVar $k@63@01)) (assert (forall ((r $Ref)) (! (=> (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false) (= ($FVF.lookup_oa (as sm@65@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@65@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef48|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@65@01 $FVF) r)) :qid |qp.fvfResTrgDef49|))) (assert (forall ((i1@62@01 Int)) (! (=> (and (and (< i1@62@01 V@7@01) (<= 0 i1@62@01)) (< $Perm.No $k@63@01)) (= (inv@64@01 (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@62@01)) i1@62@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@62@01)) :qid |oa-invOfFct|))) (assert (forall ((r $Ref)) (! (=> (and (and (< (inv@64@01 r) V@7@01) (<= 0 (inv@64@01 r))) (< $Perm.No $k@63@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 (inv@64@01 r)) r)) :pattern ((inv@64@01 r)) :qid |oa-fctOfInv|))) (assert (forall ((r $Ref)) (! (and (=> (Set_in r ($FVF.domain_oa (as sm@67@01 $FVF))) (and (and (< (inv@64@01 r) V@7@01) (<= 0 (inv@64@01 r))) (< $Perm.No $k@63@01))) (=> (and (and (< (inv@64@01 r) V@7@01) (<= 0 (inv@64@01 r))) (< $Perm.No $k@63@01)) (Set_in r ($FVF.domain_oa (as sm@67@01 $FVF))))) :pattern ((Set_in r ($FVF.domain_oa (as sm@67@01 $FVF)))) :qid |qp.fvfDomDef53|))) (assert (forall ((r $Ref)) (! (=> (and (and (and (< (inv@64@01 r) V@7@01) (<= 0 (inv@64@01 r))) (< $Perm.No $k@63@01)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false)) (= ($FVF.lookup_oa (as sm@67@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@67@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef51|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@67@01 $FVF) r)) :qid |qp.fvfResTrgDef52|))) (assert (and (forall ((i1@62@01 Int)) (! (< i1@62@01 (alen G@6@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@62@01)) :qid |oa-aux|)) (forall ((r $Ref)) (! (=> (and (< (inv@64@01 r) V@7@01) (<= 0 (inv@64@01 r))) ($FVF.loc_oa ($FVF.lookup_oa (as sm@65@01 $FVF) r) r)) :pattern ((inv@64@01 r)) )) (forall ((r $Ref)) (! (=> (not (= (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $Perm.No)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< (ite (and (< (inv@64@01 r) V@7@01) (<= 0 (inv@64@01 r))) $k@63@01 $Perm.No) $k@12@01) (< (ite (and (< (inv@64@01 r) V@7@01) (<= 0 (inv@64@01 r))) $k@63@01 $Perm.No) $Perm.No))) :pattern ((inv@13@01 r)) :pattern ((inv@64@01 r)) :qid |qp.srp50|)))) (push) ; 2 ; [eval] SquareIntMatrix(G, V) (push) ; 3 (pop) ; 3 ; Joined path conditions (set-option :timeout 0) (push) ; 3 (assert (not (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@67@01 $FVF))) G@6@01 V@7@01) V@7@01))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) (assert (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@67@01 $FVF))) G@6@01 V@7@01) V@7@01)) ; [eval] NonNegativeCapacities(G, V) (push) ; 3 ; [eval] SquareIntMatrix(G, V) (push) ; 4 (pop) ; 4 ; Joined path conditions (pop) ; 3 ; Joined path conditions (push) ; 3 (assert (not (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@67@01 $FVF))) G@6@01 V@7@01) V@7@01))) (check-sat) ; unsat (pop) ; 3 ; 0.09s ; (get-info :all-statistics) (assert (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@67@01 $FVF))) G@6@01 V@7@01) V@7@01)) (pop) ; 2 ; Joined path conditions (assert (and (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@67@01 $FVF))) G@6@01 V@7@01) V@7@01) (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@67@01 $FVF))) G@6@01 V@7@01) V@7@01))) (assert (<= (SumIncomingFlow ($Snap.combine $Snap.unit $Snap.unit) (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@61@01 $FVF))) G@6@01 V@7@01) V@7@01) (SumIncomingFlow ($Snap.combine $Snap.unit $Snap.unit) (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@67@01 $FVF))) G@6@01 V@7@01) V@7@01))) (assert (= ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second $t@10@01))))))) ($Snap.combine ($Snap.first ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second $t@10@01)))))))) ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second $t@10@01))))))))))) (assert (= ($Snap.first ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second $t@10@01)))))))) $Snap.unit)) ; [eval] SumIncomingFlow(matrixValues(G, V), V) <= SumIncomingFlow(matrixValues(G, V), V) ; [eval] SumIncomingFlow(matrixValues(G, V), V) ; [eval] matrixValues(G, V) (push) ; 2 ; [eval] alen(a2) == V ; [eval] alen(a2) (declare-const i1@68@01 Int) (push) ; 3 ; [eval] 0 <= i1 && i1 < V ; [eval] 0 <= i1 (push) ; 4 ; [then-branch: 10 | 0 <= i1@68@01 | live] ; [else-branch: 10 | !(0 <= i1@68@01) | live] (push) ; 5 ; [then-branch: 10 | 0 <= i1@68@01] (assert (<= 0 i1@68@01)) ; [eval] i1 < V (pop) ; 5 (push) ; 5 ; [else-branch: 10 | !(0 <= i1@68@01)] (assert (not (<= 0 i1@68@01))) (pop) ; 5 (pop) ; 4 ; Joined path conditions ; Joined path conditions (assert (and (< i1@68@01 V@7@01) (<= 0 i1@68@01))) (declare-const $k@69@01 $Perm) (assert ($Perm.isReadVar $k@69@01)) ; [eval] aloc(a2, i1) (push) ; 4 ; [eval] 0 <= i1 ; [eval] i1 < alen(a2) ; [eval] alen(a2) (push) ; 5 (assert (not (< i1@68@01 (alen G@6@01)))) (check-sat) ; unsat (pop) ; 5 ; 0.00s ; (get-info :all-statistics) (assert (< i1@68@01 (alen G@6@01))) (pop) ; 4 ; Joined path conditions (assert (< i1@68@01 (alen G@6@01))) (pop) ; 3 (declare-fun inv@70@01 ($Ref) Int) ; Nested auxiliary terms: globals (assert ($Perm.isReadVar $k@69@01)) ; Nested auxiliary terms: non-globals (assert (forall ((i1@68@01 Int)) (! (< i1@68@01 (alen G@6@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@68@01)) :qid |oa-aux|))) (push) ; 3 (assert (not (forall ((i1@68@01 Int)) (=> (and (< i1@68@01 V@7@01) (<= 0 i1@68@01)) (or (= $k@69@01 $Perm.No) (< $Perm.No $k@69@01)))))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) (declare-const sm@71@01 $FVF) ; Definitional axioms for snapshot map domain ; Definitional axioms for snapshot map values (assert (forall ((r $Ref)) (! (=> (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false) (= ($FVF.lookup_oa (as sm@71@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@71@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef54|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@71@01 $FVF) r)) :qid |qp.fvfResTrgDef55|))) ; Check receiver injectivity (push) ; 3 (assert (not (forall ((i11@68@01 Int) (i12@68@01 Int)) (! (=> (and (and (and (and (< i11@68@01 V@7@01) (<= 0 i11@68@01)) ($FVF.loc_oa ($FVF.lookup_oa (as sm@71@01 $FVF) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@68@01)) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@68@01))) (< $Perm.No $k@69@01)) (and (and (and (< i12@68@01 V@7@01) (<= 0 i12@68@01)) ($FVF.loc_oa ($FVF.lookup_oa (as sm@71@01 $FVF) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@68@01)) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@68@01))) (< $Perm.No $k@69@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@68@01) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@68@01))) (= i11@68@01 i12@68@01)) :qid |oa-rcvrInj|)))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) ; Definitional axioms for inverse functions (assert (forall ((i1@68@01 Int)) (! (=> (and (and (< i1@68@01 V@7@01) (<= 0 i1@68@01)) (< $Perm.No $k@69@01)) (= (inv@70@01 (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@68@01)) i1@68@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@68@01)) :qid |oa-invOfFct|))) (assert (forall ((r $Ref)) (! (=> (and (and (< (inv@70@01 r) V@7@01) (<= 0 (inv@70@01 r))) (< $Perm.No $k@69@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 (inv@70@01 r)) r)) :pattern ((inv@70@01 r)) :qid |oa-fctOfInv|))) (assert (forall ((r $Ref)) (! (=> (and (< (inv@70@01 r) V@7@01) (<= 0 (inv@70@01 r))) ($FVF.loc_oa ($FVF.lookup_oa (as sm@71@01 $FVF) r) r)) :pattern ((inv@70@01 r)) ))) ; Precomputing data for removing quantified permissions (define-fun pTaken@72@01 ((r $Ref)) $Perm (ite (and (< (inv@70@01 r) V@7@01) (<= 0 (inv@70@01 r))) ($Perm.min (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $k@69@01) $Perm.No)) ; Done precomputing, updating quantified chunks ; State saturation: before repetition (set-option :timeout 10) (check-sat) ; unknown ; Constrain original permissions $k@69@01 (assert (forall ((r $Ref)) (! (=> (not (= (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $Perm.No)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< (ite (and (< (inv@70@01 r) V@7@01) (<= 0 (inv@70@01 r))) $k@69@01 $Perm.No) $k@12@01) (< (ite (and (< (inv@70@01 r) V@7@01) (<= 0 (inv@70@01 r))) $k@69@01 $Perm.No) $Perm.No))) :pattern ((inv@13@01 r)) :pattern ((inv@70@01 r)) :qid |qp.srp56|))) ; Intermediate check if already taken enough permissions (set-option :timeout 500) (push) ; 3 (assert (not (forall ((r $Ref)) (=> (and (< (inv@70@01 r) V@7@01) (<= 0 (inv@70@01 r))) (= (- $k@69@01 (pTaken@72@01 r)) $Perm.No))))) (check-sat) ; unsat (pop) ; 3 ; 0.01s ; (get-info :all-statistics) ; Final check if taken enough permissions ; Done removing quantified permissions (declare-const sm@73@01 $FVF) ; Definitional axioms for snapshot map domain (assert (forall ((r $Ref)) (! (and (=> (Set_in r ($FVF.domain_oa (as sm@73@01 $FVF))) (and (and (< (inv@70@01 r) V@7@01) (<= 0 (inv@70@01 r))) (< $Perm.No $k@69@01))) (=> (and (and (< (inv@70@01 r) V@7@01) (<= 0 (inv@70@01 r))) (< $Perm.No $k@69@01)) (Set_in r ($FVF.domain_oa (as sm@73@01 $FVF))))) :pattern ((Set_in r ($FVF.domain_oa (as sm@73@01 $FVF)))) :qid |qp.fvfDomDef59|))) ; Definitional axioms for snapshot map values (assert (forall ((r $Ref)) (! (=> (and (and (and (< (inv@70@01 r) V@7@01) (<= 0 (inv@70@01 r))) (< $Perm.No $k@69@01)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false)) (= ($FVF.lookup_oa (as sm@73@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@73@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef57|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@73@01 $FVF) r)) :qid |qp.fvfResTrgDef58|))) (pop) ; 2 ; Joined path conditions (assert ($Perm.isReadVar $k@69@01)) (assert (forall ((r $Ref)) (! (=> (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false) (= ($FVF.lookup_oa (as sm@71@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@71@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef54|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@71@01 $FVF) r)) :qid |qp.fvfResTrgDef55|))) (assert (forall ((i1@68@01 Int)) (! (=> (and (and (< i1@68@01 V@7@01) (<= 0 i1@68@01)) (< $Perm.No $k@69@01)) (= (inv@70@01 (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@68@01)) i1@68@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@68@01)) :qid |oa-invOfFct|))) (assert (forall ((r $Ref)) (! (=> (and (and (< (inv@70@01 r) V@7@01) (<= 0 (inv@70@01 r))) (< $Perm.No $k@69@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 (inv@70@01 r)) r)) :pattern ((inv@70@01 r)) :qid |oa-fctOfInv|))) (assert (forall ((r $Ref)) (! (and (=> (Set_in r ($FVF.domain_oa (as sm@73@01 $FVF))) (and (and (< (inv@70@01 r) V@7@01) (<= 0 (inv@70@01 r))) (< $Perm.No $k@69@01))) (=> (and (and (< (inv@70@01 r) V@7@01) (<= 0 (inv@70@01 r))) (< $Perm.No $k@69@01)) (Set_in r ($FVF.domain_oa (as sm@73@01 $FVF))))) :pattern ((Set_in r ($FVF.domain_oa (as sm@73@01 $FVF)))) :qid |qp.fvfDomDef59|))) (assert (forall ((r $Ref)) (! (=> (and (and (and (< (inv@70@01 r) V@7@01) (<= 0 (inv@70@01 r))) (< $Perm.No $k@69@01)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false)) (= ($FVF.lookup_oa (as sm@73@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@73@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef57|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@73@01 $FVF) r)) :qid |qp.fvfResTrgDef58|))) (assert (and (forall ((i1@68@01 Int)) (! (< i1@68@01 (alen G@6@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@68@01)) :qid |oa-aux|)) (forall ((r $Ref)) (! (=> (and (< (inv@70@01 r) V@7@01) (<= 0 (inv@70@01 r))) ($FVF.loc_oa ($FVF.lookup_oa (as sm@71@01 $FVF) r) r)) :pattern ((inv@70@01 r)) )) (forall ((r $Ref)) (! (=> (not (= (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $Perm.No)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< (ite (and (< (inv@70@01 r) V@7@01) (<= 0 (inv@70@01 r))) $k@69@01 $Perm.No) $k@12@01) (< (ite (and (< (inv@70@01 r) V@7@01) (<= 0 (inv@70@01 r))) $k@69@01 $Perm.No) $Perm.No))) :pattern ((inv@13@01 r)) :pattern ((inv@70@01 r)) :qid |qp.srp56|)))) (push) ; 2 ; [eval] SquareIntMatrix(G, V) (push) ; 3 (pop) ; 3 ; Joined path conditions (set-option :timeout 0) (push) ; 3 (assert (not (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@73@01 $FVF))) G@6@01 V@7@01) V@7@01))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) (assert (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@73@01 $FVF))) G@6@01 V@7@01) V@7@01)) ; [eval] NonNegativeCapacities(G, V) (push) ; 3 ; [eval] SquareIntMatrix(G, V) (push) ; 4 (pop) ; 4 ; Joined path conditions (pop) ; 3 ; Joined path conditions (push) ; 3 (assert (not (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@73@01 $FVF))) G@6@01 V@7@01) V@7@01))) (check-sat) ; unsat (pop) ; 3 ; 0.10s ; (get-info :all-statistics) (assert (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@73@01 $FVF))) G@6@01 V@7@01) V@7@01)) (pop) ; 2 ; Joined path conditions (assert (and (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@73@01 $FVF))) G@6@01 V@7@01) V@7@01) (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@73@01 $FVF))) G@6@01 V@7@01) V@7@01))) ; [eval] SumIncomingFlow(matrixValues(G, V), V) ; [eval] matrixValues(G, V) (push) ; 2 ; [eval] alen(a2) == V ; [eval] alen(a2) (declare-const i1@74@01 Int) (push) ; 3 ; [eval] 0 <= i1 && i1 < V ; [eval] 0 <= i1 (push) ; 4 ; [then-branch: 11 | 0 <= i1@74@01 | live] ; [else-branch: 11 | !(0 <= i1@74@01) | live] (push) ; 5 ; [then-branch: 11 | 0 <= i1@74@01] (assert (<= 0 i1@74@01)) ; [eval] i1 < V (pop) ; 5 (push) ; 5 ; [else-branch: 11 | !(0 <= i1@74@01)] (assert (not (<= 0 i1@74@01))) (pop) ; 5 (pop) ; 4 ; Joined path conditions ; Joined path conditions (assert (and (< i1@74@01 V@7@01) (<= 0 i1@74@01))) (declare-const $k@75@01 $Perm) (assert ($Perm.isReadVar $k@75@01)) ; [eval] aloc(a2, i1) (push) ; 4 ; [eval] 0 <= i1 ; [eval] i1 < alen(a2) ; [eval] alen(a2) (push) ; 5 (assert (not (< i1@74@01 (alen G@6@01)))) (check-sat) ; unsat (pop) ; 5 ; 0.00s ; (get-info :all-statistics) (assert (< i1@74@01 (alen G@6@01))) (pop) ; 4 ; Joined path conditions (assert (< i1@74@01 (alen G@6@01))) (pop) ; 3 (declare-fun inv@76@01 ($Ref) Int) ; Nested auxiliary terms: globals (assert ($Perm.isReadVar $k@75@01)) ; Nested auxiliary terms: non-globals (assert (forall ((i1@74@01 Int)) (! (< i1@74@01 (alen G@6@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@74@01)) :qid |oa-aux|))) (push) ; 3 (assert (not (forall ((i1@74@01 Int)) (=> (and (< i1@74@01 V@7@01) (<= 0 i1@74@01)) (or (= $k@75@01 $Perm.No) (< $Perm.No $k@75@01)))))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) (declare-const sm@77@01 $FVF) ; Definitional axioms for snapshot map domain ; Definitional axioms for snapshot map values (assert (forall ((r $Ref)) (! (=> (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false) (= ($FVF.lookup_oa (as sm@77@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@77@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef60|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@77@01 $FVF) r)) :qid |qp.fvfResTrgDef61|))) ; Check receiver injectivity (push) ; 3 (assert (not (forall ((i11@74@01 Int) (i12@74@01 Int)) (! (=> (and (and (and (and (< i11@74@01 V@7@01) (<= 0 i11@74@01)) ($FVF.loc_oa ($FVF.lookup_oa (as sm@77@01 $FVF) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@74@01)) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@74@01))) (< $Perm.No $k@75@01)) (and (and (and (< i12@74@01 V@7@01) (<= 0 i12@74@01)) ($FVF.loc_oa ($FVF.lookup_oa (as sm@77@01 $FVF) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@74@01)) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@74@01))) (< $Perm.No $k@75@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@74@01) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@74@01))) (= i11@74@01 i12@74@01)) :qid |oa-rcvrInj|)))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) ; Definitional axioms for inverse functions (assert (forall ((i1@74@01 Int)) (! (=> (and (and (< i1@74@01 V@7@01) (<= 0 i1@74@01)) (< $Perm.No $k@75@01)) (= (inv@76@01 (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@74@01)) i1@74@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@74@01)) :qid |oa-invOfFct|))) (assert (forall ((r $Ref)) (! (=> (and (and (< (inv@76@01 r) V@7@01) (<= 0 (inv@76@01 r))) (< $Perm.No $k@75@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 (inv@76@01 r)) r)) :pattern ((inv@76@01 r)) :qid |oa-fctOfInv|))) (assert (forall ((r $Ref)) (! (=> (and (< (inv@76@01 r) V@7@01) (<= 0 (inv@76@01 r))) ($FVF.loc_oa ($FVF.lookup_oa (as sm@77@01 $FVF) r) r)) :pattern ((inv@76@01 r)) ))) ; Precomputing data for removing quantified permissions (define-fun pTaken@78@01 ((r $Ref)) $Perm (ite (and (< (inv@76@01 r) V@7@01) (<= 0 (inv@76@01 r))) ($Perm.min (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $k@75@01) $Perm.No)) ; Done precomputing, updating quantified chunks ; State saturation: before repetition (set-option :timeout 10) (check-sat) ; unknown ; Constrain original permissions $k@75@01 (assert (forall ((r $Ref)) (! (=> (not (= (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $Perm.No)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< (ite (and (< (inv@76@01 r) V@7@01) (<= 0 (inv@76@01 r))) $k@75@01 $Perm.No) $k@12@01) (< (ite (and (< (inv@76@01 r) V@7@01) (<= 0 (inv@76@01 r))) $k@75@01 $Perm.No) $Perm.No))) :pattern ((inv@13@01 r)) :pattern ((inv@76@01 r)) :qid |qp.srp62|))) ; Intermediate check if already taken enough permissions (set-option :timeout 500) (push) ; 3 (assert (not (forall ((r $Ref)) (=> (and (< (inv@76@01 r) V@7@01) (<= 0 (inv@76@01 r))) (= (- $k@75@01 (pTaken@78@01 r)) $Perm.No))))) (check-sat) ; unsat (pop) ; 3 ; 0.01s ; (get-info :all-statistics) ; Final check if taken enough permissions ; Done removing quantified permissions (declare-const sm@79@01 $FVF) ; Definitional axioms for snapshot map domain (assert (forall ((r $Ref)) (! (and (=> (Set_in r ($FVF.domain_oa (as sm@79@01 $FVF))) (and (and (< (inv@76@01 r) V@7@01) (<= 0 (inv@76@01 r))) (< $Perm.No $k@75@01))) (=> (and (and (< (inv@76@01 r) V@7@01) (<= 0 (inv@76@01 r))) (< $Perm.No $k@75@01)) (Set_in r ($FVF.domain_oa (as sm@79@01 $FVF))))) :pattern ((Set_in r ($FVF.domain_oa (as sm@79@01 $FVF)))) :qid |qp.fvfDomDef65|))) ; Definitional axioms for snapshot map values (assert (forall ((r $Ref)) (! (=> (and (and (and (< (inv@76@01 r) V@7@01) (<= 0 (inv@76@01 r))) (< $Perm.No $k@75@01)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false)) (= ($FVF.lookup_oa (as sm@79@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@79@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef63|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@79@01 $FVF) r)) :qid |qp.fvfResTrgDef64|))) (pop) ; 2 ; Joined path conditions (assert ($Perm.isReadVar $k@75@01)) (assert (forall ((r $Ref)) (! (=> (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false) (= ($FVF.lookup_oa (as sm@77@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@77@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef60|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@77@01 $FVF) r)) :qid |qp.fvfResTrgDef61|))) (assert (forall ((i1@74@01 Int)) (! (=> (and (and (< i1@74@01 V@7@01) (<= 0 i1@74@01)) (< $Perm.No $k@75@01)) (= (inv@76@01 (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@74@01)) i1@74@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@74@01)) :qid |oa-invOfFct|))) (assert (forall ((r $Ref)) (! (=> (and (and (< (inv@76@01 r) V@7@01) (<= 0 (inv@76@01 r))) (< $Perm.No $k@75@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 (inv@76@01 r)) r)) :pattern ((inv@76@01 r)) :qid |oa-fctOfInv|))) (assert (forall ((r $Ref)) (! (and (=> (Set_in r ($FVF.domain_oa (as sm@79@01 $FVF))) (and (and (< (inv@76@01 r) V@7@01) (<= 0 (inv@76@01 r))) (< $Perm.No $k@75@01))) (=> (and (and (< (inv@76@01 r) V@7@01) (<= 0 (inv@76@01 r))) (< $Perm.No $k@75@01)) (Set_in r ($FVF.domain_oa (as sm@79@01 $FVF))))) :pattern ((Set_in r ($FVF.domain_oa (as sm@79@01 $FVF)))) :qid |qp.fvfDomDef65|))) (assert (forall ((r $Ref)) (! (=> (and (and (and (< (inv@76@01 r) V@7@01) (<= 0 (inv@76@01 r))) (< $Perm.No $k@75@01)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false)) (= ($FVF.lookup_oa (as sm@79@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@79@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef63|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@79@01 $FVF) r)) :qid |qp.fvfResTrgDef64|))) (assert (and (forall ((i1@74@01 Int)) (! (< i1@74@01 (alen G@6@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@74@01)) :qid |oa-aux|)) (forall ((r $Ref)) (! (=> (and (< (inv@76@01 r) V@7@01) (<= 0 (inv@76@01 r))) ($FVF.loc_oa ($FVF.lookup_oa (as sm@77@01 $FVF) r) r)) :pattern ((inv@76@01 r)) )) (forall ((r $Ref)) (! (=> (not (= (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $Perm.No)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< (ite (and (< (inv@76@01 r) V@7@01) (<= 0 (inv@76@01 r))) $k@75@01 $Perm.No) $k@12@01) (< (ite (and (< (inv@76@01 r) V@7@01) (<= 0 (inv@76@01 r))) $k@75@01 $Perm.No) $Perm.No))) :pattern ((inv@13@01 r)) :pattern ((inv@76@01 r)) :qid |qp.srp62|)))) (push) ; 2 ; [eval] SquareIntMatrix(G, V) (push) ; 3 (pop) ; 3 ; Joined path conditions (set-option :timeout 0) (push) ; 3 (assert (not (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@79@01 $FVF))) G@6@01 V@7@01) V@7@01))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) (assert (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@79@01 $FVF))) G@6@01 V@7@01) V@7@01)) ; [eval] NonNegativeCapacities(G, V) (push) ; 3 ; [eval] SquareIntMatrix(G, V) (push) ; 4 (pop) ; 4 ; Joined path conditions (pop) ; 3 ; Joined path conditions (push) ; 3 (assert (not (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@79@01 $FVF))) G@6@01 V@7@01) V@7@01))) (check-sat) ; unsat (pop) ; 3 ; 0.11s ; (get-info :all-statistics) (assert (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@79@01 $FVF))) G@6@01 V@7@01) V@7@01)) (pop) ; 2 ; Joined path conditions (assert (and (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@79@01 $FVF))) G@6@01 V@7@01) V@7@01) (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@79@01 $FVF))) G@6@01 V@7@01) V@7@01))) (assert (<= (SumIncomingFlow ($Snap.combine $Snap.unit $Snap.unit) (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@73@01 $FVF))) G@6@01 V@7@01) V@7@01) (SumIncomingFlow ($Snap.combine $Snap.unit $Snap.unit) (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@79@01 $FVF))) G@6@01 V@7@01) V@7@01))) (assert (= ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second $t@10@01)))))))) ($Snap.combine ($Snap.first ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second $t@10@01))))))))) ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second $t@10@01)))))))))))) (assert (= ($Snap.first ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second $t@10@01))))))))) $Snap.unit)) ; [eval] SumIncomingFlow(matrixValues(G, V), V) <= SumIncomingFlow(matrixValues(G, V), V) ; [eval] SumIncomingFlow(matrixValues(G, V), V) ; [eval] matrixValues(G, V) (push) ; 2 ; [eval] alen(a2) == V ; [eval] alen(a2) (declare-const i1@80@01 Int) (push) ; 3 ; [eval] 0 <= i1 && i1 < V ; [eval] 0 <= i1 (push) ; 4 ; [then-branch: 12 | 0 <= i1@80@01 | live] ; [else-branch: 12 | !(0 <= i1@80@01) | live] (push) ; 5 ; [then-branch: 12 | 0 <= i1@80@01] (assert (<= 0 i1@80@01)) ; [eval] i1 < V (pop) ; 5 (push) ; 5 ; [else-branch: 12 | !(0 <= i1@80@01)] (assert (not (<= 0 i1@80@01))) (pop) ; 5 (pop) ; 4 ; Joined path conditions ; Joined path conditions (assert (and (< i1@80@01 V@7@01) (<= 0 i1@80@01))) (declare-const $k@81@01 $Perm) (assert ($Perm.isReadVar $k@81@01)) ; [eval] aloc(a2, i1) (push) ; 4 ; [eval] 0 <= i1 ; [eval] i1 < alen(a2) ; [eval] alen(a2) (push) ; 5 (assert (not (< i1@80@01 (alen G@6@01)))) (check-sat) ; unsat (pop) ; 5 ; 0.00s ; (get-info :all-statistics) (assert (< i1@80@01 (alen G@6@01))) (pop) ; 4 ; Joined path conditions (assert (< i1@80@01 (alen G@6@01))) (pop) ; 3 (declare-fun inv@82@01 ($Ref) Int) ; Nested auxiliary terms: globals (assert ($Perm.isReadVar $k@81@01)) ; Nested auxiliary terms: non-globals (assert (forall ((i1@80@01 Int)) (! (< i1@80@01 (alen G@6@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@80@01)) :qid |oa-aux|))) (push) ; 3 (assert (not (forall ((i1@80@01 Int)) (=> (and (< i1@80@01 V@7@01) (<= 0 i1@80@01)) (or (= $k@81@01 $Perm.No) (< $Perm.No $k@81@01)))))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) (declare-const sm@83@01 $FVF) ; Definitional axioms for snapshot map domain ; Definitional axioms for snapshot map values (assert (forall ((r $Ref)) (! (=> (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false) (= ($FVF.lookup_oa (as sm@83@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@83@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef66|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@83@01 $FVF) r)) :qid |qp.fvfResTrgDef67|))) ; Check receiver injectivity (push) ; 3 (assert (not (forall ((i11@80@01 Int) (i12@80@01 Int)) (! (=> (and (and (and (and (< i11@80@01 V@7@01) (<= 0 i11@80@01)) ($FVF.loc_oa ($FVF.lookup_oa (as sm@83@01 $FVF) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@80@01)) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@80@01))) (< $Perm.No $k@81@01)) (and (and (and (< i12@80@01 V@7@01) (<= 0 i12@80@01)) ($FVF.loc_oa ($FVF.lookup_oa (as sm@83@01 $FVF) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@80@01)) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@80@01))) (< $Perm.No $k@81@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@80@01) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@80@01))) (= i11@80@01 i12@80@01)) :qid |oa-rcvrInj|)))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) ; Definitional axioms for inverse functions (assert (forall ((i1@80@01 Int)) (! (=> (and (and (< i1@80@01 V@7@01) (<= 0 i1@80@01)) (< $Perm.No $k@81@01)) (= (inv@82@01 (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@80@01)) i1@80@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@80@01)) :qid |oa-invOfFct|))) (assert (forall ((r $Ref)) (! (=> (and (and (< (inv@82@01 r) V@7@01) (<= 0 (inv@82@01 r))) (< $Perm.No $k@81@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 (inv@82@01 r)) r)) :pattern ((inv@82@01 r)) :qid |oa-fctOfInv|))) (assert (forall ((r $Ref)) (! (=> (and (< (inv@82@01 r) V@7@01) (<= 0 (inv@82@01 r))) ($FVF.loc_oa ($FVF.lookup_oa (as sm@83@01 $FVF) r) r)) :pattern ((inv@82@01 r)) ))) ; Precomputing data for removing quantified permissions (define-fun pTaken@84@01 ((r $Ref)) $Perm (ite (and (< (inv@82@01 r) V@7@01) (<= 0 (inv@82@01 r))) ($Perm.min (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $k@81@01) $Perm.No)) ; Done precomputing, updating quantified chunks ; State saturation: before repetition (set-option :timeout 10) (check-sat) ; unknown ; Constrain original permissions $k@81@01 (assert (forall ((r $Ref)) (! (=> (not (= (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $Perm.No)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< (ite (and (< (inv@82@01 r) V@7@01) (<= 0 (inv@82@01 r))) $k@81@01 $Perm.No) $k@12@01) (< (ite (and (< (inv@82@01 r) V@7@01) (<= 0 (inv@82@01 r))) $k@81@01 $Perm.No) $Perm.No))) :pattern ((inv@13@01 r)) :pattern ((inv@82@01 r)) :qid |qp.srp68|))) ; Intermediate check if already taken enough permissions (set-option :timeout 500) (push) ; 3 (assert (not (forall ((r $Ref)) (=> (and (< (inv@82@01 r) V@7@01) (<= 0 (inv@82@01 r))) (= (- $k@81@01 (pTaken@84@01 r)) $Perm.No))))) (check-sat) ; unsat (pop) ; 3 ; 0.01s ; (get-info :all-statistics) ; Final check if taken enough permissions ; Done removing quantified permissions (declare-const sm@85@01 $FVF) ; Definitional axioms for snapshot map domain (assert (forall ((r $Ref)) (! (and (=> (Set_in r ($FVF.domain_oa (as sm@85@01 $FVF))) (and (and (< (inv@82@01 r) V@7@01) (<= 0 (inv@82@01 r))) (< $Perm.No $k@81@01))) (=> (and (and (< (inv@82@01 r) V@7@01) (<= 0 (inv@82@01 r))) (< $Perm.No $k@81@01)) (Set_in r ($FVF.domain_oa (as sm@85@01 $FVF))))) :pattern ((Set_in r ($FVF.domain_oa (as sm@85@01 $FVF)))) :qid |qp.fvfDomDef71|))) ; Definitional axioms for snapshot map values (assert (forall ((r $Ref)) (! (=> (and (and (and (< (inv@82@01 r) V@7@01) (<= 0 (inv@82@01 r))) (< $Perm.No $k@81@01)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false)) (= ($FVF.lookup_oa (as sm@85@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@85@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef69|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@85@01 $FVF) r)) :qid |qp.fvfResTrgDef70|))) (pop) ; 2 ; Joined path conditions (assert ($Perm.isReadVar $k@81@01)) (assert (forall ((r $Ref)) (! (=> (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false) (= ($FVF.lookup_oa (as sm@83@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@83@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef66|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@83@01 $FVF) r)) :qid |qp.fvfResTrgDef67|))) (assert (forall ((i1@80@01 Int)) (! (=> (and (and (< i1@80@01 V@7@01) (<= 0 i1@80@01)) (< $Perm.No $k@81@01)) (= (inv@82@01 (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@80@01)) i1@80@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@80@01)) :qid |oa-invOfFct|))) (assert (forall ((r $Ref)) (! (=> (and (and (< (inv@82@01 r) V@7@01) (<= 0 (inv@82@01 r))) (< $Perm.No $k@81@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 (inv@82@01 r)) r)) :pattern ((inv@82@01 r)) :qid |oa-fctOfInv|))) (assert (forall ((r $Ref)) (! (and (=> (Set_in r ($FVF.domain_oa (as sm@85@01 $FVF))) (and (and (< (inv@82@01 r) V@7@01) (<= 0 (inv@82@01 r))) (< $Perm.No $k@81@01))) (=> (and (and (< (inv@82@01 r) V@7@01) (<= 0 (inv@82@01 r))) (< $Perm.No $k@81@01)) (Set_in r ($FVF.domain_oa (as sm@85@01 $FVF))))) :pattern ((Set_in r ($FVF.domain_oa (as sm@85@01 $FVF)))) :qid |qp.fvfDomDef71|))) (assert (forall ((r $Ref)) (! (=> (and (and (and (< (inv@82@01 r) V@7@01) (<= 0 (inv@82@01 r))) (< $Perm.No $k@81@01)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false)) (= ($FVF.lookup_oa (as sm@85@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@85@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef69|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@85@01 $FVF) r)) :qid |qp.fvfResTrgDef70|))) (assert (and (forall ((i1@80@01 Int)) (! (< i1@80@01 (alen G@6@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@80@01)) :qid |oa-aux|)) (forall ((r $Ref)) (! (=> (and (< (inv@82@01 r) V@7@01) (<= 0 (inv@82@01 r))) ($FVF.loc_oa ($FVF.lookup_oa (as sm@83@01 $FVF) r) r)) :pattern ((inv@82@01 r)) )) (forall ((r $Ref)) (! (=> (not (= (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $Perm.No)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< (ite (and (< (inv@82@01 r) V@7@01) (<= 0 (inv@82@01 r))) $k@81@01 $Perm.No) $k@12@01) (< (ite (and (< (inv@82@01 r) V@7@01) (<= 0 (inv@82@01 r))) $k@81@01 $Perm.No) $Perm.No))) :pattern ((inv@13@01 r)) :pattern ((inv@82@01 r)) :qid |qp.srp68|)))) (push) ; 2 ; [eval] SquareIntMatrix(G, V) (push) ; 3 (pop) ; 3 ; Joined path conditions (set-option :timeout 0) (push) ; 3 (assert (not (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@85@01 $FVF))) G@6@01 V@7@01) V@7@01))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) (assert (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@85@01 $FVF))) G@6@01 V@7@01) V@7@01)) ; [eval] NonNegativeCapacities(G, V) (push) ; 3 ; [eval] SquareIntMatrix(G, V) (push) ; 4 (pop) ; 4 ; Joined path conditions (pop) ; 3 ; Joined path conditions (push) ; 3 (assert (not (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@85@01 $FVF))) G@6@01 V@7@01) V@7@01))) (check-sat) ; unsat (pop) ; 3 ; 0.16s ; (get-info :all-statistics) (assert (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@85@01 $FVF))) G@6@01 V@7@01) V@7@01)) (pop) ; 2 ; Joined path conditions (assert (and (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@85@01 $FVF))) G@6@01 V@7@01) V@7@01) (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@85@01 $FVF))) G@6@01 V@7@01) V@7@01))) ; [eval] SumIncomingFlow(matrixValues(G, V), V) ; [eval] matrixValues(G, V) (push) ; 2 ; [eval] alen(a2) == V ; [eval] alen(a2) (declare-const i1@86@01 Int) (push) ; 3 ; [eval] 0 <= i1 && i1 < V ; [eval] 0 <= i1 (push) ; 4 ; [then-branch: 13 | 0 <= i1@86@01 | live] ; [else-branch: 13 | !(0 <= i1@86@01) | live] (push) ; 5 ; [then-branch: 13 | 0 <= i1@86@01] (assert (<= 0 i1@86@01)) ; [eval] i1 < V (pop) ; 5 (push) ; 5 ; [else-branch: 13 | !(0 <= i1@86@01)] (assert (not (<= 0 i1@86@01))) (pop) ; 5 (pop) ; 4 ; Joined path conditions ; Joined path conditions (assert (and (< i1@86@01 V@7@01) (<= 0 i1@86@01))) (declare-const $k@87@01 $Perm) (assert ($Perm.isReadVar $k@87@01)) ; [eval] aloc(a2, i1) (push) ; 4 ; [eval] 0 <= i1 ; [eval] i1 < alen(a2) ; [eval] alen(a2) (push) ; 5 (assert (not (< i1@86@01 (alen G@6@01)))) (check-sat) ; unsat (pop) ; 5 ; 0.00s ; (get-info :all-statistics) (assert (< i1@86@01 (alen G@6@01))) (pop) ; 4 ; Joined path conditions (assert (< i1@86@01 (alen G@6@01))) (pop) ; 3 (declare-fun inv@88@01 ($Ref) Int) ; Nested auxiliary terms: globals (assert ($Perm.isReadVar $k@87@01)) ; Nested auxiliary terms: non-globals (assert (forall ((i1@86@01 Int)) (! (< i1@86@01 (alen G@6@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@86@01)) :qid |oa-aux|))) (push) ; 3 (assert (not (forall ((i1@86@01 Int)) (=> (and (< i1@86@01 V@7@01) (<= 0 i1@86@01)) (or (= $k@87@01 $Perm.No) (< $Perm.No $k@87@01)))))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) (declare-const sm@89@01 $FVF) ; Definitional axioms for snapshot map domain ; Definitional axioms for snapshot map values (assert (forall ((r $Ref)) (! (=> (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false) (= ($FVF.lookup_oa (as sm@89@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@89@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef72|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@89@01 $FVF) r)) :qid |qp.fvfResTrgDef73|))) ; Check receiver injectivity (push) ; 3 (assert (not (forall ((i11@86@01 Int) (i12@86@01 Int)) (! (=> (and (and (and (and (< i11@86@01 V@7@01) (<= 0 i11@86@01)) ($FVF.loc_oa ($FVF.lookup_oa (as sm@89@01 $FVF) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@86@01)) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@86@01))) (< $Perm.No $k@87@01)) (and (and (and (< i12@86@01 V@7@01) (<= 0 i12@86@01)) ($FVF.loc_oa ($FVF.lookup_oa (as sm@89@01 $FVF) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@86@01)) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@86@01))) (< $Perm.No $k@87@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@86@01) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@86@01))) (= i11@86@01 i12@86@01)) :qid |oa-rcvrInj|)))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) ; Definitional axioms for inverse functions (assert (forall ((i1@86@01 Int)) (! (=> (and (and (< i1@86@01 V@7@01) (<= 0 i1@86@01)) (< $Perm.No $k@87@01)) (= (inv@88@01 (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@86@01)) i1@86@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@86@01)) :qid |oa-invOfFct|))) (assert (forall ((r $Ref)) (! (=> (and (and (< (inv@88@01 r) V@7@01) (<= 0 (inv@88@01 r))) (< $Perm.No $k@87@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 (inv@88@01 r)) r)) :pattern ((inv@88@01 r)) :qid |oa-fctOfInv|))) (assert (forall ((r $Ref)) (! (=> (and (< (inv@88@01 r) V@7@01) (<= 0 (inv@88@01 r))) ($FVF.loc_oa ($FVF.lookup_oa (as sm@89@01 $FVF) r) r)) :pattern ((inv@88@01 r)) ))) ; Precomputing data for removing quantified permissions (define-fun pTaken@90@01 ((r $Ref)) $Perm (ite (and (< (inv@88@01 r) V@7@01) (<= 0 (inv@88@01 r))) ($Perm.min (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $k@87@01) $Perm.No)) ; Done precomputing, updating quantified chunks ; State saturation: before repetition (set-option :timeout 10) (check-sat) ; unknown ; Constrain original permissions $k@87@01 (assert (forall ((r $Ref)) (! (=> (not (= (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $Perm.No)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< (ite (and (< (inv@88@01 r) V@7@01) (<= 0 (inv@88@01 r))) $k@87@01 $Perm.No) $k@12@01) (< (ite (and (< (inv@88@01 r) V@7@01) (<= 0 (inv@88@01 r))) $k@87@01 $Perm.No) $Perm.No))) :pattern ((inv@13@01 r)) :pattern ((inv@88@01 r)) :qid |qp.srp74|))) ; Intermediate check if already taken enough permissions (set-option :timeout 500) (push) ; 3 (assert (not (forall ((r $Ref)) (=> (and (< (inv@88@01 r) V@7@01) (<= 0 (inv@88@01 r))) (= (- $k@87@01 (pTaken@90@01 r)) $Perm.No))))) (check-sat) ; unsat (pop) ; 3 ; 0.01s ; (get-info :all-statistics) ; Final check if taken enough permissions ; Done removing quantified permissions (declare-const sm@91@01 $FVF) ; Definitional axioms for snapshot map domain (assert (forall ((r $Ref)) (! (and (=> (Set_in r ($FVF.domain_oa (as sm@91@01 $FVF))) (and (and (< (inv@88@01 r) V@7@01) (<= 0 (inv@88@01 r))) (< $Perm.No $k@87@01))) (=> (and (and (< (inv@88@01 r) V@7@01) (<= 0 (inv@88@01 r))) (< $Perm.No $k@87@01)) (Set_in r ($FVF.domain_oa (as sm@91@01 $FVF))))) :pattern ((Set_in r ($FVF.domain_oa (as sm@91@01 $FVF)))) :qid |qp.fvfDomDef77|))) ; Definitional axioms for snapshot map values (assert (forall ((r $Ref)) (! (=> (and (and (and (< (inv@88@01 r) V@7@01) (<= 0 (inv@88@01 r))) (< $Perm.No $k@87@01)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false)) (= ($FVF.lookup_oa (as sm@91@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@91@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef75|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@91@01 $FVF) r)) :qid |qp.fvfResTrgDef76|))) (pop) ; 2 ; Joined path conditions (assert ($Perm.isReadVar $k@87@01)) (assert (forall ((r $Ref)) (! (=> (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false) (= ($FVF.lookup_oa (as sm@89@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@89@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef72|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@89@01 $FVF) r)) :qid |qp.fvfResTrgDef73|))) (assert (forall ((i1@86@01 Int)) (! (=> (and (and (< i1@86@01 V@7@01) (<= 0 i1@86@01)) (< $Perm.No $k@87@01)) (= (inv@88@01 (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@86@01)) i1@86@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@86@01)) :qid |oa-invOfFct|))) (assert (forall ((r $Ref)) (! (=> (and (and (< (inv@88@01 r) V@7@01) (<= 0 (inv@88@01 r))) (< $Perm.No $k@87@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 (inv@88@01 r)) r)) :pattern ((inv@88@01 r)) :qid |oa-fctOfInv|))) (assert (forall ((r $Ref)) (! (and (=> (Set_in r ($FVF.domain_oa (as sm@91@01 $FVF))) (and (and (< (inv@88@01 r) V@7@01) (<= 0 (inv@88@01 r))) (< $Perm.No $k@87@01))) (=> (and (and (< (inv@88@01 r) V@7@01) (<= 0 (inv@88@01 r))) (< $Perm.No $k@87@01)) (Set_in r ($FVF.domain_oa (as sm@91@01 $FVF))))) :pattern ((Set_in r ($FVF.domain_oa (as sm@91@01 $FVF)))) :qid |qp.fvfDomDef77|))) (assert (forall ((r $Ref)) (! (=> (and (and (and (< (inv@88@01 r) V@7@01) (<= 0 (inv@88@01 r))) (< $Perm.No $k@87@01)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false)) (= ($FVF.lookup_oa (as sm@91@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@91@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef75|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@91@01 $FVF) r)) :qid |qp.fvfResTrgDef76|))) (assert (and (forall ((i1@86@01 Int)) (! (< i1@86@01 (alen G@6@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@86@01)) :qid |oa-aux|)) (forall ((r $Ref)) (! (=> (and (< (inv@88@01 r) V@7@01) (<= 0 (inv@88@01 r))) ($FVF.loc_oa ($FVF.lookup_oa (as sm@89@01 $FVF) r) r)) :pattern ((inv@88@01 r)) )) (forall ((r $Ref)) (! (=> (not (= (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $Perm.No)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< (ite (and (< (inv@88@01 r) V@7@01) (<= 0 (inv@88@01 r))) $k@87@01 $Perm.No) $k@12@01) (< (ite (and (< (inv@88@01 r) V@7@01) (<= 0 (inv@88@01 r))) $k@87@01 $Perm.No) $Perm.No))) :pattern ((inv@13@01 r)) :pattern ((inv@88@01 r)) :qid |qp.srp74|)))) (push) ; 2 ; [eval] SquareIntMatrix(G, V) (push) ; 3 (pop) ; 3 ; Joined path conditions (set-option :timeout 0) (push) ; 3 (assert (not (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@91@01 $FVF))) G@6@01 V@7@01) V@7@01))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) (assert (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@91@01 $FVF))) G@6@01 V@7@01) V@7@01)) ; [eval] NonNegativeCapacities(G, V) (push) ; 3 ; [eval] SquareIntMatrix(G, V) (push) ; 4 (pop) ; 4 ; Joined path conditions (pop) ; 3 ; Joined path conditions (push) ; 3 (assert (not (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@91@01 $FVF))) G@6@01 V@7@01) V@7@01))) (check-sat) ; unsat (pop) ; 3 ; 0.20s ; (get-info :all-statistics) (assert (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@91@01 $FVF))) G@6@01 V@7@01) V@7@01)) (pop) ; 2 ; Joined path conditions (assert (and (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@91@01 $FVF))) G@6@01 V@7@01) V@7@01) (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@91@01 $FVF))) G@6@01 V@7@01) V@7@01))) (assert (<= (SumIncomingFlow ($Snap.combine $Snap.unit $Snap.unit) (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@85@01 $FVF))) G@6@01 V@7@01) V@7@01) (SumIncomingFlow ($Snap.combine $Snap.unit $Snap.unit) (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@91@01 $FVF))) G@6@01 V@7@01) V@7@01))) (assert (= ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second $t@10@01))))))))) ($Snap.combine ($Snap.first ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second $t@10@01)))))))))) ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second $t@10@01))))))))))))) (assert (= ($Snap.first ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second $t@10@01)))))))))) $Snap.unit)) ; [eval] SumIncomingFlow(matrixValues(G, V), V) <= SumIncomingFlow(matrixValues(G, V), V) ; [eval] SumIncomingFlow(matrixValues(G, V), V) ; [eval] matrixValues(G, V) (push) ; 2 ; [eval] alen(a2) == V ; [eval] alen(a2) (declare-const i1@92@01 Int) (push) ; 3 ; [eval] 0 <= i1 && i1 < V ; [eval] 0 <= i1 (push) ; 4 ; [then-branch: 14 | 0 <= i1@92@01 | live] ; [else-branch: 14 | !(0 <= i1@92@01) | live] (push) ; 5 ; [then-branch: 14 | 0 <= i1@92@01] (assert (<= 0 i1@92@01)) ; [eval] i1 < V (pop) ; 5 (push) ; 5 ; [else-branch: 14 | !(0 <= i1@92@01)] (assert (not (<= 0 i1@92@01))) (pop) ; 5 (pop) ; 4 ; Joined path conditions ; Joined path conditions (assert (and (< i1@92@01 V@7@01) (<= 0 i1@92@01))) (declare-const $k@93@01 $Perm) (assert ($Perm.isReadVar $k@93@01)) ; [eval] aloc(a2, i1) (push) ; 4 ; [eval] 0 <= i1 ; [eval] i1 < alen(a2) ; [eval] alen(a2) (push) ; 5 (assert (not (< i1@92@01 (alen G@6@01)))) (check-sat) ; unsat (pop) ; 5 ; 0.00s ; (get-info :all-statistics) (assert (< i1@92@01 (alen G@6@01))) (pop) ; 4 ; Joined path conditions (assert (< i1@92@01 (alen G@6@01))) (pop) ; 3 (declare-fun inv@94@01 ($Ref) Int) ; Nested auxiliary terms: globals (assert ($Perm.isReadVar $k@93@01)) ; Nested auxiliary terms: non-globals (assert (forall ((i1@92@01 Int)) (! (< i1@92@01 (alen G@6@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@92@01)) :qid |oa-aux|))) (push) ; 3 (assert (not (forall ((i1@92@01 Int)) (=> (and (< i1@92@01 V@7@01) (<= 0 i1@92@01)) (or (= $k@93@01 $Perm.No) (< $Perm.No $k@93@01)))))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) (declare-const sm@95@01 $FVF) ; Definitional axioms for snapshot map domain ; Definitional axioms for snapshot map values (assert (forall ((r $Ref)) (! (=> (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false) (= ($FVF.lookup_oa (as sm@95@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@95@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef78|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@95@01 $FVF) r)) :qid |qp.fvfResTrgDef79|))) ; Check receiver injectivity (push) ; 3 (assert (not (forall ((i11@92@01 Int) (i12@92@01 Int)) (! (=> (and (and (and (and (< i11@92@01 V@7@01) (<= 0 i11@92@01)) ($FVF.loc_oa ($FVF.lookup_oa (as sm@95@01 $FVF) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@92@01)) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@92@01))) (< $Perm.No $k@93@01)) (and (and (and (< i12@92@01 V@7@01) (<= 0 i12@92@01)) ($FVF.loc_oa ($FVF.lookup_oa (as sm@95@01 $FVF) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@92@01)) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@92@01))) (< $Perm.No $k@93@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@92@01) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@92@01))) (= i11@92@01 i12@92@01)) :qid |oa-rcvrInj|)))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) ; Definitional axioms for inverse functions (assert (forall ((i1@92@01 Int)) (! (=> (and (and (< i1@92@01 V@7@01) (<= 0 i1@92@01)) (< $Perm.No $k@93@01)) (= (inv@94@01 (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@92@01)) i1@92@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@92@01)) :qid |oa-invOfFct|))) (assert (forall ((r $Ref)) (! (=> (and (and (< (inv@94@01 r) V@7@01) (<= 0 (inv@94@01 r))) (< $Perm.No $k@93@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 (inv@94@01 r)) r)) :pattern ((inv@94@01 r)) :qid |oa-fctOfInv|))) (assert (forall ((r $Ref)) (! (=> (and (< (inv@94@01 r) V@7@01) (<= 0 (inv@94@01 r))) ($FVF.loc_oa ($FVF.lookup_oa (as sm@95@01 $FVF) r) r)) :pattern ((inv@94@01 r)) ))) ; Precomputing data for removing quantified permissions (define-fun pTaken@96@01 ((r $Ref)) $Perm (ite (and (< (inv@94@01 r) V@7@01) (<= 0 (inv@94@01 r))) ($Perm.min (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $k@93@01) $Perm.No)) ; Done precomputing, updating quantified chunks ; State saturation: before repetition (set-option :timeout 10) (check-sat) ; unknown ; Constrain original permissions $k@93@01 (assert (forall ((r $Ref)) (! (=> (not (= (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $Perm.No)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< (ite (and (< (inv@94@01 r) V@7@01) (<= 0 (inv@94@01 r))) $k@93@01 $Perm.No) $k@12@01) (< (ite (and (< (inv@94@01 r) V@7@01) (<= 0 (inv@94@01 r))) $k@93@01 $Perm.No) $Perm.No))) :pattern ((inv@13@01 r)) :pattern ((inv@94@01 r)) :qid |qp.srp80|))) ; Intermediate check if already taken enough permissions (set-option :timeout 500) (push) ; 3 (assert (not (forall ((r $Ref)) (=> (and (< (inv@94@01 r) V@7@01) (<= 0 (inv@94@01 r))) (= (- $k@93@01 (pTaken@96@01 r)) $Perm.No))))) (check-sat) ; unsat (pop) ; 3 ; 0.01s ; (get-info :all-statistics) ; Final check if taken enough permissions ; Done removing quantified permissions (declare-const sm@97@01 $FVF) ; Definitional axioms for snapshot map domain (assert (forall ((r $Ref)) (! (and (=> (Set_in r ($FVF.domain_oa (as sm@97@01 $FVF))) (and (and (< (inv@94@01 r) V@7@01) (<= 0 (inv@94@01 r))) (< $Perm.No $k@93@01))) (=> (and (and (< (inv@94@01 r) V@7@01) (<= 0 (inv@94@01 r))) (< $Perm.No $k@93@01)) (Set_in r ($FVF.domain_oa (as sm@97@01 $FVF))))) :pattern ((Set_in r ($FVF.domain_oa (as sm@97@01 $FVF)))) :qid |qp.fvfDomDef83|))) ; Definitional axioms for snapshot map values (assert (forall ((r $Ref)) (! (=> (and (and (and (< (inv@94@01 r) V@7@01) (<= 0 (inv@94@01 r))) (< $Perm.No $k@93@01)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false)) (= ($FVF.lookup_oa (as sm@97@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@97@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef81|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@97@01 $FVF) r)) :qid |qp.fvfResTrgDef82|))) (pop) ; 2 ; Joined path conditions (assert ($Perm.isReadVar $k@93@01)) (assert (forall ((r $Ref)) (! (=> (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false) (= ($FVF.lookup_oa (as sm@95@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@95@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef78|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@95@01 $FVF) r)) :qid |qp.fvfResTrgDef79|))) (assert (forall ((i1@92@01 Int)) (! (=> (and (and (< i1@92@01 V@7@01) (<= 0 i1@92@01)) (< $Perm.No $k@93@01)) (= (inv@94@01 (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@92@01)) i1@92@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@92@01)) :qid |oa-invOfFct|))) (assert (forall ((r $Ref)) (! (=> (and (and (< (inv@94@01 r) V@7@01) (<= 0 (inv@94@01 r))) (< $Perm.No $k@93@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 (inv@94@01 r)) r)) :pattern ((inv@94@01 r)) :qid |oa-fctOfInv|))) (assert (forall ((r $Ref)) (! (and (=> (Set_in r ($FVF.domain_oa (as sm@97@01 $FVF))) (and (and (< (inv@94@01 r) V@7@01) (<= 0 (inv@94@01 r))) (< $Perm.No $k@93@01))) (=> (and (and (< (inv@94@01 r) V@7@01) (<= 0 (inv@94@01 r))) (< $Perm.No $k@93@01)) (Set_in r ($FVF.domain_oa (as sm@97@01 $FVF))))) :pattern ((Set_in r ($FVF.domain_oa (as sm@97@01 $FVF)))) :qid |qp.fvfDomDef83|))) (assert (forall ((r $Ref)) (! (=> (and (and (and (< (inv@94@01 r) V@7@01) (<= 0 (inv@94@01 r))) (< $Perm.No $k@93@01)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false)) (= ($FVF.lookup_oa (as sm@97@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@97@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef81|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@97@01 $FVF) r)) :qid |qp.fvfResTrgDef82|))) (assert (and (forall ((i1@92@01 Int)) (! (< i1@92@01 (alen G@6@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@92@01)) :qid |oa-aux|)) (forall ((r $Ref)) (! (=> (and (< (inv@94@01 r) V@7@01) (<= 0 (inv@94@01 r))) ($FVF.loc_oa ($FVF.lookup_oa (as sm@95@01 $FVF) r) r)) :pattern ((inv@94@01 r)) )) (forall ((r $Ref)) (! (=> (not (= (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $Perm.No)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< (ite (and (< (inv@94@01 r) V@7@01) (<= 0 (inv@94@01 r))) $k@93@01 $Perm.No) $k@12@01) (< (ite (and (< (inv@94@01 r) V@7@01) (<= 0 (inv@94@01 r))) $k@93@01 $Perm.No) $Perm.No))) :pattern ((inv@13@01 r)) :pattern ((inv@94@01 r)) :qid |qp.srp80|)))) (push) ; 2 ; [eval] SquareIntMatrix(G, V) (push) ; 3 (pop) ; 3 ; Joined path conditions (set-option :timeout 0) (push) ; 3 (assert (not (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@97@01 $FVF))) G@6@01 V@7@01) V@7@01))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) (assert (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@97@01 $FVF))) G@6@01 V@7@01) V@7@01)) ; [eval] NonNegativeCapacities(G, V) (push) ; 3 ; [eval] SquareIntMatrix(G, V) (push) ; 4 (pop) ; 4 ; Joined path conditions (pop) ; 3 ; Joined path conditions (push) ; 3 (assert (not (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@97@01 $FVF))) G@6@01 V@7@01) V@7@01))) (check-sat) ; unsat (pop) ; 3 ; 0.24s ; (get-info :all-statistics) (assert (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@97@01 $FVF))) G@6@01 V@7@01) V@7@01)) (pop) ; 2 ; Joined path conditions (assert (and (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@97@01 $FVF))) G@6@01 V@7@01) V@7@01) (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@97@01 $FVF))) G@6@01 V@7@01) V@7@01))) ; [eval] SumIncomingFlow(matrixValues(G, V), V) ; [eval] matrixValues(G, V) (push) ; 2 ; [eval] alen(a2) == V ; [eval] alen(a2) (declare-const i1@98@01 Int) (push) ; 3 ; [eval] 0 <= i1 && i1 < V ; [eval] 0 <= i1 (push) ; 4 ; [then-branch: 15 | 0 <= i1@98@01 | live] ; [else-branch: 15 | !(0 <= i1@98@01) | live] (push) ; 5 ; [then-branch: 15 | 0 <= i1@98@01] (assert (<= 0 i1@98@01)) ; [eval] i1 < V (pop) ; 5 (push) ; 5 ; [else-branch: 15 | !(0 <= i1@98@01)] (assert (not (<= 0 i1@98@01))) (pop) ; 5 (pop) ; 4 ; Joined path conditions ; Joined path conditions (assert (and (< i1@98@01 V@7@01) (<= 0 i1@98@01))) (declare-const $k@99@01 $Perm) (assert ($Perm.isReadVar $k@99@01)) ; [eval] aloc(a2, i1) (push) ; 4 ; [eval] 0 <= i1 ; [eval] i1 < alen(a2) ; [eval] alen(a2) (push) ; 5 (assert (not (< i1@98@01 (alen G@6@01)))) (check-sat) ; unsat (pop) ; 5 ; 0.00s ; (get-info :all-statistics) (assert (< i1@98@01 (alen G@6@01))) (pop) ; 4 ; Joined path conditions (assert (< i1@98@01 (alen G@6@01))) (pop) ; 3 (declare-fun inv@100@01 ($Ref) Int) ; Nested auxiliary terms: globals (assert ($Perm.isReadVar $k@99@01)) ; Nested auxiliary terms: non-globals (assert (forall ((i1@98@01 Int)) (! (< i1@98@01 (alen G@6@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@98@01)) :qid |oa-aux|))) (push) ; 3 (assert (not (forall ((i1@98@01 Int)) (=> (and (< i1@98@01 V@7@01) (<= 0 i1@98@01)) (or (= $k@99@01 $Perm.No) (< $Perm.No $k@99@01)))))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) (declare-const sm@101@01 $FVF) ; Definitional axioms for snapshot map domain ; Definitional axioms for snapshot map values (assert (forall ((r $Ref)) (! (=> (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false) (= ($FVF.lookup_oa (as sm@101@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@101@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef84|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@101@01 $FVF) r)) :qid |qp.fvfResTrgDef85|))) ; Check receiver injectivity (push) ; 3 (assert (not (forall ((i11@98@01 Int) (i12@98@01 Int)) (! (=> (and (and (and (and (< i11@98@01 V@7@01) (<= 0 i11@98@01)) ($FVF.loc_oa ($FVF.lookup_oa (as sm@101@01 $FVF) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@98@01)) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@98@01))) (< $Perm.No $k@99@01)) (and (and (and (< i12@98@01 V@7@01) (<= 0 i12@98@01)) ($FVF.loc_oa ($FVF.lookup_oa (as sm@101@01 $FVF) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@98@01)) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@98@01))) (< $Perm.No $k@99@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@98@01) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@98@01))) (= i11@98@01 i12@98@01)) :qid |oa-rcvrInj|)))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) ; Definitional axioms for inverse functions (assert (forall ((i1@98@01 Int)) (! (=> (and (and (< i1@98@01 V@7@01) (<= 0 i1@98@01)) (< $Perm.No $k@99@01)) (= (inv@100@01 (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@98@01)) i1@98@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@98@01)) :qid |oa-invOfFct|))) (assert (forall ((r $Ref)) (! (=> (and (and (< (inv@100@01 r) V@7@01) (<= 0 (inv@100@01 r))) (< $Perm.No $k@99@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 (inv@100@01 r)) r)) :pattern ((inv@100@01 r)) :qid |oa-fctOfInv|))) (assert (forall ((r $Ref)) (! (=> (and (< (inv@100@01 r) V@7@01) (<= 0 (inv@100@01 r))) ($FVF.loc_oa ($FVF.lookup_oa (as sm@101@01 $FVF) r) r)) :pattern ((inv@100@01 r)) ))) ; Precomputing data for removing quantified permissions (define-fun pTaken@102@01 ((r $Ref)) $Perm (ite (and (< (inv@100@01 r) V@7@01) (<= 0 (inv@100@01 r))) ($Perm.min (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $k@99@01) $Perm.No)) ; Done precomputing, updating quantified chunks ; State saturation: before repetition (set-option :timeout 10) (check-sat) ; unknown ; Constrain original permissions $k@99@01 (assert (forall ((r $Ref)) (! (=> (not (= (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $Perm.No)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< (ite (and (< (inv@100@01 r) V@7@01) (<= 0 (inv@100@01 r))) $k@99@01 $Perm.No) $k@12@01) (< (ite (and (< (inv@100@01 r) V@7@01) (<= 0 (inv@100@01 r))) $k@99@01 $Perm.No) $Perm.No))) :pattern ((inv@13@01 r)) :pattern ((inv@100@01 r)) :qid |qp.srp86|))) ; Intermediate check if already taken enough permissions (set-option :timeout 500) (push) ; 3 (assert (not (forall ((r $Ref)) (=> (and (< (inv@100@01 r) V@7@01) (<= 0 (inv@100@01 r))) (= (- $k@99@01 (pTaken@102@01 r)) $Perm.No))))) (check-sat) ; unsat (pop) ; 3 ; 0.01s ; (get-info :all-statistics) ; Final check if taken enough permissions ; Done removing quantified permissions (declare-const sm@103@01 $FVF) ; Definitional axioms for snapshot map domain (assert (forall ((r $Ref)) (! (and (=> (Set_in r ($FVF.domain_oa (as sm@103@01 $FVF))) (and (and (< (inv@100@01 r) V@7@01) (<= 0 (inv@100@01 r))) (< $Perm.No $k@99@01))) (=> (and (and (< (inv@100@01 r) V@7@01) (<= 0 (inv@100@01 r))) (< $Perm.No $k@99@01)) (Set_in r ($FVF.domain_oa (as sm@103@01 $FVF))))) :pattern ((Set_in r ($FVF.domain_oa (as sm@103@01 $FVF)))) :qid |qp.fvfDomDef89|))) ; Definitional axioms for snapshot map values (assert (forall ((r $Ref)) (! (=> (and (and (and (< (inv@100@01 r) V@7@01) (<= 0 (inv@100@01 r))) (< $Perm.No $k@99@01)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false)) (= ($FVF.lookup_oa (as sm@103@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@103@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef87|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@103@01 $FVF) r)) :qid |qp.fvfResTrgDef88|))) (pop) ; 2 ; Joined path conditions (assert ($Perm.isReadVar $k@99@01)) (assert (forall ((r $Ref)) (! (=> (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false) (= ($FVF.lookup_oa (as sm@101@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@101@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef84|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@101@01 $FVF) r)) :qid |qp.fvfResTrgDef85|))) (assert (forall ((i1@98@01 Int)) (! (=> (and (and (< i1@98@01 V@7@01) (<= 0 i1@98@01)) (< $Perm.No $k@99@01)) (= (inv@100@01 (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@98@01)) i1@98@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@98@01)) :qid |oa-invOfFct|))) (assert (forall ((r $Ref)) (! (=> (and (and (< (inv@100@01 r) V@7@01) (<= 0 (inv@100@01 r))) (< $Perm.No $k@99@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 (inv@100@01 r)) r)) :pattern ((inv@100@01 r)) :qid |oa-fctOfInv|))) (assert (forall ((r $Ref)) (! (and (=> (Set_in r ($FVF.domain_oa (as sm@103@01 $FVF))) (and (and (< (inv@100@01 r) V@7@01) (<= 0 (inv@100@01 r))) (< $Perm.No $k@99@01))) (=> (and (and (< (inv@100@01 r) V@7@01) (<= 0 (inv@100@01 r))) (< $Perm.No $k@99@01)) (Set_in r ($FVF.domain_oa (as sm@103@01 $FVF))))) :pattern ((Set_in r ($FVF.domain_oa (as sm@103@01 $FVF)))) :qid |qp.fvfDomDef89|))) (assert (forall ((r $Ref)) (! (=> (and (and (and (< (inv@100@01 r) V@7@01) (<= 0 (inv@100@01 r))) (< $Perm.No $k@99@01)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false)) (= ($FVF.lookup_oa (as sm@103@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@103@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef87|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@103@01 $FVF) r)) :qid |qp.fvfResTrgDef88|))) (assert (and (forall ((i1@98@01 Int)) (! (< i1@98@01 (alen G@6@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@98@01)) :qid |oa-aux|)) (forall ((r $Ref)) (! (=> (and (< (inv@100@01 r) V@7@01) (<= 0 (inv@100@01 r))) ($FVF.loc_oa ($FVF.lookup_oa (as sm@101@01 $FVF) r) r)) :pattern ((inv@100@01 r)) )) (forall ((r $Ref)) (! (=> (not (= (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $Perm.No)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< (ite (and (< (inv@100@01 r) V@7@01) (<= 0 (inv@100@01 r))) $k@99@01 $Perm.No) $k@12@01) (< (ite (and (< (inv@100@01 r) V@7@01) (<= 0 (inv@100@01 r))) $k@99@01 $Perm.No) $Perm.No))) :pattern ((inv@13@01 r)) :pattern ((inv@100@01 r)) :qid |qp.srp86|)))) (push) ; 2 ; [eval] SquareIntMatrix(G, V) (push) ; 3 (pop) ; 3 ; Joined path conditions (set-option :timeout 0) (push) ; 3 (assert (not (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@103@01 $FVF))) G@6@01 V@7@01) V@7@01))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) (assert (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@103@01 $FVF))) G@6@01 V@7@01) V@7@01)) ; [eval] NonNegativeCapacities(G, V) (push) ; 3 ; [eval] SquareIntMatrix(G, V) (push) ; 4 (pop) ; 4 ; Joined path conditions (pop) ; 3 ; Joined path conditions (push) ; 3 (assert (not (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@103@01 $FVF))) G@6@01 V@7@01) V@7@01))) (check-sat) ; unsat (pop) ; 3 ; 0.30s ; (get-info :all-statistics) (assert (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@103@01 $FVF))) G@6@01 V@7@01) V@7@01)) (pop) ; 2 ; Joined path conditions (assert (and (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@103@01 $FVF))) G@6@01 V@7@01) V@7@01) (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@103@01 $FVF))) G@6@01 V@7@01) V@7@01))) (assert (<= (SumIncomingFlow ($Snap.combine $Snap.unit $Snap.unit) (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@97@01 $FVF))) G@6@01 V@7@01) V@7@01) (SumIncomingFlow ($Snap.combine $Snap.unit $Snap.unit) (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@103@01 $FVF))) G@6@01 V@7@01) V@7@01))) (assert (= ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second $t@10@01)))))))))) ($Snap.combine ($Snap.first ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second $t@10@01))))))))))) ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second $t@10@01)))))))))))))) (assert (= ($Snap.first ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second $t@10@01))))))))))) $Snap.unit)) ; [eval] SumIncomingFlow(matrixValues(G, V), V) <= SumIncomingFlow(matrixValues(G, V), V) ; [eval] SumIncomingFlow(matrixValues(G, V), V) ; [eval] matrixValues(G, V) (push) ; 2 ; [eval] alen(a2) == V ; [eval] alen(a2) (declare-const i1@104@01 Int) (push) ; 3 ; [eval] 0 <= i1 && i1 < V ; [eval] 0 <= i1 (push) ; 4 ; [then-branch: 16 | 0 <= i1@104@01 | live] ; [else-branch: 16 | !(0 <= i1@104@01) | live] (push) ; 5 ; [then-branch: 16 | 0 <= i1@104@01] (assert (<= 0 i1@104@01)) ; [eval] i1 < V (pop) ; 5 (push) ; 5 ; [else-branch: 16 | !(0 <= i1@104@01)] (assert (not (<= 0 i1@104@01))) (pop) ; 5 (pop) ; 4 ; Joined path conditions ; Joined path conditions (assert (and (< i1@104@01 V@7@01) (<= 0 i1@104@01))) (declare-const $k@105@01 $Perm) (assert ($Perm.isReadVar $k@105@01)) ; [eval] aloc(a2, i1) (push) ; 4 ; [eval] 0 <= i1 ; [eval] i1 < alen(a2) ; [eval] alen(a2) (push) ; 5 (assert (not (< i1@104@01 (alen G@6@01)))) (check-sat) ; unsat (pop) ; 5 ; 0.00s ; (get-info :all-statistics) (assert (< i1@104@01 (alen G@6@01))) (pop) ; 4 ; Joined path conditions (assert (< i1@104@01 (alen G@6@01))) (pop) ; 3 (declare-fun inv@106@01 ($Ref) Int) ; Nested auxiliary terms: globals (assert ($Perm.isReadVar $k@105@01)) ; Nested auxiliary terms: non-globals (assert (forall ((i1@104@01 Int)) (! (< i1@104@01 (alen G@6@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@104@01)) :qid |oa-aux|))) (push) ; 3 (assert (not (forall ((i1@104@01 Int)) (=> (and (< i1@104@01 V@7@01) (<= 0 i1@104@01)) (or (= $k@105@01 $Perm.No) (< $Perm.No $k@105@01)))))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) (declare-const sm@107@01 $FVF) ; Definitional axioms for snapshot map domain ; Definitional axioms for snapshot map values (assert (forall ((r $Ref)) (! (=> (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false) (= ($FVF.lookup_oa (as sm@107@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@107@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef90|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@107@01 $FVF) r)) :qid |qp.fvfResTrgDef91|))) ; Check receiver injectivity (push) ; 3 (assert (not (forall ((i11@104@01 Int) (i12@104@01 Int)) (! (=> (and (and (and (and (< i11@104@01 V@7@01) (<= 0 i11@104@01)) ($FVF.loc_oa ($FVF.lookup_oa (as sm@107@01 $FVF) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@104@01)) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@104@01))) (< $Perm.No $k@105@01)) (and (and (and (< i12@104@01 V@7@01) (<= 0 i12@104@01)) ($FVF.loc_oa ($FVF.lookup_oa (as sm@107@01 $FVF) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@104@01)) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@104@01))) (< $Perm.No $k@105@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@104@01) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@104@01))) (= i11@104@01 i12@104@01)) :qid |oa-rcvrInj|)))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) ; Definitional axioms for inverse functions (assert (forall ((i1@104@01 Int)) (! (=> (and (and (< i1@104@01 V@7@01) (<= 0 i1@104@01)) (< $Perm.No $k@105@01)) (= (inv@106@01 (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@104@01)) i1@104@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@104@01)) :qid |oa-invOfFct|))) (assert (forall ((r $Ref)) (! (=> (and (and (< (inv@106@01 r) V@7@01) (<= 0 (inv@106@01 r))) (< $Perm.No $k@105@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 (inv@106@01 r)) r)) :pattern ((inv@106@01 r)) :qid |oa-fctOfInv|))) (assert (forall ((r $Ref)) (! (=> (and (< (inv@106@01 r) V@7@01) (<= 0 (inv@106@01 r))) ($FVF.loc_oa ($FVF.lookup_oa (as sm@107@01 $FVF) r) r)) :pattern ((inv@106@01 r)) ))) ; Precomputing data for removing quantified permissions (define-fun pTaken@108@01 ((r $Ref)) $Perm (ite (and (< (inv@106@01 r) V@7@01) (<= 0 (inv@106@01 r))) ($Perm.min (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $k@105@01) $Perm.No)) ; Done precomputing, updating quantified chunks ; State saturation: before repetition (set-option :timeout 10) (check-sat) ; unknown ; Constrain original permissions $k@105@01 (assert (forall ((r $Ref)) (! (=> (not (= (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $Perm.No)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< (ite (and (< (inv@106@01 r) V@7@01) (<= 0 (inv@106@01 r))) $k@105@01 $Perm.No) $k@12@01) (< (ite (and (< (inv@106@01 r) V@7@01) (<= 0 (inv@106@01 r))) $k@105@01 $Perm.No) $Perm.No))) :pattern ((inv@13@01 r)) :pattern ((inv@106@01 r)) :qid |qp.srp92|))) ; Intermediate check if already taken enough permissions (set-option :timeout 500) (push) ; 3 (assert (not (forall ((r $Ref)) (=> (and (< (inv@106@01 r) V@7@01) (<= 0 (inv@106@01 r))) (= (- $k@105@01 (pTaken@108@01 r)) $Perm.No))))) (check-sat) ; unsat (pop) ; 3 ; 0.01s ; (get-info :all-statistics) ; Final check if taken enough permissions ; Done removing quantified permissions (declare-const sm@109@01 $FVF) ; Definitional axioms for snapshot map domain (assert (forall ((r $Ref)) (! (and (=> (Set_in r ($FVF.domain_oa (as sm@109@01 $FVF))) (and (and (< (inv@106@01 r) V@7@01) (<= 0 (inv@106@01 r))) (< $Perm.No $k@105@01))) (=> (and (and (< (inv@106@01 r) V@7@01) (<= 0 (inv@106@01 r))) (< $Perm.No $k@105@01)) (Set_in r ($FVF.domain_oa (as sm@109@01 $FVF))))) :pattern ((Set_in r ($FVF.domain_oa (as sm@109@01 $FVF)))) :qid |qp.fvfDomDef95|))) ; Definitional axioms for snapshot map values (assert (forall ((r $Ref)) (! (=> (and (and (and (< (inv@106@01 r) V@7@01) (<= 0 (inv@106@01 r))) (< $Perm.No $k@105@01)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false)) (= ($FVF.lookup_oa (as sm@109@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@109@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef93|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@109@01 $FVF) r)) :qid |qp.fvfResTrgDef94|))) (pop) ; 2 ; Joined path conditions (assert ($Perm.isReadVar $k@105@01)) (assert (forall ((r $Ref)) (! (=> (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false) (= ($FVF.lookup_oa (as sm@107@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@107@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef90|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@107@01 $FVF) r)) :qid |qp.fvfResTrgDef91|))) (assert (forall ((i1@104@01 Int)) (! (=> (and (and (< i1@104@01 V@7@01) (<= 0 i1@104@01)) (< $Perm.No $k@105@01)) (= (inv@106@01 (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@104@01)) i1@104@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@104@01)) :qid |oa-invOfFct|))) (assert (forall ((r $Ref)) (! (=> (and (and (< (inv@106@01 r) V@7@01) (<= 0 (inv@106@01 r))) (< $Perm.No $k@105@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 (inv@106@01 r)) r)) :pattern ((inv@106@01 r)) :qid |oa-fctOfInv|))) (assert (forall ((r $Ref)) (! (and (=> (Set_in r ($FVF.domain_oa (as sm@109@01 $FVF))) (and (and (< (inv@106@01 r) V@7@01) (<= 0 (inv@106@01 r))) (< $Perm.No $k@105@01))) (=> (and (and (< (inv@106@01 r) V@7@01) (<= 0 (inv@106@01 r))) (< $Perm.No $k@105@01)) (Set_in r ($FVF.domain_oa (as sm@109@01 $FVF))))) :pattern ((Set_in r ($FVF.domain_oa (as sm@109@01 $FVF)))) :qid |qp.fvfDomDef95|))) (assert (forall ((r $Ref)) (! (=> (and (and (and (< (inv@106@01 r) V@7@01) (<= 0 (inv@106@01 r))) (< $Perm.No $k@105@01)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false)) (= ($FVF.lookup_oa (as sm@109@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@109@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef93|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@109@01 $FVF) r)) :qid |qp.fvfResTrgDef94|))) (assert (and (forall ((i1@104@01 Int)) (! (< i1@104@01 (alen G@6@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@104@01)) :qid |oa-aux|)) (forall ((r $Ref)) (! (=> (and (< (inv@106@01 r) V@7@01) (<= 0 (inv@106@01 r))) ($FVF.loc_oa ($FVF.lookup_oa (as sm@107@01 $FVF) r) r)) :pattern ((inv@106@01 r)) )) (forall ((r $Ref)) (! (=> (not (= (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $Perm.No)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< (ite (and (< (inv@106@01 r) V@7@01) (<= 0 (inv@106@01 r))) $k@105@01 $Perm.No) $k@12@01) (< (ite (and (< (inv@106@01 r) V@7@01) (<= 0 (inv@106@01 r))) $k@105@01 $Perm.No) $Perm.No))) :pattern ((inv@13@01 r)) :pattern ((inv@106@01 r)) :qid |qp.srp92|)))) (push) ; 2 ; [eval] SquareIntMatrix(G, V) (push) ; 3 (pop) ; 3 ; Joined path conditions (set-option :timeout 0) (push) ; 3 (assert (not (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@109@01 $FVF))) G@6@01 V@7@01) V@7@01))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) (assert (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@109@01 $FVF))) G@6@01 V@7@01) V@7@01)) ; [eval] NonNegativeCapacities(G, V) (push) ; 3 ; [eval] SquareIntMatrix(G, V) (push) ; 4 (pop) ; 4 ; Joined path conditions (pop) ; 3 ; Joined path conditions (push) ; 3 (assert (not (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@109@01 $FVF))) G@6@01 V@7@01) V@7@01))) (check-sat) ; unsat (pop) ; 3 ; 0.37s ; (get-info :all-statistics) (assert (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@109@01 $FVF))) G@6@01 V@7@01) V@7@01)) (pop) ; 2 ; Joined path conditions (assert (and (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@109@01 $FVF))) G@6@01 V@7@01) V@7@01) (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@109@01 $FVF))) G@6@01 V@7@01) V@7@01))) ; [eval] SumIncomingFlow(matrixValues(G, V), V) ; [eval] matrixValues(G, V) (push) ; 2 ; [eval] alen(a2) == V ; [eval] alen(a2) (declare-const i1@110@01 Int) (push) ; 3 ; [eval] 0 <= i1 && i1 < V ; [eval] 0 <= i1 (push) ; 4 ; [then-branch: 17 | 0 <= i1@110@01 | live] ; [else-branch: 17 | !(0 <= i1@110@01) | live] (push) ; 5 ; [then-branch: 17 | 0 <= i1@110@01] (assert (<= 0 i1@110@01)) ; [eval] i1 < V (pop) ; 5 (push) ; 5 ; [else-branch: 17 | !(0 <= i1@110@01)] (assert (not (<= 0 i1@110@01))) (pop) ; 5 (pop) ; 4 ; Joined path conditions ; Joined path conditions (assert (and (< i1@110@01 V@7@01) (<= 0 i1@110@01))) (declare-const $k@111@01 $Perm) (assert ($Perm.isReadVar $k@111@01)) ; [eval] aloc(a2, i1) (push) ; 4 ; [eval] 0 <= i1 ; [eval] i1 < alen(a2) ; [eval] alen(a2) (push) ; 5 (assert (not (< i1@110@01 (alen G@6@01)))) (check-sat) ; unsat (pop) ; 5 ; 0.00s ; (get-info :all-statistics) (assert (< i1@110@01 (alen G@6@01))) (pop) ; 4 ; Joined path conditions (assert (< i1@110@01 (alen G@6@01))) (pop) ; 3 (declare-fun inv@112@01 ($Ref) Int) ; Nested auxiliary terms: globals (assert ($Perm.isReadVar $k@111@01)) ; Nested auxiliary terms: non-globals (assert (forall ((i1@110@01 Int)) (! (< i1@110@01 (alen G@6@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@110@01)) :qid |oa-aux|))) (push) ; 3 (assert (not (forall ((i1@110@01 Int)) (=> (and (< i1@110@01 V@7@01) (<= 0 i1@110@01)) (or (= $k@111@01 $Perm.No) (< $Perm.No $k@111@01)))))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) (declare-const sm@113@01 $FVF) ; Definitional axioms for snapshot map domain ; Definitional axioms for snapshot map values (assert (forall ((r $Ref)) (! (=> (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false) (= ($FVF.lookup_oa (as sm@113@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@113@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef96|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@113@01 $FVF) r)) :qid |qp.fvfResTrgDef97|))) ; Check receiver injectivity (push) ; 3 (assert (not (forall ((i11@110@01 Int) (i12@110@01 Int)) (! (=> (and (and (and (and (< i11@110@01 V@7@01) (<= 0 i11@110@01)) ($FVF.loc_oa ($FVF.lookup_oa (as sm@113@01 $FVF) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@110@01)) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@110@01))) (< $Perm.No $k@111@01)) (and (and (and (< i12@110@01 V@7@01) (<= 0 i12@110@01)) ($FVF.loc_oa ($FVF.lookup_oa (as sm@113@01 $FVF) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@110@01)) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@110@01))) (< $Perm.No $k@111@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@110@01) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@110@01))) (= i11@110@01 i12@110@01)) :qid |oa-rcvrInj|)))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) ; Definitional axioms for inverse functions (assert (forall ((i1@110@01 Int)) (! (=> (and (and (< i1@110@01 V@7@01) (<= 0 i1@110@01)) (< $Perm.No $k@111@01)) (= (inv@112@01 (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@110@01)) i1@110@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@110@01)) :qid |oa-invOfFct|))) (assert (forall ((r $Ref)) (! (=> (and (and (< (inv@112@01 r) V@7@01) (<= 0 (inv@112@01 r))) (< $Perm.No $k@111@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 (inv@112@01 r)) r)) :pattern ((inv@112@01 r)) :qid |oa-fctOfInv|))) (assert (forall ((r $Ref)) (! (=> (and (< (inv@112@01 r) V@7@01) (<= 0 (inv@112@01 r))) ($FVF.loc_oa ($FVF.lookup_oa (as sm@113@01 $FVF) r) r)) :pattern ((inv@112@01 r)) ))) ; Precomputing data for removing quantified permissions (define-fun pTaken@114@01 ((r $Ref)) $Perm (ite (and (< (inv@112@01 r) V@7@01) (<= 0 (inv@112@01 r))) ($Perm.min (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $k@111@01) $Perm.No)) ; Done precomputing, updating quantified chunks ; State saturation: before repetition (set-option :timeout 10) (check-sat) ; unknown ; Constrain original permissions $k@111@01 (assert (forall ((r $Ref)) (! (=> (not (= (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $Perm.No)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< (ite (and (< (inv@112@01 r) V@7@01) (<= 0 (inv@112@01 r))) $k@111@01 $Perm.No) $k@12@01) (< (ite (and (< (inv@112@01 r) V@7@01) (<= 0 (inv@112@01 r))) $k@111@01 $Perm.No) $Perm.No))) :pattern ((inv@13@01 r)) :pattern ((inv@112@01 r)) :qid |qp.srp98|))) ; Intermediate check if already taken enough permissions (set-option :timeout 500) (push) ; 3 (assert (not (forall ((r $Ref)) (=> (and (< (inv@112@01 r) V@7@01) (<= 0 (inv@112@01 r))) (= (- $k@111@01 (pTaken@114@01 r)) $Perm.No))))) (check-sat) ; unsat (pop) ; 3 ; 0.02s ; (get-info :all-statistics) ; Final check if taken enough permissions ; Done removing quantified permissions (declare-const sm@115@01 $FVF) ; Definitional axioms for snapshot map domain (assert (forall ((r $Ref)) (! (and (=> (Set_in r ($FVF.domain_oa (as sm@115@01 $FVF))) (and (and (< (inv@112@01 r) V@7@01) (<= 0 (inv@112@01 r))) (< $Perm.No $k@111@01))) (=> (and (and (< (inv@112@01 r) V@7@01) (<= 0 (inv@112@01 r))) (< $Perm.No $k@111@01)) (Set_in r ($FVF.domain_oa (as sm@115@01 $FVF))))) :pattern ((Set_in r ($FVF.domain_oa (as sm@115@01 $FVF)))) :qid |qp.fvfDomDef101|))) ; Definitional axioms for snapshot map values (assert (forall ((r $Ref)) (! (=> (and (and (and (< (inv@112@01 r) V@7@01) (<= 0 (inv@112@01 r))) (< $Perm.No $k@111@01)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false)) (= ($FVF.lookup_oa (as sm@115@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@115@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef99|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@115@01 $FVF) r)) :qid |qp.fvfResTrgDef100|))) (pop) ; 2 ; Joined path conditions (assert ($Perm.isReadVar $k@111@01)) (assert (forall ((r $Ref)) (! (=> (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false) (= ($FVF.lookup_oa (as sm@113@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@113@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef96|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@113@01 $FVF) r)) :qid |qp.fvfResTrgDef97|))) (assert (forall ((i1@110@01 Int)) (! (=> (and (and (< i1@110@01 V@7@01) (<= 0 i1@110@01)) (< $Perm.No $k@111@01)) (= (inv@112@01 (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@110@01)) i1@110@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@110@01)) :qid |oa-invOfFct|))) (assert (forall ((r $Ref)) (! (=> (and (and (< (inv@112@01 r) V@7@01) (<= 0 (inv@112@01 r))) (< $Perm.No $k@111@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 (inv@112@01 r)) r)) :pattern ((inv@112@01 r)) :qid |oa-fctOfInv|))) (assert (forall ((r $Ref)) (! (and (=> (Set_in r ($FVF.domain_oa (as sm@115@01 $FVF))) (and (and (< (inv@112@01 r) V@7@01) (<= 0 (inv@112@01 r))) (< $Perm.No $k@111@01))) (=> (and (and (< (inv@112@01 r) V@7@01) (<= 0 (inv@112@01 r))) (< $Perm.No $k@111@01)) (Set_in r ($FVF.domain_oa (as sm@115@01 $FVF))))) :pattern ((Set_in r ($FVF.domain_oa (as sm@115@01 $FVF)))) :qid |qp.fvfDomDef101|))) (assert (forall ((r $Ref)) (! (=> (and (and (and (< (inv@112@01 r) V@7@01) (<= 0 (inv@112@01 r))) (< $Perm.No $k@111@01)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false)) (= ($FVF.lookup_oa (as sm@115@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@115@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef99|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@115@01 $FVF) r)) :qid |qp.fvfResTrgDef100|))) (assert (and (forall ((i1@110@01 Int)) (! (< i1@110@01 (alen G@6@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@110@01)) :qid |oa-aux|)) (forall ((r $Ref)) (! (=> (and (< (inv@112@01 r) V@7@01) (<= 0 (inv@112@01 r))) ($FVF.loc_oa ($FVF.lookup_oa (as sm@113@01 $FVF) r) r)) :pattern ((inv@112@01 r)) )) (forall ((r $Ref)) (! (=> (not (= (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $Perm.No)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< (ite (and (< (inv@112@01 r) V@7@01) (<= 0 (inv@112@01 r))) $k@111@01 $Perm.No) $k@12@01) (< (ite (and (< (inv@112@01 r) V@7@01) (<= 0 (inv@112@01 r))) $k@111@01 $Perm.No) $Perm.No))) :pattern ((inv@13@01 r)) :pattern ((inv@112@01 r)) :qid |qp.srp98|)))) (push) ; 2 ; [eval] SquareIntMatrix(G, V) (push) ; 3 (pop) ; 3 ; Joined path conditions (set-option :timeout 0) (push) ; 3 (assert (not (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@115@01 $FVF))) G@6@01 V@7@01) V@7@01))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) (assert (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@115@01 $FVF))) G@6@01 V@7@01) V@7@01)) ; [eval] NonNegativeCapacities(G, V) (push) ; 3 ; [eval] SquareIntMatrix(G, V) (push) ; 4 (pop) ; 4 ; Joined path conditions (pop) ; 3 ; Joined path conditions (push) ; 3 (assert (not (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@115@01 $FVF))) G@6@01 V@7@01) V@7@01))) (check-sat) ; unsat (pop) ; 3 ; 0.42s ; (get-info :all-statistics) (assert (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@115@01 $FVF))) G@6@01 V@7@01) V@7@01)) (pop) ; 2 ; Joined path conditions (assert (and (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@115@01 $FVF))) G@6@01 V@7@01) V@7@01) (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@115@01 $FVF))) G@6@01 V@7@01) V@7@01))) (assert (<= (SumIncomingFlow ($Snap.combine $Snap.unit $Snap.unit) (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@109@01 $FVF))) G@6@01 V@7@01) V@7@01) (SumIncomingFlow ($Snap.combine $Snap.unit $Snap.unit) (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@115@01 $FVF))) G@6@01 V@7@01) V@7@01))) (assert (= ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second $t@10@01))))))))))) ($Snap.combine ($Snap.first ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second $t@10@01)))))))))))) ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second $t@10@01))))))))))))))) (assert (= ($Snap.first ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second $t@10@01)))))))))))) $Snap.unit)) ; [eval] SumIncomingFlow(matrixValues(G, V), V) <= SumIncomingFlow(matrixValues(G, V), V) ; [eval] SumIncomingFlow(matrixValues(G, V), V) ; [eval] matrixValues(G, V) (push) ; 2 ; [eval] alen(a2) == V ; [eval] alen(a2) (declare-const i1@116@01 Int) (push) ; 3 ; [eval] 0 <= i1 && i1 < V ; [eval] 0 <= i1 (push) ; 4 ; [then-branch: 18 | 0 <= i1@116@01 | live] ; [else-branch: 18 | !(0 <= i1@116@01) | live] (push) ; 5 ; [then-branch: 18 | 0 <= i1@116@01] (assert (<= 0 i1@116@01)) ; [eval] i1 < V (pop) ; 5 (push) ; 5 ; [else-branch: 18 | !(0 <= i1@116@01)] (assert (not (<= 0 i1@116@01))) (pop) ; 5 (pop) ; 4 ; Joined path conditions ; Joined path conditions (assert (and (< i1@116@01 V@7@01) (<= 0 i1@116@01))) (declare-const $k@117@01 $Perm) (assert ($Perm.isReadVar $k@117@01)) ; [eval] aloc(a2, i1) (push) ; 4 ; [eval] 0 <= i1 ; [eval] i1 < alen(a2) ; [eval] alen(a2) (push) ; 5 (assert (not (< i1@116@01 (alen G@6@01)))) (check-sat) ; unsat (pop) ; 5 ; 0.00s ; (get-info :all-statistics) (assert (< i1@116@01 (alen G@6@01))) (pop) ; 4 ; Joined path conditions (assert (< i1@116@01 (alen G@6@01))) (pop) ; 3 (declare-fun inv@118@01 ($Ref) Int) ; Nested auxiliary terms: globals (assert ($Perm.isReadVar $k@117@01)) ; Nested auxiliary terms: non-globals (assert (forall ((i1@116@01 Int)) (! (< i1@116@01 (alen G@6@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@116@01)) :qid |oa-aux|))) (push) ; 3 (assert (not (forall ((i1@116@01 Int)) (=> (and (< i1@116@01 V@7@01) (<= 0 i1@116@01)) (or (= $k@117@01 $Perm.No) (< $Perm.No $k@117@01)))))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) (declare-const sm@119@01 $FVF) ; Definitional axioms for snapshot map domain ; Definitional axioms for snapshot map values (assert (forall ((r $Ref)) (! (=> (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false) (= ($FVF.lookup_oa (as sm@119@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@119@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef102|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@119@01 $FVF) r)) :qid |qp.fvfResTrgDef103|))) ; Check receiver injectivity (push) ; 3 (assert (not (forall ((i11@116@01 Int) (i12@116@01 Int)) (! (=> (and (and (and (and (< i11@116@01 V@7@01) (<= 0 i11@116@01)) ($FVF.loc_oa ($FVF.lookup_oa (as sm@119@01 $FVF) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@116@01)) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@116@01))) (< $Perm.No $k@117@01)) (and (and (and (< i12@116@01 V@7@01) (<= 0 i12@116@01)) ($FVF.loc_oa ($FVF.lookup_oa (as sm@119@01 $FVF) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@116@01)) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@116@01))) (< $Perm.No $k@117@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@116@01) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@116@01))) (= i11@116@01 i12@116@01)) :qid |oa-rcvrInj|)))) (check-sat) ; unsat (pop) ; 3 ; 0.01s ; (get-info :all-statistics) ; Definitional axioms for inverse functions (assert (forall ((i1@116@01 Int)) (! (=> (and (and (< i1@116@01 V@7@01) (<= 0 i1@116@01)) (< $Perm.No $k@117@01)) (= (inv@118@01 (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@116@01)) i1@116@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@116@01)) :qid |oa-invOfFct|))) (assert (forall ((r $Ref)) (! (=> (and (and (< (inv@118@01 r) V@7@01) (<= 0 (inv@118@01 r))) (< $Perm.No $k@117@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 (inv@118@01 r)) r)) :pattern ((inv@118@01 r)) :qid |oa-fctOfInv|))) (assert (forall ((r $Ref)) (! (=> (and (< (inv@118@01 r) V@7@01) (<= 0 (inv@118@01 r))) ($FVF.loc_oa ($FVF.lookup_oa (as sm@119@01 $FVF) r) r)) :pattern ((inv@118@01 r)) ))) ; Precomputing data for removing quantified permissions (define-fun pTaken@120@01 ((r $Ref)) $Perm (ite (and (< (inv@118@01 r) V@7@01) (<= 0 (inv@118@01 r))) ($Perm.min (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $k@117@01) $Perm.No)) ; Done precomputing, updating quantified chunks ; State saturation: before repetition (set-option :timeout 10) (check-sat) ; unknown ; Constrain original permissions $k@117@01 (assert (forall ((r $Ref)) (! (=> (not (= (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $Perm.No)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< (ite (and (< (inv@118@01 r) V@7@01) (<= 0 (inv@118@01 r))) $k@117@01 $Perm.No) $k@12@01) (< (ite (and (< (inv@118@01 r) V@7@01) (<= 0 (inv@118@01 r))) $k@117@01 $Perm.No) $Perm.No))) :pattern ((inv@13@01 r)) :pattern ((inv@118@01 r)) :qid |qp.srp104|))) ; Intermediate check if already taken enough permissions (set-option :timeout 500) (push) ; 3 (assert (not (forall ((r $Ref)) (=> (and (< (inv@118@01 r) V@7@01) (<= 0 (inv@118@01 r))) (= (- $k@117@01 (pTaken@120@01 r)) $Perm.No))))) (check-sat) ; unsat (pop) ; 3 ; 0.02s ; (get-info :all-statistics) ; Final check if taken enough permissions ; Done removing quantified permissions (declare-const sm@121@01 $FVF) ; Definitional axioms for snapshot map domain (assert (forall ((r $Ref)) (! (and (=> (Set_in r ($FVF.domain_oa (as sm@121@01 $FVF))) (and (and (< (inv@118@01 r) V@7@01) (<= 0 (inv@118@01 r))) (< $Perm.No $k@117@01))) (=> (and (and (< (inv@118@01 r) V@7@01) (<= 0 (inv@118@01 r))) (< $Perm.No $k@117@01)) (Set_in r ($FVF.domain_oa (as sm@121@01 $FVF))))) :pattern ((Set_in r ($FVF.domain_oa (as sm@121@01 $FVF)))) :qid |qp.fvfDomDef107|))) ; Definitional axioms for snapshot map values (assert (forall ((r $Ref)) (! (=> (and (and (and (< (inv@118@01 r) V@7@01) (<= 0 (inv@118@01 r))) (< $Perm.No $k@117@01)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false)) (= ($FVF.lookup_oa (as sm@121@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@121@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef105|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@121@01 $FVF) r)) :qid |qp.fvfResTrgDef106|))) (pop) ; 2 ; Joined path conditions (assert ($Perm.isReadVar $k@117@01)) (assert (forall ((r $Ref)) (! (=> (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false) (= ($FVF.lookup_oa (as sm@119@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@119@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef102|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@119@01 $FVF) r)) :qid |qp.fvfResTrgDef103|))) (assert (forall ((i1@116@01 Int)) (! (=> (and (and (< i1@116@01 V@7@01) (<= 0 i1@116@01)) (< $Perm.No $k@117@01)) (= (inv@118@01 (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@116@01)) i1@116@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@116@01)) :qid |oa-invOfFct|))) (assert (forall ((r $Ref)) (! (=> (and (and (< (inv@118@01 r) V@7@01) (<= 0 (inv@118@01 r))) (< $Perm.No $k@117@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 (inv@118@01 r)) r)) :pattern ((inv@118@01 r)) :qid |oa-fctOfInv|))) (assert (forall ((r $Ref)) (! (and (=> (Set_in r ($FVF.domain_oa (as sm@121@01 $FVF))) (and (and (< (inv@118@01 r) V@7@01) (<= 0 (inv@118@01 r))) (< $Perm.No $k@117@01))) (=> (and (and (< (inv@118@01 r) V@7@01) (<= 0 (inv@118@01 r))) (< $Perm.No $k@117@01)) (Set_in r ($FVF.domain_oa (as sm@121@01 $FVF))))) :pattern ((Set_in r ($FVF.domain_oa (as sm@121@01 $FVF)))) :qid |qp.fvfDomDef107|))) (assert (forall ((r $Ref)) (! (=> (and (and (and (< (inv@118@01 r) V@7@01) (<= 0 (inv@118@01 r))) (< $Perm.No $k@117@01)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false)) (= ($FVF.lookup_oa (as sm@121@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@121@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef105|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@121@01 $FVF) r)) :qid |qp.fvfResTrgDef106|))) (assert (and (forall ((i1@116@01 Int)) (! (< i1@116@01 (alen G@6@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@116@01)) :qid |oa-aux|)) (forall ((r $Ref)) (! (=> (and (< (inv@118@01 r) V@7@01) (<= 0 (inv@118@01 r))) ($FVF.loc_oa ($FVF.lookup_oa (as sm@119@01 $FVF) r) r)) :pattern ((inv@118@01 r)) )) (forall ((r $Ref)) (! (=> (not (= (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $Perm.No)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< (ite (and (< (inv@118@01 r) V@7@01) (<= 0 (inv@118@01 r))) $k@117@01 $Perm.No) $k@12@01) (< (ite (and (< (inv@118@01 r) V@7@01) (<= 0 (inv@118@01 r))) $k@117@01 $Perm.No) $Perm.No))) :pattern ((inv@13@01 r)) :pattern ((inv@118@01 r)) :qid |qp.srp104|)))) (push) ; 2 ; [eval] SquareIntMatrix(G, V) (push) ; 3 (pop) ; 3 ; Joined path conditions (set-option :timeout 0) (push) ; 3 (assert (not (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@121@01 $FVF))) G@6@01 V@7@01) V@7@01))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) (assert (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@121@01 $FVF))) G@6@01 V@7@01) V@7@01)) ; [eval] NonNegativeCapacities(G, V) (push) ; 3 ; [eval] SquareIntMatrix(G, V) (push) ; 4 (pop) ; 4 ; Joined path conditions (pop) ; 3 ; Joined path conditions (push) ; 3 (assert (not (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@121@01 $FVF))) G@6@01 V@7@01) V@7@01))) (check-sat) ; unsat (pop) ; 3 ; 0.51s ; (get-info :all-statistics) (assert (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@121@01 $FVF))) G@6@01 V@7@01) V@7@01)) (pop) ; 2 ; Joined path conditions (assert (and (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@121@01 $FVF))) G@6@01 V@7@01) V@7@01) (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@121@01 $FVF))) G@6@01 V@7@01) V@7@01))) ; [eval] SumIncomingFlow(matrixValues(G, V), V) ; [eval] matrixValues(G, V) (push) ; 2 ; [eval] alen(a2) == V ; [eval] alen(a2) (declare-const i1@122@01 Int) (push) ; 3 ; [eval] 0 <= i1 && i1 < V ; [eval] 0 <= i1 (push) ; 4 ; [then-branch: 19 | 0 <= i1@122@01 | live] ; [else-branch: 19 | !(0 <= i1@122@01) | live] (push) ; 5 ; [then-branch: 19 | 0 <= i1@122@01] (assert (<= 0 i1@122@01)) ; [eval] i1 < V (pop) ; 5 (push) ; 5 ; [else-branch: 19 | !(0 <= i1@122@01)] (assert (not (<= 0 i1@122@01))) (pop) ; 5 (pop) ; 4 ; Joined path conditions ; Joined path conditions (assert (and (< i1@122@01 V@7@01) (<= 0 i1@122@01))) (declare-const $k@123@01 $Perm) (assert ($Perm.isReadVar $k@123@01)) ; [eval] aloc(a2, i1) (push) ; 4 ; [eval] 0 <= i1 ; [eval] i1 < alen(a2) ; [eval] alen(a2) (push) ; 5 (assert (not (< i1@122@01 (alen G@6@01)))) (check-sat) ; unsat (pop) ; 5 ; 0.00s ; (get-info :all-statistics) (assert (< i1@122@01 (alen G@6@01))) (pop) ; 4 ; Joined path conditions (assert (< i1@122@01 (alen G@6@01))) (pop) ; 3 (declare-fun inv@124@01 ($Ref) Int) ; Nested auxiliary terms: globals (assert ($Perm.isReadVar $k@123@01)) ; Nested auxiliary terms: non-globals (assert (forall ((i1@122@01 Int)) (! (< i1@122@01 (alen G@6@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@122@01)) :qid |oa-aux|))) (push) ; 3 (assert (not (forall ((i1@122@01 Int)) (=> (and (< i1@122@01 V@7@01) (<= 0 i1@122@01)) (or (= $k@123@01 $Perm.No) (< $Perm.No $k@123@01)))))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) (declare-const sm@125@01 $FVF) ; Definitional axioms for snapshot map domain ; Definitional axioms for snapshot map values (assert (forall ((r $Ref)) (! (=> (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false) (= ($FVF.lookup_oa (as sm@125@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@125@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef108|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@125@01 $FVF) r)) :qid |qp.fvfResTrgDef109|))) ; Check receiver injectivity (push) ; 3 (assert (not (forall ((i11@122@01 Int) (i12@122@01 Int)) (! (=> (and (and (and (and (< i11@122@01 V@7@01) (<= 0 i11@122@01)) ($FVF.loc_oa ($FVF.lookup_oa (as sm@125@01 $FVF) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@122@01)) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@122@01))) (< $Perm.No $k@123@01)) (and (and (and (< i12@122@01 V@7@01) (<= 0 i12@122@01)) ($FVF.loc_oa ($FVF.lookup_oa (as sm@125@01 $FVF) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@122@01)) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@122@01))) (< $Perm.No $k@123@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@122@01) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@122@01))) (= i11@122@01 i12@122@01)) :qid |oa-rcvrInj|)))) (check-sat) ; unsat (pop) ; 3 ; 0.01s ; (get-info :all-statistics) ; Definitional axioms for inverse functions (assert (forall ((i1@122@01 Int)) (! (=> (and (and (< i1@122@01 V@7@01) (<= 0 i1@122@01)) (< $Perm.No $k@123@01)) (= (inv@124@01 (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@122@01)) i1@122@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@122@01)) :qid |oa-invOfFct|))) (assert (forall ((r $Ref)) (! (=> (and (and (< (inv@124@01 r) V@7@01) (<= 0 (inv@124@01 r))) (< $Perm.No $k@123@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 (inv@124@01 r)) r)) :pattern ((inv@124@01 r)) :qid |oa-fctOfInv|))) (assert (forall ((r $Ref)) (! (=> (and (< (inv@124@01 r) V@7@01) (<= 0 (inv@124@01 r))) ($FVF.loc_oa ($FVF.lookup_oa (as sm@125@01 $FVF) r) r)) :pattern ((inv@124@01 r)) ))) ; Precomputing data for removing quantified permissions (define-fun pTaken@126@01 ((r $Ref)) $Perm (ite (and (< (inv@124@01 r) V@7@01) (<= 0 (inv@124@01 r))) ($Perm.min (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $k@123@01) $Perm.No)) ; Done precomputing, updating quantified chunks ; State saturation: before repetition (set-option :timeout 10) (check-sat) ; unknown ; Constrain original permissions $k@123@01 (assert (forall ((r $Ref)) (! (=> (not (= (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $Perm.No)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< (ite (and (< (inv@124@01 r) V@7@01) (<= 0 (inv@124@01 r))) $k@123@01 $Perm.No) $k@12@01) (< (ite (and (< (inv@124@01 r) V@7@01) (<= 0 (inv@124@01 r))) $k@123@01 $Perm.No) $Perm.No))) :pattern ((inv@13@01 r)) :pattern ((inv@124@01 r)) :qid |qp.srp110|))) ; Intermediate check if already taken enough permissions (set-option :timeout 500) (push) ; 3 (assert (not (forall ((r $Ref)) (=> (and (< (inv@124@01 r) V@7@01) (<= 0 (inv@124@01 r))) (= (- $k@123@01 (pTaken@126@01 r)) $Perm.No))))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) ; Final check if taken enough permissions ; Done removing quantified permissions (declare-const sm@127@01 $FVF) ; Definitional axioms for snapshot map domain (assert (forall ((r $Ref)) (! (and (=> (Set_in r ($FVF.domain_oa (as sm@127@01 $FVF))) (and (and (< (inv@124@01 r) V@7@01) (<= 0 (inv@124@01 r))) (< $Perm.No $k@123@01))) (=> (and (and (< (inv@124@01 r) V@7@01) (<= 0 (inv@124@01 r))) (< $Perm.No $k@123@01)) (Set_in r ($FVF.domain_oa (as sm@127@01 $FVF))))) :pattern ((Set_in r ($FVF.domain_oa (as sm@127@01 $FVF)))) :qid |qp.fvfDomDef113|))) ; Definitional axioms for snapshot map values (assert (forall ((r $Ref)) (! (=> (and (and (and (< (inv@124@01 r) V@7@01) (<= 0 (inv@124@01 r))) (< $Perm.No $k@123@01)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false)) (= ($FVF.lookup_oa (as sm@127@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@127@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef111|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@127@01 $FVF) r)) :qid |qp.fvfResTrgDef112|))) (pop) ; 2 ; Joined path conditions (assert ($Perm.isReadVar $k@123@01)) (assert (forall ((r $Ref)) (! (=> (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false) (= ($FVF.lookup_oa (as sm@125@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@125@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef108|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@125@01 $FVF) r)) :qid |qp.fvfResTrgDef109|))) (assert (forall ((i1@122@01 Int)) (! (=> (and (and (< i1@122@01 V@7@01) (<= 0 i1@122@01)) (< $Perm.No $k@123@01)) (= (inv@124@01 (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@122@01)) i1@122@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@122@01)) :qid |oa-invOfFct|))) (assert (forall ((r $Ref)) (! (=> (and (and (< (inv@124@01 r) V@7@01) (<= 0 (inv@124@01 r))) (< $Perm.No $k@123@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 (inv@124@01 r)) r)) :pattern ((inv@124@01 r)) :qid |oa-fctOfInv|))) (assert (forall ((r $Ref)) (! (and (=> (Set_in r ($FVF.domain_oa (as sm@127@01 $FVF))) (and (and (< (inv@124@01 r) V@7@01) (<= 0 (inv@124@01 r))) (< $Perm.No $k@123@01))) (=> (and (and (< (inv@124@01 r) V@7@01) (<= 0 (inv@124@01 r))) (< $Perm.No $k@123@01)) (Set_in r ($FVF.domain_oa (as sm@127@01 $FVF))))) :pattern ((Set_in r ($FVF.domain_oa (as sm@127@01 $FVF)))) :qid |qp.fvfDomDef113|))) (assert (forall ((r $Ref)) (! (=> (and (and (and (< (inv@124@01 r) V@7@01) (<= 0 (inv@124@01 r))) (< $Perm.No $k@123@01)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false)) (= ($FVF.lookup_oa (as sm@127@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@127@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef111|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@127@01 $FVF) r)) :qid |qp.fvfResTrgDef112|))) (assert (and (forall ((i1@122@01 Int)) (! (< i1@122@01 (alen G@6@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@122@01)) :qid |oa-aux|)) (forall ((r $Ref)) (! (=> (and (< (inv@124@01 r) V@7@01) (<= 0 (inv@124@01 r))) ($FVF.loc_oa ($FVF.lookup_oa (as sm@125@01 $FVF) r) r)) :pattern ((inv@124@01 r)) )) (forall ((r $Ref)) (! (=> (not (= (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $Perm.No)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< (ite (and (< (inv@124@01 r) V@7@01) (<= 0 (inv@124@01 r))) $k@123@01 $Perm.No) $k@12@01) (< (ite (and (< (inv@124@01 r) V@7@01) (<= 0 (inv@124@01 r))) $k@123@01 $Perm.No) $Perm.No))) :pattern ((inv@13@01 r)) :pattern ((inv@124@01 r)) :qid |qp.srp110|)))) (push) ; 2 ; [eval] SquareIntMatrix(G, V) (push) ; 3 (pop) ; 3 ; Joined path conditions (set-option :timeout 0) (push) ; 3 (assert (not (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@127@01 $FVF))) G@6@01 V@7@01) V@7@01))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) (assert (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@127@01 $FVF))) G@6@01 V@7@01) V@7@01)) ; [eval] NonNegativeCapacities(G, V) (push) ; 3 ; [eval] SquareIntMatrix(G, V) (push) ; 4 (pop) ; 4 ; Joined path conditions (pop) ; 3 ; Joined path conditions (push) ; 3 (assert (not (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@127@01 $FVF))) G@6@01 V@7@01) V@7@01))) (check-sat) ; unsat (pop) ; 3 ; 1.38s ; (get-info :all-statistics) (assert (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@127@01 $FVF))) G@6@01 V@7@01) V@7@01)) (pop) ; 2 ; Joined path conditions (assert (and (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@127@01 $FVF))) G@6@01 V@7@01) V@7@01) (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@127@01 $FVF))) G@6@01 V@7@01) V@7@01))) (assert (<= (SumIncomingFlow ($Snap.combine $Snap.unit $Snap.unit) (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@121@01 $FVF))) G@6@01 V@7@01) V@7@01) (SumIncomingFlow ($Snap.combine $Snap.unit $Snap.unit) (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@127@01 $FVF))) G@6@01 V@7@01) V@7@01))) (assert (= ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second $t@10@01)))))))))))) ($Snap.combine ($Snap.first ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second $t@10@01))))))))))))) ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second $t@10@01)))))))))))))))) (assert (= ($Snap.first ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second $t@10@01))))))))))))) $Snap.unit)) ; [eval] SumIncomingFlow(matrixValues(G, V), V) <= SumIncomingFlow(matrixValues(G, V), V) ; [eval] SumIncomingFlow(matrixValues(G, V), V) ; [eval] matrixValues(G, V) (push) ; 2 ; [eval] alen(a2) == V ; [eval] alen(a2) (declare-const i1@128@01 Int) (push) ; 3 ; [eval] 0 <= i1 && i1 < V ; [eval] 0 <= i1 (push) ; 4 ; [then-branch: 20 | 0 <= i1@128@01 | live] ; [else-branch: 20 | !(0 <= i1@128@01) | live] (push) ; 5 ; [then-branch: 20 | 0 <= i1@128@01] (assert (<= 0 i1@128@01)) ; [eval] i1 < V (pop) ; 5 (push) ; 5 ; [else-branch: 20 | !(0 <= i1@128@01)] (assert (not (<= 0 i1@128@01))) (pop) ; 5 (pop) ; 4 ; Joined path conditions ; Joined path conditions (assert (and (< i1@128@01 V@7@01) (<= 0 i1@128@01))) (declare-const $k@129@01 $Perm) (assert ($Perm.isReadVar $k@129@01)) ; [eval] aloc(a2, i1) (push) ; 4 ; [eval] 0 <= i1 ; [eval] i1 < alen(a2) ; [eval] alen(a2) (push) ; 5 (assert (not (< i1@128@01 (alen G@6@01)))) (check-sat) ; unsat (pop) ; 5 ; 0.00s ; (get-info :all-statistics) (assert (< i1@128@01 (alen G@6@01))) (pop) ; 4 ; Joined path conditions (assert (< i1@128@01 (alen G@6@01))) (pop) ; 3 (declare-fun inv@130@01 ($Ref) Int) ; Nested auxiliary terms: globals (assert ($Perm.isReadVar $k@129@01)) ; Nested auxiliary terms: non-globals (assert (forall ((i1@128@01 Int)) (! (< i1@128@01 (alen G@6@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@128@01)) :qid |oa-aux|))) (push) ; 3 (assert (not (forall ((i1@128@01 Int)) (=> (and (< i1@128@01 V@7@01) (<= 0 i1@128@01)) (or (= $k@129@01 $Perm.No) (< $Perm.No $k@129@01)))))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) (declare-const sm@131@01 $FVF) ; Definitional axioms for snapshot map domain ; Definitional axioms for snapshot map values (assert (forall ((r $Ref)) (! (=> (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false) (= ($FVF.lookup_oa (as sm@131@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@131@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef114|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@131@01 $FVF) r)) :qid |qp.fvfResTrgDef115|))) ; Check receiver injectivity (push) ; 3 (assert (not (forall ((i11@128@01 Int) (i12@128@01 Int)) (! (=> (and (and (and (and (< i11@128@01 V@7@01) (<= 0 i11@128@01)) ($FVF.loc_oa ($FVF.lookup_oa (as sm@131@01 $FVF) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@128@01)) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@128@01))) (< $Perm.No $k@129@01)) (and (and (and (< i12@128@01 V@7@01) (<= 0 i12@128@01)) ($FVF.loc_oa ($FVF.lookup_oa (as sm@131@01 $FVF) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@128@01)) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@128@01))) (< $Perm.No $k@129@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@128@01) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@128@01))) (= i11@128@01 i12@128@01)) :qid |oa-rcvrInj|)))) (check-sat) ; unsat (pop) ; 3 ; 0.01s ; (get-info :all-statistics) ; Definitional axioms for inverse functions (assert (forall ((i1@128@01 Int)) (! (=> (and (and (< i1@128@01 V@7@01) (<= 0 i1@128@01)) (< $Perm.No $k@129@01)) (= (inv@130@01 (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@128@01)) i1@128@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@128@01)) :qid |oa-invOfFct|))) (assert (forall ((r $Ref)) (! (=> (and (and (< (inv@130@01 r) V@7@01) (<= 0 (inv@130@01 r))) (< $Perm.No $k@129@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 (inv@130@01 r)) r)) :pattern ((inv@130@01 r)) :qid |oa-fctOfInv|))) (assert (forall ((r $Ref)) (! (=> (and (< (inv@130@01 r) V@7@01) (<= 0 (inv@130@01 r))) ($FVF.loc_oa ($FVF.lookup_oa (as sm@131@01 $FVF) r) r)) :pattern ((inv@130@01 r)) ))) ; Precomputing data for removing quantified permissions (define-fun pTaken@132@01 ((r $Ref)) $Perm (ite (and (< (inv@130@01 r) V@7@01) (<= 0 (inv@130@01 r))) ($Perm.min (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $k@129@01) $Perm.No)) ; Done precomputing, updating quantified chunks ; State saturation: before repetition (set-option :timeout 10) (check-sat) ; unknown ; Constrain original permissions $k@129@01 (assert (forall ((r $Ref)) (! (=> (not (= (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $Perm.No)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< (ite (and (< (inv@130@01 r) V@7@01) (<= 0 (inv@130@01 r))) $k@129@01 $Perm.No) $k@12@01) (< (ite (and (< (inv@130@01 r) V@7@01) (<= 0 (inv@130@01 r))) $k@129@01 $Perm.No) $Perm.No))) :pattern ((inv@13@01 r)) :pattern ((inv@130@01 r)) :qid |qp.srp116|))) ; Intermediate check if already taken enough permissions (set-option :timeout 500) (push) ; 3 (assert (not (forall ((r $Ref)) (=> (and (< (inv@130@01 r) V@7@01) (<= 0 (inv@130@01 r))) (= (- $k@129@01 (pTaken@132@01 r)) $Perm.No))))) (check-sat) ; unsat (pop) ; 3 ; 0.02s ; (get-info :all-statistics) ; Final check if taken enough permissions ; Done removing quantified permissions (declare-const sm@133@01 $FVF) ; Definitional axioms for snapshot map domain (assert (forall ((r $Ref)) (! (and (=> (Set_in r ($FVF.domain_oa (as sm@133@01 $FVF))) (and (and (< (inv@130@01 r) V@7@01) (<= 0 (inv@130@01 r))) (< $Perm.No $k@129@01))) (=> (and (and (< (inv@130@01 r) V@7@01) (<= 0 (inv@130@01 r))) (< $Perm.No $k@129@01)) (Set_in r ($FVF.domain_oa (as sm@133@01 $FVF))))) :pattern ((Set_in r ($FVF.domain_oa (as sm@133@01 $FVF)))) :qid |qp.fvfDomDef119|))) ; Definitional axioms for snapshot map values (assert (forall ((r $Ref)) (! (=> (and (and (and (< (inv@130@01 r) V@7@01) (<= 0 (inv@130@01 r))) (< $Perm.No $k@129@01)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false)) (= ($FVF.lookup_oa (as sm@133@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@133@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef117|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@133@01 $FVF) r)) :qid |qp.fvfResTrgDef118|))) (pop) ; 2 ; Joined path conditions (assert ($Perm.isReadVar $k@129@01)) (assert (forall ((r $Ref)) (! (=> (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false) (= ($FVF.lookup_oa (as sm@131@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@131@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef114|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@131@01 $FVF) r)) :qid |qp.fvfResTrgDef115|))) (assert (forall ((i1@128@01 Int)) (! (=> (and (and (< i1@128@01 V@7@01) (<= 0 i1@128@01)) (< $Perm.No $k@129@01)) (= (inv@130@01 (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@128@01)) i1@128@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@128@01)) :qid |oa-invOfFct|))) (assert (forall ((r $Ref)) (! (=> (and (and (< (inv@130@01 r) V@7@01) (<= 0 (inv@130@01 r))) (< $Perm.No $k@129@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 (inv@130@01 r)) r)) :pattern ((inv@130@01 r)) :qid |oa-fctOfInv|))) (assert (forall ((r $Ref)) (! (and (=> (Set_in r ($FVF.domain_oa (as sm@133@01 $FVF))) (and (and (< (inv@130@01 r) V@7@01) (<= 0 (inv@130@01 r))) (< $Perm.No $k@129@01))) (=> (and (and (< (inv@130@01 r) V@7@01) (<= 0 (inv@130@01 r))) (< $Perm.No $k@129@01)) (Set_in r ($FVF.domain_oa (as sm@133@01 $FVF))))) :pattern ((Set_in r ($FVF.domain_oa (as sm@133@01 $FVF)))) :qid |qp.fvfDomDef119|))) (assert (forall ((r $Ref)) (! (=> (and (and (and (< (inv@130@01 r) V@7@01) (<= 0 (inv@130@01 r))) (< $Perm.No $k@129@01)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false)) (= ($FVF.lookup_oa (as sm@133@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@133@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef117|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@133@01 $FVF) r)) :qid |qp.fvfResTrgDef118|))) (assert (and (forall ((i1@128@01 Int)) (! (< i1@128@01 (alen G@6@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@128@01)) :qid |oa-aux|)) (forall ((r $Ref)) (! (=> (and (< (inv@130@01 r) V@7@01) (<= 0 (inv@130@01 r))) ($FVF.loc_oa ($FVF.lookup_oa (as sm@131@01 $FVF) r) r)) :pattern ((inv@130@01 r)) )) (forall ((r $Ref)) (! (=> (not (= (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $Perm.No)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< (ite (and (< (inv@130@01 r) V@7@01) (<= 0 (inv@130@01 r))) $k@129@01 $Perm.No) $k@12@01) (< (ite (and (< (inv@130@01 r) V@7@01) (<= 0 (inv@130@01 r))) $k@129@01 $Perm.No) $Perm.No))) :pattern ((inv@13@01 r)) :pattern ((inv@130@01 r)) :qid |qp.srp116|)))) (push) ; 2 ; [eval] SquareIntMatrix(G, V) (push) ; 3 (pop) ; 3 ; Joined path conditions (set-option :timeout 0) (push) ; 3 (assert (not (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@133@01 $FVF))) G@6@01 V@7@01) V@7@01))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) (assert (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@133@01 $FVF))) G@6@01 V@7@01) V@7@01)) ; [eval] NonNegativeCapacities(G, V) (push) ; 3 ; [eval] SquareIntMatrix(G, V) (push) ; 4 (pop) ; 4 ; Joined path conditions (pop) ; 3 ; Joined path conditions (push) ; 3 (assert (not (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@133@01 $FVF))) G@6@01 V@7@01) V@7@01))) (check-sat) ; unsat (pop) ; 3 ; 1.43s ; (get-info :all-statistics) (assert (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@133@01 $FVF))) G@6@01 V@7@01) V@7@01)) (pop) ; 2 ; Joined path conditions (assert (and (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@133@01 $FVF))) G@6@01 V@7@01) V@7@01) (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@133@01 $FVF))) G@6@01 V@7@01) V@7@01))) ; [eval] SumIncomingFlow(matrixValues(G, V), V) ; [eval] matrixValues(G, V) (push) ; 2 ; [eval] alen(a2) == V ; [eval] alen(a2) (declare-const i1@134@01 Int) (push) ; 3 ; [eval] 0 <= i1 && i1 < V ; [eval] 0 <= i1 (push) ; 4 ; [then-branch: 21 | 0 <= i1@134@01 | live] ; [else-branch: 21 | !(0 <= i1@134@01) | live] (push) ; 5 ; [then-branch: 21 | 0 <= i1@134@01] (assert (<= 0 i1@134@01)) ; [eval] i1 < V (pop) ; 5 (push) ; 5 ; [else-branch: 21 | !(0 <= i1@134@01)] (assert (not (<= 0 i1@134@01))) (pop) ; 5 (pop) ; 4 ; Joined path conditions ; Joined path conditions (assert (and (< i1@134@01 V@7@01) (<= 0 i1@134@01))) (declare-const $k@135@01 $Perm) (assert ($Perm.isReadVar $k@135@01)) ; [eval] aloc(a2, i1) (push) ; 4 ; [eval] 0 <= i1 ; [eval] i1 < alen(a2) ; [eval] alen(a2) (push) ; 5 (assert (not (< i1@134@01 (alen G@6@01)))) (check-sat) ; unsat (pop) ; 5 ; 0.00s ; (get-info :all-statistics) (assert (< i1@134@01 (alen G@6@01))) (pop) ; 4 ; Joined path conditions (assert (< i1@134@01 (alen G@6@01))) (pop) ; 3 (declare-fun inv@136@01 ($Ref) Int) ; Nested auxiliary terms: globals (assert ($Perm.isReadVar $k@135@01)) ; Nested auxiliary terms: non-globals (assert (forall ((i1@134@01 Int)) (! (< i1@134@01 (alen G@6@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@134@01)) :qid |oa-aux|))) (push) ; 3 (assert (not (forall ((i1@134@01 Int)) (=> (and (< i1@134@01 V@7@01) (<= 0 i1@134@01)) (or (= $k@135@01 $Perm.No) (< $Perm.No $k@135@01)))))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) (declare-const sm@137@01 $FVF) ; Definitional axioms for snapshot map domain ; Definitional axioms for snapshot map values (assert (forall ((r $Ref)) (! (=> (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false) (= ($FVF.lookup_oa (as sm@137@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@137@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef120|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@137@01 $FVF) r)) :qid |qp.fvfResTrgDef121|))) ; Check receiver injectivity (push) ; 3 (assert (not (forall ((i11@134@01 Int) (i12@134@01 Int)) (! (=> (and (and (and (and (< i11@134@01 V@7@01) (<= 0 i11@134@01)) ($FVF.loc_oa ($FVF.lookup_oa (as sm@137@01 $FVF) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@134@01)) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@134@01))) (< $Perm.No $k@135@01)) (and (and (and (< i12@134@01 V@7@01) (<= 0 i12@134@01)) ($FVF.loc_oa ($FVF.lookup_oa (as sm@137@01 $FVF) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@134@01)) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@134@01))) (< $Perm.No $k@135@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@134@01) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@134@01))) (= i11@134@01 i12@134@01)) :qid |oa-rcvrInj|)))) (check-sat) ; unsat (pop) ; 3 ; 0.01s ; (get-info :all-statistics) ; Definitional axioms for inverse functions (assert (forall ((i1@134@01 Int)) (! (=> (and (and (< i1@134@01 V@7@01) (<= 0 i1@134@01)) (< $Perm.No $k@135@01)) (= (inv@136@01 (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@134@01)) i1@134@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@134@01)) :qid |oa-invOfFct|))) (assert (forall ((r $Ref)) (! (=> (and (and (< (inv@136@01 r) V@7@01) (<= 0 (inv@136@01 r))) (< $Perm.No $k@135@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 (inv@136@01 r)) r)) :pattern ((inv@136@01 r)) :qid |oa-fctOfInv|))) (assert (forall ((r $Ref)) (! (=> (and (< (inv@136@01 r) V@7@01) (<= 0 (inv@136@01 r))) ($FVF.loc_oa ($FVF.lookup_oa (as sm@137@01 $FVF) r) r)) :pattern ((inv@136@01 r)) ))) ; Precomputing data for removing quantified permissions (define-fun pTaken@138@01 ((r $Ref)) $Perm (ite (and (< (inv@136@01 r) V@7@01) (<= 0 (inv@136@01 r))) ($Perm.min (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $k@135@01) $Perm.No)) ; Done precomputing, updating quantified chunks ; State saturation: before repetition (set-option :timeout 10) (check-sat) ; unknown ; Constrain original permissions $k@135@01 (assert (forall ((r $Ref)) (! (=> (not (= (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $Perm.No)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< (ite (and (< (inv@136@01 r) V@7@01) (<= 0 (inv@136@01 r))) $k@135@01 $Perm.No) $k@12@01) (< (ite (and (< (inv@136@01 r) V@7@01) (<= 0 (inv@136@01 r))) $k@135@01 $Perm.No) $Perm.No))) :pattern ((inv@13@01 r)) :pattern ((inv@136@01 r)) :qid |qp.srp122|))) ; Intermediate check if already taken enough permissions (set-option :timeout 500) (push) ; 3 (assert (not (forall ((r $Ref)) (=> (and (< (inv@136@01 r) V@7@01) (<= 0 (inv@136@01 r))) (= (- $k@135@01 (pTaken@138@01 r)) $Perm.No))))) (check-sat) ; unsat (pop) ; 3 ; 0.03s ; (get-info :all-statistics) ; Final check if taken enough permissions ; Done removing quantified permissions (declare-const sm@139@01 $FVF) ; Definitional axioms for snapshot map domain (assert (forall ((r $Ref)) (! (and (=> (Set_in r ($FVF.domain_oa (as sm@139@01 $FVF))) (and (and (< (inv@136@01 r) V@7@01) (<= 0 (inv@136@01 r))) (< $Perm.No $k@135@01))) (=> (and (and (< (inv@136@01 r) V@7@01) (<= 0 (inv@136@01 r))) (< $Perm.No $k@135@01)) (Set_in r ($FVF.domain_oa (as sm@139@01 $FVF))))) :pattern ((Set_in r ($FVF.domain_oa (as sm@139@01 $FVF)))) :qid |qp.fvfDomDef125|))) ; Definitional axioms for snapshot map values (assert (forall ((r $Ref)) (! (=> (and (and (and (< (inv@136@01 r) V@7@01) (<= 0 (inv@136@01 r))) (< $Perm.No $k@135@01)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false)) (= ($FVF.lookup_oa (as sm@139@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@139@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef123|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@139@01 $FVF) r)) :qid |qp.fvfResTrgDef124|))) (pop) ; 2 ; Joined path conditions (assert ($Perm.isReadVar $k@135@01)) (assert (forall ((r $Ref)) (! (=> (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false) (= ($FVF.lookup_oa (as sm@137@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@137@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef120|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@137@01 $FVF) r)) :qid |qp.fvfResTrgDef121|))) (assert (forall ((i1@134@01 Int)) (! (=> (and (and (< i1@134@01 V@7@01) (<= 0 i1@134@01)) (< $Perm.No $k@135@01)) (= (inv@136@01 (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@134@01)) i1@134@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@134@01)) :qid |oa-invOfFct|))) (assert (forall ((r $Ref)) (! (=> (and (and (< (inv@136@01 r) V@7@01) (<= 0 (inv@136@01 r))) (< $Perm.No $k@135@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 (inv@136@01 r)) r)) :pattern ((inv@136@01 r)) :qid |oa-fctOfInv|))) (assert (forall ((r $Ref)) (! (and (=> (Set_in r ($FVF.domain_oa (as sm@139@01 $FVF))) (and (and (< (inv@136@01 r) V@7@01) (<= 0 (inv@136@01 r))) (< $Perm.No $k@135@01))) (=> (and (and (< (inv@136@01 r) V@7@01) (<= 0 (inv@136@01 r))) (< $Perm.No $k@135@01)) (Set_in r ($FVF.domain_oa (as sm@139@01 $FVF))))) :pattern ((Set_in r ($FVF.domain_oa (as sm@139@01 $FVF)))) :qid |qp.fvfDomDef125|))) (assert (forall ((r $Ref)) (! (=> (and (and (and (< (inv@136@01 r) V@7@01) (<= 0 (inv@136@01 r))) (< $Perm.No $k@135@01)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false)) (= ($FVF.lookup_oa (as sm@139@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@139@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef123|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@139@01 $FVF) r)) :qid |qp.fvfResTrgDef124|))) (assert (and (forall ((i1@134@01 Int)) (! (< i1@134@01 (alen G@6@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@134@01)) :qid |oa-aux|)) (forall ((r $Ref)) (! (=> (and (< (inv@136@01 r) V@7@01) (<= 0 (inv@136@01 r))) ($FVF.loc_oa ($FVF.lookup_oa (as sm@137@01 $FVF) r) r)) :pattern ((inv@136@01 r)) )) (forall ((r $Ref)) (! (=> (not (= (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $Perm.No)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< (ite (and (< (inv@136@01 r) V@7@01) (<= 0 (inv@136@01 r))) $k@135@01 $Perm.No) $k@12@01) (< (ite (and (< (inv@136@01 r) V@7@01) (<= 0 (inv@136@01 r))) $k@135@01 $Perm.No) $Perm.No))) :pattern ((inv@13@01 r)) :pattern ((inv@136@01 r)) :qid |qp.srp122|)))) (push) ; 2 ; [eval] SquareIntMatrix(G, V) (push) ; 3 (pop) ; 3 ; Joined path conditions (set-option :timeout 0) (push) ; 3 (assert (not (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@139@01 $FVF))) G@6@01 V@7@01) V@7@01))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) (assert (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@139@01 $FVF))) G@6@01 V@7@01) V@7@01)) ; [eval] NonNegativeCapacities(G, V) (push) ; 3 ; [eval] SquareIntMatrix(G, V) (push) ; 4 (pop) ; 4 ; Joined path conditions (pop) ; 3 ; Joined path conditions (push) ; 3 (assert (not (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@139@01 $FVF))) G@6@01 V@7@01) V@7@01))) (check-sat) ; unsat (pop) ; 3 ; 2.42s ; (get-info :all-statistics) (assert (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@139@01 $FVF))) G@6@01 V@7@01) V@7@01)) (pop) ; 2 ; Joined path conditions (assert (and (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@139@01 $FVF))) G@6@01 V@7@01) V@7@01) (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@139@01 $FVF))) G@6@01 V@7@01) V@7@01))) (assert (<= (SumIncomingFlow ($Snap.combine $Snap.unit $Snap.unit) (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@133@01 $FVF))) G@6@01 V@7@01) V@7@01) (SumIncomingFlow ($Snap.combine $Snap.unit $Snap.unit) (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@139@01 $FVF))) G@6@01 V@7@01) V@7@01))) (assert (= ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second ($Snap.second $t@10@01))))))))))))) $Snap.unit)) ; [eval] SumIncomingFlow(matrixValues(G, V), V) <= SumIncomingFlow(matrixValues(G, V), V) ; [eval] SumIncomingFlow(matrixValues(G, V), V) ; [eval] matrixValues(G, V) (push) ; 2 ; [eval] alen(a2) == V ; [eval] alen(a2) (declare-const i1@140@01 Int) (push) ; 3 ; [eval] 0 <= i1 && i1 < V ; [eval] 0 <= i1 (push) ; 4 ; [then-branch: 22 | 0 <= i1@140@01 | live] ; [else-branch: 22 | !(0 <= i1@140@01) | live] (push) ; 5 ; [then-branch: 22 | 0 <= i1@140@01] (assert (<= 0 i1@140@01)) ; [eval] i1 < V (pop) ; 5 (push) ; 5 ; [else-branch: 22 | !(0 <= i1@140@01)] (assert (not (<= 0 i1@140@01))) (pop) ; 5 (pop) ; 4 ; Joined path conditions ; Joined path conditions (assert (and (< i1@140@01 V@7@01) (<= 0 i1@140@01))) (declare-const $k@141@01 $Perm) (assert ($Perm.isReadVar $k@141@01)) ; [eval] aloc(a2, i1) (push) ; 4 ; [eval] 0 <= i1 ; [eval] i1 < alen(a2) ; [eval] alen(a2) (push) ; 5 (assert (not (< i1@140@01 (alen G@6@01)))) (check-sat) ; unsat (pop) ; 5 ; 0.00s ; (get-info :all-statistics) (assert (< i1@140@01 (alen G@6@01))) (pop) ; 4 ; Joined path conditions (assert (< i1@140@01 (alen G@6@01))) (pop) ; 3 (declare-fun inv@142@01 ($Ref) Int) ; Nested auxiliary terms: globals (assert ($Perm.isReadVar $k@141@01)) ; Nested auxiliary terms: non-globals (assert (forall ((i1@140@01 Int)) (! (< i1@140@01 (alen G@6@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@140@01)) :qid |oa-aux|))) (push) ; 3 (assert (not (forall ((i1@140@01 Int)) (=> (and (< i1@140@01 V@7@01) (<= 0 i1@140@01)) (or (= $k@141@01 $Perm.No) (< $Perm.No $k@141@01)))))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) (declare-const sm@143@01 $FVF) ; Definitional axioms for snapshot map domain ; Definitional axioms for snapshot map values (assert (forall ((r $Ref)) (! (=> (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false) (= ($FVF.lookup_oa (as sm@143@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@143@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef126|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@143@01 $FVF) r)) :qid |qp.fvfResTrgDef127|))) ; Check receiver injectivity (push) ; 3 (assert (not (forall ((i11@140@01 Int) (i12@140@01 Int)) (! (=> (and (and (and (and (< i11@140@01 V@7@01) (<= 0 i11@140@01)) ($FVF.loc_oa ($FVF.lookup_oa (as sm@143@01 $FVF) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@140@01)) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@140@01))) (< $Perm.No $k@141@01)) (and (and (and (< i12@140@01 V@7@01) (<= 0 i12@140@01)) ($FVF.loc_oa ($FVF.lookup_oa (as sm@143@01 $FVF) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@140@01)) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@140@01))) (< $Perm.No $k@141@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@140@01) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@140@01))) (= i11@140@01 i12@140@01)) :qid |oa-rcvrInj|)))) (check-sat) ; unsat (pop) ; 3 ; 0.01s ; (get-info :all-statistics) ; Definitional axioms for inverse functions (assert (forall ((i1@140@01 Int)) (! (=> (and (and (< i1@140@01 V@7@01) (<= 0 i1@140@01)) (< $Perm.No $k@141@01)) (= (inv@142@01 (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@140@01)) i1@140@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@140@01)) :qid |oa-invOfFct|))) (assert (forall ((r $Ref)) (! (=> (and (and (< (inv@142@01 r) V@7@01) (<= 0 (inv@142@01 r))) (< $Perm.No $k@141@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 (inv@142@01 r)) r)) :pattern ((inv@142@01 r)) :qid |oa-fctOfInv|))) (assert (forall ((r $Ref)) (! (=> (and (< (inv@142@01 r) V@7@01) (<= 0 (inv@142@01 r))) ($FVF.loc_oa ($FVF.lookup_oa (as sm@143@01 $FVF) r) r)) :pattern ((inv@142@01 r)) ))) ; Precomputing data for removing quantified permissions (define-fun pTaken@144@01 ((r $Ref)) $Perm (ite (and (< (inv@142@01 r) V@7@01) (<= 0 (inv@142@01 r))) ($Perm.min (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $k@141@01) $Perm.No)) ; Done precomputing, updating quantified chunks ; State saturation: before repetition (set-option :timeout 10) (check-sat) ; unknown ; Constrain original permissions $k@141@01 (assert (forall ((r $Ref)) (! (=> (not (= (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $Perm.No)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< (ite (and (< (inv@142@01 r) V@7@01) (<= 0 (inv@142@01 r))) $k@141@01 $Perm.No) $k@12@01) (< (ite (and (< (inv@142@01 r) V@7@01) (<= 0 (inv@142@01 r))) $k@141@01 $Perm.No) $Perm.No))) :pattern ((inv@13@01 r)) :pattern ((inv@142@01 r)) :qid |qp.srp128|))) ; Intermediate check if already taken enough permissions (set-option :timeout 500) (push) ; 3 (assert (not (forall ((r $Ref)) (=> (and (< (inv@142@01 r) V@7@01) (<= 0 (inv@142@01 r))) (= (- $k@141@01 (pTaken@144@01 r)) $Perm.No))))) (check-sat) ; unsat (pop) ; 3 ; 0.03s ; (get-info :all-statistics) ; Final check if taken enough permissions ; Done removing quantified permissions (declare-const sm@145@01 $FVF) ; Definitional axioms for snapshot map domain (assert (forall ((r $Ref)) (! (and (=> (Set_in r ($FVF.domain_oa (as sm@145@01 $FVF))) (and (and (< (inv@142@01 r) V@7@01) (<= 0 (inv@142@01 r))) (< $Perm.No $k@141@01))) (=> (and (and (< (inv@142@01 r) V@7@01) (<= 0 (inv@142@01 r))) (< $Perm.No $k@141@01)) (Set_in r ($FVF.domain_oa (as sm@145@01 $FVF))))) :pattern ((Set_in r ($FVF.domain_oa (as sm@145@01 $FVF)))) :qid |qp.fvfDomDef131|))) ; Definitional axioms for snapshot map values (assert (forall ((r $Ref)) (! (=> (and (and (and (< (inv@142@01 r) V@7@01) (<= 0 (inv@142@01 r))) (< $Perm.No $k@141@01)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false)) (= ($FVF.lookup_oa (as sm@145@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@145@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef129|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@145@01 $FVF) r)) :qid |qp.fvfResTrgDef130|))) (pop) ; 2 ; Joined path conditions (assert ($Perm.isReadVar $k@141@01)) (assert (forall ((r $Ref)) (! (=> (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false) (= ($FVF.lookup_oa (as sm@143@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@143@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef126|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@143@01 $FVF) r)) :qid |qp.fvfResTrgDef127|))) (assert (forall ((i1@140@01 Int)) (! (=> (and (and (< i1@140@01 V@7@01) (<= 0 i1@140@01)) (< $Perm.No $k@141@01)) (= (inv@142@01 (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@140@01)) i1@140@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@140@01)) :qid |oa-invOfFct|))) (assert (forall ((r $Ref)) (! (=> (and (and (< (inv@142@01 r) V@7@01) (<= 0 (inv@142@01 r))) (< $Perm.No $k@141@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 (inv@142@01 r)) r)) :pattern ((inv@142@01 r)) :qid |oa-fctOfInv|))) (assert (forall ((r $Ref)) (! (and (=> (Set_in r ($FVF.domain_oa (as sm@145@01 $FVF))) (and (and (< (inv@142@01 r) V@7@01) (<= 0 (inv@142@01 r))) (< $Perm.No $k@141@01))) (=> (and (and (< (inv@142@01 r) V@7@01) (<= 0 (inv@142@01 r))) (< $Perm.No $k@141@01)) (Set_in r ($FVF.domain_oa (as sm@145@01 $FVF))))) :pattern ((Set_in r ($FVF.domain_oa (as sm@145@01 $FVF)))) :qid |qp.fvfDomDef131|))) (assert (forall ((r $Ref)) (! (=> (and (and (and (< (inv@142@01 r) V@7@01) (<= 0 (inv@142@01 r))) (< $Perm.No $k@141@01)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false)) (= ($FVF.lookup_oa (as sm@145@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@145@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef129|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@145@01 $FVF) r)) :qid |qp.fvfResTrgDef130|))) (assert (and (forall ((i1@140@01 Int)) (! (< i1@140@01 (alen G@6@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@140@01)) :qid |oa-aux|)) (forall ((r $Ref)) (! (=> (and (< (inv@142@01 r) V@7@01) (<= 0 (inv@142@01 r))) ($FVF.loc_oa ($FVF.lookup_oa (as sm@143@01 $FVF) r) r)) :pattern ((inv@142@01 r)) )) (forall ((r $Ref)) (! (=> (not (= (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $Perm.No)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< (ite (and (< (inv@142@01 r) V@7@01) (<= 0 (inv@142@01 r))) $k@141@01 $Perm.No) $k@12@01) (< (ite (and (< (inv@142@01 r) V@7@01) (<= 0 (inv@142@01 r))) $k@141@01 $Perm.No) $Perm.No))) :pattern ((inv@13@01 r)) :pattern ((inv@142@01 r)) :qid |qp.srp128|)))) (push) ; 2 ; [eval] SquareIntMatrix(G, V) (push) ; 3 (pop) ; 3 ; Joined path conditions (set-option :timeout 0) (push) ; 3 (assert (not (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@145@01 $FVF))) G@6@01 V@7@01) V@7@01))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) (assert (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@145@01 $FVF))) G@6@01 V@7@01) V@7@01)) ; [eval] NonNegativeCapacities(G, V) (push) ; 3 ; [eval] SquareIntMatrix(G, V) (push) ; 4 (pop) ; 4 ; Joined path conditions (pop) ; 3 ; Joined path conditions (push) ; 3 (assert (not (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@145@01 $FVF))) G@6@01 V@7@01) V@7@01))) (check-sat) ; unsat (pop) ; 3 ; 2.12s ; (get-info :all-statistics) (assert (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@145@01 $FVF))) G@6@01 V@7@01) V@7@01)) (pop) ; 2 ; Joined path conditions (assert (and (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@145@01 $FVF))) G@6@01 V@7@01) V@7@01) (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@145@01 $FVF))) G@6@01 V@7@01) V@7@01))) ; [eval] SumIncomingFlow(matrixValues(G, V), V) ; [eval] matrixValues(G, V) (push) ; 2 ; [eval] alen(a2) == V ; [eval] alen(a2) (declare-const i1@146@01 Int) (push) ; 3 ; [eval] 0 <= i1 && i1 < V ; [eval] 0 <= i1 (push) ; 4 ; [then-branch: 23 | 0 <= i1@146@01 | live] ; [else-branch: 23 | !(0 <= i1@146@01) | live] (push) ; 5 ; [then-branch: 23 | 0 <= i1@146@01] (assert (<= 0 i1@146@01)) ; [eval] i1 < V (pop) ; 5 (push) ; 5 ; [else-branch: 23 | !(0 <= i1@146@01)] (assert (not (<= 0 i1@146@01))) (pop) ; 5 (pop) ; 4 ; Joined path conditions ; Joined path conditions (assert (and (< i1@146@01 V@7@01) (<= 0 i1@146@01))) (declare-const $k@147@01 $Perm) (assert ($Perm.isReadVar $k@147@01)) ; [eval] aloc(a2, i1) (push) ; 4 ; [eval] 0 <= i1 ; [eval] i1 < alen(a2) ; [eval] alen(a2) (push) ; 5 (assert (not (< i1@146@01 (alen G@6@01)))) (check-sat) ; unsat (pop) ; 5 ; 0.00s ; (get-info :all-statistics) (assert (< i1@146@01 (alen G@6@01))) (pop) ; 4 ; Joined path conditions (assert (< i1@146@01 (alen G@6@01))) (pop) ; 3 (declare-fun inv@148@01 ($Ref) Int) ; Nested auxiliary terms: globals (assert ($Perm.isReadVar $k@147@01)) ; Nested auxiliary terms: non-globals (assert (forall ((i1@146@01 Int)) (! (< i1@146@01 (alen G@6@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@146@01)) :qid |oa-aux|))) (push) ; 3 (assert (not (forall ((i1@146@01 Int)) (=> (and (< i1@146@01 V@7@01) (<= 0 i1@146@01)) (or (= $k@147@01 $Perm.No) (< $Perm.No $k@147@01)))))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) (declare-const sm@149@01 $FVF) ; Definitional axioms for snapshot map domain ; Definitional axioms for snapshot map values (assert (forall ((r $Ref)) (! (=> (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false) (= ($FVF.lookup_oa (as sm@149@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@149@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef132|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@149@01 $FVF) r)) :qid |qp.fvfResTrgDef133|))) ; Check receiver injectivity (push) ; 3 (assert (not (forall ((i11@146@01 Int) (i12@146@01 Int)) (! (=> (and (and (and (and (< i11@146@01 V@7@01) (<= 0 i11@146@01)) ($FVF.loc_oa ($FVF.lookup_oa (as sm@149@01 $FVF) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@146@01)) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@146@01))) (< $Perm.No $k@147@01)) (and (and (and (< i12@146@01 V@7@01) (<= 0 i12@146@01)) ($FVF.loc_oa ($FVF.lookup_oa (as sm@149@01 $FVF) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@146@01)) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@146@01))) (< $Perm.No $k@147@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i11@146@01) (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i12@146@01))) (= i11@146@01 i12@146@01)) :qid |oa-rcvrInj|)))) (check-sat) ; unsat (pop) ; 3 ; 0.01s ; (get-info :all-statistics) ; Definitional axioms for inverse functions (assert (forall ((i1@146@01 Int)) (! (=> (and (and (< i1@146@01 V@7@01) (<= 0 i1@146@01)) (< $Perm.No $k@147@01)) (= (inv@148@01 (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@146@01)) i1@146@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@146@01)) :qid |oa-invOfFct|))) (assert (forall ((r $Ref)) (! (=> (and (and (< (inv@148@01 r) V@7@01) (<= 0 (inv@148@01 r))) (< $Perm.No $k@147@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 (inv@148@01 r)) r)) :pattern ((inv@148@01 r)) :qid |oa-fctOfInv|))) (assert (forall ((r $Ref)) (! (=> (and (< (inv@148@01 r) V@7@01) (<= 0 (inv@148@01 r))) ($FVF.loc_oa ($FVF.lookup_oa (as sm@149@01 $FVF) r) r)) :pattern ((inv@148@01 r)) ))) ; Precomputing data for removing quantified permissions (define-fun pTaken@150@01 ((r $Ref)) $Perm (ite (and (< (inv@148@01 r) V@7@01) (<= 0 (inv@148@01 r))) ($Perm.min (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $k@147@01) $Perm.No)) ; Done precomputing, updating quantified chunks ; State saturation: before repetition (set-option :timeout 10) (check-sat) ; unknown ; Constrain original permissions $k@147@01 (assert (forall ((r $Ref)) (! (=> (not (= (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $Perm.No)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< (ite (and (< (inv@148@01 r) V@7@01) (<= 0 (inv@148@01 r))) $k@147@01 $Perm.No) $k@12@01) (< (ite (and (< (inv@148@01 r) V@7@01) (<= 0 (inv@148@01 r))) $k@147@01 $Perm.No) $Perm.No))) :pattern ((inv@13@01 r)) :pattern ((inv@148@01 r)) :qid |qp.srp134|))) ; Intermediate check if already taken enough permissions (set-option :timeout 500) (push) ; 3 (assert (not (forall ((r $Ref)) (=> (and (< (inv@148@01 r) V@7@01) (<= 0 (inv@148@01 r))) (= (- $k@147@01 (pTaken@150@01 r)) $Perm.No))))) (check-sat) ; unsat (pop) ; 3 ; 0.03s ; (get-info :all-statistics) ; Final check if taken enough permissions ; Done removing quantified permissions (declare-const sm@151@01 $FVF) ; Definitional axioms for snapshot map domain (assert (forall ((r $Ref)) (! (and (=> (Set_in r ($FVF.domain_oa (as sm@151@01 $FVF))) (and (and (< (inv@148@01 r) V@7@01) (<= 0 (inv@148@01 r))) (< $Perm.No $k@147@01))) (=> (and (and (< (inv@148@01 r) V@7@01) (<= 0 (inv@148@01 r))) (< $Perm.No $k@147@01)) (Set_in r ($FVF.domain_oa (as sm@151@01 $FVF))))) :pattern ((Set_in r ($FVF.domain_oa (as sm@151@01 $FVF)))) :qid |qp.fvfDomDef137|))) ; Definitional axioms for snapshot map values (assert (forall ((r $Ref)) (! (=> (and (and (and (< (inv@148@01 r) V@7@01) (<= 0 (inv@148@01 r))) (< $Perm.No $k@147@01)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false)) (= ($FVF.lookup_oa (as sm@151@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@151@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef135|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@151@01 $FVF) r)) :qid |qp.fvfResTrgDef136|))) (pop) ; 2 ; Joined path conditions (assert ($Perm.isReadVar $k@147@01)) (assert (forall ((r $Ref)) (! (=> (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false) (= ($FVF.lookup_oa (as sm@149@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@149@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef132|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@149@01 $FVF) r)) :qid |qp.fvfResTrgDef133|))) (assert (forall ((i1@146@01 Int)) (! (=> (and (and (< i1@146@01 V@7@01) (<= 0 i1@146@01)) (< $Perm.No $k@147@01)) (= (inv@148@01 (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@146@01)) i1@146@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@146@01)) :qid |oa-invOfFct|))) (assert (forall ((r $Ref)) (! (=> (and (and (< (inv@148@01 r) V@7@01) (<= 0 (inv@148@01 r))) (< $Perm.No $k@147@01)) (= (aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 (inv@148@01 r)) r)) :pattern ((inv@148@01 r)) :qid |oa-fctOfInv|))) (assert (forall ((r $Ref)) (! (and (=> (Set_in r ($FVF.domain_oa (as sm@151@01 $FVF))) (and (and (< (inv@148@01 r) V@7@01) (<= 0 (inv@148@01 r))) (< $Perm.No $k@147@01))) (=> (and (and (< (inv@148@01 r) V@7@01) (<= 0 (inv@148@01 r))) (< $Perm.No $k@147@01)) (Set_in r ($FVF.domain_oa (as sm@151@01 $FVF))))) :pattern ((Set_in r ($FVF.domain_oa (as sm@151@01 $FVF)))) :qid |qp.fvfDomDef137|))) (assert (forall ((r $Ref)) (! (=> (and (and (and (< (inv@148@01 r) V@7@01) (<= 0 (inv@148@01 r))) (< $Perm.No $k@147@01)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< $Perm.No $k@12@01) false)) (= ($FVF.lookup_oa (as sm@151@01 $FVF) r) ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r))) :pattern (($FVF.lookup_oa (as sm@151@01 $FVF) r)) :pattern (($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r)) :qid |qp.fvfValDef135|))) (assert (forall ((r $Ref)) (! ($FVF.loc_oa ($FVF.lookup_oa ($SortWrappers.$SnapTo$FVF ($Snap.first ($Snap.second $t@10@01))) r) r) :pattern (($FVF.lookup_oa (as sm@151@01 $FVF) r)) :qid |qp.fvfResTrgDef136|))) (assert (and (forall ((i1@146@01 Int)) (! (< i1@146@01 (alen G@6@01)) :pattern ((aloc ($Snap.combine $Snap.unit $Snap.unit) G@6@01 i1@146@01)) :qid |oa-aux|)) (forall ((r $Ref)) (! (=> (and (< (inv@148@01 r) V@7@01) (<= 0 (inv@148@01 r))) ($FVF.loc_oa ($FVF.lookup_oa (as sm@149@01 $FVF) r) r)) :pattern ((inv@148@01 r)) )) (forall ((r $Ref)) (! (=> (not (= (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) $k@12@01 $Perm.No) $Perm.No)) (ite (and (< (inv@13@01 r) V@7@01) (<= 0 (inv@13@01 r))) (< (ite (and (< (inv@148@01 r) V@7@01) (<= 0 (inv@148@01 r))) $k@147@01 $Perm.No) $k@12@01) (< (ite (and (< (inv@148@01 r) V@7@01) (<= 0 (inv@148@01 r))) $k@147@01 $Perm.No) $Perm.No))) :pattern ((inv@13@01 r)) :pattern ((inv@148@01 r)) :qid |qp.srp134|)))) (push) ; 2 ; [eval] SquareIntMatrix(G, V) (push) ; 3 (pop) ; 3 ; Joined path conditions (set-option :timeout 0) (push) ; 3 (assert (not (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@151@01 $FVF))) G@6@01 V@7@01) V@7@01))) (check-sat) ; unsat (pop) ; 3 ; 0.00s ; (get-info :all-statistics) (assert (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@151@01 $FVF))) G@6@01 V@7@01) V@7@01)) ; [eval] NonNegativeCapacities(G, V) (push) ; 3 ; [eval] SquareIntMatrix(G, V) (push) ; 4 (pop) ; 4 ; Joined path conditions (pop) ; 3 ; Joined path conditions (push) ; 3 (assert (not (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@151@01 $FVF))) G@6@01 V@7@01) V@7@01))) (check-sat) ; unsat (pop) ; 3 ; 2.50s ; (get-info :all-statistics) (assert (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@151@01 $FVF))) G@6@01 V@7@01) V@7@01)) (pop) ; 2 ; Joined path conditions (assert (and (SquareIntMatrix $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@151@01 $FVF))) G@6@01 V@7@01) V@7@01) (NonNegativeCapacities $Snap.unit (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@151@01 $FVF))) G@6@01 V@7@01) V@7@01))) (assert (<= (SumIncomingFlow ($Snap.combine $Snap.unit $Snap.unit) (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@145@01 $FVF))) G@6@01 V@7@01) V@7@01) (SumIncomingFlow ($Snap.combine $Snap.unit $Snap.unit) (matrixValues ($Snap.combine $Snap.unit ($SortWrappers.$FVFTo$Snap (as sm@151@01 $FVF))) G@6@01 V@7@01) V@7@01))) ; State saturation: after contract (set-option :timeout 50) (check-sat) ; unknown (push) ; 2 (pop) ; 2 (push) ; 2 ; [exec] ; inhale false (pop) ; 2 (pop) ; 1