stdlib: set library revamped

parent 9f605136
:x: marks a potential source of incompatibility
Standard library
* set library revamped
- set.Fset
type `set` -> type `fset` and `choose` -> `pick`
- `appset.Appset` -> `set.SetApp` and `impset.Impset` -> `set.SetImp`
type `t` -> `set` and `.contents` -> `.to_fset`
`empty` -> `empty ()`
Tools
* why3prove counterexamples output is not JSON by default. To restore previous
behavior, pass the argument --json
......
......@@ -278,21 +278,6 @@ module mach.int.State63
syntax val random_int63 "REMOVE"
end
module set.Fset
syntax val mem "REMOVE"
syntax val (==) "REMOVE"
syntax val subset "REMOVE"
syntax val is_empty "REMOVE"
syntax val empty "REMOVE"
syntax val add "REMOVE"
syntax val remove "REMOVE"
syntax val union "REMOVE"
syntax val inter "REMOVE"
syntax val diff "REMOVE"
syntax val choose "REMOVE"
syntax val cardinal "REMOVE"
end
module mach.peano.Peano
syntax type t "int"
syntax val to_int "Z.of_int %1"
......
......@@ -298,21 +298,16 @@ theory set.Set
remove prop mem_empty
syntax function add "add(%1, %2)"
remove prop add_spec
syntax function singleton "singleton(%1)"
syntax function remove "remove(%1, %2)"
remove prop remove_spec
remove prop subset_remove
syntax function union "union(%1, %2)"
remove prop union_spec
syntax function inter "intersection(%1, %2)"
remove prop inter_spec
syntax function diff "difference(%1, %2)"
remove prop diff_spec
remove prop subset_diff
(* TODO: choose *)
......@@ -321,7 +316,7 @@ theory set.Set
end
theory set.Fset
syntax type set "finite_set[%1]"
syntax type fset "finite_set[%1]"
syntax predicate mem "member(%1, %2)"
remove prop extensionality
......@@ -331,24 +326,25 @@ theory set.Fset
syntax function empty "(emptyset :: %t0)"
syntax predicate is_empty "empty?(%1)"
remove prop empty_def
remove prop is_empty_empty
remove prop empty_is_empty
syntax function add "add(%1, %2)"
remove prop add_spec
remove prop add_def
syntax function singleton "singleton(%1)"
syntax function remove "remove(%1, %2)"
remove prop remove_spec
remove prop remove_def
remove prop subset_remove
syntax function union "union(%1, %2)"
remove prop union_spec
remove prop union_def
syntax function inter "intersection(%1, %2)"
remove prop inter_spec
remove prop inter_def
syntax function diff "difference(%1, %2)"
remove prop diff_spec
remove prop diff_def
remove prop subset_diff
(* TODO: choose *)
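Review bot: The `(* TODO: choose *)` comment that closes the `set.Fset` hunk still names `choose`, while the changelog in this same commit records `choose` -> `pick` for `set.Fset`. The comment should read `(* TODO: pick *)` so that a search for the new name finds the missing mapping. No `syntax function` for it is visible in this theory, so the symbol presumably stays uninterpreted on the prover side. The theory's body continues outside the hunk, so this may be handled further down.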
......
......@@ -363,29 +363,30 @@ module WP
use Imp
use set.Fset as Set
clone set.SetApp as S with type elt = ident, val eq = Int.(=)
predicate assigns (sigma:env) (a:Set.set ident) (sigma':env) =
predicate assigns (sigma:env) (a:Set.fset ident) (sigma':env) =
forall i:ident. not (Set.mem i a) ->
IdMap.get sigma i = IdMap.get sigma' i
lemma assigns_refl:
forall sigma:env, a:Set.set ident. assigns sigma a sigma
forall sigma:env, a:Set.fset ident. assigns sigma a sigma
lemma assigns_trans:
forall sigma1 sigma2 sigma3:env, a:Set.set ident.
forall sigma1 sigma2 sigma3:env, a:Set.fset ident.
assigns sigma1 a sigma2 /\ assigns sigma2 a sigma3 ->
assigns sigma1 a sigma3
lemma assigns_union_left:
forall sigma sigma':env, s1 s2:Set.set ident.
forall sigma sigma':env, s1 s2:Set.fset ident.
assigns sigma s1 sigma' -> assigns sigma (Set.union s1 s2) sigma'
lemma assigns_union_right:
forall sigma sigma':env, s1 s2:Set.set ident.
forall sigma sigma':env, s1 s2:Set.fset ident.
assigns sigma s2 sigma' -> assigns sigma (Set.union s1 s2) sigma'
predicate stmt_writes (i:stmt) (w:Set.set ident) =
predicate stmt_writes (i:stmt) (w:Set.fset ident) =
match i with
| Sskip | Sassert _ -> true
| Sassign id _ -> Set.mem id w
......@@ -394,19 +395,19 @@ predicate stmt_writes (i:stmt) (w:Set.set ident) =
end
let rec compute_writes (s:stmt) : Set.set ident
let rec compute_writes (s:stmt) : S.set
ensures {
forall sigma pi sigma' pi':env, n:int.
many_steps sigma pi s sigma' pi' Sskip n ->
assigns sigma result sigma' }
variant { s }
= match s with
| Sskip -> Set.empty
| Sassign i _ -> Set.singleton i
| Sseq s1 s2 -> Set.union (compute_writes s1) (compute_writes s2)
| Sif _ s1 s2 -> Set.union (compute_writes s1) (compute_writes s2)
| Sskip -> S.empty ()
| Sassign i _ -> S.singleton i
| Sseq s1 s2 -> S.union (compute_writes s1) (compute_writes s2)
| Sif _ s1 s2 -> S.union (compute_writes s1) (compute_writes s2)
| Swhile _ _ s -> compute_writes s
| Sassert _ -> Set.empty
| Sassert _ -> S.empty ()
end
val fresh_from_fmla (q:fmla) : ident
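Review bot: The postcondition of `compute_writes` passes `result`, now of type `S.set`, to `assigns`, whose second parameter is declared as `Set.fset ident`, so the contract presumably depends on an implicit conversion from the applicative set to its logical model. Writing `assigns sigma result.S.to_fset sigma'` would state that conversion in the contract, matching the `es.S.to_fset` form used in the `bellman_ford` loop invariants of this commit. The same applies to `ensures { result = edges }` on `get_edges`, which could read `ensures { result.S.to_fset = edges }`. The body of `compute_writes` is complete in the hunk, but module `WP` continues outside it.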
......
......@@ -14,8 +14,8 @@ theory Graph
(* the graph is defined by a set of vertices and a set of edges *)
type vertex
constant vertices: set vertex
constant edges: set (vertex, vertex)
constant vertices: fset vertex
constant edges: fset (vertex, vertex)
predicate edge (x y: vertex) = mem (x,y) edges
......@@ -144,7 +144,7 @@ module BellmanFord
use Graph
use int.IntInf as D
use ref.Ref
clone impset.Impset as S with type elt = (vertex, vertex)
clone set.SetImp as S with type elt = (vertex, vertex)
clone impmap.ImpmapNoDom with type key = vertex
type distmap = ImpmapNoDom.t D.t
......@@ -159,7 +159,7 @@ module BellmanFord
(* [inv1 m pass via] means that we already performed [pass-1] steps
of the main loop, and, in step [pass], we already processed edges
in [via] *)
predicate inv1 (m: distmap) (pass: int) (via: set (vertex, vertex)) =
predicate inv1 (m: distmap) (pass: int) (via: fset (vertex, vertex)) =
forall v: vertex. mem v vertices ->
match m[v] with
| D.Finite n ->
......@@ -180,7 +180,7 @@ module BellmanFord
forall lu: list vertex. path s lu u -> length lu >= pass)
end
predicate inv2 (m: distmap) (via: set (vertex, vertex)) =
predicate inv2 (m: distmap) (via: fset (vertex, vertex)) =
forall u v: vertex. mem (u, v) via ->
D.le m[v] (D.add m[u] (D.Finite (weight u v)))
......@@ -222,7 +222,7 @@ module BellmanFord
)
let relax (m: distmap) (u v: vertex) (pass: int)
(ghost via: set (vertex, vertex))
(ghost via: fset (vertex, vertex))
requires { 1 <= pass /\ mem (u, v) edges /\ not (mem (u, v) via) }
requires { inv1 m pass via }
ensures { inv1 m pass (add (u, v) via) }
......@@ -265,8 +265,8 @@ module BellmanFord
}
end
val get_edges (): S.t
ensures { result.S.contents = edges }
val get_edges (): S.set
ensures { result = edges }
exception NegativeCycle
......@@ -286,9 +286,9 @@ module BellmanFord
invariant { inv1 m i empty }
let es = get_edges () in
while not (S.is_empty es) do
invariant { subset es.S.contents edges /\ inv1 m i (diff edges es.S.contents) }
invariant { subset es.S.to_fset edges /\ inv1 m i (diff edges es.S.to_fset) }
variant { S.cardinal es }
let ghost via = diff edges es.S.contents in
let ghost via = diff edges es.S.to_fset in
let (u, v) = S.choose_and_remove es in
relax m u v i via
done;
......@@ -297,7 +297,7 @@ module BellmanFord
assert { inv1 m (cardinal vertices) empty };
let es = get_edges () in
while not (S.is_empty es) do
invariant { subset es.S.contents edges /\ inv2 m (diff edges es.S.contents) }
invariant { subset es.S.to_fset edges /\ inv2 m (diff edges es.S.to_fset) }
variant { S.cardinal es }
let (u, v) = S.choose_and_remove es in
if D.lt (D.add m[u] (D.Finite (weight u v))) m[v] then begin
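Review bot: The first inner `while` loop's invariant `inv1 m i (diff edges es.S.to_fset)` looks like the goal whose proof became fragile with this change. The session recorded in this commit has `VC bellman_ford.6.1` (loop invariant preservation) moving from 1717 steps on Alt-Ergo 2.0.0 to 7429 steps and 0.99 s on Alt-Ergo 2.2.0, against a 1 s time limit, so a replay on a slower machine may time out there. Either record that proof with the larger limit other goals in the session already use (`timelimit="5"`), or help the prover with a ghost assertion after the call to `relax`, for example `assert { diff edges es.S.to_fset == add (u, v) via }` (to be confirmed by replay). Both loops continue outside the visible hunks.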
......
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE why3session PUBLIC "-//Why3//proof session v5//EN"
"http://why3.lri.fr/why3session.dtd">
<why3session shape_version="5">
<why3session shape_version="6">
<prover id="0" name="Eprover" version="2.0" timelimit="5" steplimit="0" memlimit="1000"/>
<prover id="1" name="Alt-Ergo" version="2.0.0" timelimit="1" steplimit="0" memlimit="1000"/>
<prover id="2" name="Alt-Ergo" version="2.2.0" timelimit="1" steplimit="0" memlimit="1000"/>
<prover id="3" name="CVC4" version="1.6" timelimit="1" steplimit="0" memlimit="1000"/>
<file proved="true">
<path name=".."/>
<path name="bellman_ford.mlw"/>
......@@ -12,21 +14,21 @@
<proof prover="1"><result status="valid" time="0.00" steps="5"/></proof>
</goal>
<goal name="path_in_vertices" proved="true">
<proof prover="1"><result status="valid" time="0.01" steps="30"/></proof>
<proof prover="1"><result status="valid" time="0.01" steps="31"/></proof>
</goal>
<goal name="long_path_decomposition" proved="true">
<transf name="split_goal_right" proved="true" >
<goal name="long_path_decomposition.0" proved="true">
<proof prover="1"><result status="valid" time="0.30" steps="797"/></proof>
<proof prover="1"><result status="valid" time="0.17" steps="797"/></proof>
</goal>
<goal name="long_path_decomposition.1" proved="true">
<proof prover="1"><result status="valid" time="0.13" steps="539"/></proof>
<proof prover="1"><result status="valid" time="0.13" steps="541"/></proof>
</goal>
<goal name="long_path_decomposition.2" proved="true">
<proof prover="1"><result status="valid" time="0.17" steps="486"/></proof>
<proof prover="1"><result status="valid" time="0.17" steps="488"/></proof>
</goal>
<goal name="long_path_decomposition.3" proved="true">
<proof prover="1"><result status="valid" time="0.16" steps="455"/></proof>
<proof prover="1"><result status="valid" time="0.16" steps="454"/></proof>
</goal>
</transf>
</goal>
......@@ -44,7 +46,7 @@
</transf>
</goal>
<goal name="VC simple_path" expl="VC for simple_path" proved="true">
<proof prover="1"><result status="valid" time="0.87" steps="2567"/></proof>
<proof prover="1"><result status="valid" time="0.87" steps="2570"/></proof>
</goal>
<goal name="VC key_lemma_1" expl="VC for key_lemma_1" proved="true">
<transf name="split_goal_right" proved="true" >
......@@ -54,16 +56,16 @@
<proof prover="1"><result status="valid" time="0.01" steps="13"/></proof>
</goal>
<goal name="VC key_lemma_1.0.1" expl="VC for key_lemma_1" proved="true">
<proof prover="1"><result status="valid" time="0.13" steps="246"/></proof>
<proof prover="1"><result status="valid" time="0.13" steps="247"/></proof>
</goal>
<goal name="VC key_lemma_1.0.2" expl="VC for key_lemma_1" proved="true">
<proof prover="1"><result status="valid" time="0.33" steps="732"/></proof>
<proof prover="1"><result status="valid" time="0.33" steps="733"/></proof>
</goal>
<goal name="VC key_lemma_1.0.3" expl="VC for key_lemma_1" proved="true">
<proof prover="1"><result status="valid" time="0.02" steps="25"/></proof>
</goal>
<goal name="VC key_lemma_1.0.4" expl="VC for key_lemma_1" proved="true">
<proof prover="1"><result status="valid" time="0.04" steps="101"/></proof>
<proof prover="1"><result status="valid" time="0.04" steps="100"/></proof>
</goal>
<goal name="VC key_lemma_1.0.5" expl="VC for key_lemma_1" proved="true">
<proof prover="1"><result status="valid" time="0.09" steps="28"/></proof>
......@@ -72,7 +74,7 @@
<proof prover="1"><result status="valid" time="0.09" steps="39"/></proof>
</goal>
<goal name="VC key_lemma_1.0.7" expl="VC for key_lemma_1" proved="true">
<proof prover="1"><result status="valid" time="0.27" steps="725"/></proof>
<proof prover="1"><result status="valid" time="0.27" steps="726"/></proof>
</goal>
<goal name="VC key_lemma_1.0.8" expl="VC for key_lemma_1" proved="true">
<proof prover="1"><result status="valid" time="0.02" steps="47"/></proof>
......@@ -113,7 +115,7 @@
<proof prover="1"><result status="valid" time="0.02" steps="87"/></proof>
</goal>
<goal name="VC inv2_path.1" expl="assertion" proved="true">
<proof prover="1"><result status="valid" time="0.08" steps="342"/></proof>
<proof prover="1"><result status="valid" time="0.08" steps="345"/></proof>
</goal>
<goal name="VC inv2_path.2" expl="variant decrease" proved="true">
<proof prover="1"><result status="valid" time="0.03" steps="32"/></proof>
......@@ -127,15 +129,15 @@
<goal name="VC inv2_path.5" expl="postcondition" proved="true">
<transf name="split_goal_right" proved="true" >
<goal name="VC inv2_path.5.0" expl="postcondition" proved="true">
<proof prover="1"><result status="valid" time="0.05" steps="129"/></proof>
<proof prover="1"><result status="valid" time="0.05" steps="130"/></proof>
</goal>
<goal name="VC inv2_path.5.1" expl="postcondition" proved="true">
<transf name="split_goal_right" proved="true" >
<goal name="VC inv2_path.5.1.0" expl="postcondition" proved="true">
<proof prover="1"><result status="valid" time="0.09" steps="322"/></proof>
<proof prover="1"><result status="valid" time="0.09" steps="323"/></proof>
</goal>
<goal name="VC inv2_path.5.1.1" expl="postcondition" proved="true">
<proof prover="1" timelimit="5"><result status="valid" time="1.38" steps="5536"/></proof>
<proof prover="1" timelimit="5"><result status="valid" time="1.38" steps="5571"/></proof>
</goal>
</transf>
</goal>
......@@ -146,7 +148,7 @@
<goal name="key_lemma_2" proved="true">
<transf name="split_goal_right" proved="true" >
<goal name="key_lemma_2.0" proved="true">
<proof prover="1" timelimit="5"><result status="valid" time="0.62" steps="1596"/></proof>
<proof prover="1" timelimit="5"><result status="valid" time="0.62" steps="1604"/></proof>
</goal>
<goal name="key_lemma_2.1" proved="true">
<proof prover="1"><result status="valid" time="0.02" steps="12"/></proof>
......@@ -170,22 +172,22 @@
<proof prover="1"><result status="valid" time="0.04" steps="69"/></proof>
</goal>
<goal name="VC relax.0.2" expl="VC for relax" proved="true">
<proof prover="0"><result status="valid" time="0.91"/></proof>
<proof prover="0"><result status="valid" time="1.84"/></proof>
</goal>
<goal name="VC relax.0.3" expl="VC for relax" proved="true">
<proof prover="1"><result status="valid" time="0.03" steps="117"/></proof>
</goal>
<goal name="VC relax.0.4" expl="VC for relax" proved="true">
<proof prover="1"><result status="valid" time="0.06" steps="219"/></proof>
<proof prover="1"><result status="valid" time="0.06" steps="221"/></proof>
</goal>
<goal name="VC relax.0.5" expl="VC for relax" proved="true">
<proof prover="1"><result status="valid" time="0.07" steps="261"/></proof>
<proof prover="1"><result status="valid" time="0.07" steps="265"/></proof>
</goal>
<goal name="VC relax.0.6" expl="VC for relax" proved="true">
<proof prover="1"><result status="valid" time="0.12" steps="479"/></proof>
<proof prover="1"><result status="valid" time="0.12" steps="486"/></proof>
</goal>
<goal name="VC relax.0.7" expl="VC for relax" proved="true">
<proof prover="1"><result status="valid" time="0.13" steps="389"/></proof>
<proof prover="1"><result status="valid" time="0.13" steps="393"/></proof>
</goal>
<goal name="VC relax.0.8" expl="VC for relax" proved="true">
<proof prover="1"><result status="valid" time="0.02" steps="23"/></proof>
......@@ -212,13 +214,13 @@
<goal name="VC relax.1.0.0.0.0" expl="true case (postcondition)" proved="true">
<transf name="split_goal_right" proved="true" >
<goal name="VC relax.1.0.0.0.0.0" expl="VC for relax" proved="true">
<proof prover="1"><result status="valid" time="0.04" steps="107"/></proof>
<proof prover="1"><result status="valid" time="0.04" steps="108"/></proof>
</goal>
<goal name="VC relax.1.0.0.0.0.1" expl="VC for relax" proved="true">
<proof prover="1"><result status="valid" time="0.15" steps="443"/></proof>
<proof prover="1"><result status="valid" time="0.15" steps="448"/></proof>
</goal>
<goal name="VC relax.1.0.0.0.0.2" expl="VC for relax" proved="true">
<proof prover="1" timelimit="5"><result status="valid" time="1.35" steps="4082"/></proof>
<proof prover="1" timelimit="5"><result status="valid" time="1.02" steps="3180"/></proof>
</goal>
<goal name="VC relax.1.0.0.0.0.3" expl="VC for relax" proved="true">
<proof prover="1"><result status="valid" time="0.02" steps="99"/></proof>
......@@ -229,7 +231,7 @@
</transf>
</goal>
<goal name="VC relax.1.0.0.0.1" expl="false case (postcondition)" proved="true">
<proof prover="1"><result status="valid" time="0.36" steps="1172"/></proof>
<proof prover="1"><result status="valid" time="0.36" steps="1193"/></proof>
</goal>
</transf>
</goal>
......@@ -245,10 +247,10 @@
<proof prover="1"><result status="valid" time="0.05" steps="101"/></proof>
</goal>
<goal name="VC relax.2.1" expl="assertion" proved="true">
<proof prover="1"><result status="valid" time="0.09" steps="264"/></proof>
<proof prover="1"><result status="valid" time="0.09" steps="269"/></proof>
</goal>
<goal name="VC relax.2.2" expl="VC for relax" proved="true">
<proof prover="1"><result status="valid" time="0.06" steps="182"/></proof>
<proof prover="1"><result status="valid" time="0.06" steps="183"/></proof>
</goal>
</transf>
</goal>
......@@ -262,16 +264,16 @@
<proof prover="1"><result status="valid" time="0.05" steps="89"/></proof>
</goal>
<goal name="VC relax.3.0.0.1" expl="postcondition" proved="true">
<proof prover="1"><result status="valid" time="0.09" steps="180"/></proof>
<proof prover="1"><result status="valid" time="0.09" steps="181"/></proof>
</goal>
<goal name="VC relax.3.0.0.2" expl="postcondition" proved="true">
<proof prover="1"><result status="valid" time="0.09" steps="395"/></proof>
<proof prover="1"><result status="valid" time="0.09" steps="390"/></proof>
</goal>
<goal name="VC relax.3.0.0.3" expl="postcondition" proved="true">
<proof prover="1"><result status="valid" time="0.04" steps="124"/></proof>
</goal>
<goal name="VC relax.3.0.0.4" expl="postcondition" proved="true">
<proof prover="1"><result status="valid" time="0.69" steps="2464"/></proof>
<proof prover="1"><result status="valid" time="0.69" steps="2241"/></proof>
</goal>
</transf>
</goal>
......@@ -290,19 +292,19 @@
<goal name="VC bellman_ford.0.0.0" expl="loop invariant init" proved="true">
<transf name="split_goal_right" proved="true" >
<goal name="VC bellman_ford.0.0.0.0" expl="loop invariant init" proved="true">
<proof prover="0"><result status="valid" time="0.36"/></proof>
<proof prover="0"><result status="valid" time="0.58"/></proof>
</goal>
<goal name="VC bellman_ford.0.0.0.1" expl="loop invariant init" proved="true">
<proof prover="1"><result status="valid" time="0.02" steps="76"/></proof>
</goal>
<goal name="VC bellman_ford.0.0.0.2" expl="loop invariant init" proved="true">
<proof prover="1"><result status="valid" time="0.07" steps="177"/></proof>
<proof prover="1"><result status="valid" time="0.07" steps="100"/></proof>
</goal>
<goal name="VC bellman_ford.0.0.0.3" expl="loop invariant init" proved="true">
<proof prover="1"><result status="valid" time="0.02" steps="78"/></proof>
</goal>
<goal name="VC bellman_ford.0.0.0.4" expl="loop invariant init" proved="true">
<proof prover="1"><result status="valid" time="0.06" steps="136"/></proof>
<proof prover="1"><result status="valid" time="0.06" steps="82"/></proof>
</goal>
</transf>
</goal>
......@@ -311,110 +313,110 @@
</transf>
</goal>
<goal name="VC bellman_ford.1" expl="loop invariant init" proved="true">
<proof prover="1"><result status="valid" time="0.06" steps="121"/></proof>
<proof prover="1"><result status="valid" time="0.06" steps="161"/></proof>
</goal>
<goal name="VC bellman_ford.2" expl="precondition" proved="true">
<proof prover="1"><result status="valid" time="0.02" steps="14"/></proof>
<proof prover="1"><result status="valid" time="0.01" steps="13"/></proof>
</goal>
<goal name="VC bellman_ford.3" expl="precondition" proved="true">
<proof prover="1"><result status="valid" time="0.06" steps="117"/></proof>
<proof prover="1"><result status="valid" time="0.06" steps="25"/></proof>
</goal>
<goal name="VC bellman_ford.4" expl="precondition" proved="true">
<proof prover="1"><result status="valid" time="0.02" steps="18"/></proof>
</goal>
<goal name="VC bellman_ford.5" expl="loop variant decrease" proved="true">
<proof prover="1"><result status="valid" time="0.03" steps="59"/></proof>
<proof prover="1"><result status="valid" time="0.03" steps="41"/></proof>
</goal>
<goal name="VC bellman_ford.6" expl="loop invariant preservation" proved="true">
<transf name="split_goal_right" proved="true" >
<goal name="VC bellman_ford.6.0" expl="VC for bellman_ford" proved="true">
<proof prover="1"><result status="valid" time="0.02" steps="57"/></proof>
<proof prover="3"><result status="valid" time="0.10"/></proof>
</goal>
<goal name="VC bellman_ford.6.1" expl="VC for bellman_ford" proved="true">
<proof prover="1"><result status="valid" time="0.81" steps="1717"/></proof>
<proof prover="2"><result status="valid" time="0.99" steps="7429"/></proof>
</goal>
</transf>
</goal>
<goal name="VC bellman_ford.7" expl="assertion" proved="true">
<proof prover="1" timelimit="5"><result status="valid" time="0.55" steps="1190"/></proof>
<proof prover="1" timelimit="5"><result status="valid" time="0.04" steps="144"/></proof>
</goal>
<goal name="VC bellman_ford.8" expl="loop invariant preservation" proved="true">
<proof prover="1"><result status="valid" time="0.34" steps="1109"/></proof>
<proof prover="1"><result status="valid" time="0.34" steps="1052"/></proof>
</goal>
<goal name="VC bellman_ford.9" expl="assertion" proved="true">
<proof prover="1"><result status="valid" time="0.02" steps="7"/></proof>
</goal>
<goal name="VC bellman_ford.10" expl="loop invariant init" proved="true">
<proof prover="1"><result status="valid" time="0.03" steps="27"/></proof>
<proof prover="1"><result status="valid" time="0.03" steps="29"/></proof>
</goal>
<goal name="VC bellman_ford.11" expl="precondition" proved="true">
<proof prover="1"><result status="valid" time="0.01" steps="13"/></proof>
<proof prover="1"><result status="valid" time="0.02" steps="12"/></proof>
</goal>
<goal name="VC bellman_ford.12" expl="assertion" proved="true">
<transf name="split_goal_right" proved="true" >
<goal name="VC bellman_ford.12.0" expl="VC for bellman_ford" proved="true">
<proof prover="1"><result status="valid" time="0.04" steps="96"/></proof>
<proof prover="1"><result status="valid" time="0.06" steps="109"/></proof>
</goal>
<goal name="VC bellman_ford.12.1" expl="VC for bellman_ford" proved="true">
<proof prover="1"><result status="valid" time="0.07" steps="226"/></proof>
<proof prover="1"><result status="valid" time="0.07" steps="193"/></proof>
</goal>
<goal name="VC bellman_ford.12.2" expl="VC for bellman_ford" proved="true">
<proof prover="1"><result status="valid" time="0.06" steps="103"/></proof>
<proof prover="1"><result status="valid" time="0.04" steps="117"/></proof>
</goal>
<goal name="VC bellman_ford.12.3" expl="VC for bellman_ford" proved="true">
<proof prover="1"><result status="valid" time="0.32" steps="851"/></proof>
<proof prover="1"><result status="valid" time="0.32" steps="1018"/></proof>
</goal>
<goal name="VC bellman_ford.12.4" expl="VC for bellman_ford" proved="true">
<proof prover="1"><result status="valid" time="0.05" steps="206"/></proof>
<proof prover="1"><result status="valid" time="0.05" steps="27"/></proof>
</goal>
<goal name="VC bellman_ford.12.5" expl="VC for bellman_ford" proved="true">
<proof prover="1"><result status="valid" time="0.04" steps="164"/></proof>
<proof prover="1"><result status="valid" time="0.04" steps="175"/></proof>
</goal>
<goal name="VC bellman_ford.12.6" expl="VC for bellman_ford" proved="true">
<proof prover="1"><result status="valid" time="0.20" steps="672"/></proof>
<proof prover="1"><result status="valid" time="0.20" steps="693"/></proof>
</goal>
<goal name="VC bellman_ford.12.7" expl="VC for bellman_ford" proved="true">
<proof prover="1"><result status="valid" time="0.14" steps="239"/></proof>
<proof prover="1"><result status="valid" time="0.14" steps="205"/></proof>
</goal>
<goal name="VC bellman_ford.12.8" expl="VC for bellman_ford" proved="true">
<proof prover="1"><result status="valid" time="0.08" steps="218"/></proof>
<proof prover="1"><result status="valid" time="0.08" steps="29"/></proof>
</goal>
<goal name="VC bellman_ford.12.9" expl="VC for bellman_ford" proved="true">
<proof prover="1"><result status="valid" time="0.21" steps="667"/></proof>
<proof prover="1"><result status="valid" time="0.21" steps="728"/></proof>
</goal>
<goal name="VC bellman_ford.12.10" expl="VC for bellman_ford" proved="true">
<proof prover="1"><result status="valid" time="0.04" steps="188"/></proof>
<proof prover="1"><result status="valid" time="0.04" steps="199"/></proof>
</goal>
</transf>
</goal>
<goal name="VC bellman_ford.13" expl="exceptional postcondition" proved="true">
<proof prover="1"><result status="valid" time="0.01" steps="26"/></proof>
<proof prover="1"><result status="valid" time="0.01" steps="27"/></proof>
</goal>
<goal name="VC bellman_ford.14" expl="loop variant decrease" proved="true">
<proof prover="1"><result status="valid" time="0.03" steps="68"/></proof>
<proof prover="1"><result status="valid" time="0.03" steps="46"/></proof>
</goal>
<goal name="VC bellman_ford.15" expl="loop invariant preservation" proved="true">
<proof prover="1"><result status="valid" time="0.27" steps="807"/></proof>
<proof prover="1"><result status="valid" time="0.27" steps="1001"/></proof>
</goal>
<goal name="VC bellman_ford.16" expl="assertion" proved="true">
<proof prover="1"><result status="valid" time="0.06" steps="104"/></proof>
<proof prover="1"><result status="valid" time="0.06" steps="20"/></proof>
</goal>
<goal name="VC bellman_ford.17" expl="assertion" proved="true">
<proof prover="1"><result status="valid" time="0.04" steps="150"/></proof>
<proof prover="1"><result status="valid" time="0.04" steps="157"/></proof>
</goal>
<goal name="VC bellman_ford.18" expl="postcondition" proved="true">
<transf name="split_goal_right" proved="true" >
<goal name="VC bellman_ford.18.0" expl="postcondition" proved="true">
<proof prover="1"><result status="valid" time="0.05" steps="79"/></proof>
<proof prover="1"><result status="valid" time="0.05" steps="114"/></proof>
</goal>
<goal name="VC bellman_ford.18.1" expl="postcondition" proved="true">
<proof prover="1"><result status="valid" time="0.32" steps="1086"/></proof>
<proof prover="1"><result status="valid" time="0.32" steps="1175"/></proof>
</goal>
<goal name="VC bellman_ford.18.2" expl="postcondition" proved="true">
<proof prover="1"><result status="valid" time="0.05" steps="102"/></proof>
<proof prover="1"><result status="valid" time="0.05" steps="115"/></proof>
</goal>
<goal name="VC bellman_ford.18.3" expl="VC for bellman_ford" proved="true">
<proof prover="1"><result status="valid" time="0.01" steps="29"/></proof>
<proof prover="1"><result status="valid" time="0.01" steps="28"/></proof>
</goal>
</transf>
</goal>
......