completed proof session for library array

in particular, consistency of ArrayPermut is now ensured

completed proof session for library array
in particular, consistency of ArrayPermut is now ensured
355efcc6 · Jean-Christophe Filliatre · 87354afa · 355efcc6 · 355efcc6 · 355efcc6
Commit 355efcc6 authored Feb 25, 2014 by Jean-Christophe Filliatre
14 changed files
--- a/examples/algo63/why3session.xml
+++ b/examples/algo63/why3session.xml
--- a/examples/algo64/why3session.xml
+++ b/examples/algo64/why3session.xml
--- a/examples/algo65/why3session.xml
+++ b/examples/algo65/why3session.xml
--- a/examples/find/why3session.xml
+++ b/examples/find/why3session.xml
--- a/examples/flag/why3session.xml
+++ b/examples/flag/why3session.xml
--- a/examples/insertion_sort/why3session.xml
+++ b/examples/insertion_sort/why3session.xml
--- a/examples/insertion_sort_naive/why3session.xml
+++ b/examples/insertion_sort_naive/why3session.xml
--- a/examples/quicksort/why3session.xml
+++ b/examples/quicksort/why3session.xml
--- a/examples/verifythis_fm2012_LRS/why3session.xml
+++ b/examples/verifythis_fm2012_LRS/why3session.xml
--- a/lib/why3/array/array_ArrayPermut_exchange_permut_sub_1.v
+++ b/lib/why3/array/array_ArrayPermut_exchange_permut_sub_1.v
+(* This file is generated by Why3's Coq 8.4 driver *)
+(* Beware! Only edit allowed sections below    *)
+Require Import BuiltIn.
+Require BuiltIn.
+Require int.Int.
+Require map.Map.
+Require map.Occ.
+Require map.MapPermut.
+
+(* Why3 assumption *)
+Definition unit := unit.
+
+(* Why3 assumption *)
+Inductive array
+  (a:Type) {a_WT:WhyType a} :=
+  | mk_array : Z -> (@map.Map.map Z _ a a_WT) -> array a.
+Axiom array_WhyType : forall (a:Type) {a_WT:WhyType a}, WhyType (array a).
+Existing Instance array_WhyType.
+Implicit Arguments mk_array [[a] [a_WT]].
+
+(* Why3 assumption *)
+Definition elts {a:Type} {a_WT:WhyType a} (v:(@array a a_WT)): (@map.Map.map
+  Z _ a a_WT) := match v with
+  | (mk_array x x1) => x1
+  end.
+
+(* Why3 assumption *)
+Definition length {a:Type} {a_WT:WhyType a} (v:(@array a a_WT)): Z :=
+  match v with
+  | (mk_array x x1) => x
+  end.
+
+(* Why3 assumption *)
+Definition get {a:Type} {a_WT:WhyType a} (a1:(@array a a_WT)) (i:Z): a :=
+  (map.Map.get (elts a1) i).
+
+(* Why3 assumption *)
+Definition set {a:Type} {a_WT:WhyType a} (a1:(@array a a_WT)) (i:Z)
+  (v:a): (@array a a_WT) := (mk_array (length a1) (map.Map.set (elts a1) i
+  v)).
+
+(* Why3 assumption *)
+Definition make {a:Type} {a_WT:WhyType a} (n:Z) (v:a): (@array a a_WT) :=
+  (mk_array n (map.Map.const v: (@map.Map.map Z _ a a_WT))).
+
+(* Why3 assumption *)
+Definition map_eq_sub {a:Type} {a_WT:WhyType a} (a1:(@map.Map.map Z _
+  a a_WT)) (a2:(@map.Map.map Z _ a a_WT)) (l:Z) (u:Z): Prop := forall (i:Z),
+  ((l <= i)%Z /\ (i < u)%Z) -> ((map.Map.get a1 i) = (map.Map.get a2 i)).
+
+(* Why3 assumption *)
+Definition array_eq_sub {a:Type} {a_WT:WhyType a} (a1:(@array a a_WT))
+  (a2:(@array a a_WT)) (l:Z) (u:Z): Prop := ((length a1) = (length a2)) /\
+  (((0%Z <= l)%Z /\ (l <= (length a1))%Z) /\ (((0%Z <= u)%Z /\
+  (u <= (length a1))%Z) /\ (map_eq_sub (elts a1) (elts a2) l u))).
+
+(* Why3 assumption *)
+Definition array_eq {a:Type} {a_WT:WhyType a} (a1:(@array a a_WT))
+  (a2:(@array a a_WT)): Prop := ((length a1) = (length a2)) /\ (map_eq_sub
+  (elts a1) (elts a2) 0%Z (length a1)).
+
+(* Why3 assumption *)
+Definition exchange {a:Type} {a_WT:WhyType a} (a1:(@map.Map.map Z _ a a_WT))
+  (a2:(@map.Map.map Z _ a a_WT)) (l:Z) (u:Z) (i:Z) (j:Z): Prop :=
+  ((l <= i)%Z /\ (i < u)%Z) /\ (((l <= j)%Z /\ (j < u)%Z) /\
+  (((map.Map.get a1 i) = (map.Map.get a2 j)) /\ (((map.Map.get a1
+  j) = (map.Map.get a2 i)) /\ forall (k:Z), ((l <= k)%Z /\ (k < u)%Z) ->
+  ((~ (k = i)) -> ((~ (k = j)) -> ((map.Map.get a1 k) = (map.Map.get a2
+  k))))))).
+
+Axiom exchange_set : forall {a:Type} {a_WT:WhyType a},
+  forall (a1:(@map.Map.map Z _ a a_WT)) (l:Z) (u:Z) (i:Z) (j:Z),
+  ((l <= i)%Z /\ (i < u)%Z) -> (((l <= j)%Z /\ (j < u)%Z) -> (exchange a1
+  (map.Map.set (map.Map.set a1 i (map.Map.get a1 j)) j (map.Map.get a1 i)) l
+  u i j)).
+
+(* Why3 assumption *)
+Definition exchange1 {a:Type} {a_WT:WhyType a} (a1:(@array a a_WT))
+  (a2:(@array a a_WT)) (i:Z) (j:Z): Prop := ((length a1) = (length a2)) /\
+  (exchange (elts a1) (elts a2) 0%Z (length a1) i j).
+
+(* Why3 assumption *)
+Definition permut {a:Type} {a_WT:WhyType a} (a1:(@array a a_WT)) (a2:(@array
+  a a_WT)) (l:Z) (u:Z): Prop := ((length a1) = (length a2)) /\
+  (((0%Z <= l)%Z /\ (l <= (length a1))%Z) /\ (((0%Z <= u)%Z /\
+  (u <= (length a1))%Z) /\ (map.MapPermut.permut (elts a1) (elts a2) l u))).
+
+(* Why3 assumption *)
+Definition permut_sub {a:Type} {a_WT:WhyType a} (a1:(@array a a_WT))
+  (a2:(@array a a_WT)) (l:Z) (u:Z): Prop := (map_eq_sub (elts a1) (elts a2)
+  0%Z l) /\ ((permut a1 a2 l u) /\ (map_eq_sub (elts a1) (elts a2) u
+  (length a1))).
+
+(* Why3 assumption *)
+Definition permut_all {a:Type} {a_WT:WhyType a} (a1:(@array a a_WT))
+  (a2:(@array a a_WT)): Prop := ((length a1) = (length a2)) /\
+  (map.MapPermut.permut (elts a1) (elts a2) 0%Z (length a1)).
+
+(* Why3 goal *)
+Theorem exchange_permut_sub : forall {a:Type} {a_WT:WhyType a},
+  forall (a1:(@array a a_WT)) (a2:(@array a a_WT)) (i:Z) (j:Z) (l:Z) (u:Z),
+  (exchange1 a1 a2 i j) -> (((l <= i)%Z /\ (i < u)%Z) -> (((l <= j)%Z /\
+  (j < u)%Z) -> ((0%Z <= l)%Z -> ((u <= (length a1))%Z -> (permut_sub a1 a2 l
+  u))))).
+intros a a_WT a1 a2 i j l u h1 (h2,h3) (h4,h5) h6 h7.
+destruct h1 as (h11,h12).
+destruct h12 as (ha,(hb,(hc,(hd,he)))).
+red. repeat split.
+(* eq_sub *) 
+red. intros. apply he; omega.
+assumption. assumption. omega. omega. assumption.
+(* permut *)
+red. intro v.
+
+assert (Occ.occ v (elts a1) i (i+1) + Occ.occ v (elts a1) j (j+1)
+      = Occ.occ v (elts a2) i (i+1) + Occ.occ v (elts a2) j (j+1))%Z.
+destruct (why_decidable_eq (Map.get (elts a1) i) v).
+rewrite Occ.occ_right_add. 2: omega. 2: ring_simplify (i+1-1)%Z; assumption.
+rewrite (Occ.occ_right_add v (elts a2) j). 2: omega.
+  2: ring_simplify (j+1-1)%Z; rewrite <- hc; assumption.
+ring_simplify (i+1-1)%Z. ring_simplify (j+1-1)%Z.
+rewrite Occ.occ_empty. 2: omega. rewrite (Occ.occ_empty v (elts a2) j). 2: omega.
+destruct (why_decidable_eq (Map.get (elts a1) j) v).
+rewrite Occ.occ_right_add. 2: omega. 2: ring_simplify (j+1-1)%Z; assumption.
+rewrite (Occ.occ_right_add v (elts a2) i). 2: omega.
+  2: ring_simplify (i+1-1)%Z; rewrite <- hd; assumption.
+ring_simplify (i+1-1)%Z. ring_simplify (j+1-1)%Z.
+rewrite Occ.occ_empty. 2: omega. rewrite (Occ.occ_empty v (elts a2) i). 2: omega.
+ring.
+rewrite Occ.occ_right_no_add. 2: omega. 2: ring_simplify (j+1-1)%Z; assumption.
+rewrite (Occ.occ_right_no_add v (elts a2) i). 2: omega.
+  2: ring_simplify (i+1-1)%Z; rewrite <- hd; assumption.
+ring_simplify (i+1-1)%Z. ring_simplify (j+1-1)%Z.
+rewrite Occ.occ_empty. 2: omega. rewrite (Occ.occ_empty v (elts a2) i). 2: omega.
+ring.
+rewrite Occ.occ_right_no_add. 2: omega. 2: ring_simplify (i+1-1)%Z; assumption.
+rewrite (Occ.occ_right_no_add v (elts a2) j). 2: omega.
+  2: ring_simplify (j+1-1)%Z; rewrite <- hc; assumption.
+rewrite Occ.occ_empty. 2: omega. rewrite (Occ.occ_empty v (elts a2) j). 2: omega.
+destruct (why_decidable_eq (Map.get (elts a1) j) v).
+rewrite Occ.occ_right_add. 2: omega. 2: ring_simplify (j+1-1)%Z; assumption.
+rewrite (Occ.occ_right_add v (elts a2) i). 2: omega.
+  2: ring_simplify (i+1-1)%Z; rewrite <- hd; assumption.
+ring_simplify (i+1-1)%Z. ring_simplify (j+1-1)%Z.
+rewrite Occ.occ_empty. 2: omega. rewrite (Occ.occ_empty v (elts a2) i). 2: omega.
+ring.
+rewrite Occ.occ_right_no_add. 2: omega. 2: ring_simplify (j+1-1)%Z; assumption.
+rewrite (Occ.occ_right_no_add v (elts a2) i). 2: omega.
+  2: ring_simplify (i+1-1)%Z; rewrite <- hd; assumption.
+ring_simplify (i+1-1)%Z. ring_simplify (j+1-1)%Z.
+rewrite Occ.occ_empty. 2: omega. rewrite (Occ.occ_empty v (elts a2) i). 2: omega.
+ring.
+
+assert (c: (i < j \/ i = j \/ j < i)%Z) by omega. destruct c as [c|c].
+(* i < j *)
+assert (Occ.occ v (elts a1) l u = Occ.occ v (elts a1) l i + Occ.occ v (elts a1) i u)%Z.
+  apply Occ.occ_append. omega.
+assert (Occ.occ v (elts a1) i u = Occ.occ v (elts a1) i (i+1) + Occ.occ v (elts a1) (i+1) u)%Z.
+  apply Occ.occ_append. omega.
+assert (Occ.occ v (elts a1) (i+1) u = Occ.occ v (elts a1) (i+1) j + Occ.occ v (elts a1) j u)%Z.
+  apply Occ.occ_append. omega.
+assert (Occ.occ v (elts a1) j u = Occ.occ v (elts a1) j (j+1) + Occ.occ v (elts a1) (j+1) u)%Z.
+  apply Occ.occ_append. omega.
+
+assert (Occ.occ v (elts a2) l u = Occ.occ v (elts a2) l i + Occ.occ v (elts a2) i u)%Z.
+  apply Occ.occ_append. omega.
+assert (Occ.occ v (elts a2) i u = Occ.occ v (elts a2) i (i+1) + Occ.occ v (elts a2) (i+1) u)%Z.
+  apply Occ.occ_append. omega.
+assert (Occ.occ v (elts a2) (i+1) u = Occ.occ v (elts a2) (i+1) j + Occ.occ v (elts a2) j u)%Z.
+  apply Occ.occ_append. omega.
+assert (Occ.occ v (elts a2) j u = Occ.occ v (elts a2) j (j+1) + Occ.occ v (elts a2) (j+1) u)%Z.
+  apply Occ.occ_append. omega.
+
+assert (Occ.occ v (elts a1) l i = Occ.occ v (elts a2) l i).
+  apply Occ.occ_eq. intros. apply he; omega.
+assert (Occ.occ v (elts a1) (i+1) j = Occ.occ v (elts a2) (i+1) j).
+  apply Occ.occ_eq. intros; apply he; omega.
+assert (Occ.occ v (elts a1) (j+1) u = Occ.occ v (elts a2) (j+1) u).
+  apply Occ.occ_eq. intros; apply he; omega.
+
+omega.
+
+(* i = j *)
+destruct c.
+subst j.
+apply Occ.occ_eq.
+intros k hk.
+assert (c: (k=i \/ k <>i)%Z) by omega. destruct c.
+subst k. assumption.
+apply he. omega. assumption. assumption.
+
+(* j < i *)
+assert (Occ.occ v (elts a1) l u = Occ.occ v (elts a1) l j + Occ.occ v (elts a1) j u)%Z.
+  apply Occ.occ_append. omega.
+assert (Occ.occ v (elts a1) j u = Occ.occ v (elts a1) j (j+1) + Occ.occ v (elts a1) (j+1) u)%Z.
+  apply Occ.occ_append. omega.
+assert (Occ.occ v (elts a1) (j+1) u = Occ.occ v (elts a1) (j+1) i + Occ.occ v (elts a1) i u)%Z.
+  apply Occ.occ_append. omega.
+assert (Occ.occ v (elts a1) i u = Occ.occ v (elts a1) i (i+1) + Occ.occ v (elts a1) (i+1) u)%Z.
+  apply Occ.occ_append. omega.
+
+assert (Occ.occ v (elts a2) l u = Occ.occ v (elts a2) l j + Occ.occ v (elts a2) j u)%Z.
+  apply Occ.occ_append. omega.
+assert (Occ.occ v (elts a2) j u = Occ.occ v (elts a2) j (j+1) + Occ.occ v (elts a2) (j+1) u)%Z.
+  apply Occ.occ_append. omega.
+assert (Occ.occ v (elts a2) (j+1) u = Occ.occ v (elts a2) (j+1) i + Occ.occ v (elts a2) i u)%Z.
+  apply Occ.occ_append. omega.
+assert (Occ.occ v (elts a2) i u = Occ.occ v (elts a2) i (i+1) + Occ.occ v (elts a2) (i+1) u)%Z.
+  apply Occ.occ_append. omega.
+
+assert (Occ.occ v (elts a1) l j = Occ.occ v (elts a2) l j).
+  apply Occ.occ_eq. intros. apply he; omega.
+assert (Occ.occ v (elts a1) (j+1) i = Occ.occ v (elts a2) (j+1) i).
+  apply Occ.occ_eq. intros; apply he; omega.
+assert (Occ.occ v (elts a1) (i+1) u = Occ.occ v (elts a2) (i+1) u).
+  apply Occ.occ_eq. intros; apply he; omega.
+
+omega.
+
+(* eq_sub *)
+red. intros. apply he; omega.
+Qed.
+
--- a/modules/array/array_ArrayPermut_exchange_permut_sub_1.v
+++ b/modules/array/array_ArrayPermut_exchange_permut_sub_1.v
@@ -96,52 +96,54 @@ Definition permut_all {a:Type} {a_WT:WhyType a} (a1:(@array a a_WT))
  (a2:(@array a a_WT)): Prop := ((length a1) = (length a2)) /\
  (map.MapPermut.permut (elts a1) (elts a2) 0%Z (length a1)).

-(* Require Import Why3. Ltac ae := why3 "Alt-Ergo,0.95.2," timelimit 3. *)
-
-(* Why3 goal *)
-Theorem exchange_permut_sub : forall {a:Type} {a_WT:WhyType a},
+Axiom exchange_permut_sub : forall {a:Type} {a_WT:WhyType a},
  forall (a1:(@array a a_WT)) (a2:(@array a a_WT)) (i:Z) (j:Z) (l:Z) (u:Z),
  (exchange1 a1 a2 i j) -> (((l <= i)%Z /\ (i < u)%Z) -> (((l <= j)%Z /\
  (j < u)%Z) -> ((0%Z <= l)%Z -> ((u <= (length a1))%Z -> (permut_sub a1 a2 l
  u))))).
-(* Why3 intros a a_WT a1 a2 i j l u h1 (h2,h3) (h4,h5) h6 h7. *)
-intros a a_WT a1 a2 i j l u h1 (h2,h3) (h4,h5) h6 h7.
-destruct h1 as (h11,h12).
-destruct h12 as (ha,(hb,(hc,(hd,he)))).
-red. repeat split.
-(* eq_sub *) 
-red. intros. apply he; omega.
-assumption. assumption. omega. omega. assumption.
+
+(* Why3 goal *)
+Theorem permut_sub_weakening : forall {a:Type} {a_WT:WhyType a},
+  forall (a1:(@array a a_WT)) (a2:(@array a a_WT)) (l1:Z) (u1:Z) (l2:Z)
+  (u2:Z), (permut_sub a1 a2 l1 u1) -> (((0%Z <= l2)%Z /\ (l2 <= l1)%Z) ->
+  (((u1 <= u2)%Z /\ (u2 <= (length a1))%Z) -> (permut_sub a1 a2 l2 u2))).
+(* Why3 intros a a_WT a1 a2 l1 u1 l2 u2 h1 (h2,h3) (h4,h5). *)
+intros a a_WT a1 a2 l1 u1 l2 u2 h1 (h2,h3) (h4,h5).
+unfold permut_sub in *.
+destruct h1 as (eql,(h1,eqr)).
+unfold map_eq_sub in *.
+split.
+(* eq left *)
+intros. apply eql; omega.
+split.
 (* permut *)
-red. intro v.
-assert (c: (i < j \/ i = j \/ j < i)%Z) by omega. destruct c as [c|c].
-(* i < j *)
-assert (Occ.occ v (elts a1) l u = Occ.occ v (elts a1) l i + Occ.occ v (elts a1) i u)%Z.
+unfold permut in *.
+destruct h1 as (h1,(h1a,(h1b,h1c))).
+repeat split; try assumption. omega. omega.
+unfold MapPermut.permut in *.
+intros v.
+assert (c: (l1 <= u1 \/ u1 < l1)%Z) by omega. destruct c.
+(* l1 <= u1 *)
+assert (Occ.occ v (elts a1) l2 u2 = Occ.occ v (elts a1) l2 l1 + Occ.occ v (elts a1) l1 u2)%Z. 
  apply Occ.occ_append. omega.
-assert (Occ.occ v (elts a1) i u = Occ.occ v (elts a1) i (i+1) + Occ.occ v (elts a1) (i+1) u)%Z.
+assert (Occ.occ v (elts a1) l1 u2 = Occ.occ v (elts a1) l1 u1 + Occ.occ v (elts a1) u1 u2)%Z. 
  apply Occ.occ_append. omega.
-assert (Occ.occ v (elts a1) (i+1) u = Occ.occ v (elts a1) (i+1) j + Occ.occ v (elts a1) j u)%Z.
+assert (Occ.occ v (elts a2) l2 u2 = Occ.occ v (elts a2) l2 l1 + Occ.occ v (elts a2) l1 u2)%Z. 
  apply Occ.occ_append. omega.
-assert (Occ.occ v (elts a1) j u = Occ.occ v (elts a1) j (j+1) + Occ.occ v (elts a1) (j+1) u)%Z.
+assert (Occ.occ v (elts a2) l1 u2 = Occ.occ v (elts a2) l1 u1 + Occ.occ v (elts a2) u1 u2)%Z. 
  apply Occ.occ_append. omega.
-assert (Occ.occ v (elts a1) l i = Occ.occ v (elts a2) l i).
-  apply Occ.occ_eq. intros. apply he; omega.
-
-admit. (*TODO*)
-
-(* i = j *)
-destruct c.
-subst j.
+assert (Occ.occ v (elts a1) l2 l1 = Occ.occ v (elts a2) l2 l1).
+  apply Occ.occ_eq. intros; apply eql; omega.
+assert (Occ.occ v (elts a1) u1 u2 = Occ.occ v (elts a2) u1 u2).
+  apply Occ.occ_eq. intros; apply eqr; omega.
+generalize (h1c v); omega.
+(* u1 < l1 *)
 apply Occ.occ_eq.
-intros k hk.
-assert (c: (k=i \/ k <>i)%Z) by omega. destruct c.
-subst k. assumption.
-apply he. omega. assumption. assumption.
-(* j < i *)
-
-admit. (*TODO*)
-
-(* eq_sub *)
-red. intros. apply he; omega.
+intros i hi.
+assert (c: (i < l1 \/ u1 <= i)%Z) by omega. destruct c.
+apply eql; omega.
+apply eqr; omega.
+(* eq right *)
+intros; apply eqr; omega.
 Qed.

--- a/lib/why3/array/why3session.xml
+++ b/lib/why3/array/why3session.xml
--- a/modules/array.mlw
+++ b/modules/array.mlw
@@ -199,12 +199,6 @@ module ArrayPermut
    permut_sub a1 a2 l1 u1 -> 0 <= l2 <= l1 -> u1 <= u2 <= length a1 ->
    permut_sub a1 a2 l2 u2

-  lemma permut_sub_compose:
-    forall a1 a2 a3: array 'a, l1 u1 l2 u2: int. u1 <= l2 ->
-    permut_sub a1 a2 l1 u1 ->
-    permut_sub a2 a3 l2 u2 ->
-    permut_sub a1 a3 l1 u2
-
  (** {3 lemmas about [permut_all]} *)

  lemma exchange_permut_all:

--- a/modules/array/why3session.xml
+++ b/modules/array/why3session.xml
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE why3session PUBLIC "-//Why3//proof session v2//EN" "http://why3.lri.fr/why3session.dtd">
-<why3session shape_version="4">
- <prover
-  id="0"
-  name="Alt-Ergo"
-  version="0.95.2"/>
- <prover
-  id="1"
-  name="CVC3"
-  version="2.4.1"/>
- <prover
-  id="2"
-  name="CVC4"
-  version="1.3"/>
- <prover
-  id="3"
-  name="Coq"
-  version="8.4pl2"/>
- <prover
-  id="4"
-  name="Z3"
-  version="3.2"/>
- <prover
-  id="5"
-  name="Z3"
-  version="4.3.1"/>
- <file
-  name="../array.mlw"
-  verified="false"
-  expanded="true">
-  <theory
-   name="Array"
-   locfile="../array.mlw"
-   loclnum="10" loccnumb="7" loccnume="12"
-   verified="true"
-   expanded="false">
-   <goal
-    name="WP_parameter defensive_get"
-    locfile="../array.mlw"
-    loclnum="40" loccnumb="6" loccnume="19"
-    expl="VC for defensive_get"
-    sum="417b50dd6c746afcd074c39a87c22b33"
-    proved="true"
-    expanded="false"
-    shape="iiainfix &lt;V1V0Aainfix &lt;=c0V1Aainfix &lt;V1V0Aainfix &lt;=c0V1ainfix &gt;=V1V0Oainfix &lt;V1c0ainfix &gt;=V1V0ainfix &gt;=V1V0Oainfix &lt;V1c0ainfix &lt;V1c0Iainfix &lt;=c0V0F">
-    <label
-     name="expl:VC for defensive_get"/>
-    <proof
-     prover="0"
-     timelimit="6"
-     memlimit="1000"
-     obsolete="false"
-     archived="false">
-     <result status="valid" time="0.01"/>
-    </proof>
-   </goal>
-   <goal
-    name="WP_parameter defensive_set"
-    locfile="../array.mlw"
-    loclnum="46" loccnumb="6" loccnume="19"
-    expl="VC for defensive_set"
-    sum="fa98a75c669382d0f728114285407406"
-    proved="true"
-    expanded="false"
-    shape="iiainfix =asetV1V2V3V4Aainfix &lt;V2V0Aainfix &lt;=c0V2Iainfix =V4asetV1V2V3Aainfix &lt;=c0V0FAainfix &lt;V2V0Aainfix &lt;=c0V2ainfix &gt;=V2V0Oainfix &lt;V2c0ainfix &gt;=V2V0ainfix &gt;=V2V0Oainfix &lt;V2c0ainfix &lt;V2c0Iainfix &lt;=c0V0F">
-    <label
-     name="expl:VC for defensive_set"/>
-    <proof
-     prover="0"
-     timelimit="6"
-     memlimit="1000"
-     obsolete="false"
-     archived="false">
-     <result status="valid" time="0.01"/>
-    </proof>
-   </goal>
-   <goal
-    name="WP_parameter fill"
-    locfile="../array.mlw"
-    loclnum="73" loccnumb="6" loccnume="10"
-    expl="VC for fill"
-    sum="66669ba1682a1bf957739087e768c993"
-    proved="true"
-    expanded="false"
-    shape="ainfix =agetV6V7V4Iainfix &lt;V7ainfix +V2V3Aainfix &lt;=V2V7FAainfix =agetV6V8agetV1V8Iainfix &lt;V8V0Aainfix &lt;=ainfix +V2V3V8Oainfix &lt;V8V2Aainfix &lt;=c0V8FAainfix &lt;=c0V0Iainfix =agetV6V9V4Iainfix &lt;V9ainfix +V2ainfix +V5c1Aainfix &lt;=V2V9FAainfix =agetV6V10agetV1V10Iainfix &lt;V10V0Aainfix &lt;=ainfix +V2V3V10Oainfix &lt;V10V2Aainfix &lt;=c0V10FAainfix =agetV13V14V4Iainfix &lt;V14ainfix +V2ainfix +V11c1Aainfix &lt;=V2V14FAainfix =agetV13V15agetV1V15Iainfix &lt;V15V0Aainfix &lt;=ainfix +V2V3V15Oainfix &lt;V15V2Aainfix &lt;=c0V15FIainfix =V13asetV6V12V4Aainfix &lt;=c0V0FAainfix &lt;V12V0Aainfix &lt;=c0V12Aainfix &lt;=c0V0Lainfix +V2V11Iainfix =agetV6V16V4Iainfix &lt;V16ainfix +V2V11Aainfix &lt;=V2V16FAainfix =agetV6V17agetV1V17Iainfix &lt;V17V0Aainfix &lt;=ainfix +V2V3V17Oainfix &lt;V17V2Aainfix &lt;=c0V17FIainfix &lt;=V11V5Aainfix &lt;=c0V11FFAainfix =agetV1V18V4Iainfix &lt;V18ainfix +V2c0Aainfix &lt;=V2V18FIainfix &lt;=c0V5Aainfix =agetV1V19V4Iainfix &lt;V19ainfix +V2V3Aainfix &lt;=V2V19FIainfix &gt;c0V5Lainfix -V3c1Iainfix &lt;=ainfix +V2V3V0Aainfix &lt;=c0V3Aainfix &lt;=c0V2Aainfix &lt;=c0V0F">
-    <label
-     name="expl:VC for fill"/>
-    <proof
-     prover="0"
-     timelimit="6"
-     memlimit="1000"
-     obsolete="false"
-     archived="false">
-     <result status="valid" time="0.03"/>
-    </proof>
-   </goal>
-  </theory>
-  <theory
-   name="ArraySorted"
-   locfile="../array.mlw"
-   loclnum="114" loccnumb="7" loccnume="18"
-   verified="true"
-   expanded="true">
-  </theory>
-  <theory
-   name="ArrayEq"
-   locfile="../array.mlw"
-   loclnum="130" loccnumb="7" loccnume="14"
-   verified="true"
-   expanded="true">
-  </theory>
-  <theory
-   name="ArrayExchange"
-   locfile="../array.mlw"
-   loclnum="145" loccnumb="7" loccnume="20"
-   verified="true"
-   expanded="true">
-  </theory>
-  <theory
-   name="ArrayPermut"
-   locfile="../array.mlw"
-   loclnum="161" loccnumb="7" loccnume="18"
-   verified="false"
-   expanded="true">
-   <goal
-    name="exchange_permut_sub"
-    locfile="../array.mlw"
-    loclnum="190" loccnumb="8" loccnume="27"
-    sum="cb24596c6160655798eb2561e3379057"
-    proved="true"
-    expanded="true"
-    shape="apermut_subV0V1V4V5Iainfix &lt;=V5alengthV0Iainfix &lt;=c0V4Iainfix &lt;V3V5Aainfix &lt;=V4V3Iainfix &lt;V2V5Aainfix &lt;=V4V2IaexchangeV0V1V2V3F">
-    <proof
-     prover="3"
-     timelimit="30"
-     memlimit="1000"
-     edited="array_ArrayPermut_exchange_permut_sub_1.v"
-     obsolete="false"
-     archived="false">
-     <result status="valid" time="2.07"/>
-    </proof>
-   </goal>
-   <goal
-    name="permut_sub_weakening"
-    locfile="../array.mlw"
-    loclnum="197" loccnumb="8" loccnume="28"
-    sum="1bc160562527e4713ee7654de1e90377"
-    proved="false"
-    expanded="true"
-    shape="apermut_subV0V1V4V5Iainfix &lt;=V5alengthV0Aainfix &lt;=V3V5Iainfix &lt;=V4V2Aainfix &lt;=c0V4Iapermut_subV0V1V2V3F">
-   </goal>
-   <goal
-    name="permut_sub_compose"
-    locfile="../array.mlw"
-    loclnum="202" loccnumb="8" loccnume="26"
-    sum="136a7250026ea9a04b66c0c2413d542b"
-    proved="false"
-    expanded="true"
-    shape="apermut_subV0V2V3V6Iapermut_subV1V2V5V6Iapermut_subV0V1V3V4Iainfix &lt;=V4V5F">
-   </goal>
-   <goal
-    name="exchange_permut_all"
-    locfile="../array.mlw"
-    loclnum="210" loccnumb="8" loccnume="27"
-    sum="1f3f8188d66a6d0be1e6fcda85a90b38"
-    proved="true"
-    expanded="false"
-    shape="apermut_allV0V1IaexchangeV0V1V2V3F">
-    <proof
-     prover="1"
-     timelimit="6"
-     memlimit="1000"
-     obsolete="false"
-     archived="false">
-     <result status="valid" time="0.04"/>
-    </proof>
-    <proof
-     prover="2"
-     timelimit="6"
-     memlimit="1000"
-     obsolete="false"
-     archived="false">
-     <result status="valid" time="0.28"/>
-    </proof>
-    <proof
-     prover="4"
-     timelimit="6"
-     memlimit="1000"
-     obsolete="false"
-     archived="false">
-     <result status="valid" time="0.04"/>
-    </proof>
-    <proof
-     prover="5"
-     timelimit="6"
-     memlimit="1000"
-     obsolete="false"
-     archived="false">
-     <result status="valid" time="0.02"/>
-    </proof>
-   </goal>
-  </theory>
-  <theory
-   name="ArraySwap"
-   locfile="../array.mlw"
-   loclnum="216" loccnumb="7" loccnume="16"
-   verified="true"
-   expanded="false">
-   <goal
-    name="WP_parameter swap"
-    locfile="../array.mlw"
-    loclnum="222" loccnumb="6" loccnume="10"
-    expl="VC for swap"
-    sum="5e54f2889debe7787a9278286b940deb"
-    proved="true"
-    expanded="false"
-    shape="aexchangeamk arrayV0V1amk arrayV0V5V2V3Iainfix =V5asetV4V3agetV1V2Aainfix &lt;=c0V0FAainfix &lt;V3V0Aainfix &lt;=c0V3Iainfix =V4asetV1V2agetV1V3Aainfix &lt;=c0V0FAainfix &lt;V2V0Aainfix &lt;=c0V2Aainfix &lt;V3V0Aainfix &lt;=c0V3Aainfix &lt;V2V0Aainfix &lt;=c0V2Iainfix &lt;V3V0Aainfix &lt;=c0V3Aainfix &lt;V2V0Aainfix &lt;=c0V2Aainfix &lt;=c0V0F">
-    <label
-     name="expl:VC for swap"/>
-    <proof
-     prover="0"
-     timelimit="6"
-     memlimit="1000"
-     obsolete="false"
-     archived="false">
-     <result status="valid" time="0.03"/>
-    </proof>
-   </goal>
-  </theory>
-  <theory
-   name="ArraySum"
-   locfile="../array.mlw"
-   loclnum="234" loccnumb="7" loccnume="15"
-   verified="true"
-   expanded="true">
-  </theory>
-  <theory
-   name="NumOfParam"
-   locfile="../array.mlw"
-   loclnum="252" loccnumb="7" loccnume="17"
-   verified="true"
-   expanded="true">
-  </theory>
-  <theory
-   name="NumOfEq"
-   locfile="../array.mlw"
-   loclnum="268" loccnumb="7" loccnume="14"
-   verified="true"
-   expanded="true">
-  </theory>
-  <theory
-   name="NumOf"
-   locfile="../array.mlw"
-   loclnum="281" loccnumb="7" loccnume="12"
-   verified="true"
-   expanded="true">
-  </theory>
- </file>
-</why3session>