library int.NumOf now takes some higher-order predicate as argument

no more need for cloning
similar change in array.NumOf and array.NumOfEq
updated proofs
parent 189ef30c
* marks an incompatible change
library
* renamed library int.NumOfParam into int.NumOf; the predicate numof
now takes some higher-order predicate as argument (no more need
for cloning). Similar change in modules array.NumOf...
version 0.85, September 17, 2014
================================
......@@ -18,6 +18,7 @@
module Spec
use export int.Int
use int.NumOf as N
use export array.Array
use export array.IntArraySorted
......@@ -31,22 +32,20 @@ module Spec
(* we introduce two predicates:
- [numeq a v l u] is the number of values in a[l..u[ equal to v
- [numlt a v l u] is the number of values in a[l..u[ less than v *)
type param = (array int, int)
function numeq (a: array int) (v i j : int) : int =
N.numof (\ k. a[k] = v) i j
predicate eq (p: param) (i: int) = let (a,v) = p in a[i] = v
clone int.NumOfParam as Neq with type param = param, predicate pr = eq
function numeq (a: array int) (v i j : int) : int = Neq.num_of (a, v) i j
predicate lt (p: param) (i: int) = let (a,v) = p in a[i] < v
clone int.NumOfParam as Nlt with type param = param, predicate pr = lt
function numlt (a: array int) (v i j : int) : int = Nlt.num_of (a, v) i j
function numlt (a: array int) (v i j : int) : int =
N.numof (\ k. a[k] < v) i j
(* an ovious lemma relates numeq and numlt *)
lemma eqlt:
forall a: array int. k_values a ->
forall v: int. 0 <= v < k ->
forall l u: int. 0 <= l < u <= length a ->
numlt a v l u + numeq a v l u = numlt a (v+1) l u
let rec lemma eqlt (a: array int) (v: int) (l u: int)
requires { k_values a }
requires { 0 <= v < k }
requires { 0 <= l < u <= length a }
ensures { numlt a v l u + numeq a v l u = numlt a (v+1) l u }
variant { u - l }
= if l < u-1 then eqlt a v (l+1) u
(* permutation of two arrays is here conveniently defined using [numeq]
i.e. as the equality of the two multi-sets *)
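Review bot: The lambdas at `N.numof (\ k. a[k] = v) i j` and `N.numof (\ k. a[k] < v) i j` bind `k`, which is also the module's bound constant used in `requires { 0 <= v < k }` a few lines later; the shadowing is harmless but easy to misread, so I would pick a binder that is free here, e.g. `N.numof (\ n. a[n] = v) i j` and `N.numof (\ n. a[n] < v) i j`. The hypotheses `k_values a` and `0 <= v < k` on the new `let rec lemma eqlt` also look stronger than the statement needs: on integers `a[n] < v+1` is exactly `a[n] < v \/ a[n] = v`, so the ensures should hold for every `v` and every `0 <= l <= u <= length a`, and dropping them (with `requires { 0 <= l <= u <= length a }` and `= if l < u then eqlt a v (l+1) u`) would make the lemma usable before `k_values` is established — worth trying, since whether the provers actually needed them is not visible from this hunk. The context comment `(* an ovious lemma relates numeq and numlt *)` has a typo for "obvious".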
(* This file is generated by Why3's Coq 8.4 driver *)
(* Beware! Only edit allowed sections below *)
Require Import BuiltIn.
Require BuiltIn.
Require int.Int.
Require map.Map.
(* Why3 assumption *)
Definition unit := unit.
(* Why3 assumption *)
Inductive array
(a:Type) {a_WT:WhyType a} :=
| mk_array : Z -> (@map.Map.map Z _ a a_WT) -> array a.
Axiom array_WhyType : forall (a:Type) {a_WT:WhyType a}, WhyType (array a).
Existing Instance array_WhyType.
Implicit Arguments mk_array [[a] [a_WT]].
(* Why3 assumption *)
Definition elts {a:Type} {a_WT:WhyType a} (v:(@array a a_WT)): (@map.Map.map
Z _ a a_WT) := match v with
| (mk_array x x1) => x1
end.
(* Why3 assumption *)
Definition length {a:Type} {a_WT:WhyType a} (v:(@array a a_WT)): Z :=
match v with
| (mk_array x x1) => x
end.
(* Why3 assumption *)
Definition get {a:Type} {a_WT:WhyType a} (a1:(@array a a_WT)) (i:Z): a :=
(map.Map.get (elts a1) i).
(* Why3 assumption *)
Definition set {a:Type} {a_WT:WhyType a} (a1:(@array a a_WT)) (i:Z)
(v:a): (@array a a_WT) := (mk_array (length a1) (map.Map.set (elts a1) i
v)).
(* Why3 assumption *)
Definition make {a:Type} {a_WT:WhyType a} (n:Z) (v:a): (@array a a_WT) :=
(mk_array n (map.Map.const v:(@map.Map.map Z _ a a_WT))).
(* Why3 assumption *)
Definition sorted_sub (a:(@map.Map.map Z _ Z _)) (l:Z) (u:Z): Prop :=
forall (i1:Z) (i2:Z), ((l <= i1)%Z /\ ((i1 <= i2)%Z /\ (i2 < u)%Z)) ->
((map.Map.get a i1) <= (map.Map.get a i2))%Z.
(* Why3 assumption *)
Definition sorted_sub1 (a:(@array Z _)) (l:Z) (u:Z): Prop := (sorted_sub
(elts a) l u).
(* Why3 assumption *)
Definition sorted (a:(@array Z _)): Prop := (sorted_sub (elts a) 0%Z
(length a)).
Parameter k: Z.
Axiom k_positive : (0%Z < k)%Z.
(* Why3 assumption *)
Definition k_values (a:(@array Z _)): Prop := forall (i:Z), ((0%Z <= i)%Z /\
(i < (length a))%Z) -> ((0%Z <= (get a i))%Z /\ ((get a i) < k)%Z).
(* Why3 assumption *)
Definition param := ((@array Z _)* Z)%type.
(* Why3 assumption *)
Definition eq (p:((@array Z _)* Z)%type) (i:Z): Prop :=
match p with
| (a, v) => ((get a i) = v)
end.
Parameter num_of: ((@array Z _)* Z)%type -> Z -> Z -> Z.
Axiom Num_of_empty : forall (p:((@array Z _)* Z)%type) (a:Z) (b:Z),
(b <= a)%Z -> ((num_of p a b) = 0%Z).
Axiom Num_of_right_no_add : forall (p:((@array Z _)* Z)%type) (a:Z) (b:Z),
(a < b)%Z -> ((~ (eq p (b - 1%Z)%Z)) -> ((num_of p a b) = (num_of p a
(b - 1%Z)%Z))).
Axiom Num_of_right_add : forall (p:((@array Z _)* Z)%type) (a:Z) (b:Z),
(a < b)%Z -> ((eq p (b - 1%Z)%Z) -> ((num_of p a b) = (1%Z + (num_of p a
(b - 1%Z)%Z))%Z)).
Axiom Num_of_bounds : forall (p:((@array Z _)* Z)%type) (a:Z) (b:Z),
(a < b)%Z -> ((0%Z <= (num_of p a b))%Z /\ ((num_of p a
b) <= (b - a)%Z)%Z).
Axiom Num_of_append : forall (p:((@array Z _)* Z)%type) (a:Z) (b:Z) (c:Z),
((a <= b)%Z /\ (b <= c)%Z) -> ((num_of p a c) = ((num_of p a b) + (num_of p
b c))%Z).
Axiom Num_of_left_no_add : forall (p:((@array Z _)* Z)%type) (a:Z) (b:Z),
(a < b)%Z -> ((~ (eq p a)) -> ((num_of p a b) = (num_of p (a + 1%Z)%Z b))).
Axiom Num_of_left_add : forall (p:((@array Z _)* Z)%type) (a:Z) (b:Z),
(a < b)%Z -> ((eq p a) -> ((num_of p a b) = (1%Z + (num_of p (a + 1%Z)%Z
b))%Z)).
Axiom Empty : forall (p:((@array Z _)* Z)%type) (a:Z) (b:Z), (forall (n:Z),
((a <= n)%Z /\ (n < b)%Z) -> ~ (eq p n)) -> ((num_of p a b) = 0%Z).
Axiom Full : forall (p:((@array Z _)* Z)%type) (a:Z) (b:Z), (a <= b)%Z ->
((forall (n:Z), ((a <= n)%Z /\ (n < b)%Z) -> (eq p n)) -> ((num_of p a
b) = (b - a)%Z)).
Axiom num_of_increasing : forall (p:((@array Z _)* Z)%type) (i:Z) (j:Z)
(k1:Z), ((i <= j)%Z /\ (j <= k1)%Z) -> ((num_of p i j) <= (num_of p i
k1))%Z.
Axiom num_of_strictly_increasing : forall (p:((@array Z _)* Z)%type) (i:Z)
(j:Z) (k1:Z) (l:Z), ((i <= j)%Z /\ ((j <= k1)%Z /\ (k1 < l)%Z)) -> ((eq p
k1) -> ((num_of p i j) < (num_of p i l))%Z).
Axiom num_of_change_any : forall (p1:((@array Z _)* Z)%type) (p2:((@array
Z _)* Z)%type) (a:Z) (b:Z), (forall (j:Z), ((a <= j)%Z /\ (j < b)%Z) ->
((eq p1 j) -> (eq p2 j))) -> ((num_of p1 a b) <= (num_of p2 a b))%Z.
Axiom num_of_change_some : forall (p1:((@array Z _)* Z)%type) (p2:((@array
Z _)* Z)%type) (a:Z) (b:Z) (i:Z), ((a <= i)%Z /\ (i < b)%Z) ->
((forall (j:Z), ((a <= j)%Z /\ (j < b)%Z) -> ((eq p1 j) -> (eq p2 j))) ->
((~ (eq p1 i)) -> ((eq p2 i) -> ((num_of p1 a b) < (num_of p2 a b))%Z))).
(* Why3 assumption *)
Definition numeq (a:(@array Z _)) (v:Z) (i:Z) (j:Z): Z := (num_of (a, v) i
j).
(* Why3 assumption *)
Definition lt (p:((@array Z _)* Z)%type) (i:Z): Prop :=
match p with
| (a, v) => ((get a i) < v)%Z
end.
Parameter num_of1: ((@array Z _)* Z)%type -> Z -> Z -> Z.
Axiom Num_of_empty1 : forall (p:((@array Z _)* Z)%type) (a:Z) (b:Z),
(b <= a)%Z -> ((num_of1 p a b) = 0%Z).
Axiom Num_of_right_no_add1 : forall (p:((@array Z _)* Z)%type) (a:Z) (b:Z),
(a < b)%Z -> ((~ (lt p (b - 1%Z)%Z)) -> ((num_of1 p a b) = (num_of1 p a
(b - 1%Z)%Z))).
Axiom Num_of_right_add1 : forall (p:((@array Z _)* Z)%type) (a:Z) (b:Z),
(a < b)%Z -> ((lt p (b - 1%Z)%Z) -> ((num_of1 p a b) = (1%Z + (num_of1 p a
(b - 1%Z)%Z))%Z)).
Axiom Num_of_bounds1 : forall (p:((@array Z _)* Z)%type) (a:Z) (b:Z),
(a < b)%Z -> ((0%Z <= (num_of1 p a b))%Z /\ ((num_of1 p a
b) <= (b - a)%Z)%Z).
Axiom Num_of_append1 : forall (p:((@array Z _)* Z)%type) (a:Z) (b:Z) (c:Z),
((a <= b)%Z /\ (b <= c)%Z) -> ((num_of1 p a c) = ((num_of1 p a
b) + (num_of1 p b c))%Z).
Axiom Num_of_left_no_add1 : forall (p:((@array Z _)* Z)%type) (a:Z) (b:Z),
(a < b)%Z -> ((~ (lt p a)) -> ((num_of1 p a b) = (num_of1 p (a + 1%Z)%Z
b))).
Axiom Num_of_left_add1 : forall (p:((@array Z _)* Z)%type) (a:Z) (b:Z),
(a < b)%Z -> ((lt p a) -> ((num_of1 p a b) = (1%Z + (num_of1 p (a + 1%Z)%Z
b))%Z)).
Axiom Empty1 : forall (p:((@array Z _)* Z)%type) (a:Z) (b:Z), (forall (n:Z),
((a <= n)%Z /\ (n < b)%Z) -> ~ (lt p n)) -> ((num_of1 p a b) = 0%Z).
Axiom Full1 : forall (p:((@array Z _)* Z)%type) (a:Z) (b:Z), (a <= b)%Z ->
((forall (n:Z), ((a <= n)%Z /\ (n < b)%Z) -> (lt p n)) -> ((num_of1 p a
b) = (b - a)%Z)).
Axiom num_of_increasing1 : forall (p:((@array Z _)* Z)%type) (i:Z) (j:Z)
(k1:Z), ((i <= j)%Z /\ (j <= k1)%Z) -> ((num_of1 p i j) <= (num_of1 p i
k1))%Z.
Axiom num_of_strictly_increasing1 : forall (p:((@array Z _)* Z)%type) (i:Z)
(j:Z) (k1:Z) (l:Z), ((i <= j)%Z /\ ((j <= k1)%Z /\ (k1 < l)%Z)) -> ((lt p
k1) -> ((num_of1 p i j) < (num_of1 p i l))%Z).
Axiom num_of_change_any1 : forall (p1:((@array Z _)* Z)%type) (p2:((@array
Z _)* Z)%type) (a:Z) (b:Z), (forall (j:Z), ((a <= j)%Z /\ (j < b)%Z) ->
((lt p1 j) -> (lt p2 j))) -> ((num_of1 p1 a b) <= (num_of1 p2 a b))%Z.
Axiom num_of_change_some1 : forall (p1:((@array Z _)* Z)%type) (p2:((@array
Z _)* Z)%type) (a:Z) (b:Z) (i:Z), ((a <= i)%Z /\ (i < b)%Z) ->
((forall (j:Z), ((a <= j)%Z /\ (j < b)%Z) -> ((lt p1 j) -> (lt p2 j))) ->
((~ (lt p1 i)) -> ((lt p2 i) -> ((num_of1 p1 a b) < (num_of1 p2 a b))%Z))).
(* Why3 assumption *)
Definition numlt (a:(@array Z _)) (v:Z) (i:Z) (j:Z): Z := (num_of1 (a, v) i
j).
(* Why3 goal *)
Theorem eqlt : forall (a:(@array Z _)), (k_values a) -> forall (v:Z),
((0%Z <= v)%Z /\ (v < k)%Z) -> forall (l:Z) (u:Z), ((0%Z <= l)%Z /\
((l < u)%Z /\ (u <= (length a))%Z)) -> (((numlt a v l u) + (numeq a v l
u))%Z = (numlt a (v + 1%Z)%Z l u)).
(* Why3 intros a h1 v (h2,h3) l u (h4,(h5,h6)). *)
(* YOU MAY EDIT THE PROOF BELOW *)
intros (n,m); simpl.
intros ha v hv l u hu.
unfold numlt, numeq; simpl.
generalize hu; pattern u; apply natlike_ind; intuition.
red in ha. unfold get in ha. simpl in ha.
assert (case: (Map.get m x < v \/ Map.get m x = v \/ Map.get m x > v)%Z) by omega. destruct case.
rewrite Num_of_right_add1; try omega.
rewrite Num_of_right_no_add.
rewrite Num_of_right_add1 with (b:=(Zsucc x)); try omega.
assert (case: (l < x \/ x <= l)%Z) by omega. destruct case.
ring_simplify.
replace (x+1-1)%Z with x by omega.
generalize (H7 H10); intuition.
rewrite Num_of_empty; try omega.
rewrite Num_of_empty1; try omega.
rewrite Num_of_empty1; try omega.
red; simpl.
replace (Zsucc x - 1)%Z with x by omega.
unfold get; simpl; omega.
omega.
red; simpl.
replace (Zsucc x - 1)%Z with x by omega.
unfold get; simpl; omega.
red; simpl.
replace (Zsucc x - 1)%Z with x by omega.
assumption.
destruct H5.
rewrite Num_of_right_no_add1; try omega.
rewrite Num_of_right_add.
rewrite Num_of_right_add1 with (b:=(Zsucc x)); try omega.
assert (case: (l < x \/ x <= l)%Z) by omega. destruct case.
ring_simplify.
replace (x+1-1)%Z with x by omega.
generalize (H7 H10); intuition.
rewrite Num_of_empty; try omega.
rewrite Num_of_empty1; try omega.
rewrite Num_of_empty1; try omega.
red; simpl.
replace (Zsucc x - 1)%Z with x by omega.
unfold get; simpl; omega.
omega.
red; simpl.
replace (Zsucc x - 1)%Z with x by omega.
assumption.
red; simpl.
replace (Zsucc x - 1)%Z with x by omega.
unfold get; simpl; omega.
rewrite Num_of_right_no_add1; try omega.
rewrite Num_of_right_no_add; try omega.
rewrite Num_of_right_no_add1 with (b:=(Zsucc x)); try omega.
assert (case: (l < x \/ x <= l)%Z) by omega. destruct case.
replace (Zsucc x - 1)%Z with x by omega.
apply H7; omega.
rewrite Num_of_empty; try omega.
rewrite Num_of_empty1; try omega.
rewrite Num_of_empty1; try omega.
red; simpl.
replace (Zsucc x - 1)%Z with x by omega.
unfold get; simpl; omega.
red; simpl.
replace (Zsucc x - 1)%Z with x by omega.
unfold get; simpl; omega.
red; simpl.
replace (Zsucc x - 1)%Z with x by omega.
unfold get; simpl; omega.
Qed.
......@@ -12,7 +12,7 @@ module SimplePrioriyQueue
type elt
function priority elt : int
clone import array.NumOfEq with type elt = elt
use import array.NumOfEq
type t = {
elems: array elt;
......@@ -18,18 +18,14 @@
module InverseInPlace
use import int.Int
use int.NumOf
use import ref.Ref
use import array.Array
function (~_) (x: int) : int = -x-1
type param = M.map int int
predicate pr (a: param) (n: int) = M.([]) a n >= 0
clone import int.NumOfParam with type param = param, predicate pr = pr
lemma num_of_decrease:
forall m: param, l r i v: int. l <= i < r ->
M.get m i >= 0 -> v < 0 -> num_of (M.set m i v) l r < num_of m l r
function numof (m: M.map int int) (l r: int) : int =
NumOf.numof (\ n. M.([]) m n >= 0) l r
predicate is_permutation (a: array int) =
forall i: int. 0 <= i < length a ->
......@@ -72,7 +68,7 @@ module InverseInPlace
(at a 'L)[~ !j] = !k /\ a[~ !j] < 0 /\ a[m] < 0 }
invariant { forall e: int. 0 <= e < m -> a[e] < 0 -> a[e] <> !j }
invariant { loopinvariant (at a 'L) a m (m-1) n }
variant { num_of a.elts 0 n }
variant { numof a.elts 0 n }
a[!k] <- !j;
j := ~ !k;
k := !i;
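Review bot: The new `function numof (m: M.map int int) (l r: int) : int` is undocumented, and the removed `lemma num_of_decrease` was the only place that spelled out the fact the loop variant depends on; I would add a one-line comment above it, `(* [numof m l r] counts the indices i in [l..r[ with m[i] >= 0; it is the variant of the main loop *)`. Since the decrease of `variant { numof a.elts 0 n }` now has to be recovered by the provers directly from the lemmas of `int.NumOf`, consider keeping the old fact as a `let lemma` on the new definition (`l <= i < r -> M.get m i >= 0 -> v < 0 -> numof (M.set m i v) l r < numof m l r`) so the obligation is stated once instead of re-discovered at each variant VC; whether that is needed cannot be decided from the hunk alone. The loop whose `variant` is changed starts and ends outside the hunk.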
......@@ -3,69 +3,67 @@
"http://why3.lri.fr/why3session.dtd">
<why3session shape_version="4">
<prover id="0" name="CVC3" version="2.4.1" timelimit="6" memlimit="4000"/>
<prover id="1" name="Z3" version="4.3.1" timelimit="6" memlimit="1000"/>
<prover id="2" name="Z3" version="3.2" timelimit="5" memlimit="4000"/>
<prover id="3" name="Alt-Ergo" version="0.95.2" timelimit="6" memlimit="1000"/>
<prover id="4" name="CVC4" version="1.3" timelimit="6" memlimit="1000"/>
<prover id="1" name="CVC4" version="1.4" timelimit="6" memlimit="1000"/>
<prover id="2" name="Z3" version="4.3.1" timelimit="6" memlimit="1000"/>
<prover id="3" name="Z3" version="3.2" timelimit="5" memlimit="4000"/>
<prover id="4" name="Alt-Ergo" version="0.95.2" timelimit="6" memlimit="1000"/>
<prover id="5" name="CVC4" version="1.3" timelimit="6" memlimit="1000"/>
<file name="../inverse_in_place.mlw" expanded="true">
<theory name="InverseInPlace" sum="e2389d7bfc14348af96f1ccacefbe4ee" expanded="true">
<goal name="num_of_decrease">
<proof prover="4"><result status="valid" time="0.38"/></proof>
</goal>
<theory name="InverseInPlace" sum="fafff34e116537414a710874d3420b0f" expanded="true">
<goal name="is_permutation_inverse">
<proof prover="3"><result status="valid" time="0.02"/></proof>
<proof prover="4"><result status="valid" time="0.02"/></proof>
</goal>
<goal name="WP_parameter inverse_in_place" expl="VC for inverse_in_place">
<transf name="split_goal_wp">
<goal name="WP_parameter inverse_in_place" expl="VC for inverse_in_place" expanded="true">
<transf name="split_goal_wp" expanded="true">
<goal name="WP_parameter inverse_in_place.1" expl="1. postcondition">
<proof prover="3"><result status="valid" time="0.02"/></proof>
<proof prover="4"><result status="valid" time="0.02"/></proof>
</goal>
<goal name="WP_parameter inverse_in_place.2" expl="2. postcondition">
<proof prover="3"><result status="valid" time="0.02"/></proof>
<proof prover="4"><result status="valid" time="0.02"/></proof>
</goal>
<goal name="WP_parameter inverse_in_place.3" expl="3. loop invariant init">
<proof prover="0" memlimit="1000"><result status="valid" time="0.02"/></proof>
</goal>
<goal name="WP_parameter inverse_in_place.4" expl="4. type invariant">
<proof prover="3"><result status="valid" time="0.02"/></proof>
<proof prover="4"><result status="valid" time="0.02"/></proof>
</goal>
<goal name="WP_parameter inverse_in_place.5" expl="5. index in array bounds">
<proof prover="3"><result status="valid" time="0.02"/></proof>
<proof prover="4"><result status="valid" time="0.02"/></proof>
</goal>
<goal name="WP_parameter inverse_in_place.6" expl="6. index in array bounds">
<proof prover="3"><result status="valid" time="0.02"/></proof>
<proof prover="4"><result status="valid" time="0.02"/></proof>
</goal>
<goal name="WP_parameter inverse_in_place.7" expl="7. index in array bounds">
<proof prover="3"><result status="valid" time="0.02"/></proof>
<proof prover="4"><result status="valid" time="0.02"/></proof>
</goal>
<goal name="WP_parameter inverse_in_place.8" expl="8. loop invariant init">
<transf name="split_goal_wp">
<goal name="WP_parameter inverse_in_place.8.1" expl="1.">
<proof prover="1"><result status="valid" time="0.02"/></proof>
<proof prover="2"><result status="valid" time="0.02"/></proof>
</goal>
<goal name="WP_parameter inverse_in_place.8.2" expl="2.">
<proof prover="3"><result status="valid" time="0.04"/></proof>
<proof prover="4"><result status="valid" time="0.04"/></proof>
</goal>
<goal name="WP_parameter inverse_in_place.8.3" expl="3.">
<proof prover="3"><result status="valid" time="0.02"/></proof>
<proof prover="4"><result status="valid" time="0.02"/></proof>
</goal>
<goal name="WP_parameter inverse_in_place.8.4" expl="4.">
<proof prover="3"><result status="valid" time="0.01"/></proof>
<proof prover="4"><result status="valid" time="0.01"/></proof>
</goal>
<goal name="WP_parameter inverse_in_place.8.5" expl="5.">
<proof prover="3"><result status="valid" time="0.01"/></proof>
<proof prover="4"><result status="valid" time="0.01"/></proof>
</goal>
<goal name="WP_parameter inverse_in_place.8.6" expl="6.">
<proof prover="0" memlimit="1000"><result status="valid" time="0.03"/></proof>
</goal>
<goal name="WP_parameter inverse_in_place.8.7" expl="7.">
<proof prover="1"><result status="valid" time="0.04"/></proof>
<proof prover="2"><result status="valid" time="0.04"/></proof>
</goal>
<goal name="WP_parameter inverse_in_place.8.8" expl="8.">
<proof prover="3"><result status="valid" time="0.02"/></proof>
<proof prover="4"><result status="valid" time="0.02"/></proof>
</goal>
<goal name="WP_parameter inverse_in_place.8.9" expl="9.">
<proof prover="3"><result status="valid" time="0.02"/></proof>
<proof prover="4"><result status="valid" time="0.02"/></proof>
</goal>
</transf>
</goal>
......@@ -73,21 +71,21 @@
<proof prover="0" memlimit="1000"><result status="valid" time="0.13"/></proof>
</goal>
<goal name="WP_parameter inverse_in_place.10" expl="10. loop invariant init">
<proof prover="0" timelimit="5"><result status="valid" time="1.03"/></proof>
<proof prover="2"><result status="valid" time="1.49"/></proof>
<proof prover="0" timelimit="5"><result status="valid" time="0.71"/></proof>
<proof prover="3" obsolete="true"><result status="timeout" time="4.98"/></proof>
</goal>
<goal name="WP_parameter inverse_in_place.11" expl="11. type invariant">
<proof prover="3"><result status="valid" time="0.02"/></proof>
<proof prover="4"><result status="valid" time="0.02"/></proof>
</goal>
<goal name="WP_parameter inverse_in_place.12" expl="12. index in array bounds">
<proof prover="3"><result status="valid" time="0.02"/></proof>
<proof prover="4"><result status="valid" time="0.02"/></proof>
</goal>
<goal name="WP_parameter inverse_in_place.13" expl="13. index in array bounds">
<proof prover="3"><result status="valid" time="0.02"/></proof>
<proof prover="4"><result status="valid" time="0.02"/></proof>
</goal>
<goal name="WP_parameter inverse_in_place.14" expl="14. loop invariant preservation">
<proof prover="1"><result status="valid" time="0.50"/></proof>
<proof prover="4"><result status="valid" time="0.40"/></proof>
<proof prover="2"><result status="valid" time="0.06"/></proof>
<proof prover="5"><result status="valid" time="3.82"/></proof>
</goal>
<goal name="WP_parameter inverse_in_place.15" expl="15. loop invariant preservation">
<proof prover="0" memlimit="1000"><result status="valid" time="0.43"/></proof>
......@@ -99,30 +97,28 @@
<goal name="WP_parameter inverse_in_place.16.1.1" expl="1. loop invariant preservation">
<transf name="split_goal_wp">
<goal name="WP_parameter inverse_in_place.16.1.1.1" expl="1.">
<proof prover="0" memlimit="1000"><result status="valid" time="3.28"/></proof>
<proof prover="3"><result status="valid" time="2.36"/></proof>
<proof prover="0" memlimit="1000"><result status="valid" time="1.38"/></proof>
</goal>
<goal name="WP_parameter inverse_in_place.16.1.1.2" expl="2.">
<proof prover="0" memlimit="1000"><result status="valid" time="3.55"/></proof>
<proof prover="3"><result status="valid" time="1.40"/></proof>
<proof prover="0" memlimit="1000"><result status="valid" time="0.74"/></proof>
</goal>
<goal name="WP_parameter inverse_in_place.16.1.1.3" expl="3.">
<proof prover="3"><result status="valid" time="0.86"/></proof>
<proof prover="1"><result status="valid" time="0.05"/></proof>
</goal>
<goal name="WP_parameter inverse_in_place.16.1.1.4" expl="4.">
<proof prover="3"><result status="valid" time="0.90"/></proof>
<proof prover="1"><result status="valid" time="0.04"/></proof>
</goal>
<goal name="WP_parameter inverse_in_place.16.1.1.5" expl="5.">
<proof prover="3"><result status="valid" time="0.21"/></proof>
<proof prover="4"><result status="valid" time="0.21"/></proof>
</goal>
<goal name="WP_parameter inverse_in_place.16.1.1.6" expl="6.">
<proof prover="3"><result status="valid" time="0.89"/></proof>
<proof prover="1"><result status="valid" time="0.05"/></proof>
</goal>
<goal name="WP_parameter inverse_in_place.16.1.1.7" expl="7.">
<proof prover="0" memlimit="1000"><result status="valid" time="0.66"/></proof>
<proof prover="0" memlimit="1000"><result status="valid" time="0.96"/></proof>
</goal>
<goal name="WP_parameter inverse_in_place.16.1.1.8" expl="8.">
<proof prover="0" memlimit="1000"><result status="valid" time="1.64"/></proof>
<proof prover="0" memlimit="1000"><result status="valid" time="0.98"/></proof>
</goal>
</transf>
</goal>
......@@ -130,20 +126,20 @@
</goal>
</transf>
</goal>
<goal name="WP_parameter inverse_in_place.17" expl="17. loop variant decrease">
<proof prover="3"><result status="valid" time="0.08"/></proof>
<goal name="WP_parameter inverse_in_place.17" expl="17. loop variant decrease" expanded="true">
<proof prover="1"><result status="valid" time="0.25"/></proof>
</goal>
<goal name="WP_parameter inverse_in_place.18" expl="18. assertion">
<proof prover="1"><result status="valid" time="1.06"/></proof>
<proof prover="2"><result status="valid" time="0.80"/></proof>
</goal>
<goal name="WP_parameter inverse_in_place.19" expl="19. assertion">
<proof prover="3"><result status="valid" time="0.02"/></proof>
<proof prover="4"><result status="valid" time="0.02"/></proof>
</goal>
<goal name="WP_parameter inverse_in_place.20" expl="20. type invariant">
<proof prover="3"><result status="valid" time="0.03"/></proof>
<proof prover="4"><result status="valid" time="0.03"/></proof>
</goal>
<goal name="WP_parameter inverse_in_place.21" expl="21. index in array bounds">