From 8a6f9e754506d514e653d1dc1d02fde3d9bd8183 Mon Sep 17 00:00:00 2001
From: Jean-Christophe Filliatre <Jean-Christophe.Filliatre@lri.fr>
Date: Wed, 6 Jun 2018 12:47:53 +0200
Subject: [PATCH] tortoise and hare example totally revamped

this is much closer now to TAOCP, vol 2, exercise 6 page 7
---
 examples/tortoise_and_hare.mlw             | 216 ++++++++----
 examples/tortoise_and_hare/why3session.xml | 374 ++++++++++++++++++++-
 examples/tortoise_and_hare/why3shapes.gz   | Bin 456 -> 3519 bytes
 3 files changed, 502 insertions(+), 88 deletions(-)

diff --git a/examples/tortoise_and_hare.mlw b/examples/tortoise_and_hare.mlw
index cbfd1deb6..d80e2ab81 100644
--- a/examples/tortoise_and_hare.mlw
+++ b/examples/tortoise_and_hare.mlw
@@ -3,88 +3,162 @@
 
    See The Art of Computer Programming, vol 2, exercise 6 page 7. *)
 
-module TortoiseAndHare
+module TortoiseAndHareAlgorithm
 
   use import int.Int
-  use int.Iter
+  use import int.EuclideanDivision
+  use import int.Iter
+  use import seq.Seq
+  use import seq.Distinct
+  use import ref.Refint
+  use import pigeon.Pigeonhole
 
-  type t
-  val predicate eq (x y : t)
-    ensures { result <-> x = y }
+  val function f int : int
 
-  (* let f be a function from t to t *)
-  val function f t : t
+  (* f maps 0..m-1 to 0..m-1 *)
+  constant m: int
+  axiom m_positive: m > 0
+
+  axiom f_range: forall x. 0 <= x < m -> 0 <= f x < m
 
   (* given some initial value x0 *)
-  val constant x0: t
+  val constant x0: int
+    ensures { 0 <= result < m }
 
   (* we can build the infinite sequence defined by x{i+1} = f(xi) *)
-  function x (i: int): t = Iter.iter f i x0
-
-  (* let use assume now that the sequence (x_i) has finitely many distinct
-     values (e.g. f is an integer function with values in 0..m)
-
-     it means that there exists values lambda and mu such that
-     (1) x0, x1, ... x{mu+lambda-1} are all distinct,
-     and
-     (2) x{n+lambda} = x_n when n >= mu. *)
-
-  (* lambda and mu are skomlemized *)
-  constant mu     : int
-  constant lambda : int
-
-  (* they are axiomatized as follows *)
-  axiom mu_range: 0 <= mu
-
-  axiom lambda_range: 1 <= lambda
-
-  axiom distinct:
-    forall i j: int. 0 <= i < mu+lambda -> 0 <= j < mu+lambda ->
-    i <> j -> x i <> x j
-
-  axiom cycle: forall n: int. mu <= n -> x (n + lambda) = x n
-
-  lemma cycle_induction:
-    forall n: int. mu <= n -> forall k: int. 0 <= k -> x (n + lambda * k) = x n
-
-  (* Now comes the code.
-     Two references, tortoise and hare, traverses the sequence (xi)
-     at speed 1 and 2 respectively. We stop whenever they are equal.
-
-     The challenge is to prove termination.
-     Actually, we even prove that the code runs in time O(lambda + mu). *)
-
-  use import ref.Ref
-  use import relations.WellFounded
-
-  (* the minimal distance between x i and x j *)
-  function dist int int : int
-
-  (* it is defined as soon as i,j >= mu *)
-  axiom dist_def: forall i j: int. mu <= i -> mu <= j ->
-    dist i j >= 0 /\
-    x (i + dist i j) = x j /\
-    forall k: int. 0 <= k -> x (i + k) = x j -> dist i j <= k
-
-  predicate rel (t2 t1: t) =
-    exists i: int. t1 = x i /\ t2 = x (i+1) /\ 1 <= i <= mu + lambda /\
-                   (i >= mu -> dist (2*i+2) (i+1) < dist (2*i) i)
-
-  axiom wfrel: well_founded rel
-
-  let tortoise_hare () =
+  function x (i: int): int = iter f i x0
+
+  let rec lemma x_in_range (n: int)
+    requires { 0 <= n } ensures { 0 <= x n < m }
+    variant  { n }
+  = if n > 0 then x_in_range (n - 1)
+
+  (* First, we prove the existence of mu and lambda, with a ghost program.
+     Starting with x0, we repeteadly apply f, storing the elements in
+     a sequence, until we find a repetition. *)
+  let ghost periodicity () : (int, int)
+    returns { mu, lambda ->
+      0 <= mu < m /\ 1 <= lambda <= m /\ mu + lambda <= m /\
+      x (mu + lambda) = x mu /\
+      forall i j. 0 <= i < j < mu + lambda -> x i <> x j
+    }
+  = let s = ref (singleton x0) in
+    let cur = ref x0 in
+    for k = 1 to m do
+      invariant { 1 <= length !s = k <= m /\ !cur = !s[length !s - 1] }
+      invariant { forall i. 0 <= i < length !s -> !s[i] = x i }
+      invariant { distinct !s }
+      cur := f !cur;
+      (* look for a repetition *)
+      for mu = 0 to length !s - 1 do
+        invariant { forall i. 0 <= i < mu -> !s[i] <> !cur }
+        if !cur = !s[mu] then return (mu, length !s - mu)
+      done;
+      s := snoc !s !cur;
+      if k = m then pigeonhole (m+1) m (pure { fun i -> !s[i] })
+    done;
+    absurd
+
+  (* Then we can state the condition for two elements to be equal. *)
+  let lemma equality (mu lambda: int)
+    requires { 0 <= mu < m /\ 1 <= lambda <= m /\ mu + lambda <= m /\
+               x (mu + lambda) = x mu }
+    requires { forall i j. 0 <= i < j < mu + lambda -> x i <> x j }
+    ensures  { forall r n. r > n >= 0 ->
+               x r = x n <-> n >= mu /\ exists k. k >= 1 /\ r-n = k*lambda }
+  = let rec lemma plus_lambda (n: int) variant { n }
+      requires { mu <= n }
+      ensures  { x (n + lambda) = x n } =
+      if n > mu then plus_lambda (n - 1) in
+    let rec lemma plus_lambdas (n k: int) variant { k }
+      requires { mu <= n } requires { 0 <= k }
+      ensures  { x (n + k * lambda) = x n } =
+      if k > 0 then begin
+        plus_lambdas n (k - 1); plus_lambda (n + (k - 1) * lambda) end in
+    let decomp (i: int) : (int, int)
+      requires { i >= mu }
+      returns  { qi,mi -> i = mu + qi * lambda + mi && qi >= 0 &&
+                 0 <= mi < lambda && x i = x (mu + mi) } =
+      let qi = div (i - mu) lambda in
+      let mi = mod (i - mu) lambda in
+      plus_lambdas (mu + mi) qi;
+      qi, mi in
+    let lemma equ (r n: int)
+      requires { r > n >= 0 } requires { x r = x n }
+      ensures  { n >= mu /\ exists k. k >= 1 /\ r-n = k*lambda } =
+      if n < mu then (if r >= mu then let _ = decomp r in absurd)
+      else begin
+        let qr,mr = decomp r in let qn, mn = decomp n in
+        assert { mr = mn };
+        assert { r-n = (qr-qn) * lambda }
+      end in
+    ()
+
+  (* Finally, we implement the tortoise and hare algorithm that computes
+     the values of mu and lambda in linear time and constant space *)
+  let tortoise_and_hare () : (int, int)
+    returns { mu, lambda ->
+      0 <= mu < m /\ 1 <= lambda <= m /\ mu + lambda <= m /\
+      x (mu + lambda) = x mu /\
+      forall i j. 0 <= i < j < mu + lambda -> x i <> x j
+    }
+  = let mu, lambda = periodicity () in
+    equality mu lambda;
+    (* the first loop implements the tortoise and hare,
+       and finds the smallest n >= 1 such that x n = x (2n) *)
     let tortoise = ref (f x0) in
     let hare = ref (f (f x0)) in
-    while not (eq !tortoise !hare) do
+    let n = ref 1 in
+    while !tortoise <> !hare do
       invariant {
-        exists t: int.
-        1 <= t <= mu+lambda /\ !tortoise = x t /\ !hare = x (2 * t) /\
-        forall i: int. 1 <= i < t -> x i <> x (2*i) }
-      variant { !tortoise with rel }
+        1 <= !n <= mu+lambda /\ !tortoise = x !n /\ !hare = x (2 * !n) /\
+        forall i. 1 <= i < !n -> x i <> x (2*i) }
+      variant { mu + lambda - !n }
       tortoise := f !tortoise;
-      hare     := f (f !hare)
-    done
-
-  (* TODO: code to find out lambda and mu. See wikipedia.  *)
+      hare     := f (f !hare);
+      incr n;
+      if !n > mu + lambda then begin
+        let m = lambda - mod mu lambda in
+        let i = mu + m in
+        assert { 2*i - i = (div mu lambda + 1) * lambda };
+        absurd
+      end
+    done;
+    let n = !n in
+    assert { n >= mu };
+    assert { exists k. k >= 1 /\ n = k * lambda >= 1 };
+    assert { forall j. j >= mu -> x j = x (j + n) };
+    let xn = !tortoise in
+    (* a first loop to find mu *)
+    let i   = ref 0  in
+    let xi  = ref x0 in (* = x i     *)
+    let xni = ref xn in (* = x (n+i) *)
+    while !xi <> !xni do
+      invariant { 0 <= !i <= mu }
+      invariant { !xi = x !i /\ !xni = x (n + !i) }
+      invariant { forall j. 0 <= j < !i -> x j <> x (n + j) }
+      variant   { mu - !i }
+      xi  := f !xi;
+      xni := f !xni;
+      incr i;
+    done;
+    let m = !i in
+    assert { m = mu };
+    (* and a second loop to find lambda
+       (this is slightly less efficient than the argument in TAOCP,
+       but since the first loop is already O(mu+lambda), using two loops
+       respectively O(mu) and O(lambda) is not a problem). *)
+    i := 1;
+    xni := f xn;
+    while !xni <> xn do
+      invariant { !xni = x (n + !i) }
+      invariant { forall j. 1 <= j < !i -> x (n + j) <> x n }
+      invariant { 1 <= !i <= lambda }
+      variant   { lambda - !i }
+      xni := f !xni;
+      incr i
+    done;
+    assert { !i = lambda };
+    m, !i
 
 end
diff --git a/examples/tortoise_and_hare/why3session.xml b/examples/tortoise_and_hare/why3session.xml
index dc0139e7f..193523bdf 100644
--- a/examples/tortoise_and_hare/why3session.xml
+++ b/examples/tortoise_and_hare/why3session.xml
@@ -2,30 +2,370 @@
 <!DOCTYPE why3session PUBLIC "-//Why3//proof session v5//EN"
 "http://why3.lri.fr/why3session.dtd">
 <why3session shape_version="4">
-<prover id="0" name="Coq" version="8.7.1" timelimit="5" steplimit="0" memlimit="1000"/>
-<prover id="1" name="Coq" version="8.7.2" timelimit="5" steplimit="0" memlimit="0"/>
-<prover id="3" name="Alt-Ergo" version="1.30" timelimit="5" steplimit="0" memlimit="1000"/>
-<prover id="4" name="Z3" version="4.5.0" timelimit="5" steplimit="0" memlimit="1000"/>
+<prover id="2" name="Alt-Ergo" version="2.0.0" timelimit="1" steplimit="0" memlimit="1000"/>
+<prover id="5" name="Z3" version="4.4.0" timelimit="1" steplimit="0" memlimit="1000"/>
+<prover id="6" name="CVC4" version="1.5" timelimit="1" steplimit="0" memlimit="1000"/>
+<prover id="7" name="Eprover" version="1.8-001" timelimit="16" steplimit="0" memlimit="1000"/>
 <file name="../tortoise_and_hare.mlw" proved="true">
-<theory name="TortoiseAndHare" proved="true">
+<theory name="TortoiseAndHareAlgorithm" proved="true">
  <goal name="VC x0" expl="VC for x0" proved="true">
- <transf name="split_goal_right" proved="true" >
+ <proof prover="6"><result status="valid" time="0.02"/></proof>
+ </goal>
+ <goal name="VC x_in_range" expl="VC for x_in_range" proved="true">
+ <proof prover="2"><result status="valid" time="0.36" steps="311"/></proof>
+ </goal>
+ <goal name="VC periodicity" expl="VC for periodicity" proved="true">
+ <transf name="split_vc" proved="true" >
+  <goal name="VC periodicity.0" expl="loop invariant init" proved="true">
+  <proof prover="6"><result status="valid" time="0.02"/></proof>
+  </goal>
+  <goal name="VC periodicity.1" expl="loop invariant init" proved="true">
+  <proof prover="6"><result status="valid" time="0.18"/></proof>
+  </goal>
+  <goal name="VC periodicity.2" expl="loop invariant init" proved="true">
+  <proof prover="6"><result status="valid" time="0.06"/></proof>
+  </goal>
+  <goal name="VC periodicity.3" expl="loop invariant init" proved="true">
+  <proof prover="2"><result status="valid" time="0.01" steps="16"/></proof>
+  </goal>
+  <goal name="VC periodicity.4" expl="VC for periodicity" proved="true">
+  <proof prover="6"><result status="valid" time="0.19"/></proof>
+  </goal>
+  <goal name="VC periodicity.5" expl="loop invariant preservation" proved="true">
+  <proof prover="6"><result status="valid" time="0.07"/></proof>
+  </goal>
+  <goal name="VC periodicity.6" expl="precondition" proved="true">
+  <proof prover="6"><result status="valid" time="0.03"/></proof>
+  </goal>
+  <goal name="VC periodicity.7" expl="precondition" proved="true">
+  <proof prover="6"><result status="valid" time="0.19"/></proof>
+  </goal>
+  <goal name="VC periodicity.8" expl="loop invariant preservation" proved="true">
+  <proof prover="6"><result status="valid" time="1.24"/></proof>
+  </goal>
+  <goal name="VC periodicity.9" expl="loop invariant preservation" proved="true">
+  <proof prover="2"><result status="valid" time="0.92" steps="823"/></proof>
+  </goal>
+  <goal name="VC periodicity.10" expl="loop invariant preservation" proved="true">
+  <proof prover="6"><result status="valid" time="0.16"/></proof>
+  </goal>
+  <goal name="VC periodicity.11" expl="VC for periodicity" proved="true">
+  <proof prover="6"><result status="valid" time="0.05"/></proof>
+  </goal>
+  <goal name="VC periodicity.12" expl="unreachable point" proved="true">
+  <proof prover="6"><result status="valid" time="0.02"/></proof>
+  </goal>
+  <goal name="VC periodicity.13" expl="unreachable point" proved="true">
+  <proof prover="6"><result status="valid" time="0.06"/></proof>
+  </goal>
  </transf>
  </goal>
- <goal name="cycle_induction" proved="true">
- <proof prover="0" edited="tortoise_and_hare_WP_TortoiseAndHare_cycle_induction_1.v"><result status="valid" time="0.36"/></proof>
+ <goal name="VC equality" expl="VC for equality" proved="true">
+ <transf name="split_vc" proved="true" >
+  <goal name="VC equality.0" expl="variant decrease" proved="true">
+  <proof prover="6"><result status="valid" time="0.02"/></proof>
+  </goal>
+  <goal name="VC equality.1" expl="precondition" proved="true">
+  <proof prover="6"><result status="valid" time="0.03"/></proof>
+  </goal>
+  <goal name="VC equality.2" expl="postcondition" proved="true">
+  <proof prover="6"><result status="valid" time="0.03"/></proof>
+  </goal>
+  <goal name="VC equality.3" expl="variant decrease" proved="true">
+  <proof prover="6"><result status="valid" time="0.07"/></proof>
+  </goal>
+  <goal name="VC equality.4" expl="precondition" proved="true">
+  <proof prover="6"><result status="valid" time="0.05"/></proof>
+  </goal>
+  <goal name="VC equality.5" expl="precondition" proved="true">
+  <proof prover="6"><result status="valid" time="0.05"/></proof>
+  </goal>
+  <goal name="VC equality.6" expl="precondition" proved="true">
+  <transf name="assert" proved="true" arg1="((k-1)*lambda &gt;= 0)">
+   <goal name="VC equality.6.0" proved="true">
+   <proof prover="7"><result status="valid" time="2.45"/></proof>
+   </goal>
+   <goal name="VC equality.6.1" expl="precondition" proved="true">
+   <proof prover="6"><result status="valid" time="0.03"/></proof>
+   </goal>
+  </transf>
+  </goal>
+  <goal name="VC equality.7" expl="postcondition" proved="true">
+  <proof prover="6"><result status="valid" time="0.06"/></proof>
+  </goal>
+  <goal name="VC equality.8" expl="precondition" proved="true">
+  <proof prover="6"><result status="valid" time="0.02"/></proof>
+  </goal>
+  <goal name="VC equality.9" expl="precondition" proved="true">
+  <transf name="split_all_full" proved="true" >
+   <goal name="VC equality.9.0" expl="precondition" proved="true">
+   <proof prover="6"><result status="valid" time="0.09"/></proof>
+   </goal>
+  </transf>
+  </goal>
+  <goal name="VC equality.10" expl="precondition" proved="true">
+  <transf name="split_vc" proved="true" >
+   <goal name="VC equality.10.0" expl="precondition" proved="true">
+   <proof prover="6"><result status="valid" time="0.05"/></proof>
+   </goal>
+  </transf>
+  </goal>
+  <goal name="VC equality.11" expl="precondition" proved="true">
+  <proof prover="5"><result status="valid" time="0.02"/></proof>
+  </goal>
+  <goal name="VC equality.12" expl="postcondition" proved="true">
+  <proof prover="5"><result status="valid" time="0.18"/></proof>
+  </goal>
+  <goal name="VC equality.13" expl="precondition" proved="true">
+  <proof prover="6"><result status="valid" time="0.04"/></proof>
+  </goal>
+  <goal name="VC equality.14" expl="unreachable point" proved="true">
+  <transf name="split_all_full" proved="true" >
+   <goal name="VC equality.14.0" expl="unreachable point" proved="true">
+   <proof prover="6"><result status="valid" time="0.04"/></proof>
+   </goal>
+  </transf>
+  </goal>
+  <goal name="VC equality.15" expl="precondition" proved="true">
+  <proof prover="6"><result status="valid" time="0.03"/></proof>
+  </goal>
+  <goal name="VC equality.16" expl="precondition" proved="true">
+  <transf name="split_vc" proved="true" >
+   <goal name="VC equality.16.0" expl="precondition" proved="true">
+   <proof prover="7"><result status="valid" time="0.03"/></proof>
+   </goal>
+  </transf>
+  </goal>
+  <goal name="VC equality.17" expl="assertion" proved="true">
+  <proof prover="6"><result status="valid" time="0.03"/></proof>
+  </goal>
+  <goal name="VC equality.18" expl="assertion" proved="true">
+  <proof prover="5"><result status="valid" time="0.21"/></proof>
+  </goal>
+  <goal name="VC equality.19" expl="postcondition" proved="true">
+  <proof prover="2"><result status="valid" time="0.03" steps="73"/></proof>
+  </goal>
+  <goal name="VC equality.20" expl="postcondition" proved="true">
+  <transf name="split_vc" proved="true" >
+   <goal name="VC equality.20.0" expl="VC for equality" proved="true">
+   <proof prover="6"><result status="valid" time="0.08"/></proof>
+   </goal>
+   <goal name="VC equality.20.1" expl="VC for equality" proved="true">
+   <proof prover="2"><result status="valid" time="0.01" steps="15"/></proof>
+   </goal>
+   <goal name="VC equality.20.2" expl="VC for equality" proved="true">
+   <transf name="assert" proved="true" arg1="((k-1) * lambda &gt;= 0)">
+    <goal name="VC equality.20.2.0" proved="true">
+    <proof prover="7"><result status="valid" time="5.90"/></proof>
+    </goal>
+    <goal name="VC equality.20.2.1" expl="VC for equality" proved="true">
+    <proof prover="7"><result status="valid" time="0.22"/></proof>
+    </goal>
+   </transf>
+   </goal>
+  </transf>
+  </goal>
+ </transf>
  </goal>
- <goal name="VC tortoise_hare" expl="VC for tortoise_hare" proved="true">
- <transf name="split_goal_right" proved="true" >
-  <goal name="VC tortoise_hare.0" expl="loop invariant init" proved="true">
-  <proof prover="3"><result status="valid" time="0.02" steps="77"/></proof>
-  <proof prover="4" obsolete="true"><result status="valid" time="0.02"/></proof>
+ <goal name="VC tortoise_and_hare" expl="VC for tortoise_and_hare" proved="true">
+ <transf name="split_vc" proved="true" >
+  <goal name="VC tortoise_and_hare.0" expl="precondition" proved="true">
+  <proof prover="6"><result status="valid" time="0.02"/></proof>
+  </goal>
+  <goal name="VC tortoise_and_hare.1" expl="precondition" proved="true">
+  <transf name="split_vc" proved="true" >
+   <goal name="VC tortoise_and_hare.1.0" expl="precondition" proved="true">
+   <transf name="split_all_full" proved="true" >
+    <goal name="VC tortoise_and_hare.1.0.0" expl="precondition" proved="true">
+    <proof prover="6"><result status="valid" time="0.05"/></proof>
+    </goal>
+   </transf>
+   </goal>
+  </transf>
+  </goal>
+  <goal name="VC tortoise_and_hare.2" expl="loop invariant init" proved="true">
+  <proof prover="6"><result status="valid" time="0.07"/></proof>
+  </goal>
+  <goal name="VC tortoise_and_hare.3" expl="precondition" proved="true">
+  <proof prover="6"><result status="valid" time="0.04"/></proof>
+  </goal>
+  <goal name="VC tortoise_and_hare.4" expl="assertion" proved="true">
+  <proof prover="2"><result status="valid" time="0.02" steps="20"/></proof>
+  </goal>
+  <goal name="VC tortoise_and_hare.5" expl="unreachable point" proved="true">
+  <proof prover="2"><result status="valid" time="0.63" steps="396"/></proof>
+  </goal>
+  <goal name="VC tortoise_and_hare.6" expl="loop variant decrease" proved="true">
+  <proof prover="6"><result status="valid" time="0.02"/></proof>
+  </goal>
+  <goal name="VC tortoise_and_hare.7" expl="loop invariant preservation" proved="true">
+  <transf name="split_vc" proved="true" >
+   <goal name="VC tortoise_and_hare.7.0" expl="VC for tortoise_and_hare" proved="true">
+   <proof prover="6"><result status="valid" time="0.04"/></proof>
+   </goal>
+   <goal name="VC tortoise_and_hare.7.1" expl="VC for tortoise_and_hare" proved="true">
+   <proof prover="6"><result status="valid" time="0.03"/></proof>
+   </goal>
+   <goal name="VC tortoise_and_hare.7.2" expl="VC for tortoise_and_hare" proved="true">
+   <proof prover="6"><result status="valid" time="0.29"/></proof>
+   </goal>
+   <goal name="VC tortoise_and_hare.7.3" expl="VC for tortoise_and_hare" proved="true">
+   <proof prover="6"><result status="valid" time="0.12"/></proof>
+   </goal>
+   <goal name="VC tortoise_and_hare.7.4" expl="VC for tortoise_and_hare" proved="true">
+   <proof prover="6"><result status="valid" time="0.10"/></proof>
+   </goal>
+  </transf>
+  </goal>
+  <goal name="VC tortoise_and_hare.8" expl="assertion" proved="true">
+  <proof prover="5"><result status="valid" time="0.04"/></proof>
+  </goal>
+  <goal name="VC tortoise_and_hare.9" expl="assertion" proved="true">
+  <transf name="instantiate" proved="true" arg1="H7" arg2="(n+n),n">
+   <goal name="VC tortoise_and_hare.9.0" expl="assertion" proved="true">
+   <proof prover="2"><result status="valid" time="0.01" steps="33"/></proof>
+   </goal>
+  </transf>
+  </goal>
+  <goal name="VC tortoise_and_hare.10" expl="assertion" proved="true">
+  <transf name="destruct" proved="true" arg1="H1">
+   <goal name="VC tortoise_and_hare.10.0" expl="assertion" proved="true">
+   <transf name="replace" proved="true" arg1="n" arg2="(k*lambda)">
+    <goal name="VC tortoise_and_hare.10.0.0" expl="assertion" proved="true">
+    <transf name="instantiate" proved="true" arg1="H10" arg2="(j+n),j">
+     <goal name="VC tortoise_and_hare.10.0.0.0" expl="assertion" proved="true">
+     <proof prover="6"><result status="valid" time="0.12"/></proof>
+     </goal>
+    </transf>
+    </goal>
+    <goal name="VC tortoise_and_hare.10.0.1" proved="true">
+    <proof prover="6"><result status="valid" time="0.04"/></proof>
+    </goal>
+   </transf>
+   </goal>
+  </transf>
+  </goal>
+  <goal name="VC tortoise_and_hare.11" expl="loop invariant init" proved="true">
+  <transf name="split_all_full" proved="true" >
+   <goal name="VC tortoise_and_hare.11.0" expl="VC for tortoise_and_hare" proved="true">
+   <proof prover="2"><result status="valid" time="0.01" steps="19"/></proof>
+   </goal>
+   <goal name="VC tortoise_and_hare.11.1" expl="VC for tortoise_and_hare" proved="true">
+   <proof prover="6"><result status="valid" time="0.05"/></proof>
+   </goal>
+  </transf>
+  </goal>
+  <goal name="VC tortoise_and_hare.12" expl="loop invariant init" proved="true">
+  <proof prover="6"><result status="valid" time="0.25"/></proof>
+  </goal>
+  <goal name="VC tortoise_and_hare.13" expl="loop invariant init" proved="true">
+  <proof prover="5"><result status="valid" time="0.01"/></proof>
+  </goal>
+  <goal name="VC tortoise_and_hare.14" expl="loop variant decrease" proved="true">
+  <transf name="case" proved="true" arg1="(i = mu+1)">
+   <goal name="VC tortoise_and_hare.14.0" expl="true case (loop variant decrease)" proved="true">
+   <transf name="assert" proved="true" arg1="(x mu = x (mu + n))">
+    <goal name="VC tortoise_and_hare.14.0.0" proved="true">
+    <proof prover="6"><result status="valid" time="0.05"/></proof>
+    </goal>
+    <goal name="VC tortoise_and_hare.14.0.1" expl="true case (loop variant decrease)" proved="true">
+    <proof prover="6"><result status="valid" time="0.12"/></proof>
+    </goal>
+   </transf>
+   </goal>
+   <goal name="VC tortoise_and_hare.14.1" expl="false case (loop variant decrease)" proved="true">
+   <proof prover="5"><result status="valid" time="0.03"/></proof>
+   </goal>
+  </transf>
+  </goal>
+  <goal name="VC tortoise_and_hare.15" expl="loop invariant preservation" proved="true">
+  <transf name="replace" proved="true" arg1="n" arg2="(2*n - n)">
+   <goal name="VC tortoise_and_hare.15.0" expl="loop invariant preservation" proved="true">
+   <proof prover="2"><result status="valid" time="0.01" steps="36"/></proof>
+   </goal>
+   <goal name="VC tortoise_and_hare.15.1" proved="true">
+   <proof prover="6"><result status="valid" time="0.02"/></proof>
+   </goal>
+  </transf>
+  </goal>
+  <goal name="VC tortoise_and_hare.16" expl="loop invariant preservation" proved="true">
+  <proof prover="6"><result status="valid" time="0.27"/></proof>
+  </goal>
+  <goal name="VC tortoise_and_hare.17" expl="loop invariant preservation" proved="true">
+  <proof prover="6"><result status="valid" time="0.07"/></proof>
+  </goal>
+  <goal name="VC tortoise_and_hare.18" expl="assertion" proved="true">
+  <proof prover="6"><result status="valid" time="0.60"/></proof>
+  </goal>
+  <goal name="VC tortoise_and_hare.19" expl="loop invariant init" proved="true">
+  <proof prover="6"><result status="valid" time="0.09"/></proof>
+  </goal>
+  <goal name="VC tortoise_and_hare.20" expl="loop invariant init" proved="true">
+  <proof prover="6"><result status="valid" time="0.03"/></proof>
+  </goal>
+  <goal name="VC tortoise_and_hare.21" expl="loop invariant init" proved="true">
+  <proof prover="6"><result status="valid" time="0.05"/></proof>
+  </goal>
+  <goal name="VC tortoise_and_hare.22" expl="loop variant decrease" proved="true">
+  <proof prover="6"><result status="valid" time="0.04"/></proof>
+  </goal>
+  <goal name="VC tortoise_and_hare.23" expl="loop invariant preservation" proved="true">
+  <proof prover="6"><result status="valid" time="0.06"/></proof>
+  </goal>
+  <goal name="VC tortoise_and_hare.24" expl="loop invariant preservation" proved="true">
+  <proof prover="2"><result status="valid" time="0.02" steps="41"/></proof>
+  </goal>
+  <goal name="VC tortoise_and_hare.25" expl="loop invariant preservation" proved="true">
+  <transf name="split_vc" proved="true" >
+   <goal name="VC tortoise_and_hare.25.0" expl="VC for tortoise_and_hare" proved="true">
+   <proof prover="6"><result status="valid" time="0.03"/></proof>
+   </goal>
+   <goal name="VC tortoise_and_hare.25.1" expl="VC for tortoise_and_hare" proved="true">
+   <transf name="assert" proved="true" arg1="(x (n+lambda) = x n)">
+    <goal name="VC tortoise_and_hare.25.1.0" proved="true">
+    <proof prover="6"><result status="valid" time="0.39"/></proof>
+    </goal>
+    <goal name="VC tortoise_and_hare.25.1.1" expl="VC for tortoise_and_hare" proved="true">
+    <proof prover="5"><result status="valid" time="0.02"/></proof>
+    </goal>
+   </transf>
+   </goal>
+  </transf>
   </goal>
-  <goal name="VC tortoise_hare.1" expl="loop variant decrease" proved="true">
-  <proof prover="1" memlimit="1000" edited="tortoise_and_hare_WP_TortoiseAndHare_WP_parameter_tortoise_hare_1.v"><result status="valid" time="0.43"/></proof>
+  <goal name="VC tortoise_and_hare.26" expl="assertion" proved="true">
+  <transf name="instantiate" proved="true" arg1="H23" arg2="(n+i),n">
+   <goal name="VC tortoise_and_hare.26.0" expl="assertion" proved="true">
+   <transf name="assert" proved="true" arg1="(exists k. k &gt;= 1 /\ i = k * lambda)">
+    <goal name="VC tortoise_and_hare.26.0.0" proved="true">
+    <proof prover="6"><result status="valid" time="0.04"/></proof>
+    </goal>
+    <goal name="VC tortoise_and_hare.26.0.1" expl="assertion" proved="true">
+    <transf name="destruct" proved="true" arg1="h">
+     <goal name="VC tortoise_and_hare.26.0.1.0" expl="assertion" proved="true">
+     <transf name="case" proved="true" arg1="(k=1)">
+      <goal name="VC tortoise_and_hare.26.0.1.0.0" expl="true case (assertion)" proved="true">
+      <proof prover="6"><result status="valid" time="0.04"/></proof>
+      </goal>
+      <goal name="VC tortoise_and_hare.26.0.1.0.1" expl="false case (assertion)" proved="true">
+      <transf name="assert" proved="true" arg1="(x (n + (k-1) * lambda) = x n)">
+       <goal name="VC tortoise_and_hare.26.0.1.0.1.0" proved="true">
+       <proof prover="6"><result status="valid" time="0.52"/></proof>
+       </goal>
+       <goal name="VC tortoise_and_hare.26.0.1.0.1.1" expl="false case (assertion)" proved="true">
+       <proof prover="6"><result status="valid" time="0.60"/></proof>
+       </goal>
+      </transf>
+      </goal>
+     </transf>
+     </goal>
+    </transf>
+    </goal>
+   </transf>
+   </goal>
+  </transf>
   </goal>
-  <goal name="VC tortoise_hare.2" expl="loop invariant preservation" proved="true">
-  <proof prover="1" timelimit="10" edited="tortoise_and_hare_WP_TortoiseAndHare_WP_parameter_tortoise_hare_2.v"><result status="valid" time="0.56"/></proof>
+  <goal name="VC tortoise_and_hare.27" expl="postcondition" proved="true">
+  <proof prover="5"><result status="valid" time="0.24"/></proof>
   </goal>
  </transf>
  </goal>
diff --git a/examples/tortoise_and_hare/why3shapes.gz b/examples/tortoise_and_hare/why3shapes.gz
index 018df525ad04fa02c183c9992cd539081db4946d..93fa28bc56a5fbd5c1b12e88ef3845e4a9d5e570 100644
GIT binary patch
literal 3519
zcmV;w4M6fAiwFP!00000|HWF{jvTiUeebWB$2f)o7B58-h>RFP3<wCEw|NNyp;#pC
zv7}jRcV#GlpTpJ8O!rRD>?X1kU8kp;#bUAQ)H&>}rnwM>edg><7pcLf%GOmEso1#L
z{$<l|Za1II{Zy2KG1m6fSUdMdt|ZObaphu_j?cc??cdzW{>LV}ecyfB{7F7-jlBQv
zaQRBj_~!NOHl5w3zdc@mvo%V8|KaiKTU?p>qg#8t+S={%mRZ<%JvZ@s@!a=Qt%`+5
z<|^HJ+k7ZNEQJty>s-TOalf?N-A&!;?*3o>Xi(|#)7M+X;XB-@ySw|{UhlX5;Lt01
zzxy;k{NtZnzYSPnIQoFgcWwXU{ZFUIAN&g6A4hN9eEeZq$6=WDIB@REDXg!K&n|pD
zO-C~yj_%Vjps%Ksn3~vVttmD)mkg<>X>39h-^1qJ&CM^H-Tqg(-O2tQpLX}h$v>Hs
z|8n!hf4O<$$(h$@PaM9UI)!8kx601sM7bg{GyX)=d{k4edbMy#KFMwpn|fhQsD;L2
zObVeH>ro@w)uwjU+#y_W2i}PBrD#hocz9u$G=~(m!_$`5#{aP5&mH{HkGE58Rhq9{
zOCX^ZJBevRj<Zb~60hXt$=oPARMIKWj(IBYKgv6KU#gs{$82d?J*Vs&p?NwG-@X5M
zo^`VaW+lDy)!4+P2V>|G2Ht<1V(l%sSZ%NrDQ82-LQXkJO~LTl{{C{??%M6Ia=*LT
zUkfY+slv6DT7v}U&ORh7o~aZknT8>~+1K4LboB5>ZWa#SOi7}zzHm*oXWKOO9tN5k
z!j;LoZs+s=e||{2rN!BusV0x2tG1+8JY`reHL-Y$)tlPlwY49Yj>RsQzbw7GHRzDH
zt3`M>zrR+Fcaspa2b5+cz4215V8c*C+>1myFUM7vm%BB}(!xL>8<ImP2m$s!*-%3w
zlPYrKs@Y?C-c1g;m2+fMOHZYQlzQ%jstVRf>vg4^X2VyoT<*5ZW`@f{FfLZp|8z@U
zABQ}q)|R$*_Su~fz#WWD=!K~VLp__02AC4{8i0V-H8LTX&By(16a7ibySDk|X1BlZ
zQ|&HMwN;V%fYDYPz!PDu9s5?QT^%zZG8@w{$XhK`)T7K%iyQ?|df1Ql0jM%IW4V@Z
z(DDyX{}FBV7=dqJjh^_|*`?c>4>Mr2`0HNJZl74ix5Mc7Ps8@jHf;GgRa{IJms9a6
z9mZ6n*Yo`Ld@2~7CB|W@w9SX9rW##BbR5|lV`TwHBd!`dm`MT!+Z=Kp?FsR{JF%`C
z*)O1FKS_x$CN4gjYFiYgD6JS&LYLqGrfXpJYT)wCB#A=w#h~SLD8gL;%_+B-tMS-F
zZ0X(o)4}u3u|GAA{gep%+|gvC=9a|OT3iRlMWhaQYp$*8?P67LC*)-7NHB{YVUls7
zR+oJ<uAA6GUx(m_RqdzX8sdw%1Ta1jU-Vg<9HHZu9ue#Hu@A^!3&G!HB;-^}WQXxC
zD*8#Ks+=xQdy2^8CLa;t?XfFP3U=LnuSpP;#vY5J3N8{HBGq%;95d>Q6*ZG9Irxai
zBpOQV)`LHk#xVx;6l3!jx><q)hE_O<z?Tl_*9zdM*w^f1)EA`1!TQ^If>?+WrzIs5
zmD#C_cJycb2L5+#3%5^={<!Rh`p7n@16*OL%yzIQgIIt-b(5bP55Cq?aTeX8Shh*L
z%Oz5$LR~-)pB;~fjpybQ^B~S38-qxWrWJau?OLgQ$=FnyRgVT20$7Okq@(?I)4|oj
zCi=yM{s6uq2o=zvvbqX_AxT+-^`JMU<KN4Bxg?11cQa16drI>jh~4f4h?x0=h)Cw6
zrJ2P;ihS4|ndG2HEdW0N8zs36I4l~yrU*Flbu{yprDD3<K`T8dgw5Iwx>GT^<-k6&
zEsCy#FqgGvB@WC11rKhY5oQCNu%>2IRT8A7TN^`4022Tce5*Yga-ecRxYE3pBH@~k
zuJhP@f|3x^tD;9~0~B<VY{Zsc7`y+{u?Ql79Y_y=i=5#;xTX)lMB5~2*~lHp)snHn
z;XQ(im4QOHWPql{mP|et$QA=2@G2_<4~TNRf-)a&<-?(AOhL#h+f1ebY!$Fwl&}!^
z13V;qAvag-4~DkLNc3d0=-{8jkiB%u9DUBrH5!SzE4S>62Nw$IH=l9FPcV9bAQ}sT
zSgQKYrJ)L&S4Bl91#jY7FVLgI3XG=Uk#9Lmb-^?+a^G@Fg&LS$q377uOV%)TFf|9V
z<x?{i?s;gRV304AgSMP6PI6de><F#*jB+SwP2iY@V#y9`q!^-kX`>4S(9@<0M}&h<
zYGPJNEjuVEy}a6kBc`W@h8v7kG&M;`+NcPA0zx>b_=AD_o7?-F-CcVl`}*c5xox}M
zZZ5iMkV|qi*?lC|gE*dOI-bP6g-js3rn(=7!Dw7L<$1U@lg&>ql@>F`rNTa09OI7X
z1H(#K90%ZD_-<14V2=iz0D~n93d1;&p~|Qw<meiz{67y5tar(}h-|3n6fU9=46-32
z9ZEGNUTET<8`{rbI@~o@=ygpFbREb+-dcxViiCtXYVyo*%1te#QA=R8&Wd&zNRhzg
zd=K$V{V$J_9?pIa1*3MMP?t(^Ax%4ee_D(@J^bqN-V>pDws-TpN|TMuy;(>H)D<`h
zLeOHejD;bM^0Q3J0eiLE1R@f06jJN~h<XoAz|efS(p8R&7_8z6dVCFG|Le)=8S##Z
zv>Np#Mv~Y7`pf~K(ph}!vexFo2f$a+>p&3DCkj^BNWs}b+Q2;@&nGTwnx((<GT2|c
zw{mc_`W%RzubJ2wsBx1)mrQXSI5@BoKyQ25A=<T+S~#;zsezF5ai>RL$pK0S{>}=1
ze?6&&ZbNvh?+$VndKS1J)JNA-$0k)V<sw!u&1BH9Qc?*6=phkocM;U0q02*WIrqGo
zHD9M<3EDP-Ie|2>4^|_zx`8GQpit_cGrJ7TR8fTu3^LUYTCTnJ;w5F)Xh8+KJa6uN
z52h5+>uLdgiW<5BiEadq6<IBpY%crw6scxKHje)k>MvImZ2<SM2K2*0mc!Y>3eRfw
zKvl>_a63Y^h3MG=EwBUNDqzVO+P<v~e9BDbNcB8#aiHUv1Y)5u2_^~-+zP~%0l5;~
zZ$D!$IgW69pbF>Q&5&f-bMjTyw73Ff=mWF%`SZvHN9ZX5I1POY9tb#WBScUW6wz2-
zWF%DxX=hUz#4-lR>)?aYTsrzYt9gNu1DGB}`xM231)`QZ<aO{db&zyb9x}<tRr3F=
zO{X^XkUcSA)PrmE<VBjeVgiGPZ_cAXbErvGLTC|VYCQ?}P8FM=>=1Ri@@D9fKg{tJ
zjmS!?maXy5HpqblMTh?7fuG=qCFlz<XP7aBAptpVazubWTM7tYrhz}tR`Y?}c)~9S
z0oqFv*R!#vwC1ppB@zXH_087|Uk>r#&sF$CpEr|$#haYemRNjoSy~Lr6uOPTvb_2_
z?1u~cy9cMKE~$b`m!3lwjZ`X1A&QtZPG<ZI`{XzgSX``j!f|6Nh$+y=A-huro@8My
z&DxqAnzr|w``eFgqnKs$ht<iy`jXkRcM=0gWc9wLRMmhK8c5+mGNQ?wS*$Q%!Ibxt
z6Mzz!4+=AkGfHQfEtt1Op(EkS@9R5vt`MJAKpP6Fh-GmyUaktVuGmeNcXz+v^aKg#
z!GIa$5A?gJ8;3m65bC%jcUHbDZ<2<vcv8l{r{NUA%sCbo^4i!_2;+^d;bd(}W(BS0
z40S)~h~P0}-2mk@-tblSkm>*&4@Bd$l3sm#_G!OcRNZb?)t}#{6+-HRI$)CCO9xie
zM1aH=$~fRUdr5tP4xU%Hf>Z*=8WFJHI}g?a^Mej}XsPp-`Z<h11(YNe&)(M2F`&BG
zrB0olPp#ASpDcK~+=)_->>1#g0=ZH1YD~4`oxX)1tH8e?HK!##&@ZB{CPZ)rN@d`y
zcU(;NnbD3k^VLQoE9alkOjB==Ld|n02d#lX*%~`yZ-aNWHuFLxe5ClhvoBT)>u_^&
zE`yhWO?uFW9#zpE$1!E&$RXDH-zC~qy8-o89a0y_0q7XZ1WN}9hSu{-6YJ>?)NUIx
z0kV0#fV3o;OX-DV$TU80LzhZ+btkNeuG$#Eqio}300bSMJK))wpz%dgVmJ9{q4h1&
zmoksxl<*mJAA-Ht_yRLW2dCaqM5Xa4N3x(XxjVoVaEd{zYTvBJYWDU7eBS#KGO(w?
zyM#&rXNqyWAA@lEkDN&kbRvx(4GTFqGqw`6z!Q`R*1WF24`Y!I1{;*ggY6>c3i=nM
zT1dzSgPpuK7UI-~Iyj#}@{FDdUgM)TXhBiJEC@$wfBBHong_f`7jrp+o%#l0GTy6L
zbh)%fy^nr)Bn4<n&)~7WM>|es7&1}CgleT<UjrISY~Y&()Q@AXpnXldYbm3Rrg;ZH
zn)&M7j-Z5^bv7rY1y})vT5HIKLJM4_E_(4*LnwFaif<U7ivX~-mKF$M0r+QH&#dLi
z$^6{)^D%YJ+HDC82HOglO=&el0aQyVWv4Ipt|hd*NZKls2geR0hfx5r#SA$amPhU{
t`a!4N3<_WPBTl=|vUcToa@?68OfIel3Y?B3m$wEz_%~(>y)JAi005UF&DsC}

literal 456
zcmV;(0XP01iwFP!00000|IL#>Z`&{s#dm!Q&FONa_!p>w8bu6v$yD50oX8_0z_DUk
z3H0$xHI^wA$WnCZB$7`@zV|!QdmYI&5`2I_Oaff=$&!)`L7KM4?{(^jdV;Z{mLdl$
zqa&G=Z@mN8sK7QTrK3wVb?4Mg^^T_7=nKMa^gt(iX(OSa3E_BK{kjW);!vja@`iAz
zLQ7IQ(n5gord3I4B10)!9klX(aW(eC*mqa{`Ah>pmE%$0Ej$E?`hEavRQqzcKz&%I
zJ8U*Zst7XgxGF=n#LISXxi*`s$30O9oK2n3qPyIkeSE(yUo^8!KZZ9xpxFQZU!pj!
zEG0^r$Z_Q*WnvY0ZbBoq2@DNLCIi6QXd8uYyixV3?_cZg{7yqh=P{4EaScdpvWfyo
zAZ)UT0%-O^6KpDBt<KuI{NDY~K*3|BOad*fYLoFw3zr+7+ucOZIiigEBghgX-@k$B
z$_1}R^EqBM%YT9Q_(Xh}Q4}FhF3aK?q}$+d1*Ai}$?8@&ZOhOWVSXK}GPDc8s&z5r
y36?yyksAXZLdxzHQxG!9KO6o!@Rf&m8oU1dKfR293g51LRlfi^%O*+71ONb}_u2^n

-- 
GitLab